Daily summary - 28.09.2021

End-of-Day report

Timeframe: Monday 27-09-2021 18:00 - Tuesday 28-09-2021 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner

News

FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor

In-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.

https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/


TLS 1.3 and SSL - the current state of affairs (Tue, Sep 28th)

It has been over 3 years since the specification for TLS 1.3 was published, and although the protocol has some minor drawbacks, it is undoubtedly the most secure TLS version so far. One would therefore hope that the adoption of TLS 1.3 and its use on web servers around the globe would steadily increase over time (ideally hand in hand with a slow disappearance of older cryptographic protocols, especially the historic SSL 2.0 and SSL 3.0).

https://isc.sans.edu/diary/rss/27882


Securing mobile devices. A timely reminder

If you're commuting again or if you're responsible for securing your people's devices, it's a good idea to revisit and review your security admin for mobile devices. This post isn't breaking any new ground, but it is a good place to start that review process and think about your security behaviours.

https://www.pentestpartners.com/security-blog/securing-mobile-devices-a-timely-reminder/


Caution if the apartment viewing is supposed to be handled via booking.com

Have you finally found your dream apartment? The only catch: you are supposed to pay a deposit before the viewing, allegedly managed by booking.com? Then you have come across a fraudulent apartment listing. Never pay a deposit before the viewing. This apartment does not exist and you will lose the money you paid!

https://www.watchlist-internet.at/news/vorsicht-wenn-die-wohnungsbesichtigung-ueber-bookingcom-abgewickelt-werden-sollte/


Highlights From the Unit 42 Cloud Threat Report, 2H 2021

In the Unit 42 Cloud Threat Report, 2H 2021, our researchers dive deep into the full scope of supply chain attacks in the cloud and explain often misunderstood details about how they occur. We also provide actionable recommendations any organization can adopt immediately to begin protecting their software supply chains in the cloud.

https://unit42.paloaltonetworks.com/cloud-threat-report-2h-2021/


Anatomy and Disruption of Metasploit Shellcode

In April 2021 we went through the anatomy of a Cobalt Strike stager and how some of its signature evasion techniques ended up being ineffective against detection technologies. In this blog post we will go one level deeper and focus on Metasploit, an often-used framework interoperable with Cobalt Strike.

https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/

Vulnerabilities

ZDI-21-1116: NETGEAR R7800 net-cgi Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 routers. Authentication is not required to exploit this vulnerability. CVE ID: CVE-2021-34947

http://www.zerodayinitiative.com/advisories/ZDI-21-1116/


SSA-728618: Multiple Vulnerabilities in Solid Edge before SE2021MP8

Siemens has released a new version for Solid Edge that fixes multiple file parsing vulnerabilities which could be triggered when the application reads files in IFC, JT or OBJ formats.

https://cert-portal.siemens.com/productcert/txt/ssa-728618.txt


Security updates for Tuesday

Security updates have been issued by CentOS (kernel), openSUSE (gd, grilo, nodejs14, and transfig), Oracle (nodejs:14 and squid), Red Hat (kernel and shim and fwupd), SUSE (apache2, atftp, gd, and python-Pillow), and Ubuntu (apache2, linux, linux-aws, linux-aws-5.11, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and vim).

https://lwn.net/Articles/871096/


D-LINK Router: Vulnerability enables denial of service

D-LINK Router DIR-X1560 < 1.04B04, D-LINK Router DIR-X6060 < 1.02B01. A remote, anonymous attacker can exploit a vulnerability in various D-LINK routers to carry out a denial-of-service attack.

http://www.cert-bund.de/advisoryshort/CB-K21-1019


Security Bulletin: IBM Security SOAR is using a version of Elasticsearch that has known vulnerabilities (CVE-2021-22137, CVE-2021-22135)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-using-a-version-of-elasticsearch-that-has-known-vulnerabilities-cve-2021-22137-cve-2021-22135/


Security Bulletin: PostgreSQL Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2021-32029)

https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-affects-ibm-sterling-connectdirect-for-microsoft-windows-cve-2021-32029/