[CERT-daily] Daily summary - 09.05.2018

Daily end-of-shift report team at cert.at
Wed May 9 18:56:46 CEST 2018


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 08-05-2018 18:00 − Wednesday 09-05-2018 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ "Hide and Seek" Becomes First IoT Botnet Capable of Surviving Device Reboots ∗∗∗
---------------------------------------------
Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/


∗∗∗ PoC Developed for CoinHive Mining In Excel Using Custom JavaScript Functions ∗∗∗
---------------------------------------------
Within days of Microsoft announcing that they are introducing custom JavaScript equations in Excel, a security researcher has developed a way to use this method to load the CoinHive in-browser JavaScript miner within Excel.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/poc-developed-for-coinhive-mining-in-excel-using-custom-javascript-functions/


∗∗∗ Call for speakers One Conference ∗∗∗
---------------------------------------------
The international One Conference 2018 will take place on October 2 & 3 in The Hague. Overall theme of this edition is "Merging Worlds – Securing the connected future".
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/call-for-speakers-one-conference.html


∗∗∗ Nice Phishing Sample Delivering Trickbot, (Wed, May 9th) ∗∗∗
---------------------------------------------
Users have to deal with phishing for a very long time. Today, most of them remain dumb messages quickly redacted with a simple attached file and a message like "Click on me, it's urgent!". Yesterday, I put my hands on a very nice sample that deserves to be dissected to demonstrate that phishing campaigns remain an excellent way to infect a computer!
---------------------------------------------
https://isc.sans.edu/diary/rss/23641


∗∗∗ Massive localstorage[.]tk Drupal Infection ∗∗∗
---------------------------------------------
After a series of critical Drupal vulnerabilities disclosed this spring, it’s not surprising to see a surge of massive Drupal infections like this one: [...]
---------------------------------------------
https://blog.sucuri.net/2018/05/massive-localstorage-tk-drupal-infection.html


∗∗∗ It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V ∗∗∗
---------------------------------------------
Scores of bugs, from Edge and Office to kernel code to Adobe Flash, need fixing ASAP. Patch Tuesday: Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon people's personal information, and so on.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/05/09/microsoft_windows_hyperv_patch_tuesday/


∗∗∗ Introducing Orchestrator decryption tool ∗∗∗
---------------------------------------------
Researched and written by Donny Maasland and Rindert Kramer. Introduction: During penetration tests we sometimes encounter servers running software that use sensitive information as part of the underlying process, such as Microsoft’s System Center Orchestrator. According to Microsoft, Orchestrator is a workflow management solution for data centers and can be used to automate the creation, [...]
---------------------------------------------
https://blog.fox-it.com/2018/05/09/introducing-orchestrator-decryption-tool/


∗∗∗ Better protection for networked medical devices ∗∗∗
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/sicherheitsanforderung_medizinprodukte_09052018.html


∗∗∗ Gandcrab Ransomware Walks its Way onto Compromised Sites ∗∗∗
---------------------------------------------
This blog post authored by Nick Biasini with contributions from Nick Lister and Christopher Marczewski. Despite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab uses both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
---------------------------------------------
https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html


∗∗∗ Google CTF 2018 is here ∗∗∗
---------------------------------------------
https://security.googleblog.com/2018/05/google-ctf-2018-is-here.html


∗∗∗ Fake Mobilis GmbH order spreads malware ∗∗∗
---------------------------------------------
Criminals are sending out a fake order from Mobilis GmbH. In the business letter they ask companies to open the file attachment for further information about the purchase. In reality, it conceals malware. For this reason it is important that recipients do not open the supposed order and move the message to their spam folder.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-mobilis-gmbh-bestellung-verbreitet-schadsoftware/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ CVE-2018-8897 ∗∗∗
---------------------------------------------
Media reports are currently circulating about a bug in how operating
systems handle Intel and AMD CPUs, and we have received the first
inquiries about its criticality. We do not consider it dramatic: as far
as is currently known, the bug is exploitable neither remotely nor via
JavaScript etc., and is therefore "only" a classic privilege
escalation.
---------------------------------------------
http://www.cert.at/services/blog/20180509142228-2199.html


∗∗∗ Silex Technology SX-500/SD-320AN or GE Healthcare MobileLink ∗∗∗
---------------------------------------------
This medical advisory includes mitigations for improper authentication
and OS command injection vulnerabilities in Silex Technology SX-500,
SD-320AN, and GE Healthcare MobileLink devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-18-128-01


∗∗∗ Siemens Medium Voltage SINAMICS Products ∗∗∗
---------------------------------------------
This advisory includes mitigations for improper input validation
vulnerabilities in Siemens SINAMICS modular drive systems.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-128-01


∗∗∗ Siemens Siveillance VMS ∗∗∗
---------------------------------------------
This advisory includes mitigations for a deserialization of untrusted
data vulnerability in the Siemens Siveillance Video Management
Software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-128-02


∗∗∗ Siemens Siveillance VMS Video Mobile App ∗∗∗
---------------------------------------------
This advisory includes mitigations for an improper certificate
validation vulnerability in the Siemens Siveillance VMS mobile app.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-128-03


∗∗∗ May 2018 Office Update Release ∗∗∗
---------------------------------------------
The May 2018 Public Update releases for Office are now available! This
month, there are 30 security updates and 22 non-security updates. All
of the security and non-security updates are listed in KB article
4133083.
---------------------------------------------
https://blogs.technet.microsoft.com/office_sustained_engineering/2018/05/08/may-2018-office-update-release/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel), Gentoo (rsync),
openSUSE (Chromium), Oracle (kernel), Red Hat (kernel and kernel-rt),
Scientific Linux (kernel), SUSE (kernel and php7), and Ubuntu (dpdk,
libraw, linux, linux-lts-trusty, linux-snapdragon, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/754021/


∗∗∗ Security Update Summary ∗∗∗
---------------------------------------------
https://portal.msrc.microsoft.com/en-us/security-guidance/summary


∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Some Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180509-01-mobile-en


∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Huawei iBMC Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180509-01-bypass-en


∗∗∗ [R1] OpenSSL Stand-alone Patch Available for SecurityCenter versions 5.0 or Later ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2018-04


∗∗∗ Oracle Java SE vulnerability CVE-2018-2811 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01294982


∗∗∗ Oracle Java SE vulnerability CVE-2018-2796 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K71021401


∗∗∗ Oracle Java SE vulnerability CVE-2018-2798 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24593421


Next End-of-Day report: 2018-05-11

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily