[CERT-daily] Tageszusammenfassung - 16.07.2019

Tue Jul 16 18:34:58 CEST 2019

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 15-07-2019 18:00 − Dienstag 16-07-2019 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Topinambour & Windows event logs ∗∗∗
---------------------------------------------
TL;DR:
 * Block outgoing SMB traffic if you can
 * Hunt or Monitor for event ID 106 in "Microsoft-Windows-TaskScheduler%4Operational.evtx"
 * Think about enabling "Audit Process creation" in "Security.evtx" and command line logging
 * Hunt or monitor for event ID 4688 in "Security.evtx"
---------------------------------------------
http://www.cert.at/services/blog/20190716140317-2501_en.html


∗∗∗ VU#129209: LLVMs Arm stack protection feature can be rendered ineffective ∗∗∗
---------------------------------------------
When the stack protection feature is rendered ineffective, it leaves the function vulnerable to stack-based buffer overflows. It is possible that the return address could be overwritten due to a local buffer overflow and is not caught when the cookie is checked at the end. It is also possible that the cookie itself could be overwritten since it resides on the stack, causing an unintended value to pass the check. 
---------------------------------------------
https://kb.cert.org/vuls/id/129209


∗∗∗ Analysis: Server-side polymorphism & PowerShell backdoors ∗∗∗
---------------------------------------------
Malware actors very rarely stick to the same script for extended periods of time. They constantly modify and update their attack methods. Recently we have observed malware that uses server-side polymorphism to hide its payload, which consists of a backdoor fully written in PowerShell.
---------------------------------------------
https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors


∗∗∗ FBI Releases Master Decryption Keys for GandCrab Ransomware ∗∗∗
---------------------------------------------
In an FBI Flash Alert, the FBI has released the master decryption keys for the Gandcrab Ransomware versions 4, 5, 5.0.4, 5.1, and 5.2. Using these keys, any individual or organization can create and release their very own GandCrab decryptor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-releases-master-decryption-keys-for-gandcrab-ransomware/


∗∗∗ iOS 13: Bug in Beta gibt Passwörter frei ∗∗∗
---------------------------------------------
Wer eine Vorabversion von iOS oder iPadOS einsetzt, sollte vorsichtig mit den Geräten umgehen. Ein Fehler erlaubt Angreifern, Zugangsdaten einzusehen.
---------------------------------------------
https://heise.de/-4471743


∗∗∗ Is ‘REvil’ the New GandCrab Ransomware? ∗∗∗
---------------------------------------------
The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as "REvil," "Sodin," and "Sodinokibi."
---------------------------------------------
https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/


∗∗∗ Extenbro DNS-Changer Used in Adware Campaign ∗∗∗
---------------------------------------------
A recently observed DNS-changer Trojan is being used in an adware campaign to prevent users from accessing security-related websites, Malwarebytes reveals.
---------------------------------------------
https://www.securityweek.com/extenbro-dns-changer-used-adware-campaign


∗∗∗ Betrügerische Amazon Marketplace-Shops stehlen Geld! ∗∗∗
---------------------------------------------
Verbraucher/innen können beim Online-Shopping über Amazon auch bei Drittanbieter/innen Bestellungen tätigen. Uns erreichen zahlreiche Meldungen von Personen, die von betrügerischen Marketplace-Shops zu Überweisungen auf externe Konten aufgefordert wurden. Das Geld darf nicht bezahlt werden! Es handelt sich um Betrug und Überweisungen sind verloren.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-amazon-marketplace-shops-stehlen-geld/


∗∗∗ Finger weg von notebooksbilliger-angebot.net ∗∗∗
---------------------------------------------
Im Online-Shop notebooksbilliger-angebot.net finden Sie vor allem günstige Laptops, Tablets und Smartphones. Echte Schnäppchen werden Sie dort jedoch keine ergattern, denn es handelt sich um einen Fake-Shop. Ihre Bestellung wird trotz Bezahlung nie geliefert. Wir raten, unbekannte Shops immer genauer unter die Lupe zu nehmen!
---------------------------------------------
https://www.watchlist-internet.at/news/finger-weg-von-notebooksbilliger-angebotnet/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Vuln: Symantec Norton Password Manager CVE-2019-9700 IP Address Spoofing Vulnerability ∗∗∗
---------------------------------------------
An attacker can exploit this issue to spoof an IP address which may lead to a false sense of trust, allowing the attacker to perform malicious activities. Other attacks may also be possible. Versions prior to Symantec Norton Password Manager 6.3.0.2082 are vulnerable. 
---------------------------------------------
http://www.securityfocus.com/bid/108676


∗∗∗ Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet ∗∗∗
---------------------------------------------
API blunder exposes data, fix incoming from Lenovo Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2019/07/16/iomega_nas_boxes/


∗∗∗ Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu ∗∗∗
---------------------------------------------
The same security vulnerabilities that were recently reported in Zoom for macOS also affect two other popular video conferencing software that under the hood, are just a rebranded version of Zoom video conferencing software.
---------------------------------------------
https://thehackernews.com/2019/07/zoom-ringcentral-vulnerabilities.html


∗∗∗ Moodle CVE-2019-10187 Security Bypass Vulnerability ∗∗∗
---------------------------------------------
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. Moodle 3.7, 3.6 through 3.6.4, 3.5 through 3.5.6 and prior unsupported versions are vulnerable.
---------------------------------------------
https://www.securityfocus.com/bid/109174/discuss


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (expat and radare2), Oracle (thunderbird), Red Hat (389-ds-base, keepalived, libssh2, perl, and vim), Scientific Linux (thunderbird), SUSE (bzip2, kernel, podofo, systemd, webkit2gtk3, and xrdp), and Ubuntu (bash, nss, redis, squid, squid3, and Zipios).
---------------------------------------------
https://lwn.net/Articles/793852/


∗∗∗ Cisco Content Security Management Appliance Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-sma-xss


∗∗∗ IBM Security Bulletin: IBM has released Unified Extensible Firmware Interface (UEFI) fixes in response to TianoCore EDK II BIOS Vulnerability (CVE-2018-12182) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-released-unified-extensible-firmware-interface-uefi-fixes-in-response-to-tianocore-edk-ii-bios-vulnerability-cve-2018-12182/


∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to File Path Traversal (CVE-2019-4430) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-file-path-traversal-cve-2019-4430/


∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerability CVE-2019-12086 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-jackson-databind-vulnerability-cve-2019-12086/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Event Streams ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-event-streams/


∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Business Developer. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-business-developer/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Netcool Configuration Manager (CVE-2018-1890, CVE-2019-2426) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-current-releases-of-the-ibm-sdk-java-technology-edition-affect-ibm-tivoli-netcool-configuration-manager-cve-2018-1890-cve-2019-2426/


∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerabilities in IBM SONAS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-mozilla-firefox-vulnerabilities-in-ibm-sonas-7/


∗∗∗ IBM Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WAS vulnerability. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-rational-asset-analyzer-raa-is-affected-by-a-was-vulnerability-2/


∗∗∗ Linux kernel vulnerability CVE-2019-11599 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K51674118

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily