[CERT-daily] Tageszusammenfassung - 21.09.2020

Daily end-of-shift report team at cert.at
Mon Sep 21 18:27:45 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 18-09-2020 18:00 − Montag 21-09-2020 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Google App Engine: Redirect-Feature begünstigt Phishing und Malware-Verbreitung ∗∗∗
---------------------------------------------
Googles Cloud-Anwendungsplattform App Engine bietet Kriminellen beim Generieren schädlicher Links viel Freiraum, den diese im Zuge aktiver Angriffe auskosten.
---------------------------------------------
https://heise.de/-4906593


∗∗∗ iOS 14: Private WLAN-Adressen können für Probleme sorgen ∗∗∗
---------------------------------------------
iOS 14 sattelt iPhones automatisch auf zufällige MAC-Adressen um. Das führt in Heim- und Firmennetzen unter Umständen zu Verbindungsstörungen.
---------------------------------------------
https://heise.de/-4907542


∗∗∗ uMatrix wird nicht weiterentwickelt: Repository steht auf "archived" ∗∗∗
---------------------------------------------
Die Browser-Erweiterung uMatrix ist auf GitHub als archiviert markiert worden. Damit endet die Weiterentwicklung der Firewall.
---------------------------------------------
https://heise.de/-4906711


∗∗∗ Windows 10 Health Report: September 2020 issues, Defender fiasco, & more ∗∗∗
---------------------------------------------
This Windows 10 Health Report provides an overview of the problems people are encountering in September 2020 due to new cumulative updates or changes made in the operating system.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-10-health-report-september-2020-issues-defender-fiasco-and-more/


∗∗∗ Slightly broken overlay phishing, (Mon, Sep 21st) ∗∗∗
---------------------------------------------
At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes - sometimes the phishing authors "cut out the middleman" and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt.
---------------------------------------------
https://isc.sans.edu/diary/rss/26586


∗∗∗ The Hidden PHP Malware that Reinfects Cleaned Files ∗∗∗
---------------------------------------------
Website reinfections are a serious problem for website owners, and it can often be difficult to determine the cause behind the reinfection — especially if you lack access to necessary logs, which is usually the case for shared hosting services. Some of the more common causes of reinfections are issues like cross- site contamination or unpatched website software security vulnerabilities that get re-exploited.
---------------------------------------------
https://blog.sucuri.net/2020/09/the-hidden-php-malware-that-reinfects-cleaned-files.html


∗∗∗ One Part Steganography, Four Redirectors, and a Splash of C2! ∗∗∗
---------------------------------------------
What do you get when you combine Google Images, QR Codes, and Remote Command Execution? This silly project of mine Id like to share with you all, of course! Building off of my security research from my last couple of blogs, I decided to use my research using dynamic web content to proxy traffic over third party image providers, and try to find a valid bi-directional method for sending data between a NATd client and a public server.
---------------------------------------------
https://medium.com/@curtbraz/one-part-steganography-four-redirectors-and-a-splash-of-c2-e13e5a65daa9


∗∗∗ Is domain name abuse something companies should worry about? ∗∗∗
---------------------------------------------
Should you worry about domain name abuse? For the most part it depends on what kind of company you are and what you expect to encounter.
---------------------------------------------
https://blog.malwarebytes.com/business-2/2020/09/is-domain-name-abuse-something-companies-should-worry-about/


∗∗∗ The Return of Raining SYSTEM Shells with Citrix Workspace app ∗∗∗
---------------------------------------------
TL;DR Back in July I documented a new Citrix Workspace vulnerability that allowed attackers to remotely execute arbitrary commands under the SYSTEM account. Well after some further investigation on the [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/the-return-of-raining-system-shells-with-citrix-workspace-app/


∗∗∗ Code execution, defense evasion are top tactics used in critical attacks against corporate endpoints ∗∗∗
---------------------------------------------
Cisco examines MITRE ATT&CK data to suggest the threat vectors enterprise security staff should focus their efforts on.
---------------------------------------------
https://www.zdnet.com/article/defense-evasion-code-execution-are-the-top-attack-tactics-used-against-corporate-endpoints/


∗∗∗ Rückblick auf das zweite Drittel 2020 ∗∗∗
---------------------------------------------
Anders als das erste Jahresdrittel, begann das zweite wesentlich weniger dramatisch, was IT-Sicherheit angeht. Neben Citrix, dem auch im 2. Jahresdrittel unsere erste anlassbezogene Aussendung zu verdanken war, kam auch eine andere alte Schwachstelle zu neuem "Ruhm".
---------------------------------------------
https://cert.at/de/blog/2020/9/ruckblick-auf-das-zweite-drittel-2020



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Sicherheitslücke: Mobiler Firefox-Browser führte Befehle aus dem WLAN aus ∗∗∗
---------------------------------------------
Im gleichen WLAN konnten Angreifer den mobilen Firefox-Browser unter Android beliebige Webseiten oder andere Apps öffnen lassen - ohne Nutzerinteraktion.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-mobiler-firefox-browser-fuehrte-befehle-aus-dem-wlan-aus-2009-150987-rss.html


∗∗∗ Micropatch for Zerologon, the "perfect" Windows vulnerability (CVE-2020-1472) ∗∗∗
---------------------------------------------
The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders.
---------------------------------------------
https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (inspircd and modsecurity), Fedora (chromium, cryptsetup, gnutls, mingw-libxml2, and seamonkey), openSUSE (ark, chromium, claws-mail, docker-distribution, fossil, hylafax+, inn, knot, libetpan, libjpeg-turbo, libqt4, librepo, libvirt, libxml2, lilypond, mumble, openldap2, otrs, pdns-recursor, perl-DBI, python-Flask-Cors, singularity, slurm_18_08, and virtualbox), SUSE (jasper, less, ovmf, and rubygem-actionview-4_2), and Ubuntu (sa-exim).
---------------------------------------------
https://lwn.net/Articles/832080/


∗∗∗ MISP 2.4.132 released (security fix CVE-2020-25766 and bugs fixed) ∗∗∗
---------------------------------------------
A new version of MISP (2.4.132) has been released with several bugs fixed including an important security fix CVE-2020-25766.
---------------------------------------------
https://www.misp-project.org/2020/09/21/MISP.2.4.132.released.html


∗∗∗ B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php


∗∗∗ B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php


∗∗∗ B-swiss 3 Digital Signage System 3.6.5 Database Disclosure ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5588.php


∗∗∗ Security Bulletin: Denial of Service with HTTP/2 in IBM DataPower Gateway (CVE-2020-4579) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-with-http-2-in-ibm-datapower-gateway-cve-2020-4579/


∗∗∗ Security Bulletin: IBM Business Automation Content Analyzer is affected by Insecure Cookie vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-business-automation-content-analyzer-is-affected-by-insecure-cookie-vulnerability/


∗∗∗ Security Bulletin: Denial of Service with HTTP/2 in IBM DataPower Gateway (CVE-2020-4581) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-with-http-2-in-ibm-datapower-gateway-cve-2020-4581/


∗∗∗ Security Bulletin: Denial of Service in IBM DataPower Gateway (CVE-2020-4580) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-datapower-gateway-cve-2020-4580/


∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2020-8616 and CVE-2020-8617). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve-2020-8616-and-cve-2020-8617/


∗∗∗ Security Bulletin: Vulnerability in ntp (CVE-2020-11868 and CVE-2020-13817). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ntp-cve-2020-11868-and-cve-2020-13817/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list