[CERT-daily] Tageszusammenfassung - 10.04.2020

Daily end-of-shift report team at cert.at
Fri Apr 10 18:15:58 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 09-04-2020 18:00 − Freitag 10-04-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ DNS: Gehackte Router zeigen Coronavirus-Warnung mit Schadsoftware ∗∗∗
---------------------------------------------
Gehackte Router leiten bekannte Domains auf eine gefälschte Warnung der WHO um und versuchen, ihren Opfern eine Schadsoftware unterzujubeln.
---------------------------------------------
https://www.golem.de/news/dns-gehackte-router-zeigen-coronavirus-warnung-mit-schadsoftware-2003-147511-rss.html


∗∗∗ Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th) ∗∗∗
---------------------------------------------
How can you know which operating system is running on a specific remote host? The technique to answer this question corresponds to the fingerprinting of the operating system and is executed by sending a specific set of packages to the remote host and see how it behaves. Each operating system responds differently, which allows it to be identified.
---------------------------------------------
https://isc.sans.edu/diary/rss/25960


∗∗∗ PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th) ∗∗∗
---------------------------------------------
Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of Powershell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified.
---------------------------------------------
https://isc.sans.edu/diary/rss/26004


∗∗∗ Analysis of a WordPress Credit Card Swiper ∗∗∗
---------------------------------------------
While working on a recent case, I found something on a WordPress website that is not as common as on Magento environments: A credit card swiper injection. Typically this type of malware targets dedicated ecommerce platforms such as Magento and Prestashop (due to their focus in handling payment information, which we have documented extensively in the past). With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing [...]
---------------------------------------------
https://blog.sucuri.net/2020/04/analysis-of-a-wordpress-credit-card-swiper.html


∗∗∗ Sophos Releases Sandboxie in Open Source ∗∗∗
---------------------------------------------
Sophos this week announced that the source code of isolation tool Sandboxie is now publicly available.
---------------------------------------------
https://www.securityweek.com/sophos-releases-sandboxie-open-source


∗∗∗ Gefälschte Mails von Sebastian Kurz im Umlauf ∗∗∗
---------------------------------------------
Viele Menschen benötigen derzeit aufgrund geschlossener Betriebe oder fehlender Aufträge finanzielle Unterstützung. Kriminelle nützen diese Ausnahmesituation aus und verschicken E-Mails im Namen von Sebastian Kurz, in denen sie rasche Soforthilfe anbieten. Der Link in diesen E-Mails führt jedoch zu einer unseriösen Trading-Plattform, bei der den Internet-NutzerInnen durch das Investment in Bitcoins schnelles Geld versprochen wird.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-mails-von-sebastian-kurz-im-umlauf/


∗∗∗ CVE-2020-0688: Verwundbare Microsoft Exchange Server in Österreich ∗∗∗
---------------------------------------------
Mit CVE-2020-0688 wurde im Februar eine Lücke in Microsoft Exchange Servern gepatched, die AngreiferInnen ermöglicht, beliebigen Code über das Netzwerk auszuführen -- und das mit NT Authority\SYSTEM also der Windows-Entsprechung von root. Für eine erfolgreiche Attacke werden zwar gültige Zugangsdaten für einen Mailaccount benötigt, da es bei CVE-2020-0688 aber auch zu einer Privilegieneskaltion kommt, können diese auch unpriviligiert sein.
---------------------------------------------
https://cert.at/de/blog/2020/4/cve-2020-0688-verwundbare-microsoft-exchange-server-in-osterreich



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Rockwell Automation RSLinx Classic ∗∗∗
---------------------------------------------
This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in the Rockwell Automation RSLinx Classic PLC communications software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-100-01


∗∗∗ VMSA-2020-0006 ∗∗∗
---------------------------------------------
VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0006.html


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, haproxy, libssh, and wireshark-cli), Fedora (firefox, glibc, nss, and rubygem-puma), openSUSE (ceph, exim, firefox, and gnuhealth), Oracle (firefox, kernel, and qemu-kvm), and SUSE (djvulibre and firefox).
---------------------------------------------
https://lwn.net/Articles/817233/


∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-affects-ibm-integration-bus-ibm-app-connect-enterprise-v11/


∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vulnerability-in-websphere-application-server-cve-2020-4362/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-3/


∗∗∗ Security Bulletin: Possible remote code execution vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-possible-remote-code-execution-vulnerability-in-watson-knowledge-catalog-for-ibm-cloud-pak-for-data/


∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vulnerability-with-ibm-java-affects-spss-modeler/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list