[CERT-daily] Daily summary - 10.12.2020

Daily end-of-shift report team at cert.at
Thu Dec 10 18:10:15 CET 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 10-12-2020 18:00 − Thursday 10-12-2020 18:00
Handler:     Stephan Richter
Co-Handler:  Dimitri Robl

=====================
=       News        =
=====================

∗∗∗ Qbot malware switched to stealthy new Windows autostart method ∗∗∗
---------------------------------------------
A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shut down, and it automatically removes any traces when the system restarts or wakes up from sleep.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-stealthy-new-windows-autostart-method/


∗∗∗ Adobe Flash Player: Now it is finally over ∗∗∗
---------------------------------------------
The end of Adobe Flash Player has been announced for years. In January 2021 it is now actually supposed to happen.
---------------------------------------------
https://www.golem.de/news/adobe-flash-player-jetzt-ist-endgueltig-schluss-2012-152739.html


∗∗∗ Python Backdoor Talking to a C2 Through Ngrok, (Thu, Dec 10th) ∗∗∗
---------------------------------------------
I spotted a malicious Python script that implements a backdoor. The interesting behavior is the use of Ngrok to connect to the C2 server. Ngrok has been used for a while by attackers. Like most services available on the Internet, it has been abused by attackers for a long time.
---------------------------------------------
https://isc.sans.edu/diary/rss/26866


∗∗∗ PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL ∗∗∗
---------------------------------------------
PGMiner is a novel Linux-based cryptocurrency mining botnet that exploits a disputed PostgreSQL remote code execution vulnerability.
---------------------------------------------
https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/


∗∗∗ Hackers are selling more than 85,000 SQL databases on a dark web portal ∗∗∗
---------------------------------------------
Hackers break into databases, steal their content, hold it for ransom for 9 days, and then sell it to the highest bidder if the DB owner doesn't want to pay the ransom demand.
---------------------------------------------
https://www.zdnet.com/article/hackers-are-selling-more-than-85000-sql-databases-on-a-dark-web-portal/


∗∗∗ Proof-of-concept exploit code published for new Kerberos Bronze Bit attack ∗∗∗
---------------------------------------------
The Kerberos Bronze Bit attack can allow intruders to bypass authentication and access sensitive network services.
---------------------------------------------
https://www.zdnet.com/article/proof-of-concept-exploit-code-published-for-new-kerberos-bronze-bit-attack/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites ∗∗∗
---------------------------------------------
On November 4, 2020, the Wordfence Threat Intelligence team found two reflected Cross-Site Scripting (XSS) vulnerabilities in PageLayer, a WordPress plugin installed on over 200,000 sites. These vulnerabilities could lead to an attacker executing malicious JavaScript in an administrator's browser, which could lead to takeover of a vulnerable WordPress site. We contacted the plugin's publisher, ...
---------------------------------------------
https://www.wordfence.com/blog/2020/12/reflected-xss-in-pagelayer-plugin-affects-over-200000-wordpress-sites/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ant, cimg, containerd, libproxy, libproxy-mozjs, libproxy-webkit, libslirp, python-lxml, tomcat8, tomcat9, and xorg-server), CentOS (firefox and thunderbird), Debian (apt, linux-4.19, python-apt, and sqlite3), Fedora (ceph, chromium, containerd, matrix-synapse, mingw-openjpeg2, openjpeg2, python-authlib, python-canonicaljson, and spice-gtk), Mageia (chromium-browser-stable), openSUSE (chromium and pngcheck), Slackware (curl), SUSE (clamav, curl,
---------------------------------------------
https://lwn.net/Articles/839668/


∗∗∗ Serious Vulnerabilities in Dualog Connection Suite ∗∗∗
---------------------------------------------
TL;DR: The flaws found in this maritime comms and connection suite were many, and not insignificant: directory traversal; 2FA challenge/response is performed in a client-side application; default install password; SQL […]
---------------------------------------------
https://www.pentestpartners.com/security-blog/serious-vulnerabilities-in-dualog-connection-suite/


∗∗∗ Medtronic MyCareLink ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Authentication, Heap-based Buffer Overflow, and Time-of-check Time-of-use Race Condition vulnerabilities in the Medtronic MyCareLink Patient Reader.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01


∗∗∗ Mitsubishi Electric MELSEC iQ-F Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Check or Handling of Exceptional Conditions vulnerability in Mitsubishi Electric's MELSEC iQ-F series FX5U(C) CPU modules.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-345-01


∗∗∗ Host Engineering H2-ECOM100 Module ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in the Host Engineering ECOM100 Module, an Ethernet communications module for PLC systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-345-02


∗∗∗ Gafgyt Using Pulse Secure Vulnerability ∗∗∗
---------------------------------------------
Summary: A vulnerability in Pulse Secure's Connect VPN framework is allowing for exploitation by Gafgyt. Avira details how this exploit works in a new blog. Threat Type: Malware, Vulnerability. Overview: Avira Labs has observed an increase in IoT malware binaries. These binaries have the capability to exploit CVE-2020-8218. This increase led to the discovery of a new variant of Gafgyt. Its functionality is mostly the same as the original Gafgyt with some inclusion of functionality from other malware
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/02145e80d8a7b87b486015b358849987


∗∗∗ Cisco Jabber Desktop and Mobile Client Software Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO


∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise V11 (CVE-2020-8244) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-app-connect-enterprise-v11-cve-2020-8244/


∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect (CVE-2019-1552) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-integration-bus-and-ibm-app-connect-cve-2019-1552/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-node-js/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Codec ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-apache-commons-codec/


∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-sdk-for-node-js-in-ibm-cloud-4/


∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-apache-struts-affect-ibm-sterling-file-gateway-cve-2019-0233-cve-2019-0230-3/


∗∗∗ Security Bulletin: Vulnerability in Hibernate Validator affects Liberty for Java for IBM Cloud (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernate-validator-affects-liberty-for-java-for-ibm-cloud-cve-2020-10693/


∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-buffer-overflow-cve-2020-4701-3/


∗∗∗ Security Bulletin: JRE vulnerability (CVEID: 178768) impacts IBM Aspera High-Speed Transfer Server/IBM Aspera High-Speed Transfer Endpoint version 3.9.6.2 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jre-vulnerability-cveid-178768-impacts-ibm-aspera-high-speed-transfer-server-ibm-aspera-high-speed-transfer-endpoint-version-3-9-6-2-and-earlier/


∗∗∗ Security Bulletin: Vulnerability in ksu affects AIX (CVE-2020-4829) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksu-affects-aix-cve-2020-4829/


∗∗∗ Symantec Messaging Gateway: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1222

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
