Daily summary - 13.09.2021

End-of-Day report

Timeframe: Friday 10-09-2021 18:00 - Monday 13-09-2021 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner

News

Waiting for Windows patches: do-it-yourself guide for MSHTML exploit in circulation

Security researchers warn how attackers could bypass Microsoft's mitigations against Windows attacks. An exploit kit is also available.

https://heise.de/-6190319


SOVA, Worryingly Sophisticated Android Trojan, Takes Flight

The malware appeared in August with an ambitious roadmap (think ransomware, DDoS) that could make it the most feature-rich Android malware on the market.

https://threatpost.com/sova-sophisticated-android-trojan/169366/


Shipping to Elasticsearch Microsoft DNS Logs, (Sat, Sep 11th)

This parser takes the logs from a Windows 2012R2 and/or 2019 server (C:\DNSLogs\windns.log) and parses them into usable metadata which can be monitored and queried via an ELK dashboard. The logs have been mapped using DNS ECS field meta here [1].

https://isc.sans.edu/diary/rss/27828


New SpookJS Attack Bypasses Google Chrome's Site Isolation Protection

A newly discovered side-channel attack demonstrated on modern processors can be weaponized to successfully overcome Site Isolation protections weaved into Google Chrome and Chromium browsers and leak sensitive data in a Spectre-style speculative execution attack. Dubbed "Spook.js" by academics from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv [...]

https://thehackernews.com/2021/09/new-spookjs-attack-bypasses-google.html


REvil: ransomware gang active again in a new line-up

New forum posts and "Happy Blog" content show that the REvil extortion gang is back - and that its break was probably not voluntary.

https://heise.de/-6190537


BazarLoader to Conti Ransomware in 32 Hours

Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown [...]

https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/


Incident response analyst report 2020

We deliver a range of services: incident response, digital forensics and malware analysis. Data in the report comes from our daily practices with organizations seeking assistance with full-blown incident response or complementary expert activities for their internal incident response teams.

https://securelist.com/incident-response-analyst-report-2020/104080/

Vulnerabilities

Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF

Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application.

https://blog.talosintelligence.com/2021/09/nitro-pro-code-execution.html


Security updates for Monday

Security updates have been issued by Debian (qemu and thunderbird), Fedora (chromium, firefox, and mosquitto), openSUSE (apache2-mod_auth_openidc, gifsicle, openssl-1_1, php7-pear, and wireshark), Oracle (oswatcher), Red Hat (cyrus-imapd, firefox, and thunderbird), SUSE (apache2-mod_auth_openidc, compat-openssl098, php7-pear, and wireshark), and Ubuntu (git and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon).

https://lwn.net/Articles/869103/


Update - Critical vulnerability in the Microsoft MSHTML component - workarounds available, exploits published

Update: 13 September 2021 / Description: Microsoft has issued an out-of-band warning about a vulnerability in the MSHTML component. It can be exploited by attackers via specially crafted Microsoft Office documents - according to Microsoft, such documents are already in circulation.

https://cert.at/de/warnungen/2021/9/kritische-sicherheitslucke-in-der-microsoft-mshtml-komponente-workarounds-verfugbar


Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2021-20509)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-csv-injection-cve-2021-20509-2/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2021 CPU that is bundled with IBM WebSphere Application Server Patterns

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-websphere-application-server-july-2021-cpu-that-is-bundled-with-ibm-websphere-application-server-patterns/


Security Bulletin: Multiple vulnerabilities in ICU libraries used in IBM DataPower Gateway

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-icu-libraries-used-in-ibm-datapower-gateway/


Security Bulletin: Vulnerabilities in the AIX kernel (CVE-2021-29727, CVE-2021-29801, CVE-2021-29862)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-aix-kernel-cve-2021-29727-cve-2021-29801-cve-2021-29862-2/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-25/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security SOAR (CVE-2021-2341, CVE-2021-2369)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-security-soar-cve-2021-2341-cve-2021-2369/


Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-sdk-java-technology-edition-8/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-24/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-23/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-22/


Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-affect-liberty-for-java-for-ibm-cloud-2/


Security Bulletin: Input Validation Vulnerability in Apache Commons Codec Affects IBM Sterling Connect:Direct for UNIX

https://www.ibm.com/blogs/psirt/security-bulletin-input-validation-vulnerability-in-apache-commons-codec-affects-ibm-sterling-connectdirect-for-unix/