[CERT-daily] Tageszusammenfassung - 27.10.2020

Tue Oct 27 18:29:19 CET 2020

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 23-10-2020 18:00 − Dienstag 27-10-2020 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Vorsicht: Betrügerisches FinanzOnline-E-Mail im Umlauf ∗∗∗
---------------------------------------------
Aktuell sind gefälschte E-Mails im Namen des Finanzamtes unterwegs. In der E-Mail werden Sie über Ihre Steuerrückerstattung informiert und aufgefordert, die Transaktion zu genehmigen. Klicken Sie aber keinesfalls auf den Link, Sie landen auf einer gefälschten FinanzOnline-Website, die es Kriminellen ermöglicht, persönliche Daten sowie Kreditkartendaten abzugreifen!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-betruegerisches-finanzonline-e-mail-im-umlauf/


∗∗∗ Industrieanlagen mit OPC UA systematisch schlecht konfiguriert ∗∗∗
---------------------------------------------
Forscher des Fraunhofer FKIE und der RWTH Aachen haben das Internet nach Steuerungen auf Basis des Standards OPC UA durchsucht. 92% waren unsicher eingerichtet.
---------------------------------------------
https://heise.de/-4939199


∗∗∗ Sicherheitsupdate: Angreifer attackieren Microsofts Webbrowser Edge ∗∗∗
---------------------------------------------
Die Entwickler von Microsoft haben im Webbrowser Edge mehrere Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-4940091


∗∗∗ Malware Emotet versteckt sich hinter gefälschtem Upgrade für Microsoft Word ∗∗∗
---------------------------------------------
Eine neue Kampagne gaukelt Opfern vor, sie benötigen ein Upgrade mit neuen Funktionen für Microsoft Word. Tatsächlich sollen sie die Sicherheitsvorkehrungen zum Schutz vor gefährlichen Makros deaktivieren. Die schädlichen Dokumente verteilen die Hintermänner weiterhin per E-Mail.
---------------------------------------------
https://www.zdnet.de/88389137/malware-emotet-versteckt-sich-hinter-gefaelschtem-upgrade-fuer-microsoft-word/


∗∗∗ KashmirBlack: Botnet attackiert WordPress, Joomla und Drupal ∗∗∗
---------------------------------------------
Die Hintermänner nutzen bekannte Schwachstellen in CMS-Plattformen und Plug-ins. Darüber schleusen sie einen Cryptominer ein. Laut Imperva verfügt das Botnet inzwischen über eine "massive Infrastruktur".
---------------------------------------------
https://www.zdnet.de/88389169/kashmirblack-botnet-attackiert-wordpress-joomla-und-drupal/


∗∗∗ New RAT malware gets commands via Discord, has ransomware feature ∗∗∗
---------------------------------------------
The new Abaddon remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/


∗∗∗ Massive Nitro data breach impacts Microsoft, Google, Apple, more ∗∗∗
---------------------------------------------
A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massive-nitro-data-breach-impacts-microsoft-google-apple-more/


∗∗∗ Study of the ShadowPad APT backdoor and its relation to PlugX ∗∗∗
---------------------------------------------
In July 2020, we released a study of targeted attacks on state institutions in Kazakhstan and Kyrgyzstan with a detailed analysis of malware found in compromised networks. During the investigation, Doctor Web specialists analyzed and described several groups of trojan programs, including new samples of trojan families already encountered by our virus analysts, as well as previously unknown trojans.
---------------------------------------------
https://news.drweb.com/show/?i=14048&lng=en&c=9


∗∗∗ Majority of Microsoft 365 Admins Don’t Enable MFA ∗∗∗
---------------------------------------------
Beyond admins, researchers say that 97 percent of all total Microsoft 365 users do not use multi-factor authentication.
---------------------------------------------
https://threatpost.com/microsoft-365-admins-mfa/160592/


∗∗∗ LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes ∗∗∗
---------------------------------------------
Popular chat apps, including LINE, Slack, Twitter DMs and others, can also leak location data and share private info with third-party servers.
---------------------------------------------
https://threatpost.com/linkedin-instagram-preview-link-rce-security/160600/


∗∗∗ Excel 4 Macros: "Abnormal Sheet Visibility", (Mon, Oct 26th) ∗∗∗
---------------------------------------------
Excel 4 macros are composed of formulas (commands) and values stored inside a sheet.
---------------------------------------------
https://isc.sans.edu/diary/rss/26726


∗∗∗ Password Security & Password Managers ∗∗∗
---------------------------------------------
In the spirit of National Cyber Security Awareness Month (NCSAM), let’s talk about a security basic that many people overlook: passwords. These are one of the most fundamental aspects of website security, yet we too often see webmasters taking a lax approach to secure passwords. In fact, the online security provider TeamPassword found that last year the most commonly leaked password was 123456. That edges out some real gems including qwerty and the always-popular password.
---------------------------------------------
https://blog.sucuri.net/2020/10/password-security-password-managers.html


∗∗∗ P.A.S. Fork v. 1.0 — A Web Shell Revival ∗∗∗
---------------------------------------------
A PHP shell containing multiple functions can easily consist of thousands of lines of code, so it’s no surprise that attackers often reuse the code from some of the most popular PHP web shells, like WSO or b374k. After all, if these popular (and readily available) PHP web shells do the job, there’s no need to code an entirely new tool.
---------------------------------------------
https://blog.sucuri.net/2020/10/p-a-s-fork-v-1-0-a-web-shell-revival.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
Overview
Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
Description
CVE-2020-10143
Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:\openssl\. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create [...]
---------------------------------------------
https://kb.cert.org/vuls/id/760767


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird), Fedora (createrepo_c, dnf-plugins-core, dnf-plugins-extras, librepo, livecd-tools, and pdns-recursor), openSUSE (firefox and mailman), Oracle (firefox), Red Hat (chromium-browser, java-1.8.0-openjdk, and Satellite 6.8), Scientific Linux (java-1.8.0-openjdk), SUSE (libvirt), and Ubuntu (blueman, firefox, mysql-5.7, mysql-8.0, php7.4, and ruby-kramdown).
---------------------------------------------
https://lwn.net/Articles/835401


∗∗∗ HPE/Aruba: Kritische Lücken in SSMC, AirWave Glass und weiteren Produkten ∗∗∗
---------------------------------------------
Jetzt updaten: Unter anderem kann eine Lücke mit Höchstwertung in der StoreServ Management Console Angreifern unbefugte Remote-Zugriffe leicht machen.
---------------------------------------------
https://heise.de/-4938532


∗∗∗ NVIDIA Patches Code Execution Flaws in GeForce Experience ∗∗∗
---------------------------------------------
Patches released by NVIDIA last week for the GeForce Experience software address two arbitrary code execution bugs assessed with a severity rating of high.
---------------------------------------------
https://www.securityweek.com/nvidia-patches-code-execution-flaws-geforce-experience


∗∗∗ Trend Micro AntiVirus for Mac: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1047


∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1045


∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is vulnerable to social engineering attacks (CVE-2020-4337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-developer-portal-is-vulnerable-to-social-engineering-attacks-cve-2020-4337-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-platform-symphony-and-ibm-spectrum-symphony-3/


∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8169, CVE-2020-8177) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-affect-powersc-cve-2020-8169-cve-2020-8177/


∗∗∗ Security Bulletin: Vulnerabilities in NTPv4 affect AIX (CVE-2020-11868, CVE-2020-13817, and CVE-2020-15025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ntpv4-affect-aix-cve-2020-11868-cve-2020-13817-and-cve-2020-15025/


∗∗∗ Security Bulletin: CVE-2020-15190 for Tensorflow in Watson Machine Learning Community Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-15190-for-tensorflow-in-watson-machine-learning-community-edition/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily