[CERT-daily] Tageszusammenfassung - 16.03.2020

Mon Mar 16 18:17:13 CET 2020

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 13-03-2020 18:00 − Montag 16-03-2020 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Kritische Lücke: Angreifer könnten aus VMware Fusion und Workstation ausbrechen ∗∗∗
---------------------------------------------
Wer virtuelle Maschinen mit Fusion, Horizon, Remote Console (VMRC) und Workstation betreibt, sollte sich aus Sicherheitsgründen die aktualisierten Versionen herunterladen und installieren. Andernfalls könnten Angreifer im schlimmsten Fall aus einer VM ausbrechen und Schadcode im Host-System ausführen.
---------------------------------------------
https://www.heise.de/security/meldung/Kritische-Luecke-Angreifer-koennten-aus-VMware-Fusion-und-Workstation-ausbrechen-4683204.html


∗∗∗ Saving Shadowserver and Securing the Internet — Why You Should Care & How You Can Help ∗∗∗
---------------------------------------------
Shadowserver has unexpectedly lost the financial support of our largest sponsor. We need to transition the impacted operations staff and move our data center by May 26th 2020. This is an extremely aggressive timeline. We urgently appeal to our constituents and the community to rally together, help save Shadowserver and help secure the Internet. This is the initial announcement and the index page to more detailed supporting content.
---------------------------------------------
https://www.shadowserver.org/news/saving-shadowserver-and-securing-the-internet-why-you-should-care-how-you-can-help/


∗∗∗ BlackWater Malware Abuses Cloudflare Workers for C2 Communication ∗∗∗
---------------------------------------------
A new backdoor malware called BlackWater pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malwares command and control (C2) server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/


∗∗∗ MonitorMinor: vicious stalkerware ∗∗∗
---------------------------------------------
The other day, our Android traps ensnared an interesting specimen of stalkerware. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality.
---------------------------------------------
https://securelist.com/monitorminor-vicious-stalkerware/95575/?utm_source=rss&utm_medium=rss&utm_campaign=monitorminor-vicious-stalkerware


∗∗∗ Phishing PDF With Incremental Updates., (Sat, Mar 14th) ∗∗∗
---------------------------------------------
Someone asked me for help with this phishing PDF.
---------------------------------------------
https://isc.sans.edu/diary/rss/25904


∗∗∗ Desktop.ini as a post-exploitation tool, (Mon, Mar 16th) ∗∗∗
---------------------------------------------
Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however.
---------------------------------------------
https://isc.sans.edu/diary/rss/25912


∗∗∗ Open MQTT Report - Expanding the Hunt for Vulnerable IoT devices ∗∗∗
---------------------------------------------
New MQTT IPv4 scans are now carried out daily as part of our efforts to expand our capability to enable the mapping of exposed IoT devices on the Internet. A new report - Open MQTT - is now shared in our free daily victim remediation reports to 107 National CSIRTs and 4600+ network owners. In particular, the report identifies accessible MQTT broker service that enable anonymous access. The work is being carried out as part of the EU CEF VARIoT (Vulnerability and Attack Repository for IoT)
---------------------------------------------
https://www.shadowserver.org/news/open-mqtt-report-expanding-the-hunt-for-vulnerable-iot-devices/


∗∗∗ Has The Sun Set On The Necurs Botnet? ∗∗∗
---------------------------------------------
Private sector partners Microsoft and Bitsight announced their disruption of the Necurs botnet on March 10th 2020. Shadowserver supported the operation, through the use of our Registrar of Last Resort (RoLR) for helping to deal with the millions of potential DGA C2 domains involved, and by making available our victim remediation reporting channels. In this blog post we provide our take on some of the more interesting aspects of this operation, analyze the sinkholed Necurs victim populations and [...]
---------------------------------------------
https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/


∗∗∗ COVID-19 Themed Phishing Campaigns Continue ∗∗∗
---------------------------------------------
Another COVID-19 (Coronavirus) phishing campaign has been discovered -- this one apparently operated by the Pakistan-based APT36, which is thought to be nation-backed.
---------------------------------------------
https://www.securityweek.com/covid-19-themed-phishing-campaigns-continue


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (graphicsmagick, qemu, and slurm-llnl), Fedora (ansible, couchdb, mediawiki, and python3-typed_ast), Gentoo (atftp, curl, file, gdb, git, gst-plugins-base, icu, libarchive, libgcrypt, libjpeg-turbo, libssh, libvirt, musl, nfdump, ppp, python, ruby-openid, runc, sqlite, squid, sudo, SVG Salamander, systemd, thunderbird, tiff, and webkit-gtk), Mageia (firefox, kernel, and thunderbird), openSUSE (firefox, librsvg, php7, and tomcat), Red Hat (firefox), [...]
---------------------------------------------
https://lwn.net/Articles/815097/


∗∗∗ Security Bulletin: IBM MQ and IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2019-4719) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-ibm-mq-appliance-could-allow-a-local-attacker-to-obtain-sensitive-information-cve-2019-4719/


∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing error messages. (CVE-2019-4656) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-caused-by-an-error-processing-error-messages-cve-2019-4656/


∗∗∗ Security Bulletin: IBM Cloud Automation Manager Session Fixation Vulnerability (CVE-2019-4617) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-automation-manager-session-fixation-vulnerability-cve-2019-4617/


∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services v2.1.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affect-financial-transaction-manager-for-corporate-payment-services-v2-1-1/


∗∗∗ Security Bulletin: IBM MQ could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. (CVE-2019-4619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-a-local-attacker-to-obtain-sensitive-information-by-inclusion-of-sensitive-data-within-trace-cve-2019-4619/


∗∗∗ Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Beanutils (CVE-2019-10086) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-wireline-is-vulnerable-to-apache-commons-beanutils-cve-2019-10086/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily