[CERT-daily] Tageszusammenfassung - 03.12.2020

Daily end-of-shift report team at cert.at
Thu Dec 3 18:23:27 CET 2020 

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 02-12-2020 18:00 − Donnerstag 03-12-2020 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ APT-Gruppen: Turla und Co. tarnen Angriffe durch scheinbar harmlose Aktivitäten ∗∗∗
---------------------------------------------
Eine Spionage-Malware der wohl staatlich finanzierten Turla-Gang setzt auf Dropbox zum Datenklau. In einem anderen Fall verschleierte Coin-Mining Schlimmeres.
---------------------------------------------
https://heise.de/-4978541


∗∗∗ Studie: Schwachstellen in Open-Source-Software bleiben in der Regel vier Jahre unentdeckt ∗∗∗
---------------------------------------------
Patches stehen in der Regel innerhalb von vier Wochen zur Verfügung. Zudem sind nur 17 Prozent der registrierten Sicherheitslücken als "schädlich" einzustufen. GitHub sieht Open-Source-Software als "kritische Infrastruktur" an.
---------------------------------------------
https://www.zdnet.de/88390280/studie-schwachstellen-in-open-source-software-bleiben-in-der-regel-vier-jahre-unentdeckt/


∗∗∗ What did DeathStalker hide between two ferns? ∗∗∗
---------------------------------------------
While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware "PowerPepper".
---------------------------------------------
https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/


∗∗∗ Xerox DocuShare Bugs Allow Data Leaks ∗∗∗
---------------------------------------------
CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes.
---------------------------------------------
https://threatpost.com/xerox-docushare-bugs/161791/


∗∗∗ Another LILIN DVR 0-day being used to spread Mirai ∗∗∗
---------------------------------------------
In March, we reported[1] that multiple botnets, including Chalubo, Fbot, Moobot were using a same 0 day vulnerability to attack LILIN DVR devices, the vendor soon fixed the vulnerability. On August 26, 2020, our Anglerfish honeypot detected that another new LILINDVR/ [...]
---------------------------------------------
https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/


∗∗∗ Adventures in Anti-Gravity (Part II) ∗∗∗
---------------------------------------------
Here we continue to deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces), focusing on its Electron component.
---------------------------------------------
https://objective-see.com/blog/blog_0x5C.html


∗∗∗ TrickBot Malware Gets UEFI/BIOS Bootkit Feature to Remain Undetected ∗∗∗
---------------------------------------------
TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system. The new functionality, dubbed "TrickBoot" by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known [...]
---------------------------------------------
https://thehackernews.com/2020/12/trickbot-malware-gets-uefibios-bootkit.html


∗∗∗ Spamhaus Intelligence API: Free threat intelligence data for security developers ∗∗∗
---------------------------------------------
Spamhaus Technology releases its Intelligence API. This is the first time Spamhaus has released its extensive threat intelligence via API, providing enriched data relating to IP addresses exhibiting compromised behaviour. Available free of charge, developers can readily access enhanced data that catalogues IP addresses compromised by malware, worms, Trojan infections, devices controlled by botnets, and third party exploits, such as open proxies. The API features live and historical data, [...]
---------------------------------------------
https://www.helpnetsecurity.com/2020/12/03/spamhaus-intelligence-api/


∗∗∗ Open Source Tool Helps Secure Siemens PCS 7 Control Systems ∗∗∗
---------------------------------------------
Industrial cybersecurity company OTORIO has released an open source tool designed to help organizations harden Siemens’ SIMATIC PCS 7 distributed control systems (DCS).
---------------------------------------------
https://www.securityweek.com/open-source-tool-helps-secure-siemens-pcs-7-control-systems



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Google Play Apps Remain Vulnerable to High-Severity Flaw ∗∗∗
---------------------------------------------
Patches for a flaw (CVE-2020-8913) in the Google Play Core Library have not been implemented by several popular Google Play apps, including Cisco Teams and Edge.
---------------------------------------------
https://threatpost.com/google-play-apps-remain-vulnerable-to-high-severity-flaw/161785/


∗∗∗ iCloud for Windows 11.5 ∗∗∗
---------------------------------------------
Foundation: A local user may be able to read arbitrary files
ImageIO: Processing a maliciously crafted image may lead to arbitrary code execution
ImageIO: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
libxml2: Processing maliciously crafted web content may lead to code execution
libxml2: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
libxml2: Processing a maliciously crafted file may lead to arbitrary code execution
SQLite: A remote attacker may be able to cause a denial of service
SQLite: A remote attacker may be able to cause arbitrary code execution
SQLite: A remote attacker may be able to leak memory
SQLite: A maliciously crafted SQL query may lead to data corruption
WebKit: Processing maliciously crafted web content may lead to arbitrary code execution
---------------------------------------------
https://support.apple.com/kb/HT211935


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (cimg, pngcheck, poppler, tor, and xdg-utils), openSUSE (mariadb), Red Hat (go-toolset-1.14-golang), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/838870/


∗∗∗ Mozilla Foundation Security Advisory 2020-53 ∗∗∗
---------------------------------------------
In security advisory 2020-53, the Mozilla Foundation describes a stack overflow vulnerability (CVE-2020-26970) patched in Thunderbird 78.5.1. The issue was caused by writing an SMTP server status integer value on the stack designed to only hold one byte. This could potentially corrupt the stack which might be exploitable.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/0f933021879b159a96ec238084392321


∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1190


∗∗∗ Security Bulletin: Vulnerability in PyYAML affects IBM Spectrum Protect Plus Container and Microsoft File Systems Agents (CVE-2020-1747) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-pyyaml-affects-ibm-spectrum-protect-plus-container-and-microsoft-file-systems-agents-cve-2020-1747/


∗∗∗ Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a 3rd party cryptographc vulnerability (CVE-2020-4254) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-big-data-intelligence-sonarg-is-affected-by-a-3rd-party-cryptographc-vulnerability-cve-2020-4254/


∗∗∗ Security Bulletin: A security bypass vulnerability in Apache Solr (lucene) affects IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-bypass-vulnerability-in-apache-solr-lucene-affects-ibm-infosphere-information-server/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-affect-ibm-netezza-analytics/


∗∗∗ Security Bulletin: Multiple security vulnerabilities with Administration Console for Content Platform Engine component in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4447, CVE-2020-4759 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-with-administration-console-for-content-platform-engine-component-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list