[CERT-daily] Tageszusammenfassung - 01.12.2020

Daily end-of-shift report team at cert.at
Tue Dec 1 18:14:46 CET 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 30-11-2020 18:00 − Dienstag 01-12-2020 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Banking-Malware Gootkit ist zurück und hat es auf PCs in Deutschland abgesehen ∗∗∗
---------------------------------------------
Das CERT-Bund und verschiedene Sicherheitsforscher warnen vor Trojaner-Attacken. Infektionen sind aber nicht ohne Weiteres möglich.
---------------------------------------------
https://heise.de/-4976043


∗∗∗ FBI warns of BEC scammers using email auto-forwarding in attacks ∗∗∗
---------------------------------------------
The FBI is warning U.S. companies about scammers actively abusing auto-forwarding rules on web-based email clients to increase the likelihood of successful Business Email Compromise (BEC) attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-bec-scammers-using-email-auto-forwarding-in-attacks/


∗∗∗ Critical Oracle WebLogic flaw actively exploited by DarkIRC malware ∗∗∗
---------------------------------------------
A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit the CVE-2020-14882 remote code execution (RCE) vulnerability fixed by Oracle two months ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-oracle-weblogic-flaw-actively-exploited-by-darkirc-malware/


∗∗∗ IceRat evades antivirus by running PHP on Java VM ∗∗∗
---------------------------------------------
IceRat keeps low detections rates for weeks by using an unusual language implementation: JPHP. But there are more reasons than the choice of the compiler. This article explores IceRat and explains a way to analyze JPHP malware.
---------------------------------------------
https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp


∗∗∗ How prevalent is DNS spoofing? Could a repeat of the Dyn/Mirai DDoS attack have the same results? ∗∗∗
---------------------------------------------
Two separate groups of academics have recently released research papers based on research into the Domain Name System (DNS). One has found that the overwhelming majority of popular site operators haven’t learned from the 2016 Dyn/Mirai incident/attack and set up a backup DNS server, and the other has shown that the rate of DNS spoofing, though still very small, has more than doubled in less than seven years.
---------------------------------------------
https://www.helpnetsecurity.com/2020/12/01/dns-spoofing/


∗∗∗ Xanthe - Docker aware miner ∗∗∗
---------------------------------------------
Ransomware attacks and big-game hunting making the headlines, but adversaries use plenty of other methods to monetize their efforts in less intrusive ways. Cisco Talos recently discovered a cryptocurrency-mining botnet attack were calling "Xanthe," which attempted to compromise one of Ciscos security honeypots for tracking Docker-related threats.
---------------------------------------------
https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html


∗∗∗ Docker malware is now common, so devs need to take Docker security seriously ∗∗∗
---------------------------------------------
Three years after the first malware attacks targeting Docker, developers are still misconfiguring and exposing their Docker servers online.
---------------------------------------------
https://www.zdnet.com/article/docker-malware-is-now-common-so-devs-need-to-take-docker-security-seriously/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ GO SMS Pro Vulnerable to File Theft: Part 2 ∗∗∗
---------------------------------------------
Last week we released an advisory about an SMS app called GO SMS Pro. Media files sent via text in the app are stored insecurely on a publicly accessible server. With some very minor scripting, it is trivial to throw a wide net around that content. While its not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you. [...] It seems like GOMO is attempting to fix the issue, but a complete fix is still not available in the app.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/go-sms-pro-vulnerable-to-file-theft-part-2/


∗∗∗ Multiple (RCE) Vulnerabilities in Micro Focus Operations Bridge Manager ∗∗∗
---------------------------------------------
After analysing OBM, I found a mountain of critical security vulnerabilities that when combined result in a complete compromise of the application: 
- Use of Hard-coded Credentials 
- Insecure Java Deserialization (an incredible total of 41 of them) 
- Use of Outdated and Insecure Java Libraries 
- Incorrect Default Folder Permissions (resulting in Privilege Escalation to SYSTEM) 
All of these vulnerabilities affect the latest version, 2020.05, and possibly earlier versions. Both Windows and Linux installations are affected, except for the privilege escalation, which only affects Windows.
---------------------------------------------
https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md


∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0009 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] 
Impact: Processing maliciously crafted web content may lead toarbitrary code execution.
---------------------------------------------
https://webkitgtk.org/security/WSA-2020-0009.html


∗∗∗ QNAP QTS: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1181


∗∗∗ Foxit Phantom PDF Suite: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1180


∗∗∗ HCL Domino: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1177


∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-buffer-overflow-cve-2020-4701-2/


∗∗∗ Security Bulletin: Information disclosure vulnerability may affect IBM Business Automation Workflow – CVE-2020-4900 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-may-affect-ibm-business-automation-workflow-cve-2020-4900-2/


∗∗∗ Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-node-js-upgrade-for-ibm-cloud-pak-for-data-streams-flows-2/


∗∗∗ Security Bulletin: Node.js module upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-node-js-module-upgrade-for-ibm-cloud-pak-for-data-streams-flows/


∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-ibm-websphere-application-server-affects-ibm-voice-gateway/


∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-affects-ibm-voice-gateway/


∗∗∗ Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-node-js-upgrade-for-ibm-cloud-pak-for-data-streams-flows/


∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-ibm-java-sdk-affects-ibm-voice-gateway-3/


∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-authenticated-attacker-to-execute-arbitrary-code-on-the-system-caused-by-dll-search-order-hijacking-vulnerability-in-microsoft-windows-clie-3/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list