- Daily - CERT.at

Tageszusammenfassung - 05.08.2020
by Daily end-of-shift report 05 Aug '20

05 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-08-2020 18:00 − Mittwoch 05-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MMS Exploit Part 4: MMS Primer, Completing the ASLR Oracle ∗∗∗ --------------------------------------------- Posted by Mateusz Jurczyk, Project Zero. This post is the fourth of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/08/mms-exploit-part-4-completin… ∗∗∗ Richtlinien gegen Sicherheitslücken in Legacy-Programmiersprachen veröffentlicht ∗∗∗ --------------------------------------------- Das Politecnico di Milano und Trend Micro haben einen Leitfaden für das Entwickeln mit Legacy-Programmiersprachen für Betriebstechnik in der Industrie erstellt. --------------------------------------------- https://heise.de/-4863229 ∗∗∗ Sophos: Ransomware WastedLocker trickst Sicherheitsanwendungen aus ∗∗∗ --------------------------------------------- Die Hintermänner haben offenbar sehr gute Kenntnisse über interne Funktionen von Windows. Sie nutzen diese, um Dateien im Windows-Cache statt direkt auf der Festplatte zu verschlüsseln. Damit vereiteln sie eine verhaltensbasierte Analyse ihrer Schadsoftware. --------------------------------------------- https://www.zdnet.de/88382004/sophos-ransomware-wastedlocker-trickst-sicher… ∗∗∗ Unseriöse Angebote werben mit ORF-Promis ∗∗∗ --------------------------------------------- Immer wieder werden Promis dazu genutzt, um unseriöse Angebote zu bewerben. Aktuell werden vor allem Bilder von ORF-Stars und von nachgemachten Nachrichten-Logos verwendet, um Menschen in die Falle zu locken. Die gefälschten Werbungen werden Ihnen dabei beim Handy-Spielen angezeigt und sollen Sie dazu bringen Apps für Spieleautomaten herunterzuladen. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-angebote-werben-mit-orf-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers can abuse Microsoft Teams updater to install malware ∗∗∗ --------------------------------------------- Microsoft Teams can still double as a Living off the Land binary (LoLBin) and help attackers retrieve and execute malware from a remote location. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-… ∗∗∗ The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks ∗∗∗ --------------------------------------------- On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2020/08/the-official-facebook-chat-plugin-cr… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (net-snmp), Fedora (mingw-curl), openSUSE (firefox, ghostscript, and opera), Oracle (libvncserver and postgresql-jdbc), Scientific Linux (postgresql-jdbc), SUSE (firefox, kernel, libX11, xen, and xorg-x11-libX11), and Ubuntu (apport, grub2, grub2-signed, libssh, libvirt, mysql-8.0, ppp, tomcat8, and whoopsie). --------------------------------------------- https://lwn.net/Articles/828114/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - July 2020 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ GRUB2 Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Information Leak Vulnerabilities in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Protection Mechanism Failure Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Elevation of Privilege Vulnerability in Some Microsoft Windows Systems ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Remote Code Execution Vulnerability in Microsoft Windows SMBv1 ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Bulletin: jackson-databind (Publicly disclosed vulnerability) found in Network Performance Insight (CVE-2019-14892, CVE-2019-14893) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jackson-databind-publicly… ∗∗∗ Security Bulletin: CVE-2014-3577 HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2014-3577-httpcompone… ∗∗∗ Security Bulletin: CVE-2020-4481 HTTP properties vulnerable to an XXE attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4481-http-proper… ∗∗∗ Security Bulletin: vulnerabilities in in IBM® Runtime Environment Java™ Version 8 affect IBM WIoTP MessageGateway (CVE-2020-2805, CVE-2020-2803, CVE-2020-2781, CVE-2020-2755, CVE-2020-2754) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-in-ibm… ∗∗∗ Security Bulletin: CVE-2009-2625 CVE-2012-0881 CVE-2013-4002 CVE-2014-0107 Multiple Xml handling Issues in xerces and xalan ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2009-2625-cve-2012-08… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js http-proxy module denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: CVE-2019-2949 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2949-may-affect-… ∗∗∗ Security Bulletin: CVE-2015-5254 Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2015-5254-apache-acti… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ IBM Spectrum Protect: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0785 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2020
by Daily end-of-shift report 04 Aug '20

04 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Montag 03-08-2020 18:00 − Dienstag 04-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Exploiting Android Messengers with WebRTC: Part 1 ∗∗∗ --------------------------------------------- Posted by Natalie Silvanovich, Project Zero. This is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. This series highlights what can go wrong when applications dont apply WebRTC patches and when the communication and notification of security issues breaks down. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messenger… ∗∗∗ Network Design: Firewall, IDS/IPS ∗∗∗ --------------------------------------------- There are many different types of devices and mechanisms within the security environment to provide a layered approach of defense. This is so that if an attacker is able to bypass one layer, another layer stands in the way to protect the network. --------------------------------------------- https://resources.infosecinstitute.com/network-design-firewall-idsips/ ∗∗∗ Certificate Transparency: a birds-eye view ∗∗∗ --------------------------------------------- The goal of this post is to build up a high-level description of CT from scratch, explaining why all the pieces are the way they are and how they fit together. --------------------------------------------- https://emilymstark.com/2020/07/20/certificate-transparency-a-birds-eye-vie… ∗∗∗ goldscheideanstalt-solidus24.de & feingold-scheideanstalt.de fälschen Trusted Shops-Zertifikat ∗∗∗ --------------------------------------------- goldscheideanstalt-solidus24.de & feingold-scheideanstalt.de – durchaus ansprechende Webshops für Goldbarren und Goldmünzen. Das vollständige Impressum mit gültigen Angaben, sowie das Trusted Shops-Gütezeichen wirken vertrauensvoll. Doch Vorsicht: Diese Goldhändler sind Fake, Sie erhalten trotz Bezahlung keine Ware! --------------------------------------------- https://www.watchlist-internet.at/news/goldscheideanstalt-solidus24de-feing… ===================== = Vulnerabilities = ===================== ∗∗∗ NodeJS module downloaded 7M times lets hackers inject code ∗∗∗ --------------------------------------------- A Node.js module downloaded millions of times has a security flaw that can enable attackers to perform a denial-of-service (DoS) attack on a server or get full-fledged remote shell access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nodejs-module-downloaded-7m-… ∗∗∗ CVE-2020–9854: "Unauthd" ∗∗∗ --------------------------------------------- Security researcher Ilias Morad, describes an impressive exploit chain, combining three macOS logic bugs he uncovered in macOS. His exploit chain allowed a local user to elevate privileges all the way to ring-0 (kernel)! --------------------------------------------- https://objective-see.com/blog/blog_0x4D.html ∗∗∗ Reminder: Patch Cisco ASA / FTD Devices (CVE-2020-3452). Exploitation Continues , (Tue, Aug 4th) ∗∗∗ --------------------------------------------- Just a quick reminder: We are continuing to see small numbers of exploit attempts against CVE-2020-3452. Cisco patched this directory traversal vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. --------------------------------------------- https://isc.sans.edu/diary/rss/26426 ∗∗∗ Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder ∗∗∗ --------------------------------------------- On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libx11, webkit2gtk, and zabbix), Fedora (webkit2gtk3), openSUSE (claws-mail, ghostscript, and targetcli-fb), Red Hat (dbus, kpatch-patch, postgresql-jdbc, and python-pillow), Scientific Linux (libvncserver and postgresql-jdbc), SUSE (kernel and python-rtslib-fb), and Ubuntu (ghostscript, sqlite3, squid3, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/828015/ ∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-aff… ∗∗∗ Security Bulletin: Possible denial of service attack affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-possible-denial-of-servic… ∗∗∗ Security Bulletin: Incorrect file permissions allows authenticated users to recover IPMI user passwords ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-file-permission… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a denial of service vulnerability in MySQL (CVE-2020-2752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Vulnerability in GNU gettext affects IBM Spectrum Protect Plus (CVE-2018-18751) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gnu-gett… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2020-4459) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A vulnerability in IBM® Runtime Environment Java™ Version 8.0 affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ru… ∗∗∗ Security Bulletin: OpenSSH vulnerability affects IBM Spectrum Protect Plus (CVE-2020-15778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssh-vulnerability-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability exists in IBM® Runtime Environment Java™ which affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ August 2020 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2020-08-01 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0781 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2020
by Daily end-of-shift report 03 Aug '20

03 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-07-2020 18:00 − Montag 03-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Warnung vor Sicherheitslücke in Abus-Alarmanlagen ∗∗∗ --------------------------------------------- Aufgrund einer neuen Sicherheitslücke ist es möglich, die Alarmanlage aus der Ferne zu deaktivieren. --------------------------------------------- https://futurezone.at/produkte/abus-alarmanlagen-warnung-vor-sicherheitslue… ∗∗∗ The core of Apple is PPL: Breaking the XNU kernels kernel ∗∗∗ --------------------------------------------- This bypass was reported as Project Zero issue 2035 and fixed in iOS 13.6; you can find a POC that demonstrates how to map arbitrary physical addresses into EL0 there. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/the-core-of-apple-is-ppl-bre… ∗∗∗ Emotet is back… and where are we? ∗∗∗ --------------------------------------------- A couple weeks ago, Emotet sprang back to life. The first new spam messages started flowing after a five month hiatus. --------------------------------------------- https://team-cymru.com/2020/07/31/emotet-is-back-and-where-are-we/ ∗∗∗ TCC-Absicherung in macOS "komplett geknackt" ∗∗∗ --------------------------------------------- Einem Sicherheitsexperten ist es gelungen, Apples eigentlich drakonische "Entitlement Checks" zu umgehen. Das Problem wurde gepatcht. --------------------------------------------- https://heise.de/-4860891 ∗∗∗ Meetup fixes security flaws which could have allowed hackers to take over groups ∗∗∗ --------------------------------------------- Researchers at Checkmarx detail "Holy Grail" of two vulnerabilities, now patched. --------------------------------------------- https://www.zdnet.com/article/meetup-fixes-security-flaws-which-could-have-… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Group - Critical - Information Disclosure - SA-CONTRIB-2020-030 ∗∗∗ --------------------------------------------- Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:ALL This vulnerability is mitigated by the fact that the victim must have the GroupNode plugin installed on their website and have no other hook_node_grants() implementations on their website aside from the one that was recently removed by Group. If you do not use the GroupNode plugin or still have hook_node_grants() implementing modules enabled, your site may not be affected. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2020-030 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2 and mercurial), Fedora (chromium, firefox, and freerdp), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox, grub2, and kernel), and SUSE (ghostscript and targetcli-fb). --------------------------------------------- https://lwn.net/Articles/827697/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ffmpeg, libjcat, mbedtls, tcpreplay, and wireshark-cli), Debian (ark, evolution-data-server, libjpeg-turbo, libopenmpt, libpam-radius-auth, libphp-phpmailer, libssh, ruby-zip, thunderbird, and transmission), Fedora (chromium, clamav, claws-mail, evolution-data-server, freerdp, glibc, java-latest-openjdk, nspr, and nss), Gentoo (libsndfile, pycrypto, python, snmptt, thunderbird, and webkit-gtk), Mageia (botan2, chocolate-doom, cloud-init, dnsmasq, freerdp/remmina, gssdp/gupnp java-1.8.0-openjdk, matio, microcode, nasm, openjpeg2, pcre2, php-phpmailer, redis, roundcubemail, ruby-rack, thunderbird, virtualbox, xerces-c), openSUSE (claws-mail, ldb, libraw), Oracle (firefox), Red Hat (bind, grub2, grub2, grub2, grub2, grub2, kernel-rt, libvncserver, nss, and, nspr, qemu-kvm-rhev), Scientific Linux (firefox), Slackware (thunderbird), SUSE (claws-mail, ldb, libraw, firefox, kernel, kernel, targetcli-fb). --------------------------------------------- https://lwn.net/Articles/827920/ ∗∗∗ Security Bulletin: Financial Transaction Manager for High Value Payments is affected by a potential Cross-Site Scripting (Reflected) vulnerability (CVE-2020-4560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Watson Machine Learning Service is impacted by security vulnerabilities in OpenJDK 11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-s… ∗∗∗ Security Bulletin: IBM i2 Analysts' Notebook and IBM i2 Analysts' Notebook Premium Memory vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: Apr 2020 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apr-2020-multiple-vulnera… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4534) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Financial Transaction Manager for High Value Payments is affected by a potential SQL Injection CVE-2020-4328 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2020
by Daily end-of-shift report 31 Jul '20

31 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-07-2020 18:00 − Freitag 31-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Office 365 phishing abuses Google Ads to bypass email filters ∗∗∗ --------------------------------------------- An Office 365 phishing campaign abused Google Ads to bypass secure email gateways (SEGs), redirecting employees of targeted organizations to phishing landing pages and stealing their Microsoft credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/office-365-phishing-abuses-g… ∗∗∗ One Byte to rule them all ∗∗∗ --------------------------------------------- Posted by Brandon Azad, Project Zero. For the last several years, nearly all iOS kernel exploits have followed the same high-level flow: memory corruption and fake Mach ports are used to gain access to the kernel task port, which provides an ideal kernel read/write primitive to userspace. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/one-byte-to-rule-them-all.ht… ∗∗∗ WastedLocker: technical analysis ∗∗∗ --------------------------------------------- According to currently available information, in the attack on Garmin a targeted build of the Trojan WastedLocker was used. We have performed technical analysis of the Trojan sample. --------------------------------------------- https://securelist.com/wastedlocker-technical-analysis/97944/ ∗∗∗ Obscured by Clouds: Insights into Office 365 Attacks and How MandiantManaged Defense Investigates ∗∗∗ --------------------------------------------- With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/07/insights-into-office-36… ∗∗∗ Malspam campaign caught using GuLoader after service relaunch ∗∗∗ --------------------------------------------- We discovered a spam campaign distributing GuLoader in the aftermath of the services relaunch. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caug… ∗∗∗ New infection chain of njRAT variant ∗∗∗ --------------------------------------------- Recently, 360 Security Center has detected that a variant of the remote access tool njRAT is active. --------------------------------------------- https://blog.360totalsecurity.com/en/new-infection-chain-of-njrat-variant/ ∗∗∗ Umfragen von appdoctor.me führen zu Geldwäsche in Ihrem Namen! ∗∗∗ --------------------------------------------- Es klingt so verlockend: Einfach kurz eine App testen und schon hat man 35 Euro verdient. Doch leider steckt hinter solchen Umfrageplattformen und Jobangeboten oftmals Betrug. So auch auf der Webseite appdoctor.me, auf der App-TesterInnen gesucht werden. Geld wird Ihnen hier jedoch nicht ausbezahlt. Stattdessen eröffnen die Kriminellen ein Konto in Ihrem Namen, um dort Geldwäsche zu betreiben. --------------------------------------------- https://www.watchlist-internet.at/news/umfragen-von-appdoctorme-fuehren-zu-… ===================== = Vulnerabilities = ===================== ∗∗∗ KDE archive tool flaw let hackers take over Linux accounts ∗∗∗ --------------------------------------------- A vulnerability exists in the default KDE extraction utility called ARK that allows attackers to overwrite files or execute code on victims computers simply by tricking them into downloading an archive and extracting it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kde-archive-tool-flaw-let-ha… ∗∗∗ If you own one of these 45 Netgear devices, replace it: Gear maker wont patch vulnerable gear despite live proof-of-concept code ∗∗∗ --------------------------------------------- Thats one way of speeding up the tech refresh cycle. Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2020/07/30/netgear_aban… ∗∗∗ Ripple20 impact onDistribution Automation products ∗∗∗ --------------------------------------------- On the 16th of June 2020, a series of vulnerabilities affecting a TCP/IP library from Treck Inc. were made public by JSOF Tech in Jerusalem, Israel. The products listed in this document have integrated this library and thus are affected by the vulnerabilities listed in this document. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA000473&Language… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg). --------------------------------------------- https://lwn.net/Articles/827572/ ∗∗∗ Forscher legt zwei Zero-Day-Lücken im Tor-Netzwerk und -Browser offen ∗∗∗ --------------------------------------------- Internet Service Provider können unter Umständen alle Verbindungen zum Tor-Netzwerk blockieren. Der Forscher wirft dem Tor Project vor, die von ihm gemeldeten Schwachstellen nicht zu beseitigen. Er kündigt zudem die Offenlegung weiterer Bugs an. --------------------------------------------- https://www.zdnet.de/88381926/forscher-legt-zwei-zero-day-luecken-im-tor-ne… ∗∗∗ iTunes 12.10.8 for Windows ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211293 ∗∗∗ Security Bulletin: IBM i2 Analysts' Notebook Memory vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Apache CXF, which is shipped with IBM Tivoli Network Manager (CVE-2020-1954). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2020
by Daily end-of-shift report 30 Jul '20

30 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-07-2020 18:00 − Donnerstag 30-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TrickBots new Linux malware covertly infects Windows devices ∗∗∗ --------------------------------------------- TrickBots Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbots-new-linux-malware-… ∗∗∗ Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 ∗∗∗ --------------------------------------------- Posted by Maddie Stone, Project Zero. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-re… ∗∗∗ Security controls for ICS/SCADA environments ∗∗∗ --------------------------------------------- Supervisory control and data acquisition systems (SCADA) are a subset of ICS. These systems are unique in comparison to traditional IT systems. This makes using standard security controls written with traditional systems in mind somewhat tricky. --------------------------------------------- https://resources.infosecinstitute.com/security-controls-for-ics-scada-envi… ∗∗∗ ESET Threat Report Q2 2020 ∗∗∗ --------------------------------------------- A view of the Q2 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts. --------------------------------------------- https://www.welivesecurity.com/2020/07/29/eset-threat-report-q22020/ ∗∗∗ Researchers exploit HTTP/2, WPA3 protocols to stage highly efficient ‘timeless timing’ attacks ∗∗∗ --------------------------------------------- Presented at this year’s Usenix conference, the technique, named ‘Timeless Timing Attacks’, exploits the way network protocols handle concurrent requests to solve one of the endemic challenges of remote timing side-channel attacks. --------------------------------------------- https://portswigger.net/daily-swig/researchers-exploit-http-2-wpa3-protocol… ∗∗∗ Effective Threat Intelligence Through Vulnerability Analysis ∗∗∗ --------------------------------------------- The vulnerability ecosystem has matured considerably in the last few years. A significant amount of effort has been invested to capture, curate, taxonomize and communicate the vulnerabilities in terms of severity, impact and complexity of the associated exploit or attack. --------------------------------------------- https://www.tripwire.com/state-of-security/vulnerability-management/effecti… ===================== = Vulnerabilities = ===================== ∗∗∗ Grub 2: Boothole ermöglicht Umgehung von Secure Boot ∗∗∗ --------------------------------------------- Der Fehler in dem Bootloader Grub ermöglicht damit ein dauerhaftes Bootkit. Ein komplettes Update wird aber schwierig und dauert. (grub, Linux) --------------------------------------------- https://www.golem.de/news/grub-2-boothole-ermoeglicht-umgehung-von-secure-b… ∗∗∗ CVE-2020–9934: Bypassing TCC for Unauthorized Access ∗∗∗ --------------------------------------------- In this guest blog post, security researcher Matt Shockley describes a lovely security vulnerability he uncovered in macOS. --------------------------------------------- https://objective-see.com/blog/blog_0x4C.html ∗∗∗ Sicherheitsupdates: Gefährliche Lücken in Cisco SD-WAN und Data Center ∗∗∗ --------------------------------------------- Angreifer könnten durch Schwachstellen in Cisco-Software ganze Netzwerke übernehmen. --------------------------------------------- https://heise.de/-4858759 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (October 2019) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities in OpenSSL affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information exposure in HTML comments vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (Apr 2020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020, Apr 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in Open Source logback used in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-open-sou… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 68.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-35/ ∗∗∗ Dell OpenManage Server Administrator: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0770 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0768 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2020
by Daily end-of-shift report 29 Jul '20

29 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-07-2020 18:00 − Mittwoch 29-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ VermieterInnen aufgepasst: Besonders in der Urlaubszeit wollen BetrügerInnen an Ihr Geld! ∗∗∗ --------------------------------------------- Betrug im Internet zielt manchmal auf ganz bestimmte Personengruppen ab. Gerade jetzt in der Urlaubszeit sind auch Zimmer- oder Ferienwohnung-VermieterInnen sowie Hoteliers im Visier von BetrügerInnen. Die Kriminellen geben sich dabei als interessierte Gäste aus und versuchen durch Scheckbetrug an das Geld der VermieterInnen zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/vermieterinnen-aufgepasst-besonders-… ∗∗∗ Betrüger-Mails: Emotet klaut Dateianhänge für mehr Authentizität ∗∗∗ --------------------------------------------- Aufgepasst: Emotet hat dazu gelernt und versteckt sich nun in noch glaubhafteren Mails. --------------------------------------------- https://heise.de/-4857724 ∗∗∗ Netwalker malware: What it is, how it works and how to prevent it | Malware spotlight ∗∗∗ --------------------------------------------- Netwalker is a data encryption malware that represents an evolution of the well-known Kokoklock ransomware and has been active since September 2019. This article will detail the specific technical features of the Netwalker ransomware. --------------------------------------------- https://resources.infosecinstitute.com/netwalker-malware-what-it-is-how-it-… ∗∗∗ MMS Exploit Part 3: Constructing the Memory Corruption Primitives ∗∗∗ --------------------------------------------- Posted by Mateusz Jurczyk, Project Zero. This post is the third of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-3-construct… ===================== = Vulnerabilities = ===================== ∗∗∗ Magento gets security updates for severe code execution bugs ∗∗∗ --------------------------------------------- Adobe today released security updates to fix two code execution vulnerabilities affecting Magento Commerce and Magento Open Source, rated as important and critical severity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-gets-security-update… ∗∗∗ Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin ∗∗∗ --------------------------------------------- On June 19th, our Threat Intelligence team discovered a vulnerability present in Comments – wpDiscuz, a WordPress plugin installed on over 80,000 sites. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. --------------------------------------------- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulne… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, firefox-esr, luajit, and salt), Fedora (clamav, java-1.8.0-openjdk, and java-11-openjdk), Gentoo (claws-mail, dropbear, ffmpeg, libetpan, mujs, mutt, and rsync), openSUSE (qemu), Red Hat (openstack-tripleo-heat-templates), SUSE (freerdp, ldb, rubygem-puma, samba, and webkit2gtk3), and Ubuntu (mysql-5.7, mysql-8.0 and sympa). --------------------------------------------- https://lwn.net/Articles/827376/ ∗∗∗ Security Bulletin: Legacy Components of IBM Netcool Configuration Manager have been updated. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-legacy-components-of-ibm-… ∗∗∗ Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2020-1954) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-… ∗∗∗ Security Bulletin: IBM Planning Analytics has addressed multiple Security Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Information Disclosure (CVE-2020-4463) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Security Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ IBM Informix: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0764 ∗∗∗ Stored Cross-Site Scripting (XSS) Vulnerability in Namirial SIGNificant SignAnyWhere ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/stored-cross-site-scripting-xs… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2020
by Daily end-of-shift report 28 Jul '20

28 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Montag 27-07-2020 18:00 − Dienstag 28-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ QSnatch Data-Stealing Malware Infected Over 62,000 QNAP NAS Devices ∗∗∗ --------------------------------------------- Called QSnatch (or Derek), the data-stealing malware is said to have compromised 62,000 devices since reports emerged last October, with a high degree of infection in Western Europe and North America. ... "All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes," the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) said in the alert. --------------------------------------------- https://thehackernews.com/2020/07/qnap-nas-malware-attack.html ∗∗∗ Team Pangu demonstrated an unpatchable SEP vulnerability in iOS ∗∗∗ --------------------------------------------- Xu Hao a member of Team Pangu says they have found an “unpatchable” vulnerability on the Secure Enclave Processor (SEP) chip in iPhones. Hao presented his talk – Attack Secure Boot of SEP – on 24th July at MOSEC 2020 in Shanghai, China. --------------------------------------------- https://androidrookies.com/team-pangu-demonstrates-unpatchable-secure-encla… ∗∗∗ IT-Sicherheit: Public Cloud kann zum Einfallstor in Unternehmen werden ∗∗∗ --------------------------------------------- Schlecht gepflegte Workloads und Authentifizierungsschwächen in Cloud-Umgebungen untergraben die Sicherheit – von beidem gibt es reichlich, meint eine Studie. --------------------------------------------- https://heise.de/-4856561 ∗∗∗ Vorsicht: 500 Euro Amazon-Geschenkkarte führt in Abo-Falle ∗∗∗ --------------------------------------------- Freuen Sie sich nicht zu früh, wenn Sie eine 500 Euro Amazon-Geschenkkarte in Ihrem E-Mail-Posteingang finden. Sie werden in eine Abo-Falle gelockt, denn dieses E-Mail stammt nicht von Amazon! Klicken Sie nicht auf den Link und verschieben Sie das E-Mail in den Spam-Ordner. Haben Sie auf den Link geklickt und Kreditkartendaten angeführt, wird Ihnen Monat für Monat ein Betrag zwischen 50 und 90 Euro abgebucht! Lesen Sie hier, wie Sie dieses betrügerische Abo kündigen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-500-euro-amazon-geschenkkar… ===================== = Vulnerabilities = ===================== ∗∗∗ Reverse String WooCommerce WordPress Credit Card Swiper ∗∗∗ --------------------------------------------- As 2020 continues to be the worst year in almost anybody’s lifetime, allow me to take this opportunity to stoke the fires of your existential dread even further. As a sequel to my last blog post earlier this year about the credit card swiper that I found on a WordPress ecommerce website using WooCommerce, today I found another very noteworthy infection of the same variety. --------------------------------------------- https://blog.sucuri.net/2020/07/reverse-string-woocommerce-wordpress-credit… ∗∗∗ TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure ∗∗∗ --------------------------------------------- It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains .. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2020-008 ∗∗∗ TYPO3-CORE-SA-2020-007: Potential Privilege Escalation ∗∗∗ --------------------------------------------- In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php which again contains the encryptionKey as well as credentials of the database management system being used. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2020-007 ∗∗∗ TYPO3-PSA-2020-001: Critical vulnerability in legacy versions of TYPO3 CMS ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to sensitive information disclosure in previous TYPO3 versions which are not maintained by the community anymore. --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2020-001 ∗∗∗ TYPO3-EXT-SA-2020-014: Sensitive Information Disclosure in extension "Media Content Element" (mediace) ∗∗∗ --------------------------------------------- It has been discovered that the extension "Media Content Element" (mediace) is susceptible to Sensitive Information Disclosure. --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2020-014 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (cacti, cacti-spine, go1.13, SUSE Manager Client Tools, and tomcat), Red Hat (postgresql-jdbc and python-pillow), Slackware (mozilla), SUSE (python-Django and python-Pillow), and Ubuntu (clamav, librsvg, libslirp, linux-gke-5.0, linux-oem-osp1, linux-hwe, linux-azure-5.3, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-oracle-5.3, and sqlite3). --------------------------------------------- https://lwn.net/Articles/827232/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 78.1 ∗∗∗ --------------------------------------------- In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-33/ ∗∗∗ Security Vulnerabilities fixed in Firefox 79 ∗∗∗ --------------------------------------------- Severity: high - CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker - CVE-2020-6514: WebRTC data channel leaks internal address to peer - CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy - CVE-2020-15659: Memory safety bugs fixed in Firefox 79 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-30/ ∗∗∗ JSA11041 - 2020-07 Security Bulletin: Junos OS: MX Series: PFE crash on MPC7/8/9 upon receipt of large packets requiring fragmentation (CVE-2020-1655) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11041&actp=RSS ∗∗∗ JSA11036 - 2020-07 Security Bulletin:Junos OS: MX Series: PFE crash on MPC7/8/9 upon receipt of small fragments requiring reassembly (CVE-2020-1649) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11036&actp=RSS ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service vulnerability (CVE-2020-4466) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Pentest results for IBM Netcool Operations Insight found a security vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-pentest-results-for-ibm-n… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: XML parsing vulnerability in Apache Santuario might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2019-12400 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xml-parsing-vulnerability… ∗∗∗ Security Bulletin: Security Bulletin: A Vulnerability in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-a-vulne… ∗∗∗ Security Bulletin: SB0003782 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sb0003782/ ∗∗∗ Security Bulletin: Novalink is impacted by Swagger vulnerability affects WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-s… ∗∗∗ Security Bulletin: IBM Ingelligent Operations Center is Vulnerable to Stored Cross-Site Scripting (CVE-2020-4318) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-ingelligent-operation… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple libxml2 vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2020
by Daily end-of-shift report 27 Jul '20

27 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-07-2020 18:00 − Montag 27-07-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ No More Ransom turns 4: Saves $632 million in ransomware payments ∗∗∗ --------------------------------------------- The No More Ransom Project celebrates its fourth anniversary today after helping over 4.2 million visitors recover from a ransomware infection and saving an estimated $632 million in ransom payments. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/no-more-ransom-turns-4-saves… ∗∗∗ ProLock ransomware – new report reveals the evolution of a threat ∗∗∗ --------------------------------------------- Ransomware crooks keep adjusting their approach to make their demands more compelling, even against companies that say theyd never pay up. --------------------------------------------- https://nakedsecurity.sophos.com/2020/07/27/prolock-ransomware-new-report-r… ∗∗∗ Cracking Maldoc VBA Project Passwords, (Sun, Jul 26th) ∗∗∗ --------------------------------------------- In diary entry "VBA Project Passwords" I explained that VBA project passwords in malicious documents don't hinder analysis: you can just extract the macros without knowing the password. It's only when you would perform a dynamic analysis with the step-by-step debugger of the VBA IDE, that the password would prevent you from doing this. But there are simple methods to remove the password, and then you can go ahead with your debugging. --------------------------------------------- https://isc.sans.edu/diary/rss/26390 ∗∗∗ Analyzing Metasploit ASP .NET Payloads, (Mon, Jul 27th) ∗∗∗ --------------------------------------------- I recently helped a friend with the analysis of a Metasploit ASP .NET payload. --------------------------------------------- https://isc.sans.edu/diary/rss/26392 ∗∗∗ Ensiko: A Webshell With Ransomware Capabilities ∗∗∗ --------------------------------------------- Ensiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshe… ∗∗∗ Jetzt patchen! Angreifer attackieren BIG-IP Appliances von F5 ∗∗∗ --------------------------------------------- Derzeit haben Angreifer eine kritische Sicherheitslücke in verschiedenen BIG-IP Appliances im Visier. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-4852900 ∗∗∗ Evolution of Valak, from Its Beginnings to Mass Distribution ∗∗∗ --------------------------------------------- Valak is an information stealer and malware loader that has become increasingly common in our threat landscape and is being mass distributed by an actor known as Shathak/TA551.The post Evolution of Valak, from Its Beginnings to Mass Distribution appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/valak-evolution/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e2fsprogs, ffmpeg, milkytracker, mupdf, openjdk-11, and qemu), Fedora (bashtop), Gentoo (ant, arpwatch, awstats, cacti, chromium, curl, dbus, djvu, filezilla, firefox, freexl, fuseiso, fwupd, glib-networking, haml, hylafaxplus, icinga, jhead, lha, libexif, libreswan, netqmail, nss, ntfs3g, ntp, ocaml, okular, ossec-hids, qtgui, qtnetwork, re2c, reportlab, samba, sarg, sqlite, thunderbird, transmission, tre, twisted, webkit-gtk, wireshark, and xen), --------------------------------------------- https://lwn.net/Articles/827153/ ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2020-4498) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2018-20852) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2018-18066) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a buffer overflow vulnerability (CVE-2015-2716) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2019-13232) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM MQ Appliance (CVE-2020-4025 and CVE-2020-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in BigFix Platform shipped with IBM License Metric Tool. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerability has been identified in BigFix Platform shipped with IBM License Metric Tool. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Udaya testing on production 12345 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-udaya-testing-on-producti… ∗∗∗ Security Bulletin: Dev team testing on production 123 456 789 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dev-team-testing-on-produ… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2020
by Daily end-of-shift report 24 Jul '20

24 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-07-2020 18:00 − Freitag 24-07-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 5 severe D-Link router vulnerabilities disclosed, patch now ∗∗∗ --------------------------------------------- 5 severe D-Link vulnerabilities have been disclosed that could allow an attacker to take complete control over a router without needing to login. --------------------------------------------- https://www.bleepingcomputer.com/news/security/5-severe-d-link-router-vulne… ∗∗∗ Sicherheitslücke: Wenn das Youtube-Tutorial die Cloud-Zugangsdaten leakt ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Hunderte Youtube-Tutorials ausgewertet und immer wieder Zugangsdaten entdeckt - mit diesen konnten sie sich auf AWS einloggen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-wenn-das-youtube-tutorial-die-c… ∗∗∗ MMS Exploit Part 2: Effective Fuzzing of the Qmage Codec ∗∗∗ --------------------------------------------- This post is the second of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-2-effective… ∗∗∗ Compromized Desktop Applications by Web Technologies, (Fri, Jul 24th) ∗∗∗ --------------------------------------------- For a long time now, it has been said that "the new operating system is the browser". Today, we do everything in our browsers, we connect to the office, we process emails, documents, we chat, we perform our system maintenances, ... But many popular web applications provide also desktop client: Twitter, Facebook, Slack are good examples. Such applications just replace the classic browser and use the API [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26384 ∗∗∗ Garmin Connect: Ausfall offenbar nach Ransomware-Attacke ∗∗∗ --------------------------------------------- Eine Ransomware-Attacke hat Server von Garmin lahmgelegt. Fitnesstracker und Sportuhren lassen sich nicht synchronisieren. Der Ausfall dauert wohl mehrere Tage. --------------------------------------------- https://heise.de/-4851576 ∗∗∗ New variant of Phobos ransomware is coming ∗∗∗ --------------------------------------------- In recent years, the spread of ransomware has become increasingly severe, thousands of servers and databases around the world have been invaded and destroyed. --------------------------------------------- https://blog.360totalsecurity.com/en/new-variant-of-phobos-ransomware-is-co… ∗∗∗ „Letzte Mahnung“: Ignorieren Sie diese betrügerische BAWAG-Mail! ∗∗∗ --------------------------------------------- BetrügerInnen senden derzeit vermehrt E-Mails im Namen der Bank „BAWAG P.S.K.“. Darin werden Sie aufgefordert einen neuen Dienst zu aktivieren, indem Sie Ihre Bankdaten auf einer gefälschten BAWAG-Seite eingeben sollen. Achtung, diese Daten landen direkt in den Händen der Kriminelle! --------------------------------------------- https://www.watchlist-internet.at/news/letzte-mahnung-ignorieren-sie-diese-… ===================== = Vulnerabilities = ===================== ∗∗∗ Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027 ∗∗∗ --------------------------------------------- Project: Easy BreadcrumbVersion: 8.x-1.128.x-1.10Date: 2020-July-22Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: This module enables you to use the current URL (path alias) and the current pages title to automatically extract the breadcrumbs segments and its respective links then show them as breadcrumbs on your website.The module doesnt sufficiently sanitize editor input in certain --------------------------------------------- https://www.drupal.org/sa-contrib-2020-027 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Fedora (java-11-openjdk, mod_authnz_pam, podofo, and python27), openSUSE (cni-plugins, tomcat, and xmlgraphics-batik), Oracle (dbus and thunderbird), SUSE (freerdp, kernel, libraw, perl-YAML-LibYAML, and samba), and Ubuntu (libvncserver and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/826965/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software clients. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Verify Gateway does not sufficiently guard against unauthorized API calls (PSIRT-ADV0022379) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n… ∗∗∗ Security Bulletin: IBM QRadar Advisor with Watson App for IBM QRadar SIEM does not adequately mask all passwords during input (CVE-2020-4408) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ Security Bulletin: IBM Verify Gateway PAM components do not set restricted access permission for debug logs (CVE-2020-4405) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-pam-co… ∗∗∗ Privilege Escalation Vulnerability in SteelCentral Aternity Agent ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/privilege-escalation-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2020
by Daily end-of-shift report 23 Jul '20

23 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-07-2020 18:00 − Donnerstag 23-07-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Popular Chinese-Made Drone Is Found To Have Security Weakness ∗∗∗ --------------------------------------------- Cybersecurity researchers revealed on Thursday a newfound vulnerability in an app that controls the worlds most popular consumer drones, threatening to intensify the growing tensions between China and the United States. From a report: In two reports, the researchers contended that an app on Googles Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited .. --------------------------------------------- https://it.slashdot.org/story/20/07/23/1437214/ ∗∗∗ Skimmers in Images & GitHub Repos ∗∗∗ --------------------------------------------- MalwareBytes recently shared some information about web skimmers that store malicious code inside real .ico files. During a routine investigation, we detected a similar issue. Instead of targeting .ico files, however, attackers chose to inject content into real .png files — both on compromised sites and in booby trapped Magento repos on GitHub. Googletagmanager.png Our security analyst Keith Petkus found this piece of malware injected on a compromised Magento 2.x site. --------------------------------------------- https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html ∗∗∗ Towards native security defenses for the web ecosystem ∗∗∗ --------------------------------------------- With the recent launch of Chrome 83, and the upcoming release of Mozilla Firefox 79, web developers are gaining powerful new security mechanisms to protect their applications from common web vulnerabilities. In this post we share how our Information Security Engineering team is deploying Trusted Types, Content Security Policy, Fetch Metadata Request Headers and the Cross-Origin Opener Policy across Google to help guide and inspire other developers to similarly adopt these features to protect their applications. --------------------------------------------- https://security.googleblog.com/2020/07/towards-native-security-defenses-fo… ∗∗∗ Forensoftware vBulletin: Schlecht programmiertes Testskript als mögliche Gefahr ∗∗∗ --------------------------------------------- Wer das Skript vb_test.php zum Test von vBulletin-Installationsvoraussetzungen nutzt, sollte es danach wegen gefährlicher Lücken sofort vom Server löschen. --------------------------------------------- https://heise.de/-4851012 ===================== = Vulnerabilities = ===================== ∗∗∗ ASUS Router Vulnerable to Fake Updates and XSS ∗∗∗ --------------------------------------------- Recently ASUS patched two issues I discovered in the RT-AC1900P router firmware update functionality. These vulnerabilities could allow for complete compromise of the router and all traffic that traverses it. Finding 1: Update Accepts Forged Server Certificates (CVE-2020-15498) Finding 2: XSS in Release Notes Dialog Window (CVE-2020-15499) --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/asus-router… ∗∗∗ Drupal: Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029 ∗∗∗ --------------------------------------------- Project: Modal Form Version: 8.x-1.x-dev Date: 2020-July-22 Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Access bypass Description: The Modal form module is a toolset for quick start of using forms in modal windows.Any form is available for view and submit when the modal_form module is installed. The only requirement is to know the forms fully-qualified class name. Solution: Upgrade to modal_form-8.x-1.2. --------------------------------------------- https://www.drupal.org/sa-contrib-2020-029 ∗∗∗ Sicherheitsupdate: Netzwerk-Schützer von Cisco sind löchrig ∗∗∗ --------------------------------------------- Admins, die Netzwerke mit Hard- und Software von Cisco schützen, sollten aus Sicherheitsgründen die aktuellen Versionen von Adaptive Security Appliance (ASA) und Firepower Threat Defense (FTD) installieren. ... Ein entfernter und unangemeldeter Angreifer könnte mittels präparierter HTTP-Anfragen auf das Web-Services-Dateisystem von anvisierten Geräten zugreifen (Directory-Traversal-Attacke). Dieses Dateisystem ist aber nur verfügbar, wenn Any-Connect- oder WebVPN-Features aktiviert sind. Davon sind alle Geräte mit verwundbaren ASA- und FTD-Versionen betroffen. (CVE-2020-3452) --------------------------------------------- https://heise.de/-4850949 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler and tomcat8), Fedora (cacti, cacti-spine, java-1.8.0-openjdk, mbedtls, mingw-python3, singularity, and xen), openSUSE (firefox, redis, and singularity), Red Hat (samba), SUSE (java-11-openjdk, qemu, and vino), and Ubuntu (ffmpeg and pillow). --------------------------------------------- https://lwn.net/Articles/826841/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Z Development and Test Environment – April 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Novalink is impacted by Denial of service vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-d… ∗∗∗ Security Bulletin: Websphere Application Server Liberty vulnerabilities used by IBM Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Java vulnerability CVE-2019-2949 affecting IBM Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerability-cve-20… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Network Deployment security vulnerabilities in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability exists in Watson Explorer (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-exists-in-w… ∗∗∗ Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2020-1967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-wat… ∗∗∗ Security Bulletin: WebSphere security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-security-vulner… ∗∗∗ Security Bulletin: Java vulnerabilities affecting IBM Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerabilities-affe… ∗∗∗ Security Bulletin: Cross Site Scripting security vulnerabilities in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-secu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2020
by Daily end-of-shift report 22 Jul '20

22 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-07-2020 18:00 − Mittwoch 22-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cybercrime: Der Kampf um die Router ∗∗∗ --------------------------------------------- Router sind für Cyber-Kriminelle eine wichtige Ressource. Das rechtfertigt auch außergewöhnliche Maßnahmen. --------------------------------------------- https://heise.de/-4848764 ∗∗∗ Arbeiterkammer warnt: Bewertungen können zur Falle werden! ∗∗∗ --------------------------------------------- Gesucht: italienische Pizzeria. Gefunden: Pizzeria mit top Bewertungen! Vorsicht! Auch bei Online-Bewertungen gibt es Betrug. So kaufen Unternehmen Fake-Bewertungen, die die Unternehmen besser dastehen lassen sollen als sie sind. Gleichzeitig müssen auch Sie bei Bewertungen darauf achten, was Sie schreiben. Ansonsten könnte eine Klage drohen. Arbeiterkammer (AK) und Internet Ombudsmann haben rechtliche Fragen bei Bewertungsplattformen unter die Lupe genommen. --------------------------------------------- https://www.watchlist-internet.at/news/arbeiterkammer-warnt-bewertungen-koe… ∗∗∗ Phishing-Kampagne nutzt Googles Cloud-Dienste zum Diebstahl von Office-365-Anmeldedaten ∗∗∗ --------------------------------------------- Die Hacker hosten auf Google Drive eine speziell gestaltete PDF-Datei. Die Google Cloud stellt für den Angriff auch eine Phishing-Website bereit. Ähnliche Attacken missbrauchen auch Cloud-Dienste anderer Anbieter wie Microsoft Azur. --------------------------------------------- https://www.zdnet.de/88381697/phishing-kampagne-nutzt-googles-cloud-dienste… ∗∗∗ Emotet botnet is now heavily spreading QakBot malware ∗∗∗ --------------------------------------------- Researchers tracking Emotet botnet noticed that the malware started to push QakBot banking trojan at an unusually high rate, replacing the longtime TrickBot payload. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-botnet-is-now-heavily… ∗∗∗ Format String Vulnerabilities ∗∗∗ --------------------------------------------- C++ and strings The C++ programming language has a couple of different variable types designed to manage text data. These include C strings, which are defined as arrays of characters, and the C++ string data type. These types of variables can be used for a variety of different purposes. The most visible is printing messages [...] --------------------------------------------- https://resources.infosecinstitute.com/format-string-vulnerabilities/ ∗∗∗ Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- What is a command injection vulnerability? Many applications are not designed to be wholly self-contained. They often access external systems as well, including databases, application programming interfaces (APIs) and others. Some applications are designed to run commands within the terminal of the system that they are running on. For example, a program may wish to [...] --------------------------------------------- https://resources.infosecinstitute.com/command-injection-vulnerabilities/ ∗∗∗ How to configure Internet Options for Local Group Policy ∗∗∗ --------------------------------------------- Does this sound familiar? “Welcome to Monopoly!” “All right, now we’re going to go with auctions if you don’t buy.” “Why? That’s so annoying!” “Because if we don’t, it takes forever.” “All right, fine, but I want money if I land on Free Parking.” “Fine, if that’s what it takes. But I want ‘even [...] --------------------------------------------- https://resources.infosecinstitute.com/how-to-configure-internet-options-fo… ∗∗∗ MATA: Multi-platform targeted malware framework ∗∗∗ --------------------------------------------- The MATA malware framework possesses several components, such as loader, orchestrator and plugins. The framework is able to target Windows, Linux and macOS operating systems. --------------------------------------------- https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ ∗∗∗ A few IoCs related to CVE-2020-5092, (Wed, Jul 22nd) ∗∗∗ --------------------------------------------- I know I am a bit late to the game, but a couple of weeks ago I responded to an incident resulting from an F5 compromise related to CVE-2020-5092. As I responded I captured a number if indicators of compromise. While I have not had a lot of time to dig into them, hopefully they will be of use to somebody. --------------------------------------------- https://isc.sans.edu/diary/rss/26378 ∗∗∗ Malicious Magento User Creator ∗∗∗ --------------------------------------------- We recently found a simple malicious script leveraging Magento’s internal functions to create a new admin user with the admin role “Inchoo” ⁠— probably referring to a Croatian Magento consulting company. The script is simple but very effective and can easily be overlooked as another Magento file without closer inspection. It’s based on a sample that has been circulating the Internet since 2012 and provides a boilerplate for attackers to easily specify user [...] --------------------------------------------- https://blog.sucuri.net/2020/07/malicious-magento-user-creator.html ===================== = Vulnerabilities = ===================== ∗∗∗ Shadow Attacks: Forscher hebeln PDF-Signaturprüfung erneut aus ∗∗∗ --------------------------------------------- 2019 umgingen Forscher von der Ruhr-Universität Bochum die Signatur-Überprüfung von PDF-Software. Nun entwickelten sie erfolgreich drei neue Angriffe. --------------------------------------------- https://heise.de/-4849183 ∗∗∗ Jetzt updaten: Exploit-Code für Patchday-Lücke in SharePoint Server verfügbar ∗∗∗ --------------------------------------------- Gegen eine kritische Lücke in SharePoint Server, Visual Studio und dem .NET Framework gibt es seit dem MS-Patchday Updates. Die Gefahr eines Angriffs steigt. --------------------------------------------- https://heise.de/-4849584 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (librsvg and squid), Fedora (mailman, mingw-LibRaw, php-horde-kronolith, and targetcli), openSUSE (openconnect), Red Hat (cloud-init, container-tools:rhel8, dbus, java-1.8.0-openjdk, java-11-openjdk, jbig2dec, kernel, kpatch-patch, mod_auth_openidc:2.3, nodejs:10, openstack-keystone, rh-nodejs10-nodejs, sane-backends, thunderbird, and virt:rhel), SUSE (webkit2gtk3 and xrdp), and Ubuntu (evolution-data-server, linux, linux-aws, linux-aws-hwe, [...] --------------------------------------------- https://lwn.net/Articles/826713/ ∗∗∗ Raining SYSTEM Shells with Citrix Workspace app ∗∗∗ --------------------------------------------- TL;DR Citrix Workspace is vulnerable to a remote command execution attack running under the context of the SYSTEM account. By sending a crafted message over a named pipe and spoofing [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/raining-system-shells-with-ci… ∗∗∗ Security Advisory - fastjson Injection Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200722-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in jackson-databind shipped with IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Verify Gateway does not hide a cryptographic key in one of its binary files (CVE-2020-4385) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Network Deployment security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-network-securit… ∗∗∗ Security Bulletin: SB0003748 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sb0003748/ ∗∗∗ Security Bulletin: SB0003749 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sb0003749/ ∗∗∗ Security Bulletin: WebSphere Application Server security vulnerability in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Verify Gateway does not hide client secrets when debug tracing is active (CVE-2020-4372) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n… ∗∗∗ Security Bulletin: IBM Verify Gateway PAM components default to cleartext storage of client secret (CVE-2020-4369) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-pam-co… ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0746 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0745 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2020
by Daily end-of-shift report 21 Jul '20

21 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Montag 20-07-2020 18:00 − Dienstag 21-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft will disable insecure TLS in Office 365 on Oct 15 ∗∗∗ --------------------------------------------- Microsoft has set the official retirement date for the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols in Office 365 starting with October 15, 2020, after temporarily halting deprecation enforcement for commercial customers due to COVID-19. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-inse… ∗∗∗ Sextortion Update: The Final Final Chapter, (Mon, Jul 20th) ∗∗∗ --------------------------------------------- Even though the Sextortion emails which began in the July of 2018 are old news, and old hat, I am still tracking the BTC Addresses that were holding the money from the successful transactions. --------------------------------------------- https://isc.sans.edu/diary/rss/26334 ∗∗∗ Couple of interesting Covid-19 related stats, (Tue, Jul 21st) ∗∗∗ --------------------------------------------- It is nothing new that Covid-19 forced many organizations around the world to quickly adopt the "work from home" model, which in turn resulted in an increased number of machines offering remote access services and protocols accessible from the internet. --------------------------------------------- https://isc.sans.edu/diary/rss/26374 ∗∗∗ Understanding the Benefits of the Capability Maturity Model Integration (CMMI) ∗∗∗ --------------------------------------------- “Cybersecurity is the leading corporate governance challenge today, yet 87% of C-suite professionals and board members lack confidence in their company’s cybersecurity capabilities. Many CISOs and CSOs focus on implementing standards and frameworks, but what good is compliance if it does not improve your overall cybersecurity resilience? --------------------------------------------- https://www.tripwire.com/state-of-security/featured/understanding-benefits-… ∗∗∗ Kleinanzeigenbetrug: Das können Opfer tun ∗∗∗ --------------------------------------------- Sie haben auf einer Kleinanzeigenplattform, wie ebay, willhaben und Co ein Produkt an einen Kriminellen verkauft? Sie haben den Betrug zu spät erkannt – das Paket wurde bereits aufgegeben? Mit ein wenig Glück, viele Recherche, Kommunikation und Hartnäckigkeit können Sie das Paket möglicherweise stoppen und wieder zurückbekommen! --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-das-koennen-opfe… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix Workspace app for Windows Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in the automatic update service of Citrix Workspace app for Windows that could result in: A local user escalating their privilege level to that of an administrator on the computer running Citrix Workspace app for Windows. A remote compromise of the computer running Citrix Workspace app when Windows file sharing (SMB) is enabled. --------------------------------------------- https://support.citrix.com/article/CTX277662 ∗∗∗ Notfallpatches: Adobe stopft kritische Lücken in Bridge, Prelude und Photoshop ∗∗∗ --------------------------------------------- Der Softwarehersteller Adobe hat Sicherheitsupdates außer der Reihe für Android- und Windows-Anwendungen veröffentlicht. --------------------------------------------- https://heise.de/-4849092 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ksh), openSUSE (ant, chromium, ldb, samba, and LibVNCServer), Red Hat (dbus, kernel, kernel-rt, and NetworkManager), and SUSE (cni-plugins, firefox, openexr, Salt, salt, SUSE Manager Client Tools, and tomcat). --------------------------------------------- https://lwn.net/Articles/826603/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2019 CPU ( CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WML CE: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-sqlite-through-3-3… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (July 2020v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: SB003732 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sb003732/ ∗∗∗ Security Bulletin: WML CE: TensorFlow: In SQLite before 3.32.3, select.c mishandles query-flattener optimization ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-tensorflow-in-sqli… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect B2B API of IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht XXE ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0740 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0741 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2020
by Daily end-of-shift report 20 Jul '20

20 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-07-2020 18:00 − Montag 20-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Emotet: Erste Angriffswelle nach fünfmonatiger Pause ∗∗∗ --------------------------------------------- Nach mehrmonatiger Pause haben Forscher eine neue Emotet-Angriffswelle beobachtet. Die Ziele lagen vor allem in den USA sowie im Vereinigten Königreich. --------------------------------------------- https://heise.de/-4847070 ∗∗∗ How to use Windows 10 File History to make secure backups ∗∗∗ --------------------------------------------- With File History feature on Windows, you can back up copies of files that are in the Documents, Music, Pictures, Videos, and Desktop folders. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/how-to-use-windows-10-file-… ∗∗∗ Zone.Identifier: A Coupe Of Observations, (Sat, Jul 18th) ∗∗∗ --------------------------------------------- In diary entry "Sysmon and Alternate Data Streams", we reported that Sysmon records the content of small Alternate Data Streams (containing text) in the event log. This is useful for the Zone.Identifier ADS, a stream that is added by many browsers to mark a file as orginating from the Internet. Modern browsers will include extra information in Zone.Identifier, like the URL: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26366 ∗∗∗ Online-Shop-Software: Zwei-Faktor-Authentifizierung für Magento-Shops verfügbar ∗∗∗ --------------------------------------------- Admins können Online-Shops auf Magento-Basis nun effektiver gegen feindliche Übernahmen absichern. --------------------------------------------- https://heise.de/-4847660 ===================== = Vulnerabilities = ===================== ∗∗∗ Windows 10 Store wsreset tool lets attackers bypass antivirus ∗∗∗ --------------------------------------------- A technique that exploits Windows 10 Microsoft Store called wsreset.exe can delete files to bypass antivirus protection on a host without being detected. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-store-wsreset-too… ∗∗∗ Scanning Activity for ZeroShell Unauthenticated Access, (Sun, Jul 19th) ∗∗∗ --------------------------------------------- In the past 36 hours, an increase in scanning activity to exploit and compromise ZeroShell Linux router began. This router software had several unauthenticated remote code execution released in the past several years, the last one was CVE-2019-12725. The router latest software version can be dowloaded here. --------------------------------------------- https://isc.sans.edu/diary/rss/26368 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libopenmpt, nginx, nss, qemu, rails, redis, ruby-sanitize, and tomcat9), Fedora (glibc, libldb, nspr, nss, samba, and webkit2gtk3), openSUSE (cairo, firefox, google-compute-engine, LibVNCServer, mumble, ntp, openconnect, openexr, openldap2, pdns-recursor, python-ipaddress, rubygem-puma, samba, singularity, slirp4netns, thunderbird, xen, and xrdp), and Oracle (.NET Core, .NET Core 3.1, java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird). --------------------------------------------- https://lwn.net/Articles/826537/ ∗∗∗ 3 Vulnerabilities Found on AvertX IP Cameras ∗∗∗ --------------------------------------------- Security cameras make up 5% of enterprise IoT devices but account for 33% of all security issues. We found three vulnerabilities in AvertX IP cameras. --------------------------------------------- https://unit42.paloaltonetworks.com/avertx-ip-cameras-vulnerabilities/ ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Mgmt ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: WML CE: Pillow before 7.1.0 has multiple out-of-bounds reads ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-pillow-before-7-1-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – Includes Oracle Jan 2020 CPU affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: WML CE: In Pillow before 7.1.0, there is a Buffer Overflow ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-in-pillow-before-7… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: WML CE: libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-libjpeg-turbo-2-0-… ∗∗∗ Security Bulletin: WML CE: SQLite through 3.32.2 has has a use-after-free problem. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-sqlite-through-3-3… ∗∗∗ Security Bulletin: A vulnerability in Jackson Databind affects IBM Operations Analytics Predictive Insights (CVE-2020-8840) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jackso… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Rails ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2020
by Daily end-of-shift report 17 Jul '20

17 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-07-2020 18:00 − Freitag 17-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface ∗∗∗ --------------------------------------------- This post is the first of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. New posts will be published as they are completed and will be linked here when complete. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-1-introduct… ∗∗∗ Zoom Addresses Vanity URL Zero-Day ∗∗∗ --------------------------------------------- A previously undisclosed bug in Zoom’s customizable URL feature has been addressed that could have offered a hacker a perfect social-engineering avenue for stealing credentials or sensitive information. --------------------------------------------- https://threatpost.com/zoom-vanity-url-zero-day/157510/ ∗∗∗ Fake WordPress Plugin SiteSpeed Serves Malicious Ads & Backdoors ∗∗∗ --------------------------------------------- Fake WordPress plugins appear to be trending as an effective way of establishing a foothold on compromised websites. During a recent investigation, we discovered a fake component which was masquerading as a legitimate plugin. Named SiteSpeed, it contained a lot of interesting malicious capabilities. --------------------------------------------- https://blog.sucuri.net/2020/07/fake-wordpress-plugin-sitespeed-malware-bac… ∗∗∗ capa: Automatically Identify Malware Capabilities ∗∗∗ --------------------------------------------- capa is the FLARE team’s newest open-source tool for analyzing malicious programs. Our tool provides a framework for the community to encode, recognize, and share behaviors that we’ve seen in malware. Regardless of your background, when you use capa, you invoke decades of cumulative reverse engineering experience to figure out what a program does. In this post you will learn how capa works, how to install and use the tool, and why you should integrate it into your triage workflow [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-iden… ∗∗∗ Threat modelling and IoT hubs ∗∗∗ --------------------------------------------- IoT hubs are increasingly being used to provide a single point of access to the myriad of smart devices in the home. One ring to rule them all, if rather [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/threat-modelling-and-iot-hubs/ ∗∗∗ Diese Betrugsmaschen sollten GamerInnen kennen (Teil 2) ∗∗∗ --------------------------------------------- Ob Phishing-Versuche oder Fake-Shops: Die Betrugsmaschen im Gaming-Bereich unterscheiden sich teilweise kaum von anderen Betrügereien im Internet. Wir sammeln die häufigsten Betrugsmaschen und erklären, wie Sie diese erkennen und dagegen vorgehen können. Im zweiten Teil zeigen wir Ihnen Betrugsmaschen rund um Schadsoftware, Fake-Shops und betrügerische Apps. --------------------------------------------- https://www.watchlist-internet.at/news/diese-betrugsmaschen-sollten-gamerin… ∗∗∗ Diebold Nixdorf warns of a new class of ATM black box attacks across Europe ∗∗∗ --------------------------------------------- New ATM black box (jackpotting) attacks have been spotted in Belgium. --------------------------------------------- https://www.zdnet.com/article/diebold-nixdorf-warns-of-a-new-class-of-atm-b… ∗∗∗ Mac cryptocurrency trading application rebranded, bundled with malware ∗∗∗ --------------------------------------------- ESET researchers lure GMERA malware operators to remotely control their Mac honeypots --------------------------------------------- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-applic… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (bashtop and python39), openSUSE (openexr), Red Hat (java-1.8.0-openjdk), and Scientific Linux (thunderbird). --------------------------------------------- https://lwn.net/Articles/826367/ ∗∗∗ Security Bulletin: Vulnerabilities in Dojo affect IBM Spectrum Protect for Virtual Environments (CVE-2020-5259, CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-dojo-a… ∗∗∗ Security Bulletin: IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments are vulnerabile to Logjam (CVE-2015-4000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-back… ∗∗∗ Security Bulletin: IBM Spectrum Protect Snapshot for VMware is vulnerable to Logjam (CVE-2015-4000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-snap… ∗∗∗ Security Bulletin: Vulnerabilities in Dojo affect IBM Spectrum Protect Snapshot for VMware (CVE-2020-5259, CVE-2020-5258) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-dojo-a… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java JRE, 8.0-1.1 affect IBM Netezza Platform Software clients. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Addressing the Sqlite Vulnerability CVE-2020-11656, CVE-2020-11655 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vul… ∗∗∗ Security Bulletin: IBM Java Runtime Vulnerability affects IBM Spectrum Protect Snapshot for VMware (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerab… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty XSS Vulnerabilities Affect IBM Control Center (CVE-2020-4303, CVE-2020-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Apache CXF XSS Vulnerability Affects IBM Control Center (CVE-2019-17573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-xss-vulnerabil… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4464) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.07.2020
by Daily end-of-shift report 16 Jul '20

16 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-07-2020 18:00 − Donnerstag 16-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BlackRock - the Trojan that wanted to get them all ∗∗∗ --------------------------------------------- Around May 2020 ThreatFabric analysts have uncovered a new strain of banking malware dubbed BlackRock that looked pretty familiar. After investigation, it became clear that this newcomer is derived from the code of the Xerxes banking malware, which itself is a strain of the LokiBot Android banking Trojan. The source code of the Xerxes malware was made public by its author around May 2019, which means that it is accessible to any threat actor. --------------------------------------------- https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_… ∗∗∗ Windows Server Containers Are Open, and Here’s How You Can Break Out ∗∗∗ --------------------------------------------- We demonstrate a complete technique to escalate privileges and escape Windows Server Containers.The post Windows Server Containers Are Open, and Here’s How You Can Break Out appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabiliti… ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory XSA-329 - Linux ioperm bitmap context switching issues ∗∗∗ --------------------------------------------- IO port permissions dont get rescinded when context switching to an unprivileged task. Therefore, all userspace can use the IO ports granted to the most recently scheduled task with IO port permissions. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-329.html ∗∗∗ Schadcode-Lücken gefährden Router von Cisco ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco holt zum Rundumschlag aus und veröffentlicht quer durch die eigenen Produktreihen Sicherheitsupdates. --------------------------------------------- https://heise.de/-4845109 https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ 2 Million Users Affected by Vulnerability in All in One SEO Pack ∗∗∗ --------------------------------------------- On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel's [...] --------------------------------------------- https://www.wordfence.com/blog/2020/07/2-million-users-affected-by-vulnerab… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (evolution-data-server and webkit2gtk), Fedora (kernel, snapd, and xen), openSUSE (thunderbird and xen), Oracle (dbus and thunderbird), Red Hat (java-1.8.0-openjdk, java-11-openjdk, jbig2dec, sane-backends, and thunderbird), Scientific Linux (kernel), SUSE (cairo, containerd, docker, docker-runc, golang-github-docker-libnetwork, google-compute-engine, mailman, mercurial, openconnect, openexr, and xrdp), and Ubuntu (libvpx and snapd). --------------------------------------------- https://lwn.net/Articles/826288/ ∗∗∗ Synology-SA-20:18 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to conduct man-in-the-middle attacks via a susceptible version of Synology DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_18 ∗∗∗ Trend Micro Internet Security: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0724 ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0721 ∗∗∗ macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211289 ∗∗∗ iOS 13.6 and iPadOS 13.6 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211288 ∗∗∗ tvOS 13.4.8 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211290 ∗∗∗ watchOS 6.2.8 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211291 ∗∗∗ Security Advisory - Windows DNS Server Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200716-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2019 CPU (CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: XML External Entity Injection (XXE) Vulnerability Affects IBM Secure External Authentication Server (CVE-2020-4462) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xml-external-entity-injec… ∗∗∗ Security Bulletin: Cross-site Scripting and Vulnerable library – JQuery v1.11.1 affects IBM Engineering Workflow Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-… ∗∗∗ Security Bulletin: Missing Cookie Attribute Vulnerability Affects IBM Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-cookie-attribute-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2020 CPU (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Java Runtime Vulnerability Affects IBM Secure External Authentication Server (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerab… ∗∗∗ Security Bulletin: : HTTP Header Weakness Affects IBM Secure External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-http-header-weakness-affe… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Jazz Foundation and IBM Engineering products. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2020 CPU (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2020
by Daily end-of-shift report 15 Jul '20

15 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-07-2020 18:00 − Mittwoch 15-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows Server: Sigred ist eine wurmartige kritische Lücke in Windows DNS ∗∗∗ --------------------------------------------- Der Bug betrifft alle Maschinen mit Windows Server 2003 bis 2019. Microsoft rät zum Patch, da sich Malware darüber selbst ausbreiten kann. --------------------------------------------- https://www.golem.de/news/windows-server-sigred-ist-eine-wurmartige-kritisc… ∗∗∗ Spamdexing (SEO spam malware) ∗∗∗ --------------------------------------------- Introduction: About SEO spam - is my website a target? You’ve spent time and energy in positioning your website high in search engine rankings through good SEO practices. You realize, however, that someone has hijacked your site by inserting their own spam. You are a victim of SEO spam, otherwise known as spamdexing, web spam, [...] --------------------------------------------- https://resources.infosecinstitute.com/spamdexing-seo-spam-malware/ ∗∗∗ Word docs with macros for IcedID (Bokbot), (Wed, Jul 15th) ∗∗∗ --------------------------------------------- Today's diary reviews Microsoft Word documents with macros to infect vulnerable Windows hosts with IcedID malware (also known as Bokbot) on Tuesday 2020-07-14. This campaign has previously pushed Valak or Ursnif, often with IcedID as the follow-up malware to these previous infections. --------------------------------------------- https://isc.sans.edu/diary/rss/26352 ∗∗∗ Simple DGA Spotted in a Malicious PowerShell ∗∗∗ --------------------------------------------- DGA (“Domain Generation Algorithm“) is a technique implemented in some malware families to defeat defenders and to make the generation of IOC’s (and their usage – example to implement black lists) more difficult. When a piece of malware has to contact a C2 server, it uses domain names or IP [...] --------------------------------------------- https://blog.rootshell.be/2020/07/14/simple-dga-spotted-in-a-malicious-powe… ∗∗∗ Website misconfigurations and other errors to avoid ∗∗∗ --------------------------------------------- Website misconfigurations can lead to hacking, malfunction, and worse. We take a look at recent mishaps and advise site owners on how to lock down their platforms. --------------------------------------------- https://blog.malwarebytes.com/how-tos-2/2020/07/website-misconfigurations-a… ∗∗∗ Diese Betrugsmaschen sollten GamerInnen kennen (Teil 1) ∗∗∗ --------------------------------------------- Ob Phishing-Versuche oder Fake-Shops: Die Betrugsmaschen im Gaming-Bereich unterscheiden sich teilweise kaum von anderen Betrügereien im Internet. Wir sammeln die häufigsten Betrugsmaschen und erklären, wie Sie diese erkennen und dagegen vorgehen können. Im ersten Teil zeigen wir Ihnen die betrügerischen Tricks rund um Phishing und Accountdiebstahl. --------------------------------------------- https://www.watchlist-internet.at/news/diese-betrugsmaschen-sollten-gamerin… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft July 2020 Patch Tuesday - Patch Now!, (Tue, Jul 14th) ∗∗∗ --------------------------------------------- This month we got patches for 123 vulnerabilities. Of these, 17 are critical and 2 were previously disclosed. --------------------------------------------- https://isc.sans.edu/diary/rss/26350 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dbus), Debian (python3.5), Fedora (podofo and roundcubemail), Oracle (dbus, dovecot, jbig2dec, kernel, nodejs:10, nodejs:12, sane-backends, and thunderbird), Red Hat (.NET Core and kernel), SUSE (ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, [...] --------------------------------------------- https://lwn.net/Articles/826181/ ∗∗∗ Security Advisory - Two Vulnerabilities in SaltStack Salt ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200715-… ∗∗∗ Security Advisory - Apache Tomcat File Inclusion Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200715-… ∗∗∗ Security Bulletin: IBM has released a Unified Extensible Firmware Interface (UEFI) fix in response to an Intel escalation of information disclosure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-released-a-unifie… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Apr 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Java affect the IBM FlashSystem 900 (CVE-2019-2989 and CVE-2019-2964) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Apr 2020 CPU (CVE-2020-2805, CVE-2020-2803, CVE-2020-2757, CVE-2020-2756) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Apache Tomcat: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0717 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2020
by Daily end-of-shift report 14 Jul '20

14 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Montag 13-07-2020 18:00 − Dienstag 14-07-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SCANdalous! (External Detection Using Network Scan Data and Automation) ∗∗∗ --------------------------------------------- Real Quick In case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t get sued. SCANdalous—a.k.a. Scannah Montana a.k.a. Scanny McScanface a.k.a. “Scan I Kick It? (Yes You Scan)”—had another name before today that, for legal reasons, we’re keeping to ourselves. A special thanks to our legal team who is always looking out for us, this blog post would be a lot less fun without them. Strap in folks. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-det… ∗∗∗ Vorsicht vor betrügerischer Werbung auf Facebook ∗∗∗ --------------------------------------------- Facebook und Instagram, durchaus lukrative Werbekanäle. Dass haben auch Kriminelle erkannt. Mit der Botschaft, dass die Shops luvpatient.com, liebesfreund.de und colorootd.com die Corona-Krise angeblich nicht überstanden haben, werden Produkte zu sehr günstigen Preisen im Feed oder zwischen den Stories beworben. Doch Vorsicht: Die bestellte Ware kommt nicht oder nur in minderwertiger Qualität an! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischer-werbung… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Creative Cloud Desktop Application (APSB20-33), Adobe Media Encoder (APSB20-36), Adobe Genuine Service (APSB20-37), Adobe ColdFusion (APSB20-43) and Adobe Download Manager (APSB20-49). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1893 ∗∗∗ SAP Patchday Juli 2020 ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in mehreren SAP Produkten ausnutzen, um die Kontrolle über SAP Anwendungen zu übernehmen, um Informationen offenzulegen, um einen Cross-Site Scripting Angriff durchzuführen und um weitere, nicht spezifizierte Auswirkungen zu erreichen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0690 ∗∗∗ SSA-305120 (Last Update: 2020-07-14): Vulnerabilities in SICAM MMU, SICAM T and SICAM SGU ∗∗∗ --------------------------------------------- SICAM MMU, SICAM T and the discontinued SICAM SGU devices are affected by multiple security vulnerabilities which could allow an attacker to perform a variety of attacks. This may include unauthenticated firmware installation, remote code execution and leakage of confidential data like passwords. Siemens has released updates to introduce authentication to the web application. It is still recommended to implement further mitigations, as most of the vulnerabilities might not be sufficiently [...] --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-305120.txt ∗∗∗ SSA-364335 (Last Update: 2020-07-14): Clear Text Transmission Vulnerability on SIMATIC HMI Panels ∗∗∗ --------------------------------------------- A clear text transmission vulnerability in SIMATIC HMI panels could allow an attacker to access sensitive information under certain circumstances.Siemens recommends specific countermeasures to mitigate this vulnerability. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-364335.txt ∗∗∗ SSA-573753 (Last Update: 2020-07-14): Remote Code Execution in Siemens LOGO! Web Server ∗∗∗ --------------------------------------------- The latest update for LOGO! 8 BM devices fixes a vulnerability that could allow remote code execution in the web server functionality.Siemens provides a firmware update for the latest versions of LOGO! BM. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-573753.txt ∗∗∗ SSA-589181 (Last Update: 2020-07-14): Denial-Of-Service in SIMATIC S7-200 SMART CPU Family Devices ∗∗∗ --------------------------------------------- The latest update for SIMATIC S7-200 SMART fixes a vulnerability that could allow an attacker to cause a permanent Denial-of-Service of an affected device by sending a large number of crafted packets.Siemens has released an update for the SIMATIC S7-200 SMART CPU family and recommends that customers update to the latest version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-589181.txt ∗∗∗ SSA-604937 (Last Update: 2020-07-14): Multiple Web Server Vulnerabilities in Opcenter Execution Core ∗∗∗ --------------------------------------------- The latest update of Opcenter Execution Core fixes multiple vulnerabilities where the most severe could allow an attacker to perform a cross-site scripting (XSS) attack under certain conditions.Siemens has released an update for the Opcenter Execution Core and recommends that customers update to the latest version. Siemens recommends specific countermeasures as there are currently no further fixes available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-604937.txt ∗∗∗ SSA-631949 (Last Update: 2020-07-14): Ripple20 and Intel SPS Vulnerabilities in SPPA-T3000 Solutions ∗∗∗ --------------------------------------------- SPPA-T3000 solutions are affected by vulnerabilities that were recently dislosed by JSOF research lab (“Ripple20”) for the TCP/IP stack used in APC UPS systems, and by Intel for the Server Platform Services (SPS) used in SPPA-T3000 Application Server and Terminal Server hardware.The advisory provides information to what amount SPAA-T3000 solutions are affected. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-631949.txt ∗∗∗ SSA-841348 (Last Update: 2020-07-14): Multiple Vulnerabilities in the UMC Stack ∗∗∗ --------------------------------------------- The latest update for the below listed products fixes two security vulnerabilities that could allow an attacker to cause a partial Denial-of-Service on the UMC component of the affected devices under certain circumstances, and one vulnerability that could allow an attacker to locally escalate privileges from a user with administrative privileges to execute code with SYSTEM level privileges. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-841348.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mingw-podofo and python-rsa), openSUSE (LibVNCServer, mozilla-nss, nasm, openldap2, and permissions), Red Hat (dovecot, sane-backends, and thunderbird), Scientific Linux (dbus), and SUSE (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/826113/ ∗∗∗ [20200706] - Core - System Information screen could expose redis or proxy credentials ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/823-20200706-core-system-i… ∗∗∗ [20200705] - Core - Escape mod_random_image link ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/822-20200705-core-escape-m… ∗∗∗ [20200704] - Core - Variable tampering via user table class ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/821-20200704-core-variable… ∗∗∗ [20200703] - Core - CSRF in com_privacy remove-request feature ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/820-20200703-core-csrf-in-… ∗∗∗ [20200702] - Core - Missing checks can lead to a broken usergroups table record ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/819-20200702-core-missing-… ∗∗∗ [20200701] - Core - CSRF in com_installer ajax_install endpoint ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/818-20200701-core-csrf-in-… ∗∗∗ Security Bulletin: Apache Tika as used by IBM QRadar SIEM is vulnerable to a denial of service (CVE-2020-1951, CVE-2020-1950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-tika-as-used-by-ib… ∗∗∗ Security Bulletin: IBM QRadar is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2020-4510) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-is-vulnerable-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (CVE-2020-4513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in Java affect the IBM FlashSystem 900 (CVE-2019-2989 and CVE-2019-2964) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service (CVE-2020-4511) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to command injection (CVE-2020-4512) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (CVE-2020-4364) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2020
by Daily end-of-shift report 13 Jul '20

13 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-07-2020 18:00 − Montag 13-07-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware adds online sandbox detection to evade analysis ∗∗∗ --------------------------------------------- Malware developers are now checking if their malware is running in the Any.Run malware analysis service to prevent their malware from being easily analyzed by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-adds-anyrun-sandbox-… ∗∗∗ Hidden Miners ∗∗∗ --------------------------------------------- It is always a good idea to have multiple options when it comes to making a profit. This is especially true for criminals. Having a backdoor is nice, but having the backdoored system directly make money is even better. --------------------------------------------- https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners ∗∗∗ Scanning Home Internet Facing Devices to Exploit, (Sat, Jul 11th) ∗∗∗ --------------------------------------------- In the past 45 days, I noticed a surge of activity in my honeypot logs for home router exploitation. This is a summary of the various hosts and IP addresses with potential exploit packages available for download. What is also interesting is the fact that most URL were only IP based, no hostname associated with them. --------------------------------------------- https://isc.sans.edu/diary/rss/26340 ∗∗∗ Injecting Magecart into Magento Global Config ∗∗∗ --------------------------------------------- At the beginning of June 2020, we were contacted about a Magento website breach that caused a leak of credit card numbers. A thorough analysis of the website identified the webpage’s footer had malicious code added to it. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-m… ∗∗∗ Introducing Winbindex - the Windows Binaries Index ∗∗∗ --------------------------------------------- I indexed all Windows files which appear in Windows update packages, and created a website which allows to quickly view information about the files and download some of them from Microsoft servers. The files that can be downloaded are executable files (currently exe, dll and sys files). --------------------------------------------- https://m417z.com/Introducing-Winbindex-the-Windows-Binaries-Index/ ∗∗∗ Threat spotlight: WastedLocker, customized ransomware ∗∗∗ --------------------------------------------- WastedLocker ransomware, attributed to the Russian Evil Corp gang, is such a targeted threat, you might call it a custom-built ransomware family. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-was… ∗∗∗ TrickBot Malware Warning Victims of Infection by Mistake ∗∗∗ --------------------------------------------- Security researchers observed some variants of the TrickBot malware family mistakenly warning victims that they had suffered an infection. Advanced Intel’s Vitali Kremez traced the mistake to “password-stealing grabber.dll.” This module is responsible for stealing browser credentials and cookies from Google Chrome, Microsoft Edge and other web browsers that are stored on a victim’s machine. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/trickbo… ∗∗∗ TrickBots new API-Hammering explained ∗∗∗ --------------------------------------------- As usual, at Joe Security, we keep a close eye on evasive malware. Some days ago we detected an interesting sample, MD5: b32d28ebab62e99cd2d46aca8b2ffb81. It turned out to be a new TrickBot sample using API hammering to bypass analysis. In this blog post, we will outline the evasion and explain how it works. --------------------------------------------- http://blog.joesecurity.org/2020/07/trickbots-new-api-hammering-explained.h… ∗∗∗ Researchers create magstripe versions from EMV and contactless cards ∗∗∗ --------------------------------------------- Banking industry loophole reported more than a decade ago still remains open and ripe for exploitation today. --------------------------------------------- https://www.zdnet.com/article/researchers-create-magstripe-versions-of-emv-… ∗∗∗ This botnet has surged back into action spreading a new ransomware campaign via phishing emails ∗∗∗ --------------------------------------------- Theres been a big jump in Phorpiex botnet activity - but its a trojan malware attack that was the most common malware campaign in June. --------------------------------------------- https://www.zdnet.com/article/this-botnet-has-surged-back-into-action-sprea… ===================== = Vulnerabilities = ===================== ∗∗∗ Popular TP-Link Family of Kasa Security Cams Vulnerable to Attack ∗∗∗ --------------------------------------------- Researcher warns the highly-rated Kasa family of security cameras have bugs that gives hackers access to private video feeds and settings. --------------------------------------------- https://threatpost.com/popular-tp-link-family-of-kasa-security-cams-vulnera… ∗∗∗ macOS-Sicherheitslücke: Komplettes Dateisystem ohne Zugriffsrechte auslesbar ∗∗∗ --------------------------------------------- In mount_apfs steckte ein Bug, der Apples Systemschutz zumindest read-only aushebeln konnte. Ein Fix ist da, doch der ist eher ungewöhnlich. --------------------------------------------- https://heise.de/-4841670 ∗∗∗ Remote Code Execution Vulnerability in Zoom Client for Windows (0day) ∗∗∗ --------------------------------------------- [Update 7/13/2020: Zoom only took one (!) day to issue a new version of Client for Windows that fixes this vulnerability, which is remarkable. We have reviewed their fix and can confirm that it efficiently resolves the vulnerability. --------------------------------------------- https://blog.0patch.com/2020/07/remote-code-execution-vulnerability-in.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, mailman, openjpeg2, ruby-rack, squid3, tomcat8, and xen), Fedora (botan2, kernel, LibRaw, mingw-OpenEXR, mingw-podofo, podofo, seamonkey, squid, and webkit2gtk3), Mageia (ffmpeg, mbedtls, mediawiki, and xpdf), Oracle (kernel), Red Hat (bind, dbus, jbig2dec, and rh-nodejs12-nodejs), and SUSE (graphviz and xen). --------------------------------------------- https://lwn.net/Articles/826038/ ∗∗∗ Sophos XG Firewall: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0686 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0688 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0687 ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.8 ESR) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Addressing the Sqlite Vulnerability CVE-2020-11656, CVE-2020-11655 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vul… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM StoredIQ InstaScan ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM StoredIQ InstaScan (CVE-2019-17495) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM StoredIQ InstaScan ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability identified in Apache ActiveMQ used in Cloud Pak System (CVE-2020-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-identified-… ∗∗∗ Security Bulletin: IBM StoredIQ is affected by a vulnerability in NGINX (CVE-2019-20372) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-storediq-is-affected-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM StoredIQ (CVE-2019-17495) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2020
by Daily end-of-shift report 10 Jul '20

10 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-07-2020 18:00 − Freitag 10-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ tag2domain - a system for labeling DNS domains ∗∗∗ --------------------------------------------- Tag2domain - doing proper statistics on domain names In the course of nic.at’s Connecting Europe Facilities (CEF) project CEF-TC-2018-3 we were able to focus on some long overdue but relevant research: a tagging / labeling database of domain names. --------------------------------------------- https://cert.at/en/blog/2020/7/tag2domain ∗∗∗ Conti ransomware shows signs of being a Ryuk successor ∗∗∗ --------------------------------------------- The Conti Ransomware is an upcoming threat targeting corporate networks with new features that allow it to perform quicker and more targeted attacks. There are also indications that this ransomware shares the same malware code as Ryuk, who has slowly been fading away, while Contis distribution is increasing. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-shows-signs… ∗∗∗ How to unc0ver a 0-day in 4 hours or less ∗∗∗ --------------------------------------------- By Brandon Azad, Project Zero. At 3 PM PDT on May 23, 2020, the unc0ver jailbreak was released for iOS 13.5 (the latest signed version at the time of release) using a zero-day vulnerability and heavy obfuscation. By 7 PM, I had identified the vulnerability and informed Apple. By 1 AM, I had sent Apple a POC and my analysis. This post takes you along that journey. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/how-to-unc0ver-0-day-in-4-ho… ∗∗∗ Report: Most Popular Home Routers Have ‘Critical’ Flaws ∗∗∗ --------------------------------------------- Common devices from Netgear, Linksys, D-Link and others contain serious security vulnerabilities that even updates don’t fix. --------------------------------------------- https://threatpost.com/report-most-popular-home-routers-have-critical-flaws… ∗∗∗ Excel spreasheet macro kicks off Formbook infection, (Fri, Jul 10th) ∗∗∗ --------------------------------------------- Today's diary covers a Formbook infection from Thursday, June 9th 2020. --------------------------------------------- https://isc.sans.edu/diary/rss/26332 ∗∗∗ Fintechs im Visier – Analyse der Evilnum‑Malware ∗∗∗ --------------------------------------------- Bei der Analyse der Angriffe auf Fintech-Unternehmen fanden ESET Forscher selbstentwickelte Tools und interessante Parallelen zu anderen APT-Gruppen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/07/08/fintechs-im-visier-analys… ===================== = Vulnerabilities = ===================== ∗∗∗ Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data ∗∗∗ --------------------------------------------- The backdoor accounts grant access to a secret Telnet admin account running on the devices external WAN interface. --------------------------------------------- https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devic… ∗∗∗ VMSA-2020-0017 ∗∗∗ --------------------------------------------- A privilege escalation vulnerability in VMware Fusion, VMRC for Mac and Horizon Client for Mac was privately reported to VMware. Updates are available to address this vulnerability. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0017.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, LibRaw, python-pillow, and python36), Mageia (coturn, samba, and vino), openSUSE (opera), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/825850/ ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – Includes Oracle Jan 2020 CPU affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: CVE-2019-2949 may affect IBM® SDK, Java™ Technology Edition for IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2949-may-affect-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.07.2020
by Daily end-of-shift report 09 Jul '20

09 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-07-2020 18:00 − Donnerstag 09-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688 , (Thu, Jul 9th) ∗∗∗ --------------------------------------------- I just can't get away from vulnerabilities in perimeter security devices. In the last couple of days, I spent a lot of time with our F5 BigIP honeypot. But looks like I have to revive the Citrix honeypot again. As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week [1]. Details with proof of concept code snippets were released yesterday [2]. --------------------------------------------- https://isc.sans.edu/diary/rss/26330 ∗∗∗ Citrix provides context on Security Bulletin CTX276688 ∗∗∗ --------------------------------------------- [...] Standard procedure for most software companies in advising customers of vulnerabilities is limited to the publication of the bulletin and related CVEs. In this case, however, to avoid confusion and limit the potential for misinterpretation in the industry and our customer set, I am using this space to provide brief additional context. --------------------------------------------- https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security… ∗∗∗ Protecting your remote workforce from application-based attacks like consent phishing ∗∗∗ --------------------------------------------- [...] Today developers are building apps by integrating user and organizational data from cloud platforms to enhance and personalize their experiences. These cloud platforms are rich in data but in turn have attracted malicious actors seeking to gain unwarranted access to this data. One such attack is consent phishing, where attackers trick users into granting a malicious app access to sensitive data or other resources. --------------------------------------------- https://www.microsoft.com/security/blog/?p=91507 ∗∗∗ Unerwartete Kreditkartenabbuchung von shockdeals247.com? ∗∗∗ --------------------------------------------- Wurde von Ihrer Kreditkarte unerwartet Geld von shockdeals247.com abgebucht obwohl Sie dort keine Mitgliedschaft abgeschlossen haben? Können Sie sich nicht erklären, warum dieses Unternehmen Monat für Monat einen Betrag von Ihrem Konto abbucht? Sie sind höchstwahrscheinlich in eine Abo-Falle getappt! Hier erfahren Sie, wie Sie das Problem lösen können. --------------------------------------------- https://www.watchlist-internet.at/news/unerwartete-kreditkartenabbuchung-vo… ===================== = Vulnerabilities = ===================== ∗∗∗ Palo-Alto-Firewalls: Root-Lücke lässt Schadcode passieren ∗∗∗ --------------------------------------------- Es gibt erneut wichtige Sicherheitsupdates für das Betriebssystem von Palo-Alto-Firewalls. Derzeit soll es noch keine Attacken geben. --------------------------------------------- https://heise.de/-4839716 ∗∗∗ Remote Code Execution Vulnerability in Zoom Client for Windows (0day) ∗∗∗ --------------------------------------------- [...] We analyzed the issue and determined it to be only exploitable on Windows 7 and older Windows systems. While Microsoft's official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft's Extended Security Updates or with 0patch. --------------------------------------------- https://blog.0patch.com/2020/07/remote-code-execution-vulnerability-in.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox), Debian (ffmpeg, fwupd, ruby2.5, and shiro), Fedora (freerdp, gssdp, gupnp, mingw-pcre2, remmina, and xrdp), openSUSE (chocolate-doom), Oracle (firefox and kernel), and Ubuntu (linux, linux-lts-xenial, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon and thunderbird). --------------------------------------------- https://lwn.net/Articles/825723/ ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- Two issues have been identified in Citrix Hypervisor that may, if exploited, allow privileged code in an HVM guest VM to compromise or crash the host. These issues only apply in specific configurations; furthermore, Citrix believes that there would be [...] --------------------------------------------- https://support.citrix.com/article/CTX277456 ∗∗∗ Security advisory 2020-07-08 ∗∗∗ --------------------------------------------- OpenPGP application Resetting Code bug --------------------------------------------- https://www.yubico.com/support/security-advisories/ysa-2020-05/ ∗∗∗ Security advisory 2020-07-08 ∗∗∗ --------------------------------------------- Access code not checked for NDEF updates --------------------------------------------- https://www.yubico.com/support/security-advisories/ysa-2020-04/ ∗∗∗ Security advisory 2020-07-08 ∗∗∗ --------------------------------------------- Out of bounds read in libykpiv --------------------------------------------- https://www.yubico.com/support/security-advisories/ysa-2020-02/ ∗∗∗ Security Bulletin: Missing or insecure "Content-Security-Policy" header affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-missing-or-insecure-conte… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a remote code execution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Netty vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ JSA11024 - 2020-07 Security Bulletin: Junos OS: Receipt of certain genuine BGP packets from any BGP Speaker causes RPD to crash. (CVE-2020-1640) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11024&actp=RSS ∗∗∗ JSA11023 - 2020-07 Security Advisory: Junos Space and Junos Space Security Director: Multiple vulnerabilities resolved in 20.1R1 release ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11023&actp=RSS ∗∗∗ JSA11025 - 2020-07 Security Bulletin: Junos OS and Junos OS Evolved: OpenSSL Security Advisory [20 Dec 2019] ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11025&actp=RSS ∗∗∗ JSA11027 - 2020-07 Security Bulletin: Junos OS: A race condition on receipt of crafted LLDP packets leads to a memory leak and an LLDP crash. (CVE-2020-1641) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11027&actp=RSS ∗∗∗ JSA11026 - 2020-07 Security Bulletin: Junos OS: NFX150: Multiple vulnerabilities in BIOS firmware (INTEL-SA-00241) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11026&actp=RSS ∗∗∗ JSA11028 - 2020-07 Security Bulletin: Junos OS: MX Series: Services card might restart when DNS filtering is enabled (CVE-2020-1645) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11028&actp=RSS ∗∗∗ JSA11030 - 2020-07 Security Bulletin: Junos OS: RPD crash when executing specific "show ospf interface" commands from the CLI with OSPF authentication configured (CVE-2020-1643) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11030&actp=RSS ∗∗∗ JSA11031 - 2020-07 Security Bulletin: Junos OS: SRX Series: processing a malformed HTTP message when ICAP redirect service is enabled may can lead to flowd process crash or remote code execution (CVE-2020-1654) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11031&actp=RSS ∗∗∗ JSA11033 - 2020-07 Security Bulletin: Junos OS and Junos OS Evolved: RPD crash while processing a specific BGP update information. (CVE-2020-1646) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11033&actp=RSS ∗∗∗ JSA11032 - 2020-07 Security Bulletin: Junos OS and Junos OS Evolved: RPD crash due to specific BGP UPDATE packets (CVE-2020-1644) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11032&actp=RSS ∗∗∗ JSA11023 - 2020-07 Security Bulletin: Junos Space and Junos Space Security Director: Multiple vulnerabilities resolved in 20.1R1 release ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11023&actp=RSS -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2020
by Daily end-of-shift report 08 Jul '20

08 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-07-2020 18:00 − Mittwoch 08-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ „Ihre Site wurde gehackt“: Unternehmen werden per Mail erpresst ∗∗∗ --------------------------------------------- Zahlen Sie 3.000 USD in Form von Bitcoins oder der Ruf Ihres Unternehmens wird geschädigt. Damit drohen BetrügerInnen in einer aktuellen Welle von Erpressungsmails. Anstatt zu bezahlen, sollten Sie diese Mails einfach ignorieren! --------------------------------------------- https://www.watchlist-internet.at/news/ihre-site-wurde-gehackt-unternehmen-… ∗∗∗ Redirect auction ∗∗∗ --------------------------------------------- Weve already looked at links under old YouTube videos or in Wikipedia articles which at some point turned bad and began pointing to partner program pages, phishing sites, or even malware. It was as if the attackers were purposely buying up domains, but such a scenario always seemed to us too complicated. --------------------------------------------- https://securelist.com/redirect-auction/96944/ ∗∗∗ F5 BigIP vulnerability exploitation followed by a backdoor implant attempt, (Tue, Jul 7th) ∗∗∗ --------------------------------------------- While monitoring SANS Storm Center's honeypots today, I came across the second F5 BIGIP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/26322 ∗∗∗ Configuring a Windows Domain to Dynamically Analyze an ObfuscatedLateral Movement Tool ∗∗∗ --------------------------------------------- We recently encountered a large obfuscated malware sample that offered several interesting analysis challenges. It used virtualization that prevented us from producing a fully-deobfuscated memory dump for static analysis. Statically analyzing a large virtualized sample can take anywhere from several days to several weeks. Bypassing this time-consuming step presented an opportunity for collaboration between the FLARE reverse engineering team and [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/07/configuring-windows-dom… ∗∗∗ Mac ThiefQuest malware may not be ransomware after all ∗∗∗ --------------------------------------------- We discovered a new Mac malware, ThiefQuest, that appeared to be ransomware at first glance. However, once we dug in deeper, we found out its true identity—and intention. --------------------------------------------- https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be… ∗∗∗ Ransomware Characteristics and Attack Chains – What you Need to Know about Recent Campaigns ∗∗∗ --------------------------------------------- Ransomware has been around for decades going back all the way to 1989. Since then it has only magnified in scope and complexity. Now at a time when working remotely is becoming more universal and the world is trying to overcome the Covid-19 pandemic, ransomware has never been more prominent. --------------------------------------------- https://www.tripwire.com/state-of-security/featured/ransomware-characterist… ===================== = Vulnerabilities = ===================== ∗∗∗ Mitigating critical F5 BIG-IP RCE flaw not enough, bypass found ∗∗∗ --------------------------------------------- F5 BIG-IP customers who only applied recommended mitigations and havent yet patched their devices against the unauthenticated remote code execution (RCE) CVE-2020-5902 vulnerability are now advised to update them against a recently found bypass. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mitigating-critical-f5-big-i… ∗∗∗ VMSA-2020-0016 ∗∗∗ --------------------------------------------- VMware SD-WAN by VeloCloud updates address SQL-injection vulnerability (CVE-2020-3973) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0016.html ∗∗∗ Multiple Critical Vulnerabilities in Multiple Rittal Products Based on Same Software ∗∗∗ --------------------------------------------- Several devices from the manufacturer Rittal are vulnerable to Privilege Escalation, Least Privilege or Command Injection vulnerabilities. In addition, root backdoors and incorrectly configured system files are present on the devices. --------------------------------------------- https://sec-consult.com/./en/blog/advisories/multiple-critical-vulnerabilit… ∗∗∗ Critical Vulnerabilities Patched in Adning Advertising Plugin ∗∗∗ --------------------------------------------- On June 24, 2020, our Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers. We eventually discovered 2 vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to Remote Code Execution(RCE), which could [...] --------------------------------------------- https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (roundcube), Fedora (chromium, firefox, and ngircd), Oracle (firefox and thunderbird), Scientific Linux (firefox), Slackware (seamonkey), SUSE (djvulibre, ffmpeg, firefox, freetds, gd, gstreamer-plugins-base, icu, java-11-openjdk, libEMF, libexif, librsvg, LibVNCServer, libvpx, Mesa, nasm, nmap, opencv, osc, perl, php7, python-ecdsa, SDL2, texlive-filesystem, and thunderbird), and Ubuntu (cinder, python-os-brick). --------------------------------------------- https://lwn.net/Articles/825587/ ∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-ser… ∗∗∗ Security Bulletin: Third party vulnerable library Jackson-Databind affects IBM Engineering Lifecycle Optimization – Publishing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-third-party-vulnerable-li… ∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-ser… ∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Open Source used in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL library affect OS Pattern Kit used in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Mgmt ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-ser… ∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-ser… ∗∗∗ Security Bulletin: Carbon Black Response application add on to IBM QRadar SIEM is vulnerable to cross site scripting (CVE-2020-4275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-carbon-black-response-app… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2020
by Daily end-of-shift report 07 Jul '20

07 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Montag 06-07-2020 18:00 − Dienstag 07-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ HTTPS/TLS: Zwischenzertifikate von Tausenden Webseiten fehlerhaft ∗∗∗ --------------------------------------------- Viele Webseiten müssen ihre Zertifikate tauschen, da sie von Zwischenzertifikaten ausgestellt wurden, die ein Sicherheitsrisiko darstellen. --------------------------------------------- https://www.golem.de/news/https-tls-zwischenzertifikate-von-tausenden-webse… ∗∗∗ Company web names hijacked via outdated cloud DNS records ∗∗∗ --------------------------------------------- Why hack into a server when you can just send vistors to a fake alternative instead? --------------------------------------------- https://nakedsecurity.sophos.com/2020/07/07/company-web-names-hijacked-via-… ∗∗∗ Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits, (Mon, Jul 6th) ∗∗∗ --------------------------------------------- Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks Bit IP vulnerability patched last week. Most of the exploits can be considered recognizance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed. --------------------------------------------- https://isc.sans.edu/diary/rss/26316 ∗∗∗ Vulnerability Management Maturity Model ∗∗∗ --------------------------------------------- I get it. You dread going into the office sometimes. It isn’t that you don’t like the people or the location. It’s that beast, waiting for you when you arrive, and it never seems to go away. You work hard at it, but you never seem to get ahead. You are responsible for the vulnerability management program within your organization. Either as part of a formal program or on an ad-hoc basis, it’s your baby. Except that it isn’t a baby, it is more of an untameable monster, a minotaur in the labyrinth, waiting to surprise you as you turn the corner. --------------------------------------------- https://www.sans.org/blog/vulnerability-management-maturity-model ∗∗∗ Vulnerabilities Digest: June 2020 ∗∗∗ --------------------------------------------- Highlights for June 2020 Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization. Massive local file inclusion (LFI) attempts have been discovered attempting to harvest WordPress and Magento credentials. Attackers continue to target old plugins with known vulnerabilities in an ongoing malware campaign targeting WordPress websites. --------------------------------------------- https://blog.sucuri.net/2020/07/vulnerabilities-digest-june-2020.html ∗∗∗ Passwortmanager gegen die Vergesslichkeit ∗∗∗ --------------------------------------------- Die Kennwortvorgaben von Webdiensten machen es fast unmöglich, alle Kennwörter im Kopf zu behalten. Passwortmanager machen das Leben leichter. --------------------------------------------- https://heise.de/-4798284 ∗∗∗ Credit card skimmer targets ASP.NET sites ∗∗∗ --------------------------------------------- This unusual web skimmer campaign goes after sites running Microsofts IIS servers with an outdated version of the ASP.NET framework. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/07/credit-card-skimmer-t… ∗∗∗ Free Microsoft Service Looks at OS Memory Snapshots to Find Malware ∗∗∗ --------------------------------------------- Microsoft on Monday unveiled Project Freta, a free service that allows users to find rootkits and other sophisticated malware in operating system memory snapshots. --------------------------------------------- https://www.securityweek.com/free-microsoft-service-looks-os-memory-snapsho… ∗∗∗ Purple Fox Exploit Kit Targets Vulnerabilities Linked to DarkHotel Group ∗∗∗ --------------------------------------------- The developers of the Purple Fox exploit kit (EK) have added two new exploits to their arsenal, including one for a vulnerability addressed in February this year. --------------------------------------------- https://www.securityweek.com/purple-fox-exploit-kit-targets-vulnerabilities… ∗∗∗ Pwning smart garage door openers ∗∗∗ --------------------------------------------- TL;DR We reversed a smart garage door opener, which appeared pretty secure at first: The firmware was encrypted, debug access was restricted, the web server wasn’t running as root, it [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/pwning-smart-garage-door-open… ∗∗∗ Vorsicht vor knuth-kredit.online: Vorschussbetrug statt Kreditvergabe ∗∗∗ --------------------------------------------- Die Watchlist Internet erreichen Meldungen verzweifelter KonsumentInnen, die auf ihre Kreditauszahlungen warten. Während die Beantragung eines Kredites auf knuth-kredit.online noch äußerst einfach abläuft, werden anschließend unzählige Gebühren vorab in Rechnung gestellt. So fallen beispielsweise Versicherungs-, Aktivierungs- und Anwaltsgebühren, Kautionen oder sonstige Kosten an. Ein Kredit wird nie ausbezahlt und alle Zahlungen sind verloren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-knuth-kreditonline-vors… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.3), Fedora (gst), Mageia (libvirt, mariadb, pdns-recursor, and ruby), openSUSE (chocolate-doom, coturn, kernel, live555, ntp, python3, and rust, rust-cbindgen), Oracle (virt:ol), Red Hat (file, firefox, gettext, kdelibs, kernel, kernel-alt, microcode_ctl, nghttp2, nodejs:10, nodejs:12, php, qemu-kvm, ruby, and tomcat), SUSE (libjpeg-turbo, mozilla-nspr, mozilla-nss, mozilla-nss, nasm, openldap2, and permissions), and Ubuntu (coturn, glibc, nss, [...] --------------------------------------------- https://lwn.net/Articles/825504/ ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in a number of security issues including: [...] --------------------------------------------- https://support.citrix.com/article/CTX276688 ∗∗∗ Android/Pixel Patchday Juli ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0671 ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: BIND for IBM i is affected by CVE-2020-8616 and CVE-2020-8617 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affecte… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for ACH Services (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to buffer overflow leading to a privileged escalation (CVE-2020-4363) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4387) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: An Information Disclosure vulnerability in IBM Websphere Libtery affects IBM License Key Server Administration & Reporting Tool and Administration Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-information-disclosure… ∗∗∗ XSA-328 - non-atomic modification of live EPT PTE ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-328.html ∗∗∗ XSA-327 - Missing alignment check in VCPUOP_register_vcpu_info ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-327.html ∗∗∗ XSA-321 - insufficient cache write-back under VT-d ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-321.html ∗∗∗ XSA-319 - inverted code paths in x86 dirty VRAM tracking ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-319.html ∗∗∗ XSA-317 - Incorrect error handling in event channel port allocation ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-317.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2020
by Daily end-of-shift report 06 Jul '20

06 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-07-2020 18:00 − Montag 06-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Neue Welle an betrügerischen Spam-Anrufen in Österreich ∗∗∗ --------------------------------------------- Die Zahl an ungewollten Anrufen ist aktuell wieder am Steigen, auch Robocalls werden mittlerweile in Österreich verzeichnet. --------------------------------------------- https://futurezone.at/digital-life/neue-welle-an-betruegerischen-spam-anruf… ∗∗∗ Pig in a poke: smartphone adware ∗∗∗ --------------------------------------------- Our support team continues to receive more and more requests from users complaining about intrusive ads on their smartphones from unknown sources. --------------------------------------------- https://securelist.com/pig-in-a-poke-smartphone-adware/97607/ ∗∗∗ The Gafgyt variant vbot seen in its 31 campaigns ∗∗∗ --------------------------------------------- Gafgyt botnets have a long history of infecting Linux devices to launch DDoS attacks. While dozens of variants have been detected, new variants are constantly emerging with changes in terms of register message, exploits, and attacking methods. --------------------------------------------- https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ ∗∗∗ Intel Owl 1.0.0 released ∗∗∗ --------------------------------------------- Intel Owl is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. It integrates a number of analyzers available online and is for everyone who needs a single point to query for info about a specific file or observable. --------------------------------------------- https://www.honeynet.org/2020/07/05/intel-owl-release-v1-0-0/ ∗∗∗ Sicherheitsupdates F5 BIG-IP: Schadcode-Lücke im Konfigurationstool ∗∗∗ --------------------------------------------- BIG-IP Appliances von F5 sind über mehrere Lücken attackierbar. Darunter findet sich eine kritische Schwachstelle mit Höchstwertung, die Angreifer ausnutzen. --------------------------------------------- https://heise.de/-4836220 ∗∗∗ Let Me Out of Your Net - Egress Testing ∗∗∗ --------------------------------------------- Use-cases:IT Admin, Firewall Admin, or Security staff at a company and want to confirm what ports and protocols are allowed of your network.Pentester that intends to identify ports and protocols that can be used for a pentest to gain C2 outbound.Purple Team testing ports and protocol detection for C2.Egress testing is an exciting problem due to the uniqueness of most networks. You may find fully open networks like those found in many Silicon Valley companies or companies attempting to move to a [...] --------------------------------------------- https://malicious.link/post/2020/lmo-egress-testing/ ∗∗∗ Patchless AMSI bypass using SharpBlock ∗∗∗ --------------------------------------------- Introduction For those that followed my personal blog posts on Creating an EDR and Bypassing It, I developed a new tool called SharpBlock. The tool implements a Windows debugger to [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Samba-Software für DoS-Attacken anfällig ∗∗∗ --------------------------------------------- In bestimmten Situationen könnten Angreifer Computer mit Samba-Software lahmlegen. --------------------------------------------- https://heise.de/-4836294 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, php7.0, and thunderbird), Fedora (ceph, gssdp, gupnp, libfilezilla, libldb, mediawiki, python-pillow, python36, samba, and xpdf), Mageia (curl, docker, firefox, libexif, libupnp, libvncserver, libxml2, mailman, ntp, perl-YAML, python-httplib2, tcpreplay, tomcat, and vlc), openSUSE (chocolate-doom, python3, and Virtualbox), Slackware (libvorbis), and SUSE (mozilla-nspr, mozilla-nss, systemd, tomcat, and zstd). --------------------------------------------- https://lwn.net/Articles/825412/ ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK April 2020 CPU affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.07.2020
by Daily end-of-shift report 03 Jul '20

03 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-07-2020 18:00 − Freitag 03-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Unternehmen aufgepasst: Versand gefährlicher Mails im Namen des Bundeskanzleramts ∗∗∗ --------------------------------------------- „Die Entscheidung, Ihr Unternehmen aufgrund von Covid-19 zu schließen“ – unter diesem Betreff werden derzeit betrügerische Mails verschickt, die sich gezielt an Unternehmerinnen und Unternehmer richten. Die Kriminellen, die hinter dieser E-Mail stehen, geben sich dabei als Bundeskanzleramt aus und verschicken Schadsoftware. Öffnen Sie daher auf keinen Fall den Anhang! --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-aufgepasst-versand-gefae… ∗∗∗ Ransomware EKANS nimmt Industriekontrollsysteme ins Visier ∗∗∗ --------------------------------------------- Die Schadsoftware funktioniert trotz zahlreicher Programmierfehler. Eine neue Variante verschlüsselt nicht nur Dateien, sie verändert auch die Einstellungen von Industriekontrollsystemen. EKANS ist zudem auf bestimmte Ziele ausgerichtet und greift Opfer nicht wahllos an. --------------------------------------------- https://www.zdnet.de/88381196/ransomware-ekans-nimmt-industriekontrollsyste… ∗∗∗ Still Scanning IP Addresses? You’re Doing it Wrong ∗∗∗ --------------------------------------------- The traditional approach to a vulnerability scan or penetration test is to find the IP addresses that you want tested, throw them in and kick things off. But doing a test based purely on IP addresses is a bad idea and can often miss things. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/still-scann… ∗∗∗ GoldenSpy Chapter 3: New and Improved Uninstaller ∗∗∗ --------------------------------------------- This blog shows our analysis of a new binary, now being distributed by Intelligent Tax software, that is identical in operations to the original GoldenSpy Uninstallers, but specifically designed to evade detection by the YARA rule provided in our blog. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-c… ∗∗∗ Dangerous Website Backups ∗∗∗ --------------------------------------------- It’s a well-known fact that website backups are important for mitigating a plethora of site issues. They can help restore a site after a compromise or even facilitate the investigative process by providing a clean code base to compare the current site state to. However, if a backup is not set up correctly, it can have the opposite effect — and may instead impose a security threat to your website. --------------------------------------------- https://blog.sucuri.net/2020/07/dangerous-website-backups.html ∗∗∗ Living Off Windows Land – A New Native File "downldr" ∗∗∗ --------------------------------------------- There are only a couple of default system-signed executables that let you download a file from a Web Server, and every security product and threat hunter specifically looks for them for signs of misuse or abuse by threat actors. --------------------------------------------- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-down… ∗∗∗ Try2Cry: Ransomware tries to worm ∗∗∗ --------------------------------------------- Try2Cry ransomware adopts USB flash drive spreading using LNK files. The last ransomware that did the same was the infamous Spora. The code of Try2Cry looks oddly familiar, though. --------------------------------------------- https://www.gdatasoftware.com/blog/2020/07/36200-ransomware-tries-to-worm ===================== = Vulnerabilities = ===================== ∗∗∗ Would you like some RCE with your Guacamole? ∗∗∗ --------------------------------------------- [...] Apache Guacamole is a popular infrastructure for remote work, with more than 10 Million docker downloads worldwide. In our research, we discovered that Apache Guacamole is vulnerable to several critical Reverse RDP Vulnerabilities, and is also impacted by a few new vulnerabilities found in FreeRDP. In short, these vulnerabilities allow an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting [...] --------------------------------------------- https://research.checkpoint.com/2020/apache-guacamole-rce/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker.io and imagemagick), Fedora (alpine, firefox, hostapd, and mutt), openSUSE (opera), Red Hat (rh-nginx116-nginx), SUSE (ntp, python3, and systemd), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv, linux, linux-azure, linux-gcp, linux-gcp-5.3, linux-hwe, [...] --------------------------------------------- https://lwn.net/Articles/825212/ ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.7 ESR ) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.6.1 ESR) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.6.1 ESR + CVE-2020-6820) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to a Prototype Pollution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0664 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0666 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2020
by Daily end-of-shift report 02 Jul '20

02 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-07-2020 18:00 − Donnerstag 02-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TrickBot malware now checks screen resolution to evade analysis ∗∗∗ --------------------------------------------- The infamous TrickBot trojan has started to check the screen resolutions of victims to detect whether the malware is running in a virtual machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-… ∗∗∗ GoldenSpy backdoor installed by tax software gets remotely removed ∗∗∗ --------------------------------------------- As soon as security researchers uncovered the activity of GoldenSpy backdoor, the actor behind it fell back and delivered an uninstall tool to remove all traces of the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/goldenspy-backdoor-installed… ∗∗∗ FakeSpy Android Malware Spread Via ‘Postal-Service’ Apps ∗∗∗ --------------------------------------------- New ‘smishing’ campaigns from the Roaming Mantis threat group infect Android users with the FakeSpy infostealer. --------------------------------------------- https://threatpost.com/fakespy-android-malware-spread-via-postal-service-ap… ∗∗∗ Setting up the Dshield honeypot and tcp-honeypot.py, (Wed, Jul 1st) ∗∗∗ --------------------------------------------- After Johannes did his Tech Tuesday presentation last week on setting up Dshield honeypots, I thought I'd walk you through how I setup my honeypots. --------------------------------------------- https://isc.sans.edu/diary/rss/26302 ∗∗∗ PhishINvite with Malicious ICS Files ∗∗∗ --------------------------------------------- Employing a popular type of file as an attachment to malicious emails is a common trick by cybercriminals to boost the success rate of their cyber-attacks. As iCalendars files are not included in the list of automatically blocked attachments by email clients like Outlook, the possibility of the maliciously crafted iCalendar falling to the targets’ mailbox is increased. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/phishinvite… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and firefox-esr), Fedora (chromium and ntp), SUSE (ntp and unbound), and Ubuntu (libvncserver). --------------------------------------------- https://lwn.net/Articles/825070/ ∗∗∗ Cisco AnyConnect Secure Mobility Client for Mac OS File Corruption Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Smart and Managed Switches Session Management Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV042 and RV042G Routers Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Digital Network Architecture Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Customer Voice Portal Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Products Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Smart and Managed Switches Session Management Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects Rational Asset Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-asset-analyzer-raa-is-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Asset Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-asset-analyzer-raa-is-aff… ∗∗∗ Security Bulletin: Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-asset-analyzer-raa-is-aff… ∗∗∗ Security Bulletin: Asset Analyzer (RAA) is affected by two WebSphere Application Server vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-asset-analyzer-raa-is-aff… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Rational Asset Analyzer. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2020
by Daily end-of-shift report 01 Jul '20

01 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-06-2020 18:00 − Mittwoch 01-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC) ∗∗∗ --------------------------------------------- In this blog post we will revisit CVE-2019-19781, a Remote Code Execution vulnerability affecting Citrix NetScaler / ADC. We will explore how this issue has been widely abused by various actors and how a hacker turf war led to some actors "adversary patching" the vulnerability in order to prevent secondary compromise by competing adversaries – hiding the true number of vulnerable and compromised devices in the wild. --------------------------------------------- https://blog.fox-it.com/2020/07/01/a-second-look-at-cve-2019-19781-citrix-n… ∗∗∗ Massive Sicherheitsprobleme durch offene Git-Repositorys ∗∗∗ --------------------------------------------- In Deutschland sind Git-Repositorys auf tausenden Servern ungeschützt per Webbrowser zugänglich und Angreifer haben leichtes Spiel beim Abgreifen der Daten. --------------------------------------------- https://heise.de/-4795181 ∗∗∗ Vorsicht beim E-Bike-Kauf: Fake-Shop ebike-quadrat.com bietet günstige E-Bikes an! ∗∗∗ --------------------------------------------- Sommerzeit ist Fahrradzeit. Das denken sich wohl auch BetrügerInnen. Zum Beispiel die unseriösen BetreiberInnen des Fake-Shops ebike-quadrat.com. Auch wenn der Online-Shop auf den ersten Blick vertrauenswürdig wirkt, sollten Sie hier lieber nichts bestellen. Die angegebenen Kontaktdaten existieren genauso wenig wie die Firma selbst. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-e-bike-kauf-fake-shop-… ∗∗∗ EvilQuest: Neue Ransomware für macOS im Umlauf ∗∗∗ --------------------------------------------- Es ist erst die dritte Erpressersoftware, die exklusiv für Macs entwickelt wurde. Die Lösegeldforderung fällt mit 50 Dollar recht moderat aus. Dafür hinterlässt EvilQuest zusätzlich einen Keylogger und eine Reverse Shell. --------------------------------------------- https://www.zdnet.de/88381156/evilquest-neue-ransomware-fuer-macos-im-umlau… https://blog.malwarebytes.com/mac/2020/06/new-mac-ransomware-spreading-thro… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft verteilt wichtige Updates für Remote-Lücken in Windows 10 und Server ∗∗∗ --------------------------------------------- Außerplanmäßige, über den Microsoft Store verteilte Updates beseitigen zwei aus der Ferne ausnutzbare Sicherheitslücken in der Windows Codecs Library. --------------------------------------------- https://heise.de/-4800675 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, chromium, freerdp, imagemagick, sqlite, and tomcat8), Debian (coturn, imagemagick, jackson-databind, libmatio, mutt, nss, and wordpress), Fedora (libEMF, lynis, and php-PHPMailer), Red Hat (httpd24-nghttp2), and SUSE (ntp, openconnect, squid, and transfig). --------------------------------------------- https://lwn.net/Articles/824955/ ∗∗∗ PHOENIX CONTACT: Two Vulnerabilities in Automation Worx Suite ∗∗∗ --------------------------------------------- PLCopen XML file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier can lead to a stack-based overflow. mwe file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier is vulnerable to out-of-bounds read remote code execution. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-023 ∗∗∗ Cellebrite EPR Decryption Hardcoded AES Key Material ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020070003 ∗∗∗ Reflected Cross-site scripting (XSS) in EQDKP Plus CMS ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/reflected-cross-site-scripting… ∗∗∗ F5 BIG-IP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0647 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200701-… ∗∗∗ Security Advisory - Race Condition Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200701-… ∗∗∗ Security Advisory - Type Confusion Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200701-… ∗∗∗ Security Advisory - Use After Free Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200701-… ∗∗∗ Security Advisory - Use After Free Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200701-… ∗∗∗ Security Advisory - CallStranger Vulnerability in UPnP Protocol ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200701-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a vulnerability in Websphere Application Server. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by vulnerability CVE-2020-4376 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: Potential vulnerability (SSRF) in Apache Solr affect IBM Operations Analytics – Log Analysis (CVE-2017-3164) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-s… ∗∗∗ Security Bulletin: Host Header Injection vulnerability in IBM Operations Analytics – Log Analysis (pre-login scenario) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-host-header-injection-vul… ∗∗∗ Security Bulletin: A security vulnerabilities has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 . ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerabilitie… ∗∗∗ Security Bulletin: Insecure Path Attribute in IBM Operations Analytics – Log Analysis (CSRFToken , LtpaToken2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-insecure-path-attribute-i… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to buffer overflow leading to a privileged escalation (CVE-2020-4363) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure and denial of service (CVE-2020-4414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2020
by Daily end-of-shift report 30 Jun '20

30 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Montag 29-06-2020 18:00 − Dienstag 30-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sysmon and Alternate Data Streams, (Mon, Jun 29th) ∗∗∗ --------------------------------------------- Sysmon version 11.10, released a couple of days ago, adds support for capturing content of Alternate Data Streams. --------------------------------------------- https://isc.sans.edu/diary/rss/26292 ∗∗∗ Adventures in ATM Hacking ∗∗∗ --------------------------------------------- Previously, I had some experience with PoS (Point of Sale) devices and entertained myself with kiosks at hacking conferences, but never had touched an ATM before. My companion on this saga had already some fun hacking with these devices and had some precious insights to guide us during our engagement. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/adventures-… ∗∗∗ Enigmail warnt Nutzer vor manuellem Update auf Thunderbird 78 ∗∗∗ --------------------------------------------- Enigmail-Nutzer sollen mit dem Erscheinen von Thunderbird 78 nicht manuell auf diese Version aktualisieren – die E-Mail-Verschlüsselung ist noch nicht fertig. --------------------------------------------- https://heise.de/-4799240 ∗∗∗ BSI aktualisiert den Mindeststandard für Web-Browser ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat am 30. Juni 2020 den Mindeststandard für Web-Browser aktualisiert. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/Webbrowser_300620… ∗∗∗ Vorsicht, wenn Ihr Tinder-Match über lukrative Investitionsmöglichkeiten spricht ∗∗∗ --------------------------------------------- Der Watchlist Internet sind schon sehr viele Fälle bekannt, wo Menschen auf unseriösen Investment-Plattformen sehr viel Geld verloren haben. Aufmerksam wird man auf derartige Plattformen durch gefälschte Zeitungsbeiträge oder E-Mail-Angebote. Kriminelle bewerben ihre Plattformen aber auch vermehrt über Tinder-NutzerInnen, die von sehr gewinnbringenden Investitionsmöglichkeiten schwärmen und zu Zahlungen animieren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-ihr-tinder-match-ueber… ∗∗∗ A hacker gang is wiping Lenovo NAS devices and asking for ransoms ∗∗∗ --------------------------------------------- Ransom notes signed by Cl0ud SecuritY hacker group are being found on old LenovoEMC NAS devices. --------------------------------------------- https://www.zdnet.com/article/a-hacker-gang-is-wiping-lenovo-nas-devices-an… ∗∗∗ Detecting adversarial behaviour by applying NLP techniques to command lines ∗∗∗ --------------------------------------------- [...] Methodology designed to automatically detect whether a system has been compromised needs to be able to tell the difference between benign and malicious command line operations. In order to build mechanisms capable of classifying command lines in this way, we first need to understand what they do – in other words, we need to be able to parse them in a similar way to how we parse natural languages. This article describes the process we’ve been using to develop methodology capable of parsing and categorizing command lines at F-Secure. --------------------------------------------- https://blog.f-secure.com/command-lines/ ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication ∗∗∗ --------------------------------------------- When Security Assertion Markup Language (SAML) authentication is enabled and the Validate Identity Provider Certificate option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2020-2021 ∗∗∗ Sicherheitsupdates sind da: Jetzt Root-Lücke in Netgear-Routern patchen ∗∗∗ --------------------------------------------- Angreifer könnten Router von Netgear attackieren und Schadcode ausführen. Abgesicherte Firmware-Versionen sind verfügbar. --------------------------------------------- https://heise.de/-4799957 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (coturn, drupal7, libvncserver, mailman, php5, and qemu), openSUSE (curl, graphviz, mutt, squid, tomcat, and unbound), Red Hat (chromium-browser, file, kernel, microcode_ctl, ruby, and virt:rhel), Slackware (firefox), and SUSE (mariadb-100, mutt, unzip, and xmlgraphics-batik). --------------------------------------------- https://lwn.net/Articles/824822/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4557 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Security vulnerability in Java SE affects Rational Build Forge (CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4557 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in PHP (CVE-2020-7066, CVE-2020-7065, CVE-2020-7064) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: A vulnerability in OpenSSL affects IBM Rational ClearQuest (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openss… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ Technology Edition affect IBM Rational Build Forge. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Agile Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11 (CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: A vulnerability in the IBM Java Runtime affects IBM Rational ClearQuest (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-the-ib… ∗∗∗ OpenJPEG: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0645 ∗∗∗ Squid: Schwachstelle ermöglicht Darstellen falscher Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0644 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2020
by Daily end-of-shift report 29 Jun '20

29 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-06-2020 18:00 − Montag 29-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Laravel/Telescope: Die Sicherheitslücke bei einer Bank, die es nicht gibt ∗∗∗ --------------------------------------------- Ein Leser hat uns auf eine Sicherheitslücke auf der Webseite einer Onlinebank hingewiesen. Die Lücke war echt und betrifft auch andere Seiten - die Bank jedoch scheint es nie gegeben zu haben. --------------------------------------------- https://www.golem.de/news/laravel-telescope-die-sicherheitsluecke-bei-einer… ∗∗∗ Active Directory series: Unconstrained delegation ∗∗∗ --------------------------------------------- In this article series, we will look into the most famous ways that can be used to attack Active Directory and achieve persistence. Note: Attacks discussed in this series have already been publicly disclosed on different forums. This series is for educational purposes only. --------------------------------------------- https://resources.infosecinstitute.com/active-directory-series-unconstraine… ∗∗∗ Beware "secure DNS" scam targeting website owners and bloggers ∗∗∗ --------------------------------------------- If you run a website or a blog, watch out for emails promising "DNSSEC upgrades" - these scammers are after your whole site. --------------------------------------------- https://nakedsecurity.sophos.com/2020/06/29/beware-secure-dns-scam-targetin… ∗∗∗ The face of tomorrow's cybercrime: Deepfake ransomware explained ∗∗∗ --------------------------------------------- Deepfake ransomware is a mighty combination that several security experts fear would happen soon. But what is it exactly? Is it deepfake with a ransomware twist? Or ransomware with a sprinkling of deepfake tech? --------------------------------------------- https://blog.malwarebytes.com/ransomware/2020/06/the-face-of-tomorrows-cybe… ∗∗∗ Passwort‑Manager: nützliches Alltags‑Tool ∗∗∗ --------------------------------------------- In diesem Artikel erklären wir, was einen Passwort-Manager ausmacht und warum dieser als nützliches Tool in den Alltag integriert werden sollte. --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/06/26/passwort-manager-im-allta… ∗∗∗ ebay-HändlerInnen aufgepasst: gezielte Phishing-Attacken ∗∗∗ --------------------------------------------- Wenn Sie Waren auf ebay verkaufen, dann nehmen Sie sich vor betrügerischen Nachrichten in Acht, in denen man Ihnen vorspielt, dass Kundschaft von einem Kauf zurücktreten möchte. Die Nachrichten werden im ebay-Design verschickt und fordern zur Antwort auf die entsprechende Anfrage auf. Der Link führt Sie auf eine gefälschte ebay-Website, auf der Ihre Daten direkt in den Händen Krimineller landen. --------------------------------------------- https://www.watchlist-internet.at/news/ebay-haendlerinnen-aufgepasst-geziel… ∗∗∗ Adobe, Mastercard, Visa warn online store owners of Magento 1.x EOL ∗∗∗ --------------------------------------------- Almost 110,000 online stores are still running the soon-to-be-outdated Magento 1.x CMS. --------------------------------------------- https://www.zdnet.com/article/adobe-mastercard-visa-warn-online-store-owner… ===================== = Vulnerabilities = ===================== ∗∗∗ Keine Überraschung nach Fraunhofer-Test: Viele Home-Router unsicher ∗∗∗ --------------------------------------------- Sicherheitsforscher des FKIE haben 127 verschiedene Home-Router untersucht und vermuten gravierende Sicherheitsmängel. Überraschen kann das niemanden mehr. --------------------------------------------- https://heise.de/-4798342 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libtasn1-6, libtirpc, mcabber, picocom, pngquant, trafficserver, and zziplib), Fedora (curl and xen), openSUSE (bluez, ceph, chromium, curl, grafana, grafana-piechart-panel,, graphviz, mariadb, and mercurial), Oracle (nghttp2), Red Hat (microcode_ctl), SUSE (mutt, python3-requests, and tomcat), and Ubuntu (glib-networking and mailman). --------------------------------------------- https://lwn.net/Articles/824717/ ∗∗∗ Security Advisory - Denial of Service Vulnerability in Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200624-… ∗∗∗ Security Advisory - Information Disclosure Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200624-… ∗∗∗ Security Bulletin: IBM TNPM for Wireline is vulnarable to Cross Site Request Forgery(CSRF) and Cross Site Scripting(CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-for-wireline-is-… ∗∗∗ Security Bulletin: Speech to Text, Text to Speech ICP, WebSphere Application Server Liberty Fix ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-sp… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to cross-site scripting (XSS) in Drupal (sa-contrib-2020-025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack due to an error within the Data Conversion logic. (CVE-2020-4310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM API Connect V 2018 (ova) is impacted by weak cryptographic algorithms (CVE-2020-4452) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v-2018-ov… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Integration Bus affected by multiple Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-affec… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11 (CVE-2019-17592) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to cross-site request forgery (CSRF) (CVE-2020-13663) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.06.2020
by Daily end-of-shift report 26 Jun '20

26 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-06-2020 18:00 − Freitag 26-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Golang Worm Widens Scope to Windows, Adds Payload Capacity ∗∗∗ --------------------------------------------- A first-stage malware loader spotted in active campaigns has added additional exploits and a new backdoor capability. --------------------------------------------- https://threatpost.com/worm-golang-malware-windows-payloads/156924/ ∗∗∗ Browser-Hersteller verkürzen Zertifikats-Lebensdauer auf ein Jahr ∗∗∗ --------------------------------------------- Ab September dürfen HTTPS-Zertifikate nur noch auf maximal ein Jahr ausgestellt werden. --------------------------------------------- https://heise.de/-4796599 ∗∗∗ Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files ∗∗∗ --------------------------------------------- This credit card skimmer hides in plain sight, quite literally, as it resides inside the metadata of image files. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-wit… ∗∗∗ Achtung: Auf Instagram kursieren betrügerische Nachrichten ∗∗∗ --------------------------------------------- Seit kurzem melden uns Instagram-NutzerInnen, betrügerische Nachrichten, in denen sie aufgefordert werden, einem Link zu folgen. Achtung: Kriminelle, die diese Privatnachrichten zahlreich und willkürlich versenden, wollen nur an Ihre Zugangsdaten kommen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-auf-instagram-kursieren-betr… ∗∗∗ Angebliche E-Mail der Bundesregierung enthält Ransomware ∗∗∗ --------------------------------------------- Die Serie von Ransomware-Angriffen auf deutsche Unternehmen setzt sich fort. Eine neue Ransomware-Kampagne in Deutschland nutzt als Köder eine gefälschte E-Mail im Namen der Bundesregierung. --------------------------------------------- https://www.zdnet.de/88381006/angebliche-e-mail-der-bundesregierung-enthael… ===================== = Vulnerabilities = ===================== ∗∗∗ Micropatch is Available for Windows LNK Remote Code Execution Vulnerability (CVE-2020-1299) ∗∗∗ --------------------------------------------- Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1299, another "Stuxnet-like" critical LNK remote code execution issue that can get code executed on users computer just by viewing a folder with Windows Explorer.This vulnerability was patched by Microsoft with June 2020 Updates, but Windows 7 and Server 2008 users without Extended Security Updates remained vulnerable. --------------------------------------------- https://blog.0patch.com/2020/06/micropatch-is-available-for-windows-lnk.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (alpine), Fedora (fwupd, microcode_ctl, mingw-libjpeg-turbo, mingw-sane-backends, suricata, and thunderbird), openSUSE (uftpd), Red Hat (nghttp2), SUSE (ceph, curl, mutt, squid, tigervnc, and unbound), and Ubuntu (linux kernel and nvidia-graphics-drivers-390, nvidia-graphics-drivers-440). --------------------------------------------- https://lwn.net/Articles/824579/ ∗∗∗ Security Bulletin: Multiple vulnurabilities discovered in IBM® SDK, Java™ can affect Rational Software Architect Design Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnurabilities-… ∗∗∗ Security Bulletin: Information Disclosure in IBM Spectrum Protect Plus (CVE-2020-4565) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: A vulnerability in the IBM Java Runtime affects IBM Rational ClearCase (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-the-ib… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: NVIDIA Windows GPU Display Driver has resolved several security vulnerabilities as described below. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-nvidia-windows-gpu-displa… ∗∗∗ Security Bulletin: NVIDIA Windows GPU Display driver is vulnerable to several security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-nvidia-windows-gpu-displa… ∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11 (CVE-2019-10744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.06.2020
by Daily end-of-shift report 25 Jun '20

25 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-06-2020 18:00 − Donnerstag 25-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ European bank suffers biggest PPS DDoS attack, new botnet suspected ∗∗∗ --------------------------------------------- A bank in Europe was the target of a huge distributed denial-of-service (DDoS) attack that sent to its networking gear a flood of 809 million packets per second (PPS). --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-bank-suffers-bigges… ∗∗∗ Defending Exchange servers under attack ∗∗∗ --------------------------------------------- Exchange servers are high-value targets. If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use. Keeping these servers safe from these advanced attacks is of utmost importance. --------------------------------------------- https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-serve… ∗∗∗ The Golden Tax Department and the Emergence of GoldenSpy Malware ∗∗∗ --------------------------------------------- Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that a Chinese bank requires corporations to install to conduct business operations in China. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-… ∗∗∗ Maersk, me & notPetya ∗∗∗ --------------------------------------------- [...] Establishing the exact content and format of this post has been difficult. It hasn’t been clear where to start. [...] I’ve tried to focus on the main timeline and the lessons. So this isn’t everything. But the experience we had at Maersk, or at least significant elements of it, could happen to any organisation. In fact, it does happen, to all kinds of organisations, all of the time, [...] --------------------------------------------- https://gvnshtn.com/maersk-me-notpetya/ ∗∗∗ Extending Drupal 7s End-of-Life - PSA-2020-06-24 ∗∗∗ --------------------------------------------- Previously, Drupal 7s end-of-life was scheduled for November 2021. Given the impact of COVID-19 on budgets and businesses, we will be extending the end of life until November 28, 2022. The Drupal Security Team will continue to follow the Security Team processes for Drupal 7 core and contributed projects. --------------------------------------------- https://www.drupal.org/psa-2020-06-24 ∗∗∗ Attackers Cryptojacking Docker Images to Mine for Monero ∗∗∗ --------------------------------------------- We identified a malicious Docker Hub account named "azurenql" that contained 8 repositories, hosting 6 malicious Monero mining images. --------------------------------------------- https://unit42.paloaltonetworks.com/cryptojacking-docker-images-for-mining-… ===================== = Vulnerabilities = ===================== ∗∗∗ Telnet Vulnerability Affecting Cisco Products: June 2020 ∗∗∗ --------------------------------------------- On February 28, 2020, APPGATE published a blog post regarding CVE-ID CVE-2020-10188, which is a vulnerability in Telnet servers (telnetd). For more information about this vulnerability, see the Details section. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple vulnerabilities in Danish company Mobile Industrial Robot s products ∗∗∗ --------------------------------------------- More than 10 different robot types are affected and operate from industrial spaces to public environments, such as airports and hospitals. --------------------------------------------- https://news.aliasrobotics.com/the-week-of-mobile-industrial-robots-bugs/ ∗∗∗ Mehrere Sicherheitslücken in Grafikkarten-Treiber von Nvidia gestopft ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Software und Treiber von Nvidia. Neben Windows ist auch Linux bedroht. --------------------------------------------- https://heise.de/-4794975 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libexif, php-horde-horde, and tcpreplay), openSUSE (rubygem-bundler), Oracle (docker-cli docker-engine, kernel, and ntp), Slackware (curl and libjpeg), and Ubuntu (mutt). --------------------------------------------- https://lwn.net/Articles/824474/ ∗∗∗ Security Bulletin: Speech to Text, Text to Speech ICP, WebSphere Application Server Liberty Fix ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-sp… ∗∗∗ Security Bulletin: Speech to Text, Text to Speech ICP, WebSphere Application Server Liberty Fix ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-sp… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection (CVE-2019-4650) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Speech to Text, Text to Speech ICP, WebSphere Application Server Liberty Fix ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-sp… ∗∗∗ Security Bulletin: ICP Speech to Text, Text to Speech Oracle Java Vulnerability Fix ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-icp-speech-to-text-text-t… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2020-4223) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Bootable Media Creator (BoMC) is affected by a vulnerability in cURL (CVE-2019-5482) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bootable-media-creato… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: ICP Speech to Text, Text to Speech – OpenSSL vulnerability fix. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-icp-speech-to-text-text-t… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2020
by Daily end-of-shift report 24 Jun '20

24 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-06-2020 18:00 − Mittwoch 24-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IT-Sicherheit: Etwa 80.000 Drucker sind im Internet offen ansteuerbar ∗∗∗ --------------------------------------------- Die Security-Organisation Shadowserver hat einen globalen IPP-Scan durchgeführt und viele Drucker gefunden, die offen Informationen teilen. --------------------------------------------- https://www.golem.de/news/it-sicherheit-etwa-80-000-drucker-sind-im-interne… ∗∗∗ What is DNS Poisoning and to Protect Your Enterprise Against it ∗∗∗ --------------------------------------------- Modern enterprise cybersecurity has evolved – that’s a true statement. If we were to travel back in time – say, 10 or 20 years – ago, we would have discovered, much to our stupefaction, that cybersecurity was nothing more than an auxiliary attribution, bestowed upon the (un)fortunate soul who had the (dubious privilege) of fulfilling [...] --------------------------------------------- https://heimdalsecurity.com/blog/what-is-dns-poisoning/ ∗∗∗ Magnitude exploit kit – evolution ∗∗∗ --------------------------------------------- Exploit kits still play a role in today’s threat landscape and continue to evolve. For this blogpost I studied and analyzed the evolution of one of the most sophisticated exploit kits out there – Magnitude EK – for a whole year. --------------------------------------------- https://securelist.com/magnitude-exploit-kit-evolution/97436/ ∗∗∗ Sodinokibi Ransomware Now Scans Networks For PoS Systems ∗∗∗ --------------------------------------------- Attackers are compromising large companies with the Cobalt Strike malware, and then deploying the Sodinokibi ransomware. --------------------------------------------- https://threatpost.com/sodinokibi-ransomware-now-scans-networks-for-pos-sys… ∗∗∗ Hakbit Ransomware Attack Uses GuLoader, Malicious Microsoft Excel Attachments ∗∗∗ --------------------------------------------- Recent spearphishing emails spread the Hakbit ransomware using malicious Microsoft Excel attachments and the GuLoader dropper. --------------------------------------------- https://threatpost.com/hackbit-ransomware-attack-uses-guloader-malicious-mi… ∗∗∗ Using Shell Links as zero-touch downloaders and to initiate network connections, (Wed, Jun 24th) ∗∗∗ --------------------------------------------- Probably anyone who has used any modern version of Windows is aware of their file-based shortcuts, also known as LNKs or Shell Link files. Although they were intended as a simple feature to make Windows a bit more user-friendly, over the years, a significant number[1] of vulnerabilities were identified in handling of LNKs. Many of these vulnerabilities lead to remote code execution and one (CVE-2010-2568) was even used in creation of the Stuxnet worm. --------------------------------------------- https://isc.sans.edu/diary/rss/26276 ∗∗∗ Three words you do not want to hear regarding a secure browser called SafePay... Remote. Code. Execution ∗∗∗ --------------------------------------------- How Bitdefenders security software was caught napping by ad-block bod Folks running Bitdefenders Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2020/06/24/bitdefender_… ∗∗∗ WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group ∗∗∗ --------------------------------------------- WastedLocker is a new ransomware locker we’ve detected being used since May 2020. We believe it has been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the Evil Corp group in 2020. Evil Corp were previously associated to the Dridex malware and BitPaymer ransomware, the latter came to prominence in the first half of 2017. Recently Evil Corp has changed a number of TTPs related to their operations further described in this article. --------------------------------------------- https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-de… ∗∗∗ Gefälschte PayLife-Mails im Umlauf ∗∗∗ --------------------------------------------- Unter verschiedenen Vorwänden versuchen BetrügerInnen derzeit an Zugangs- und Kreditkartendaten von PayLife-KundInnen zu kommen. Kommt man den Aufforderungen in diesen Mails nicht nach, wird mit einer Sperre der Karte oder anderen Einschränkungen gedroht. Folgen Sie dem Link in diesen Mails nicht und laden Sie auch keine „Kartensicherheits-App“ herunter! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-paylife-mails-im-umlauf/ ∗∗∗ Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices ∗∗∗ --------------------------------------------- A new hybrid malware capable of cryptojacking and launching DDoS was discovered in the wild, which weve named "Lucifer." --------------------------------------------- https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybr… ∗∗∗ This sneaky malware goes to unusual lengths to cover its tracks ∗∗∗ --------------------------------------------- Glupteba creates a backdoor into infected Windows systems - and researchers think itll be offered to cyber criminals as an easy means of distributing other malware. --------------------------------------------- https://www.zdnet.com/article/this-sneaky-malware-goes-to-unusual-lengths-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke bedroht Magento-Shops ∗∗∗ --------------------------------------------- Angreifer könnten Onlineshops auf Magento-Basis attackieren und im schlimmsten Fall komplett übernehmen. --------------------------------------------- https://heise.de/-4793608 ∗∗∗ Kritische Lücke: Helpdesk-App auf Qnap-NAS lädt Angreifer ein ∗∗∗ --------------------------------------------- Qnap hat eine wichtige Aktualisierung für die Support-App Helpdesk veröffentlicht. --------------------------------------------- https://heise.de/-4794415 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, ntp, and unbound), Fedora (php-horde-horde and tcpreplay), openSUSE (chromium, java-1_8_0-openj9, mozilla-nspr, mozilla-nss, and opera), Oracle (gnutls, grafana, thunderbird, and unbound), Red Hat (candlepin and satellite, docker, microcode_ctl, openstack-keystone, openstack-manila and openstack-manila, and qemu-kvm-rhev), Scientific Linux (kernel and ntp), Slackware (ntp), SUSE (curl, libreoffice, libssh2_org, and php5), and Ubuntu (curl). --------------------------------------------- https://lwn.net/Articles/824378/ ∗∗∗ VMware Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0622 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Use of Hard-Coded Credentials vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in IBM Tivoli Netcool/OMNIbus Probe for Network Node Manager i (CVE-2009-3555) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Speech to Text, Text to Speech ICP WebSphere Application Server Liberty Fix ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-sp… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2020
by Daily end-of-shift report 23 Jun '20

23 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Montag 22-06-2020 18:00 − Dienstag 23-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Comparing Office Documents with WinMerge, (Mon, Jun 22nd) ∗∗∗ --------------------------------------------- Sometimes I have to compare the internals of Office documents (OOXML files, e.g. ZIP container with XML files, ...). Since they are ZIP containers, I have to compare the files within. I used to do this with with zipdump.py tool, but recently, I started to use WinMerge because of its graphical user interface. --------------------------------------------- https://isc.sans.edu/diary/rss/26268 ∗∗∗ HTTP Request Smuggling: Abusing Reverse Proxies ∗∗∗ --------------------------------------------- SANS Penetration Testing blog about exploiting differences between web servers and their reverse proxies --------------------------------------------- https://www.sans.org/blog/http-request-smuggling-abusing-reverse-proxies?ms… ∗∗∗ XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers ∗∗∗ --------------------------------------------- We have recently detected variants of two existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware and Kaiji DDoS malware. While the XORDDoS attack infiltrated the Docker server to infect all the containers hosted on it, the Kaiji attack deploys its own container that will contain its DDoS malware. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-b… ∗∗∗ Vorschussbetrug: Ein Opfer berichtet… ∗∗∗ --------------------------------------------- Vorschussbetrug funktioniert immer ähnlich: Ihnen wird per E-Mail mitgeteilt, dass Sie auserwählt wurden, einen sehr hohen Geldbetrag zu erhalten. Jedoch müssen Sie vorab eine Geldsumme überweisen – angeblich für Zertifikate, Spesen, die Abwicklung der Überweisung oder Ähnliches. Erst dann kann der Betrag an Sie übermittelt werden. Achtung: Den angeblichen Geldbetrag erhalten Sie nie und das vorab überwiesene Geld ist weg! --------------------------------------------- https://www.watchlist-internet.at/news/vorschussbetrug-ein-opfer-berichtet/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate Bitdefender: Websites könnten Schadcode auf PCs schleusen ∗∗∗ --------------------------------------------- In einer aktualisierten Version von Bitdefender Internet Security haben die Entwickler eine Sicherheitslücke geschlossen. Das Angriffsrisiko gilt als hoch. --------------------------------------------- https://heise.de/-4792200 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (thunderbird), Debian (wordpress), Fedora (ca-certificates, kernel, libexif, and tomcat), openSUSE (chromium, containerd, docker, docker-runc, golang-github-docker-libnetwork, fwupd, osc, perl, php7, and xmlgraphics-batik), Oracle (unbound), Red Hat (containernetworking-plugins, dpdk, grafana, kernel, kernel-rt, kpatch-patch, libexif, microcode_ctl, ntp, pcs, and skopeo), Scientific Linux (unbound), SUSE (kernel, mariadb, mercurial, and xawtv), and Ubuntu (mutt, nfs-utils). --------------------------------------------- https://lwn.net/Articles/824264/ ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Atlassian Jira Software ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0617 ∗∗∗ Multiple Vulnerabilities in Treck IP Stack Affecting Cisco Products: June 2020 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM API Connect V2018 (ova) is vulnerable to denial of service (CVE-2020-8551, CVE-2020-8552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v2018-ova… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2020-4323) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: PowerVC is impacted by an Openstack Nova vulnerability which could leak consoleauth tokens into log files (CVE-2015-9543) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-is-impacted-by-an… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Hard-coded passwords vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2020-4327) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2020-4413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ KLCERT-20-014: Session token exposed in Honeywell ControlEdge PLC and RTU ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2020/06/23/klce… ∗∗∗ KLCERT-20-013: Unencypted password transmission in Honeywell ControlEdge PLC and RTU ∗∗∗ --------------------------------------------- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2020/06/23/klce… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2020
by Daily end-of-shift report 22 Jun '20

22 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-06-2020 18:00 − Montag 22-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Top 8 tips for office security when employees are working from home ∗∗∗ --------------------------------------------- Who’s minding the store? Cybersecurity has become even more high profile during the current COVID-19 pandemic. A recent warning from the UK National Cyber Security Centre and the US Department of Homeland Security talks of state-backed hackers targeting healthcare organizations. Many other examples of pandemic-focused cyberattacks have popped up since the coronavirus appeared. --------------------------------------------- https://resources.infosecinstitute.com/top-8-tips-for-office-security-when-… ∗∗∗ Web skimming with Google Analytics ∗∗∗ --------------------------------------------- Recently, we identified several cases where Google Analytics was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. --------------------------------------------- https://securelist.com/web-skimming-with-google-analytics/97414/ ∗∗∗ Pi Zero HoneyPot , (Sat, Jun 20th) ∗∗∗ --------------------------------------------- The ISC has had a Pi honeypot(1) for the last couple of years, but I haven't had much time to try it on the Pi zero. Recently, I've had a chance to try it out, and it works great. --------------------------------------------- https://isc.sans.edu/diary/rss/26260 ∗∗∗ Hijacking DLLs in Windows ∗∗∗ --------------------------------------------- DLL Hijacking is a popular technique for executing malicious payloads. This post lists nearly 300 executables vulnerable to relative path DLL Hijacking on Windows 10 (1909), and shows how with a few lines of VBScript some of the DLL hijacks can be executed with elevated privileges, bypassing UAC. --------------------------------------------- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows ∗∗∗ Turn on MFA Before Crooks Do It For You ∗∗∗ --------------------------------------------- Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who dont take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Heres the story of one such incident. --------------------------------------------- https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you/ ∗∗∗ Achtung vor gefährlicher "BawagPSK" Phishing-SMS ∗∗∗ --------------------------------------------- BetrügerInnen senden derzeit eine SMS-Nachricht im Namen der BAWAG P.S.K. aus. Als Absender wird keine Telefonnummer, sondern „BawagPSK“ angegeben. Laut der Nachricht müssen Sie einem Link folgen, um eine Anfrage zu Ihrem mobilen Banking zu bestätigen. Folgen Sie dem Link nicht! Er führt auf eine gefälschte Website und eingegebene Daten landen direkt in den Händen der Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-gefaehrlicher-bawagpsk-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Firmware-Bug gefährdet XG Firewalls von Sophos ∗∗∗ --------------------------------------------- Angreifer könnten über ein Schlupfloch in Sophos XG Firewalls Schadcode in Netzwerken ausführen. --------------------------------------------- https://heise.de/-4790793 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lynis, mutt, neomutt, ngircd, and rails), Mageia (gnutls), Oracle (thunderbird), Red Hat (chromium-browser, gnutls, grafana, thunderbird, and unbound), Scientific Linux (thunderbird and unbound), and SUSE (bind, java-1_8_0-openjdk, kernel, libgxps, and osc). --------------------------------------------- https://lwn.net/Articles/824113/ ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Elastic Elasticsearch ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: OpenSSL for IBM i is affected by CVE-2020-1967 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-affe… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Potential vulnerability with FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-w… ∗∗∗ Security Bulletin: Multiple potential vulnerabilities in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-potential-vulner… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Apache Commons FileUpload (Publicly disclosed vulnerability) in IBM eDiscovery Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-fileupload… ∗∗∗ Security Bulletin: January 2020 Critical Patch Update for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-january-2020-critical-pat… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.06.2020
by Daily end-of-shift report 19 Jun '20

19 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-06-2020 18:00 − Freitag 19-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers use fake Windows error logs to hide malicious payload ∗∗∗ --------------------------------------------- Hackers have been using fake error logs to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed to prepare the ground for script-based attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-err… ∗∗∗ IBM Maximo Asset Management servers patched against attacks ∗∗∗ --------------------------------------------- Details are hazy but the overall story is clear: if you use IBM’s Maximo Asset Management, make sure you’re patched. --------------------------------------------- https://nakedsecurity.sophos.com/2020/06/19/ibm-maximo-asset-management-ser… ∗∗∗ Sicherheitsupdate für CMS: Drupal anfällig für Remote Code Execution ∗∗∗ --------------------------------------------- Die Drupal-Entwickler haben zwei Sicherheitslücken in mehreren Versionen des Content Management Systems geschlossen. --------------------------------------------- https://heise.de/-4789539 ∗∗∗ Security: Four zero-days spotted in attacks on honeypot systems ∗∗∗ --------------------------------------------- Previously unknown attacks used against fake systems show big problems remain with industrial systems security. --------------------------------------------- https://www.zdnet.com/article/security-four-zero-day-attacks-spotted-in-att… ===================== = Vulnerabilities = ===================== ∗∗∗ BlackBerry Powered by Android Security Bulletin - June 2020 ∗∗∗ --------------------------------------------- BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ Kritische 0day-Lücke in 79 Netgear-Router-Modellen ∗∗∗ --------------------------------------------- Über einen Fehler im eingebauten Webserver lassen sich die Geräte kapern – unter Umständen schon beim Besuch einer Webseite mit dem Exploit. --------------------------------------------- https://heise.de/-4789814 ∗∗∗ VMSA-2020-0014 ∗∗∗ --------------------------------------------- VMware Tools for macOS update addresses a denial-of-service vulnerability (CVE-2020-3972) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0014.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7), Fedora (dbus, kernel, microcode_ctl, mingw-glib-networking, moby-engine, and roundcubemail), Mageia (libjpeg), openSUSE (chromium and rmt-server), Oracle (kernel and microcode_ctl), Red Hat (rh-nodejs8-nodejs and thunderbird), Slackware (bind), and SUSE (adns, containerd, docker, docker-runc, golang-github-docker-libnetwork, dbus-1, fwupd, gegl, gnuplot, guile, java-1_7_1-ibm, java-1_8_0-ibm, kernel, mozilla-nspr, mozilla-nss, perl, and [...] --------------------------------------------- https://lwn.net/Articles/823736/ ∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities affects IBM Engineering Requirements Management DOORS Next ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability identified in Apache ActiveMQ used in Cloud Pak System (CVE-2020-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-identified-… ∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-ser… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.06.2020
by Daily end-of-shift report 18 Jun '20

18 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-06-2020 18:00 − Donnerstag 18-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FF Sandbox Escape (CVE-2020-12388) ∗∗∗ --------------------------------------------- In my previous blog post I discussed an issue with the Windows Kernel’s handling of Restricted Tokens which allowed me to escape the Chrome GPU sandbox. Originally I’d planned to use Firefox for the proof-of-concept as Firefox uses the same effective sandbox level as the Chrome GPU process for its content renderers. That means a FF content RCE would give code execution in a sandbox where you could abuse the Windows Kernel Restricted Tokens issue, [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2020/06/ff-sandbox-escape-cve-2020-1… ∗∗∗ BofA Phish Gets Around DMARC, Other Email Protections ∗∗∗ --------------------------------------------- The June campaign was targeted and aimed at stealing online banking credentials. --------------------------------------------- https://threatpost.com/bofa-phish-gets-around-dmarc-other-email-protections… ∗∗∗ Broken phishing accidentally exploiting Outlook zero-day, (Thu, Jun 18th) ∗∗∗ --------------------------------------------- When we think of zero-days, what comes to mind are usually RCEs or other high-impact vulnerabilities. Zero-days, however, come in all shapes and sizes and many of them are low impact, as is the vulnerability were going to discuss today. What is interesting about it, apart from it allowing a sender of an e-mail to include/change a link in an e-mail when it is forwarded by Outlook, is that I noticed it being exploited in a low-quality phishing e-mail by what appears to be a complete accident. --------------------------------------------- https://isc.sans.edu/diary/rss/26254 ∗∗∗ Gefährliche SMS von Notify stiehlt Apple-ID ∗∗∗ --------------------------------------------- Zahlreiche Leserinnen und Leser melden der Watchlist Internet eine SMS-Nachricht im Namen von Apple. Als Absender ist keine Nummer sondern „Notify“ angegeben. Angeblich wurde das Apple-Konto gesperrt. Dem Link zur Freischaltung darf nicht gefolgt werden! Hier werden Apple-ID und Kreditkartendaten gestohlen und missbraucht. --------------------------------------------- https://www.watchlist-internet.at/news/gefaehrliche-sms-von-notify-stiehlt-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IP Phones Call Log Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Web Access feature of Cisco IP Phones could allow an unauthenticated, remote attacker to view sensitive information on an affected device. The vulnerability is due to improper access controls on the web-based management interface of an affected device. An attacker could exploit this vulnerability by sending malicious requests to the device, which could allow the attacker to bypass access restrictions. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Sicherheitsupdates: Cisco Webex Meetings kann sich an Fake-Updates verschlucken ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für etwa Data Center Network Manager, verschiedene Router und Webex Meetings veröffentlicht. --------------------------------------------- https://heise.de/-4787456 ∗∗∗ CPU-Sicherheitslücken bei AMD-Kombiprozessoren: BIOS-Updates kommen ∗∗∗ --------------------------------------------- AMDs Kombiprozessoren der Jahre 2016 bis 2019, also auch Ryzen-Modellen, fehlen Sicherheitschecks, um SMM-Code im RAM zu verstecken. --------------------------------------------- https://heise.de/-4788807 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7 and python-django), Fedora (glib-networking, kernel, kernel-headers, and nghttp2), openSUSE (adns, chromium, file-roller, and libEMF), SUSE (java-1_7_1-ibm), and Ubuntu (bind9 and nss). --------------------------------------------- https://lwn.net/Articles/823461/ ∗∗∗ Synology-SA-20:14 SRM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_14 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0598 ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0599 ∗∗∗ Microsoft Windows 10: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0601 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0609 ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0604 ∗∗∗ Security Advisory - Improper Privilege Management Vulnerability in FusionShpere Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200617-… ∗∗∗ Security Bulletin: IBM API Connect V2018 is vulnerable to denial of service (CVE-2020-8551, CVE-2020-8552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v2018-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4469, CVE-2020-4471, CVE-2020-4470) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager (October 2019, January 2020 and April 2020 CPUs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2020-2654 (deferred from Oracle Jan 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – IBM SDK, Java Technology Edition Quarterly CPU – Apr 2020 – Includes Oracle Apr 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – CVE-2019-2949 (deferred from Oracle Oct 2019 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU for IBM MQ – Jan 2020 – Includes Oracle Jan 2020 CPU minus CVE-2020-2585, CVE-2020-2654, and CVE-2020-2590 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2020
by Daily end-of-shift report 17 Jun '20

17 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-06-2020 18:00 − Mittwoch 17-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Do cybercriminals play cyber games during quarantine? ∗∗∗ --------------------------------------------- Thanks to the coronavirus pandemic, the role of the Internet in our lives has undergone changes, including irreversible ones. We decided to take a closer look at the changes around us through the prism of information security, starting with the video game industry. --------------------------------------------- https://securelist.com/do-cybercriminals-play-cyber-games-during-quarantine… ∗∗∗ When NTP Kills Your Sandbox ∗∗∗ --------------------------------------------- If it’s common to say that “Everything is a Freaking DNS problem“, other protocols can also be the source of problems… NTP (“Network Time Protocol”) is also a good candidate! A best practice is to synchronize all your devices via NTP but also to set up the same timezone! We [...] --------------------------------------------- https://blog.rootshell.be/2020/06/17/when-ntp-kills-your-sandbox/ ∗∗∗ A Click from the Backyard | Analysis of CVE-2020-9332, a Vulnerable USB Redirection Software ∗∗∗ --------------------------------------------- [...] The vulnerability represents a new attack vector that allows attackers to create fake USB devices, fully trusted by the Windows operating system (kernel), to attack a machine in unconventional and unexpected ways. --------------------------------------------- https://labs.sentinelone.com/click-from-the-backyard-cve-2020-9332/ ∗∗∗ Ripple20 erschüttert das Internet der Dinge ∗∗∗ --------------------------------------------- Eine Reihe von teils kritischen Sicherheitslücken in einer TCP/IP-Implementierung gefährdet Geräte in Haushalten, Krankenhäusern und Industrieanlagen. --------------------------------------------- https://heise.de/-4786249 ∗∗∗ Embedded security fails in ICS ∗∗∗ --------------------------------------------- Over the last 5 years, we’ve seen an increasing use of open-source software in ICS (Industrial Control Systems) devices, with a move away from traditional RTOS (Real Time Operating System) [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/embedded-security-fails-in-ic… ∗∗∗ Vorsicht bei der Wohnungssuche: Günstige Traumwohnung könnte Betrug sein! ∗∗∗ --------------------------------------------- Es ist kaum zu glauben: Zentrale Lage in der Wiener Innenstadt. Eingerichtet mit neuesten Möbeln und Geräten. 87m2 und dazu noch eine Terrasse oder einen Balkon. Das Beste daran: Die Miete beträgt nur 450 Euro monatlich, weit unter dem Durchschnitt also. Kennen Sie ähnlich verlockende Wohnungsinserate? Wenn ja, sollten Sie vorsichtig sein und sich den Anbieter oder die Anbieterin genauer ansehen, bevor Sie bei dem verlockenden Schnäppchen zusagen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-wohnungssuche-guens… ===================== = Vulnerabilities = ===================== ∗∗∗ SaltStack FrameWork Vulnerabilities Affecting Cisco Products ∗∗∗ --------------------------------------------- On April 29, 2020, the Salt Open Core team notified their community regarding the following two CVE-IDs: CVE-2020-11651: Authentication Bypass Vulnerability CVE-2020-11652: Directory Traversal Vulnerability Cisco Modeling Labs Corporate Edition (CML), Cisco TelePresence IX5000 Series, and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ ICS Advisory (ICSA-20-168-01) - Treck TCP/IP Stack ∗∗∗ --------------------------------------------- CISA is aware of a public report, known as "Ripple20" that details vulnerabilities found in the Treck TCP/IP stack. CISA is issuing this advisory to provide early notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-168-01 ∗∗∗ Linux-Kernel: ACPI-Bug hebelt Schutzmechanismen von UEFI Secure Boot aus ∗∗∗ --------------------------------------------- Ein Bug im Linux-Mainline-Kernel könnte Angreifern das Laden unsignierter Kernel-Module trotz UEFI Secure Boot ermöglichen. PoC-Code und ein Patch liegen vor. --------------------------------------------- https://heise.de/-4786877 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dbus and intel-ucode), CentOS (libexif), Debian (vlc), SUSE (xen), and Ubuntu (dbus, libexif, and nss). --------------------------------------------- https://lwn.net/Articles/823283/ ∗∗∗ Security Bulletin: WebSphere Application Server used in IBM WebSphere Application Server in IBM Cloud is vulnerable to a server-side request forgery vulnerability (CVE-2020-4365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK April 2020 CPU affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4532 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM HTTP Server and IBM WebSphere Application Server used in IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.06.2020
by Daily end-of-shift report 16 Jun '20

16 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Montag 15-06-2020 18:00 − Dienstag 16-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Java STRRAT ships with .crimson ransomware module ∗∗∗ --------------------------------------------- This Java based malware installs RDPWrap, steals credentials, logs keystrokes and remote controls Windows systems. It may soon be capable to infect without Java installed. --------------------------------------------- https://www.gdatasoftware.com/blog/strrat-crimson ∗∗∗ SOHO Device Exploitation ∗∗∗ --------------------------------------------- This blog describes one such session of auditing the Netgear R7000 router, analyzing the resulting vulnerability, and the exploit development process that followed. The write-up and code for the vulnerability described in this blog post can be found in our NotQuite0DayFriday repository. --------------------------------------------- https://blog.grimm-co.com/2020/06/soho-device-exploitation.html ∗∗∗ The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers ∗∗∗ --------------------------------------------- This writeup is a summary of my research on issues in handling copying and pasting in: browsers, popular WYSIWYG editors, and websites. --------------------------------------------- https://research.securitum.com/the-curious-case-of-copy-paste/ ∗∗∗ 19 Zero-Day Vulnerabilities Amplified by the Supply Chain ∗∗∗ --------------------------------------------- The JSOF research lab has discovered a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc. The 19 vulnerabilities, given the name Ripple20, affect hundreds of millions of devices (or more), and include multiple remote code execution vulnerabilities. The risks inherent in this situation are high. Just a few examples: data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to [...] --------------------------------------------- https://www.jsof-tech.com/ripple20/ ∗∗∗ Fake-Trachtenshops werben auf Facebook & Instagram ∗∗∗ --------------------------------------------- Auf Facebook und Instagram sind wir umgeben von Werbung, jedoch ist nicht jede Werbeschaltung seriös. Aktuell werben die Fake-Shops marjo-trachten.com, statuskelidmode.de und linennew.com intensiv mit Facebook-Anzeigen. Wer dort bestellt hat, wird trotz Bezahlung keine oder nur minderwertige Ware bekommen! --------------------------------------------- https://www.watchlist-internet.at/news/fake-trachtenshops-werben-auf-facebo… ∗∗∗ Warning issued over hackable security cameras ∗∗∗ --------------------------------------------- The owners of the vulnerable indoor cameras are advised to unplug the devices immediately --------------------------------------------- https://www.welivesecurity.com/2020/06/15/warning-issued-hackable-security-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Campaign Classic (APSB20-34), Adobe After Effects (APSB20-35), Adobe Illustrator (APSB20-37), Adobe Premiere Pro (APSB20-38), Adobe Premiere Rush (APSB20-39) and Adobe Audition (APSB20-40). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1884 ∗∗∗ Beckhoff Security Advisory 2020-002: EtherLeak in TwinCAT RT network driver ∗∗∗ --------------------------------------------- In case an network interface sends Ethernet frames with payloads smaller than the minimum frame length, memory content is disclosed within the padding. --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… ∗∗∗ Root-Lücke bedroht IBM Spectrum Protect Server ∗∗∗ --------------------------------------------- Unter anderem gefährliche Sicherheitslücken in IBMs Datenbankmanagementsystem Db2 gefährden Spectrum Protect Server. --------------------------------------------- https://heise.de/-4785158 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (galera, grafana, libjcat, libvirt, mariadb-connector-c, and perl), Gentoo (asterisk, bubblewrap, cyrus-imapd, faad2, json-c, openconnect, openjdk-bin, pcre2, PEAR-Archive_Tar, thunderbird, and tomcat), Mageia (mbedtls and scapy), openSUSE (libntlm, libupnp, prboom-plus, varnish, and xen), Oracle (libexif), Red Hat (kpatch-patch), Scientific Linux (libexif), SUSE (mariadb, nodejs6, and poppler), and Ubuntu (apport). --------------------------------------------- https://lwn.net/Articles/823199/ ∗∗∗ Synology-SA-20:13 CallStranger ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to obtain sensitive information or conduct denial-of-service attack via a susceptible version of Synology Router Manager (SRM) or Media Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_13 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0588 ∗∗∗ Security Bulletin: Vulnerabilities addressed in IBM Cloud Pak System (CVE-2019-4521, CVE-2019-4095) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-addressed… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack due to an error within the Data Conversion logic. (CVE-2020-4310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU for WebSphere MQ Internet Pass-Thru – April 2020 – Includes Oracle April 2020 CPU (CVE-2020-2781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by OpenSSL vulnerabilities (CVE-2019-1547 and CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ and MQ Appliance could allow an authenticated user cause a denial of service due to a memory leak. (CVE-2020-4267) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-mq-appliance-c… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK April 2020 CPU affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by Network Security Services (NSS) vulnerabilities (CVE-2019-11729 and CVE-2019-11745) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability in IBM Cloud Pak System (CVE-2019-4098) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM MQ AMQP channels fail to block connections restricted by SSLPEER setting (CVE-2020-4320) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-amqp-channels-fail… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2020
by Daily end-of-shift report 15 Jun '20

15 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-06-2020 18:00 − Montag 15-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mirai Botnet Activity, (Sat, Jun 13th) ∗∗∗ --------------------------------------------- This past week, I noticed new activity from the Mirai botnet in my honeypot. The sample log with the IP and file associated with the first log appears to have been taken down (96.30.193.26) which appeared multiple times this week including today. However, the last two logs from today are still active which is using a Bash script to download multiple exploits targeting various device types (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent: XTC and the name viktor [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26234 ∗∗∗ What is the Gibberish Hack? ∗∗∗ --------------------------------------------- Discovering some random folder with numbers and letters you don’t remember on your website would make any website owner put on their detective cap. At first, you may think, “Did I leave my FTP client open and my cat ran across the keyboard?” But when you open the folder, you find a series of HTML files, each named with some kind of nonsensical phrases like “cheap-cool-hairstyles-photos.html.” If you open one of these files on the browser, you’ll likely be [...] --------------------------------------------- https://blog.sucuri.net/2020/06/gibberish-hack.html ===================== = Vulnerabilities = ===================== ∗∗∗ D-Link patcht älteren WLAN-Router DIR-865L – aber nur ein bisschen ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate für den WLAN-Router DIR865L schließt mehrere Sicherheitslücken. Eine kritische Schwachstelle bleibt aber offen. --------------------------------------------- https://heise.de/-4783566 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, libexif, mysql-connector-java, and thunderbird), Fedora (gnutls, grafana, kernel, kernel-headers, mingw-gnutls, mod_auth_openidc, NetworkManager, and pdns-recursor), Gentoo (adobe-flash, ansible, chromium, firefox, glibc, mailutils, nokogiri, readline, ssvnc, and webkit-gtk), Mageia (axel, bind, dbus, flash-player-plugin, libreoffice, networkmanager, and roundcubemail), openSUSE (java-1_8_0-openjdk, kernel, nodejs8, rubygem-bundler, [...] --------------------------------------------- https://lwn.net/Articles/823107/ ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM Spectrum Protect Plus (CVE-2020-1938) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus vulnerable to Logjam (CVE-2015-4000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: Multiple Java vulnerabilities affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabili… ∗∗∗ Security Bulletin: Vulnerability in MongoDB affects IBM Spectrum Protect Plus (CVE-2019-2389) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-mongodb-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4469, CVE-2020-4471, CVE-2020-4470) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Go programming language affects IBM Spectrum Protect Server (CVE-2019-16276) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-go-progr… ∗∗∗ Security Bulletin: Db2 vulnerabilities affect IBM Spectrum Protect Server (CVE-2020-4230, CVE-2020-4135, CVE-2020-4204, CVE-2020-4200) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-db2-vulnerabilities-affec… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects the IBM Spectrum Protect Server (CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2019-4732, CVE-2019-2989, CVE-2019-2964) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Denial of Service vulnerability in Linux Kernel affects IBM Spectrum Protect Plus (CVE-2020-12114) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.06.2020
by Daily end-of-shift report 12 Jun '20

12 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-06-2020 18:00 − Freitag 12-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers are quick to notice exposed Elasticsearch servers ∗∗∗ --------------------------------------------- Bad guys find unprotected Elasticsearch servers exposed on the web faster than search engines can index them. A study found that threat actors are mainly going for cryptocurrency mining and credential theft. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-quick-to-notice-… ∗∗∗ Intel patches chip flaw that could leak your cryptographic secrets ∗∗∗ --------------------------------------------- Intel chip features that were intended to help you do cryptography better could have leaked your inner secrets. --------------------------------------------- https://nakedsecurity.sophos.com/2020/06/12/intel-patches-chip-flaw-that-co… ∗∗∗ ConnectWise issues a slightly scary but unusually significant security advisory ∗∗∗ --------------------------------------------- Because IT service providers use ConnectWise to run your IT and this is its first-ever bug report ConnectWise isn't a vendor most Reg readers deal with directly, but the fact the company has just issued its first-ever security advisory deserves attention. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2020/06/12/connectwise_… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (tomcat), Debian (intel-microcode, libphp-phpmailer, mysql-connector-java, python-django, thunderbird, and xawtv), Fedora (kernel and thunderbird), Gentoo (perl), openSUSE (libexif and vim), Oracle (dotnet, kernel, microcode_ctl, and tomcat), Red Hat (net-snmp), Scientific Linux (libexif and tomcat), Slackware (kernel), and SUSE (adns, audiofile, ed, kvm, nodejs12, and xen). --------------------------------------------- https://lwn.net/Articles/822964/ ∗∗∗ Critical Vulnerabilities Expose Siemens LOGO! Controllers to Attacks ∗∗∗ --------------------------------------------- Siemens’ LOGO! programmable logic controllers (PLCs) are affected by critical vulnerabilities that can be exploited remotely to launch denial-of-service (DoS) attacks and modify the device’s configuration. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-expose-siemens-logo-c… ∗∗∗ 6 New Vulnerabilities Found on D-Link Home Routers ∗∗∗ --------------------------------------------- Six new D-Link vulnerabilities found in D-Links DIR-865L home cloud router. Consumers should patch ASAP. --------------------------------------------- https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-h… ∗∗∗ Vulnerabilities in Citrix Workspace app and Receiver for Windows ∗∗∗ --------------------------------------------- Vulnerabilities have been identified in Citrix Workspace app and Receiver for Windows that could result in a local user escalating their privilege level to administrator during the uninstallation process. --------------------------------------------- https://support.citrix.com/article/CTX275460 ∗∗∗ Red Hat JBoss Application Server (JBoss): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0580 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0579 ∗∗∗ WordPress: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0583 ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei FusionAccess Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200610-… ∗∗∗ Security Advisory - FasterXML Jackson-databind Injection Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200610-… ∗∗∗ Security Bulletin: Vulnerabilities CVE-2020-1927 and CVE-2020-1934 in Apache HTTP Server affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-cve-2020-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM Workload Scheduler potentially vulnerable to cross site scripting ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-workload-scheduler-po… ∗∗∗ Security Bulletin: IBM Event Streams is affected by Apache CXF vulnerability CVE-2019-12406 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Mgmt ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM Event Streams is affected by Go vulnerability CVE-2019-16276 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by WebSphere Liberty Profile vulnerability CVE-2019-4441 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerability CVE-2019-20330 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Mgmt ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM API Connect V5 is vulnerable to cross site scripting (XSS) (CVE-2020-4251) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-is-vul… ∗∗∗ Security Bulletin: IBM Event Streams is affected by kafka vulnerability CVE-2019-12399 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2020
by Daily end-of-shift report 10 Jun '20

10 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-06-2020 18:00 − Mittwoch 10-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zahlreiche Beschwerden zu Kammerjaeger.pro, elektro-24.info und anderen Handwerkern ∗∗∗ --------------------------------------------- Ungeziefer zuhause? Die BetreiberInnen von der Seite Kammerjaeger.pro sollten Sie bei Problemen mit Schädlingen lieber nicht beauftragen. Denn: KonsumentInnen berichten von überhöhten Zahlungsforderungen. Nachträgliche Beschwerden sind nicht möglich, da nach der Bezahlung niemand mehr erreichbar ist. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-beschwerden-zu-kammerjaeg… ∗∗∗ Neue Quiz-App: Testen Sie Ihr Wissen zum Thema Internetsicherheit! ∗∗∗ --------------------------------------------- Wissen Sie was Phishing bedeutet? Erkennen Sie einen Fake-Shop? Durchschauen Sie Abo-Fallen? Testen und stärken Sie Ihr Wissen mit der neuen Quiz-App zum Thema Internetsicherheit. --------------------------------------------- https://www.watchlist-internet.at/news/neue-quiz-app-testen-sie-ihr-wissen-… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Microsoft lässt über 120 Sicherheitsupdates auf Windows & Co. los ∗∗∗ --------------------------------------------- Wer Betriebssysteme und Software von Microsoft nutzt, sollte sicherstellen, dass die aktuellen Updates installiert sind. --------------------------------------------- https://heise.de/-4779414 ∗∗∗ Blackberry BSRT-2020-002 Input Validation Vulnerability in Server Configuration Management Impacts BlackBerry Workspaces Server (deployed with Appliance-X) ∗∗∗ --------------------------------------------- This advisory addresses an input validation vulnerability in the server configuration management of affected versions of BlackBerry Workspaces Server (deployed with Appliance-X) that could potentially allow a successful attacker to conduct an information disclosure, tampering or denial of service attack. BlackBerry is not aware of any exploitation of this vulnerability. --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Intel IPAS: Security Advisories for June 2020 ∗∗∗ --------------------------------------------- * INTEL-SA-00266 2020.1 IPU – Intel SSD Advisory * INTEL-SA-00295 2020.1 IPU – Intel CSME, SPS, TXE, AMT and DAL Advisory * INTEL-SA-00320 2020.1 IPU – Special Register Buffer Data Sampling * INTEL-SA-00322 2020.1 IPU – BIOS Advisory * INTEL-SA-00366 Intel Innovation Engine Advisory --------------------------------------------- https://blogs.intel.com/technology/2020/06/ipas-security-advisories-for-jun… ∗∗∗ SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol ∗∗∗ --------------------------------------------- Cybersecurity researchers today uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed "wormable" bug, the flaw can be exploited to achieve remote code execution attacks. --------------------------------------------- https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html ∗∗∗ VMSA-2020-0013 ∗∗∗ --------------------------------------------- VMware Horizon Client for Windows update addresses privilege escalation vulnerability (CVE-2020-3961) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0013.html ∗∗∗ XSA-320 ∗∗∗ --------------------------------------------- Special Register Buffer speculative side channel --------------------------------------------- https://xenbits.xen.org/xsa/advisory-320.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, gnutls, python-django, thunderbird, tomcat7, tomcat8, and tomcat9), CentOS (unbound), Debian (bluez, firefox-esr, kernel, and linux-4.9), Oracle (kernel), Red Hat (.NET Core, .NET Core 3.1, kernel, kernel-rt, libexif, microcode_ctl, pcs, and virt:rhel), SUSE (gnutls, java-1_7_0-ibm, kernel, microcode_ctl, nodejs10, nodejs8, rubygem-bundler, texlive, texlive-filesystem, thunderbird, and ucode-intel), and Ubuntu (intel-microcode, [...] --------------------------------------------- https://lwn.net/Articles/822719/ ∗∗∗ WAGO: PPPD in PFC100 and PFC200 Series is vulnerable to CVE-2020-8597 ∗∗∗ --------------------------------------------- WAGO PLCs pppd is vulnerable to CVE-2020-8597 in case the daemon has been activated. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-020 ∗∗∗ Citrix Hypervisor Security Updates ∗∗∗ --------------------------------------------- CTX275165 NewCitrix Hypervisor Security Updates Applicable Products: Citrix_Hypervisor_8_0, Citrix_Hypervisor_8_1, XenServer_7_0, XenServer_7_1_Cumulative_Update_2 [...] A security issue has been identified in certain CPU hardware that may allow unprivileged code running on a host to observe the entropy provided by the CPU to other processes, virtual machines or the hypervisor that are, or have recently been, running, irrespective of whether they are running on the same processor core or thread. For example, if a process in one guest VM were to use the RDSEED instruction to get a random value to use as a secret encryption key, another process in a different VM might be able to observe the result of that RDSEED instruction and so determine the secret encryption key. --------------------------------------------- https://support.citrix.com/article/CTX275165 ∗∗∗ Security Advisory - Insufficient Input Verification of Some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200610-… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200610-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200610-… ∗∗∗ Security Bulletin: IBM QRadar Network Packet Capture does not require that users should have strong passwords by default (CVE-2019-4576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites impacting IBM Aspera Streaming for Video 3.8.0 and earlier (CVE-2019-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Go (CVE-2019-16276) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Public disclosed vulnerability from OpenSSL affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerab… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified In Jackson Databind library shipped with IBM Global Mailbox (CVE-2019-14892, CVE-2019-14893) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i and Rational Developer for AIX and Linux – January 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.6.0 ESR) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Various vulnerabilities affecting certain Aspera applications (CVE-2020-4432, CVE-2020-4433, CVE-2020-4434, CVE-2020-4435, CVE-2020-4436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-various-vulnerabilities-a… ∗∗∗ Dell BIOS & Computer: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0562 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.06.2020
by Daily end-of-shift report 09 Jun '20

09 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Montag 08-06-2020 18:00 − Dienstag 09-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ CallStranger: Große Sicherheitslücke betrifft Millionen UPnP-Geräte ∗∗∗ --------------------------------------------- Eine Schwachstelle im UPnP-Standard ermöglicht Netzwerk-Scans und DDoS-Angriffe. Bis alle Hersteller Updates bereitstellen, dürfte es lange dauern. --------------------------------------------- https://www.golem.de/news/callstranger-grosse-sicherheitsluecke-betrifft-mi… ∗∗∗ Sicherheitslücke: GnuTLS setzt Session-Keys auf null ∗∗∗ --------------------------------------------- Eine gravierende Sicherheitslücke in GnuTLS führt dazu, dass TLS-1.2-Verbindungen nachträglich entschlüsselt werden können. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-gnutls-setzt-session-keys-auf-n… ∗∗∗ Verwundbare NAS mit Photo Station: QNAP meldet neue Angriffe auf alte Lücken ∗∗∗ --------------------------------------------- Die Ransomware "eCh0raix " nutzt derzeit alte Einfallstore, um QNAP-NAS mit Photo Station anzugreifen. Updates für QTS stehen seit letztem Jahr bereit. --------------------------------------------- https://heise.de/-4778457 ∗∗∗ So erkennen Sie betrügerische KäuferInnen auf willhaben, shpock und Co ∗∗∗ --------------------------------------------- Der Verkauf gebrauchter Gegenstände über shpock, willhaben, ebay und Co verläuft in der Regel unkompliziert und problemlos, es sei denn, Sie geraten an unseriöse KäuferInnen. Behaupten KäuferInnen, dass sie den Betrag inklusive einer Versicherungsgebühr bei DHL oder einem anderen Versandunternehmen hinterlegt haben, dann handelt es sich um Betrug. Brechen Sie den Kontakt ab und ignorieren weitere E-Mails. --------------------------------------------- https://www.watchlist-internet.at/news/so-erkennen-sie-betruegerische-kaeuf… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe: Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB20-30), Adobe Experience Manager (APSB20-31) and Adobe Framemaker (APSB20-32). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1882 ∗∗∗ [Security-announce] VMSA-2020-0012 - VMware ESXi, Workstation and Fusion updates address out-of-bounds read vulnerability (CVE-2020-3960) ∗∗∗ --------------------------------------------- Impacted Products: * VMware vSphere ESXi (ESXi) * VMware Workstation Pro / Player (Workstation) * VMware Fusion Pro / Fusion (Fusion) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0012.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libpam-tacplus), Gentoo (gnutls), Oracle (unbound), Scientific Linux (freerdp and unbound), and SUSE (firefox, java-11-openjdk, java-1_7_0-openjdk, java-1_8_0-openjdk, nodejs10, and ruby2.1). --------------------------------------------- https://lwn.net/Articles/822588/ ∗∗∗ Citrix Systems Workspace App: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- Die Citrix Workspace App ist eine Client Software, die es ermöglicht von zahlreichen Geräten wie Smartphones, Tablets und PCs auf Dokumente, Applikationen und Desktops zuzugreifen. Ein lokaler Angreifer kann mehrere Schwachstellen in Citrix Systems Workspace App ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0549 ∗∗∗ SAP Patchday Juni 2020 ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in SAP Produkten und Anwendungskomponenten ausnutzen, um die Vertraulichkeit, Verfügbarkeit und die Integrität der Anwendungen zu gefährden. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0555 ∗∗∗ Siemens SSA-817401: Missing Authentication Vulnerability in SIEMENS LOGO! ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-817401.txt ∗∗∗ Siemens SSA-927095: UltraVNC Vulnerabilities in SINUMERIK Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-927095.txt ∗∗∗ Siemens SSA-352504: Urgent/11 TCP/IP Stack Vulnerabilities in Siemens Power Meters ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-352504.txt ∗∗∗ Siemens SSA-462066: Vulnerability known as TCP SACK PANIC in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-462066.txt ∗∗∗ Siemens SSA-480230: Denial-of-Service in Webserver of Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-480230.txt ∗∗∗ Siemens SSA-689942: Denial-of-Service and DLL Hijacking Vulnerabilities in Multiple SIMATIC Software Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-689942.txt ∗∗∗ Siemens SSA-312271: Unquoted Search Path Vulnerabilities in Windows-based Industrial Software Applications ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-312271.txt ∗∗∗ Security Bulletin: Vulnerability in Dojo Toolkit affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dojo-too… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.06.2020
by Daily end-of-shift report 08 Jun '20

08 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-06-2020 18:00 − Montag 08-06-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake ransomware decryptor double-encrypts desperate victims files ∗∗∗ --------------------------------------------- A fake decryptor for the STOP Djvu Ransomware is being distributed that lures already desperate people with the promise of free decryption. Instead of getting their files back for free, they are infected with another ransomware that makes their situation even worse. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-ransomware-decryptor-do… ∗∗∗ SMBGhost: Code für Windows-Exploit veröffentlicht ∗∗∗ --------------------------------------------- Auf Github ist nutzbarer Code für eine Sicherheitslücke im SMBv3-Protokoll veröffentlicht worden. Verwundbare Systeme sollten dringend gepatcht werden. --------------------------------------------- https://www.golem.de/news/smbghost-code-fuer-windows-exploit-veroeffentlich… ∗∗∗ Evasion Tactics in Hybrid Credit Card Skimmers ∗∗∗ --------------------------------------------- The most common type of Magento credit card stealing malware is client-side JavaScript that grabs data entered in a checkout form and sends it to a third-party server controlled by the attackers. Though popular with bad actors, one of the drawbacks of this approach is that it’s possible to track requests to suspicious servers if you monitor the traffic generated by checkout pages — or any other infected pages. A lesser-known, but still very popular, type of skimmer can instead be [...] --------------------------------------------- https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimm… ∗∗∗ Abo-Falle statt Gebrauchsanweisung auf anleitungenfinden.com ∗∗∗ --------------------------------------------- Sind Sie gerade auf der Suche nach einer Gebrauchsanweisung für Ihr Smartphone, Ihren Fernseher, ein Haushaltsgerät oder ähnliches? Dann nehmen Sie sich vor der Website anleitungefinden.com in Acht. Für den Betrag von 0,95 Euro sollen Sie die gewünschte Anleitung für Ihr Gerät erhalten. Tatsächlich schließen Sie damit aber ein verstecktes Abonnement über 49,95 Euro monatlich ab, das automatisch von Ihrer Kreditkarte abgebucht wird. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-statt-gebrauchsanweisung-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, dbus, gnutls28, graphicsmagick, libupnp, and nodejs), Fedora (gnutls, kernel, libarchive, php-phpmailer6, and sympa), openSUSE (axel, GraphicsMagick, libcroco, libreoffice, libxml2, and xawtv), Oracle (bind, firefox, freerdp, and kernel), Red Hat (bind, freerdp, and unbound), Scientific Linux (firefox), SUSE (dpdk, file-roller, firefox, gnuplot, libexif, php7, php72, slurm_20_02, and vim), and Ubuntu (gnutls28). --------------------------------------------- https://lwn.net/Articles/822512/ ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Apr 2020 – Includes Oracle Apr 2020 CPU minus CVE-2020-2773 affects Liberty for Java for IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to server side request forgery (SSRF) (CVE-2020-4529) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: There is an information disclosure vulnerability in Liberty for Java (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-is-an-information-d… ∗∗∗ Security Bulletin: Potential spoofing attack in Liberty for Java (CVE-2020-4421) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-spoofing-attack… ∗∗∗ Security Bulletin: CVE-2019-2949 may affect IBM® SDK, Java™ Technology Edition used in Liberty for Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2949-may-affect-… ∗∗∗ Red Hat OpenShift Application Runtimes: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0543 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0542 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0544 ∗∗∗ ffmpeg: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0548 ∗∗∗ Perl: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0546 ∗∗∗ ImageMagick: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0545 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.06.2020
by Daily end-of-shift report 05 Jun '20

05 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-06-2020 18:00 − Freitag 05-06-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ongoing eCh0raix ransomware campaign targets QNAP NAS devices ∗∗∗ --------------------------------------------- After remaining relatively quiet over the past few months, the threat actors behind the eCh0raix Ransomware have launched a brand new campaign targeting QNAP storage devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-… ∗∗∗ Understanding the Payload-Less Email Attacks Evading Your Security Team ∗∗∗ --------------------------------------------- Business email compromise (BEC) attacks represent a small percentage of email attacks, but disproportionately represent the greatest financial risk. --------------------------------------------- https://threatpost.com/understanding-payload-less-email-attacks/156299/ ∗∗∗ Botnet blasts WordPress sites with configuration download attacks ∗∗∗ --------------------------------------------- A million sites attacked by 20,000 different computers. --------------------------------------------- https://nakedsecurity.sophos.com/2020/06/05/botnet-blasts-wordpress-sites-w… ∗∗∗ Not so FastCGI!, (Fri, Jun 5th) ∗∗∗ --------------------------------------------- This past month, we've seen some new and different scans targeting tcp ports between 8000 and 10,000. The first occurrence was on 30 April 2020 and originated from ip address 23.95.67.187 and containing payload: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26208 ∗∗∗ IBM Releases Open Source Toolkits for Processing Data While Encrypted ∗∗∗ --------------------------------------------- IBM this week announced the availability of open source toolkits that allow for data to be processed while it’s still encrypted. --------------------------------------------- https://www.securityweek.com/ibm-releases-open-source-toolkits-processing-d… ∗∗∗ Achtung: Gewinn24.de fordert hohe Geldsummen am Telefon ∗∗∗ --------------------------------------------- „Guten Tag, Inkassobüro XY spricht. Sie haben einen Abo-Vertrag mit Gewinn24 abgeschlossen und sind mit Ihrer Zahlung im Rückstand“. So oder so ähnlich beginnen BetrügerInnen, die im Auftrag von Gewinn24.de anrufen, das Telefongespräch. Ein vermeintliches Inkassobüro erklärt am Telefon, dass die Kosten für ein Abo mit Gewinn24.de nicht bezahlt wurden. Die Opfer wissen jedoch selten von so einem Abo. Das ist auch nicht verwunderlich: [...] --------------------------------------------- https://www.watchlist-internet.at/news/achtung-gewinn24de-fordert-hohe-geld… ∗∗∗ New Sandbox Evasions spot in VBS samples ∗∗∗ --------------------------------------------- While hidden Macro 4.0 samples are on the rise, we recently spotted some very interesting evasive VBS samples. In this short blog post, we will look at sample files#_56117.vbs, MD5: 147091e61ec59f67ab598d26f15ad0e7 and outline some of the evasive tricks. --------------------------------------------- http://blog.joesecurity.org/2020/06/new-evasive-vbs-samples-spot.html ∗∗∗ Ransomware nimmt Windows- und Linux-Systeme mit neuartigem Angriff ins Visier ∗∗∗ --------------------------------------------- Die Hintermänner programmieren die Erpressersoftware in Java. Die Verteilung erfolgt über eine Java-Image-Datei. Sicherheitsforschern zufolge hilft das Vorgehen bei der Verschleierung der Aktivitäten der Malware. --------------------------------------------- https://www.zdnet.de/88380548/ransomware-nimmt-windows-und-linux-systeme-mi… ===================== = Vulnerabilities = ===================== ∗∗∗ Security: Sicherheitslücken betreffen praktisch alle Qnap-NAS-Systeme ∗∗∗ --------------------------------------------- Gleich drei Security-Probleme sind von Qnap gemeldet worden. Das Unternehmen rät zu einem sofortigen Update des Betriebssystems. --------------------------------------------- https://www.golem.de/news/security-sicherheitsluecken-betreffen-praktisch-a… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, firefox, and freerdp), Debian (netqmail and python-django), Fedora (cacti, cacti-spine, dbus, firefox, gjs, mbedtls, mozjs68, and perl), Oracle (freerdp and kernel), Scientific Linux (bind and firefox), Slackware (mozilla), SUSE (krb5-appl, libcroco, libexif, libreoffice, libxml2, qemu, transfig, and vim), and Ubuntu (firefox, freerdp, and python-django). --------------------------------------------- https://lwn.net/Articles/822342/ ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4449) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Session is not invalidated After Logout ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-session-is-not-invalidate… ∗∗∗ Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND (CVE-2020-4448) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-remote-code-execution-vul… ∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by multiple vulnerabilities in libssh2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management… ∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server that is installed with IBM SPSS Analytic Server (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by a vulnerability in libssh2 (CVE-2016-0787) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.06.2020
by Daily end-of-shift report 04 Jun '20

04 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-06-2020 18:00 − Donnerstag 04-06-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sophisticated Info-Stealer Targets Air-Gapped Devices via USB ∗∗∗ --------------------------------------------- The newly discovered USBCulprit malware is part of the arsenal of an APT known as Cycldek, which targets government entities. --------------------------------------------- https://threatpost.com/info-stealer-air-gapped-devices-usb/156262/ ∗∗∗ AddTrust: Auswirkungen auf E-Mail-Dienste durch abgelaufenes Zertifkat ∗∗∗ --------------------------------------------- Obwohl das abgelaufene AddTrust-Zwischenzertifikat in erster Linie alte Clients betrifft, kann es durchaus Auswirkungen auf den regulären E-Mail-Betrieb haben. --------------------------------------------- https://heise.de/-4774588 ∗∗∗ Bekannte stecken coronabedingt im Ausland und brauchen Geld? ∗∗∗ --------------------------------------------- Kriminelle nützen gehackte E-Mail-Accounts, übernommene Facebook-Konten und Ähnliches, um ihren Opfern Geld aus der Tasche zu ziehen. So kann es passieren, dass Sie scheinbar von einer guten Freundin oder einem guten Freund eine Nachricht bekommen. Diese säßen im Ausland fest und könnten wegen Covid-19 nicht zurück nach Hause kommen. Um ihnen zu helfen, sollen Sie ihnen Geld per Bargeldtransferdienst schicken. Vorsicht: es handelt sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/news/bekannte-stecken-coronabedingt-im-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates für IOS, NX-OS und Co. – Cisco flickt seine Netzwerkbetriebssysteme ∗∗∗ --------------------------------------------- Ein ganzes Bündel frisch veröffentlichter Updates behebt zahlreiche Sicherheitsprobleme, von denen viele als "High" bis "Critical" eingestuft wurden. --------------------------------------------- https://heise.de/-4774667 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox and prboom-plus), Oracle (bind), Red Hat (firefox), and SUSE (osc). --------------------------------------------- https://lwn.net/Articles/822220/ ∗∗∗ MISP 2.4.126 released (Spring release edition) ∗∗∗ --------------------------------------------- [...] This version includes a security fix and various quality of life improvements.Security fix - fixed XSSFixed a persistent XSS (CVE-2020-13153) that could be triggered by correlating an attribute via the freetext import tool with an attribute that contains a javascript payload in the comment field. --------------------------------------------- https://www.misp-project.org/2020/06/04/MISP.2.4.126.released.html ∗∗∗ HPESBHF04005 rev.1 - HPE Edgeline EL300 Converged Edge System Running HPE Integrated System Manager (iSM), Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ GnuTLS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0532 ∗∗∗ Services - Moderately critical - Access bypass - SA-CONTRIB-2020-022 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-022 ∗∗∗ Security Bulletin: IBM QRadar is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2020-4509) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-is-vulnerable-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services v2.1.1 (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Python affects IBM Cloud App Management (CVE-2020-8492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Apache CXF affects IBM Cloud App Management (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of a Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Three vulnerabilities in Nimbus JOSE+JWT affect IBM Spectrum Conductor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-three-vulnerabilities-in-… ∗∗∗ Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php ∗∗∗ Cayin Content Management Server 11.0 Root Remote Command Injection ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php ∗∗∗ Cayin Signage Media Player 3.0 Root Remote Command Injection ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2020
by Daily end-of-shift report 03 Jun '20

03 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-06-2020 18:00 − Mittwoch 03-06-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mukashi malware: What it is, how it works and how to prevent it | Malware spotlight ∗∗∗ --------------------------------------------- Learning from the past can be an important part of future success in any endeavor, including cyberattacks. Attack groups observe this concept and apply it when they create new attack campaigns before they are released into the wild. Mukashi is an example of a malware that uses what has worked well for attackers in [...] --------------------------------------------- https://resources.infosecinstitute.com/mukashi-malware-what-it-is-how-it-wo… ∗∗∗ System Takeover Through New SAP ASE Vulnerabilities ∗∗∗ --------------------------------------------- Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments. This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/system-take… ∗∗∗ Jetzt patchen! Weltweit immer noch mehr als 1 Millionen Exim-Server attackierbar ∗∗∗ --------------------------------------------- Die National Security Agency (NSA) warnt vor Attacken auf Exim-Mailserver. Sicherheitsupdates sind schon länger verfügbar. --------------------------------------------- https://heise.de/-4772712 ∗∗∗ Large Scale Attack Campaign Targets Database Credentials ∗∗∗ --------------------------------------------- Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files. The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of [...] --------------------------------------------- https://www.wordfence.com/blog/2020/06/large-scale-attack-campaign-targets-… ∗∗∗ Zahlreiche China-Shops werben auf Facebook mit günstiger Damenmode ∗∗∗ --------------------------------------------- Das Unternehmen „Chicv International Holding Limited“ ist schon länger bekannt, da es für zahlreiche Online-Shops verantwortlich ist. Laut Erfahrungsberichten von KonsumentInnen treffen die bestellten Produkte von diesen Shops – wenn überhaupt – sehr spät ein. Sind die Waren schließlich angekommen, zeigt sich schnell, dass diese nichts mit den Bildern und Beschreibungen im Online-Shop zu tun haben. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-china-shops-werben-auf-fa… ∗∗∗ Sophos Web Appliance: Certificate validation failed for sites signed by Sectigo root CA ∗∗∗ --------------------------------------------- Websites that are signed by Sectigo root CA may fail to connect and a certificate validation failed due to certificate AddTrust External CA Root expired on May 30th 2020. --------------------------------------------- https://community.sophos.com/kb/en-US/135544 ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Firefox und Tor Browser könnten private Schlüssel leaken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in den Webbrowsern Firefox, Firefox ESR und Tor Browser gefährden Computer. --------------------------------------------- https://heise.de/-4772615 ∗∗∗ Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered two vulnerabilities in the popular Zoom video chatting application that could allow a malicious user to execute arbitrary code on victims’ machines. --------------------------------------------- https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-executi… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (java-11-openjdk, perl-Email-MIME, perl-Email-MIME-ContentType, and slurm), openSUSE (imapfilter, mailman, and python-rpyc), Red Hat (bind and firefox), SUSE (evolution-data-server, python, qemu, and w3m), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/822136/ ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200603-… ∗∗∗ Security Advisory - Improper Handling of Exceptional Condition Vulnerability in Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200603-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Use of Hard-Coded Credentials vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Access Control vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Hard-coded passwords vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2020-4303, CVE-2020-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: The vanruability (net.sf.ehcache blocking in FasterXML jackson-databind has an unknown impact) found Network Performance Insight (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-vanruability-net-sf-e… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ June 2, 2020 TNS-2020-04 [R1] Nessus Network Monitor 5.11.1 Fixes One Third-party Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2020-04 ∗∗∗ docker: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0524 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2020
by Daily end-of-shift report 02 Jun '20

02 Jun '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-05-2020 18:00 − Dienstag 02-06-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Critical Exim bugs being patched but many servers still at risk ∗∗∗ --------------------------------------------- Patching Exim mail servers is not going fast enough and members of the Russian hacker group Sandworm are actively exploiting three critical vulnerabilities that allow executing remote command or code remotely. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-exim-bugs-being-pat… ∗∗∗ How to scan email headers for phishing and malicious content ∗∗∗ --------------------------------------------- Phishing emails are one of the most common attack vectors used by cybercriminals. They can be used to deliver a malicious payload or steal user credentials from their target. Spearphishing emails are designed to be more specifically targeted and more believable to their intended victims. By crafting a pretext that is extremely personal to [...] --------------------------------------------- https://resources.infosecinstitute.com/how-to-scan-email-headers-for-phishi… ∗∗∗ In-depth analysis of the new Team9 malware family ∗∗∗ --------------------------------------------- Publicly discovered in late April 2020, the Team9 malware family (also known as ‘Bazar [1]’) appears to be a new malware being developed by the group behind Trickbot. Even though the development of the malware appears to be recent, [...] --------------------------------------------- https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malwa… ∗∗∗ Apple schließt kritische Lücke in Anmeldedienst "Sign in with Apple" ∗∗∗ --------------------------------------------- In Apples bequemem Anmeldedienst klaffte eine kritische Sicherheitslücke, mit der sich beliebige Nutzerkonten übernehmen ließen. Sie ist inzwischen geschlossen. --------------------------------------------- https://heise.de/-4770560 ∗∗∗ How I tricked Symantec with a Fake Private Key ∗∗∗ --------------------------------------------- Lately, some attention was drawn to a widespread problem with TLS certificates. Many people are accidentally publishing their private keys. Sometimes they are released as part of applications, in Github repositories or with common filenames on web servers. If a private key is compromised, a certificate authority is obliged to revoke it. The Baseline Requirements – a set of rules that browsers and certificate authorities agreed upon – regulate this and say that in such a case a [...] --------------------------------------------- https://blog.hboeck.de:443/archives/888-How-I-tricked-Symantec-with-a-Fake-… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Cisco UCS-Based Products UEFI Secure Boot Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the firmware of the Cisco UCS C-Series Rack Servers could allow an authenticated, physical attacker to bypass Unified Extensible Firmware Interface (UEFI) Secure Boot validation checks and load a compromised software image on an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to bypass certain security boundaries or cause a denial of service (DoS) condition on an affected device.The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ant, bind, freerdp, and unbound), CentOS (bind, freerdp, and git), Debian (python-httplib2), Fedora (ant, kernel, sqlite, and sympa), openSUSE (java-11-openjdk and qemu), Oracle (bind), Red Hat (freerdp), Scientific Linux (python-pip and python-virtualenv), Slackware (firefox), SUSE (qemu), and Ubuntu (Apache Ant, ca-certificates, flask, and freerdp2). --------------------------------------------- https://lwn.net/Articles/822036/ ∗∗∗ VMware Cloud Director Vulnerability Has Major Impact for Cloud Providers ∗∗∗ --------------------------------------------- A recently patched vulnerability affecting VMware Cloud Director has a major impact for cloud services providers as it can allow an attacker to take full control of all private clouds hosted on the same infrastructure, cybersecurity firm Citadelo revealed on Monday. --------------------------------------------- https://www.securityweek.com/vmware-cloud-director-vulnerability-has-major-… ∗∗∗ Androids June 2020 Patches Fix Critical RCE Vulnerabilities ∗∗∗ --------------------------------------------- Google has started rolling out the June 2020 security patches for the Android operating system, which address a total of 43 vulnerabilities, including several rated critical. --------------------------------------------- https://www.securityweek.com/androids-june-2020-patches-fix-critical-rce-vu… ∗∗∗ [20200604] - Core - XSS in jQuery.htmlPrefilter ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/816-20200604-core-xss-in-j… ∗∗∗ [20200603] - Core - XSS in com_modules tag options ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/815-20200603-core-xss-in-c… ∗∗∗ [20200605] - Core - CSRF in com_postinstall ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/817-20200605-core-csrf-in-… ∗∗∗ [20200602] - Core - Inconsistent default textfilter settings ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/814-20200602-core-inconsis… ∗∗∗ [20200601] - Core - XSS in modules heading tag option ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/813-20200601-core-xss-in-m… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: CVE-2019-4667 Lack of Built in HSTS option ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4667-lack-of-bui… ∗∗∗ Security Bulletin: Vulnerabilities in Open Source Python affects IBM Tivoli Application Dependency Discovery Manager (CVE-2019-18348) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-open-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – Includes Oracle Jan 2020 CPU minus CVE-2020-2585, CVE-2020-2654, and CVE-2020-2590 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-… ∗∗∗ Security Bulletin: WebSphere liberty is vulnerable to a DOS (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-liberty-is-vuln… ∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server Liberty (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ NTP vulnerability CVE-2020-11868 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44305703?utm_source=f5support&utm_mediu… ∗∗∗ PEPPERL+FUCHS, PACTware: Two password vulnerabilities found ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-017 ∗∗∗ PHOENIX CONTACT FL MGUARD, TC MGUARD, TC ROUTER and TC CLOUD CLIENT: PPPD vulnerable to CVE-2020-8597 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-018 ∗∗∗ Red Hat OpenShift Application Runtimes: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0516 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.05.2020
by Daily end-of-shift report 29 May '20

29 May '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-05-2020 18:00 − Freitag 29-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 200K sites with buggy WordPress plugin exposed to wipe attacks ∗∗∗ --------------------------------------------- Two high severity security vulnerabilities found in the PageLayer plugin can let attackers to potentially wipe the contents or take over WordPress sites using vulnerable plugin versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/200k-sites-with-buggy-wordpr… ∗∗∗ Sicherheit: OpenSSH kündigt RSA mit SHA-1 ab ∗∗∗ --------------------------------------------- Obwohl SHA-1 angreifbar ist, kommt es immer noch häufig zum Einsatz. Auch bei SSH. Das soll sich ändern. --------------------------------------------- https://www.golem.de/news/sicherheit-openssh-kuendigt-rsa-mit-sha-1-an-2005… ∗∗∗ Inside the Hoaxcalls Botnet: Both Success and Failure ∗∗∗ --------------------------------------------- The DDoS group sets itself apart by using exploits -- but it doesnt always pan out. --------------------------------------------- https://threatpost.com/inside-hoaxcalls-botnet-success-failure/156107/ ∗∗∗ Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module ∗∗∗ --------------------------------------------- TrickBot, one of the most commonly distributed malwares used in phishing emails, just updated its mworm module, making it harder to detect. --------------------------------------------- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-upda… ∗∗∗ Kaspersky warnt vor Angriffen auf deutsche Industrieunternehmen ∗∗∗ --------------------------------------------- Sie richten sich gegen die Lieferkette. Neben Deutschland sind auch Großbritannien und Japan betroffen. Die unbekannten Täter greifen Firmen mit maßgeschneiderten Phishing-Mails an und schleusen eine Malware ein, die Authentifizierungsdaten für Windows-Konten stiehlt. --------------------------------------------- https://www.zdnet.de/88380387/kaspersky-warnt-vor-angriffen-auf-deutsche-in… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2020-0011 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, Fusion, VMware Remote Console and Horizon Client updates address multiple security vulnerabilities (CVE-2020-3957, CVE-2020-3958, CVE-2020-3959) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0011.html ∗∗∗ VMSA-2020-0007.1 ∗∗∗ --------------------------------------------- VMware vRealize Log Insight addresses Cross Site Scripting (XSS) and Open Redirect vulnerabilities (CVE-2020-3953, CVE-2020-3954) [...] 5. Change log 2020-04-14 VMSA-2020-0007 Initial security advisory. 2020-05-28: VMSA-2020-0007.1 It was determined that the fixes for CVE-2020-3953 included in 8.1.0 were not complete. This has been corrected in the 8.1.1 release. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0007.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libexif and tomcat8), Fedora (python38), openSUSE (libxslt), Oracle (git), Red Hat (bind, freerdp, and git), Scientific Linux (git), SUSE (qemu and tomcat), and Ubuntu (apt, json-c, kernel, linux, linux-raspi2, linux-raspi2-5.3, and openssl). --------------------------------------------- https://lwn.net/Articles/821794/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Reverse tabnabbing vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4490 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-reverse-tabnabbing-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by vulnerability CVE-2020-4352 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM Planning Analytics has addressed multiple Security Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha… ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0514 ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0513 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2020
by Daily end-of-shift report 28 May '20

28 May '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-05-2020 18:00 − Donnerstag 28-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Octopus Scanner malware spreads via GitHub supply chain attack ∗∗∗ --------------------------------------------- Security researchers have found a new malware that finds and backdoors open-source NetBeans projects hosted on the GitHub web-based code hosting platform to spread to Windows, Linux, and macOS systems and deploy a Remote Administration Tool (RAT). --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-octopus-scanner-malware-… ∗∗∗ The zero-day exploits of Operation WizardOpium ∗∗∗ --------------------------------------------- Back in October 2019 we detected a classic watering-hole attack that exploited a chain of Google Chrome and Microsoft Windows zero-days. In this blog post we’d like to take a deep technical dive into the attack. --------------------------------------------- https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/ ∗∗∗ Inside a ransomware gang’s attack toolbox ∗∗∗ --------------------------------------------- Ransomwares changed a lot over the years - heres a peek into a criminal gangs current toolbox [...] --------------------------------------------- https://nakedsecurity.sophos.com/2020/05/28/inside-a-ransomware-gangs-attac… ∗∗∗ NetWalker Ransomware – What You Need to Know ∗∗∗ --------------------------------------------- What is NetWalker? NetWalker (also known as Mailto) is the name given to a sophisticated family of Windows ransomware that has targeted corporate computer networks, encrypting the files it finds, and demanding that a cryptocurrency payment is made for the safe recovery of the encrypted data. Ransomware is nothing new. Why should I particularly care [...] --------------------------------------------- https://www.tripwire.com/state-of-security/featured/netwalker-ransomware-wh… ∗∗∗ Massenhaft betrügerische DHL-Nachrichten von SMSinfo ∗∗∗ --------------------------------------------- Unzählige Watchlist Internet Leserinnen und Leser melden uns momentan eine gefälschte SMS-Nachricht von DHL. Die Kriminellen geben sich als Versanddienstleister aus und behaupten in der Nachricht von SMSinfo, dass ein Teil der Portokosten fehlen würde. Die Nachricht muss ignoriert werden, denn die Zahlung des verlangten Betrags führt in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/massenhaft-betruegerische-dhl-nachri… ∗∗∗ Microsoft warns about attacks with the PonyFinal ransomware ∗∗∗ --------------------------------------------- PonyFinal infections have been reported in India, Iran, and the US. --------------------------------------------- https://www.zdnet.com/article/microsoft-warns-about-attacks-with-the-ponyfi… ∗∗∗ Cybereason: Valak-Malware greift Unternehmen und den USA und Deutschland an ∗∗∗ --------------------------------------------- In nur sechs Monaten wird aus einem Malware-Loader eine Schadsoftware mit modularer Architektur. Die Verbreitung von Valak erfolgt derzeit über speziell gestaltete Word-Dateien. Das eigentliche Ziel sind Exchange-Server, um E-Mails und Zertifikate zu stehlen. --------------------------------------------- https://www.zdnet.de/88380246/cybereason-valak-malware-greift-unternehmen-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple sends out 11 security alerts – get your fixes now! ∗∗∗ --------------------------------------------- Apples current round of updates have been officially anounced in the companys latest Security Advisory emails. --------------------------------------------- https://nakedsecurity.sophos.com/2020/05/27/apple-sends-out-11-security-ale… ∗∗∗ Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021 ∗∗∗ --------------------------------------------- This module enables you to force a password update when using password reset link. The module doesnt sufficiently validate the login URL allowing a malicious user to use a specially crafted URL to log in as another user. --------------------------------------------- https://www.drupal.org/sa-contrib-2020-021 ∗∗∗ Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2020-020 ∗∗∗ --------------------------------------------- Drupal Commerce is used to build eCommerce websites and applications. Its possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never assigned an [...] --------------------------------------------- https://www.drupal.org/sa-contrib-2020-020 ∗∗∗ SaltStack FrameWork Vulnerabilities Affecting Cisco Products ∗∗∗ --------------------------------------------- On April 29, 2020, the Salt Open Core team notified their community regarding the following two CVE-IDs: CVE-2020-11651: Authentication Bypass Vulnerability CVE-2020-11652: Directory Traversal Vulnerability Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is running the salt-master service that is affected by these vulnerabilities. Cisco has released software updates that address these [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dovecot, dpdk, knot-resolver, and unbound), Mageia (ant, libexif, and php), SUSE (libmspack), and Ubuntu (php5, php7.0, php7.2, php7.3, php7.4 and unbound). --------------------------------------------- https://lwn.net/Articles/821659/ ∗∗∗ SWARCO: Critical Vulnerability in CPU LS4000 ∗∗∗ --------------------------------------------- A critical Vulnerability was found in SWARCO TRAFFIC SYSTEMS CPU LS4000 --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-016 ∗∗∗ ADVISORY: Phish Threat Outlook plugin reporting non-campaign emails are failing to send ∗∗∗ --------------------------------------------- Reporting non-campaign emails (ie spam or actual phishing emails) through the Phish Threat Report Message add-on are not being delivered to the configured administrators. --------------------------------------------- https://community.sophos.com/kb/en-US/135524 ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4233) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4248) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2018-1058, CVE-2018-10936, CVE-2019-9193) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Vulnerability in the Apache CXF library used in WebSphere Application Server Liberty Core affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-apac… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4231) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities (CVE-2019-11729, CVE-2019-11745) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2020-4419) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4245) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Trend Micro InterScan Web Security Virtual Appliance: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0510 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2020
by Daily end-of-shift report 27 May '20

27 May '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-05-2020 18:00 − Mittwoch 27-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Netgear-Router: Update-Prozess unsicher, Hersteller schweigt ∗∗∗ --------------------------------------------- Der Firmware-Updater einiger Netgear-Router wie dem Nighthawk R7000 ist offenbar unsicher. Dies hat das IoT-Lab der University of Applied Sciences Upper Austria (FH Oberösterreich) herausgefunden. Ob und wie der Hersteller auf das Problem reagiert ist indes völlig unklar – der Hersteller hüllt sich seit Wochen in Schweigen. --------------------------------------------- https://heise.de/-4766025 ∗∗∗ Micropatch Available for User-Mode Power Service Memory Corruption (CVE-2020-1015) ∗∗∗ --------------------------------------------- Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1015, a memory corruption vulnerability in User-Mode Power Service that could allow a local attacker to execute arbitrary code as Local System.This vulnerability was patched by Microsoft with April 2020 Updates, but Windows 7 and Server 2008 R2 users without Extended Security Updates remained vulnerable. --------------------------------------------- https://blog.0patch.com/2020/05/micropatch-available-for-user-mode.html ∗∗∗ Vorsicht bei Privatverkauf: Betrug mit Speditionen boomt! ∗∗∗ --------------------------------------------- Der Weg über angebliche Speditionen ist eine beliebte Betrugsmasche beim Privatverkauf. Vor allem teure Waren, die auf Kleinanzeigenportale inseriert werden, locken BetrügerInnen an. Die vermeintlichen KäuferInnen erklären, dass sie im Ausland sind und daher der Kauf über eine Spedition abgewickelt werden soll. Hier gilt es vorsichtig zu sein, denn die Opfer werden aufgefordert das Geld für die Spedition zu überweisen. Das Unternehmen existiert jedoch gar --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-privatverkauf-betrug-mi… ∗∗∗ New fuzzing tool finds 26 USB bugs in Linux, Windows, macOS, and FreeBSD ∗∗∗ --------------------------------------------- Eighteen of the 26 bugs impact Linux. Eleven have been patched already. --------------------------------------------- https://www.zdnet.com/article/new-fuzzing-tool-finds-26-usb-bugs-in-linux-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7 and unbound), Fedora (libEMF and transmission), Mageia (dojo, log4net, nginx, nodejs-set-value, sleuthkit, and transmission), Red Hat (rh-maven35-jackson-databind), SUSE (dpdk and mariadb-connector-c), and Ubuntu (thunderbird). --------------------------------------------- https://lwn.net/Articles/821530/ ∗∗∗ BOSCH-SA-363824-BT ∗∗∗ --------------------------------------------- Multiple Vulnerabilities in Bosch Recording Station (BRS) --------------------------------------------- https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-sa-36… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Advisory - Kr00k Vulnerability in Broadcom Wi-Fi chips ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Advisory - Stack Buffer Overflow Vulnerability in Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Advisory - Information Disclosure Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200527-… ∗∗∗ Security Bulletin: IBM Spectrum Scale GUI is affected by cross-site scripting (CVE-2020-4358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-gui-is… ∗∗∗ Security Bulletin: IBM Spectrum Scale GUI is affected by weak cryptographic algorithm (CVE-2020-4350) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-gui-is… ∗∗∗ Security Bulletin: User Credentials submitted using GET method ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-user-credentials-submitte… ∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud Tiering(CVE-2020-7238) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… ∗∗∗ Security Bulletin: IBM Spectrum Scale GUI is affected by weak crypto algorithm (CVE-2020-4349) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-gui-is… ∗∗∗ Security Bulletin: IBM Spectrum Scale GUI is affected by weak crypto algorithm (CVE-2020-4379) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-gui-is… ∗∗∗ Security Bulletin: Multiple vulnerabilities in netty affect IBM Spectrum Scale Transparent Cloud Tiering (CVE-2019-20445, CVE-2019-20444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Spectrum Scale GUI is affected by verbose error message (CVE-2020-4357) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-gui-is… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects IBM Virtualization Engine TS7700 – January 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: A vulnerability in netty affects IBM Spectrum Scale Transparent Cloud Tiering(CVE-2020-7238) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.05.2020
by Daily end-of-shift report 26 May '20

26 May '20

===================== = End-of-Day report = ===================== Timeframe: Montag 25-05-2020 18:00 − Dienstag 26-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Dumping COVID-19.jar with Java Instrumentation ∗∗∗ --------------------------------------------- There is a generic and easy way to unpack Java malware that is not well-known yet. For demonstration I use a recent JAR malware sample that jumps on the COVID-19 bandwagon. --------------------------------------------- https://www.gdatasoftware.com/blog/2020/05/36083-dumping-covid-19jar-with-j… ∗∗∗ These Aren’t the Phish You’re Looking For ∗∗∗ --------------------------------------------- An Effective Technique for Avoiding Blacklists --------------------------------------------- https://medium.com/@curtbraz/these-arent-the-phish-you-re-looking-for-7374c… ∗∗∗ Fünf Zero-Day-Lücken veröffentlicht – Microsoft will erst später patchen ∗∗∗ --------------------------------------------- Das Team der Zero Day Initiative hat Informationen zu fünf Sicherheitslücken veröffentlicht, nachdem Microsoft die gesetzte Frist nicht einhielt. --------------------------------------------- https://heise.de/-4765191 ∗∗∗ Projekt SiSyPHuS Win10: Ergebnisse der Analyse zu PowerShell ∗∗∗ --------------------------------------------- Im Rahmen der Sicherheitsanalyse von Windows 10 (Projekt SiSyPHuS Win10) hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) die Ergebnisse der Analyse zu PowerShell veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/SiSyPHuS_Powershe… ∗∗∗ ludwig-therese.net ist Fake ∗∗∗ --------------------------------------------- Auf der Suche nach einem Dirndl oder einer Lederhose? Viele KonsumentInnen gelangen momentan über betrügerische Werbeschaltungen auf Facebook und Instagram zum Fake-Shop ludwig-therese.net. ludwig-therese.net ist eine Kopie des seriösen Shops ludwig-therese.de. Wer bei ludwig-therese.net bestellt, erhält trotz Bezahlung keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/ludwig-theresenet-ist-fake/ ∗∗∗ RangeAmp attacks can take down websites and CDN servers ∗∗∗ --------------------------------------------- Twelve of thirteen CDN providers said they fixed or planned to fix the problem. --------------------------------------------- https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-c… ∗∗∗ Do Androids dream of equal security? ∗∗∗ --------------------------------------------- Several pieces of research published by F-Secure Labs demonstrate that region-specific default configurations and settings in some flagship Android devices are creating security problems that affect people in some countries but not others. --------------------------------------------- https://blog.f-secure.com/android-security/ ===================== = Vulnerabilities = ===================== ∗∗∗ New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps ∗∗∗ --------------------------------------------- Remember Strandhogg? A security vulnerability affecting Android that malicious apps can exploit to masquerade as any other app installed on a targeted device to display fake interfaces to the users, tricking them into giving away sensitive information. Late last year, at the time of its public disclosure, researchers also confirmed that some attackers were already exploiting the flaw in the [...] --------------------------------------------- https://thehackernews.com/2020/05/stranhogg-android-vulnerability.html ∗∗∗ Apple Mail: iOS-Updates beseitigen offenbar schwere Lücke ∗∗∗ --------------------------------------------- Mit iOS 13.5 und 12.4.7 hat Apple Sicherheitsforschern zufolge Schwachstellen behoben, die eine Manipulation der E-Mail-Inbox ermöglichten. --------------------------------------------- https://heise.de/-4764378 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sqlite3), Fedora (libarchive and netdata), openSUSE (dom4j, dovecot23, gcc9, and memcached), Red Hat (devtoolset-9-gcc, httpd24-httpd and httpd24-mod_md, ipmitool, kernel, kpatch-patch, openvswitch, openvswitch2.11, openvswitch2.13, rh-haproxy18-haproxy, and ruby), and SUSE (freetds, jasper, libxslt, and sysstat). --------------------------------------------- https://lwn.net/Articles/821441/ ∗∗∗ FortiClient for Windows Insecure Temporary File vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-040 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.05.2020
by Daily end-of-shift report 25 May '20

25 May '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-05-2020 18:00 − Montag 25-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Discord client turned into a password stealer by updated malware ∗∗∗ --------------------------------------------- A threat actor converted the AnarchyGrabber trojan into a new malware that steals passwords and user tokens, disables 2FA, and spreads malware to a victims friends. --------------------------------------------- https://www.bleepingcomputer.com/news/security/discord-client-turned-into-a… ∗∗∗ Portscan: Ebay.de scannt den Rechner auf offene Ports ∗∗∗ --------------------------------------------- Mit einem Javascript werden 14 Ports auf dem lokalen PC abgeklopft. --------------------------------------------- https://www.golem.de/news/portscan-ebay-de-scannt-den-rechner-auf-offene-po… ∗∗∗ 70 Percent of Mobile, Desktop Apps Contain Open-Source Bugs ∗∗∗ --------------------------------------------- A lack of awareness about where and how open-source libraries are being used is problematic, researchers say. --------------------------------------------- https://threatpost.com/70-of-apps-open-source-bugs/156040/ ∗∗∗ New activity of DoubleGuns‘ gang, control hundreds of thousands of bots via public cloud service ∗∗∗ --------------------------------------------- Recently, our DNS data based threat monitoning system DNSmon flagged a suspicious domain pro.csocools.com. The system estimates the scale of infection may well above hundreds of thousands of users. By analyzing the related samples and C2s,We traced its family back to the ShuangQiang(double gun) campaign, [...] --------------------------------------------- https://blog.netlab.360.com/shuangqiang/ ∗∗∗ AgentTesla Delivered via a Malicious PowerPoint Add-In, (Sat, May 23rd) ∗∗∗ --------------------------------------------- Attackers are always trying to find new ways to deliver malicious code to their victims. Microsoft Word and Excel are documents that can be easily weaponized by adding malicious VBA macros. Today, they are one of the most common techniques to compromise a computer. Especially because Microsoft implemented automatically executed macros when the document is opened. In Word, the macro must be named AutoOpen(). In Excel, the name must be Workbook_Open(). However, PowerPoint does not support this [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26162 ∗∗∗ Securing SSH: What To Do and What Not To Do ∗∗∗ --------------------------------------------- The SSH service is critical, ensuring its security is key. This blog will describe how best to secure the SSH service from threat actors. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/securing-ss… ∗∗∗ Thousands of enterprise systems infected by new Blue Mockingbird malware gang ∗∗∗ --------------------------------------------- Hackers are exploiting a dangerous and hard to patch vulnerability to go after enterprise servers. --------------------------------------------- https://www.zdnet.com/article/thousands-of-enterprise-systems-infected-by-n… ∗∗∗ Insidious Android malware gives up all malicious features but one to gain stealth ∗∗∗ --------------------------------------------- ESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security --------------------------------------------- https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Apples iPhone und iPad: Aktueller Jailbreak für iOS 13.5 nutzt Zero-Day-Lücke aus ∗∗∗ --------------------------------------------- Kurz nach der Veröffentlichung von iOS 13.5 ist ein Jailbreak erschienen. Damit wird das Sicherheitssystem in iOS und iPadOS ausgehebelt. --------------------------------------------- https://www.golem.de/news/apples-iphone-und-ipad-aktueller-jailbreak-fuer-i… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, dovecot, openconnect, and powerdns-recursor), Debian (cracklib2, feh, netqmail, ruby-rack, tomcat7, and transmission), Fedora (dovecot, kernel, log4net, openconnect, python-markdown2, and unbound), Mageia (ansible, clamav, dovecot, file-roller, glpi, kernel, kernel-linus, libntlm, microcode, nmap, pdns-recursor, unbound, viewvc, and wireshark), openSUSE (ant, autoyast2, dpdk, file, freetype2, gstreamer-plugins-base, imapfilter, libbsd, [...] --------------------------------------------- https://lwn.net/Articles/821347/ ∗∗∗ 2020-05-25: Cybersecurity Advisory - WindRiver VxWorks IPNet Vulnerabilities, impact on FOX615 Multiservice-Multiplexer ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=1KHW003578&Language… ∗∗∗ 2020-05-25: Cybersecurity Advisory - WindRiver VxWorks IPNet Vulnerabilities, impact on Relion 670, Relion 650, SAM600-IO Series ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=1MRG035816&Language… ∗∗∗ 2020-05-25: Cybersecurity Advisory - WindRiver VxWorks IPNet Vulnerabilities, impact on AFS66x ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=1MRG000001&Language… ∗∗∗ 2020-05-25: Cybersecurity Advisory - WindRiver VxWorks IPNet Vulnerabilities, impact on NSD570 Teleprotection Equipment ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=1KHW003577&Language… ∗∗∗ 2020-05-25: Cybersecurity Advisory - WindRiver VxWorks IPNet Vulnerabilities, impact on ETL600 Power Line Carrier System ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=1KHW003576&Language… ∗∗∗ 2020-05-25: Cybersecurity Advisory - WindRiver VxWorks IPNet Vulnerabilities, impact on REB500 ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=1KHL501885&Language… ∗∗∗ 2020-05-25: Cybersecurity Advisory - WindRiver VxWorks IPNet Vulnerabilities, impact on RTU500 series ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=1KGT090327&Language… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Netty vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-ze ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vyatta-5600-vrouter-softw… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Netty vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Grafana: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0495 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2020
by Daily end-of-shift report 22 May '20

22 May '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-05-2020 18:00 − Freitag 22-05-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Drahtlos-Standard: Bluetooth-Sicherheitslücke betrifft praktisch alle Geräte ∗∗∗ --------------------------------------------- Bluetooth erfordert beim Verbindungsaufbau keine beidseitige Authentifizierung. Der Angriff Bias funktioniert als Master und als Slave. --------------------------------------------- https://www.golem.de/news/drahtlos-standard-bluetooth-sicherheitsluecke-bet… ∗∗∗ Sarwent Malware Continues to Evolve With Updated Command Functions ∗∗∗ --------------------------------------------- Sarwent has received little attention from researchers, but this backdoor malware is still being actively developed, with new commands and a focus on RDP. --------------------------------------------- https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/ ∗∗∗ Shining a light on “Silent Night” Zloader/Zbot ∗∗∗ --------------------------------------------- The latest Malwarebytes Threat Intel report focuses on Silent Night, a new banking Trojan recently tracked as Zloader/Zbot. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/05/the-silent-night-zloa… ∗∗∗ Vulnerability Spotlight: Memory corruption vulnerability in GNU Glibc leaves smart vehicles open to attack ∗∗∗ --------------------------------------------- Modern automobiles are complex machines, merging both mechanical and computer systems under one roof. As automobiles become more advanced, additional sensors and devices are added to help the vehicle understand its internal and external environments. These sensors provide drivers with real-time information, connect the vehicle to the global fleet network and, in some cases, actively use and interpret this telemetry data to drive the [...] --------------------------------------------- https://blog.talosintelligence.com/2020/05/cve-2020-6096.html ∗∗∗ Bequemlichkeit vs. Sicherheit bei Smart‑Home Geräten ∗∗∗ --------------------------------------------- Trotz der wachsenden Akzeptanz von Smart-Home-Geräten, sollten wir unsere Privatsphäre und Sicherheit nicht der Bequemlichkeit opfern. --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/05/20/bequemlichkeit-vs-sicherh… ∗∗∗ Tools Used in GhostDNS Router Hijack Campaigns Dissected ∗∗∗ --------------------------------------------- The source code of the GhostDNS exploit kit (EK) has been obtained and analyzed by researchers. GhostDNS is used to compromise a wide range of routers to facilitate phishing -- perhaps more accurately, pharming -- for banking credentials. Target routers are mostly, but not solely, located in Latin America. --------------------------------------------- https://www.securityweek.com/tools-used-ghostdns-router-hijack-campaigns-di… ∗∗∗ Ragnar Locker Ransomware Uses Virtual Machines for Evasion ∗∗∗ --------------------------------------------- The Ragnar Locker ransomware has been deploying a full virtual machine to ensure that it can evade detection, Sophos reveals. --------------------------------------------- https://www.securityweek.com/ragnar-locker-ransomware-uses-virtual-machines… ∗∗∗ Free ImmuniWeb Tool Allows Organizations to Check Dark Web Exposure ∗∗∗ --------------------------------------------- Web security company ImmuniWeb this week announced a free tool that allows businesses and government organizations to check their dark web exposure. --------------------------------------------- https://www.securityweek.com/free-immuniweb-tool-allows-organizations-check… ∗∗∗ Wahre Liebe oder Betrug? So finden Sie es heraus! ∗∗∗ --------------------------------------------- Egal ob auf Sozialen Netzwerken wie Facebook oder Instagram, auf Online-Partnerbörsen oder einfach per Mail - immer wieder melden uns LeserInnen sogenannte Love- oder Romance-Scammer. Durch Liebesbeteuerungen und Geschichten aus Ihrem Alltag erschleichen sich die BetrügerInnen das Vertrauen der Opfer. Tatsächlich geht es aber auch bei dieser Betrugsmasche nur um eines: Geld. --------------------------------------------- https://www.watchlist-internet.at/news/wahre-liebe-oder-betrug-so-finden-si… ∗∗∗ Spectra: Neuartiger Angriff überwindet Trennung von WLAN und Bluetooth ∗∗∗ --------------------------------------------- Er richtet sich gegen Combo-Chips der Hersteller Broadcom und Cypress. Sie finden sich unter anderem in iPhones, MacBooks und Galaxy-S-Smartphones. Spectra nutzt Schwachstellen in einer Funktion, die einen schnellen Wechsel von einer Funktechnik zur anderen erlaubt. --------------------------------------------- https://www.zdnet.de/88380022/spectra-neuartiger-angriff-ueberwindet-trennu… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003 ∗∗∗ --------------------------------------------- Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function. --------------------------------------------- https://www.drupal.org/sa-core-2020-003 ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002 ∗∗∗ --------------------------------------------- The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are [...] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others. --------------------------------------------- https://www.drupal.org/sa-core-2020-002 ∗∗∗ Apple Security Update: Xcode 11.5 ∗∗∗ --------------------------------------------- Impact: A crafted git URL that contains a newline in it may cause credential information to be provided for the wrong host --------------------------------------------- https://support.apple.com/en-us/HT211183 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (keycloak, qemu, and thunderbird), Debian (dovecot), Fedora (abcm2ps and oddjob), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and kernel-rt), SUSE (ant, bind, and freetype2), and Ubuntu (bind9 and linux, linux-aws, linux-aws-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3,linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2 ). --------------------------------------------- https://lwn.net/Articles/821093/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, ipmitool, kernel, squid, and thunderbird), Debian (pdns-recursor), Fedora (php and ruby), Red Hat (dotnet and dotnet3.1), SUSE (dom4j, dovecot23, memcached, and tomcat), and Ubuntu (clamav, libvirt, and qemu). --------------------------------------------- https://lwn.net/Articles/821205/ ∗∗∗ Hackers Can Target Rockwell Industrial Software With Malicious EDS Files ∗∗∗ --------------------------------------------- Rockwell Automation recently patched two vulnerabilities related to EDS files that can allow malicious actors to expand their access within a targeted organization’s OT network. --------------------------------------------- https://www.securityweek.com/hackers-can-target-rockwell-industrial-softwar… ∗∗∗ 2020-05-21: SECURITY ABB Device Library Wizard Information Disclosure Vulnerability (2PAA121681) ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121681&Language… ∗∗∗ Cisco AMP for Endpoints Linux Connector and AMP for Endpoints Mac Connector Software Memory Buffer Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Contact Center Express Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Collaboration Provisioning Software SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Network Registrar DHCP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco AMP for Endpoints Mac Connector Software File Scan Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ [webapps] PHPFusion 9.03.50 - Persistent Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/48497 ∗∗∗ CVE-2004-0230 Blind Reset Attack Using the RST/SYN Bit ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-16-039 ∗∗∗ Linux kernel vulnerability CVE-2019-19059 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06554372 ∗∗∗ Linux kernel vulnerability CVE-2019-19062 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84797753 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2020
by Daily end-of-shift report 20 May '20

20 May '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-05-2020 18:00 − Mittwoch 20-05-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Netwalker Fileless Ransomware Injected via Reflective Loading ∗∗∗ --------------------------------------------- Ransomware in itself poses a formidable threat for organizations. As a fileless threat, the risk is increased as it can more effectively evade detection. We discuss how Netwalker ransomware is deployed filelessly through reflective DLL injection. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-filel… ∗∗∗ Studie: Kriminelle wollen nur Geld, Unternehmen stellen Daten selbst ins Feuer ∗∗∗ --------------------------------------------- Eine Analyse von knapp 4000 Cyber-Angriffen belegt, dass Passwortdiebstahl nach wie vor hoch im Kurs steht und Admins vor allem Cloud-Dienste nicht beherrschen. --------------------------------------------- https://heise.de/-4725579 ∗∗∗ 10 best practices for MSPs to secure their clients and themselves from ransomware ∗∗∗ --------------------------------------------- For MSPs, securing themselves from ransomware is just as much a practice in securing clients. See how to save data—and money—with these best practices. --------------------------------------------- https://blog.malwarebytes.com/how-tos-2/2020/05/10-best-practices-for-msps-… ∗∗∗ The wolf is back... ∗∗∗ --------------------------------------------- Thai Android devices and users are being targeted by a modified version of DenDroid we are calling "WolfRAT," now targeting messaging apps like WhatsApp, Facebook Messenger and Line. We assess with high confidence that this modified version is operated by the infamous Wolf Research.This actor has shown a surprising level of amateur actions, including code overlaps, open-source project copy/paste, classes never being [...] --------------------------------------------- https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html ∗∗∗ 3 Ways to Reduce Insider Cyberattacks on Industrial Control Systems ∗∗∗ --------------------------------------------- When power grids, water networks and gas utility systems are targeted by cyberattacks, systems that are essential to our everyday lives are affected. While the damage potential due to external [...] --------------------------------------------- https://blog.se.com/cyber-security/2020/05/06/three-ways-to-reduce-insider-… ∗∗∗ The Elementor Attacks: How Creative Hackers Combined Vulnerabilities to Take Over WordPress Sites ∗∗∗ --------------------------------------------- On May 6, our Threat Intelligence team was alerted to a zero-day vulnerability present in Elementor Pro, a WordPress plugin installed on approximately 1 million sites. That vulnerability was being exploited in conjunction with another vulnerability found in Ultimate Addons for Elementor, a WordPress plugin installed on approximately 110,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2020/05/the-elementor-attacks-how-creative-h… ∗∗∗ SMS von Raiffeisen mit Link ist Fake ∗∗∗ --------------------------------------------- Momentan sind gefälschte Raiffeisen-SMS im Umlauf. Darin werden Sie aufgefordert, die PushTAN Registrierung abzuschließen. Dafür müssen Sie lediglich auf den angeführten Link klicken. Doch Vorsicht: Dieser Link führt nicht auf die echte Login-Seite, sondern auf eine Phishing-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-raiffeisen-mit-link-ist-fake/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2020-0010 ∗∗∗ --------------------------------------------- VMware Cloud Director updates address Code Injection Vulnerability (CVE-2020-3956) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0010.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and clamav), Fedora (kernel, moodle, and transmission), Oracle (kernel), Red Hat (ipmitool, kernel, ksh, and ruby), Slackware (bind and libexif), SUSE (dpdk, openconnect, python, and rpmlint), and Ubuntu (linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv and linux-gke-5.0, linux-oem-osp1). --------------------------------------------- https://lwn.net/Articles/820948/ ∗∗∗ Researchers Divulge Details on Five Windows Zero Days ∗∗∗ --------------------------------------------- Zero Day Initiative Researchers Publish Five Windows Zero Days read more --------------------------------------------- https://www.securityweek.com/researchers-divulge-details-five-windows-zero-… ∗∗∗ Security Advisory - Information Leakage Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200520-… ∗∗∗ Security Advisory - Use After Free Vulnerability in Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200520-… ∗∗∗ Security Bulletin: IBM Security Access Manager is vulnerable to a bypass security vulnerability (CVE-2020-4461) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-access-manag… ∗∗∗ Security Bulletin: A security vulnerability has been identified in SQLite shipped with IBM Watson Machine Learning Community Edition (WMLCE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in the sqlite package shipped with IBM Watson Machine Learning Community Edition (WMLCE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2020-4260 SOME SECURE PROPERTIES CAN BE REVEALED VIA GENERIC PROCESSES ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4260-some-secure… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Pillow shipped with IBM Watson Machine Learning Community Edition (WMLCE) containers ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in nanopb shipped with IBM Watson Machine Learning Community Edition (WMLCE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in FFMpeg shipped with IBM Watson Machine Learning Community Edition (WMLCE) containers ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in BigFix Platform shipped with IBM License Metric Tool. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ HPESBHF04004 rev.1 - HPE Superdome Flex Server Remote Management Controller (RMC), Local Elevation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03991 rev.1 - HPE Nimble Storage, Remote Access to Sensitive Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03992 rev.1 - HPE Nimble Storage, Remote Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Adobe Creative Cloud: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0487 ∗∗∗ Wireshark: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0485 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2020
by Daily end-of-shift report 19 May '20

19 May '20

===================== = End-of-Day report = ===================== Timeframe: Montag 18-05-2020 18:00 − Dienstag 19-05-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NXNSAttack: Effizienter Angriff auf Nameserver ∗∗∗ --------------------------------------------- Eine neue Form von Denial-of-Service-Angriff nutzt die DNS-Architektur, um mit wenig Aufwand viel Serverlast und Traffic zu erzeugen. --------------------------------------------- https://www.golem.de/news/nxnsattack-effizienter-angriff-auf-nameserver-200… ∗∗∗ Phishers are trying to bypass Office 365 MFA via rogue apps ∗∗∗ --------------------------------------------- Phishers are trying to bypass the multi-factor authentication (MFA) protection on users’ Office 365 accounts by tricking them into granting permissions to a rogue application. The app allows attackers to access and modify the contents of the victim’s account, but also to retain that access indefinitely, Cofense researchers warn. --------------------------------------------- https://www.helpnetsecurity.com/2020/05/19/office-365-bypass-mfa/ ∗∗∗ Hohe Kosten statt Krediten auf kreditvolks-online.com ∗∗∗ --------------------------------------------- Die betrügerische Website kreditvolks-online.com wirbt momentan mit günstigen Krediten um Kundschaft. Die Kriminellen hinter der Website missbrauchen dabei beispielsweise das Logo der Volksbank, der Bawag P.S.K., der Commerzbank oder der Deutsche Kreditbank AG, um Vertrauen zu stiften. Bevor angebliche Kredite ausgezahlt werden, müssen zahlreiche Gebühren bezahlt werden. Eine tatsächliche Auszahlung findet schlussendlich nie statt und alle Zahlungen sind verloren! --------------------------------------------- https://www.watchlist-internet.at/news/hohe-kosten-statt-krediten-auf-kredi… ∗∗∗ FBI warns about attacks on Magento online stores via old plugin vulnerability ∗∗∗ --------------------------------------------- FBI says hackers have been planting card skimmers on online stores by exploiting a 2017 bug in the MAGMI plugin. --------------------------------------------- https://www.zdnet.com/article/fbi-warns-about-attacks-on-magento-online-sto… ∗∗∗ Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks ∗∗∗ --------------------------------------------- A firmware patch has been released last year, in November. --------------------------------------------- https://www.zdnet.com/article/hundreds-of-thousands-of-qnap-devices-vulnera… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#534195: Bluetooth devices supporting LE and specific BR/EDR implementations are vulnerable to method confusion attacks ∗∗∗ --------------------------------------------- [...] It is possible for an unauthenticated, adjacent attacker to man-in-the-middle (MITM) attack the pairing process and force each victim device into a different Association Model, possibly granting the attacker the ability to initiate any Bluetooth operation on either attacked device. --------------------------------------------- https://kb.cert.org/vuls/id/534195 ∗∗∗ VU#647177: Bluetooth devices supporting BR/EDR are vulnerable to impersonation attacks ∗∗∗ --------------------------------------------- [...] It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS). --------------------------------------------- https://kb.cert.org/vuls/id/647177 ∗∗∗ Sicherheitsupdate: Nitro PDF Pro könnte Daten leaken ∗∗∗ --------------------------------------------- Die Entwickler der PDF-Anwendung Nitro PDF Pro haben mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-4724062 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk and exim4), Fedora (openconnect, perl-Mojolicious, and php), Red Hat (kernel and kpatch-patch), Slackware (sane), and Ubuntu (bind9, dpdk, exim4, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-snapdragon, and linux, linux-aws, linux-lts-xenial, linux-raspi2, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/820859/ ∗∗∗ F-Secure Linux Security: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/05/warn… ∗∗∗ LibreOffice: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/05/warn… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site request forgery vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Solr (lucene) affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: InfoSphere Information Server is affected by multiple vulnerabilities in Kubernetes ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-infosphere-information-se… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an SQLite vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged user to cause denial of service in kernal ( CVE-2020-4411) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an SQLite vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect B2B API of IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged user to cause denial of service( CVE-2020-4412) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Rowhammer hardware vulnerability CVE-2020-10255 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K60570139 ∗∗∗ Adobe Creative Cloud: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0476 ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0474 ∗∗∗ Dovecot: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0479 ∗∗∗ Ruby on Rails: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0477 ∗∗∗ MISP: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0480 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.05.2020
by Daily end-of-shift report 18 May '20

18 May '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-05-2020 18:00 − Montag 18-05-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Disruption on the horizon ∗∗∗ --------------------------------------------- [...] As cyber security professionals we are often caught in the wake of disruptive changes as a result of technology adoption (i.e. Cloud), changes in operational paradigms (i.e. DevOps), or regulatory/compliance developments (i.e. GDPR, CCPA, etc.). Recognizing this, how can we proactively identify such changes before they start to impact our operations? --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/disruption-on-the-h… ∗∗∗ Antivirus & Multiple Detections, (Sun, May 17th) ∗∗∗ --------------------------------------------- "When a file contains more than one signature, for example EICAR and a real virus, what will the antivirus report?". --------------------------------------------- https://isc.sans.edu/diary/rss/26134 ∗∗∗ WordPress Malware Collects Sensitive WooCommerce Data ∗∗∗ --------------------------------------------- During a recent investigation, our team found malicious code that reveals how attackers are performing reconnaissance to identify if sites are actively using WooCommerce in a compromised hosting environment. These compromised websites are victims of the ongoing wave of exploits against vulnerable WordPress plugins. --------------------------------------------- https://blog.sucuri.net/2020/05/wordpress-malware-collects-sensitive-woocom… ∗∗∗ Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format ∗∗∗ --------------------------------------------- Abusing legacy functionality built into the Microsoft Office suite is a tale as old as time. One functionality that is popular with red teamers and maldoc authors is using Excel 4.0 Macros to embed standard malicious behavior in Excel files and then execute phishing campaigns with these documents. These macros, which are fully documented online, can make web requests, execute shell commands, access win32 APIs, and have many other capabilities which are desirable to malware authors. --------------------------------------------- https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/ ∗∗∗ Mandrake Android Spyware Remained Undetected for 4 Years ∗∗∗ --------------------------------------------- Security researchers at Bitdefender have identified a highly sophisticated Android spyware platform that managed to remain undetected for four years. --------------------------------------------- https://www.securityweek.com/mandrake-android-spyware-remained-undetected-4… ∗∗∗ Ethical dilemmas with responsible disclosure ∗∗∗ --------------------------------------------- We do a LOT of disclosures, probably starting one a day on average. Between us, we spend a man day or so per week just managing disclosures. It creates pain [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/ethical-dilemmas-with-respons… ∗∗∗ The ProLock ransomware doesn’t tell you one important thing about decrypting your files ∗∗∗ --------------------------------------------- Have your computers been hit by the ProLock ransomware? You might want to read this before you pay any money to the criminals behind the attack. --------------------------------------------- https://www.grahamcluley.com/prolock-ransomware-decryption/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical WordPress plugin bug allows for automated takeovers ∗∗∗ --------------------------------------------- Attackers can exploit a critical vulnerability in the WP Product Review Lite plugin installed on over 40,000 WordPress sites to inject malicious code and potentially take over vulnerable websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bu… ∗∗∗ PHOENIX CONTACT improper access control exists on FL NAT devices when using MAC-based port security (Update A) ∗∗∗ --------------------------------------------- [...] Update 2020-05-18: Firmware V2.90 is released and available for download. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-020 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache-log4j1.2, exim4, libexif, and openconnect), Fedora (chromium, condor, java-1.8.0-openjdk, java-1.8.0-openjdk-aarch32, mingw-ilmbase, mingw-OpenEXR, sleuthkit, and squid), Mageia (jbig2dec, libreswan, netkit-telnet, ntp, and suricata), openSUSE (mailman and nextcloud), SUSE (autoyast2, file, git, gstreamer-plugins-base, libbsd, libvirt, libvpx, libxml2, mailman, and openexr), and Ubuntu (dovecot and json-c). --------------------------------------------- https://lwn.net/Articles/820814/ ∗∗∗ WebKitGTK 2.29.1 released! ∗∗∗ --------------------------------------------- This is the first development release leading toward 2.30 series.What’s new in the WebKitGTK 2.29.1 release? Stop using GTK theming to render form controls. Add API to disable GTK theming for scrollbars too. Fix several race conditions and threading issues in the media player. Add USER_AGENT_BRANDING build option. Add paste as plain text option to the context menu for rich editable content. Fix several crashes and rendering issues. --------------------------------------------- https://webkitgtk.org/2020/05/18/webkitgtk2.29.1-released.html ∗∗∗ Cisco Firepower Detection Engine Secure Sockets Layer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerabiliity in IBM Java shipped with IBM Transformation Extender Advanced (CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabiliity-in-ibm-jav… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java shipped with IBM Transformation Extender Advanced (CVE-2018-1656, CVE-2018-12539) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple IBM Runtime Environments Java Technology Edition vulnerabilities affect IBM Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-runtime-envi… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2020-1938) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: Vulnerability CVE-2020-4345 in SQL affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2020-43… ∗∗∗ Security Bulletin: Security vulnerability in WAS Liberty used by IBM Transformation Extender Advanced (CVE-2017-1681) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java shipped with IBM Transformation Extender Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: vulnerabilities in in IBM® Runtime Environment Java™ Version 8 affect IBM WIoTP MessageGateway (CVE-2020-2805, CVE-2020-2803, CVE-2020-2781, CVE-2020-2755, CVE-2020-2754) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-in-ibm… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect B2B API of IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Linux kernel vulnerability CVE-2019-20636 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45501314 ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0472 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2020
by Daily end-of-shift report 15 May '20

15 May '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-05-2020 18:00 − Freitag 15-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ProLock Ransomware teams up with QakBot trojan for network access ∗∗∗ --------------------------------------------- ProLock is a relatively new malware on the ransomware scene but has quickly attracted attention by targeting businesses and local governments and demanding huge ransoms for file decryption. --------------------------------------------- https://www.bleepingcomputer.com/news/security/prolock-ransomware-teams-up-… ∗∗∗ RATicate drops info stealing malware and RATs on industrial targets ∗∗∗ --------------------------------------------- Security researchers from Sophos have identified a hacking group that abused NSIS installers to deploy remote access tools (RATs) and information-stealing malware in attacks targeting industrial companies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raticate-drops-info-stealing… ∗∗∗ Angriffe auf Hochleistungsrechner: Waren es Krypto-Miner? ∗∗∗ --------------------------------------------- Zahlreiche Hochleistungsrechenzentren sind nach Angriffen vom Netz. Hinweise deuten auf Krypto-Mining, doch für den Chef des LRZ greift das zu kurz. --------------------------------------------- https://heise.de/-4722488 ∗∗∗ The Unattributable "db8151dd" Data Breach ∗∗∗ --------------------------------------------- I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. Its about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Heres what I know: [...] --------------------------------------------- https://www.troyhunt.com/the-unattributable-db8151dd-data-breach/ ∗∗∗ Erpressungsmails mit echtem Passwort im Umlauf ∗∗∗ --------------------------------------------- In letzter Zeit häufen sich Beschwerden von Internet-NutzerInnen zu Erpressungsmails. Die Erpresser geben dabei an, ein Masturbationsvideo von den Betroffenen zu besitzen und fordern dazu auf einen bestimmten Betrag in Form von Bitcoins zu bezahlen. Die AdressatInnen sind von dieser Masche besonders verunsichert, da die Hacker ein echtes Passwort als scheinbaren Beweis kennen. Doch es besteht kein Grund zur Sorge. Die Erpresser haben weder ihren Computer gehackt, noch belastendes Material [...] --------------------------------------------- https://www.watchlist-internet.at/news/erpressungsmails-mit-echtem-passwort… ∗∗∗ Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways ∗∗∗ --------------------------------------------- New Hoaxcalls and Mirai botnet campaigns found targeting end-of-life Symantec Secure Web Gateways via Remote Code Execution vulnerability.The post Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apt, inetutils, and log4net), Fedora (kernel, mailman, and viewvc), Gentoo (chromium, freerdp, libmicrodns, live, openslp, python, vlc, and xen), Oracle (.NET Core, container-tools:1.0, and kernel), Red Hat (kernel-rt), Scientific Linux (kernel), SUSE (kernel, libvirt, python-PyYAML, and syslog-ng), and Ubuntu (json-c). --------------------------------------------- https://lwn.net/Articles/820634/ ∗∗∗ Vulnerabilities in SoftPAC Virtual Controller Expose OT Networks to Attacks ∗∗∗ --------------------------------------------- Vulnerabilities discovered by a researcher at industrial cybersecurity firm Claroty in Opto 22’s SoftPAC virtual programmable automation controller (PAC) expose operational technology (OT) networks to attacks. --------------------------------------------- https://www.securityweek.com/vulnerabilities-softpac-virtual-controller-exp… ∗∗∗ Cisco Firepower Threat Defense Software Generic Routing Encapsulation Tunnel IPv6 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software VPN System Logging Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco MDS 9000 Series Switches Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerability in embedded IBM Websphere Application Server Liberty affects IBM Watson Compare and Comply for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-embedded… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2020 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio April 2020 CPU plus deferred CVE-2019-2949 and CVE-2020-2654 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in OpenSSL, a product which ships with IBM Tivoli Nework Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting that affects Liberty for Java for IBM Cloud (CVE-2020-4303, CVE-2020-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ PostgreSQL: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0471 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2020
by Daily end-of-shift report 14 May '20

14 May '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-05-2020 18:00 − Donnerstag 14-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ COMpfun authors spoof visa application with HTTP status-based Trojan ∗∗∗ --------------------------------------------- In autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. Later in November 2019 we revealed a new Trojan using the same code base as COMPFun. --------------------------------------------- https://securelist.com/compfun-http-status-based-trojan/96874/ ∗∗∗ Patch Tuesday Revisited - CVE-2020-1048 isnt as "Medium" as MS Would Have You Believe, (Thu, May 14th) ∗∗∗ --------------------------------------------- Looking at our patch Tuesday list, I looked a bit closer at CE-2020-1048 (Print Spooler Privilege Escalation) and Microsoft&#;x26;#;39;s ratings for that one. Microsoft rated this as: --------------------------------------------- https://isc.sans.edu/diary/rss/26124 ∗∗∗ Danger zone! Brit research supercomputer ARCHERs login nodes exploited in cyber-attack, admins reset passwords and SSH keys ∗∗∗ --------------------------------------------- Assault on TOP500-listed machine may have hit Euro HPC too, warn sysops Updated One of Britains most powerful academic supercomputers has fallen victim to a "security exploitation" of its login nodes, forcing the rewriting of all user passwords and SSH keys.… --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/13/uk_arche… ∗∗∗ Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access ∗∗∗ --------------------------------------------- On April 21st, our Threat Intelligence team discovered a vulnerability in Site Kit by Google, a WordPress plugin installed on over 300,000 sites. This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin. We filed a security issue report ...Read MoreThe post Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access appeared first on Wordfence. --------------------------------------------- https://www.wordfence.com/blog/2020/05/vulnerability-in-google-wordpress-pl… ===================== = Vulnerabilities = ===================== ∗∗∗ reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019 ∗∗∗ --------------------------------------------- Project: reCAPTCHA v3Date: 2020-May-13Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassDescription: The reCaptcha v3 module enables you to protect your forms using the Google reCaptcha V3.If the reCaptcha v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms.This vulnerability only affects forms that are protected by reCaptcha v3 and have --------------------------------------------- https://www.drupal.org/sa-contrib-2020-019 ∗∗∗ Webform - Critical - Access bypass - SA-CONTRIB-2020-018 ∗∗∗ --------------------------------------------- Project: WebformDate: 2020-May-13Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassDescription: This webform module enables you to build a Term checkboxes element.The module doesnt sufficiently check term view access when rendering Term checkboxes elements. Unpublished terms will always appear in the Term checkboxes element.Solution: Install the latest version:If you use the Webform module for Drupal 8.x, upgrade to Webform --------------------------------------------- https://www.drupal.org/sa-contrib-2020-018 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apt and libreswan), Fedora (glpi, grafana, java-latest-openjdk, mailman, and oddjob), Oracle (container-tools:2.0, container-tools:ol8, kernel, libreswan, squid:4, and thunderbird), SUSE (apache2, grafana, and python-paramiko), and Ubuntu (apt and libexif). --------------------------------------------- https://lwn.net/Articles/820520/ ∗∗∗ Security Bulletin: Multiple vulnerabilities have been Identified In WebSphere Liberty Server shipped with IBM Global Mailbox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM MQ Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been Identified In Jackson Databind library shipped with IBM Global Mailbox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Information Disclosure Security Vulnerability Afftects IBM Stering B2B Integrator GPM Web App (CVE-2020-4299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-se… ∗∗∗ Security Bulletin: Jackson-databind Security Vulnerability Affects IBM Sterling B2B Integrator (CVE-2019-20330) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jackson-databind-security… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jetty Affect IBM Sterling B2B Integrator (CVE-2018-12545, CVE-2019-10241) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple memory corruption vulnerabilities in IBM i2 Analyst's Notebook and IBM i2 Analyst's Notebook Premium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-memory-corruptio… ∗∗∗ Security Bulletin: Permission security vulnerability exists in IBM Sterling File Gateway (CVE-2020-4259) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-permission-security-vulne… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in PHP (CVE-2020-7069, CVE-2020-7059) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2020
by Daily end-of-shift report 13 May '20

13 May '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-05-2020 18:00 − Mittwoch 13-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ US govt shares list of most exploited vulnerabilities since 2016 ∗∗∗ --------------------------------------------- US Government cybersecurity agencies and specialists today have released a list of the top 10 routinely exploited security vulnerabilities between 2016 and 2019. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-govt-shares-list-of-most-… ∗∗∗ Ramsay Malware Targets Air-Gapped Networks ∗∗∗ --------------------------------------------- The cyber-espionage toolkit is under active development. --------------------------------------------- https://threatpost.com/ramsay-malware-air-gapped-networks/155695/ ∗∗∗ Angreifer könnten Symantec Endpoint Protection als Sprungbrett nutzen ∗∗∗ --------------------------------------------- Symantecs Entwickler haben mehrere Sicherheitslücken in Endpoint Protection und Endpoint Protection Manager geschlossen. --------------------------------------------- https://heise.de/-4720697 ∗∗∗ Tinder-Bots betrügen mit scheinbarer Verifizierung ∗∗∗ --------------------------------------------- Internet-BetrügerInnen treiben auch auf Dating-Plattform ihr Unwesen und versuchen den Menschen durch Flirten Geld aus der Tasche zu ziehen. Bei einer dieser Betrugsmaschen geben Fake-Profile auf Tinder vor, dass sie sich sicherer fühlen würden, wenn sich das Tinder-Match verifizieren lässt. Das Opfer dieser Masche erhält einen Link dafür. Doch tatsächlich geht es dabei nicht darum, Vertrauen und Sicherheit vor einem Date herzustellen, [...] --------------------------------------------- https://www.watchlist-internet.at/news/tinder-bots-betruegen-mit-scheinbare… ===================== = Vulnerabilities = ===================== ∗∗∗ Unmittelbar Patchen: Kritische Schwachstelle in SAP® ABAP Systemen (CVE-2020-6262) ∗∗∗ --------------------------------------------- Das SEC Consult Vulnerability Lab hat eine kritische Code-Injection-Schwachstelle (CVE-2020-6262), mit einem CVSSv3 Score von 9.9, in SAP® Service Data Download (ein Teil des SAP® Solution Manager Plugin ST-PI), identifiziert. --------------------------------------------- https://www.sec-consult.com/./blog/2020/05/unmittelbar-patchen-kritische-sc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (java-1.8.0-openjdk and seamonkey), Gentoo (firefox, lrzip, qemu, squid, and thunderbird), Oracle (thunderbird), Red Hat (buildah, kernel, kernel-alt, kernel-rt, kpatch-patch, podman, python-pip, python-virtualenv, and qemu-kvm), Scientific Linux (kernel), Slackware (mariadb), SUSE (openconnect), and Ubuntu (file, firefox, iproute2, pulseaudio, and squid, squid3). --------------------------------------------- https://lwn.net/Articles/820409/ ∗∗∗ Mai-Patchday: Microsoft schließt 111 Sicherheitslücken ∗∗∗ --------------------------------------------- Es ist der drittgrößte Patchday in der Geschichte des Unternehmens. Anfällig sind unter anderem Windows, SharePoint, Edge und Internet Explorer. Eine Lücke in Windows erlaubt sogar eine Remotecodeausführung mit erweiterten Benutzerrechten. --------------------------------------------- https://www.zdnet.de/88379702/mai-patchday-microsoft-schliesst-111-sicherhe… ∗∗∗ Security Advisory - Out of Bounds Read Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200513-… ∗∗∗ Security Advisory - Integer Overflow Vulnerability in Android affects Several Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200513-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200513-… ∗∗∗ Security Bulletin: [All] Apache Tomcat (core only) (Publicly disclosed vulnerability) CVE-2020-1935, CVE-2019-17569 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-all-apache-tomcat-core-on… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK Oct 2019 and Jan 2020 CPU affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-cast-iron-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Information Disclosure Security Vulnerability Exists in IBM Sterling B2B Integrator (CVE-2020-4312) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-se… ∗∗∗ FreeBSD: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0453 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2020
by Daily end-of-shift report 12 May '20

12 May '20

===================== = End-of-Day report = ===================== Timeframe: Montag 11-05-2020 18:00 − Dienstag 12-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Astaroth’s New Evasion Tactics Make It ‘Painful to Analyze’ ∗∗∗ --------------------------------------------- The infostealer has gone above and beyond in its new anti-analysis and obfuscation tactics. --------------------------------------------- https://threatpost.com/astaroths-evasion-tactics-painful-analyze/155633/ ∗∗∗ Anubis Malware Upgrade Logs When Victims Look at Their Screens ∗∗∗ --------------------------------------------- Threat actors are cooking up new features for the sophisticated banking trojan that targets Google Android apps and devices. --------------------------------------------- https://threatpost.com/anubis-malware-upgrade-victims-screens/155644/ ∗∗∗ Analyzing Dark Crystal RAT, a C# backdoor ∗∗∗ --------------------------------------------- [...] The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently, FLARE worked on a new C# variant of Dark Crystal RAT (DCRat) that the threat intel team passed to us. We reviewed open source intelligence and prior work, performed sandbox testing, and reverse engineered the Dark Crystal RAT to review its capabilities [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-… ∗∗∗ Profilbesuche auf Facebook erkennen – Geht das? ∗∗∗ --------------------------------------------- Auf Facebook kursiert momentan ein Link, der es angeblich ermöglicht, Profilzugriffe anzuzeigen. Das macht natürlich neugierig. Doch Vorsicht: Sie landen auf einer Phishing-Seite! Kriminelle greifen Ihre Facebook-Login-Daten ab und posten betrügerische Beiträge in Ihrem Namen. Und: Facebook bietet kein Tool an, dass Ihnen anzeigt, wer auf Ihrem Profil war. --------------------------------------------- https://www.watchlist-internet.at/news/profilbesuche-auf-facebook-erkennen-… ∗∗∗ Rückblick auf das erste Drittel 2020 ∗∗∗ --------------------------------------------- Jänner: BMEIA, Shitrix, BlueGate – ein besinnlicher Jahresbeginn Februar: Die (fast) letzten Augenblicke von TLS März und April: COVID-19 oder "Im Cyber nix neues" --------------------------------------------- https://cert.at/de/blog/2020/5/ruckblick-auf-das-erste-drittel-2020 ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe fixes critical vulnerabilities in Acrobat, Reader, and DNG SDK ∗∗∗ --------------------------------------------- Adobe has released security updates for Adobe Acrobat, Reader, and Adobe DNG Software Development Kit that resolve a combined total of thirty-six security vulnerabilities in the three products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnera… ∗∗∗ Siemens SSA-352504: Urgent/11 TCP/IP Stack Vulnerabilities in Siemens Power Meters ∗∗∗ --------------------------------------------- Siemens low & high voltage power meters are affected by multiple security vulnerabilities due to the underlying Wind River VxWorks network stack. This stack is affected by eleven vulnerabilities known as the "URGENT/11". --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-352504.txt ∗∗∗ TYPO3 Core version 10.4.2 fixes multiple vulnerabilities ∗∗∗ --------------------------------------------- TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface --------------------------------------------- https://typo3.org/help/security-advisories/typo3-cms ∗∗∗ TYPO3 - vulnerabilities in multiple extensions - 2020-05-12 ∗∗∗ --------------------------------------------- TYPO3-EXT-SA-2020-004: SQL Injection in extension "phpMyAdmin" (phpmyadmin) TYPO3-EXT-SA-2020-005: Multiple vulnerabilities in extension "Direct Mail" (direct_mail) TYPO3-EXT-SA-2020-006: Broken Access Control in extension "gForum" (g_forum) TYPO3-EXT-SA-2020-007: Sensitive Data Exposure in extension "Job Fair" (jobfair) TYPO3-EXT-SA-2020-008: Cross-Site Scripting in "SVG Sanitizer" (svg_sanitizer) --------------------------------------------- https://typo3.org/help/security-advisories/typo3-extensions ∗∗∗ Sicherheitspatches: Online-Foren über vBulletin-Lücke attackierbar ∗∗∗ --------------------------------------------- Es sind mehrere abgesicherte Version der Foren-Software vBulletin erschienen. --------------------------------------------- https://heise.de/-4719217 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (a2ps and qutebrowser), openSUSE (cacti, cacti-spine, ghostscript, and python-markdown2), Oracle (kernel), Red Hat (chromium-browser, libreswan, and qemu-kvm-ma), Scientific Linux (thunderbird), and SUSE (kernel and libvirt). --------------------------------------------- https://lwn.net/Articles/820307/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/2020/05/ ∗∗∗ Bitdefender Antivirus: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0441 ∗∗∗ Exim: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0444 ∗∗∗ Symantec Endpoint Protection: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0443 ∗∗∗ SAP Patchday Mai 2020 ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0442 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0449 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0448 ∗∗∗ F5 BIG-IP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0445 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.05.2020
by Daily end-of-shift report 11 May '20

11 May '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-05-2020 18:00 − Montag 11-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sodinokibi ransomware can now encrypt open and locked files ∗∗∗ --------------------------------------------- The Sodinokibi (REvil) ransomware has added a new feature that makes it easier to encrypt all files, even those that are opened and locked by another process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-can-no… ∗∗∗ Thunderspy: Nicht patchbare Sicherheitslücken in Thunderbolt ∗∗∗ --------------------------------------------- Mit einem Schraubendreher und einem SPI-Programmer lassen sich zentrale Sicherheitsfunktionen von Thunderbolt deaktivieren. --------------------------------------------- https://www.golem.de/news/thunderspy-nicht-patchbare-sicherheitsluecken-in-… ∗∗∗ Sphinx Malware Returns to Riddle U.S. Targets ∗∗∗ --------------------------------------------- The banking trojan has upgraded and is seeing a resurgence on the back of coronavirus stimulus payment themes. --------------------------------------------- https://threatpost.com/sphinx-riddle-us-targets-modifications/155621/ ∗∗∗ Lieferzeiten & Zahlung beim Online-Shopping: Das sind Ihre Rechte ∗∗∗ --------------------------------------------- Der Watchlist Internet werden in letzter Zeit vermehrt Online-Shops gemeldet, die zwar nicht unbedingt Fake-Shops sind, sich jedoch durch verzögerte Lieferzeiten nicht an geltende Gesetze halten. Aber welche Rechte haben Sie als Konsumentin oder Konsument eigentlich? Was können Sie machen, wenn sich ein Online-Shop nicht an die vereinbarte Lieferzeit hält? Wann müssen Sie Bestellungen bezahlen? Wie können Sie Ihre Rechte geltend machen? --------------------------------------------- https://www.watchlist-internet.at/news/lieferzeiten-zahlung-beim-online-sho… ∗∗∗ Intel und Microsoft entwickeln Deep-Learning-Technik zur Malware-Analyse ∗∗∗ --------------------------------------------- Das Stamina genannte Projekt wandelt Dateien in Graustufen-Bilder um. Microsoft analysiert die Bilder auf Textur- und Struktur-Muster. Bei Tests erreicht das System eine Genauigkeit von mehr als 99 Prozent. --------------------------------------------- https://www.zdnet.de/88379578/intel-und-microsoft-entwickeln-deep-learning-… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities Patched in Page Builder by SiteOrigin Affects Over 1 Million Sites ∗∗∗ --------------------------------------------- On Monday, May 4, 2020, the Wordfence Threat Intelligence team discovered two vulnerabilities present in Page Builder by SiteOrigin, a WordPress plugin actively installed on over 1,000,000 sites. Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. --------------------------------------------- https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-buil… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium and firefox), Debian (libntlm, squid, thunderbird, and wordpress), Fedora (chromium, community-mysql, crawl, roundcubemail, and xen), Mageia (chromium-browser-stable), openSUSE (chromium, firefox, LibVNCServer, openldap2, opera, ovmf, php7, python-PyYAML, rpmlint, rubygem-actionview-5_1, slirp4netns, sqliteodbc, squid, thunderbird, and webkit2gtk3), Oracle (firefox, git, gnutls, kernel, libvirt, squid, and targetcli), Red Hat [...] --------------------------------------------- https://lwn.net/Articles/820196/ ∗∗∗ VMware to Patch Recent Salt Vulnerabilities in vROps ∗∗∗ --------------------------------------------- VMware is working on patches for its vRealize Operations Manager (vROps) product to fix two recently disclosed Salt vulnerabilities that have already been exploited to hack organizations. read more --------------------------------------------- https://www.securityweek.com/vmware-patch-recent-salt-vulnerabilities-vrops ∗∗∗ Data leak, phishing security flaws disclosed in Oracle iPlanet Web Server ∗∗∗ --------------------------------------------- Security patches will not be issued to fix the problems. --------------------------------------------- https://www.zdnet.com/article/data-leak-phishing-security-flaws-exposed-in-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200506-… ∗∗∗ Security Bulletin: CVE-2019-4667 Lack of Built in HSTS option ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4667-lack-of-bui… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: A Security Vulnerability in IBM Java Runtime affects IBM Cloud Private (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – Node.js (CVE-2019-15605, CVE-2019-15606) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-cast-iron-s… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-17495) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cloud Private ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2020
by Daily end-of-shift report 08 May '20

08 May '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-05-2020 18:00 − Freitag 08-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Blue Mockingbird Monero-Mining Campaign Exploits Web Apps ∗∗∗ --------------------------------------------- The cybercriminals are using a deserialization vulnerability, CVE-2019-18935, to achieve remote code execution before moving laterally through the enterprise. --------------------------------------------- https://threatpost.com/blue-mockingbird-monero-mining/155581/ ∗∗∗ Navigating the MAZE: Tactics, Techniques and Procedures Associated WithMAZE Ransomware Incidents ∗∗∗ --------------------------------------------- Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-proc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, salt, and webkit2gtk), Fedora (firefox, mingw-gnutls, nss, and teeworlds), Mageia (firefox, libvncserver, matio, qt4, roundcubemail, samba, thunderbird, and vlc), Oracle (firefox and squid), SUSE (firefox, ghostscript, openldap2, rmt-server, syslog-ng, and webkit2gtk3), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/819969/ ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0436 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities exist in IBM Data Risk Manager (CVE-2020-4427, CVE-2020-4428, CVE-2020-4429, and CVE-2020-4430) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-… ∗∗∗ Security Bulletin: Security vulnerabilities in Dojo and jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Swagger UI affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2020 CPU plus deferred CVE-2019-2949 and CVE-2020-2654 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in dependent libraries affect IBM® Db2® leading to denial of service or privilege escalation. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2020
by Daily end-of-shift report 07 May '20

07 May '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-05-2020 18:00 − Donnerstag 07-05-2020 18:00 Handler: n/a Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gefährliche Schadsoftware-Mail im Namen von A1 ∗∗∗ --------------------------------------------- Nehmen Sie sich vor einer gefälschten A1-Mail mit dem Betreff *Wichtige Mitteilung* in Acht. Es handelt sich um eine Nachricht, die von Kriminellen verschickt wird, die Schadsoftware auf Ihrem Smartphone installieren wollen. Wenn Sie den Aufforderungen nachkommen, können die VerbrecherInnen sensible Daten von Ihrem Mobiltelefon stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaehrliche-schadsoftware-mail-im-n… ∗∗∗ Large scale Snake Ransomware campaign targets healthcare, more ∗∗∗ --------------------------------------------- The operators of the Snake Ransomware have launched a worldwide campaign of cyberattacks that have infected numerous businesses and at least one health care organization over the last few days. --------------------------------------------- https://www.bleepingcomputer.com/news/security/large-scale-snake-ransomware… ∗∗∗ Cisco Webex phishing uses fake cert errors to steal credentials ∗∗∗ --------------------------------------------- A highly convincing series of phishing attacks are using fake certificate error warnings with graphics and formatting lifted from Cisco Webex emails to steal users account credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-webex-phishing-uses-fa… ∗∗∗ Keep your IR on the Ball ∗∗∗ --------------------------------------------- Even with the myriad of security tools we have at our disposal today, cybercriminals are still able to penetrate our networks. Is it really necessary to have a Cyber Incident Response Plan in place? --------------------------------------------- https://www.domaintools.com/resources/blog/keep-your-ir-on-the-ball ∗∗∗ How a favicon delivered a web credit card skimmer to victims ∗∗∗ --------------------------------------------- Cyber crooks deploying web credit card skimmers on compromised Magento websites have a new trick up their sleeve: favicons that “turn” malicious when victims visit a checkout page. --------------------------------------------- https://www.helpnetsecurity.com/2020/05/07/favicons-card-skimmers/ ∗∗∗ Combined Attack on Elementor Pro and Ultimate Addons for Elementor Puts 1 Million Sites at Risk ∗∗∗ --------------------------------------------- On May 6, 2020, our Threat Intelligence team received reports of active exploitation of vulnerabilities in two related plugins, Elementor Pro and Ultimate Addons for Elementor. We have reviewed the log files of compromised sites to confirm this activity. As this is an active attack, we wanted to alert you so that you can take [...] --------------------------------------------- https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB20-24) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB20-24) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, May 12, 2020. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well as the Adobe PSIRT Blog. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1869 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco has released 34 Security Advisories for multiple products on 2020-05-06. 12 rated "High" 22 rated "Medium" --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, keystone, mailman, and tomcat9), Fedora (ceph, firefox, java-1.8.0-openjdk, libldb, nss, samba, seamonkey, and suricata), Oracle (kernel), Scientific Linux (firefox and squid), SUSE (libvirt, php7, slirp4netns, and webkit2gtk3), and Ubuntu (linux-firmware and openldap). --------------------------------------------- https://lwn.net/Articles/819761/ ∗∗∗ For six years Samsung smartphone users have been at risk from critical security bug. Patch now ∗∗∗ --------------------------------------------- Samsung has released a security update for its popular Android smartphones which includes a critical fix for a vulnerability that affects all devices sold by the manufacturer since 2014. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/six-yea… ∗∗∗ Joomla: Schwachstelle ermöglicht SQL-Injection ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0425 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0424 ∗∗∗ [webapps] Draytek VigorAP 1000C - Persistent Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/48436 ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics Subscription ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affects IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability CVE-2020-8492 in Python affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2020-84… ∗∗∗ Security Bulletin: Vulnerability CVE-2019-18348 in Python affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2019-18… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2019-2949 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2949-may-affect-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics Subscription ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2019-1551 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2020
by Daily end-of-shift report 06 May '20

06 May '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-05-2020 18:00 − Mittwoch 06-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht: Betrügerische FinanzOnline E-Mails im Umlauf ∗∗∗ --------------------------------------------- „Ihre Steuerrückerstattung von 1.850 EUR wurde zurückerstattet“ heißt es in einer E-Mail, angeblich vom Finanzamt. Doch Vorsicht: Dieses E-Mail stammt nicht vom Finanzamt, sondern von Kriminellen. Klicken Sie keinesfalls auf den Link, Sie landen auf einer gefälschten FinanzOnline-Seite. Kriminelle stehlen mit dieser nachgebauten FinanzOnline-Website sensible Daten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-betruegerische-finanzonline… ∗∗∗ Least Privilege: The Most Effective Approach to Endpoint Security ∗∗∗ --------------------------------------------- I always try to remind people that the principle of least privilege is not just about security, but about productivity as well. I have multiple customers who have decreased the number of tickets to their service desk by a whopping 75% by getting rid of end-user admin rights. --------------------------------------------- https://www.beyondtrust.com/blog/entry/least-privilege-the-most-effective-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (libmicrodns and salt), Debian (graphicsmagick, salt, sqlite3, and wordpress), Fedora (java-11-openjdk), openSUSE (chromium and sqliteodbc), Red Hat (firefox, squid, and squid:4), Slackware (firefox and thunderbird), SUSE (ardana-ansible, ardana-barbican, ardana-cluster, ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, [...] --------------------------------------------- https://lwn.net/Articles/819600/ ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Go (CVE-2019-16276) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Maximo Anywhere does not have device jailbreak detection. (CVE-2019-4266) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-does-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Information disclosure vulnerability affecting IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4446 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Potential spoofing attack in Webshere Application Server (CVE-2020-4421) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-spoofing-attack… ∗∗∗ Security Bulletin: IBM InfoSphere QualityStage is affected by a Cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-qualitysta… ∗∗∗ HPESBHF03966 rev.1 - HPE Servers with certain Intel Core and Xeon Processors System Memory Management (SMM), Local Disclosure of Privileged Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03934 rev.1 - HPE CloudLIne servers using AMI BMC Remote Unauthorized Disclosure of Information, Unauthorized Modification and Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03961 rev.1 - Certain HPE Servers with 6th Generation Intel Core Processors and greater supporting SGX and TXT, Local Disclosure of Privileged Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2020
by Daily end-of-shift report 05 May '20

05 May '20

===================== = End-of-Day report = ===================== Timeframe: Montag 04-05-2020 18:00 − Dienstag 05-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Weitere Zero-Day-Schwachstelle in iOS: Apps können aus Sandbox ausbrechen ∗∗∗ --------------------------------------------- Mit manipulierten XML-Kommentaren ist es Apps auf iPhone und iPad offenbar möglich, sich ungehindert beliebige Berechtigungen einzuräumen. --------------------------------------------- https://heise.de/-4714373 ∗∗∗ Dell OS Recovery: Lücke in älteren Wiederherstellungs-Images für Windows 10 ∗∗∗ --------------------------------------------- Client-Systeme von Dell, auf denen Windows 10 mit einem älteren Recovery-Image wiederhergestellt wurde, benötigen ein Sicherheitsupdate. --------------------------------------------- https://heise.de/-4714810 ∗∗∗ New VCrypt Ransomware locks files in password-protected 7ZIPs ∗∗∗ --------------------------------------------- A new ransomware called VCrypt is targeting French victims by utilizing the legitimate 7zip command-line program to create password-protected archives of data folders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-vcrypt-ransomware-locks-… ∗∗∗ LockBit ransomware self-spreads to quickly encrypt 225 systems ∗∗∗ --------------------------------------------- A feature of the LockBit ransomware allows threat actors to breach a corporate network and deploy their ransomware to encrypt hundreds of devices in just a few hours. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-self-spre… ∗∗∗ Airplane Hack Exposes Weaknesses of Alert and Avoidance Systems ∗∗∗ --------------------------------------------- Researchers warn commercial airplane systems can be spoofed impacting flight safety of nearby aircraft. --------------------------------------------- https://threatpost.com/airplane-hack-exposes-weaknesses-of-alert-and-avoida… ∗∗∗ New Kaiji Botnet Targets IoT, Linux Devices ∗∗∗ --------------------------------------------- The botnet uses SSH brute-force attacks to infect devices and uses a custom implant written in the Go Language. --------------------------------------------- https://threatpost.com/kaiji-botnet-iot-linux-devices/155463/ ∗∗∗ Nearly a Million WP Sites Targeted in Large-Scale Attacks ∗∗∗ --------------------------------------------- Our Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting(XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data. The majority of these attacks appear to be caused by a single threat [...] --------------------------------------------- https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-i… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Google macht verschiedene Android-Versionen sicherer ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android. Zwei Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-4714596 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, ntp, and roundcube), Fedora (libldb and samba), Mageia (chromium-browser-stable, crawl, dolphin-emu, exiv2, fortune-mod, gnuchess, kernel, libsndfile, openexr, openldap, openvpn, qtbase5, ruby-json, squid, teeworlds, and webkit2), Red Hat (sqlite), and SUSE (icu, mailman, nginx, rmt-server, rpmlint, and rubygem-actionview-5_1). --------------------------------------------- https://lwn.net/Articles/819517/ ∗∗∗ Citrix ShareFile storage zones Controller multiple security updates ∗∗∗ --------------------------------------------- Security issues have been identified in customer-managed Citrix ShareFile storage zone controllers. These vulnerabilities, if exploited, would allow an unauthenticated attacker to compromise the storage zones controller potentially giving an attacker the ability to access ShareFile users’ documents and folders. --------------------------------------------- https://support.citrix.com/article/CTX269106 ∗∗∗ Security Bulletin: Java Vulnerability Impacts IBM Control Center (CVE-2019-4723) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerability-impact… ∗∗∗ Security Bulletin: Vulnerability in Ubuntu affects IBM Workload Scheduler 9.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ubuntu-a… ∗∗∗ Security Bulletin: Muluple vulnerabilities in Ubuntu affect IBM Workload Scheduler 9.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-muluple-vulnerabilities-i… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Automation Manager – Go (CVE-2019-17596) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Ubuntu affects IBM Workload Scheduler 9.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ubuntu-a… ∗∗∗ Security Bulletin: Websphere denial-of-service vulnerability affects IBM Control Center (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-denial-of-servi… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Automation Manager – Node.js (CVE-2019-10747) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Websphere denial-of-service vulnerability affects IBM Control Center (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-denial-of-servi… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Ubuntu affect IBM Workload Scheduler 9.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Digital Payments (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2020
by Daily end-of-shift report 04 May '20

04 May '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-04-2020 18:00 − Montag 04-05-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New phishing campaign packs an info-stealer, ransomware punch ∗∗∗ --------------------------------------------- A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-campaign-packs-… ∗∗∗ Jetzt patchen! Angreifer attackieren Oracle WebLogic Server ∗∗∗ --------------------------------------------- Derzeit haben es Angreifer unter anderem auf eine kritische Sicherheitslücke in Oracle WebLogic Server abgesehen. --------------------------------------------- https://heise.de/-4713619 ∗∗∗ Power Supply Can Turn Into Speaker for Data Exfiltration Over Air Gap ∗∗∗ --------------------------------------------- A researcher has demonstrated that threat actors could exfiltrate data from an air-gapped device over an acoustic channel even if the targeted machine does not have any speakers, by abusing the power supply. --------------------------------------------- https://www.securityweek.com/power-supply-can-turn-speaker-data-exfiltratio… ∗∗∗ Vorsicht vor gefährlichen VPN-Diensten ∗∗∗ --------------------------------------------- VPN-Dienste sind momentan gefragt wie nie zuvor. „Virtuelle private Netzwerke“ erhalten besonders durch verstärktes Home-Office Zulauf. Sie ermöglichen beispielsweise sicheren Zugriff auf Firmennetzwerke von zu Hause aus. Doch Vorsicht: Die hohe Nachfrage wird von Kriminellen ausgenützt. Sie kopieren Websites echter VPN-Dienste und laden gefährliche Schadsoftware auf die Systeme ihrer Opfer! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaehrlichen-vpn-diens… ∗∗∗ CursedChrome turns your browser into a hackers proxy ∗∗∗ --------------------------------------------- CursedChrome shows how hackers can take full control over your Chrome browser using just one extension. --------------------------------------------- https://www.zdnet.com/article/cursedchrome-turns-your-browser-into-a-hacker… ∗∗∗ Angriffe auf Salt, LineageOS, Ghost und Digicert ∗∗∗ --------------------------------------------- Hacker nutzen Schwachstellen aus, um Systeme zu attackieren. Im Blickpunkt stehen aktuell der SaltStack, das Handy-Betriebssystem LineageOS, die Bloggerplattform Ghost und der Zertifizierungsanbieter Digicert. --------------------------------------------- https://www.zdnet.de/88379335/angriffe-auf-salt-lineageos-ghost-und-digicer… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (git, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, python-twisted-web, and thunderbird), Debian (dom4j, miniupnpc, otrs2, pound, ruby2.1, vlc, w3m, and yodl), Fedora (git, java-latest-openjdk, mingw-libxml2, php-horde-horde, pxz, sqliteodbc, and xen), Gentoo (cacti, django, fontforge, and libu2f-host), openSUSE (cacti, cacti-spine, chromium, python-typed-ast, and salt), Red Hat (gnutls and kernel), SUSE (kernel), and Ubuntu (edk2). --------------------------------------------- https://lwn.net/Articles/819200/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mailman, openldap, pound, tomcat8, and trafficserver), Fedora (chromium, java-11-openjdk, kernel, openvpn, pxz, and rubygem-json), openSUSE (apache2, bouncycastle, chromium, git, python-typed-ast, resource-agents, ruby2.5, samba, squid, webkit2gtk3, and xen), Slackware (seamonkey), SUSE (LibVNCServer and permissions), and Ubuntu (mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/819394/ ∗∗∗ TP-Link Patches Multiple Vulnerabilities in NC Cloud Cameras ∗∗∗ --------------------------------------------- TP-Link has released firmware updates to address several vulnerabilities in its NC series cloud cameras, including bugs that could lead to the remote execution of arbitrary commands. --------------------------------------------- https://www.securityweek.com/tp-link-patches-multiple-vulnerabilities-nc-cl… ∗∗∗ Synology-SA-20:11 SRM ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of SRM. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_11 ∗∗∗ Synology-SA-20:10 WordPress ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a susceptible version of WordPress. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_10 ∗∗∗ Security Bulletin: Vulnerability in Xerces-C (CVE-2018-1311) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-xerces-c… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: OpenSSL disclosed vulnerability affects MessageGatweay (CVE-2020-1967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-disclosed-vulnera… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Windows DLL injection vulnerability in IBM Java Runtime affects Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2019-1551 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Scale (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0409 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2020
by Daily end-of-shift report 30 Apr '20

30 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-04-2020 18:00 − Donnerstag 30-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Sway abused in PerSwaysion spear-phishing operation ∗∗∗ --------------------------------------------- Multiple threat actors running phishing attacks on corporate targets have been counting on Microsoft Sway service to trick victims into giving their Office 365 login credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-sway-abused-in-per… ∗∗∗ „Sarah“ verschickt gefälschte HOFER-Umfrage ∗∗∗ --------------------------------------------- Unter dem Namen „Sarah“ verschicken Kriminelle derzeit willkürlich SMS mit einem Link, der zu einem gefälschten HOFER-Treueprogramm führt. Versprochen werden exklusive Preise, sofern an einer Umfrage zur Kundenzufriedenheit teilgenommen wird. Wir haben uns das vermeintliche Treueprogramm genauer angeschaut. Unser Fazit: Die versprochenen Preise erhalten Sie nicht. Stattdessen hoffen die BetrügerInnen, dass sie ein Abo abschließen. Dieses würde Sie [...] --------------------------------------------- https://www.watchlist-internet.at/news/sarah-verschickt-gefaelschte-hofer-u… ∗∗∗ Cybercriminals are using Google reCAPTCHA to hide their phishing attacks ∗∗∗ --------------------------------------------- Security researchers say that they are seeing cybercriminals deploying Google’s reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns. --------------------------------------------- https://hotforsecurity.bitdefender.com/blog/cybercriminal-are-using-google-… ∗∗∗ Cybereason warnt vor neuem mobilen Banking-Trojaner ∗∗∗ --------------------------------------------- EventBot ist erst seit März 2020 im Umlauf. Die Malware stiehlt Daten von Finanz-Apps und hebelt die 2-Faktor-Authentifizierung auf. Die Hintermänner sind so in der Lage, geschäftliche und private Finanztransaktionen zu kapern. --------------------------------------------- https://www.zdnet.de/88379272/cybereason-warnt-vor-neuem-mobilen-banking-tr… ===================== = Vulnerabilities = ===================== ∗∗∗ Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now ∗∗∗ --------------------------------------------- The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. A patch for the issues was released last night, but systems that are not set to auto-update may still be vulnerable. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/30/salt_aut… ∗∗∗ WordPress Releases Security Update ∗∗∗ --------------------------------------------- WordPress 5.4 and prior versions are affected by multiple vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected website. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 5.4.1. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/04/30/wordpress-releases… ∗∗∗ macOS: Sandbox-Ausbruch per Editor ∗∗∗ --------------------------------------------- In TextEdit steckt ein Bug, mit dem böswillige Apps eigentlich verbotene Kommandos ausführen können. --------------------------------------------- https://heise.de/-4712045 ∗∗∗ High Severity Vulnerability Patched in Ninja Forms ∗∗∗ --------------------------------------------- On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery(CSRF) vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version. --------------------------------------------- https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, git, and webkit2gtk), Debian (nodejs and tiff), Fedora (libxml2, php-horde-horde, pxz, and sqliteodbc), Oracle (python-twisted-web), Red Hat (chromium-browser, git, and rh-git218-git), Scientific Linux (python-twisted-web), SUSE (ceph, kernel, munge, openldap2, salt, squid, and xen), and Ubuntu (mailman, python3.8, samba, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/819064/ ∗∗∗ Synology-SA-20:08 Cloud Station Backup ∗∗∗ --------------------------------------------- A vulnerability allows local users to execute arbitrary code via a susceptible version of Cloud Station Backup. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_08_Cloud… ∗∗∗ Synology-SA-20:07 Synology Calendar ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote authenticated users to download arbitrary files or hijack the authentication of administrators via a susceptible version of Synology Calendar. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_07_Synol… ∗∗∗ Synology-SA-20:06 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote authenticated users to conduct denial-of-service attacks or obtain user credentials via a susceptible version of DSM. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_06_DSM ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- An issue has been discovered in Citrix Hypervisor that, if exploited, could potentially allow an attacker on the management network to enumerate valid administrative account usernames. Note that this attack does not disclose the corresponding passwords [...] --------------------------------------------- https://support.citrix.com/article/CTX272237 ∗∗∗ Security Advisory - Invalid Pointer Access Vulnerability in Huawei OceanStor Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200429-… ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2020-1938) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability found by vFinder in IBM eDiscovery Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ F5 BIG-IP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0402 ∗∗∗ The BIG-IP AFM ACL and IPI features may not function as designed ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K72423000 ∗∗∗ Intel QAT cryptography driver vulnerability CVE-2020-5882 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43815022 ∗∗∗ The BIG-IP ASM system may fail to mask a configured sensitive parameter in the Referer header value ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33572148 ∗∗∗ BIG-IP APM logs may contain random data after the APM session ID ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43404365 ∗∗∗ BIG-IP SSL connection Alert Timeout security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K25165813 ∗∗∗ BIG-IP may not detect invalid Transfer-Encoding headers ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10701310 ∗∗∗ HPESBMU03997 rev.1 - HPE Smart Update Manager (SUM), Remote Unauthorized Access ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ OpenLDAP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0405 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2020
by Daily end-of-shift report 29 Apr '20

29 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-04-2020 18:00 − Mittwoch 29-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Would You Have Fallen for This Phone Scam? ∗∗∗ --------------------------------------------- You may have heard that todays phone fraudsters like to use use caller ID spoofing services to make their scam calls seem more believable. But you probably didnt know that your bank may be making it super easy for thieves to impersonate the bank, by giving away information about recent transactions on your account via automated, phone-based customer support systems. --------------------------------------------- https://krebsonsecurity.com/2020/04/would-you-have-fallen-for-this-phone-sc… ∗∗∗ Cloud Under Pressure: Keeping AWS Projects Secure ∗∗∗ --------------------------------------------- Amazon Web Services (AWS) allow organizations to take advantage of numerous services and capabilities. As the number of available options under the cloud infrastructure of the company grows, so too do the security risks and the possible weaknesses. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/cloud/c… ∗∗∗ Google Researchers Find Multiple Vulnerabilities in Apples ImageIO Framework ∗∗∗ --------------------------------------------- Google Project Zero security researchers have discovered multiple vulnerabilities in ImageIO, the image parsing API used by Apple’s iOS and macOS operating systems. --------------------------------------------- https://www.securityweek.com/google-researchers-find-multiple-vulnerabiliti… ∗∗∗ Emotet C2 and RSA Key Update - 04/28/2020 23:59 ∗∗∗ --------------------------------------------- Emotet C2 and RSA Key - Update 04/28/2020 at 23:59 UTC News: Still no Emotet back this week for spamming but once again more shennanigans with Trickbot installs doing option 42 to drop Emotet E2 as shown by Fate112 in his post here: https://twitter.com/tosscoinwitcher/status/1255259004164542464 Watch for the falling C2 combos… seems like they are doing a lot of spring cleaning as counts plummet as of late. Key and current C2 list below for each Epoch [...] --------------------------------------------- https://paste.cryptolaemus.com/emotet/2020/04/28/emotet-c2-rsa-update-04-28… ∗∗∗ Check Point: Android-Ransomware verschlüsselt Dateien angeblich im Namen des FBI ∗∗∗ --------------------------------------------- Die Erpressersoftware fordert im Namen der US-Bundespolizei ein Lösegeld von 500 Dollar. Sie kann aber auch die vollständige Kontrolle über ein Smartphone übernehmen und weitere schädliche Apps installieren. Check Point vermutet die Hintermänner in Russland. --------------------------------------------- https://www.zdnet.de/88379222/check-point-android-ransomware-verschluesselt… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XE SD-WAN Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Updates Available for Magento | APSB20-22 ∗∗∗ --------------------------------------------- Magento has released updates for Magento Commerce and Open Source editions. These updates resolve vulnerabilities rated Critical, Important and Moderate (severity ratings). Successful exploitation could lead to arbitrary code execution. --------------------------------------------- https://helpx.adobe.com/security/products/magento/apsb20-22.html ∗∗∗ VMSA-2020-0008 ∗∗∗ --------------------------------------------- VMware ESXi patches address Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3955) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0008.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, openjdk-7, openjdk-8, and openldap), Fedora (openvpn), openSUSE (teeworlds and vlc), Red Hat (bind, binutils, bluez, container-tools:1.0, container-tools:2.0, container-tools:rhel8, cups, curl, dnsmasq, dpdk, e2fsprogs, edk2, evolution, exiv2, fontforge, freeradius:3.0, gcc, gdb, glibc, GNOME, grafana, GStreamer, libmad, and SDL, haproxy, ibus and glib2, irssi, kernel, kernel-rt, liblouis, libmspack, libreoffice, libsndfile, libtiff, libxml2, [...] --------------------------------------------- https://lwn.net/Articles/818950/ ∗∗∗ Advisory: Sophos XG Firewall: Asnarok Vulnerability - Actions required for SFM/CFM managed devices ∗∗∗ --------------------------------------------- This article outlines the remediation steps for XG Firewalls with severed connections to SFM and CFM central management product. --------------------------------------------- https://community.sophos.com/kb/en-US/135429 ∗∗∗ Advisory - Sophos XG Firewall v18: Upgrade from v17.5.x to v18 Build_354 will take longer than previous upgrades ∗∗∗ --------------------------------------------- https://community.sophos.com/kb/en-US/135437 ∗∗∗ April 28, 2020 TNS-2020-03 [R1] Nessus Agent 7.6.3 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2020-03 ∗∗∗ Red Hat Security Advisories ∗∗∗ --------------------------------------------- https://access.redhat.com/errata/#/?q=&p=1&sort=portal_publication_date%20d… ∗∗∗ Security Bulletin: Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Security Bulletin: Vulnerabilities exist in Watson Explorer (CVE-2019-4720, CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-… ∗∗∗ Security Bulletin: Vulnerabilities in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2020 CPU (CVE-2020-2583, CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in in IBM® Runtime Environment Java™ Version affects IBM WIoTP MessageGateway (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-in-ibm… ∗∗∗ Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-wat… ∗∗∗ Security Bulletin: Sensitive Information Disclosed in Logs (CVE-2019-4286) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-dis… ∗∗∗ Security Bulletin: Vulnerability in nss, nss-softokn, nss-util vulnerability (CVE-2019-11729 and CVE-2019-11745) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nss-nss-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2020
by Daily end-of-shift report 28 Apr '20

28 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Montag 27-04-2020 18:00 − Dienstag 28-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Achtung Schadsoftware: Bundeskriminalamt warnt vor gefälschter Polizei-Mail ∗∗∗ --------------------------------------------- Zurzeit kursiert eine Mail mit dem Betreff "Letzte Einladung der Polizei". Darin werden die Empfänger aufgefordert, mit der Polizei Kontakt aufzunehmen und die Anhänge zu öffnen. Dabei handelt es sich mit hoher Wahrscheinlichkeit um Schadsoftware. --------------------------------------------- http://www.bmi.gv.at/news.aspx?id=414F7246445856707A58773D ∗∗∗ Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th) ∗∗∗ --------------------------------------------- While going over malicious e-mails caught by our company gateway in March, I noticed that several of those, that carried ACE file attachments, appeared to be from the same sender. That would not be that unusual, but and after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019. --------------------------------------------- https://isc.sans.edu/diary/rss/26062 ∗∗∗ Cybercrime: Führungskräfte geduldig ausspionieren und dann ausnehmen ∗∗∗ --------------------------------------------- Über Man-in-the-Middle-Attacken greift die "Florentiner Bankengruppe" gezielt Entscheidungsträger an – ein erfolgreiches Spiel auf Zeit. --------------------------------------------- https://heise.de/-4710607 ∗∗∗ New Version of Infection Monkey Maps to MITRE ATT&CK Framework ∗∗∗ --------------------------------------------- Guardicores open source breach and attack simulation platform Infection Monkey now maps its attack results to the MITRE ATT&CK framework, allowing users to quickly discover internal vulnerabilities and rapidly fix them. --------------------------------------------- https://www.securityweek.com/new-version-infection-monkey-maps-mitre-attck-… ∗∗∗ Website-BetreiberInnen aufgepasst: Erpressungsmails im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche Website-BetreiberInnen erhalten aktuell betrügerische Erpressungsmails. Kriminelle behaupten auf Englisch, sie hätten Ihre Website gehackt und nun Zugriff auf sämtliche Datensätze. Diese drohen sie zu veröffentlichen und Ihre KundInnen über das angebliche Datenleck zu informieren. Damit das nicht geschieht fordern sie 2000 USD in Form von Bitcoins. Gehen Sie nicht darauf ein, es handelt sich um ein betrügerisches Spam-E-Mail! --------------------------------------------- https://www.watchlist-internet.at/news/website-betreiberinnen-aufgepasst-er… ∗∗∗ Anatomy of Formjacking Attacks ∗∗∗ --------------------------------------------- A detailed look at the fast-growing crime of formjacking, where cybercriminals hack a website to collect sensitive user information and steal credit card numbers. --------------------------------------------- https://unit42.paloaltonetworks.com/anatomy-of-formjacking-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Bridge (APSB20-19) and Adobe Illustrator (APSB20-20). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1864 ∗∗∗ High-Severity Vulnerabilities Patched in LearnPress ∗∗∗ --------------------------------------------- On March 16, 2020, LearnPress – WordPress LMS Plugin, a WordPress plugin with over 80,000 installations, patched a high-severity vulnerability that allowed subscriber-level users to elevate their permissions to those of an “LP Instructor”, a custom role with capabilities similar to the WordPress “author” role, including the ability to upload files and create posts containing [...] --------------------------------------------- https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patche… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, qemu-kvm, and thunderbird), Debian (qemu and ruby-json), Fedora (chromium, haproxy, and libssh), openSUSE (cacti, cacti-spine and teeworlds), Oracle (kernel), SUSE (apache2, git, kernel, ovmf, and xen), and Ubuntu (cups, file-roller, and re2c). --------------------------------------------- https://lwn.net/Articles/818821/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0005 ∗∗∗ --------------------------------------------- Date Reported: April 27, 2020 Advisory ID: WSA-2020-0005 CVE identifiers: CVE-2020-3885, CVE-2020-3894,CVE-2020-3895, CVE-2020-3897,CVE-2020-3899, CVE-2020-3900,CVE-2020-3901, CVE-2020-3902. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2020-3885 Versions affected: WebKitGTK before 2.28.0 and WPE WebKit before2.28.0. Credit to Ryan Pickren (ryanpickren.com). Impact: A file URL may be incorrectly processed. Description: Alogic issue was addressed with improved [...] --------------------------------------------- https://webkitgtk.org/security/WSA-2020-0005.html ∗∗∗ IntelMQ Manager release 2.1.1 fixes critical security issue ∗∗∗ --------------------------------------------- The IntelMQ Manager version 2.1.1 released yesterday fixes a Remote Code Execution flaw (CWE-78: OS Command Injection). The documentation for version 2.1.1 and installation instructions can be found on our GitHub repository. Always run IntelMQ Manager instances in private networks with proper authentication & TLS. Further, restrict access to the tool to web-browsers which can only access internal web-sites, as workaround for existing CSRF issues. See also our security considerations with [...] --------------------------------------------- https://cert.at/en/blog/2020/4/intelmq-manager-release-211-fixes-critical-s… ∗∗∗ Security Bulletin: CVE-2019-1552 vulnerability in OpenSSL affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-1552-vulnerabili… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a denial of service that affect TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: NVIDIA Windows and Linux GPU Display drivers are have resolved several security vulnerabilities as described below. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-nvidia-windows-and-linux-… ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)(CVE-2019-12418, CVE-2019-17563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a denial of service that affect IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows(IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2020 CPU (CVE-2020-2583, CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ HPESBHF03970 rev.1 - HPE Products with Intel Ethernet 700 Series Processors, Local Escalation of Privilege, Local Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0377 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.04.2020
by Daily end-of-shift report 27 Apr '20

27 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-04-2020 18:00 − Montag 27-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware ∗∗∗ --------------------------------------------- A new phishing campaign is delivering a new stealthy backdoor from the developers of TrickBot that is used to compromise and gain full access to corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-… ∗∗∗ Asnarök malware exploits firewall zero-day to steal credentials ∗∗∗ --------------------------------------------- Some Sophos firewall products were attacked with a new Trojan malware, dubbed Asnarök by researchers cyber-security firm Sophos, to steal usernames and hashed passwords starting with April 22 according to an official timeline. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asnar-k-malware-exploits-fir… ∗∗∗ Shade Ransomware shuts down, releases 750K decryption keys ∗∗∗ --------------------------------------------- The operators behind the Shade Ransomware (Troldesh) have shut down their operations, released over 750,000 decryption keys, and apologized for the harm they caused their victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/shade-ransomware-shuts-down-… ∗∗∗ Eight Common OT / Industrial Firewall Mistakes ∗∗∗ --------------------------------------------- Firewalls are easy to misconfigure. While the security consequences of such errors may be acceptable for some firewalls, the accumulated risks of misconfigured firewalls in a defense-in-depth OT network architecture are generally unacceptable. --------------------------------------------- https://threatpost.com/waterfall-eight-common-ot-industrial-firewall-mistak… ∗∗∗ Understanding the basics of API security ∗∗∗ --------------------------------------------- This is the first of a series of articles that introduces and explains application programming interfaces (API) security threats, challenges, and solutions for participants in software development, operations, and protection. --------------------------------------------- https://www.helpnetsecurity.com/2020/04/27/basics-api-security/ ∗∗∗ GDPR.EU has er… a data leakage issue ∗∗∗ --------------------------------------------- The web site GDPR.EU is an advice site ‘operated by Proton Technologies AG, co-funded by … the EU Horizon Framework’. It’s full of useful advice for organisations that need to [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/gdpr-eu-has-er-a-data-leakage… ===================== = Vulnerabilities = ===================== ∗∗∗ Hacker nutzen Zero-Day-Lücke in Sophos-Firewall aus ∗∗∗ --------------------------------------------- Unbekannte stehlen Dateien mit Anmeldedaten von Firewall-Administratoren und lokalen Nutzern. Sophos findet keinen Hinweis auf einen Missbrauch dieser Daten. Inzwischen steht ein Notfall-Update für die Schwachstelle zur Verfügung. --------------------------------------------- https://www.zdnet.de/88379086/hacker-nutzen-zero-day-luecke-in-sophos-firew… ∗∗∗ Duplicated Vulnerabilities in WordPress Plugins ∗∗∗ --------------------------------------------- During a recent plugin audit, we noticed a weird pattern among many plugins responsible for performing a specific task: Duplicating a page or a post. With a bit of research, we came to the following conclusion: Many of these plugins came from the same source — and contained the same vulnerabilities. --------------------------------------------- https://blog.sucuri.net/2020/04/duplicated-vulnerabilities-in-wordpress-plu… ∗∗∗ Authentication bypass in FortiMail and FortiVoiceEntreprise ∗∗∗ --------------------------------------------- An improper authentication vulnerability in FortiMail and FortiVoiceEntreprise may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-045 ∗∗∗ High Severity Vulnerability Patched in Real-Time Find and Replace Plugin ∗∗∗ --------------------------------------------- On April 22, 2020, our Threat Intelligence team discovered a vulnerability in Real-Time Find and Replace, a WordPress plugin installed on over 100,000 sites. This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in [...] --------------------------------------------- https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium), Debian (eog, jsch, libgsf, mailman, ncmpc, openjdk-11, php5, python-reportlab, radicale, and rzip), Fedora (ansible, dolphin-emu, git, gnuchess, liblas, openvpn, php, qt5-qtbase, rubygem-rake, snakeyaml, webkit2gtk3, and wireshark), Mageia (chromium-browser-stable, git, java-1.8.0-openjdk, kernel, kernel-linus, mp3gain, and virtualbox), openSUSE (crawl, cups, freeradius-server, kubernetes, and otrs), SUSE (apache2, kernel, pam_radius, [...] --------------------------------------------- https://lwn.net/Articles/818763/ ∗∗∗ JSA11021 - 2020-04 Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021&actp=RSS ∗∗∗ HPESBHF03945 rev.1 - HPE Servers using Supplemental Update / Online ROM Flash Component for Linux, Local Execution of Arbitrary Code. ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ OTRS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0372 ∗∗∗ ILIAS: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0370 ∗∗∗ Postfix: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0376 ∗∗∗ Security Bulletin: IBM Integration Bus affected by multiple Apache Tomcat (core only) vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-affec… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Websphere Message Broker V8. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2019 CPU (CVE-2019-2964, CVE-2019-2989 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2020
by Daily end-of-shift report 24 Apr '20

24 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-04-2020 18:00 − Freitag 24-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Protecting your organization against password spray attacks ∗∗∗ --------------------------------------------- If your users sign in with guessable passwords, you may be at risk of a password spray attack.The post Protecting your organization against password spray attacks appeared first on Microsoft Security. --------------------------------------------- https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-… ∗∗∗ Malicious Excel With a Strong Obfuscation and Sandbox Evasion, (Fri, Apr 24th) ∗∗∗ --------------------------------------------- For a few weeks, we see a bunch of Excel documents spread in the wild with Macro V4[1]. But VBA macros remain a classic way to drop the next stage of the attack on the victims computer. The attacker has many ways to fetch the next stage. He can download it from a compromised server or a public service like pastebin.com, dropbox.com, or any other service that allows sharing content. The problem is, in this case, that it generates more noise via new network flows and the attack [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26048 ∗∗∗ Gefahren durch Webshells: NSA nennt beliebte Einfallstore für Server-Angriffe ∗∗∗ --------------------------------------------- US- und australische Behörden geben Tipps zum Aufspüren von Webshells und nennen einige teils recht alte, bei Angreifern aber noch immer beliebte Lücken. --------------------------------------------- https://heise.de/-4709470 ∗∗∗ When in Doubt: Hang Up, Look Up, & Call Back ∗∗∗ --------------------------------------------- Many security-conscious people probably think theyd never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Heres how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse. --------------------------------------------- https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/ ===================== = Vulnerabilities = ===================== ∗∗∗ Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution ∗∗∗ --------------------------------------------- The FTTH provisioning solution suffers from an unauthenticated remote code execution vulnerability due to an unsafe deserialization of Java objects (ViewState) triggered via the javax.faces.ViewState HTTP POST parameter. The deserialization can cause the vulnerable JSF web application to execute arbitrary Java functions, malicious Java bytecode, and system shell commands with root privileges. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (lib32-openssl), Debian (git), Gentoo (chromium, firefox, git, and openssl), Oracle (kernel and python-twisted-web), Red Hat (python-twisted-web), Scientific Linux (python-twisted-web), and SUSE (file-roller, kernel, and resource-agents). --------------------------------------------- https://lwn.net/Articles/818565/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBMJava SDK affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service attack caused by an authenticated user crafting a malicious message (CVE-2019-4656) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: IBM MQ Appliance could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. (CVE-2019-4619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al… ∗∗∗ Security Bulletin: IBM Cloud App Management is vulnerable to cross-site request forgery (CVE-2019-4750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-app-management-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Cloud App Management (CVE-2020-2593) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a tcpdump vulnerability (CVE-2018-19519) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service attack due to an error in the Channel processing function. (CVE-2019-4762) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-4267) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2019-4719) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al… ∗∗∗ BIG-IQ HA vulnerability CVE-2020-5870 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K69422435 ∗∗∗ BIG-IQ HA vulnerability CVE-2020-5869 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28855111 ∗∗∗ BIG-IQ Grafana vulnerability CVE-2020-5868 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K37130415 ∗∗∗ HPESBHF03947 rev.1 - HPE UIoT, Remote Unauthorized Access and Access to Sensitive Data ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0362 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2020
by Daily end-of-shift report 23 Apr '20

23 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-04-2020 18:00 − Donnerstag 23-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iPhones durch Zero-Day-Lücken in Apple Mail angreifbar ∗∗∗ --------------------------------------------- iOS-Nutzer sollten die Mail-App vorübergehend nicht benutzen, warnen Sicherheitsforscher. Schwachstellen erlauben unbemerktes Code-Einschleusen. --------------------------------------------- https://heise.de/-4707901 ∗∗∗ New Data Center Requirements - Can You Help Host Shadowserver? ∗∗∗ --------------------------------------------- Shadowserver urgently needs to move our current data center by August 2020. We are blogging our data center requirements for hosting and colocation providers, or other companies who might be able to help provide a new home for our public benefit services for the global Internet. Please reach out and get in touch if you can help. --------------------------------------------- https://www.shadowserver.org/news/new-data-center-requirements-can-you-help… ∗∗∗ Maze Ransomware – What You Need to Know ∗∗∗ --------------------------------------------- What’s this Maze thing I keep hearing about? Maze is a particularly sophisticated strain of Windows ransomware that has hit companies and organizations around the world and demanded that a cryptocurrency payment be made in exchange for the safe recovery of encrypted data. There’s been plenty of ransomware before. What makes Maze so special? --------------------------------------------- https://www.tripwire.com/state-of-security/featured/maze-ransomware-what-yo… ∗∗∗ Researchers Turn Antivirus Software Into Destructive Tools ∗∗∗ --------------------------------------------- A vulnerability impacting nearly all antivirus products out there could have been exploited to disable anti-malware protection or render the operating system unusable, RACK911 Labs security researchers reveal. --------------------------------------------- https://www.securityweek.com/researchers-turn-antivirus-software-destructiv… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (openssl), openSUSE (freeradius-server, kernel, thunderbird, and vlc), Oracle (git, java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), SUSE (ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, [...] --------------------------------------------- https://lwn.net/Articles/818481/ ∗∗∗ Security Advisory - Three Out of Bounds Vulnerabilities in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-… ∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Huawei OSD Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an SQLite vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by vulnerabilities in OpenSSL (CVE-2019-1547 and CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-nextscale-fan-power-c… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage System 3000(CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Liberty Profile affects IBM Spectrum Symphony and IBM Platform Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring insufficient default file/folder permissions on windows. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-ins… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Elastic Storage System (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to side channel attack with Intel CPUs (CVE-2019-11135) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ NGINX Controller sensitive command-line arguments vulnerability CVE-2020-5866 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11922628 ∗∗∗ NGINX Controller vulnerability CVE-2020-5864 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27205552 ∗∗∗ NGINX Controller insecure database transport vulnerability CVE-2020-5865 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21009022 ∗∗∗ NGINX Controller vulnerability CVE-2020-5867 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00958787 ∗∗∗ HPESBHF03988 rev.1 - HPE Onboard Administrator, Remote Reflected Cross Site Scripting ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBNS03996 rev.1 - HPE NonStop Blade Maintenance Entity, Integrated Maintenance Entity and Maintenance Entity, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Squid: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0360 ∗∗∗ Red Hat JBoss A-MQ: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0361 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2020
by Daily end-of-shift report 22 Apr '20

22 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-04-2020 18:00 − Mittwoch 22-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ You Wont Believe what this One Line Change Did to the Chrome Sandbox ∗∗∗ --------------------------------------------- The Chromium sandbox on Windows has stood the test of time. It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the Windows OS. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-o… ∗∗∗ New iPhone Zero-Day Discovered ∗∗∗ --------------------------------------------- Last year, ZecOps discovered two iPhone zero-day exploits. They will be patched in the next iOS release: Avraham declined to disclose many details about who the targets were, and did not say whether they lost any data as a result of the attacks, but said "we were a bit surprised about who was targeted." --------------------------------------------- https://www.schneier.com/blog/archives/2020/04/new_iphone_zero.html ∗∗∗ NSA, ASD Release Guidance for Mitigating Web Shell Malware ∗∗∗ --------------------------------------------- The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have jointly released a Cybersecurity Information Sheet (CSI) on mitigating web shell malware. Malicious cyber actors are increasingly deploying web shell malware on victim web servers to execute arbitrary system commands. By deploying web shell malware, cyber attackers can gain persistent access to compromised networks. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/04/22/nsa-asd-release-gu… ∗∗∗ Achtung vor Shops mit service6(a)vinayotap.com E-Mail-Adressen ∗∗∗ --------------------------------------------- Derzeit melden LeserInnen der Watchlist Internet vermehrt neue Fake-Shops, die vor allem eines gemeinsam haben: Sie verweisen alle auf die E-Mail-Adresse --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-shops-mit-service6vinayo… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D ∗∗∗ --------------------------------------------- The flaws exist in Autodesks FBX library, integrated in Microsofts Office, Office 365 ProPlus and Paint 3D applications. --------------------------------------------- https://threatpost.com/microsoft-issues-out-of-band-security-update-for-off… ∗∗∗ Zero-Day-Lücken in IBM Data Risk Manager - Forscher-Report ignoriert ∗∗∗ --------------------------------------------- Sicherheitsforscher haben im Überwachungstool IBM Data Risk Manager vier Lücken entdeckt - drei gelten als kritisch. Erste Patches sind bereits da. --------------------------------------------- https://heise.de/-4707165 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (java-1.7.0-openjdk and java-1.8.0-openjdk), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, and kernel), Scientific Linux (kernel), Slackware (git), SUSE (openssl-1_1 and puppet), and Ubuntu (binutils and thunderbird). --------------------------------------------- https://lwn.net/Articles/818359/ ∗∗∗ 2020-04-21: Multiple vulnerabilities in B&R Automation Studio ∗∗∗ --------------------------------------------- https://www.br-automation.com/en/downloads/032020-multiple-vulnerabilities-… ∗∗∗ 2020-04-21: TPM-Fail vulnerability in several B&R products ∗∗∗ --------------------------------------------- https://www.br-automation.com/en/downloads/022020-tpm-fail/ ∗∗∗ 2020-04-22: UPS Adapter CS141 – Path traversal vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A4579&Lan… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-… ∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Huawei PCManager Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-… ∗∗∗ Security Bulletin: CVE-2020-4202IBM UrbanCode Deploy (UCD) could allow an authenticated user to impersonate another user if the server is configured to enable Distributed Front End (DFE). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4202ibm-urbancod… ∗∗∗ Security Bulletin: Windows DLL injection vulnerability in IBM Java Runtime affects Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul… ∗∗∗ Security Bulletin: Ansible vulnerability affects IBM Elastic Storage System 3000 (CVE-2020-1734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ansible-vulnerability-aff… ∗∗∗ Security Bulletin: CVE-2019-4668 Pattern integration passwords stored in db without current encryption ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4668-pattern-int… ∗∗∗ Security Bulletin: CVE-2014-3524 CSV Injection in reports ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2014-3524-csv-injecti… ∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerability in IBM Spectrum Protect Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl… ∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by a vulnerability where an unprivileged user could execute commands as root ( CVE-2020-4273) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste… ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0355 ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0351 ∗∗∗ OpenSSL: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0357 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.04.2020
by Daily end-of-shift report 21 Apr '20

21 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Montag 20-04-2020 18:00 − Dienstag 21-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 10 SMBGhost RCE exploit demoed by researchers ∗∗∗ --------------------------------------------- A proof-of-concept remote code execution (RCE) exploit for the Windows 10 CVE-2020-0796 wormable pre-auth remote code execution vulnerability was developed and demoed today by researchers at Ricerca Security. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-expl… ∗∗∗ SpectX: Log Parser for DFIR, (Tue, Apr 21st) ∗∗∗ --------------------------------------------- I hope this finds you all safe, healthy, and sheltered to the best of your ability. In February I received a DM via Twitter from Liisa at SpectX regarding my interest in checking out SpectX. Never one to shy away from a tool review offer, I accepted. SpectX, available in a free, community desktop version, is a log parser and query engine that enables you to investigate incidents via log files from multiple sources such as log servers, AWS, Azure, Google Storage, Hadoop, ELK and SQL-databases. --------------------------------------------- https://isc.sans.edu/diary/rss/26040 ∗∗∗ Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining ∗∗∗ --------------------------------------------- Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this article, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/l3TOyRDK1yA/ ∗∗∗ Grouping Linux IoT Malware Samples With Trend Micro ELF Hash ∗∗∗ --------------------------------------------- We created Trend Micro ELF Hash (telfhash), an open-source clustering algorithm that effectively clusters Linux IoT malware created using ELF files. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tFHtqxisecc/ ∗∗∗ Kerberos Tickets on Linux Red Teams ∗∗∗ --------------------------------------------- At FireEye Mandiant, we conduct numerous red team engagements within Windows Active Directory environments. Consequently, we frequently encounter Linux systems integrated within Active Directory environments. Compromising an individual domain-joined Linux system can provide useful data on its own, but the best value is obtaining data, such as Kerberos tickets, that will facilitate lateral movement techniques. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-lin… ∗∗∗ Unsichere Deserialisierung gefährdet Steam-Spiele ∗∗∗ --------------------------------------------- Viele Videospiele, die .Net oder Unity verwenden, sind angreifbar und führen Schadcode aus. Steam bietet die Möglichkeit einer wurmähnlichen Infektion. --------------------------------------------- https://heise.de/-4706122 ∗∗∗ 46% of SMBs have been targeted by ransomware, 73% have paid the ransom ∗∗∗ --------------------------------------------- Ransomware attacks are not at all unusual in the SMB community, as 46% of these businesses have been victims. And 73% of those SMBs that have been the targets of ransomware attacks actually have paid a ransom, Infrascale reveals. Yet, more than a quarter of the total SMB survey group said they lack a plan to mitigate a ransomware attack. --------------------------------------------- https://www.helpnetsecurity.com/2020/04/21/paying-ransom/ ∗∗∗ BSI aktualisiert den Mindeststandard TLS ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat zum 9. April 2020 den "Mindeststandard zur Verwendung von Transport Layer Security (TLS)" aktualisiert. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/AktualisierterMST… ∗∗∗ Microsoft Will Not Patch Security Bypass Flaw Abusing MSTSC ∗∗∗ --------------------------------------------- A DLL side-loading vulnerability related to the Microsoft Terminal Services Client (MSTSC) can be exploited to bypass security controls, but Microsoft says it will not be releasing a patch due to exploitation requiring elevated privileges. --------------------------------------------- https://www.securityweek.com/microsoft-will-not-patch-security-bypass-flaw-… ∗∗∗ Zahlungsaufforderungen von angeblichen Streamingdiensten sind Fake ∗∗∗ --------------------------------------------- bodaflix.de, ebaflix.de, teraflix.de, nodaflix.de – angeblich kostenlose Streamingdienste. Nach einer Registrierung erhalten Sie jedoch eine Zahlungsaufforderung über 395,88 Euro. Wird diese ignoriert, folgen meist weitere Zahlungsaufforderungen und Mahnungen von vermeintlichen Inkassobüros. Überweisen Sie kein Geld und antworten Sie auch nicht! Es handelt sich um ein betrügerisches Schreiben. --------------------------------------------- https://www.watchlist-internet.at/news/zahlungsaufforderungen-von-angeblich… ∗∗∗ Hey there! Are you using WhatsApp? Your account may be hackable ∗∗∗ --------------------------------------------- Can someone take control of your WhatsApp account by just knowing your phone number? We ran a small test to find out. --------------------------------------------- https://www.welivesecurity.com/2020/04/20/hey-there-using-whatsapp-your-acc… ===================== = Vulnerabilities = ===================== ∗∗∗ P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting ∗∗∗ --------------------------------------------- The controller suffers from CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a [...] --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php ∗∗∗ [R2] Tenable.sc 5.14.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Tenable.sc leverages third-party software to help provide underlying functionality. One third-party component (jQuery) was found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2020-02 ∗∗∗ Versionsverwaltung: Erneute Sicherheitswarnung für Git ∗∗∗ --------------------------------------------- Updates beheben eine Schwachstelle in Git, die der jüngsten ähnelt und ebenfalls die Credential-Helper-Programme betrifft. --------------------------------------------- https://heise.de/-4706272 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (webkit2gtk), Debian (awl, git, and openssl), Red Hat (chromium-browser, git, http-parser, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, qemu-kvm-ma, rh-git218-git, and rh-maven35-jackson-databind), Scientific Linux (advancecomp, avahi, bash, bind, bluez, cups, curl, dovecot, doxygen, evolution, expat, file, firefox, gettext, git, GNOME, httpd, ImageMagick, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, kernel, lftp, [...] --------------------------------------------- https://lwn.net/Articles/818223/ ∗∗∗ High-Severity Vulnerability in OpenSSL Allows DoS Attacks ∗∗∗ --------------------------------------------- An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks. --------------------------------------------- https://www.securityweek.com/high-severity-vulnerability-openssl-allows-dos… ∗∗∗ [20200403] - Core - Incorrect access control in com_users access level deletion function ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/811-20200403-core-incorrect-ac… ∗∗∗ [20200402] - Core - Missing checks for the root usergroup in usergroup table ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/810-20200402-core-missing-chec… ∗∗∗ [20200401] - Core - Incorrect access control in com_users access level editing function ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/809-20200401-core-incorrect-ac… ∗∗∗ 2020-04-21: SECURITY ABB Central Licensing System Vulnerabilities, impact on System 800xA, Compact HMI and Control Builder Safe ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&Language… ∗∗∗ 2020-04-21: SECURITY Multiple Vulnerabilities in ABB Central Licensing System ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&Language… ∗∗∗ 2020-04-21: SECURITY Inter process communication vulnerability in System 800xA ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&Language… ∗∗∗ Security Bulletin: A denial of service vulnerability in IBM WebSphere Liberty Profile affects IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-denial-of-service-vulne… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2020
by Daily end-of-shift report 20 Apr '20

20 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-04-2020 18:00 − Montag 20-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft helped stop a botnet controlled via an LED light console ∗∗∗ --------------------------------------------- Microsoft says that its Digital Crimes Unit (DCU) discovered and helped take down a botnet of 400,000 compromised devices controlled with the help of an LED light control console. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-helped-stop-a-botn… ∗∗∗ KPOT Analysis: Obtaining the Decrypted KPOT EXE, (Sun, Apr 19th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/26014 ∗∗∗ KPOT AutoIt Script: Analysis, (Mon, Apr 20th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/26012 ∗∗∗ Finding Zoom Meeting Details in the Wild ∗∗∗ --------------------------------------------- The popular web conference platform Zoom has been in the storm for a few weeks. With the COVID19 pandemic, more and more people are working from home and the demand for web conference tools has been growing. --------------------------------------------- https://blog.rootshell.be/2020/04/18/finding-zoom-meeting-details-in-the-wi… ∗∗∗ Clipboard hijacking malware found in 725 Ruby libraries ∗∗∗ --------------------------------------------- Security researchers from ReversingLabs say theyve discovered 725 Ruby libraries uploaded on the official RubyGems repository that contained malware meant to hijack users clipboards. The malicious packages were uploaded on RubyGems between February 16 and 25 by two accounts [...] --------------------------------------------- https://www.zdnet.com/article/clipboard-hijacking-malware-found-in-725-ruby… ∗∗∗ PayPal über Google Pay: Lücke von Februar anscheinend klammheimlich behoben ∗∗∗ --------------------------------------------- Die Lücke, die unautorisierte PayPal-Abbuchungen via Google Pay erlaubte, wurde anscheinend – erst kürzlich – von PayPal gefixt. --------------------------------------------- https://heise.de/-4704339 ∗∗∗ Warten auf Patches: Schwachstellen in Nagios XI gefährden Netzwerke ∗∗∗ --------------------------------------------- Die Monitoring-Software für komplexe IT-Infrastrukturen Nagios XI ist verwundbar. Abhilfe gibt es noch nicht. --------------------------------------------- https://heise.de/-4704444 ∗∗∗ Several Botnets Using Zero-Day Vulnerability to Target Fiber Routers ∗∗∗ --------------------------------------------- Multiple botnets are targeting a zero-day vulnerability in fiber routers in an attempt to ensnare them and leverage their power for malicious purposes, security researchers warn. --------------------------------------------- https://www.securityweek.com/several-botnets-using-zero-day-vulnerability-t… ∗∗∗ In eigener Sache: CERT.at/nic.at sucht Verstärkung (Research Engineer Internet, Vollzeit) ∗∗∗ --------------------------------------------- Unser Research- & Developmentteam sucht für ein Projekt mit CERT.at und Security-Bezug eine/n Research Engineer (m/w, Vollzeit mit 38,5 Stunden) zum ehestmöglichen Einstieg. Dienstort ist Wien. Details finden sich auf der nic.at Jobs-Seite. --------------------------------------------- https://cert.at/de/blog/2020/4/in-eigener-sache-certatnicat-sucht-verstarku… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2019-9506 Encryption Key Negotiation of Bluetooth Vulnerability ∗∗∗ --------------------------------------------- The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-224 ∗∗∗ Kritische Sicherheitslücke in mehreren Xilinx-FPGAs ∗∗∗ --------------------------------------------- Bei Xilinx-FPGAs der Serie 7 (Spartan-7, Artix-7, Kintex-7, Virtex-7) und Virtex-6 lässt sich die Verschlüsselung der Bitstream-Konfigurationsdaten aushebeln. --------------------------------------------- https://heise.de/-4706002 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (openvpn), Debian (awl, file-roller, jackson-databind, and shiro), Fedora (chromium, git, and libssh), Mageia (php, python-bleach, and webkit2), openSUSE (chromium, gstreamer-rtsp-server, and mp3gain), Oracle (thunderbird and tigervnc), SUSE (thunderbird), and Ubuntu (file-roller and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/817987/ ∗∗∗ Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020040108 ∗∗∗ Toshiba Electronic Devices & Storage software registers unquoted service paths ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN13467854/ ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server shipped with Jazz for Service Management (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Nimbus-JOSE-JWT affect IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0347 ∗∗∗ Citrix Hypervisor Multiple Security Updates ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX270837 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2020
by Daily end-of-shift report 17 Apr '20

17 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-04-2020 18:00 − Freitag 17-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fehlerhaftes Update legt Virenschutz in Windows 10 lahm ∗∗∗ --------------------------------------------- Die MS-Virenwächter fielen nach einem Update aus. Die betroffenen Programme können manuell aktualisiert werden. --------------------------------------------- https://futurezone.at/produkte/fehlerhaftes-update-legt-virenschutz-in-wind… ∗∗∗ Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th) ∗∗∗ --------------------------------------------- STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run. --------------------------------------------- https://isc.sans.edu/diary/rss/26032 ∗∗∗ Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th) ∗∗∗ --------------------------------------------- Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur in those days, it is related to the COVID19 pandemic. Its purpose of simple: It checks if Outlook is used by the victim and, if it's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it. --------------------------------------------- https://isc.sans.edu/diary/rss/26030 ∗∗∗ Excel Malspam: Password Protected ... Not! ∗∗∗ --------------------------------------------- Early March of this year, we blogged about multiple malspam campaigns utilizing Excel 4.0 Macros in .xls 97-2003 binary format. In this blog, we will present one more Excel 4.0 Macro spam campaign in the same format crafted with another old MS Excel feature to evade detection. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/excel-malsp… ∗∗∗ Web Skimmer with a Domain Name Generator ∗∗∗ --------------------------------------------- Our security analyst Moe Obaid recently found yet another variation of a web skimmer script injected into a Magento database. The malicious script loads the credit card stealing code from qr201346[.]pw and sends the stolen details to hxxps://gooogletagmanager[.]online/get.php. This approach is pretty typical for skimmers. However, we noticed one interesting feature of the script — instead of using one predefined domain, it generates domain names based on the current date. --------------------------------------------- https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.ht… ∗∗∗ Continued Threat Actor Exploitation Post Pulse Secure VPN Patching ∗∗∗ --------------------------------------------- [...] This Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/aa20-107a ∗∗∗ Sophos zieht problematisches Firmware-Update 9.703 für UTM zurück ∗∗∗ --------------------------------------------- Achtung, nicht installieren: Das Firmware-Update 9.703 für Sophos UTM-Appliances wurde vom Hersteller wegen gravierender Probleme wieder zurückgezogen. --------------------------------------------- https://heise.de/-4704634 ∗∗∗ New AgentTesla variant steals WiFi credentials ∗∗∗ --------------------------------------------- The popular infostealer AgentTesla recently added a new feature that can steal WiFi usernames and passwords, which can potentially be used to spread the malware. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-varian… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Update for Xcode ∗∗∗ --------------------------------------------- Apple has released a security update to address vulnerabilities in Xcode. A remote attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for Xcode 11.4.1 and apply the necessary update. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/04/17/apple-releases-sec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache and chromium), Debian (webkit2gtk), Fedora (firefox, nss, and thunderbird), Mageia (chromium-browser-stable and git), openSUSE (gnuhealth), Oracle (thunderbird), Red Hat (kernel-alt, thunderbird, and tigervnc), Scientific Linux (thunderbird), Slackware (openvpn), and SUSE (freeradius-server and libqt4). --------------------------------------------- https://lwn.net/Articles/817720/ ∗∗∗ Foxit Reader und Foxit Phantom PDF Suite: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0344 ∗∗∗ Security Bulletin: IBM TRIRIGA Application Platform discloses error messages that could aid an attacker formulate future attacks (CVE-2020-4277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-application-p… ∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-j… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server and Liberty affects IBM Cloud App Management (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Insecure Permissions (CVE-2019-4446) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct FTP+ ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-j… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4749) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4644) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2020
by Daily end-of-shift report 16 Apr '20

16 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-04-2020 18:00 − Donnerstag 16-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Polizei warnt vor Fake-Mail von Gesundheitsministerium ∗∗∗ --------------------------------------------- Das gefälschte E-Mail enthält einen Trojaner, der die Daten am Computer verschlüsselt und Lösegeld fordert. --------------------------------------------- https://futurezone.at/digital-life/polizei-warnt-vor-fake-mail-von-gesundhe… ∗∗∗ Sicherheitsupdates: Root-Lücken gefährden IP-Telefone von Cisco ∗∗∗ --------------------------------------------- Verschiedene Produkte des Netzwerkausrüsters Cisco sind verwundbar. Mehrere Lücken gelten als "kritisch". --------------------------------------------- https://heise.de/-4703471 ===================== = Vulnerabilities = ===================== ∗∗∗ JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010 ∗∗∗ --------------------------------------------- Project: JSON:API Version: 8.x-1.26 Date: 2020-April-15 Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All Vulnerability: Unsupported Description: This module provides a JSON API standards-compliant API for accessing andmanipulating Drupal content and configuration entities. The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are strongly encouraged to upgrade [...] --------------------------------------------- https://www.drupal.org/sa-contrib-2020-010 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (git), Fedora (cacti, cacti-spine, chromium, golang-github-buger-jsonparser, kernel, kernel-headers, and kernel-tools), openSUSE (ansible, git, and mp3gain), Oracle (container-tools:ol8, nodejs:10, and virt:ol), Red Hat (chromium-browser, ipmitool, and thunderbird), Slackware (bind), SUSE (quartz), and Ubuntu (php5, php7.0, php7.2, php7.3). --------------------------------------------- https://lwn.net/Articles/817649/ ∗∗∗ CA API Developer Portal 4.2.x / 4.3.1 Access Bypass / Privilege Escalation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020040090 ∗∗∗ Cisco IP Phones Web Application Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wireless LAN Controller 802.11 Generic Advertisement Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wireless LAN Controller CAPWAP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Mobility Express Software Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Aironet Series Access Points Client Packet Processing Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack due to an error in the Channel processing function. (CVE-2019-4762) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server may be vulnerable to attacks based on privilege escalation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM MQ and IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2020-4338) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-ibm-mq-applian… ∗∗∗ Security Bulletin: CVE-2020-4260 Secure properties can be revealed using a generic process ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4260-secure-prop… ∗∗∗ Security Bulletin: OpenSSL Vulnerability Affects IBM Sterling Connect:Express for UNIX (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-aff… ∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability within cURL libcurl (CVE-2019-15601) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v… ∗∗∗ Security Bulletin: Multiple Apache CXF vulnerabilities identified in IBM Tivoli Application Dependency Discovery Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-cxf-vulne… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2020
by Daily end-of-shift report 15 Apr '20

15 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-04-2020 18:00 − Mittwoch 15-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Microsoft schließt über 100 Lücken, drei Windows-Lücken unter Beschuss ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schützen Windows & Co. 17 Schwachstellen sind mit dem Angriffsrisiko "kritisch" eingestuft. --------------------------------------------- https://heise.de/-4702540 ∗∗∗ Sicherheitswarnungen für Git und GitHub ∗∗∗ --------------------------------------------- Eine Schwachstelle in Git ermöglicht das Umleiten von Credentials, und GitHub warnt vor einer Welle von Phishing-Mails. --------------------------------------------- https://heise.de/-4702519 ∗∗∗ Medikamente sicher und legal online kaufen ∗∗∗ --------------------------------------------- Apotheken sind in Österreich trotz Corona-Krise geöffnet. Dennoch wollen Menschen die Ansteckungsgefahr in den Apotheken vermeiden und kaufen rezeptfreie Medikamente online. Es gibt jedoch zahlreiche Fake-Apotheken im Internet, die mit scheinbar rezeptfreien Medikamenten werben. Mit dem EU-Sicherheitslogo erkennen Sie legale Apotheken und können Medikamente ohne Risiko legal online kaufen. --------------------------------------------- https://www.watchlist-internet.at/news/medikamente-sicher-und-legal-online-… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Office April security updates fix critical RCE bugs ∗∗∗ --------------------------------------------- Microsoft released the April 2020 Office security updates on April 14, 2020, with a total of 55 security updates and 5 cumulative updates for 7 different products, and patching 5 critical bugs allowing attackers to run scripts as the current user and remotely execute arbitrary code on unpatched systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-office-april-secur… ∗∗∗ Eaton HMiSoft VU3 ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow and out-of-bounds read vulnerabilities in Eatons HMiSoft VU3 human-machine interface (HMI). --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-105-01 ∗∗∗ Triangle MicroWorks DNP3 Outstation Libraries ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in Triangle MicroWorks DNP3 components and source code libraries. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-105-02 ∗∗∗ Triangle MicroWorks SCADA Data Gateway ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow, out-of-bounds read, and type confusion vulnerabilities in the Triangle MicroWorks SCADA Data Gateway. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-105-03 ∗∗∗ VMSA-2020-0007 ∗∗∗ --------------------------------------------- VMware vRealize Log Insight addresses Cross Site Scripting (XSS) and Open Redirect vulnerabilities (CVE-2020-3953, CVE-2020-3954) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0007.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git, graphicsmagick, php-horde-data, and php-horde-trean), Mageia (apache, gnutls, golang, krb5-appl, libssh, libvncserver, mediawiki, thunderbird, tor, and wireshark), openSUSE (chromium, nagios, and thunderbird), Oracle (kernel and krb5-appl), Red Hat (elfutils, kernel, nss-softokn, ntp, procps-ng, and python), Scientific Linux (firefox), Slackware (git), SUSE (git and ruby2.5), and Ubuntu (git). --------------------------------------------- https://lwn.net/Articles/817565/ ∗∗∗ IPAS: Security Advisories for April 2020 ∗∗∗ --------------------------------------------- Hello, Today, in addition to the 6 security advisories we are releasing, we want to call your attention to a new whitepaper we have just published addressing CVE-2019-0090, a vulnerability in the Intel® Converged Security Management Engine (CSME) that we first disclosed in May of last year. You can read the whitepaper HERE. --------------------------------------------- https://blogs.intel.com/technology/2020/04/ipas-security-advisories-for-apr… ∗∗∗ BSRT-2020-001 Local File Inclusion Vulnerability in Apache Tomcat Impacts BlackBerry Workspaces Server and BlackBerry Good Control ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Advisory - Denial of Service Vulnerability on Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-… ∗∗∗ Security Advisory - Out of Bounds Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2020-4270) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Websphere Application Server affects the IBM Performance Management product (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability in jQuery affects the IBM Performance Management product (CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jquery… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to PHP object injection (CVE-2020-4271) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure (CVE-2019-4593) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to instantiation of arbitrary objects (CVE-2020-4272) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Server-Side Request Forgery (SSRF) (CVE-2020-4294) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Überschreiben von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0325 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2020
by Daily end-of-shift report 14 Apr '20

14 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-04-2020 18:00 − Dienstag 14-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Think Fast: Time Between Disclosure, Patch Release and VulnerabilityExploitation — Intelligence for Vulnerability Management, Part Two ∗∗∗ --------------------------------------------- One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/04/time-between-disclosure… ∗∗∗ WhatsApp-Nachricht: Billa verlost keinen 250 € Gutschein ∗∗∗ --------------------------------------------- Sie haben von einem WhatsApp-Kontakt einen Link zu einem Billa-Gutschein erhalten und fragen sich was dahintersteckt? Die Watchlist Internet hat sich diesen sogenannten Kettenbrief näher angesehen! Unser Fazit: Sie erhalten weder einen Gutschein, noch stammt diese Verlosung von Billa. --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-nachricht-billa-verlost-kei… ∗∗∗ APT41 Using New Speculoos Backdoor to Target Organizations Globally ∗∗∗ --------------------------------------------- Unit 42 identifies new payload, named Speculoos, exploiting CVE-2019-19781 to target organizations around the world, including state government in the United States. --------------------------------------------- https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-t… ∗∗∗ Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns ∗∗∗ --------------------------------------------- New research shows COVID-19 themed phishing campaigns are targeting healthcare organizations and medical research facilities around the world. --------------------------------------------- https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-go… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe ColdFusion (APSB20-18), Adobe After Effects (APSB20-21) and Adobe Digital Editions (APSB20-23). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1859 ∗∗∗ Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update ∗∗∗ --------------------------------------------- Oracle will detail 405 new security vulnerabilities Tuesday, part of its quarterly Critical Patch Update Advisory. --------------------------------------------- https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-up… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (haproxy), Gentoo (chromium and libssh), openSUSE (ansible, chromium, gmp, gnutls, libnettle, libssh, mgetty, nagios, permissions, and python-PyYAML), and Oracle (firefox, kernel, qemu-kvm, and telnet). --------------------------------------------- https://lwn.net/Articles/817399/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (thunderbird), Debian (thunderbird), Fedora (drupal7-ckeditor, nrpe, and php-robrichards-xmlseclibs1), Red Hat (firefox and kernel), SUSE (quartz), and Ubuntu (thunderbird). --------------------------------------------- https://lwn.net/Articles/817471/ ∗∗∗ SSA-102233: SegmentSmack in VxWorks-based Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-102233.txt ∗∗∗ SSA-162506: DHCP Client Vulnerability in SIMOTICS CONNECT 400, Desigo PXC/PXM, APOGEE MEC/MBC/PXC, APOGEE PXC Series, and TALON TC Series ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-162506.txt ∗∗∗ SSA-359303: Debug Port in TIM 3V-IE and 4R-IE Family Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-359303.txt ∗∗∗ SSA-377115: SegmentSmack in Linux IP-Stack based Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-377115.txt ∗∗∗ SSA-593272: SegmentSmack in Interniche IP-Stack based Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-593272.txt ∗∗∗ SSA-886514: Persistent XSS Vulnerabilities in the Web Interface of Climatix POL908 and POL909 Modules ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-886514.txt ∗∗∗ Security Bulletin: A vulnerability in IBM Java affect IBM Decision Optimization Center (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Services v2.1.1 (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10209, 10211, 10210, 10208) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie… ∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10164) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie… ∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie… ∗∗∗ XSA-318 - Bad continuation handling in GNTTABOP_copy ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-318.html ∗∗∗ XSA-316 - Bad error path in GNTTABOP_map_grant ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-316.html ∗∗∗ XSA-314 - Missing memory barriers in read-write unlock paths ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-314.html ∗∗∗ XSA-313 - multiple xenoprof issues ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-313.html ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0303 ∗∗∗ SAP Patchday April 2020 ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0300 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2020
by Daily end-of-shift report 10 Apr '20

10 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-04-2020 18:00 − Freitag 10-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ DNS: Gehackte Router zeigen Coronavirus-Warnung mit Schadsoftware ∗∗∗ --------------------------------------------- Gehackte Router leiten bekannte Domains auf eine gefälschte Warnung der WHO um und versuchen, ihren Opfern eine Schadsoftware unterzujubeln. --------------------------------------------- https://www.golem.de/news/dns-gehackte-router-zeigen-coronavirus-warnung-mi… ∗∗∗ Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th) ∗∗∗ --------------------------------------------- How can you know which operating system is running on a specific remote host? The technique to answer this question corresponds to the fingerprinting of the operating system and is executed by sending a specific set of packages to the remote host and see how it behaves. Each operating system responds differently, which allows it to be identified. --------------------------------------------- https://isc.sans.edu/diary/rss/25960 ∗∗∗ PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th) ∗∗∗ --------------------------------------------- Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of Powershell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified. --------------------------------------------- https://isc.sans.edu/diary/rss/26004 ∗∗∗ Analysis of a WordPress Credit Card Swiper ∗∗∗ --------------------------------------------- While working on a recent case, I found something on a WordPress website that is not as common as on Magento environments: A credit card swiper injection. Typically this type of malware targets dedicated ecommerce platforms such as Magento and Prestashop (due to their focus in handling payment information, which we have documented extensively in the past). With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing [...] --------------------------------------------- https://blog.sucuri.net/2020/04/analysis-of-a-wordpress-credit-card-swiper.… ∗∗∗ Sophos Releases Sandboxie in Open Source ∗∗∗ --------------------------------------------- Sophos this week announced that the source code of isolation tool Sandboxie is now publicly available. --------------------------------------------- https://www.securityweek.com/sophos-releases-sandboxie-open-source ∗∗∗ Gefälschte Mails von Sebastian Kurz im Umlauf ∗∗∗ --------------------------------------------- Viele Menschen benötigen derzeit aufgrund geschlossener Betriebe oder fehlender Aufträge finanzielle Unterstützung. Kriminelle nützen diese Ausnahmesituation aus und verschicken E-Mails im Namen von Sebastian Kurz, in denen sie rasche Soforthilfe anbieten. Der Link in diesen E-Mails führt jedoch zu einer unseriösen Trading-Plattform, bei der den Internet-NutzerInnen durch das Investment in Bitcoins schnelles Geld versprochen wird. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-mails-von-sebastian-kurz… ∗∗∗ CVE-2020-0688: Verwundbare Microsoft Exchange Server in Österreich ∗∗∗ --------------------------------------------- Mit CVE-2020-0688 wurde im Februar eine Lücke in Microsoft Exchange Servern gepatched, die AngreiferInnen ermöglicht, beliebigen Code über das Netzwerk auszuführen -- und das mit NT Authority\SYSTEM also der Windows-Entsprechung von root. Für eine erfolgreiche Attacke werden zwar gültige Zugangsdaten für einen Mailaccount benötigt, da es bei CVE-2020-0688 aber auch zu einer Privilegieneskaltion kommt, können diese auch unpriviligiert sein. --------------------------------------------- https://cert.at/de/blog/2020/4/cve-2020-0688-verwundbare-microsoft-exchange… ===================== = Vulnerabilities = ===================== ∗∗∗ Rockwell Automation RSLinx Classic ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in the Rockwell Automation RSLinx Classic PLC communications software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-100-01 ∗∗∗ VMSA-2020-0006 ∗∗∗ --------------------------------------------- VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0006.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, haproxy, libssh, and wireshark-cli), Fedora (firefox, glibc, nss, and rubygem-puma), openSUSE (ceph, exim, firefox, and gnuhealth), Oracle (firefox, kernel, and qemu-kvm), and SUSE (djvulibre and firefox). --------------------------------------------- https://lwn.net/Articles/817233/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Possible remote code execution vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-possible-remote-code-exec… ∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2020
by Daily end-of-shift report 09 Apr '20

09 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-04-2020 18:00 − Donnerstag 09-04-2020 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Visa urges merchants to migrate e-commerce sites to Magento 2.x ∗∗∗ --------------------------------------------- Payments processor Visa is urging merchants to migrate their online stores to Magento 2.x before the Magento 1.x e-commerce platform reaches end-of-life (EoL) in June 2020 to avoid exposing their stores to Magecart attacks and to remain PCI compliant. --------------------------------------------- https://www.bleepingcomputer.com/news/security/visa-urges-merchants-to-migr… ∗∗∗ Data Center Migration Deadline Extended Due To COVID-19 ∗∗∗ --------------------------------------------- The original deadline for Shadowserver to move our data center has been extended from May 26th to August 31st 2020, due to the worsening COVID-19 pandemic and Silicon Valley Shelter in Place lockdowns. This extension provides us with some much needed additional time to continue raising funding for our 2020 operations, such as the recently received donation from cryptocurrency exchange BitMEX. --------------------------------------------- https://www.shadowserver.org/news/data-center-migration-deadline-extended-d… ∗∗∗ BGP Hijacking and BGP Security ∗∗∗ --------------------------------------------- BGP Hijacking is a long-standing problem and is a constant possibility in today’s BGP environment. These news stories will continue for some time to come, but there are things the community can do to limit the impact of these events. --------------------------------------------- https://blog.team-cymru.com/2020/04/08/bgp-hijacking-and-bgp-security/ ∗∗∗ Viele Meldungen zu mimty.de und evenlife.de ∗∗∗ --------------------------------------------- Egal ob Atemschutzmasken, Desinfektionsmittel oder Schutzausrüstung - auf mimty.de und evenlife.de finden Sie Produkte, die momentan äußerst schwer zu bekommen sind. Zahlreiche InternetuserInnen melden diese Online-Shops jedoch an die Watchlist Internet und klagen über ausbleibende Lieferungen. Auch auf Bewertungsportalen wird den beiden Shops kein gutes Zeugnis ausgestellt. --------------------------------------------- https://www.watchlist-internet.at/news/viele-meldungen-zu-mimtyde-und-evenl… ∗∗∗ Jahresbericht 2019 von CERT.at und GovCERT Austria veröffentlicht ∗∗∗ --------------------------------------------- Das Mandat als nationales Computer-Notfallteam nach NISG, Emotet, Ransomware, Sextortion, ein Projektabschluss und CyberExchanges – das Jahr 2019 war für CERT.at und GovCERT Austria ein ereignisreiches, das wir in Form unseres Jahresberichts Revue passieren lassen. --------------------------------------------- https://cert.at/de/blog/2020/4/jahresbericht-2019-von-certat-und-govcert-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper Networks Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: April 9, 2020 Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Security Advisories webpage and apply the necessary updates or workarounds. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/04/09/juniper-networks-r… ∗∗∗ Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009 ∗∗∗ --------------------------------------------- Project: Spamicide Date: 2020-April-08 Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Access bypass Description: The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots. The module doesnt require appropriate permissions for administrative pages leading to an Access Bypass. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2020-009 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, ipmitool, krb5-appl, and telnet), Debian (ceph and firefox-esr), Mageia (firefox), openSUSE (bluez and exiv2), Red Hat (firefox), SUSE (ceph, libssh, mgetty, permissions, python-PyYAML, rubygem-actionview-4_2, and vino), and Ubuntu (libiberty and libssh). --------------------------------------------- https://lwn.net/Articles/817128/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… ∗∗∗ Security Bulletin: IBM Resilient OnPrem does not properly limit the number or frequency of pssword reset interactions ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-onprem-does… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability in IBM® Runtime Environment Java™ Version 8 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) ( CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… ∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2020
by Daily end-of-shift report 08 Apr '20

08 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-04-2020 18:00 − Mittwoch 08-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Web server security: Infrastructure components ∗∗∗ --------------------------------------------- Cybercriminals understand that your website is not only the face of your organization, but often also its weakest link. With just one misconfigured port, malicious spearphishing email or unpatched vulnerability, an attacker can deploy a range of techniques and tools to enter and then move undetected throughout a network to find a valuable target. --------------------------------------------- https://resources.infosecinstitute.com/web-server-security-infrastructure-c… ∗∗∗ FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks ∗∗∗ --------------------------------------------- FIN6 fingerprints were spotted in recent cyberattacks that initially infected victims with the TrickBot trojan, and then eventually downloaded the Anchor backdoor malware. --------------------------------------------- https://threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/1… ∗∗∗ Microsoft shares new threat intelligence, security guidance during global crisis ∗∗∗ --------------------------------------------- Our threat intelligence shows that COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to the pandemic. We’re seeing a changing of lures, not a surge in attacks. These attacks are settling into the normal ebb and flow of the threat environment. --------------------------------------------- https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-thr… ∗∗∗ DDG botnet, round X, is there an ending? ∗∗∗ --------------------------------------------- DDG is a mining botnet that we first blogged about in Jan 2018, we reported back then that it had made a profit somewhere between 5.8million and 9.8million RMB(about 820,000 to 1.4Million US dollar ), [...] --------------------------------------------- https://blog.netlab.360.com/an-update-on-the-ddg-botnet/ ∗∗∗ COVID-19 Exploited by Malicious Cyber Actors ∗∗∗ --------------------------------------------- This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC). This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/aa20-099a ∗∗∗ New dark_nexus IoT Botnet Puts Others to Shame ∗∗∗ --------------------------------------------- Bitdefender researchers have recently found a new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen. --------------------------------------------- https://labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-… ∗∗∗ Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation ∗∗∗ --------------------------------------------- This blog post continues the FLARE script series with a discussion of patching IDA Pro database files (IDBs) to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in IDB mode to sidestep tedious debugging scenarios and get quick results. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack… ∗∗∗ These hackers have been quietly targeting Linux servers for years ∗∗∗ --------------------------------------------- Researchers at Blackberry detail a newly uncovered hacking campaign that has been operating successfully against unpatched open-source servers for the best part of a decade. --------------------------------------------- https://www.zdnet.com/article/these-hackers-have-been-quietly-targeting-lin… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess/NMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for multiple vulnerabilities in Advantechs WebAccess/NMS network management system. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-01 ∗∗∗ GE Digital CIMPLICITY ∗∗∗ --------------------------------------------- This advisory contains mitigations for a privilege escalation vulnerability in GE Digital CIMPLICITY HMI/SCADA products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-02 ∗∗∗ HMS Networks eWON Flexy and Cosy ∗∗∗ --------------------------------------------- This advisory contains mitigations for a cross-site scripting vulnerability in HMS Networks eWON Flexy and Cosy Industrial VPN routers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-03 ∗∗∗ Fuji Electric V-Server Lite ∗∗∗ --------------------------------------------- This advisory contains mitigations for a heap-based buffer overflow vulnerability in Fuji Electrics V-Server Lite data collection and management service. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-04 ∗∗∗ KUKA.Sim Pro ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-05 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox), Debian (chromium and firefox-esr), Oracle (ipmitool and telnet), Red Hat (firefox and qemu-kvm), Scientific Linux (firefox, krb5-appl, and qemu-kvm), Slackware (firefox), SUSE (gmp, gnutls, libnettle and runc), and Ubuntu (firefox, gnutls28, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and linux-azure, linux-gcp, linux-gke-5.0, linux-oem-osp1, [...] --------------------------------------------- https://lwn.net/Articles/817059/ ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0294 ∗∗∗ Security Advisory - Information Disclosure Vulnerability about SWAPGS Instruction ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200408-… ∗∗∗ Security Bulletin: IBM Security Information Queue could reveal sensitive data in application error messages (CVE-2020-4164) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… ∗∗∗ Security Bulletin: Insufficient command validation in IBM Security Information Queue (CVE-2020-4282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-command-vali… ∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities affect IBM DOORS Next Generation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip… ∗∗∗ Security Bulletin: IBM Security Information Queue has insufficient session expiration (CVE-2020-4284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: IBM Security Information Queue uses components with known vulnerabilities (CVE-2019-8331, CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: IBM Security Information Queue does not prevent a product's owner from being modified (CVE-2020-4290) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Quality Manager (RQM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2019-19925, CVE-2019-19645, CVE-2019-19924, CVE-2019-19923, CVE-2019-19880, CVE-2019-19646, CVE-2019-19926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-sqlite… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2020
by Daily end-of-shift report 07 Apr '20

07 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Montag 06-04-2020 18:00 − Dienstag 07-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ corp.com: Microsoft kauft gefährliche Domain ∗∗∗ --------------------------------------------- Alte, fehlerhaft konfigurierte Windowsversionen verbinden sich häufig zur Domain corp.com und geben Daten preis. --------------------------------------------- https://www.golem.de/news/corp-com-microsoft-kauft-gefaehrliche-domain-2004… ∗∗∗ Web server protection: Web application firewalls for web server protection ∗∗∗ --------------------------------------------- Firewalls are an integral part of the tools necessary in securing web servers. In this article, we will discuss all relevant aspects of web application firewalls. We’ll explore a few concepts that touch on these firewalls, both from a compliance and technical point of view, as well as examine a few examples of how [...] --------------------------------------------- https://resources.infosecinstitute.com/web-server-protection-web-applicatio… ∗∗∗ Unkillable xHelper and a Trojan matryoshka ∗∗∗ --------------------------------------------- It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever. --------------------------------------------- https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/ ∗∗∗ ENISA publishes a Tool for the Mapping of Dependencies to International Standards ∗∗∗ --------------------------------------------- The web tool presents the mapping of the indicators demonstrated in the report Good practices on interdependencies between OES and DSPs to international information security standards. This report analysed the dependencies and interdependencies between Operators of Essential Services (OES) and Digital Service Providers (DSPs) and identified a number of indicators to assess them. These indicators are mapped to international standards and frameworks, namely ISO IEC 27002, COBIT5, the NIS [...] --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-a-tool-for-the-… ∗∗∗ Jetzt patchen! Über 350.000 Microsoft Exchange Server immer noch attackierbar ∗∗∗ --------------------------------------------- Auch wenn Angreifer schon seit Ende Februar Ausschau nach verwundbaren Exchange Servern halten, haben viele Admins offensichtlich noch nicht gepatcht. --------------------------------------------- https://heise.de/-4698421 ∗∗∗ Google Patches Critical RCE Vulnerabilities in Androids System Component ∗∗∗ --------------------------------------------- Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component. --------------------------------------------- https://www.securityweek.com/google-patches-critical-rce-vulnerabilities-an… ∗∗∗ Vorsicht Phishing: Amazon führt keine 3-Stufen-Authentifizierung ein ∗∗∗ --------------------------------------------- Kriminelle geben sich als Amazon aus und behaupten, eine „neue 3-Stufen-Authentifizierung für alle Kunden verbindlich einzuführen“. Angeblich in Zusammenarbeit mit Ihrer Bank und Ihrem E-Mail-Provider. Klicken Sie keinesfalls auf den Link in der E-Mail. Sie gelangen auf eine gefälschte Amazon Login-Seite. Kriminelle stehlen Ihre Zugangsdaten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-phishing-amazon-fuehrt-kein… ∗∗∗ More Medical Record Security Flaws ∗∗∗ --------------------------------------------- Tenable Research recently disclosed a number of security-related bugs in a popular open-source medical records application - OpenMRS. This blog details our findings. --------------------------------------------- https://medium.com/tenable-techblog/more-medical-record-security-flaws-8175… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin ∗∗∗ --------------------------------------------- On March 3, 2020, our Threat intelligence team discovered a number of vulnerabilities in WP Lead Plus X, a WordPress plugin with over 70,000 installations designed to allow site owners to create landing and squeeze pages on their sites. These vulnerabilities allowed an authenticated attacker with minimal permissions, such as a subscriber, to create or [...] --------------------------------------------- https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-l… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, kernel-headers, and kernel-tools), openSUSE (glibc and qemu), Red Hat (chromium-browser, container-tools:1.0, container-tools:rhel8, firefox, ipmitool, kernel, kernel-rt, krb5-appl, ksh, nodejs:10, nss-softokn, python, qemu-kvm, qemu-kvm-ma, telnet, and virt:rhel), Scientific Linux (ipmitool and telnet), SUSE (ceph and firefox), and Ubuntu (haproxy, linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, [...] --------------------------------------------- https://lwn.net/Articles/817003/ ∗∗∗ Joomla! plugin "AcyMailing" vulnerable to arbitrary file uploads ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN56890693/ ∗∗∗ Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Security vulnerabilities in Dojo and jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Log Analysis is vulnerable to Injection Attacks ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log-analysis-is-vulnerabl… ∗∗∗ Multiple XSS vulnerabilities in TAO Open Source Assessment Platform ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/multiple-xss-vulnerabilities-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2020
by Daily end-of-shift report 06 Apr '20

06 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-04-2020 18:00 − Montag 06-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Web server security: Command line-fu for web server protection ∗∗∗ --------------------------------------------- Adequate web server security requires proper understanding, implementation and use of a variety of different tools. In this article, we will take a look at some command line tools that can be used to manage the security of web servers. --------------------------------------------- https://resources.infosecinstitute.com/web-server-security-command-line-fu-… ∗∗∗ Analyzing & Decrypting L4NC34’s Simple Ransomware ∗∗∗ --------------------------------------------- We’re constantly seeing news about computers being infected by ransomware, but very little do we hear about it affecting websites. That being said, the impact can be serious if the affected website is the webmaster’s only source of income or a business relies entirely on it’s website and online presence. --------------------------------------------- https://blog.sucuri.net/2020/04/analyzing-decrypting-l4nc34s-simple-ransomw… ∗∗∗ Kinsing Linux Malware Deploys Crypto-Miner in Container Environments ∗∗∗ --------------------------------------------- A campaign that has been ongoing for months is targeting misconfigured open Docker Daemon API ports to install a piece of malware named Kinsing, which in turn deploys a cryptocurrency miner in compromised container environments. --------------------------------------------- https://www.securityweek.com/kinsing-linux-malware-deploys-crypto-miner-con… ∗∗∗ 8,000 Unprotected Redis Instances Accessible From Internet ∗∗∗ --------------------------------------------- Trend Micro’s security researchers discovered roughly 8,000 unsecured Redis instances that were exposed to anyone with an Internet connection. Spread all over the world, the unsecured instances were found to lack Transport Layer Security (TLS) encryption and without any password protection. Some of these instances were even deployed in public clouds. --------------------------------------------- https://www.securityweek.com/8000-unprotected-redis-instances-accessible-in… ∗∗∗ Userdir URLs like https://example.org/~username/ are dangerous ∗∗∗ --------------------------------------------- I would like to point out a security problem with a classic variant of web space hosting. While this issue should be obvious to anyone knowing basic web security, I have never seen it being discussed publicly. Some server operators allow every user on the system to have a personal web space where they can place files in a directory (often ~/public_html) and they will appear on the host under a URL with a tilde and their username (e.g. https://example.org/~username/). --------------------------------------------- https://blog.hboeck.de/archives/899-Userdir-URLs-like-httpsexample.orgusern… ∗∗∗ MISP 2.4.124 released (aka the dashboard, auditing improvements) ∗∗∗ --------------------------------------------- MISP 2.4.124 releasedA new version of MISP (2.4.124) has been released. This version includes various improvements including a new multiline widgets in the dashboard, auditing improvements and many bugs fixed. --------------------------------------------- https://www.misp-project.org/2020/04/06/MISP.2.4.124.released.html ∗∗∗ Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet ∗∗∗ --------------------------------------------- A proof-of-concept for CVE-2020-8515 that was made publicly available in March is found being employed by a new DDoS botnet called hoaxcalls. --------------------------------------------- https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#660597: Periscope BuySpeed is vulnerable to stored cross-site scripting ∗∗∗ --------------------------------------------- Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed version 14.5 is vulnerable to stored cross-site scripting,which could allow a local,authenticated attacker to store arbitrary JavaScript within the application. --------------------------------------------- https://kb.cert.org/vuls/id/660597 ∗∗∗ Gefährliche Sicherheitslücken in HP Support Assistant immer noch offen ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher rügt HP, weil die Entwickler seit Monaten im standardmäßig installierten HP Support Assistant diverse Schwachstellen nicht schließen. --------------------------------------------- https://heise.de/-4697583 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, gnutls28, and libmtp), Fedora (cyrus-sasl, firefox, glibc, squid, and telnet), Gentoo (firefox), Mageia (dcraw, firefox, kernel, kernel-linus, librsvg, and python-nltk), openSUSE (firefox, haproxy, icu, and spamassassin), Red Hat (nodejs:10, openstack-manila, python-django, python-XStatic-jQuery, and telnet), Slackware (firefox), SUSE (bluez, exiv2, and libxslt), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/816886/ ∗∗∗ XSS vulnerability in the Dashboard name parameter of FortiADC. ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-012 ∗∗∗ Improper Authorization vulnerability in FortiADC ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-013 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Bouncy Castle API affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2019-16782). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2020
by Daily end-of-shift report 03 Apr '20

03 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-04-2020 18:00 − Freitag 03-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln ∗∗∗ --------------------------------------------- I’m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero’s ideas and goals around in-the-wild 0-days in a November blog post. On December’s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-y… ∗∗∗ Progress In 2020 Funding Challenge - Thanks To Fantastic Global Supporters, But More Help Still Needed! ∗∗∗ --------------------------------------------- Our first status update on the critical initial milestone in Shadowservers urgent 2020 funding challenge. Great progress from our awesome community, with particular thanks to philanthropist Craig Newmark, but more help still needed to fully secure our data center operations in 2020. Join with us to continue protecting victims of cybercrime and help protect the Internet. --------------------------------------------- https://www.shadowserver.org/news/progress-in-2020-funding-challenge-thanks… ∗∗∗ Contact Form 7 Datepicker: Gefährliches WordPress-Plugin ohne Support ∗∗∗ --------------------------------------------- Angreifer könnten WordPress-Websites attackieren und Admin-Sessions übernehmen. --------------------------------------------- https://heise.de/-4696045 ∗∗∗ Researchers Discover Hidden Behavior in Thousands of Android Apps ∗∗∗ --------------------------------------------- Thousands of mobile applications for Android contain hidden behavior such as backdoors and blacklists, a group of researchers has discovered. With smartphones being part of our every-day lives, millions of applications are being used for a broad variety of activities, yet many of these engage in behaviors that are never disclosed to their users. --------------------------------------------- https://www.securityweek.com/researchers-discover-hidden-behavior-thousands… ∗∗∗ Mahnungen und Zahlungsaufforderungen von Flirthub.de ungerechtfertigt ∗∗∗ --------------------------------------------- Zahlreiche InternetuserInnen wenden sich momentan an uns, da sie plötzlich Zahlungsaufforderungen von Flirthub.de erhalten. Angeblich hätten sie sich auf der Website der MD Service GmbH angemeldet und eine Testphase sei nun in ein Premium-Abo übergelaufen. Wir haben uns die Websites und Zahlungsaufforderungen genauer angesehen. Unser Urteil: Betroffene müssen die geforderten 265,62 Euro nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/mahnungen-und-zahlungsaufforderungen… ∗∗∗ Vorsicht bei gefälschten Nachrichten von SMSinfo zu Paketlieferungen ∗∗∗ --------------------------------------------- Aufgrund der Corona-Krise müssen Fachgeschäfte in Österreich geschlossen sein. Viele Menschen greifen daher auf Online-Bestellungen zurück und warten auf ihr bestelltes Paket. Das nutzen derzeit vermehrt Kriminelle aus und versenden SMS unter den Namen „SMSinfo“. Der mitgeschickte Link in dieser SMS führt zu einer gefälschten Post-Webseite auf der Sie aufgefordert werden zwei Euro zu zahlen. Geben Sie Ihre Daten hier nicht ein, denn die Nachricht stammt [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-gefaelschten-nachrichte… ∗∗∗ GuLoader: Malspam Campaign Installing NetWire RAT ∗∗∗ --------------------------------------------- NetWire, a publicly-available RAT, was found being distributed through a file downloader called GuLoader. We explain how its infection chain works and how to defend against it. --------------------------------------------- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ ∗∗∗ Microsoft: How one Emotet infection took out this organizations entire network ∗∗∗ --------------------------------------------- An Emotet victims IT disaster shows why organizations should filter internal emails and use two-factor authentication. --------------------------------------------- https://www.zdnet.com/article/microsoft-how-one-emotet-infection-took-out-t… ===================== = Vulnerabilities = ===================== ∗∗∗ B&R Automation Studio ∗∗∗ --------------------------------------------- This advisory contains mitigations for improper privilege management, missing required cryptographic step, and path traversal vulnerabilities in B&R Automation Studio software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-093-01 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and qbittorrent), Gentoo (gnutls), Mageia (bluez, kernel, python-yaml, varnish, and weechat), Oracle (haproxy and nodejs:12), SUSE (exiv2, haproxy, libpng12, mgetty, and python3), and Ubuntu (libgd2). --------------------------------------------- https://lwn.net/Articles/816757/ ∗∗∗ Security Bulletin: IBM Agile Lifecycle Manager is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-agile-lifecycle-manag… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Agile Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged user could execute commands as root ( CVE-2020-4273) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2020
by Daily end-of-shift report 02 Apr '20

02 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-04-2020 18:00 − Donnerstag 02-04-2020 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Office 365 Phishing Uses CSS Tricks to Bypass Email Gateways ∗∗∗ --------------------------------------------- A phishing campaign using Office 365 voicemail lures to trick them into visiting landing pages designed to steal their personal information or infect their computers with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/office-365-phishing-uses-css… ∗∗∗ Pekraut - German RAT starts gnawing ∗∗∗ --------------------------------------------- Feature-rich remote access malware Pekraut emerges. The rodent seems to be of German origin and is ready to be released. We analyzed the malware in-depth. --------------------------------------------- https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-… ∗∗∗ Cyber-Kriminelle nutzen Corona-Krise vermehrt aus ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) beobachtet aktuell eine Zunahme von Cyber-Angriffen mit Bezug zum Corona-Virus auf Unternehmen und Bürger. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/Cyber-Krimi… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache HTTP Server 2.4 vulnerabilities, Fixed in Apache httpd 2.4.42 ∗∗∗ --------------------------------------------- low: mod_proxy_ftp use of uninitialized value (CVE-2020-1934): mod_proxy_ftp use of uninitialized value with maliciosu FTP backend. low: mod_rewrite CWE-601 open redirect (CVE-2020-1927): Some mod_rewrite configurations vulnerable to open redirect. --------------------------------------------- https://httpd.apache.org/security/vulnerabilities_24.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, kernel, linux-hardened, linux-lts, and pam-krb5), Debian (haproxy, libplist, and python-bleach), Fedora (tomcat), Gentoo (ghostscript-gpl, haproxy, ledger, qtwebengine, and virtualbox), Red Hat (haproxy, nodejs:12, qemu-kvm-rhev, and rh-haproxy18-haproxy), SUSE (memcached and qemu), and Ubuntu (apport). --------------------------------------------- https://lwn.net/Articles/816633/ ∗∗∗ 2020-04-02: Vulnerabilities in Telephone Gateway TG/S 3.2 ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A3921&Lan… ∗∗∗ 2020-04-02: SECURITY System 800xA Information Manager - Remote Code Execution ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232&Language… ∗∗∗ 2020-04-02: SECURITY System 800xA Weak Registry Permissions ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121221&Language… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.5.0 ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF10 + ICAM 3.0 – 4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2019-2989 vulnerabilitiy in IBM Java Runtime affects IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2989-vulnerabili… ∗∗∗ Security Bulletin: CVE-2019-4732 vulnerabilitiy in IBM Java Runtime affects IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4732-vulnerabili… ∗∗∗ Security Bulletin: IBM Process Federation Server REST API is subject to DoS attacks ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-federation-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2020
by Daily end-of-shift report 01 Apr '20

01 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-03-2020 18:00 − Mittwoch 01-04-2020 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zoom Lets Attackers Steal Windows Credentials via UNC Links ∗∗∗ --------------------------------------------- The Zoom Windows client is vulnerable to UNC path injection in the clients chat feature that could allow attackers to steal the Windows credentials of users who click on the link. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-wi… ∗∗∗ WARNING: Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers ∗∗∗ --------------------------------------------- [...] Named "Vollgar" after the Vollar cryptocurrency it mines and its offensive "vulgar" modus operandi, researchers at Guardicore Labs said the attack employs password brute-force to breach Microsoft SQL servers with weak credentials exposed to the Internet. --------------------------------------------- https://thehackernews.com/2020/04/backdoor-.html ∗∗∗ WordPress-SEO-Plugin Rank Math: Admin-Lücke gefährdet Websites ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke mit Höchstwertung im WordPress-Plugin Rank Math kann Angreifer zu Admins machen. Ein Update ist verfügbar. --------------------------------------------- https://heise.de/-4694641 ∗∗∗ Kleinanzeigenbetrug: So funktioniert der Dreiecksbetrug ∗∗∗ --------------------------------------------- Ebay, Willhaben, Shpock und Co. sind beliebt, um günstige und gebrauchte Ware zu kaufen oder nicht mehr gebrauchte Gegenstände zu verkaufen. Doch auch Kriminelle fühlen sich auf diesen Kleinanzeigenportalen wohl, da sie die Anonymität im Internet gezielt nutzen können. Eine besonders perfide Betrugsfalle in diesem Bereich ist der „Dreiecksbetrug“. Hier werden sowohl KäuferInnen als auch VerkäuferInnen abgezockt. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-so-funktioniert-… ===================== = Vulnerabilities = ===================== ∗∗∗ BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System ∗∗∗ --------------------------------------------- This advisory contains mitigations for a protection mechanism failure vulnerability in BD Pyxis medical devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-20-091-01 ∗∗∗ Hirschmann Automation and Control HiOS and HiSecOS Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for a classic buffer overflow vulnerability in Hirschmann Automation and Control HiOS and HiSecOS software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-091-01 ∗∗∗ Mitsubishi Electric MELSEC ∗∗∗ --------------------------------------------- This advisory contains mitigations for an uncontrolled resource consumption vulnerability in Mitsubishi Electric MELSEC programmable controllers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-091-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, [...] --------------------------------------------- https://lwn.net/Articles/816511/ ∗∗∗ Cisco NX-OS Software Anycast Gateway Invalid ARP Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software NX-API Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200401-… ∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data returning decrypted credentials ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java(CVE-2020-2604) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Possible denial of service vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-possible-denial-of-servic… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Tririga Application Platform (CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-a… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by multiple vulnerabilities in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Vulnerabilities in Java runtime environment that IBM provides affect WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-r… ∗∗∗ Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2020-4303, CVE-2020-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple Db2 vulnerabilities affect the IBM Spectrum Protect Server (CVE-2019-4057, CVE-2019-4101, CVE-2019-4154, CVE-2019-4386, CVE-2019-4322) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-vulnerabilit… ∗∗∗ Security Bulletin: Security vulnerability in IBM Java SDK affect Rational Build Forge (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ HPESBHF03994 rev.1 - HPE Superdome Flex with iLO4, Remote or Local Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03940 rev.1 - HPE MSA 1040, HPE MSA 2040, HPE MSA 2042, HPE MSA 1050, HPE MSA 2050, and HPE MSA 2052 Multiple Remote Access Restriction Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03993 rev.1 - HPE Superdome X servers with iLO4, Remote Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03995 rev.1 - HPE Superdome X servers with iLO4, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03986 rev.1 - HPE Superdome X servers with iLO4, Remote Code Execution and Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2020
by Daily end-of-shift report 31 Mar '20

31 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 30-03-2020 18:00 − Dienstag 31-03-2020 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Networking Basics for Reverse Engineers ∗∗∗ --------------------------------------------- This article will define network reverse engineering, list tools used by reverse engineers for reverse engineering and then highlight the network basics required by such engineers. The article will illustrate, through the lens of an attacker, how to expose the vulnerability of a network protocol and exploit the vulnerability, and then discuss how to [...] --------------------------------------------- https://resources.infosecinstitute.com/networking-basics-for-reverse-engine… ∗∗∗ OWASP Firmware Security Testing Methodology ∗∗∗ --------------------------------------------- FSTM is composed of nine stages tailored to enable security researchers, software developers, hobbyists, and Information Security professionals with conducting firmware security assessments. --------------------------------------------- https://scriptingxss.gitbook.io/firmware-security-testing-methodology/ ∗∗∗ They told me I could be anything, so I became a Kubernetes node - Using K3s for command and control on compromised Linux hosts ∗∗∗ --------------------------------------------- In their RSA 2020 talk Advanced Persistence Threats: The Future of Kubernetes Attacks, Ian Coldwater and Brad Geesaman demonstrated that K3s, a lightweight version of Kubernetes, can be used to backdoor compromised Kubernetes clusters. This post describes how K3s can also serve as an easy command and control (C2) mechanism to remotely control compromised Linux machines. --------------------------------------------- https://blog.christophetd.fr/using-k3s-for-command-and-control-on-compromis… ∗∗∗ Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit ∗∗∗ --------------------------------------------- While following reports on these infections, we stumbled upon a very poorly maintained server connected to a very loud operation named Inter. Upon reverse engineering this server, we found ourselves in conversation with the hackers themselves who revealed much more information about the Inter toolkit operation. This blog post shares some of the findings and explores how digital skimming is evolving into a service. --------------------------------------------- https://www.perimeterx.com/resources/blog/2020/skimming-as-a-service-anatom… ∗∗∗ Microsoft fixt Windows 10 VPN-Bug mit optionalen Sonderupdates ∗∗∗ --------------------------------------------- Microsoft bringt Windows-10-Updates, die einen Fehler beim Internetzugang beheben sollen, speziell wenn VPN-Software mit Proxy-Konfigurationen verwendet wird. --------------------------------------------- https://heise.de/-4694177 ∗∗∗ Industrial Controllers Still Vulnerable to Stuxnet-Style Attacks ∗∗∗ --------------------------------------------- Researchers demonstrated recently that hackers could launch a Stuxnet-style attack against Schneider Electric’s Modicon programmable logic controllers (PLCs), but it’s believed that products from other vendors could also be vulnerable to the same type of attack. --------------------------------------------- https://www.securityweek.com/industrial-controllers-still-vulnerable-stuxne… ∗∗∗ FBI Warns of Ongoing Kwampirs Attacks Targeting Global Industries ∗∗∗ --------------------------------------------- A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns. --------------------------------------------- https://www.securityweek.com/fbi-warns-ongoing-kwampirs-attacks-targeting-g… ∗∗∗ Vorsicht vor Gewinnspielen, die Kreditkartendaten erfordern ∗∗∗ --------------------------------------------- Kriminelle geben sich als bekannte Unternehmen aus und verbreiten über unterschiedliche Kanäle gefälschte Gewinnspiele. Sie täuschen den TeilnehmerInnen vor, ein iPhone 11 Pro, einen E-Scooter oder Weber Grill gewonnen zu haben. Für den Versand des Gewinnes werden jedoch 1-3 Euro, die per Kreditkarte bezahlt werden müssen, verlangt. Vorsicht: Es handelt sich um eine Abo-Falle. Kriminelle buchen monatlich bis zu 90 Euro ab. Ihren angeblichen Gewinn erhalten Sie [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gewinnspielen-die-kredi… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin ∗∗∗ --------------------------------------------- On March 23, 2020, our Threat Intelligence team discovered 2 vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site. --------------------------------------------- https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-o… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux-raspi2, linux-raspi2-5.3, and Timeshift). --------------------------------------------- https://lwn.net/Articles/816368/ ∗∗∗ VU#962085: Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/962085 ∗∗∗ VU#944837: Vertiv Avocent UMG-4000 vulnerable to command injection and cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/944837 ∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ PEPPERL+FUCHS Kr00k vulnerabilities in Broadcom Wi-Fi chipsets ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-014 ∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4238) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Denial of service vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4236) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in TLS (CVE-2019-6485) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Potential information disclosure vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4239) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-information-dis… ∗∗∗ Security Bulletin: Directory Traversal vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4240, CVE-2020-4209) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-vulne… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Protect Plus (CVE-2019-15606, CVE-2019-15604, CVE-2019-15605, CVE-2019-9511, CVE-2019-9516, CVE-2019-9512, CVE-2019-9517, CVE-2019-9518, CVE-2019-9515, CVE-2019-9513, CVE-2019-9514) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2020
by Daily end-of-shift report 30 Mar '20

30 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-03-2020 18:00 − Montag 30-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sicherheitsupdates: BIG-IP Appliances von F5 angreifbar ∗∗∗ --------------------------------------------- Die Entwickler von F5 haben mehrere Sicherheitslücken in verschiedenen Produkten geschlossen. --------------------------------------------- https://heise.de/-4693455 ∗∗∗ A mysterious hacker group is eavesdropping on corporate email and FTP traffic ∗∗∗ --------------------------------------------- Hacker group uses zero-day in DrayTek Vigor enterprise routers and VPN gateways to record network traffic. --------------------------------------------- https://www.zdnet.com/article/a-mysterious-hacker-group-is-eavesdropping-on… ∗∗∗ Source code of Dharma ransomware pops up for sale on hacking forums ∗∗∗ --------------------------------------------- The source code of one of todays most profitable and advanced ransomware strains is up for sale on two Russian-language hacking forums. --------------------------------------------- https://www.zdnet.com/article/source-code-of-dharma-ransomware-pops-up-for-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/816267/ ∗∗∗ Synology-SA-20:04 Drupal ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Drupal. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_04_Drupal ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0272 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2020
by Daily end-of-shift report 27 Mar '20

27 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-03-2020 18:00 − Freitag 27-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Bug: Kein durchgängiges VPN unter iOS ∗∗∗ --------------------------------------------- Alte Verbindungen werden unter iOS derzeit am VPN vorbeigeleitet. --------------------------------------------- https://www.golem.de/news/bug-kein-durchgaengiges-vpn-unter-ios-2003-147552… ∗∗∗ Corona-Malware-Kampagne im Namen der WHO über manipulierte Routereinstellungen ∗∗∗ --------------------------------------------- Manipulierte DNS-Settings von D-Link- und Linksys-Routern leiten auf angebliche Warnhinweise der World Health Organization, hinter denen sich Malware verbirgt. --------------------------------------------- https://heise.de/-4692092 ∗∗∗ Micropatching Unknown 0days in Windows Type 1 Font Parsing ∗∗∗ --------------------------------------------- Three days ago, Microsoft published a security advisory alerting about two vulnerabilities in Windows font parsing, which were noticed as being exploited in "limited targeted Windows 7 based attacks." These vulnerabilities currently dont have an official vendor fix. As weve done before in a similar situation, we decided to provide our users with a micropatch to protect [...] --------------------------------------------- https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html ∗∗∗ Unseriöser Online-Shop: silahmall.com ∗∗∗ --------------------------------------------- Antiquitäten, Kleidung, Schmuck und Uhren, Möbel oder Computer-Zubehör. Der Online-Shop silahmall.com bietet eine breite Produktpalette an und verspricht hochwertige Qualität. Die Seite verlockt zum Einkaufen. Doch seien Sie vorsichtig! Wir raten von einer Bestellung ab, da es kein Impressum auf der Seite gibt und die einzige angegebene Kontaktmöglichkeit unseriös ist. --------------------------------------------- https://www.watchlist-internet.at/news/unserioeser-online-shop-silahmallcom/ ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in Advantechs WebAccess HMI platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-086-01 ∗∗∗ VISAM Automation Base (VBASE) ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in VISAMs VBASE automation platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-084-01 ∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for path traversal and missing authentication for critical function vulnerabilities in the Schneider Electric ICSS SCADA software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-084-02 ∗∗∗ Critical CODESYS Bug Allows Remote Code Execution ∗∗∗ --------------------------------------------- CVE-2020-10245, a heap-based buffer overflow that rates 10 out of 10 in severity, exists in the CODESYS web server and takes little skill to exploit. --------------------------------------------- https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/ ∗∗∗ [Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.7/1.33.3/1.34.1) ∗∗∗ --------------------------------------------- With the security/maintenance release of MediaWiki 1.31.7/1.33.3/1.34.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: [...] --------------------------------------------- https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093245.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6). --------------------------------------------- https://lwn.net/Articles/816130/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0268 ∗∗∗ MediaWiki: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0271 ∗∗∗ PHOENIX CONTACT Local Privilege Escalation in PC WORX SRT ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-012 ∗∗∗ PHOENIX CONTACT Local Privilege Escalation in Portico Remote desktop control software ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-013 ∗∗∗ Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-liberty-suscept… ∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct File Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ BIG-IP TMM Ram Cache vulnerability CVE-2020-5861 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22113131 ∗∗∗ BIG-IP HTTP profile vulnerability CVE-2020-5857 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70275209 ∗∗∗ BIG-IP HTTP/3 QUIC vulnerability CVE-2020-5859 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61367237 ∗∗∗ BIG-IP AWS vulnerability CVE-2020-5862 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01054113 ∗∗∗ BIG-IP tmsh vulnerability CVE-2020-5858 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36814487 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2020
by Daily end-of-shift report 26 Mar '20

26 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-03-2020 18:00 − Donnerstag 26-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Angespannter Arbeitsmarkt sorgt für betrügerische Job-Angebote ∗∗∗ --------------------------------------------- Aufgrund der durch das Coronavirus bedingten Arbeitsmarktsituation, suchen viele InternetuserInnen momentan online nach Jobs oder einer zusätzlichen Verdienstmöglichkeit. Dies nützen Kriminelle gezielt aus, indem Sie betrügerische Job-Angebote im Internet inserieren. Die Fake-Berufe können zu Geldwäsche führen, Pyramidensysteme sein oder zu gefährlichen Investments verleiten. --------------------------------------------- https://www.watchlist-internet.at/news/angespannter-arbeitsmarkt-sorgt-fuer… ∗∗∗ WordPress Malware Distributed via Pirated Coronavirus Plugins ∗∗∗ --------------------------------------------- The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a web site. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-malware-distribute… ∗∗∗ Malware spotlight: Nemty ∗∗∗ --------------------------------------------- If the last five years or so have proven anything, it is that ransomware is here to stay as a threat in the cybersecurity wild. This should not be used as rationale to simply ignore the deluge of new types of malware that are discovered weekly, as the recently discovered malware family Nemty has [...] --------------------------------------------- https://resources.infosecinstitute.com/malware-spotlight-nemty/ ∗∗∗ As Zoom Booms Incidents of ‘ZoomBombing’ Become a Growing Nuisance ∗∗∗ --------------------------------------------- Numerous instances of online conferences being disrupted by pornographic images, hate speech or even threats can be mitigated using some platform tools. --------------------------------------------- https://threatpost.com/as-zoom-booms-incidents-of-zoombombing-become-a-grow… ∗∗∗ Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios ∗∗∗ --------------------------------------------- Increased remote work has many organizations rethinking network and security strategies. In this post we share guidance on how to manage security in this changing environment. --------------------------------------------- https://www.microsoft.com/security/blog/2020/03/26/alternative-security-pro… ∗∗∗ Assemble the Cookies ∗∗∗ --------------------------------------------- When we investigate compromised websites, it’s not unusual to find malicious files that have been obfuscated through forms of encoding or encryption — however, these are not the only methods that attackers use to obfuscate code. Obfuscation via Predefined PHP Variables Here’s an example of obfuscation that doesn’t use encoding or encryption in any way: [...] --------------------------------------------- https://blog.sucuri.net/2020/03/assemble-the-cookies.html ∗∗∗ Apple iOS users served mobile malware in Poisoned News campaign ∗∗∗ --------------------------------------------- As we all devour online news sources in the current climate, cyberattackers are waiting to spring. --------------------------------------------- https://www.zdnet.com/article/apple-ios-users-served-mobile-malware-in-oper… ∗∗∗ 4G networks vulnerable to denial of service attacks, subscriber tracking ∗∗∗ --------------------------------------------- Don’t think you’re protected on upcoming 5G networks, either. --------------------------------------------- https://www.zdnet.com/article/100-of-4g-networks-vulnerable-to-denial-of-se… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr). --------------------------------------------- https://lwn.net/Articles/816039/ ∗∗∗ Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-008 ∗∗∗ Security Advisory - Use-after-free Vulnerability in Some Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Vulnerabilities Patched in IMPress for IDX Broker ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-f… ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0264 ∗∗∗ Security Bulletin: Security: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for ACH Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-a-vulnerability-… ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)(CVE-2019-12418, CVE-2019-17563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4276) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2020
by Daily end-of-shift report 25 Mar '20

25 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-03-2020 18:00 − Mittwoch 25-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ginp Mobile Banker Targets Spain with "Coronavirus Finder" Lure ∗∗∗ --------------------------------------------- In todays deluge of malicious campaigns exploiting the COVID-19 topic, handlers of the Android banking trojan Ginp stand out with operation Coronavirus Finder. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ginp-mobile-banker-targets-s… ∗∗∗ Three More Ransomware Families Create Sites to Leak Stolen Data ∗∗∗ --------------------------------------------- Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims and further illustrates why all ransomware attacks must be considered data breaches. --------------------------------------------- https://www.bleepingcomputer.com/news/security/three-more-ransomware-famili… ∗∗∗ Firmware-Bug zerstört SSDs nach genau 40.000 Stunden ∗∗∗ --------------------------------------------- Hewlett Packard warnt davor, dass alle Daten nach Ablauf der Zeit unwiederbringlich gelöscht werden. --------------------------------------------- https://futurezone.at/produkte/firmware-bug-zerstoert-ssds-nach-genau-40000… ∗∗∗ Traffic to Malicious Websites Spiking as more Employees Take Up Work from Home ∗∗∗ --------------------------------------------- Heimdal™ Security’s Incident Response and Research team has recently uncovered evidence of what a potentially dangerous campaign directed at employees working from home. With many cities under lockdown due to the COVID-19 pandemic, companies were mandated to allow the employees to work from home, in a bid to stop the spread of the virus. Since [...] --------------------------------------------- https://heimdalsecurity.com/blog/malicious-websites-work-from-home/ ∗∗∗ TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services ∗∗∗ --------------------------------------------- The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The Android app, called "TrickMo" by IBM X-Force researchers, is under active development and has exclusively targeted German users [...] --------------------------------------------- https://thehackernews.com/2020/03/trickbot-two-factor-mobile-malware.html ∗∗∗ Microsoft Defender: "Scan-Skip-Bug" mit Update KB4052623 anscheinend beseitigt ∗∗∗ --------------------------------------------- Das von Microsoft für den Windows Defender veröffentlichte Update KB4052623 scheint die Meldung, dass Elemente beim Scan übersprungen wurden, zu eliminieren. --------------------------------------------- https://heise.de/-4690575 ∗∗∗ VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion ∗∗∗ --------------------------------------------- VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch. However, one of the researchers who found it says the patch is "still bad". --------------------------------------------- https://www.securityweek.com/vmware-again-fails-patch-privilege-escalation-… ∗∗∗ Videolabs Patches Code Execution, DoS Vulnerabilities in libmicrodns Library ∗∗∗ --------------------------------------------- Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn. --------------------------------------------- https://www.securityweek.com/videolabs-patches-code-execution-dos-vulnerabi… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Bug Affects Millions of OpenWrt-based Network Devices ∗∗∗ --------------------------------------------- A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic. Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the [...] --------------------------------------------- https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: iTunes 12.10.5 for Windows iOS 13.4 and iPadOS 13.4 Safari 13.1 watchOS 6.2 tvOS 13.4 macOS [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/03/25/apple-releases-sec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived). --------------------------------------------- https://lwn.net/Articles/815937/ ∗∗∗ BlackBerry Powered by Android Security Bulletin – March 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0262 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Security Advisory - Improper Access Control Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Security vulnerability is identified in Apache POI server where Rational Asset Manager is deployed (CVE-2019-12415) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-is… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: CVE-2019-4732 vulnerabilitiy in IBM Java Runtime affects IBM Process Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4732-vulnerabili… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2020
by Daily end-of-shift report 24 Mar '20

24 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 23-03-2020 18:00 − Dienstag 24-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps ∗∗∗ --------------------------------------------- A new cyber attack is hijacking routers DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Vidar information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-t… ∗∗∗ Unknown Hackers Use New Milum RAT in WildPressure Campaign ∗∗∗ --------------------------------------------- A new piece of malware that shows no similarities with samples used in known campaigns is currently used to attack computers in various organizations. Researchers named the threat Milum and dubbed the operation WildPressure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unknown-hackers-use-new-milu… ∗∗∗ Tekya Malware Threatens Millions of Android Users via Google Play ∗∗∗ --------------------------------------------- The ad-fraud malware lurks in dozens of childrens and utilities apps. --------------------------------------------- https://threatpost.com/tekya-malware-android-google-play/154064/ ∗∗∗ Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it ∗∗∗ --------------------------------------------- Yes, you may have detected some sarcasm An annoying security flaw been disclosed and promptly fixed in the fairly popular memcached distributed data-caching software. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/24/memcache… ∗∗∗ Betrügerische Raiffeisen-E-Mails im Umlauf ∗∗∗ --------------------------------------------- Aktuell erhalten Raiffeisen-KundInnen eine Benachrichtigung, dass die smsTAN deaktiviert wird und ELBA-NutzerInnen z. B. auf pushTAN umsteigen können. Für weitere Informationen zur Umstellung werden sie aufgefordert, sich ins Online Banking einzuloggen. Seien Sie bei E-Mails der Raiffeisen Bank zum Thema smsTAN und pushTAN besonders vorsichtig und kontrollieren Sie sorgfältig, ob die Aufforderung tatsächlich von der Raiffeisen Bank stammt. Es sind auch betrügerische [...] --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-raiffeisen-e-mails-im… ===================== = Vulnerabilities = ===================== ∗∗∗ Notfallpatch für Adobe Creative Cloud Application ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke in Creative Cloud Application von Adobe macht Windows-Computer angreifbar. --------------------------------------------- https://heise.de/-4689478 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat8), Fedora (chromium and okular), openSUSE (texlive-filesystem), Oracle (tomcat6), Scientific Linux (libvncserver, thunderbird, and tomcat6), Slackware (gd), SUSE (cloud-init, postgresql10, python36, and strongswan), and Ubuntu (ibus and vim). --------------------------------------------- https://lwn.net/Articles/815882/ ∗∗∗ Kritische Sicherheitslücke in Microsoft Windows (Adobe Type Manager Library) - Workarounds verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des monatlichen Patch-Zyklus ein Security Advisory für eine kritische Sicherheitslücke in der Adobe Type Manager Library veröffentlicht. Laut Microsoft und CERT/CC wird die Schwachstelle bereits aktiv ausgenutzt, [...] --------------------------------------------- https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft… ∗∗∗ systemd-journald vulnerability CVE-2019-3815 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22040951 ∗∗∗ Apache vulnerability CVE-2020-8840 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15320518 ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0256 ∗∗∗ Kubernetes: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0253 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Arbitrary Script Injection vulnerability (CVE-2019-4681) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to a session management vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: IBM Content Navigator includes the host IP address in an HTTP response. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-inc… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM API Connect is impacted by weak cryptographic algorithms (CVE-2019-4553) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM API Connect is potentially impacted by vulnerabilities in MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-potent… ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by a denial of service vulnerability in MySQL (CVE-2019-2805) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java(CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: A security vulnerability has been disclosed in Expat, which is installed as part of IBM Tivoli Network Manager (CVE-2019-15903). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2020
by Daily end-of-shift report 23 Mar '20

23 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-03-2020 18:00 − Montag 23-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware ∗∗∗ --------------------------------------------- PwndLocker has rebranded as the ProLock Ransomware after fixing a crypto bug that allowed a free decryptor to be created. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-… ∗∗∗ Netwalker Ransomware Infecting Users via Coronavirus Phishing ∗∗∗ --------------------------------------------- As if people did not have enough to worry about, attackers are now targeting them with Coronavirus (COVID-19) phishing emails that install ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecti… ∗∗∗ Latest Astaroth living-off-the-land attacks are even more invisible but not less observable ∗∗∗ --------------------------------------------- Astaroth is back sporting significant changes. The updated attack chain maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion. --------------------------------------------- https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-o… ∗∗∗ Zero-Day Vulnerabilities in LILIN DVRs Exploited by Several Botnets ∗∗∗ --------------------------------------------- Cybercrime groups have been exploiting vulnerabilities in digital video recorders (DVRs) made by Taiwan-based surveillance solutions provider LILIN to increase the size of their botnets. --------------------------------------------- https://www.securityweek.com/zero-day-vulnerabilities-lilin-dvrs-exploited-… ∗∗∗ Achtung bei Einkäufen auf mimty.de und evenlife.de ∗∗∗ --------------------------------------------- Unzählige InternetuserInnen melden die Online-Shops mimty.de und evenlife.de momentan an die Watchlist Internet. Die Webseiten sind exakt gleich aufgebaut und bieten Atemschutzmasken, Desinfektionssprays und ähnliches an. Die Shopiago GmbH, die hinter den Shops steckt, gibt einen Sitz in Deutschland an, der Versand erfolgt aber stark verzögert aus dem weit entfernten Ausland oder bleibt längerfristig aus. Die Watchlist Internet rät zur Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-bei-einkaeufen-auf-mimtyde-u… ∗∗∗ How to prevent your Zoom meetings being Zoom-bombed (gate-crashed) by trolls ∗∗∗ --------------------------------------------- The coronavirus outbreak has seen an unprecedented number of people working and learning from home, and one of the tools that is making that possible is Zoom. But if you dont take care, you could find your meetings being gate-crashed or Zoom-bombed, potentially causing havoc and mayhem. --------------------------------------------- https://www.zdnet.com/article/how-to-prevent-your-zoom-meetings-being-zoom-… ===================== = Vulnerabilities = ===================== ∗∗∗ Insulet Omnipod ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper access control vulnerability in Insulets Omnipod insulin management system. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-20-079-01 ∗∗∗ Systech NDS-5000 Terminal Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a cross-site scripting vulnerability in Systechs NDS-5000 network server. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-079-01 ∗∗∗ FIBARO System Home Center v5.021 Remote File Include XSS ∗∗∗ --------------------------------------------- The smart home solution is vulnerable to a remote Cross-Site Scripting triggered via a Remote File Inclusion issue by including arbitrary client-side dynamic scripts (JavaScript, VBScript) due to the undocumented proxy API and its url GET parameter. This allows hijacking the current session of the user or changing the look of the page by changing the HTML. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php ∗∗∗ PMASA-2020-4 ∗∗∗ --------------------------------------------- SQL injection relating to data displayAffected VersionsphpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected. We believe the flaw was introduced with phpMyAdmin 3.4.CVE IDCVE-2020-10803 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2020-4/ ∗∗∗ PMASA-2020-3 ∗∗∗ --------------------------------------------- SQL injection relating to searchingAffected VersionsphpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected.CVE IDCVE-2020-10802 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2020-3/ ∗∗∗ PMASA-2020-2 ∗∗∗ --------------------------------------------- SQL injection with processing usernameAffected VersionsphpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected.CVE IDCVE-2020-10804 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2020-2/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, chromium, graphicsmagick, jackson-databind, phpmyadmin, python-bleach, and tor), Gentoo (exim and nodejs), openSUSE (chromium and thunderbird), Oracle (tomcat), Red Hat (devtoolset-8-gcc, libvncserver, runc, samba, thunderbird, and tomcat6), and SUSE (ruby2.5). --------------------------------------------- https://lwn.net/Articles/815798/ ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0250 ∗∗∗ Security Bulletin: Jan 2020 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jan-2020-multiple-vulnera… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI ( CVE-2019-4717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Swagger UI affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Few vulnerabilities affecting IBM Cloud Object Storage Systems (March 2020v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-few-vulnerabilities-affec… ∗∗∗ Security Bulletin: Vulnerabilities affecting IBM Cloud Object Storage Systems (March 2020v2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affecting… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2020
by Daily end-of-shift report 20 Mar '20

20 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-03-2020 18:00 − Freitag 20-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ WHO Chief Impersonated in Phishing to Deliver HawkEye Malware ∗∗∗ --------------------------------------------- An ongoing phishing campaign delivering emails posing as official messages from the Director-General of the World Health Organization (WHO) is actively spreading HawkEye malware payloads onto the devices of unsuspecting victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/who-chief-impersonated-in-ph… ∗∗∗ Firefox Reenables Insecure TLS to Improve Access to COVID19 Info ∗∗∗ --------------------------------------------- Mozilla says that the support for the insecure TLS 1.0 and TLS 1.1 will be reenabled in the latest version of Firefox to maintain access to government sites with COVID19 information that havent yet upgraded to TLS 1.2 or TLS 1.3. --------------------------------------------- https://www.bleepingcomputer.com/news/security/firefox-reenables-insecure-t… ∗∗∗ PrivEsc in Lenovo Vantage. Two minutes later ∗∗∗ --------------------------------------------- TL;DR The latest and greatest Lenovo Vantage software which ships with the most recent Lenovo devices is affected by a privilege escalation vulnerability. --------------------------------------------- https://www.pentestpartners.com/security-blog/privesc-in-lenovo-vantage-two… ∗∗∗ New Mirai Variant Targets Zyxel Network-Attached Storage Devices ∗∗∗ --------------------------------------------- Unit 42 researchers discovered a new Mirai variant, dubbed Mukashi, exploiting CVE-2020-9054 to infect vulnerable versions of Zyxel network-attached storage (NAS) devices. --------------------------------------------- https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/ ∗∗∗ Security flaws found in popular password managers ∗∗∗ --------------------------------------------- Not all they’re cracked up to be? Several password vaults have been found to contain vulnerabilities, both new and previously disclosed but never patched, a study says --------------------------------------------- https://www.welivesecurity.com/2020/03/19/security-flaws-found-in-popular-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bluez and chromium), Debian (icu, rails, thunderbird, and twisted), Fedora (chromium and webkit2gtk3), Gentoo (bsdiff, cacti, clamav, fribidi, libgit2, pecl-imagick, phpmyadmin, pyyaml, and tomcat), openSUSE (wireshark), Oracle (firefox, icu, python-imaging, thunderbird, and zsh), Scientific Linux (thunderbird), SUSE (firefox, nghttp2, thunderbird, and tomcat), and Ubuntu (twisted). --------------------------------------------- https://lwn.net/Articles/815591/ ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0246 ∗∗∗ Symantec Veritas NetBackup: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0244 ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by vulnerabilities in WebSphere Application Server Liberty (CVE-2019-9515, CVE-2019-9518, CVE-2019-9517, CVE-2019-9512, CVE-2019-9514, CVE-2019-9513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4663) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-17573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2014-3603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Information Disclosure in Cognos Business Intelligence (Cognos BI) shipped with Tivoli Common Reporting (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2020
by Daily end-of-shift report 19 Mar '20

19 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-03-2020 18:00 − Donnerstag 19-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Shadowserver Foundation: Gemeinnütziges IT-Security-Team benötigt Spenden ∗∗∗ --------------------------------------------- Das Shadowserver-Team unterstützt Strafverfolgungsbehörden dabei, Cybergangstern das Handwerk zu legen. Jetzt braucht es selbst zeitnah (finanzielle) Hilfe. --------------------------------------------- https://heise.de/-4686211 ∗∗∗ RedLine Info-Stealing Malware Spread by Folding@home Phishing ∗∗∗ --------------------------------------------- A new phishing email is trying to take advantage of the Coronavirus pandemic and the race to develop medications by promoting a fake Folding@home app that installs an information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/redline-info-stealing-malwar… ∗∗∗ InfoSec Conferences Canceled? We’ve Hours Of Recordings! ∗∗∗ --------------------------------------------- If you planned to attend some security conferences in the coming weeks, there are risks to have them canceled… Normally, I should be now in Germany to attend TROOPERS… Canceled! SAS2020 (“Security Analyst Summit”)… Canceled! FIRST TC Amsterdam… Canceled! And more will probably be added to the long list. --------------------------------------------- https://blog.rootshell.be/2020/03/19/infosec-conferences-canceled-weve-hour… ∗∗∗ Achtung vor dem Fake-Shop hausmasters.net ∗∗∗ --------------------------------------------- Hausmasters.net bietet unzählige Haushaltswaren zu Bestpreisen mit kostenlosem Versand nach Österreich, Deutschland und in die Schweiz an. Das breite Sortiment bestehend aus Kühlschränken, Staubsaugern, Waschmaschinen und der moderne Webauftritt laden zu einem schnellen Kauf ein. Doch Vorsicht: Hier zahlen Sie per Vorkasse, erhalten dafür aber nie eine Lieferung. Es handelt sich um einen Fake-Shop. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-dem-fake-shop-hausmaster… ∗∗∗ France warns of new ransomware gang targeting local governments ∗∗∗ --------------------------------------------- CERT France says some local governments have been infected with a new version of the Pysa (Mespinoza) ransomware. --------------------------------------------- https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe: Weitere teils kritische Updates unter anderem für Photoshop und Bridge ∗∗∗ --------------------------------------------- Nicht nur bei Acrobat und Reader hat Adobe nachgebessert, sondern auch bei Bridge, ColdFusion, Experience Manager, Photoshop und Genuine Integrity Service. --------------------------------------------- https://heise.de/-4686418 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdal), Fedora (nethack), Mageia (okular, sleuthkit, and webkit2), openSUSE (salt), Oracle (icu, kernel, python-pip, python-virtualenv, and zsh), Red Hat (icu, python-imaging, thunderbird, and zsh), Scientific Linux (icu, python-imaging, and zsh), SUSE (postgresql10), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/815442/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Check Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Java Runtime Vulnerabilities affect the IBM Spectrum Protect Backup-Archive Client and web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2019-4732, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerab… ∗∗∗ Security Bulletin: IBM DataPower Gateway is potentially vulnerable to a DoS issue when processing regular expressions (CVE-2017-16231) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-is-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Snapshot for VMware (CVE-2019-4304, CVE-2019-4305, CVE-2019-4441, CVE-2014-3603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563, CVE-2019-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Potential exposure of sensitive data in IBM DataPower Gateway (CVE-2020-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-exposure-of-sen… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect OS Images for Red Hat Linux Systems (Oct2019 updates) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0241 ∗∗∗ Drupal: Mehrere Schwachstelle ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0240 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2020
by Daily end-of-shift report 18 Mar '20

18 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-03-2020 18:00 − Mittwoch 18-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ TrickBot Now Exploits Infected PCs to Launch RDP Brute Force Attacks ∗∗∗ --------------------------------------------- A new module for TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet. --------------------------------------------- https://thehackernews.com/2020/03/trickbot-malware-rdp-bruteforce.html ∗∗∗ Home-Office? – Aber sicher! ∗∗∗ --------------------------------------------- Eine empfohlene Maßnahme im Kontext der Corona-Prävention ist die intensivere Nutzung von Home-Office und mobilem Arbeiten. Dafür gilt es, pragmatische Lösungen zu finden, die einerseits die Arbeitsfähigkeit einer Organisation erhalten, gleichzeitig jedoch Vertraulichkeit, Verfügbarkeit und Integrität gewährleisten. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/Empfehlungen_mobi… ∗∗∗ Sicher arbeiten im Homeoffice! ∗∗∗ --------------------------------------------- Unzählige Unternehmen haben ihren Betrieb als Reaktion auf das Coronavirus und entsprechende Regierungsvorgaben mittlerweile auf Arbeit im Homeoffice umgestellt. Da dies einige Änderungen in alltäglichen Arbeitsprozessen bedeutet, gibt es Empfehlungen für Unternehmen und deren MitarbeiterInnen, die Schäden durch Kriminelle in der momentanen Ausnahmesituation vermeiden können. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-arbeiten-im-homeoffice/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Genuine Integrity Service (APSB20-12), Adobe Acrobat and Reader (APSB20-13), Adobe Photoshop (APSB20-14), Adobe Experience Manager (APSB20-15), Adobe ColdFusion (APSB20-16) and Adobe Bridge (APSB20-17). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1847 ∗∗∗ Severe Flaws Patched in Responsive Ready Sites Importer Plugin ∗∗∗ --------------------------------------------- On March 2nd, our Threat Intelligence team discovered several vulnerable endpoints in Responsive Ready Sites Importer, a WordPress plugin installed on over 40,000 sites. These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX actions that could reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files, and activate plugins, among many other actions. ... We highly recommend updating to the latest version available, 2.2.7, immediately. --------------------------------------------- https://www.wordfence.com/blog/2020/03/severe-flaws-patched-in-responsive-r… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libvncserver and twisted), Fedora (libxslt), Red Hat (kernel, kernel-rt, python-flask, python-pip, python-virtualenv, slirp4netns, tomcat, and zsh), Scientific Linux (kernel, python-pip, python-virtualenv, tomcat, and zsh), SUSE (apache2-mod_auth_openidc and skopeo), and Ubuntu (apport and dino-im). --------------------------------------------- https://lwn.net/Articles/815309/ ∗∗∗ FreeRADIUS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- FreeRADIUS ist ein Open Source Server zur Authentisierung entfernter Benutzer auf Basis des RADIUS-Protokolls (Remote Access Dial-In User Service). Ein entfernter, anonymer Angreifer kann eine Schwachstelle in FreeRADIUS ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0235 ∗∗∗ Delta Electronics Industrial Automation CNCSoft ScreenEditor ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-077-01 ∗∗∗ Cisco SD-WAN Solution vManage SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution vManage Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Advisory - Logic Error Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Advisory - Double Free Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud January 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A Vulnerability in Apache Log4j affects IBM LKS ART & Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache Commons vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Cross-Site Request Forgery (CSRF) vulnerabilities were identified on Tivoli Netcool/OMNIbus WebGUI Relationship admin page (CVE-2020-4199) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to a denial of service (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects Liberty for Java for IBM Cloud(CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2020
by Daily end-of-shift report 17 Mar '20

17 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 16-03-2020 18:00 − Dienstag 17-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht vor Phishing-Mails zum Thema Corona ∗∗∗ --------------------------------------------- Kriminelle nutzen das Corona-Virus für ihre Betrugsmaschen und versenden Phishings-Mails im Namen von Unternehmen. Aktuell sind uns gefälschte E-Mails, die angeblich von A1 und DHL stammen, bekannt. Seien Sie also bei E-Mails zum Thema Corona sehr vorsichtig und klicken keinesfalls auf einen Link oder loggen sich über einen Button am Ende der E-Mail in Ihr Kundenkonto ein. Laden Sie auch keine Anhänge herunter, es könnte sich um Schadsoftware handeln. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-zum-them… ∗∗∗ Die Shadowserver Foundation braucht dringend finanzielle Hilfe ∗∗∗ --------------------------------------------- Die Shadowserver Foundation ist nicht nur weltweit die größte Quelle von Threat Intelligence, sie ist auch bei weitem die wichtigste Informationsquelle für CERT.at zu Themen wie Malwareinfektionen, verwundbaren Systeme, etc. in Österreich (siehe die Liste der Feeds, die wir von Shadowserver erhalten). Insgesamt versorgt die Shadowserver Foundation 107 nationale CERTs/CSIRTs in 136 Ländern mit wertvollen Informationen über Probleme in ihrem jeweiligen [...] --------------------------------------------- https://cert.at/de/blog/2020/3/die-shadowserver-foundation-braucht-dringend… ∗∗∗ Slack fixes account-stealing bug ∗∗∗ --------------------------------------------- Slack has fixed a bug that allowed attackers to hijack user accounts by tampering with their HTTP sessions. --------------------------------------------- https://nakedsecurity.sophos.com/2020/03/17/slack-fixes-account-stealing-bu… ∗∗∗ A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th) ∗∗∗ --------------------------------------------- DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It also has become easier (but not trivial) to defend against these attacks. But in the end, you still have to "buy your way out" of a denial of service attacks. --------------------------------------------- https://isc.sans.edu/diary/rss/25916 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (okular, thunderbird, and webkit2gtk), Debian (webkit2gtk), Fedora (php-horde-Horde-Form), Gentoo (libvorbis, nss, and proftpd), Oracle (firefox and kernel), Red Hat (kernel), Scientific Linux (firefox), SUSE (cni, cni-plugins, conmon, fuse-overlayfs, podman, librsvg, and ovmf), and Ubuntu (ceph, icu, linux, linux-aws, linux-kvm, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, [...] --------------------------------------------- https://lwn.net/Articles/815202/ ∗∗∗ Intel CPUs vulnerable to new Snoop attack ∗∗∗ --------------------------------------------- Applying the the patches for the Foreshadow (L1TF) attack disclosed in 2018 also blocks Snoop attacks. --------------------------------------------- https://www.zdnet.com/article/intel-cpus-vulnerable-to-new-snoop-attack/ ∗∗∗ Trend Micro Produkte: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0230 ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Liberty affects IBM Operations Analytics Predictive Insights (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the WebSphere Message Broker V8. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker V8. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2020
by Daily end-of-shift report 16 Mar '20

16 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-03-2020 18:00 − Montag 16-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kritische Lücke: Angreifer könnten aus VMware Fusion und Workstation ausbrechen ∗∗∗ --------------------------------------------- Wer virtuelle Maschinen mit Fusion, Horizon, Remote Console (VMRC) und Workstation betreibt, sollte sich aus Sicherheitsgründen die aktualisierten Versionen herunterladen und installieren. Andernfalls könnten Angreifer im schlimmsten Fall aus einer VM ausbrechen und Schadcode im Host-System ausführen. --------------------------------------------- https://www.heise.de/security/meldung/Kritische-Luecke-Angreifer-koennten-a… ∗∗∗ Saving Shadowserver and Securing the Internet — Why You Should Care & How You Can Help ∗∗∗ --------------------------------------------- Shadowserver has unexpectedly lost the financial support of our largest sponsor. We need to transition the impacted operations staff and move our data center by May 26th 2020. This is an extremely aggressive timeline. We urgently appeal to our constituents and the community to rally together, help save Shadowserver and help secure the Internet. This is the initial announcement and the index page to more detailed supporting content. --------------------------------------------- https://www.shadowserver.org/news/saving-shadowserver-and-securing-the-inte… ∗∗∗ BlackWater Malware Abuses Cloudflare Workers for C2 Communication ∗∗∗ --------------------------------------------- A new backdoor malware called BlackWater pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malwares command and control (C2) server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cl… ∗∗∗ MonitorMinor: vicious stalkerware ∗∗∗ --------------------------------------------- The other day, our Android traps ensnared an interesting specimen of stalkerware. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. --------------------------------------------- https://securelist.com/monitorminor-vicious-stalkerware/95575/?utm_source=r… ∗∗∗ Phishing PDF With Incremental Updates., (Sat, Mar 14th) ∗∗∗ --------------------------------------------- Someone asked me for help with this phishing PDF. --------------------------------------------- https://isc.sans.edu/diary/rss/25904 ∗∗∗ Desktop.ini as a post-exploitation tool, (Mon, Mar 16th) ∗∗∗ --------------------------------------------- Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however. --------------------------------------------- https://isc.sans.edu/diary/rss/25912 ∗∗∗ Open MQTT Report - Expanding the Hunt for Vulnerable IoT devices ∗∗∗ --------------------------------------------- New MQTT IPv4 scans are now carried out daily as part of our efforts to expand our capability to enable the mapping of exposed IoT devices on the Internet. A new report - Open MQTT - is now shared in our free daily victim remediation reports to 107 National CSIRTs and 4600+ network owners. In particular, the report identifies accessible MQTT broker service that enable anonymous access. The work is being carried out as part of the EU CEF VARIoT (Vulnerability and Attack Repository for IoT) --------------------------------------------- https://www.shadowserver.org/news/open-mqtt-report-expanding-the-hunt-for-v… ∗∗∗ Has The Sun Set On The Necurs Botnet? ∗∗∗ --------------------------------------------- Private sector partners Microsoft and Bitsight announced their disruption of the Necurs botnet on March 10th 2020. Shadowserver supported the operation, through the use of our Registrar of Last Resort (RoLR) for helping to deal with the millions of potential DGA C2 domains involved, and by making available our victim remediation reporting channels. In this blog post we provide our take on some of the more interesting aspects of this operation, analyze the sinkholed Necurs victim populations and [...] --------------------------------------------- https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/ ∗∗∗ COVID-19 Themed Phishing Campaigns Continue ∗∗∗ --------------------------------------------- Another COVID-19 (Coronavirus) phishing campaign has been discovered -- this one apparently operated by the Pakistan-based APT36, which is thought to be nation-backed. --------------------------------------------- https://www.securityweek.com/covid-19-themed-phishing-campaigns-continue ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick, qemu, and slurm-llnl), Fedora (ansible, couchdb, mediawiki, and python3-typed_ast), Gentoo (atftp, curl, file, gdb, git, gst-plugins-base, icu, libarchive, libgcrypt, libjpeg-turbo, libssh, libvirt, musl, nfdump, ppp, python, ruby-openid, runc, sqlite, squid, sudo, SVG Salamander, systemd, thunderbird, tiff, and webkit-gtk), Mageia (firefox, kernel, and thunderbird), openSUSE (firefox, librsvg, php7, and tomcat), Red Hat (firefox), [...] --------------------------------------------- https://lwn.net/Articles/815097/ ∗∗∗ Security Bulletin: IBM MQ and IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2019-4719) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-ibm-mq-applian… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing error messages. (CVE-2019-4656) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM Cloud Automation Manager Session Fixation Vulnerability (CVE-2019-4617) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-automation-mana… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services v2.1.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM MQ could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. (CVE-2019-4619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-a-loca… ∗∗∗ Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Beanutils (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-wireline-is-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2020
by Daily end-of-shift report 13 Mar '20

13 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-03-2020 18:00 − Freitag 13-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ CovidLock: Mobile Coronavirus Tracking App Coughs Up Ransomware ∗∗∗ --------------------------------------------- The security research team at DomainTools recently observed an uptick in suspicious Coronavirus and COVID-19 domains, leading them to discover CovidLock, a malicious Android App. --------------------------------------------- https://www.domaintools.com/resources/blog/covidlock-mobile-coronavirus-tra… ∗∗∗ mTAN abgefangen: Betrüger räumten Konten in Österreich leer ∗∗∗ --------------------------------------------- Mit SIM-Swapping haben Kriminelle bei Dutzenden Österreichern Geld abgehoben. Nun wurden sie verhaftet. (TAN, Malware) --------------------------------------------- https://www.golem.de/news/mtan-abgefangen-betrueger-raeumten-konten-in-oest… ∗∗∗ Persistent Cross-Site Scripting, the MSSQL Way ∗∗∗ --------------------------------------------- If you save wide Unicode brackets (i.e. ＜＞) into a char or varchar field, MSSQL Server will convert them into HTML brackets (i.e. ). So, ＜img src=x onerror=alert(pxss)＞ will be converted to compliments of the backend DB. This will likely help you sneak past server-side filters, WAFs, etc. and execute a persistent Cross-Site Scripting (PXSS) attack. As a bonus, .NET request validation will not detect it. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/persistent-… ∗∗∗ Tor team warns of Tor Browser bug that runs JavaScript on sites it shouldnt ∗∗∗ --------------------------------------------- Tor team says its working on a fix, but has no timeline. --------------------------------------------- https://www.zdnet.com/article/tor-team-warns-of-tor-browser-bug-that-runs-j… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, golang-golang-x-crypto, kernel, mbedtls, ppp, and python-django), Debian (slirp and yubikey-val), Fedora (firefox, java-1.8.0-openjdk-aarch32, mbedtls, monit, seamonkey, sympa, and zsh), Gentoo (chromium, e2fsprogs, firefox, groovy, postgresql, rabbitmq-c, ruby, and vim), Mageia (ppp), openSUSE (kernel), and SUSE (glibc, kernel, openstack-manila, php5, and squid). --------------------------------------------- https://lwn.net/Articles/814817/ ∗∗∗ Update - Kritische Sicherheitslücke in Microsoft SMBv3 - Patch und Workarounds verfügbar ∗∗∗ --------------------------------------------- 03. März 2020 Update: 13. März 2020 Beschreibung Microsoft hat außerhalb des monatlichen Patch-Zyklus ein Security Advisory mit Workarounds für eine kritische Sicherheitslücke in Microsoft Server Message Block 3.1.1 (SMBv3) veröffentlicht. CVE-Nummern: CVE-2020-0796 CVSS Base Score: 10.0 (laut CERT/CC) Update: 13. März 2020 Microsoft gibt unter https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020… ebenfalls einen CVSS Base Score --------------------------------------------- https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft… ∗∗∗ Security Bulletin: PowerVC is impacted by information leakage from nova APIs during external exception (CVE-2019-14433) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-is-impacted-by-in… ∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a 3RD PARTY Path Traversal vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a cross-site scripting vulnerability in WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot for VMware (CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: A vulnerability in Python affects IBM Operations Analytics Predictive Insights (CVE-2019-18348) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a File traversal vulnerability in WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a Information disclosure vulnerability in WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for ACH Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ VMSA-2020-0004 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0004.html ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0228 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2020
by Daily end-of-shift report 12 Mar '20

12 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-03-2020 18:00 − Donnerstag 12-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Prenotification Security Advisory for Adobe Acrobat and Reader ∗∗∗ --------------------------------------------- Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and macOS on Tuesday, March 17, 2020. --------------------------------------------- https://helpx.adobe.com/security/products/acrobat/apsb20-13.html ∗∗∗ Live Coronavirus Map Used to Spread Malware ∗∗∗ --------------------------------------------- Cybercriminals constantly latch on to news items that captivate the publics attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software. --------------------------------------------- https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-mal… ===================== = Vulnerabilities = ===================== ∗∗∗ Achtung: Sicherheitspatch gegen kritische SMBv3-Lücke jetzt verfügbar ∗∗∗ --------------------------------------------- Gegen die kritische Windows-Sicherheitslücke CVE-2020-0796 gibt es jetzt einen Patch von Microsoft. Admins sollten ihre Systeme möglichst sofort akualisieren.. --------------------------------------------- https://heise.de/-4681993 ∗∗∗ Flaws Riddle Zyxel’s Network Management Software ∗∗∗ --------------------------------------------- Over 16 security flaws, including multiple backdoors and hardcoded SSH server keys, plague the software. --------------------------------------------- https://threatpost.com/flaws-zyxels-network-management-software/153554/ ∗∗∗ Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites ∗∗∗ --------------------------------------------- On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. .. We highly recommend updating to the latest version, 3.64.1, immediately. --------------------------------------------- https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-bui… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (dojo, firefox-esr, sleuthkit, and wpa), Fedora (cacti, cacti-spine, and python-psutil), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (ardana-ansible, ardana-cinder, ardana-cobbler, ardana-db, ardana-horizon, ardana-input-model, ardana-monasca, ardana-mq, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, ...), Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/814652/ ∗∗∗ ABB eSOMS ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-072-01 ∗∗∗ ABB Asset Suite ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-072-02 ∗∗∗ Rockwell Automation Allen-Bradley Stratix 5950 ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-072-03 ∗∗∗ XSS vulnerability in the FortiManager via the buffer parameter ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-271 ∗∗∗ Information disclosure through diagnose debug commands in FortiWeb ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-269 ∗∗∗ XSS Vulnerability in Disclaimer Description of a Replacement Message in FortiWeb ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-001 ∗∗∗ Unquoted Service Path exploit in FortiClient ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-281 ∗∗∗ Authorizations Bypass in the FortiPresence portal parameters ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-258 ∗∗∗ XSS vulnerability in the URL Description of URL filter ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-270 ∗∗∗ XSS vulnerability in the Anomaly Detection Parameter Name ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-265 ∗∗∗ FortiSIEM is vulnerable to a CSRF attack ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/ FG-IR-19-240 ∗∗∗ Security Advisory - Out of Bounds Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-… ∗∗∗ Security Advisory - Improper Integrity Checking Vulnerability on some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-… ∗∗∗ Security Bulletin: Vulnerability from Apache HttpClient affects IBM Cloud Pak System (CVE-2012-5783) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in HTTP/2 implementation used by Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An information disclosure security vulnerability has been identified with the embedded Content Navigator component shipped with IBM Business Automation Workflow (CVE-2019-4679) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-information-disclosure… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily