[CERT-daily] Tageszusammenfassung - 30.11.2020

Daily end-of-shift report team at cert.at
Mon Nov 30 18:38:52 CET 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 27-11-2020 18:00 − Montag 30-11-2020 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Bug oder Feature: Privilege Escalation in Windows Autopilot ∗∗∗
---------------------------------------------
SEC Consult hat im Deploymentprozess von Windows Autopilot eine Schwachstelle identifziert, die eine Erweiterung lokaler Berechtigungen ermöglicht.
---------------------------------------------
https://www.sec-consult.com/./blog/2020/11/bug-oder-feature-privilege-escalation-in-windows-autopilot/


∗∗∗ Credit card skimmer fills fake PayPal forms with stolen order info ∗∗∗
---------------------------------------------
A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/credit-card-skimmer-fills-fake-paypal-forms-with-stolen-order-info/


∗∗∗ Cyberthreats to financial organizations in 2021 ∗∗∗
---------------------------------------------
Let us review the forecasts we made at the end of 2019 and see how accurate we were. Then we will go through the key events of 2020 relating to financial attacks. Finally, we need to make a forecast of financial attacks in 2021.
---------------------------------------------
https://securelist.com/cyberthreats-to-financial-organizations-in-2021/99591/


∗∗∗ Threat Hunting with JARM, (Fri, Nov 27th) ∗∗∗
---------------------------------------------
Recently I have been testing a new tool created by the people at Salesforce. The tool is called JARM and what it does is query TLS instances (HTTPS servers and services) to create a fingerprint of their TLS configuration. Much like analyzing the nuances of network traffic can be used to fingerprint the operating system and version of a server, JARM fingerprints TLS instances to create a fingerprint which can be used to compare one TLS service to another.
---------------------------------------------
https://isc.sans.edu/diary/rss/26832


∗∗∗ German users targeted with Gootkit banker or REvil ransomware ∗∗∗
---------------------------------------------
After a noted absence, the Gootkit banking Trojan returns en masse to hit Germany. In an interesting twist, some of the victims may receive ransomware instead.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/


∗∗∗ SD-WAN Product Vulnerabilities Allow Hackers to Steer Traffic, Shut Down Networks ∗∗∗
---------------------------------------------
Researchers at cybersecurity consulting firm Realmode Labs have identified vulnerabilities in SD-WAN products from Silver Peak, Cisco, Citrix and VMware, including potentially serious flaws that can be exploited to steer traffic or completely shut down an organization’s network.
---------------------------------------------
https://www.securityweek.com/sd-wan-product-vulnerabilities-allow-hackers-steer-traffic-shut-down-networks


∗∗∗ Tens of Dormant North American Networks Suspiciously Resurrected at Once ∗∗∗
---------------------------------------------
More than fifty networks in the North American region suddenly burst to life after being dormant for a long period of time, Spamhaus reveals. The Geneva-based international nonprofit organization is focused on tracking spam, phishing, malware, and botnets, and provides threat intelligence that can help filter spam and related threats.
---------------------------------------------
https://www.securityweek.com/tens-dormant-north-american-networks-suspiciously-resurrected-once


∗∗∗ Hackers are targeting MacOS users with this updated malware ∗∗∗
---------------------------------------------
Researchers link new malware attacks designed to install a backdoor onto compromised systems to Vietnamese-backed hacking operation OceanLotus.
---------------------------------------------
https://www.zdnet.com/article/hackers-are-targeting-macos-users-with-this-updated-malware/


∗∗∗ Whac-A-Mole: Six Years of DNS Spoofing. (arXiv:2011.12978v1 [cs.CR]) ∗∗∗
---------------------------------------------
DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins.
---------------------------------------------
http://arxiv.org/abs/2011.12978



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Sicherheitsupdate: Lücke in Trend Micro ServerProtect gefährdet Linux-Systeme ∗∗∗
---------------------------------------------
Es gibt eine abgesicherte Version von Trend Micro ServerProtect for Linux.
---------------------------------------------
https://heise.de/-4974321


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (c-ares, libass, raptor, rclone, and swtpm), Debian (libproxy, qemu, tcpflow, and x11vnc), Fedora (asterisk, c-ares, microcode_ctl, moodle, pam, tcpdump, and webkit2gtk3), Mageia (jruby and webkit2), openSUSE (buildah, c-ares, ceph, fontforge, java-1_8_0-openjdk, kernel, LibVNCServer, mariadb, thunderbird, ucode-intel, and wireshark), Red Hat (firefox, rh-mariadb103-mariadb and rh-mariadb103-galera, and thunderbird), SUSE (binutils, libssh2_org, [...]
---------------------------------------------
https://lwn.net/Articles/838579/


∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-txseries-for-multiplatforms-2/


∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by Network Time Protocol (NTP) vulnerabilities (CVE-2020-11868, CVE-2020-13817) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-security-is-affected-by-network-time-protocol-ntp-vulnerabilities-cve-2020-11868-cve-2020-13817/


∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-txseries-for-multiplatforms/


∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-affect-ibm-content-classification/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-content-classification-3/


∗∗∗ Security Bulletin: IBM Content Classification is affected by a Eclipse Jetty (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-classification-is-affected-by-a-eclipse-jetty-publicly-disclosed-vulnerability/


∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-cics-tx-on-cloud/


∗∗∗ Security Bulletin: Eclipse Jetty (Publicly disclosed vulnerability) affects Content Classifaction ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-eclipse-jetty-publicly-disclosed-vulnerability-affects-content-classifaction/


∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affect-ibm-cics-tx-on-cloud/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list