[CERT-daily] Tageszusammenfassung - 31.10.2019

Thu Oct 31 18:41:23 CET 2019

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 30-10-2019 18:00 − Donnerstag 31-10-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ EML attachments in O365 - a recipe for phishing, (Thu, Oct 31st) ∗∗∗
---------------------------------------------
Ive recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful.
---------------------------------------------
https://isc.sans.edu/diary/rss/25474


∗∗∗ Data URLs and HTML Entities in New WordPress Malware ∗∗∗
---------------------------------------------
Last week, an ongoing WordPress malware campaign started a new wave which included a variety of experimental injection types. Scripts as Data URLs The first type looks pretty similar to what we discussed in our recent post.  However, instead of placing the code between the … tags, these injections have begun to embed them inline using a so called data URL notation in the src parameter.
---------------------------------------------
https://blog.sucuri.net/2019/10/data-urls-and-html-entities-in-new-wordpress-malware.html


∗∗∗ MS-ISAC Releases EOS Software Report List ∗∗∗
---------------------------------------------
Original release date: October 30, 2019The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an end-of-support (EOS) software report list. Software that has reached its EOS date no longer receives security updates and patches from the vendor and is, therefore, susceptible to exploitation from security vulnerabilities.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/10/30/ms-isac-releases-eos-software-report-list


∗∗∗ 5th eHealth Security Conference: ENISA advises on cybersecurity for hospitals ∗∗∗
---------------------------------------------
ENISA, the EU Agency for Cybersecurity organised the 5th consecutive eHealth Security Conference in cooperation with the Spanish Authorities and the Centre for Information Security of Catalonia (CESICAT) on the 30th October in Barcelona.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/5th-ehealth-security-conference-enisa-advises-on-cybersecurity-for-hospitals


∗∗∗ Office 365 Users Targeted by Voicemail Scam Pages ∗∗∗
---------------------------------------------
Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious [...]
---------------------------------------------
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/office-365-users-targeted-by-voicemail-scam-pages/


∗∗∗ Ungenutzte E-Mail-Adressen ermöglichen Zugang zu persönlichen Konten ∗∗∗
---------------------------------------------
E-Mail-Adressen, die nicht mehr genutzt werden, werden oft neu vergeben. Wenn diese Adressen noch bei Social-Media-Konten, Gaming-Accounts, Online-Shops oder anderen Zugangsdaten hinterlegt sind, können sich die neuen BesitzerInnen Zugang zu diesen Konten verschaffen. Kriminelle nutzen das zu Betrugs- und Erpressungszwecken aus.
---------------------------------------------
https://www.watchlist-internet.at/news/ungenutzte-e-mail-adressen-ermoeglichen-zugang-zu-persoenlichen-konten/


∗∗∗ Untitled Goose Game security hole could have allowed hackers to wreak havoc ∗∗∗
---------------------------------------------
The highly popular “Untitled Goose Game” has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer.
---------------------------------------------
https://hotforsecurity.bitdefender.com/blog/untitled-goose-game-security-hole-could-have-allowed-hackers-to-wreak-havoc-21721.html


∗∗∗ Home & Small Office Wireless Routers Exploited to Attack Gaming Servers ∗∗∗
---------------------------------------------
Unit 42 researchers discovered an updated Gafgy variant that looks to infect home and small office WiFi routers of known commercial brands, like Zyxel, Huawei, and Realtek to attack gaming servers. More than 32,000 WiFi routers are potentially vulnerable to these exploits around the world.
---------------------------------------------
https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/


∗∗∗ Vorwarnung: Neue Webseite kommt nächste Woche ∗∗∗
---------------------------------------------
tl;dr: Nein, wir werden nächste Woche nicht gehackt, wir stellen nur eine neue Webseite online.
---------------------------------------------
http://www.cert.at/services/blog/20191031121150-2561.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ XSA-299 Security Vulnerability ∗∗∗
---------------------------------------------
IBM is aware of a reported XSA-299 security vulnerability (CVE-2019-18421) that potentially would permit an attacker from within a VSI to elevate privileges to that of the host.There are no known malicious exploits of this vulnerability, which potentially impacts the hypervisor.IBM is implementing updates to remediate this vulnerability. No downtime for clients is expected and no client action is necessary for IBM Cloud virtual servers. While we do not anticipate any issues with remediation, we [...]
---------------------------------------------
https://www.ibm.com/blogs/psirt/xsa-299-security-vulnerability/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (italc and python-ecdsa), Fedora (php and sudo), openSUSE (binutils and docker-runc), Oracle (thunderbird), Red Hat (firefox and sudo), SUSE (ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, [...]
---------------------------------------------
https://lwn.net/Articles/803583/


∗∗∗ XSA-303 - ARM: Interrupts are unconditionally unmasked in exception handlers ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-303.html


∗∗∗ XSA-302 - passed through PCI devices may corrupt host memory after deassignment ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-302.html


∗∗∗ XSA-301 - add-to-physmap can be abused to DoS Arm hosts ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-301.html


∗∗∗ XSA-299 - Issues with restartable PV type change operations ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-299.html


∗∗∗ XSA-298 - missing descriptor table limit checking in x86 PV emulation ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-298.html


∗∗∗ XSA-296 - VCPUOP_initialise DoS ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-296.html


Next End-of-Day report: 2019-11-04

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily