[CERT-daily] Tageszusammenfassung - 24.08.2020

Daily end-of-shift report team at cert.at
Mon Aug 24 18:20:52 CEST 2020 

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 21-08-2020 18:00 − Montag 24-08-2020 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Ransomware attackiert VPN und RDP ∗∗∗
---------------------------------------------
Ransomware wird immer gefährlicher. Hacker nutzen vor allem das Remote Desktop Protocol (RDP), und Virtual Private Networks (VPN) als Einfallstore. E-Mail-Phishing verliert dagegen an Bedeutung.
---------------------------------------------
https://www.zdnet.de/88382240/ransomware-attackiert-vpn-und-rdp/


∗∗∗ DarkSide: New targeted ransomware demands million dollar ransoms ∗∗∗
---------------------------------------------
A new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/


∗∗∗ Lifting the veil on DeathStalker, a mercenary triumvirate ∗∗∗
---------------------------------------------
DeathStalker is a unique threat group that appears to target law firms and companies in the financial sector. They don’t deploy ransomware or steal payment information to resell it, their interest in gathering sensitive business information [...]
---------------------------------------------
https://securelist.com/deathstalker-mercenary-triumvirate/98177/


∗∗∗ Hunting for Risky Rules in Office 365 ∗∗∗
---------------------------------------------
When an attacker compromises an Office 365 mailbox, one of the most common activities that we see is new inbox rules being created - therefore finding these rules is a good way to identify compromised accounts and mailboxes.
---------------------------------------------
https://blog.rothe.uk/risky-rules-in-office365/


∗∗∗ Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach ∗∗∗
---------------------------------------------
The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html


∗∗∗ Protect your organization in the age of Magecart ∗∗∗
---------------------------------------------
The continuing wave of attacks by cybercriminal groups known under the umbrella term Magecart perfectly illustrates just how unprepared many e-commerce operations are from a security point of view. It all really boils down to timing. If the e-commerce world was able to detect such Magecart attacks in a matter of seconds (rather than weeks or months), then we could see an end to Magecart stealing all of the cybercrime headlines.
---------------------------------------------
https://www.helpnetsecurity.com/2020/08/24/protect-your-organization-in-the-age-of-magecart/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ WordPress WooCommerce stores under attack, patch now ∗∗∗
---------------------------------------------
Hackers are actively targeting and trying to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin with more than 30,000 installations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-woocommerce-stores-under-attack-patch-now/


∗∗∗ Xen Security Advisory CVE-2020-14364 / XSA-335 ∗∗∗
---------------------------------------------
An out-of-bounds read/write access issue was found in the USB emulator of the QEMU. It occurs while processing USB packets from a guest, when USBDevice->setup_len exceeds the USBDevice->data_buf[4096], in do_token_{in,out} routines.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-335.html


∗∗∗ Sicherheitsupdate: VMware App Volumes abgesichert ∗∗∗
---------------------------------------------
Angreifer könnten die Anwendungsmanagement-Software App Volumes von VMware attackieren.
---------------------------------------------
https://heise.de/-4876962


∗∗∗ VMSA-2020-0018 ∗∗∗
---------------------------------------------
VMware ESXi, vCenter Server, and Cloud Foundation updates address a partial denial of service vulnerability (CVE-2020-3976)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0018.html


∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome WebGL could lead to code execution ∗∗∗
---------------------------------------------
The Google Chrome web browser contains a use-after-free vulnerability in its WebGL component that could allow a user to execute arbitrary code in the context of the browser process.
---------------------------------------------
https://blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-aug-2020.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firejail, icingaweb2, inetutils, libjackson-json-java, proftpd-dfsg, python2.7, software-properties, and sqlite3), Fedora (chrony), Mageia (chrony), openSUSE (dovecot23, postgresql12, and python), Slackware (bind), SUSE (gettext-runtime and SUSE Manager Server 3.2), and Ubuntu (bind9).
---------------------------------------------
https://lwn.net/Articles/829486/


∗∗∗ Synology-SA-20:19 ISC BIND ∗∗∗
---------------------------------------------
CVE-2020-8622 allows remote authenticated users to conduct denial-of-service attacks via a susceptible version of DNS Server. None of Synologys products are affected by CVE-2020-8620, CVE-2020-8621, CVE-2020-8623, or CVE-2020-8624 as these vulnerabilities only affect ISC BIND 9.9.12 and later.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_19


∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
Two issues have been identified in Citrix Hypervisor that may, in certain configurations, allow privileged code in an HVM guest VM to execute code in the control domain, potentially compromising the host.
---------------------------------------------
https://support.citrix.com/article/CTX280451


∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0838


∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – CVE-2020-2601 affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-jan-2020-cve-2020-2601-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/


∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – Includes Oracle Jan 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-jan-2020-includes-oracle-jan-2020-cpu-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/


∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storager Server where an attacker can cause a denial of service (CVE-2020-4383) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-elastic-storager-server-where-an-attacker-can-cause-a-denial-of-service-cve-2020-4383/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-sterling-connectdirect-for-unix-2/


∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-from-kernel-affects-ibm-netezza-host-management-3/


∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a ClickJacking vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-a-clickjacking-vulnerability/


∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-a-components-with-known-vulnerabilities-2/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-sterling-connectdirect-for-unix/


∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-a-components-with-known-vulnerabilities/


∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by an Open Redirect vulnerabilitiy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-an-open-redirect-vulnerabilitiy/


∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-affects-ibm-spectrum-protect-plus-cve-2019-9924-3/


∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to multiple node.js vulnerabilities (CVE-2020-11080, CVE-2020-10531, CVE-2020-8172, CVE-2020-8174) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-multiple-node-js-vulnerabilities-cve-2020-11080-cve-2020-10531-cve-2020-8172-cve-2020-8174/


∗∗∗ Security Bulletin: Multiple Java vulnerabilities affect IBM Spectrum Protect Plus (CVE-2020-2805, CVE-2020-2803, CVE-2020-2830, CVE-2020-2781, CVE-2020-2800. CVE-2020-2757, CVE-2020-2756, CVE-2020-2755, CVE-2020-2754) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabilities-affect-ibm-spectrum-protect-plus-cve-2020-2805-cve-2020-2803-cve-2020-2830-cve-2020-2781-cve-2020-2800-cve-2020-2757-cve-2020-2756-cve-2020-275-2/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list