[CERT-daily] Tageszusammenfassung - 05.11.2020

Thu Nov 5 18:16:53 CET 2020

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 04-11-2020 18:00 − Donnerstag 05-11-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Exploit für Cisco-VPN AnyConnect in Umlauf - Sicherheitsupdate steht noch aus ∗∗∗
---------------------------------------------
Attacken auf Ciscos VPN-Lösung AnyConnect könnten kurz bevor stehen. Bislang gibt es aber nur Patches für andere Lücken in IOS XR, Webwex & Co.
---------------------------------------------
https://heise.de/-4948798


∗∗∗ Attacks on industrial enterprises using RMS and TeamViewer: new data ∗∗∗
---------------------------------------------
In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.
---------------------------------------------
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/99206/


∗∗∗ Did You Spot "Invoke-Expression"?, (Thu, Nov 5th) ∗∗∗
---------------------------------------------
When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet[1]. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string.
---------------------------------------------
https://isc.sans.edu/diary/rss/26762


∗∗∗ Legacy Mauthtoken Malware Continues to Redirect Mobile Users ∗∗∗
---------------------------------------------
During malware analysis, we regularly find variations of this injected script on various compromised websites: . The variable “_0x446d” assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we’ll end up with the following code: [...]
---------------------------------------------
https://blog.sucuri.net/2020/11/legacy-mauthtoken-malware-continues-to-redirect-mobile-users.html


∗∗∗ BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers ∗∗∗
---------------------------------------------
A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations.
---------------------------------------------
https://www.securityweek.com/bec-scammers-exploit-flaw-spoof-domains-rackspace-customers


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Sicherheitsupdates: BIG-IP Appliances und die Admin-Falle ∗∗∗
---------------------------------------------
Der Netzwerkausrüster F5 hat wichtige Patches zum Absichern verschiedener Appliances veröffentlicht.
---------------------------------------------
https://heise.de/-4949448


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bouncycastle, gdm3, and libonig), Fedora (arpwatch, thunderbird, and trousers), openSUSE (chromium, gn), Red Hat (freetype, libX11, thunderbird, and xorg-x11-server), and SUSE (ImageMagick, java-11-openjdk, salt, and wireshark).
---------------------------------------------
https://lwn.net/Articles/836238/


∗∗∗ In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover - CVE-2020-14871 ∗∗∗
---------------------------------------------
FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer’s system and analyzed it to see how it was attacking their Solaris environment. The FLARE team’s Offensive Task Force analyzed the exploit to determine how it worked, reproduced the vulnerability on different versions of Solaris, and then reported it to Oracle. In this blog post we present a description of the [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily