[CERT-daily] Tageszusammenfassung - 22.10.2019

Tue Oct 22 18:42:16 CEST 2019

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 21-10-2019 18:00 − Dienstag 22-10-2019 18:00
Handler:     Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Three Service Account Secrets Straight from Hackers and Security Pros ∗∗∗
---------------------------------------------
A survey of nearly 300 Black Hat conference attendees this year showed strong agreement that service accounts are an attractive target.
---------------------------------------------
https://threatpost.com/service-account-secrets/148996/


∗∗∗ MISP Summit 0x05 Wrap-Up ∗∗∗
---------------------------------------------
I’m in Luxembourg for a full week of infosec events. It started today with the MISP summit. It was already the fifth edition and, based on the number of attendees, the tool is getting more and more popularity.
---------------------------------------------
https://blog.rootshell.be/2019/10/21/misp-summit-0x05-wrap-up/


∗∗∗ emotet_network_protocol ∗∗∗
---------------------------------------------
This repository has been created with the idea of helping the community of cybersecurity researchers and malware researchers. It explains in detail how the network communication protocol used by Emotet to communicate with the C&Cs works. Knowing all these details, it should be relatively easy to emulate the communication, and obtain the new modules and distributed malware directly from the c&c.
---------------------------------------------
https://d00rt.github.io/emotet_network_protocol/


∗∗∗ Avast, NordVPN Breaches Tied to Phantom User Accounts ∗∗∗
---------------------------------------------
Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that -- while otherwise unrelated -- shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password.
---------------------------------------------
https://krebsonsecurity.com/2019/10/avast-nordvpn-breaches-tied-to-phantom-user-accounts/


∗∗∗ The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT ∗∗∗
---------------------------------------------
Bread crumbs left behind open up a possible connection between Magecart Group 5 and Carbanak.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/


∗∗∗ Malspam Campaign Targeted German Organizations with Buran Ransomware ∗∗∗
---------------------------------------------
Researchers spotted a malspam campaign that targeted German organizations with samples of the Buran crypto-ransomware family. In early October, Bromium observed a malspam campaign whose emails impersonated online fax service eFax. The emails contained hyperlinks to a PHP page that served up malicious Word documents.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/malspam-campaign-targeted-german-organizations-with-buran-ransomware/


∗∗∗ genosyla.net und versandhaus-voss.de liefern keine Ware ∗∗∗
---------------------------------------------
Bei genosyla.net und versandhaus-voss.de finden Sie günstige Elektrogeräte. Viele Produkte sind im Schnitt 100 Euro billiger als bei anderen Shops. Der Haken: die Ware wird trotz Bezahlung nie geliefert. Es handelt sich um betrügerische Webshops. Sie verlieren Ihr Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/genosylanet-und-versandhaus-vossde-liefern-keine-ware/


∗∗∗ Browser-based attacks, our customers, and us ∗∗∗
---------------------------------------------
While some browser-based attacks such as web skimming steal customer data and thus victimize both the organization and the users, other attacks leverage an organizations website to attack the customers or to attack another organization entirely.
---------------------------------------------
https://www.zdnet.com/article/browser-based-attacks-our-customers-and-us/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (jss and kernel), Debian (libpcap, openjdk-8, and tcpdump), Fedora (java-11-openjdk), openSUSE (libreoffice), Oracle (java-1.7.0-openjdk), Red Hat (java-1.7.0-openjdk, python, and wget), Scientific Linux (java-1.7.0-openjdk), SUSE (ceph, ceph-iscsi, ses-manual_en, dhcp, openconnect, and procps), and Ubuntu (exiv2, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, [...]
---------------------------------------------
https://lwn.net/Articles/802863/


∗∗∗ ZDI-19-908: Foxit Studio Photo JPEG Batch Processing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-908/


∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-bulletin-ibm-event-streams-is-affected-by-jackson-databind-vulnerabilities/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily