[CERT-daily] Tageszusammenfassung - 08.04.2020

Wed Apr 8 18:20:42 CEST 2020

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 07-04-2020 18:00 − Mittwoch 08-04-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Web server security: Infrastructure components ∗∗∗
---------------------------------------------
Cybercriminals understand that your website is not only the face of your organization, but often also its weakest link. With just one misconfigured port, malicious spearphishing email or unpatched vulnerability, an attacker can deploy a range of techniques and tools to enter and then move undetected throughout a network to find a valuable target.
---------------------------------------------
https://resources.infosecinstitute.com/web-server-security-infrastructure-components/


∗∗∗ FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks ∗∗∗
---------------------------------------------
FIN6 fingerprints were spotted in recent cyberattacks that initially infected victims with the TrickBot trojan, and then eventually downloaded the Anchor backdoor malware.
---------------------------------------------
https://threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/154508/


∗∗∗ Microsoft shares new threat intelligence, security guidance during global crisis ∗∗∗
---------------------------------------------
Our threat intelligence shows that COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to the pandemic. We’re seeing a changing of lures, not a surge in attacks. These attacks are settling into the normal ebb and flow of the threat environment.
---------------------------------------------
https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-threat-intelligence-security-guidance-during-global-crisis/


∗∗∗ DDG botnet, round X, is there an ending? ∗∗∗
---------------------------------------------
DDG is a mining botnet that we first blogged about in Jan 2018, we reported back then that it had made a profit somewhere between 5.8million and 9.8million RMB(about 820,000 to 1.4Million US dollar ), [...]
---------------------------------------------
https://blog.netlab.360.com/an-update-on-the-ddg-botnet/


∗∗∗ COVID-19 Exploited by Malicious Cyber Actors ∗∗∗
---------------------------------------------
This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC). This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for [...]
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/aa20-099a


∗∗∗ New dark_nexus IoT Botnet Puts Others to Shame ∗∗∗
---------------------------------------------
Bitdefender researchers have recently found a new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen.
---------------------------------------------
https://labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-to-shame/


∗∗∗ Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation ∗∗∗
---------------------------------------------
This blog post continues the FLARE script series with a discussion of patching IDA Pro database files (IDBs) to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in IDB mode to sidestep tedious debugging scenarios and get quick results.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html


∗∗∗ These hackers have been quietly targeting Linux servers for years ∗∗∗
---------------------------------------------
Researchers at Blackberry detail a newly uncovered hacking campaign that has been operating successfully against unpatched open-source servers for the best part of a decade.
---------------------------------------------
https://www.zdnet.com/article/these-hackers-have-been-quietly-targeting-linux-servers-for-years/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Advantech WebAccess/NMS ∗∗∗
---------------------------------------------
This advisory contains mitigations for multiple vulnerabilities in Advantechs WebAccess/NMS network management system.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-01


∗∗∗ GE Digital CIMPLICITY ∗∗∗
---------------------------------------------
This advisory contains mitigations for a privilege escalation vulnerability in GE Digital CIMPLICITY HMI/SCADA products.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-02


∗∗∗ HMS Networks eWON Flexy and Cosy ∗∗∗
---------------------------------------------
This advisory contains mitigations for a cross-site scripting vulnerability in HMS Networks eWON Flexy and Cosy Industrial VPN routers.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-03


∗∗∗ Fuji Electric V-Server Lite ∗∗∗
---------------------------------------------
This advisory contains mitigations for a heap-based buffer overflow vulnerability in Fuji Electrics V-Server Lite data collection and management service.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-04


∗∗∗ KUKA.Sim Pro ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-05


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (firefox), Debian (chromium and firefox-esr), Oracle (ipmitool and telnet), Red Hat (firefox and qemu-kvm), Scientific Linux (firefox, krb5-appl, and qemu-kvm), Slackware (firefox), SUSE (gmp, gnutls, libnettle and runc), and Ubuntu (firefox, gnutls28, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and linux-azure, linux-gcp, linux-gke-5.0, linux-oem-osp1, [...]
---------------------------------------------
https://lwn.net/Articles/817059/


∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0294


∗∗∗ Security Advisory - Information Disclosure Vulnerability about SWAPGS Instruction ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200408-01-swapgs-en


∗∗∗ Security Bulletin: IBM Security Information Queue could reveal sensitive data in application error messages (CVE-2020-4164) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-could-reveal-sensitive-data-in-application-error-messages-cve-2020-4164/


∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-to-using-python-component-with-known-vulnerabilities-in-rhel-7/


∗∗∗ Security Bulletin: Insufficient command validation in IBM Security Information Queue (CVE-2020-4282) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-command-validation-in-ibm-security-information-queue-cve-2020-4282/


∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities affect IBM DOORS Next Generation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scripting-vulnerabilities-affect-ibm-doors-next-generation/


∗∗∗ Security Bulletin: IBM Security Information Queue has insufficient session expiration (CVE-2020-4284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-has-insufficient-session-expiration-cve-2020-4284/


∗∗∗ Security Bulletin: IBM Security Information Queue uses components with known vulnerabilities (CVE-2019-8331, CVE-2019-11358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-uses-components-with-known-vulnerabilities-cve-2019-8331-cve-2019-11358/


∗∗∗ Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-does-not-invalidate-sessions-after-logout-cve-2020-4291/


∗∗∗ Security Bulletin: IBM Security Information Queue does not prevent a product's owner from being modified (CVE-2020-4290) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-does-not-prevent-a-products-owner-from-being-modified-cve-2020-4290/


∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Quality Manager (RQM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-quality-manager-rqm/


∗∗∗ Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2019-19925, CVE-2019-19645, CVE-2019-19924, CVE-2019-19923, CVE-2019-19880, CVE-2019-19646, CVE-2019-19926) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-sqlite-affects-ibm-cloud-application-performance-management-response-time-monitoring-agent-cve-2019-19925-cve-2019-19645-cve-2019-19924-cve-2019-19923-cve-20/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily