Daily summary - 16.09.2021

End-of-Day report

Timeframe: Wednesday 15-09-2021 18:00 - Thursday 16-09-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

News

Phishing 101: why depend on one suspicious message subject when you can use many? (Thu, Sep 16th)

There are many e-mail subjects that people tend to associate with phishing due to their overuse in this area. Among the more traditional and common phishing subjects, that most people have probably seen at some point, are variations on the [...]

https://isc.sans.edu/diary/rss/27842


Third Critical Bug Affects Netgear Smart Switches - Details and PoC Released

New details have been revealed about a recently remediated critical vulnerability in Netgear smart switches that could be leveraged by an attacker to potentially execute malicious code and take control of vulnerable devices. The flaw - dubbed "Seventh Inferno" (CVSS score: 9.8) - is the third of a trio of security weaknesses, the other two being Demon's Cries (CVSS score: 9.8) and Draconian Fear (CVSS score: 7.8).

https://thehackernews.com/2021/09/third-critical-bug-affects-netgear.html


PetitPotam - NTLM Relay to AD CS

Deployment of Active Directory Certificate Services (AD CS) in a corporate environment allows system administrators to use it for establishing trust between different directory objects. However, it can also allow red team operators to conduct an NTLM relay attack against the web interface of AD CS in order to compromise the network.

https://pentestlab.blog/2021/09/14/petitpotam-ntlm-relay-to-ad-cs/


Hundreds of thousands of MikroTik routers have been vulnerable since 2018

A botnet specialised in these devices has been responsible for large-scale attacks on Cloudflare and Yandex in recent months.

https://heise.de/-6193825


Operation Layover: How we tracked an attack on the aviation industry to five years of compromise

Cisco Talos linked the recent aviation targeting campaigns to an actor who has been targeting the aviation industry for two years. The same actor has been running successful malware campaigns for more than five years.

https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html


Beware of dubious shops on Pinterest

Cheap fashion offers on Pinterest turn out afterwards to be a cost trap. High shipping costs, customs fees or return costs are common, if returns are accepted at all.

https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-shops-auf-pinterest/


Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER's Ransomware Infrastructure and a Windows Zero-Day Exploit

RiskIQ's Team Atlas assesses with high confidence that the network infrastructure supporting the exploitation of a Windows zero-day vulnerability disclosed by Microsoft on September 7, CVE-2021-40444, shares historical connections with that of a ransomware syndicate known as WIZARD SPIDER. This group, also tracked separately under the names UNC1878 and RYUK, deploys several different ransomware families in targeted Big-Game Hunting campaigns.

https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/


Dangling Domains: Security Threats, Detection and Prevalence

Dangling domains are a largely overlooked threat in DNS, but they can be exploited for domain hijacking and are important to detect.

https://unit42.paloaltonetworks.com/dangling-domains/


New Go malware Capoae targets WordPress installs, Linux systems

Capoae highlights the increase of cyberattacks designed to deploy cryptocurrency-mining payloads.

https://www.zdnet.com/article/new-go-malware-capoae-targets-wordpress-installs-linux-systems/


Malware samples found trying to hack Windows from its Linux subsystem

Security researchers at Lumen's Black Lotus Labs have found a series of malware samples that were configured to infect the Windows Subsystem for Linux and then pivot to its native Windows environment.

https://therecord.media/malware-samples-found-trying-to-hack-windows-from-its-linux-subsystem/


Universal decryptor released for past REvil ransomware victims

Romanian cybersecurity firm Bitdefender has published today a universal decryption utility that will be able to help past victims of the REvil (Sodinokibi) ransomware gang recover their encrypted files - if they still have them.

https://therecord.media/universal-decryptor-released-for-past-revil-ransomware-victims/

Vulnerabilities

Critical security vulnerability without a patch endangers older IBM System x servers

The servers have not received updates since 2020. Attackers can now hijack them through a vulnerability in the firmware of the IMM admin interface.

https://heise.de/-6193718


Security updates for Thursday

Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools).

https://lwn.net/Articles/869380/


Several Access Bypass, CSRF Vulnerabilities Patched in Drupal

Drupal developers on Wednesday informed users that updates released for Drupal 8.9, 9.1 and 9.2 patch five vulnerabilities that can be exploited for cross-site request forgery (CSRF) and access bypass.

https://www.securityweek.com/several-access-bypass-csrf-vulnerabilities-patched-drupal


iTunes U 3.8.3

https://support.apple.com/kb/HT212809


Security Bulletin: WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842)

https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-information-disclosure-cve-2021-29842/


Security Bulletin: IBM Aspera Webapps are vulnerable to cross-site scripting (CVE-2020-7656).

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-are-vulnerable-to-cross-site-scripting-cve-2020-7656/


Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-txseries-for-multiplatforms-6/


Security Bulletin: libXml2 used by IBM InfoSphere Identity Insight has a potential vulnerability (CVE-2021-3518)

https://www.ibm.com/blogs/psirt/security-bulletin-libxml2-used-by-ibm-infosphere-identity-insight-has-a-potential-vulnerability-cve-2021-3518/


Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517, CVE-2021-36090)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-commons-compress-affect-websphere-application-server-liberty-cve-2021-33517-cve-2021-36090/


Security Bulletin: IBM® Db2® could allow a local user to read and write specific files due to weak file permissions (CVE-2020-4976)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-user-to-read-and-write-specific-files-due-to-weak-file-permissions-cve-2020-4976/


Security Bulletin: IBM® Db2® is vulnerable to an information disclosure, exposing remote storage credentials to privileged users under specific conditions (CVE-2021-29752)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-exposing-remote-storage-credentials-to-privileged-users-under-specific-conditions-cve-2021-29752/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-aix-6/


Security Bulletin: A vulnerability in Bouncy Castle affects IBM Watson Machine Learning Accelerator

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-bouncy-castle-affect-ibm-watson-machine-learning-accelerator-2/


Security Bulletin: IBM® Db2® could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. (CVE-2021-29825)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-disclose-sensitive-information-when-using-admin_cmd-with-load-or-backup-cve-2021-29825/


Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2021 - Includes Oracle Apr 2021 CPU minus CVE-2021-2163

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-apr-2021-includes-oracle-apr-2021-cpu-minus-cve-2021-2163/


Security Bulletin: IBM® Db2® under very specific conditions could allow a local user to keep running a procedure that could cause the system to run out of memory and cause a denial of service (CVE-2021-29763)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-under-very-specific-conditions-could-allow-a-local-user-to-keep-running-a-procedure-that-could-cause-the-system-to-run-out-of-memory-and-cause-a-denial-of-ser/


OpenSSH: Vulnerability allows disclosure of information

http://www.cert-bund.de/advisoryshort/CB-K21-0979


Kubernetes: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K21-0977


Fluent Bit: Vulnerability allows display of false information

http://www.cert-bund.de/advisoryshort/CB-K21-0985


Atlassian Jira Software: Vulnerability allows code execution

http://www.cert-bund.de/advisoryshort/CB-K21-0980