[CERT-daily] Tageszusammenfassung - 17.09.2020

Daily end-of-shift report team at cert.at
Thu Sep 17 18:23:19 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 16-09-2020 18:00 − Donnerstag 17-09-2020 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Cyber-Angriff auf Uniklinik Düsseldorf: BSI warnt vor akuter Ausnutzung bekannter Schwachstelle ∗∗∗
---------------------------------------------
Am 10. September 2020 kam es zu einem IT-Sicherheitsvorfall im Universitätsklinikum Düsseldorf (UKD). Gemäß BSI-Gesetz hat das UKD das Bundesamt für Sicherheit in der Informationstechnik (BSI) über diesen Vorfall informiert. [...]
In diesem Zusammenhang weist das BSI mit Nachdruck darauf hin, dass derzeit eine seit Januar 2020 bekannte Schwachstelle (CVE-2019-19781) in VPN-Produkten der Firma Citrix für Cyber-Angriffe ausgenutzt wird. Dem BSI werden zunehmend Vorfälle bekannt, bei denen Citrix-Systeme bereits vor der Installation der im Januar 2020 bereitgestellten Sicherheitsupdates kompromittiert wurden. Dadurch haben Angreifer auch nach Schließung der Sicherheitslücke weiterhin Zugriff auf das System und dahinterliegende Netzwerke. Diese Möglichkeit wird aktuell vermehrt ausgenutzt, um Angriffe auf betroffene Organisationen durchzuführen.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/UKDuesseldorf_170920.html


∗∗∗ Evasive URLs in Spam ∗∗∗
---------------------------------------------
Cybercriminals are continuously evolving their tools, tactics, and techniques to evade spam detection systems. We recently observed some spam campaigns that heavily relied on URL obfuscation in email messages.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam/


∗∗∗ phpbash – A Terminal Emulator Web Shell ∗∗∗
---------------------------------------------
It’s common for hackers to utilize post-compromise tools that contain a graphical user interface (GUI) that can be loaded in the web browser. A GUI generally makes the tool easier to use — and certainly more visually appealing than just raw text. One example of web malware that uses GUIs are PHP webshells like r57.
---------------------------------------------
https://blog.sucuri.net/2020/09/phpbash-terminal-editor-web-shell.html


∗∗∗ GuLoaders VM-Exit Instruction Hammering explained ∗∗∗
---------------------------------------------
In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent malware samples. On the September 16th, 2020 we came across a new GuLoader variant (MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-evasion techniques.
---------------------------------------------
http://blog.joesecurity.org/2020/09/guloaders-vm-exit-instruction-hammering.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Schadcode per Word-Datei: Microsoft flickt Office für Mac ∗∗∗
---------------------------------------------
Microsoft hat die macOS-Version seiner Office-Suite aktualisiert. Die Updates schließen Schwachstellen, die das Ausführen von Schadcode ermöglichen.
---------------------------------------------
https://heise.de/-4904475


∗∗∗ Apple iOS & iPadOS: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apple iOS und Apple iPadOS ausnutzen, um beliebigen Programmcode auszuführen, einen Denial of Service Zustand herbeizuführen, Informationen offenzulegen, einen Cross-Site Scripting Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder sonstige Auswirkungen zu verursachen.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0907


∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0906


∗∗∗ Vulnerability Spotlight: Remote code execution vulnerability Apple Safari ∗∗∗
---------------------------------------------
The Apple Safari web browser contains a remote code execution vulnerability in its Webkit feature. Specifically, an attacker could trigger a use-after-free condition in WebCore, the DOM-rendering system for Webkit used in Safari. This could give the attacker the ability to execute remote code on the victim machine.
---------------------------------------------
https://blog.talosintelligence.com/2020/09/vuln-spotlight-apple-safari-sept-2020.html


∗∗∗ High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce ∗∗∗
---------------------------------------------
On August 20, 2020, the Wordfence Threat Intelligence team was made aware of several vulnerabilities that had been patched in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites.
---------------------------------------------
https://www.wordfence.com/blog/2020/09/high-severity-vulnerabilities-patched-in-discount-rules-for-woocommerce/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (dotnet3.1, kernel, mbedtls, and python35), Mageia (libraw), openSUSE (mumble), SUSE (libsolv, libzypp, and perl-DBI), and Ubuntu (libdbi-perl, libphp-phpmailer, mcabber, ncmpc, openssl, openssl1.0, qemu, samba, storebackup, and util-linux).
---------------------------------------------
https://lwn.net/Articles/831720/


∗∗∗ Synology-SA-20:21 Zerologon ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_21


∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
---------------------------------------------
https://support.citrix.com/article/CTX281474


∗∗∗ Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websphere-application-server-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise/


∗∗∗ Security Bulletin: IBM Aspera Shares 1.9.14 Patch Level 1 and earlier are vulnerable to DOM XSS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-shares-1-9-14-patch-level-1-and-earlier-are-vulnerable-to-dom-xss-2/


∗∗∗ Security Bulletin: Denial of service vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerability-in-websphere-application-server-liberty-cve-2020-4590/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list