End-of-Day report
Timeframe: Freitag 17-09-2021 18:00 - Montag 20-09-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Jetzt patchen! Krypto-Miner schlüpft durch OMIGOD-Lücken auf Azure-Server
Angreifer attackieren derzeit Azure-Kunden mit virtuellen Linux-PCs. Admins sollten jetzt handeln und die verfügbaren Sicherheitsupdates installieren.
https://heise.de/-6195928
Epik data breach impacts 15 million users, including non-customers
Scraped WHOIS data of NON-Epik customers also exposed in the 180 GB leak.
https://arstechnica.com/?p=1796568
Bring Your APIs Out of the Shadows to Protect Your Business
APIs are immensely more complex to secure. Shadow APIs - those unknown or forgotten API endpoints that escape the attention and protection of IT - present a real risk to your business. Learn how to identify shadow APIs and take control of them before attackers do.
https://threatpost.com/apis-out-of-shadows-protect-your-business/169334/
Video: Simple Analysis Of A CVE-2021-40444 .docx Document, (Sun, Sep 19th)
I created a video for the analysis I described in my last diary entry "Simple Analysis Of A CVE-2021-40444 .docx Document".
https://isc.sans.edu/diary/rss/27850
EventBuilder Exposed Information of Over 100,000 Event Registrants
Event management company EventBuilder exposed files containing the personal information of at least 100,000 users who registered for events on its platform.
https://www.securityweek.com/eventbuilder-exposed-information-over-100000-event-registrants
Network Security Trends: May-July 2021
Network security trends, May-July 2021: We analyze how vulnerabilities are being exploited in the wild and rank the most common types of attacks.
https://unit42.paloaltonetworks.com/network-security-trends/
Threat landscape for industrial automation systems. Statistics for H1 2021
In H1 2021, the percentage of ICS computers on which malicious objects were blocked was 33.8%, which was 0.4 p.p. more than in H2 2020.
https://ics-cert.kaspersky.com/reports/2021/09/09/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2021/
-Yes, we are breaking the law:- An interview with the operator of a marketplace for stolen data
A website called Marketo emerged earlier this year, billing itself as a marketplace where people can buy leaked data. Although Marketo isn-t a ransomware group, it appears to borrow key strategies from those types of threat actors.
https://therecord.media/yes-we-are-breaking-the-law-an-interview-with-the-operator-of-a-marketplace-for-stolen-data/
Vulnerabilities
#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports., (Mon, Sep 20th)
After the "OMIGOD" vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started pretty much immediately to scan for vulnerable hosts. We saw a quick rise of scans, particularly against port:1270.
https://isc.sans.edu/diary/rss/27852
Security updates for Monday
Security updates have been issued by Debian (gnutls28, nettle, nextcloud-desktop, and openssl1.0), Fedora (dovecot-fts-xapian, drupal7, ghostscript, haproxy, libtpms, lynx, wordpress, and xen), openSUSE (xen), Red Hat (rh-ruby27-ruby), and SUSE (openssl, openssl1, and xen).
https://lwn.net/Articles/869863/
Researchers put together a list of vulnerabilities abused by Ransomware - Look for these immediately
LINK To make it easy, I pulled it and created a simple txt list you can use. These are the some of the initial access methods.
https://securitythreatnews.com/2021/09/20/researchers-put-together-a-list-of-vulnerabilities-abused-by-ransomware-look-for-these-immediately/
McAfee Endpoint Security: Mehrere Schwachstellen
https://www.cert-bund.de/advisoryshort/CB-K21-0991
Security Bulletin: IBM Aspera Webapps are vulnerable to cross-site scripting (CVE-2020-11022, CVE-2020-11023).
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-are-vulnerable-to-cross-site-scripting-cve-2020-11022-cve-2020-11023/
Security Bulletin: IBM SDK, Java Tech Edition Quarterly CPU - Apr 2021 + Oracle Apr 2021; Jul 2021 + Oracle 2021 CPU
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-tech-edition-quarterly-cpu-apr-2021-oracle-apr-2021-jul-2021-oracle-2021-cpu/
Security Bulletin: Aspera Web Applications (Shares, Console) are affected by OpenSSL Vulnerabilities (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)
https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-shares-console-are-affected-by-openssl-vulnerabilities-cve-2021-23839-cve-2021-23840-cve-2021-23841/
Security Bulletin: IBM Data Replication Java SDK Update
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java-sdk-update-4/
Security Bulletin: IBM Data Replication Java SDK Update
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java-sdk-update-3/
Security Bulletin: ISC DHCP for IBM i is affected by CVE-2021-25217
https://www.ibm.com/blogs/psirt/security-bulletin-isc-dhcp-for-ibm-i-is-affected-by-cve-2021-25217/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-7/
Security Bulletin: IBM Data Replication Java SDK Update
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-replication-java-sdk-update-2/
Security Bulletin: IBM Cloud Pak for Data could allow a local user with special privileges to obtain highly sensitive information
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-could-allow-a-local-user-with-special-privileges-to-obtain-highly-sensitive-information/
Security Bulletin: IBM Aspera Webapps products (Shares, Console) are affected by OpenSSL Vulnerability (CVE-2021-3712)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-products-shares-console-are-affected-by-openssl-vulnerability-cve-2021-3712/
Security Bulletin: IBM Aspera Webapps (Shares, Console) are vulnerable to an OpenSSL Vunerability (CVE-2020-7656).
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-shares-console-are-vulnerable-to-an-openssl-vunerability-cve-2020-7656/
Security Bulletin: IBM SDK, Java Tech Edition Quarterly CPU Apr 2021 + Oracle APR 2021; Jul 2021 + Oracle Jul 2021
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-tech-edition-quarterly-cpu-apr-2021-oracle-apr-2021-jul-2021-oracle-jul-2021/
Security Bulletin: Aspera Web Applications (Shares, Console) are affected by an OpenSSL Vulnerability (CVE-2020-1971)
https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-shares-console-are-affected-by-an-openssl-vulnerability-cve-2020-1971/
Security Bulletin: Multiple vulnerabilities in Apache Commons* affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-commons-affect-tivoli-netcool-omnibus-webgui-cve-2021-35515-cve-2021-35516-cve-2021-35517-cve-2021-36090/
Security Bulletin: Multiple vulnerabilities is affecting Tivoli Netcool/OMNIbus WebGUI
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-is-affecting-tivoli-netcool-omnibus-webgui/