- Daily - CERT.at

Tageszusammenfassung - 16.12.2019
by Daily end-of-shift report 16 Dec '19

16 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-12-2019 18:00 − Montag 16-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PCI Point-to-Point Encryption Standard 3.0 released ∗∗∗ --------------------------------------------- The PCI Security Standards Council (PCI SSC) has updated the PCI Point-to-Point Encryption Standard (P2PE) and supporting program. PCI P2PE Version 3.0 simplifies the process for component and solution providers to validate their P2PE products for cardholder data protection efforts. --------------------------------------------- https://www.helpnetsecurity.com/2019/12/16/pci-point-to-point-encryption-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Javascript: Node-Pakete können Binärdateien unterjubeln ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in den Paketmanangern für Node.js, NPM und Yarn, ermöglicht das Unterschieben und Manipulieren von Binärdateien auf dem Client-System. Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/javascript-node-pakete-koennen-binaerdateien-unte… ∗∗∗ 2019-11-12: Cybersecurity Advisory - Automation Builder 2.2 (and earlier), Drive Application Builder 1.0 ∗∗∗ --------------------------------------------- ABB is aware of public reports of a vulnerability in the product versions listed above. This issue will be fixed by · Version 2.3.0 of Automation Builder. The release of this version is expected for end of Q1 2020 · Version 1.1.0 of Drive Application Builder. The release of this version is expected for end of 2019 An attacker who successfully exploited this vulnerability could insert and run arbitrary JavaScript and/or ActiveX code. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR010465&Language… ∗∗∗ Multiple Vulnerabilities in ABB PB610 PanelBuilder 600 ∗∗∗ --------------------------------------------- ABB is aware of a private report of four vulnerabilities in PB610 Panel Builder 600, versions 2.8.0.424 and earlier, affecting the HMIStudio and HMISimulator components. The vulnerabilities are corrected in version 2.8.0.460. --------------------------------------------- http://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/1520A33C30E2562EC12584D20058… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200 ∗∗∗ --------------------------------------------- The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGO’s programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause within the protocol handling code of the I/O Check (iocheckd) configuration... --------------------------------------------- https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-multiple… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (davical, intel-microcode, libpgf, php-horde, spamassassin, spip, and thunderbird), Mageia (clementine, dnsmasq, git, jasper, kdelibs4, kernel, libcroco, libgit2, libvirt, ncurses, openafs, proftpd, qbittorrent, signing-party, squid, and wireshark), openSUSE (java-1_8_0-openjdk and postgresql), Oracle (kernel), Red Hat (chromium-browser and openslp), and SUSE (kernel, libssh, and xen). --------------------------------------------- https://lwn.net/Articles/807412/ ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: API Connect is impacted by credential caching ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-impacted-b… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Kubernetes shipped with PowerAI Vision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an abend while processing messages. (CVE-2019-4560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2019
by Daily end-of-shift report 13 Dec '19

13 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-12-2019 18:00 − Freitag 13-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Echobot Variant Exploits 77 Remote Code Execution Flaws ∗∗∗ --------------------------------------------- The Echobot botnet is still after the low hanging fruit as a new variant has been spotted with an increased number of exploits that target unpatched devices, IoT for the most part. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-echobot-variant-exploits… ∗∗∗ All in the (Ransomware) Family: 10 Ways to Take Action ∗∗∗ --------------------------------------------- Check out our list of top 10 things to do to protect your organization from the deepening scourge of ransomware. --------------------------------------------- https://threatpost.com/ransomware-family-10-ways-take-action/151080/ ∗∗∗ Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities ∗∗∗ --------------------------------------------- Many of today’s threats evolve to incorporate as many living-off-the-land techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS. --------------------------------------------- https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-t… ∗∗∗ Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!, (Fri, Dec 13th) ∗∗∗ --------------------------------------------- Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use. And even though the numbers are much lower, some servers on the web support SSLv2 to this day as well. And, as it turns out, this is true even when it comes to web servers hosting internet banking portals --------------------------------------------- https://isc.sans.edu/diary/rss/25606 ∗∗∗ Unmasking Black Hat SEO for Dating Scams ∗∗∗ --------------------------------------------- Malware obfuscation comes in all shapes and sizes - and it’s sometimes hard to recognize the difference between malicious and legitimate code when you see it. Recently, we came across an interesting case where attackers went a few extra miles to make it more difficult to notice the site infection. --------------------------------------------- https://blog.sucuri.net/2019/12/unmasking-black-hat-seo-for-dating-scams.ht… ∗∗∗ Threat spotlight: The curious case of Ryuk ransomware ∗∗∗ --------------------------------------------- >From comic book death god to ransomware baddie, Ryuk ransomware remains a mainstay when organizations find themselves in a crippling malware pinch. We look at Ryuks origins, attack methods, and how to protect against this ever-present threat. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the… ∗∗∗ Targeted Attacks Deliver New "Anchor" Malware to High-Profile Companies ∗∗∗ --------------------------------------------- TrickBot/Anchor Campaign Could be a New Targeted Magecart Attack Against High-Profile Companies --------------------------------------------- https://www.securityweek.com/targeted-attacks-deliver-new-anchor-malware-hi… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech DiagAnywhere Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in the Advantech DiagAnywhere Server. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-346-01 ∗∗∗ Omron PLC CJ and CS Series ∗∗∗ --------------------------------------------- This advisory includes information and mitigation recommendations for authentications vulnerabilities reported in the Omron PLC CJ and CS Series. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-346-02 ∗∗∗ Omron PLC CJ, CS and NJ Series ∗∗∗ --------------------------------------------- This advisory includes information and mitigation recommendations for an authentication related vulnerability in the Omron PLC CJ, CS, and NJ Series. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-346-03 ∗∗∗ WordPress 5.3.1 Security and Maintenance Release ∗∗∗ --------------------------------------------- This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes - see the list below. --------------------------------------------- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (knot-resolver and xen), openSUSE (kernel), and SUSE (haproxy, kernel, and openssl). --------------------------------------------- https://lwn.net/Articles/807261/ ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component in IBM Case Manager (CVE-2019-4426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-se… ∗∗∗ Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component shipped with IBM Business Automation Workflow (CVE-2019-4426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-se… ∗∗∗ HPESBHF03974 rev.1 - HPE Servers using certain Intel Processors, Local Denial of Service, Disclosure of Information, Escalation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Dovecot: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1076 ∗∗∗ Trend Micro AntiVirus: Schwachstelle ermöglicht Denial of Service oder Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1077 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2019
by Daily end-of-shift report 12 Dec '19

12 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-12-2019 18:00 − Donnerstag 12-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing ∗∗∗ --------------------------------------------- Cryptocurrencies values are increasing again, which may explain why the number of stealthy techniques to deliver them have also increased this year. We found another campaign using process hollowing and a dropper component to evade detection and analysis, and can potentially be used for other malware payloads. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/wSpVXlrw0Ok/ ∗∗∗ Code & Data Reuse in the Malware Ecosystem ∗∗∗ --------------------------------------------- In the past, I already had the opportunity to give some "security awareness" sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, its tempting to not reinvent the wheel when somebody already wrote a piece of code that achieves the expected results. From a gain of time perspective, its a win for the developers who can focus on other code. Of course, this can have side effects and introduce bugs, backdoors, etc... --------------------------------------------- https://isc.sans.edu/forums/diary/Code+Data+Reuse+in+the+Malware+Ecosystem/… ∗∗∗ Winbox in the Wild ∗∗∗ --------------------------------------------- I’ve written, ad nauseam, about MikroTik routers. I’ve detailed vulnerabilities, post exploitation, and the protocol used by Winbox to communicate to the router on port 8291: [...] --------------------------------------------- https://medium.com/tenable-techblog/winbox-in-the-wild-9a2ee4946add?source=… ∗∗∗ The little-known ways mobile device sensors can be exploited by cybercriminals ∗∗∗ --------------------------------------------- Mobile device sensors offer great utility to users—from taking pictures and commanding voice assistants to determining which direction to flip your screen. However, they harbor little-known vulnerabilities that could be exploited by crafty cybercriminals. --------------------------------------------- https://blog.malwarebytes.com/iot/2019/12/the-little-known-ways-mobile-devi… ∗∗∗ Gefälschte Post-SMS zur Zahlung für wartende Pakete ∗∗∗ --------------------------------------------- Warten Sie gerade auf ein Paket? In der Weihnachtszeit ist das nicht unwahrscheinlich! Kriminelle nützen das und versenden gefälschte SMS mit dem Absendenamen „PST“ oder „POST“. Sie sollen eine Zahlung über 2,99 Euro bestätigen indem Sie einem Link folgen. Sie landen auf einer gefälschten Post-Website. Geben Sie Ihre Daten hier nicht ein – man versucht sie Ihnen zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-post-sms-zur-zahlung-fue… ∗∗∗ What I Learned from Reverse Engineering Windows Containers ∗∗∗ --------------------------------------------- Our researcher provides an overview on containers - starting with their Linux history - and shows the different implementations of containers in Windows, how they work, the security pitfalls that may occur, as well as the internal implementation of objects that are necessary for Containers in Windows. --------------------------------------------- https://unit42.paloaltonetworks.com/what-i-learned-from-reverse-engineering… ∗∗∗ Microsoft details the most clever phishing techniques it saw in 2019 ∗∗∗ --------------------------------------------- This years most clever phishing tricks include hijacking Google search results and abusing 404 error pages. --------------------------------------------- https://www.zdnet.com/article/microsoft-details-the-most-clever-phishing-te… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and nss-softokn), Fedora (samba), Oracle (nss, nss-softokn, nss-util, nss-softokn, and thunderbird), Scientific Linux (thunderbird), SUSE (firefox), and Ubuntu (librabbitmq and samba). --------------------------------------------- https://lwn.net/Articles/807186/ ∗∗∗ Synology-SA-19:40 Samba AD DC ∗∗∗ --------------------------------------------- CVE-2019-14861 and CVE-2019-11479 allow remote authenticated users to conduct denial-of-service attacks or bypass security constraints via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_40 ∗∗∗ Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-096 ∗∗∗ Modal Page - Moderately critical - Access bypass - SA-CONTRIB-2019-094 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-094 ∗∗∗ Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-093 ∗∗∗ Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-092 ∗∗∗ Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-095 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ BIG-IP TMM vulnerability CVE-2019-6671 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K39225055 ∗∗∗ TMOS vulnerability CVE-2019-6664 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03126093 ∗∗∗ HPESBHF03973 rev.1 - HPE Servers with certain Intel Processors, Local Disclosure of Information, Local Escalation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Red Hat OpenShift Service Mesh: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1067 ∗∗∗ OpenBSD: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1070 ∗∗∗ Linux Kernel und hostapd: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1071 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.12.2019
by Daily end-of-shift report 11 Dec '19

11 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-12-2019 18:00 − Mittwoch 11-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zeppelin Ransomware Targets Healthcare and IT Companies ∗∗∗ --------------------------------------------- A new variant of the VegaLocker/Buran Ransomware called Zeppelin has been spotted infecting U.S. and European companies via targeted installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-targets-… ∗∗∗ Bad news: KeyWe Smart Lock is easily bypassed and cant be fixed ∗∗∗ --------------------------------------------- Good news? There is no good news File this one under "not everything needs a computer in it". Finnish security house F-Secure today revealed a vulnerability in the KeyWe Smart Lock that could let a sticky-fingered miscreant easily bypass it. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/11/f_secure… ∗∗∗ Intel flickt "Plundervolt" und zahlreiche weitere Sicherheitslücken ∗∗∗ --------------------------------------------- Durch bösartiges Prozessor-"Undervolting" lassen sich SGX-verschlüsselten RAM-Enklaven Geheimnisse entlocken; Intel patcht auch 10 weitere Sicherheitslücken. --------------------------------------------- https://heise.de/-4611068 ∗∗∗ Gratis Online-Dating oder teure Abo-Falle? ∗∗∗ --------------------------------------------- Immer wieder erreichen uns Beschwerden verärgerter Singles, die auf heissetreffen.at auf der Suche nach Liebe oder Spaß waren. Die erste Anmeldung ist völlig kostenlos. Wer hier aber Profilbilder sehen möchte, soll das Alter über Eingabe der Kreditkartendaten bestätigen. Achtung: Dadurch rutscht man in eine teure Abo-Falle! Für Zahlungen besteht kein Grund. --------------------------------------------- https://www.watchlist-internet.at/news/gratis-online-dating-oder-teure-abo-… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Multiple Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/12/10/apple-releases-mul… ∗∗∗ Microsoft Releases December 2019 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/12/10/microsoft-releases… ∗∗∗ Intel Releases Security Updates ∗∗∗ --------------------------------------------- Intel has released security updates to address vulnerabilities in multiple products. An authenticated attacker with local access could exploit some of these vulnerabilities to gain escalation of privileges. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/12/10/intel-releases-sec… ∗∗∗ Xen Security Advisory CVE-2019-19581,CVE-2019-19582 / XSA-307 - find_next_bit() issues ∗∗∗ --------------------------------------------- In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: [...] --------------------------------------------- https://xenbits.xen.org/xsa/advisory-307.html ∗∗∗ Xen Security Advisory CVE-2019-19583 / XSA-308 - VMX: VMentry failure with debug exceptions and blocked states ∗∗∗ --------------------------------------------- The VMX VMEntry checks does not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-308.html ∗∗∗ Xen Security Advisory CVE-2019-19578 / XSA-309 - Linear pagetable use / entry miscounts ∗∗∗ --------------------------------------------- [...] If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-309.html ∗∗∗ Xen Security Advisory CVE-2019-19580 / XSA-310 - Further issues with restartable PV type change operations ∗∗∗ --------------------------------------------- XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-310.html ∗∗∗ Xen Security Advisory CVE-2019-19577 / XSA-311 - Bugs in dynamic height handling for AMD IOMMU pagetables ∗∗∗ --------------------------------------------- A malicious guest administrator can cause Xen to access data structures while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult but cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-311.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (crypto++ and thunderbird), Debian (cacti, freeimage, git, and jackson-databind), Fedora (nss), openSUSE (clamav, dnsmasq, munge, opencv, permissions, and shadowsocks-libev), Red Hat (nss, nss-softokn, nss-util, rh-maven35-jackson-databind, and thunderbird), Scientific Linux (nss, nss-softokn, nss-util, nss-softokn, and thunderbird), SUSE (caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, [...] --------------------------------------------- https://lwn.net/Articles/807073/ ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- CTX266932 NewApplicable Products : Citrix Hypervisor 8.0, XenServer 7.0, XenServer 7.1 LTSR Cumulative Update 2, XenServer 7.6A number of vulnerabilities have been found in Citrix Hypervisor (formerly Citrix XenServer) that may:i. Allow the host to be compromised by privileged code in a PV guest VM,ii. allow unprivileged code in a HVM guest VM to cause that guest to [...] --------------------------------------------- https://support.citrix.com/article/CTX266932 ∗∗∗ Security Advisory - Denial of Service Vulnerability on Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190911-… ∗∗∗ Security Advisory - Information Leakage Vulnerability on Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191211-… ∗∗∗ Security Advisory - Information Disclosure Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191211-… ∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei CloudUSM-EUA Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191211-… ∗∗∗ Security Advisory - Multiple Vulnerabilities in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191211-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which allows users to embed arbitrary JavaScript code in the Web UI (CVE-2019-4665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Security vulnerability in IBM WebSphere Application Server affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is affected by an Apache Zookeeper vulnerability (CVE-2019-4244) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2018-1996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-a… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where remoted authenticated attacker can execute arbitrary command(CVE 2019-4715)) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox have affected Synthetic Playback Agent 8.1.4.x ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2019-10072 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-10072/ ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which allows users to embed arbitrary JavaScript code in the Web UI (CVE-2019-4665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ File Extension Spoofing in Windows Defender Antivirus ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/file-extension-spoofing-in-windo… ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1054 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.12.2019
by Daily end-of-shift report 10 Dec '19

10 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Montag 09-12-2019 18:00 − Dienstag 10-12-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools ∗∗∗ --------------------------------------------- Researchers discovered a new Snatch ransomware strain that will reboot computers it infects into Safe Mode to disable any resident security solutions and immediately starts encrypting files once the system loads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to… ∗∗∗ Dont pay off Ryuk ransomware, warn infoseccers: Its creators borked the decryptor ∗∗∗ --------------------------------------------- Oracle DBs particularly vulnerable to fake decryptions, say researchers If youre an Oracle database user and are tempted to pay off a Ryuk ransomware infection to get your files back, for pitys sake, dont. The criminals behind it have broken their own decryptor, meaning nobody will be able to unlock files scrambled by the malicious software. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/10/ryuk_dec… ∗∗∗ Was Sie beim Onlineshoppen beachten müssen ∗∗∗ --------------------------------------------- Nicht mehr lang, dann ist wieder Weihnachten. Für die einen die besinnlichste Zeit im Jahr, für die anderen der pure Stress - vor allem wenn viele Geschenke besorgt werden müssen. Onlineshoppen ist da eine bequeme Lösung. Doch Onlineshoppen birgt auch einige Gefahren. --------------------------------------------- https://www.watchlist-internet.at/news/was-sie-beim-onlineshoppen-beachten-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Acrobat and Reader (APSB19-55), Adobe Photoshop (APSB19-56), Brackets (APSB19-57) and Adobe ColdFusion (APSB19-58). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided "AS IS" with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1813 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jruby, and squid3), Fedora (librabbitmq, libuv, and xpdf), openSUSE (calamares and opera), Oracle (kernel and nss), Red Hat (httpd24-httpd, kernel, kernel-alt, kpatch-patch, nss-softokn, sudo, and thunderbird), SUSE (apache2-mod_perl, java-1_8_0-openjdk, and postgresql), and Ubuntu (eglibc, firefox, and samba). --------------------------------------------- https://lwn.net/Articles/806957/ ∗∗∗ SAP Security Patch Day – December 2019 ∗∗∗ --------------------------------------------- Page edited by Aditi Kulkarni This post by SAP Product Security Response Team shares information on Patch Day Security Notes that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.On 10th of December 2019, SAP Security Patch Day saw the release of 5 Security Notes. There are 2 updates to previously released Patch [...] --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533660397 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in MongoDB affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2019-4663) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerabilities addressed in IBM Cloud Pak System (CVE-2019-4521, CVE-2019-4095) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-addressed… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in HAProxy affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server October 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in python affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Integration Bus Hyper visor Edition V9.0 require customer action for security vulnerabilities in Red Hat Linux ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-hyper… ∗∗∗ IBM Security Bulletin: PowerVC is impacted by an OpenStack Neutron vulnerability related to security group rules (CVE-2019-10876) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-powervc-is-impacted-b… ∗∗∗ IBM Security Bulletin: PowerVC is impacted by an OpenStack Neutron denial of service vulnerability (CVE-2018-14635) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-powervc-is-impacted-b… ∗∗∗ SSA-451445 (Last Update: 2019-12-10): Multiple Vulnerabilities in SPPA-T3000 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf ∗∗∗ SSA-273799 (Last Update: 2019-12-10): Vulnerability in SIMATIC products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-273799.pdf ∗∗∗ SSA-525454 (Last Update: 2019-12-10): Vulnerabilities in XHQ Operations Intelligence ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf ∗∗∗ SSA-418979 (Last Update: 2019-12-10): Vulnerabilities in EN100 Ethernet Communication Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-418979.pdf ∗∗∗ SSA-761617 (Last Update: 2019-12-10): Multiple Vulnerabilities in SiNVR Video Management Solution ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf ∗∗∗ SSA-344983 (Last Update: 2019-12-10): Vulnerability in WPA2 Key Handling affecting SCALANCE W700 and SCALANCE W1700 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-344983.pdf ∗∗∗ SSA-618620 (Last Update: 2019-12-10): Vulnerabilities in Boot Loader (U-Boot) of RUGGEDCOM ROS Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-618620.pdf ∗∗∗ Samba: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1048 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2019
by Daily end-of-shift report 09 Dec '19

09 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-12-2019 18:00 − Montag 09-12-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SCshell: Fileless Lateral Movement Using Service Manager ∗∗∗ --------------------------------------------- During red team engagements, lateral movement in a network is crucial. In addition, as a critical part of exploit chains, security solutions put a lot of effort to detect this movement. Techniques such as remote WMI and PsExec are fairly well detected. In the case of WMI, WmiPrvSe.exe will be the parent process responsible for spawning the process, making the detection a bit easier. PsExec on its end will push a file on the remote system and register a new service. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scshell-fil… ∗∗∗ We thought they were potatoes but they were beans (from Service Account to SYSTEM again) ∗∗∗ --------------------------------------------- Nevertheless, we decided to do some further research in order to understand if any bypass of the new OXID resolver restrictions, which in fact inhibits resolver requests over a port different to 135, is still possible. --------------------------------------------- https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-wer… ∗∗∗ Detecting unsafe path access patterns with PathAuditor ∗∗∗ --------------------------------------------- Posted by Marta Rożek, Google Summer Intern 2019, and Stephen Röttger, Software Engineer #!/bin/shcat /home/user/fooWhat can go wrong if this command runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output going to be used? Depending on the answers to the questions above, accessing files this way could be a vulnerability. The vulnerability exists in syscalls that operate on file paths, such as open, rename, chmod, or exec. --------------------------------------------- https://security.googleblog.com/2019/12/detecting-unsafe-path-access-patter… ===================== = Vulnerabilities = ===================== ∗∗∗ NVIDIA Patches Severe Flaws in Mercedes Infotainment System Chips ∗∗∗ --------------------------------------------- NVIDIA released security updates for six high severity vulnerabilities found in the Tegra Linux Driver Package (L4T) for Jetson AGX Xavier, TK1, TX1, TX2, and Nano chips used in Mercedes-Benzs MBUX infotainment system and Bosch self-driving computer systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nvidia-patches-severe-flaws-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (SDL), Debian (htmldoc, librabbitmq, nss, openjdk-7, openslp-dfsg, and phpmyadmin), Fedora (chromium, community-mysql, kernel, libidn2, oniguruma, proftpd, and rabbitmq-server), Mageia (ansible, clamav, evince, firefox, graphicsmagick, icu, libcryptopp, libtasn1, libtiff, libvncserver, libvpx, lz4, nss, openexr, openjpeg2, openssl, phpmyadmin, python-psutil, python-twisted, QT, sdl2_image, SDL_image, sysstat, thunderbird, and tnef), Oracle (firefox), [...] --------------------------------------------- https://lwn.net/Articles/806832/ ∗∗∗ OpenSSL: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1045 ∗∗∗ [dos] Omron PLC 1.0.0 - Denial of Service (PoC) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47757 ∗∗∗ [webapps] Alcatel-Lucent Omnivista 8770 - Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47761 ∗∗∗ [webapps] Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47760 ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Planning Analytics Local is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-lo… ∗∗∗ Security Bulletin: Vulnerability affects IBM Watson Assistant for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-ibm… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Transparent Could Tiering is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-could-tie… ∗∗∗ Security Bulletin: IBM Transparent Cloud Tiering is affected by Netty vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-cloud-tie… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Transparent Cloud Tiering ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by multiple vulnerabilities in IBM® Runtime Environment Java™ Version 8 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2019
by Daily end-of-shift report 06 Dec '19

06 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-12-2019 18:00 − Freitag 06-12-2019 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ 8 common pen testing mistakes and how to avoid them ∗∗∗ --------------------------------------------- One of the most effective ways to uncover flaws and weaknesses in your security posture is to have a third party carry out planned attacks on your system. Penetration testing is all about exposing gaps in your defenses so that they can be plugged before someone with malicious intent can take advantage. There are several different types of pen test designed to target different aspects of your organization. --------------------------------------------- https://www.csoonline.com/article/3487557/8-common-pen-testing-mistakes-and… ∗∗∗ Lazarus Group Goes Fileless ∗∗∗ --------------------------------------------- The rather infamous APT group, "Lazarus", continues to evolve their macOS capabilities. Today, we tear apart their latest 1st-stage implant that supports remote download & in-memory execution of secondary payloads! --------------------------------------------- https://objective-see.com/blog/blog_0x51.html ∗∗∗ Phishing with a self-contained credentials-stealing webpage ∗∗∗ --------------------------------------------- Phishing e-mails which are used to steal credentials usually depend on user clicking a link which leads to a phishing website that looks like login page for some valid service. Not all credentials-stealing has to be done using a remote website, however. I recently came across an interesting phishing campaign in which the scammers used a rather novel technique. --------------------------------------------- https://isc.sans.edu/diary/rss/25580 ∗∗∗ If theres somethin stored in a secure enclave, who ya gonna call? Membuster! ∗∗∗ --------------------------------------------- Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus. --------------------------------------------- https://www.theregister.co.uk/2019/12/05/membuster_secure_enclave/ ∗∗∗ Nur noch wenige Wochen: Planänderungen beim Support-Ende bei Windows 7 ∗∗∗ --------------------------------------------- Drei Wochen nach Weihnachten will Microsoft zum letzten Mal kostenlose Sicherheits-Updates für Windows 7 spendieren. Bald wird es also Zeit für den Umstieg.. --------------------------------------------- https://heise.de/-4602768 ===================== = Vulnerabilities = ===================== ∗∗∗ Unix-artige Systeme: Sicherheitslücke ermöglicht Übernahme von VPN-Verbindung ∗∗∗ --------------------------------------------- Durch eine gezielte Analyse und Manipulation von TCP-Paketen könnten Angreifer eigene Daten in VPN-Verbindungen einschleusen und diese so übernehmen. Betroffen sind fast alle Unix-artigen Systeme sowie auch VPN-Protokolle. Ein Angriff ist in der Praxis wohl aber eher schwierig. (Security, Server) --------------------------------------------- https://www.golem.de/news/unix-artige-systeme-sicherheitsluecke-ermoeglicht… ∗∗∗ VMware ESXi and Horizon DaaS updates address OpenSLP remote code execution vulnerability (CVE-2019-5544) ∗∗∗ --------------------------------------------- OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0022.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libav), Fedora (kernel, libuv, and nodejs), Oracle (firefox), Red Hat (firefox and java-1.7.1-ibm), SUSE (clamav, cloud-init, dnsmasq, dpdk, ffmpeg, munge, opencv, and permissions), and Ubuntu (librabbitmq). --------------------------------------------- https://lwn.net/Articles/806543/ ∗∗∗ Thales DIS SafeNet Sentinel LDK License Manager Runtime ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-339-01 ∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by a FasterXML jackson-databind vulnerability (CVE-2019-14439) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-2/ ∗∗∗ Security Bulletin: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin/ ∗∗∗ Security Bulletin: IBM DataPower Gateway enables default IPMI account ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-ena… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2019
by Daily end-of-shift report 05 Dec '19

05 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-12-2019 18:00 − Donnerstag 05-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Security prenotification for Adobe Acrobat and Reader | APSB19-55 ∗∗∗ --------------------------------------------- Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and macOS on Tuesday, December 10, 2019. --------------------------------------------- https://helpx.adobe.com/security/products/acrobat/apsb19-55.html ∗∗∗ Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter ∗∗∗ --------------------------------------------- Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/05/atlassia… ∗∗∗ NTLMRecon ∗∗∗ --------------------------------------------- A fast NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains. --------------------------------------------- https://github.com/sachinkamath/ntlmrecon ∗∗∗ xHunt Actor’s Cheat Sheet ∗∗∗ --------------------------------------------- Unit 42 found evidence that the developers who created the Sakabota tool had carried out two sets of testing activities on Sakabota in an attempt to evade detection. Within one sample created during this testing process, we uncovered a cheat sheet meant to assist operators of the tool to carry out activities on the compromised system and network, which weve never seen before. --------------------------------------------- https://unit42.paloaltonetworks.com/xhunt-actors-cheat-sheet/ ===================== = Vulnerabilities = ===================== ∗∗∗ Authentication vulnerabilities in OpenBSD ∗∗∗ --------------------------------------------- We discovered an authentication-bypass vulnerability in OpenBSDs authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms. (CVE-2019-19521) --------------------------------------------- https://www.openwall.com/lists/oss-security/2019/12/04/5 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox), Fedora (cyrus-imapd, freeipa, haproxy, ImageMagick, python-pillow, rubygem-rmagick, sqlite, squid, and tnef), openSUSE (haproxy), Oracle (microcode_ctl), and Ubuntu (squid, squid3). --------------------------------------------- https://lwn.net/Articles/806384/ ∗∗∗ Weidmueller multiple vulnerabilities in various Industrial Ethernet managed switches ∗∗∗ --------------------------------------------- CVE-2019-16670: The Authentication mechanism has no brute-force prevention. CVE-2019-16671: Remote authenticated users can crash a device with a special packet because of Uncontrolled Resource Consumption. CVE-2019-16672: Sensitive Credentials data is transmitted in cleartext. ... CVSS-Scores: bis 9.8 --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-018 ∗∗∗ Mozilla Thunderbird: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Mozilla Thunderbird ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen, vertrauliche Daten einzusehen oder einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1040 ∗∗∗ Wireshark: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Wireshark ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1039 ∗∗∗ Security Bulletin: IBM ToolsCenter Dynamic System Analysis (DSA) Preboot is affected by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-toolscenter-dynamic-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Intel MCE vulnerability CVE-2018-12207 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K17269881 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.12.2019
by Daily end-of-shift report 04 Dec '19

04 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-12-2019 18:00 − Mittwoch 04-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RSA-240: Faktorisierungserfolg gefährdet RSA nicht ∗∗∗ --------------------------------------------- Forscher haben auf einem Rechencluster eine 795 Bit große Zahl faktorisiert. Das RSA-Verschlüsselungs- und Signaturverfahren basiert darauf, dass Faktorisierung schwierig ist. Für die praktische Sicherheit von RSA mit modernen Schlüssellängen hat dieser Durchbruch heute aber wenig Bedeutung. --------------------------------------------- https://www.golem.de/news/rsa-240-faktorisierungserfolg-gefaehrdet-rsa-nich… ∗∗∗ APT review: what the world’s threat actors got up to in 2019 ∗∗∗ --------------------------------------------- What were the most interesting developments in terms of APT activity during the year and what can we learn from them? --------------------------------------------- https://securelist.com/ksb-2019-review-of-the-year/95394/ ∗∗∗ SEC Xtractor: Extrahieren von Daten aus elektronischen Geräten ∗∗∗ --------------------------------------------- Das SEC Consult Hardware Lab hat ein spezielles Hardware-Analyse-Tool entwickelt, mit dem Security Consultants auf einfache Weise Firmware aus Speicherchips auslesen können. Der sogenannte „SEC Xtractor“ wurde nun als Open-Source-Version veröffentlicht. --------------------------------------------- https://www.sec-consult.com/blog/2019/12/sec-xtractor-extrahieren-von-daten… ∗∗∗ Introducing Password Cracking Manager: CrackQ ∗∗∗ --------------------------------------------- Today we are releasing CrackQ, a queuing system to manage password cracking that Ive been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. Its an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/introducing… ∗∗∗ How to Respond to Emotet Infection (FAQ) ∗∗∗ --------------------------------------------- The purpose of this entry is to provide instructions on how to check if you are infected with Emotet and what you can do in case of infection (based on the information available as of December 2019). --------------------------------------------- https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html ∗∗∗ Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774) ∗∗∗ --------------------------------------------- As established, the patches for CVE-2017-11774 can be effectively “disabled” by modifying registry keys on an endpoint with no special privileges. The following registry keys and values should be configured via Group Policy to reinforce the recommended configurations in the event that an attacker attempts to reverse the intended security configuration on an endpoint to allow for Outlook home page persistence for malicious purposes. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tou… ∗∗∗ Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business ∗∗∗ --------------------------------------------- ... WHfB keys are tied to a user and a device that has been added to Azure AD, and if the device is removed, the corresponding WHfB key is considered orphaned. However, these orphaned keys are not deleted even when the device it was created on is no longer present. Any authentication to Azure AD using such an orphaned WHfB key will be rejected. However, some of these orphaned keys could lead to the following security issue in Active Directory 2016 or 2019, in either hybrid or on-premises --------------------------------------------- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190026 ∗∗∗ Betrug mit begehrten Champions League Tickets auf Facebook ∗∗∗ --------------------------------------------- Die Lieblings-Band einmal live zu erleben oder den favorisierten Fußballklub in der UEFA Champions League live im Stadion anzufeuern, ist ein einmaliges Erlebnis. In Facebook-Gruppen ausverkaufter Events versuchen verzweifelte Fans, die letzten Tickets zu ergattern. In Privatnachrichten werden ihnen diese Karten auf Facebook gegen Überweisung oder PayPal-Zahlung versprochen. Vorsicht: Dahinter können Kriminelle stecken! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-begehrten-champions-leagu… ∗∗∗ Two malicious Python libraries removed from PyPI ∗∗∗ --------------------------------------------- One library was available for only two days, but the second was live for nearly a year. --------------------------------------------- https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Reliable Controls LicenseManager ∗∗∗ --------------------------------------------- This advisory contains mitigations for an unquoted search path or element vulnerability in the Reliable Controls LicenseManager. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-337-01 ∗∗∗ Moxa AWK-3121 ∗∗∗ --------------------------------------------- This advisory contains mitigations for multiple vulnerabilities in Moxa’s AWK-3121 wireless access point/bridge/client. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-337-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, ghostscript, kernel, and tcpdump), Debian (libonig), Fedora (clamav, firefox, and oniguruma), openSUSE (calamares, cloud-init, haproxy, libarchive, libidn2, libxml2, and ucode-intel), Scientific Linux (SDL and tcpdump), Slackware (mozilla), and Ubuntu (haproxy, intel-microcode, and postgresql-common). --------------------------------------------- https://lwn.net/Articles/806296/ ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - Remote Code Execution Vulnerability in Fastjson ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Advanced Packages of Gauss100 OLTP Database ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - Insufficient Verification of Data Authenticity Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - Path Traversal Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Bulletin: : Netcool Operations Insight – Cloud Native Event Analytics is affected by a FasterXML jackson-databind vulnerability (CVE-2019-12814) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Pak System (CVE-2019-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Security Vulnerabilities have been identified in IBM Java Runtime as shipped with Tivoli Federated Identity Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Red Hat® Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Kafka vulnerability (CVE-2018-17196) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Red Hat® Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2019-2602) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.12.2019
by Daily end-of-shift report 03 Dec '19

03 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Montag 02-12-2019 18:00 − Dienstag 03-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Strandhogg: Sicherheitslücke in Android wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Unter Android können sich Schad-Apps als legitime Apps tarnen und weitere Berechtigungen anfordern. Die Strandhogg genannte Sicherheitslücke wird bereits aktiv ausgenutzt und eignet sich beispielsweise für Banking-Trojaner. Einen Patch gibt es nicht. ... Die Sicherheitsfirma Lookout konnte bereits 36 Apps ausfindig machen, die die Sicherheitslücke ausnutzen. Die betroffenen Apps nennt die Sicherheitsfirma allerdings nicht. Diese seien zum Teil auch im Google Play Store zu finden gewesen, allerdings hätten sie die Schadsoftware nicht enthalten, sondern diese erst nach der Installation nachgeladen - sogenannte Dropper-Apps. Google hat die betroffenen Apps nach einem Hinweis aus dem Play Store gelöscht. --------------------------------------------- https://www.golem.de/news/strandhogg-sicherheitsluecke-in-android-wird-akti… ∗∗∗ Network traffic analysis for Incident Response (IR): TLS decryption ∗∗∗ --------------------------------------------- e post Network traffic analysis for Incident Response (IR): TLS decryption appeared first on Infosec Resources.Network traffic analysis Over the years, the use of TLS has grown dramatically, with over half of websites using HTTPS by default. However, situations exist where it is useful to be able to decrypt this traffic. For example, many organizations perform deep packet inspection (DPI) in order to detect and block potentially malicious traffic. --------------------------------------------- https://resources.infosecinstitute.com/network-traffic-analysis-for-inciden… ∗∗∗ Another Fake Google Domain: fonts[.]googlesapi[.]com ∗∗∗ --------------------------------------------- Our Remediation team lead Ben Martin recently found a fake Google domain that is pretty convincing to the naked eye. The malicious domain was abusing the URL shortener service is.gd: shortened URLs were being injected into the posts table of the client’s WordPress database. Whenever the infected WordPress page loads, the actual content is obscured behind the is.gd shortener, which obtains content from the fake Google domain: fonts[.]googlesapi[.]com --------------------------------------------- https://blog.sucuri.net/2019/12/another-fake-google-domain-fonts-googlesapi… ∗∗∗ Ursnif infection with Dridex ∗∗∗ --------------------------------------------- Todays diary reviews an Ursnif infection from this campaign that I generated in my lab environment on Monday, December 2nd. --------------------------------------------- https://isc.sans.edu/diary/rss/25566 ∗∗∗ Anruf von Microsoft? – Legen Sie sofort auf! ∗∗∗ --------------------------------------------- Kriminelle geben sich als Microsoft-MitarbeiterInnen aus und erklären besorgten NutzerInnen, ihr Computer sei von einem Trojaner befallen. Mit diesem Vorwand versuchen Kriminelle sich Zugriff auf den Computer zu verschaffen und anschließend sensible Zugangsdaten zu stehlen oder wertvolle Daten zu löschen. Es handelt sich um eine Betrugsmasche, Microsoft würde niemals persönlich anrufen! --------------------------------------------- https://www.watchlist-internet.at/news/anruf-von-microsoft-legen-sie-sofort… ∗∗∗ A decade of malware: Top botnets of the 2010s ∗∗∗ --------------------------------------------- ZDNet goes over the list of biggest malware botnets of the past decade, from Necurs to Mirai. --------------------------------------------- https://www.zdnet.com/article/a-decade-of-malware-top-botnets-of-the-2010s/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple MOTEX products vulnerable to privilege escalation ∗∗∗ --------------------------------------------- LanScope Cat and LanScope An provided by MOTEX Inc. contain a privilege escalation vulnerability. An user who can login to the PC where the vulnerable product is installed may obtain unauthorized privileges and execute arbitrary code. --------------------------------------------- https://jvn.jp/en/jp/JVN49068796/ ∗∗∗ Patchday: Google serviert Sicherheitspatches für Android und seine Pixel-Serie ∗∗∗ --------------------------------------------- Verschiedene Android-Versionen sind über kritische Sicherheitslücken attackierbar. Nun gibt es Sicherheitsupdates. --------------------------------------------- https://heise.de/-4602506 ∗∗∗ Multiple vulnerabilites in Fronius Solar Inverter Series (CVE-2019-19229, CVE-2019-19228) ∗∗∗ --------------------------------------------- The vendor automatically performed a fleet update of the solar inverters in the field in order to patch them. Nevertheless, as not all devices could be reached through such an update, all remaining users are advised to install the patches provided by the vendor immediately. (CVE-2019-19229, CVE-2019-19228) --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilites-in-froni… ∗∗∗ Vulnerability Spotlight: Two vulnerabilities in EmbedThis GoAhead ∗∗∗ --------------------------------------------- EmbedThis’ GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multi-part/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition. --------------------------------------------- https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-EmbedThi… ∗∗∗ Vulnerability Spotlight: Accusoft ImageGear PNG IHDR width code execution vulnerability ∗∗∗ --------------------------------------------- Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle. This vulnerability is present in the Accusoft ImageGear library, which is a document-imaging developer toolkit. --------------------------------------------- https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-accusoft… ∗∗∗ Vulnerability Spotlight: SQL injection vulnerabilities in Forma Learning Management System ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three SQL injection vulnerabilities in the authenticated portion of the Formal Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization. --------------------------------------------- https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-sql-inje… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (intel-ucode and libtiff), Debian (exiv2), Oracle (SDL), Red Hat (kernel, patch, and python-jinja2), and Ubuntu (graphicsmagick, linux, linux-aws, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp...) --------------------------------------------- https://lwn.net/Articles/806202/ ∗∗∗ Kaspersky Internet Security: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Kaspersky Internet Security und Kaspersky Total Security ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1035 ∗∗∗ Trend Micro Internet Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Trend Micro Internet Security und Trend Micro AntiVirus ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1034 ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilites ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: Vulnerability in Google Guava affects IBM Cloud Pak System (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-google-g… ∗∗∗ Security Bulletin: Vulnerability from Apache HttpComponents affects IBM Cloud Pak System (CVE-2011-1498, CVE-2015-5262) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache… ∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities in Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability in IBM Cloud Pak System (CVE-2019-4098) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ BIND vulnerability CVE-2019-6477 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15840535?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2019
by Daily end-of-shift report 02 Dec '19

02 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-11-2019 18:00 − Montag 02-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cybercrime-Bericht 2018: Kriminalität im Netz bleibt große Herausforderung ∗∗∗ --------------------------------------------- Auch im Jahr 2018 verzeichnete das Cybercrime Competence Center (C4) des Bundeskriminalamtes eine Zunahme von Cybercrime Delikten. Im Vergleich zum Vorjahr wurde ein Anstieg von 16,8 Prozent registriert, vorwiegend im Bereich Internetbetrug. --------------------------------------------- http://www.bmi.gv.at/news.aspx?id=6D4D326A543767595673593D ∗∗∗ Analysis of Malicious ElectrumX Servers Source Code ∗∗∗ --------------------------------------------- Recently I have found some malicious ElectrumX nodes in the Electrum network that are still being connected by the Electrum software. In this post I share some information about these nodes and the ElectrumX patched code that they execute. --------------------------------------------- http://www.peppermalware.com/2019/12/analysis-of-malicious-electrumx-server… ∗∗∗ Polizei warnt vor professionellen Fake-Shops im Internet ∗∗∗ --------------------------------------------- In der Weihnachtszeit wird kräftig online eingekauft. Das machen sich auch Betrüger zunutze. Experten der Polizei warnen gerade jetzt vor deren Maschen. --------------------------------------------- https://heise.de/-4600046 ∗∗∗ Insight into NIS Directive sectoral incident response capabilities ∗∗∗ --------------------------------------------- The report provides a deeper insight into NISD sectoral Incident Response capabilities, procedures, processes and tools to identify the trends and possible gaps and overlaps. --------------------------------------------- https://www.helpnetsecurity.com/2019/12/02/nis-directive-incident-response/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Critical Vulnerabilities in SALTO ProAccess SPACE ∗∗∗ --------------------------------------------- In the software SALTO ProAccess Space ... multiple typical web application vulnerabilities got identified. An authenticated attacker was able to exploit a path traversal vulnerability to backup arbitrary files into the web root. This allowed an attacker to export the database into the web root and download it. Furthermore, it was possible to combine another export feature with the path traversal vulnerability to write arbitrary contents to arbitrary locations on the backend Windows server. --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilitie… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (389-ds-base, asterisk, file, nss, proftpd-dfsg, ssvnc, and tnef), Fedora (chromium, djvulibre, freeradius, ImageMagick, jhead, kernel, phpMyAdmin, python-pillow, and rubygem-rmagick), Mageia (bzip2, chromium-browser-stable, curl, dbus, djvulibre, glib2.0, glibc, gnupg2, httpie, libreoffice, libssh2, mosquitto, nginx, python-sqlalchemy, unbound, and zipios++), openSUSE (bluez, clamav, cpio, freerdp, openafs, phpMyAdmin, strongswan, and webkit2gtk3), --------------------------------------------- https://lwn.net/Articles/806079/ ∗∗∗ Multiple Cisco Analog Telephone Adapters Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Teams and Cisco Webex Meetings Client DLL Hijacking Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2019
by Daily end-of-shift report 29 Nov '19

29 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-11-2019 18:00 − Freitag 29-11-2019 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Sicherheitslücken: So einfach lassen sich SMS mitlesen ∗∗∗ --------------------------------------------- Mit dem SMS-Nachfolger RCS werden SMS und Telefonanrufe über das Internet abgewickelt - mit einem vorgegebenen Passwort. Mit diesem können auch klassische SMS unbemerkt mitgelesen werden. Eine entsprechende Konfigurationsdatei lässt sich von jeder App empfangen. (Joyn, Datenschutz) --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-so-einfach-lassen-sich-sms-mit… ∗∗∗ Smartwatch exposes locations and other data on thousands of children ∗∗∗ --------------------------------------------- A device that is supposed to help parents keep track of their children and give them a peace of mind can be turned into a surveillance device for bad actors The post Smartwatch exposes locations and other data on thousands of children appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2019/11/29/smartwatch-exposes-location-data-… ===================== = Vulnerabilities = ===================== ∗∗∗ Y2K-Bug-Variante trifft Splunk-Produkte – Lösungen verfügbar ∗∗∗ --------------------------------------------- Splunk-Admins sollten sich vor dem Jahreswechsel dringend mit einem "Jahr-2020-Problem" in der Software auseinandersetzen. Updates stehen bereit. --------------------------------------------- https://heise.de/-4599420 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libvpx and vino), Fedora (grub2 and nss), and SUSE (cloud-init, libarchive, libtomcrypt, ncurses, and ucode-intel). --------------------------------------------- https://lwn.net/Articles/805811/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2019
by Daily end-of-shift report 28 Nov '19

28 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-11-2019 18:00 − Donnerstag 28-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Video: Abo-Falle Streaming-Plattformen ∗∗∗ --------------------------------------------- Streaming-Plattformen werben mit einer kostenlosen Registrierung. Nach fünf Tagen verlangen sie von BenutzerInnen für einen Premium-Status 358,80 Euro, 359,88 Euro bzw. 395,88 Euro. Für die Bezahlung der Rechnung gibt es keinen Grund. --------------------------------------------- https://www.watchlist-internet.at/news/video-abo-falle-streaming-plattforme… ∗∗∗ Adobe discloses security breach impacting Magento Marketplace users ∗∗∗ --------------------------------------------- Security breach was detected last week and traced back to a vulnerability in the Magento Marketplace website. --------------------------------------------- https://www.zdnet.com/article/adobe-discloses-security-breach-impacting-mag… ===================== = Vulnerabilities = ===================== ∗∗∗ BlackBerry Powered by Android Security Bulletin - November 2019 ∗∗∗ --------------------------------------------- BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ DSA-4577 haproxy - security update ∗∗∗ --------------------------------------------- Tim Düsterhus discovered that haproxy, a TCP/HTTP reverse proxy, didnot properly sanitize HTTP headers when converting from HTTP/2 toHTTP/1. This would allow a remote user to perform CRLF injections. --------------------------------------------- https://www.debian.org/security/2019/dsa-4577 ∗∗∗ QNAP NAS: Hersteller fixt unter anderem kritische Schwachstelle in Photo Station ∗∗∗ --------------------------------------------- QTS-Updates beseitigen zahlreiche Angriffsmöglichkeiten aus der Ferne. --------------------------------------------- https://heise.de/-4598238 ∗∗∗ Security updates for (US) Thanksgiving ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy and libvorbis), Fedora (mod_auth_mellon and xen), Oracle (389-ds-base, kernel, and tcpdump), SUSE (bsdtar, java-11-openjdk, java-1_7_0-openjdk, and libxml2), and Ubuntu (nss and python-psutil). --------------------------------------------- https://lwn.net/Articles/805777/ ∗∗∗ WordPress Plugin "WP Spell Check" vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN26838191/ ∗∗∗ Security Bulletin: IBM Security QRadar Packet Capture is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-packe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.11.2019
by Daily end-of-shift report 27 Nov '19

27 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-11-2019 18:00 − Mittwoch 27-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Almost 60% Of Malicious Ads Come from Three Ad Providers ∗∗∗ --------------------------------------------- In Confiants "Demand Quality Report for Q3 2019", the ad fraud and security company analyzed 120 billion ad impressions between January 1st and September 20th that flowed through their systems in order to provide a breakdown of different malicious ad campaigns. --------------------------------------------- https://www.bleepingcomputer.com/news/security/almost-60-percent-of-malicio… ∗∗∗ Top 25 Most Dangerous Vulnerabilities Refreshed After 8 Years ∗∗∗ --------------------------------------------- For the first time in eight years, the list with the most dangerous 25 software vulnerabilities received an update that promises to be relevant for current times. --------------------------------------------- https://www.bleepingcomputer.com/news/security/top-25-most-dangerous-vulner… ∗∗∗ MITRE ATT&CK vulnerability spotlight: Credentials in registry ∗∗∗ --------------------------------------------- One of the attack stages as described in the MITRE ATT&CK tool is credential access, where a hacker tries to steal user credential information to gain access to new accounts or elevate privileges on a compromised system. One of the means by which an attacker can perform this stage of an attack is by extracting credentials from where they are stored in the Windows registry. --------------------------------------------- https://resources.infosecinstitute.com/mitre-attck-vulnerability-spotlight-… ∗∗∗ Insights from one year of tracking a polymorphic threat ∗∗∗ --------------------------------------------- We discovered the polymoprhic threat Dexphot in October 2018. In the months that followed, we closely tracked the threat as attackers upgraded the malware, targeted new processes, and worked around defensive measures. One year’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot’s authors, but of cybercriminals in general. --------------------------------------------- https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-o… ∗∗∗ Exposed Firebase Database ∗∗∗ --------------------------------------------- An issue can arise in firebase when developers fail to enable authentication. This vulnerability is very similar to every other database misconfiguration, theres no authentication. Leaving a database exposed to the world unauthenticated is an open invite for malicious hackers. --------------------------------------------- http://ghostlulz.com/google-exposed-firebase-database/ ∗∗∗ Vorsicht vor Ping-Anrufen! ∗∗∗ --------------------------------------------- KonsumentInnen erhalten immer wieder sogenannte Ping-Calls. Sie werden dabei von unbekannten Nummern angerufen. Die Anrufe werden meist nach dem ersten oder zweiten Läuten wieder beendet. Wer aus Höflichkeit oder Neugierde zurückruft, tappt in die Kostenfalle. Bei unbekannten, verdächtigen Nummern gilt: Nicht abheben und nicht zurückrufen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-ping-anrufen/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bsdiff, libvpx, tiff, and xmlrpc-epi), Fedora (freeimage, imapfilter, kernel, mingw-freeimage, and thunderbird), openSUSE (cups and djvulibre), Oracle (SDL), SUSE (ardana-db, ardana-keystone, ardana-neutron, ardana-nova, crowbar-core, crowbar-openstack, crowbar-ui, openstack-barbican, openstack-heat-templates, openstack-keystone, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-sahara, python-psutil, release-notes-suse-openstack-cloud, freerdp, mailman, slurm) and Ubuntu (ruby2.3, ruby2.5). --------------------------------------------- https://lwn.net/Articles/805720/ ∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei Smart Speaker Myna ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191127-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Huawei Atlas Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191127-… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191127-… ∗∗∗ Security Advisory - Information Disclosure Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191127-… ∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar Network Packet Capture is vulnerable to (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect AIX (CVE-2019-1547, CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Vulnerability CVE-2019-10218 in Samba affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2019-10… ∗∗∗ Security Bulletin: Python as used by IBM QRadar Network Packet Capture is vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers (CVE-2019-9947, CVE-2019-9948) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-as-used-by-ibm-qra… ∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar Network Packet Capture is vulnerable to a timing side channel attack (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr… ∗∗∗ TMM vulnerability CVE-2019-6669 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11447758 ∗∗∗ BIG-IP AAM vulnerability CVE-2019-6666 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K92411323 ∗∗∗ BIG-IP FIX profile security advisory vulnerability CVE-2019-6667 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82781208 ∗∗∗ BIG-IP TMM vulnerability CVE-2019-6671 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K39225055 ∗∗∗ BIG-IP AFM vulnerability CVE-2019-6672 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14703097 ∗∗∗ BIG-IP ASM Bot Detection DNS cache does not expire security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K79240502 ∗∗∗ The BIG-IP system may fail to properly parse HTTP headers that are prepended by whitespace (non RFC2616 compliant) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K39794285 ∗∗∗ BIG-IP ASM and BIG-IQ/Enterprise Manager/F5 iWorkflow device authentication and trust vulnerability CVE-2019-6665 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26462555 ∗∗∗ BIG-IP HTTP/2 vulnerability CVE-2019-6673 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K81557381 ∗∗∗ F5 SSL Orchestrator vulnerability CVE-2019-6674 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21135478 ∗∗∗ BIG-IP Edge Client for macOS vulnerability CVE-2019-6668 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49827114 ∗∗∗ BIG-IP APM ignores the Restrict to Single Client IP option for Native RDP resources ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24241590 ∗∗∗ vCMP vulnerability CVE-2019-6670 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05765031 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.11.2019
by Daily end-of-shift report 26 Nov '19

26 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Montag 25-11-2019 18:00 − Dienstag 26-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Unsichere Tracking-Smartwatch: Angreifer könnten Tausende Kinder stalken ∗∗∗ --------------------------------------------- Billige Tracker-Uhren aus China sind recht häufig Gegenstand von Sicherheitswarnungen. Das aktuelle Kindermodell SMA-WATCH-M2 setzt den (Abhör-)Alptraum fort. --------------------------------------------- https://heise.de/-4596410 ∗∗∗ Vorsicht beim Black-Friday-Shopping ∗∗∗ --------------------------------------------- Zahlreiche Online-HändlerInnen locken im Zuge des Black Fridays mit sagenhaften Angeboten. Am Freitag können Sie Kleidung, Elektronik, Haushaltswaren und viel mehr deutlich günstiger erwerben. Seien Sie jedoch bei den unglaublichsten Schnäppchen doppelt vorsichtig, denn nicht jedes Angebot ist seriös. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-black-friday-shopping/ ∗∗∗ A hacking group is hijacking Docker systems with exposed API endpoints ∗∗∗ --------------------------------------------- Its almost 2020 and some sysadmins are still leaving Docker admin ports exposed on the internet. --------------------------------------------- https://www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-w… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-19-996: Dell EMC Storage Monitoring and Reporting Java RMI Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dell EMC Storage Monitoring and Reporting. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-996/ ∗∗∗ Xen Security Advisory XSA-306 - Device quarantine for alternate pci assignment methods ∗∗∗ --------------------------------------------- An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-306.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libxdmcp, nss, php-imagick, and ruby2.1), openSUSE (java-11-openjdk), Red Hat (389-ds-base, kernel, kernel-rt, python-jinja2, qemu-kvm-ma, and tcpdump), SUSE (bluez, clamav, cpio, cups, gcc9, libpng16, libssh2_org, mailman, sqlite3, squid, strongswan, tiff, and webkit2gtk3), and Ubuntu (redmine). --------------------------------------------- https://lwn.net/Articles/805650/ ∗∗∗ Paessler PRTG: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- PRTG Network Monitor ist eine Netzwerk Monitoring Werkzeug der Paessler AG. Ein Angreifer kann mehrere Schwachstellen in Paessler PRTG ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen oder beliebigen Programmcode mit Rechten des Dienstes auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1019 ∗∗∗ Kaspersky Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Kaspersky Anti-Virus, Kaspersky Internet Security und Kaspersky Total Security ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder einen Denial of Service zu verursachen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1018 ∗∗∗ Security Bulletin: Multiple IBM MQ Security Vulnerabilities Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-mq-security-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Server on AIX (CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to Apache Commons Beanutils (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: SQL Injection Vulnerability Affects IBM Sterling B2B Integrator (CVE-2019-4387) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: Multiple Db2 vulnerabilities affect the IBM Spectrum Protect Server (CVE-2019-4057, CVE-2019-4101, CVE-2019-4154, CVE-2019-4386, CVE-2019-4322) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-vulnerabilit… ∗∗∗ BIG-IP Engineering Hotfix authentication bypass vulnerability CVE-2019-6675 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55655944 ∗∗∗ NodeJS vulnerability CVE-2018-7160 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63025104 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.11.2019
by Daily end-of-shift report 25 Nov '19

25 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-11-2019 18:00 − Montag 25-11-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ A Short History of Juice Jacking ∗∗∗ --------------------------------------------- The days are now shorter, and the holiday season is upon us. Many of us have travel booked to bring our family together and will soon be uncomfortably sitting in the halls of airline terminals, desperate to escape the monotony of an international waiting room we will sit transfixed to our mobile devices. Breaking our mobile-mindfulness-zen like state, an alert graces the screen: 15% battery life remaining. --------------------------------------------- https://www.secjuice.com/history-of-juice-jacking/ ∗∗∗ Local Malware Analysis with Malice, (Sat, Nov 23rd) ∗∗∗ --------------------------------------------- This project (Malice) provides the ability to have your own locally managed multi-engine malware scanning system. The framework allows the owner to analyze files for known malware. It can be used both as a command tool to analyze samples and review the results via a Kibana web interface. The Command-Line Interface (CLI) is used to scan a file or directory or can be setup to watch and scan new files when copied into a write only directory. --------------------------------------------- https://isc.sans.edu/diary/rss/25544 ∗∗∗ Introducing Merlin - A cross-platform post-exploitation HTTP/2 Command & Control Tool ∗∗∗ --------------------------------------------- Merlin is a cross-platform post-exploitation framework that leverages HTTP/2 communications to evade inspection. HTTP/2 is a relatively new protocol that requests Perfect Forward Secrecy (PFS) encryption cipher suites are used. ... Additionally, many security technologies are not equipped with HTTP/2 protocol dissectors and are therefore not able to evaluate traffic even if keying material is provided. --------------------------------------------- https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a ∗∗∗ Trickbot Updates Password Grabber Module ∗∗∗ --------------------------------------------- Trickbot is a modular malware, and one of its modules is a password grabber. In November 2019, we started seeing indicators of Trickbot's password grabber targeting data from OpenSSH and OpenVPN applications. --------------------------------------------- https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-modul… ∗∗∗ PC-Fernwartung: Sicherheitsforscher warnen vor angreifbarer VNC-Software ∗∗∗ --------------------------------------------- Angreifer könnten Clients und Server mit verschiedener VNC-Software attackieren und unter bestimmten Voraussetzungen Malware platzieren. --------------------------------------------- https://heise.de/-4595718 ∗∗∗ Kauf von Konzertkarten auf eventtickets24.com birgt Gefahren ∗∗∗ --------------------------------------------- Die Smartfox Media b.v. aus den Niederlanden bietet auf eventtickets24.com Konzert- und Veranstaltungskarten an. Zahlreiche KundInnen berichten von groben Problemen nach dem Ticketkauf. So kommt es u.U. zu Schwierigkeiten bei der Beschaffung und Lieferung oder ausbleibenden Rückerstattungen nach Nichtlieferung. Wir raten zu großer Vorsicht bei diesem Angebot. --------------------------------------------- https://www.watchlist-internet.at/news/kauf-von-konzertkarten-auf-eventtick… ===================== = Vulnerabilities = ===================== ∗∗∗ Patched GIF Processing Vulnerability CVE-2019-11932 Still Afflicts Multiple Mobile Apps ∗∗∗ --------------------------------------------- CVE-2019-11932, which is a vulnerability in WhatsApp for Android, was first disclosed to the public on October 2, 2019 after a researcher named Awakened discovered that attackers could use maliciously crafted GIF files to allow remote code execution. The vulnerability was patched with version 2.19.244 of WhatsApp, but the underlying problem lies in the library called libpl_droidsonroids_gif.so, which is part of the android-gif-drawable package. While this flaw has also been patched, many [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/sBAf9Ks1I8Y/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, enigmail, isc-dhcp, libice, libofx, and pam-python), Fedora (chromium, ghostscript, mingw-cfitsio, mingw-gdal, mingw-libidn2, and rsyslog), Gentoo (adobe-flash, chromium, expat, and firefox), openSUSE (apache2-mod_perl, haproxy, java-11-openjdk, and ncurses), Oracle (ghostscript, kernel, php:7.2, php:7.3, and sudo), Red Hat (chromium-browser, python27-python, and SDL), and Ubuntu (dpdk and libvpx). --------------------------------------------- https://lwn.net/Articles/805527/ ∗∗∗ Weak encryption cipher and hardcoded cryptographic keys in Fortinet products ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardc… ∗∗∗ Security Bulletin: Incorrect permissions on CIT files in IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2018-2025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect for Enterprise Resource Planning on AIX (CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Denial of Service vulnerability in IBM Spectrum Protect Backup-Archive Client (CVE-2019-4406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot on AIX (CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: SMB signing not required in IBM Spectrum Protect Plus (CVE-2016-2115) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-smb-signing-not-required-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2019
by Daily end-of-shift report 22 Nov '19

22 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-11-2019 18:00 − Freitag 22-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Securing Portable Electronic Devices During Travel ∗∗∗ --------------------------------------------- Holiday travelers often use portable electronic devices (PEDs) because they offer a range of conveniences, for example, enabling the traveler to order gifts on-the-go, access to online banking, or download boarding passes. However, these devices are vulnerable to cyberattack or theft, resulting in exposure of personal information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/11/22/securing-portable-… ∗∗∗ Abusing Web Filters Misconfiguration for Reconnaissance ∗∗∗ --------------------------------------------- Yesterday, an interesting incident was detected while working at a customer SOC. They use a “next-generation” firewall that implements a web filter based on categories. This is common in many organizations today: Users web traffic is allowed/denied based on an URL categorization database (like “adult content”, “hacking”, “gambling”, …). How was it detected? --------------------------------------------- https://isc.sans.edu/diary/rss/25538 ∗∗∗ ENISA: How to implement security by design for IoT ∗∗∗ --------------------------------------------- ENISA, the European Union Agency for Cybersecurity releases ‘Good Practices for Security of IoT’, a significant report to promote security by design for IoT. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/how-to-implement-security-by-de… ∗∗∗ A guidebook to open-source OT reconnaissance ∗∗∗ --------------------------------------------- An attacker targeting OT needs to perform reconnaissance on the targeted system and learn how it is connected to the IT network. This often involves old-fashioned or digital espionage, but a lot of such information is actually available out there in the open. ... how open source intelligence (OSINT) can be used to learn crucial details of the inner workings of many a system. An important lesson from Daniels paper and talk is that security by obscurity is dead and ... --------------------------------------------- https://www.virusbulletin.com/blog/2019/11/vb2019-paper-fantastic-informati… ∗∗∗ Introducing Flan Scan: Cloudflare’s Lightweight Network Vulnerability Scanner ∗∗∗ --------------------------------------------- Today, we’re excited to open source Flan Scan, Cloudflare’s in-house lightweight network vulnerability scanner. Flan Scan is a thin wrapper around Nmap that converts this popular open source tool into a vulnerability scanner with the added benefit of easy deployment. --------------------------------------------- https://blog.cloudflare.com/introducing-flan-scan/ ∗∗∗ Ransomware: A free tool can decrypt this malware variant that puts a ransom note on you desktop wallpaper ∗∗∗ --------------------------------------------- Emsisoft, which has build the decryption tool, said that the Hakbit ransomware has hit home users and businesses in the US and Europe, demanding $300 in bitcoin from victims, while warning them how many files they stand to lose. --------------------------------------------- https://www.zdnet.com/article/ransomware-a-free-tool-can-decrypt-this-malwa… ===================== = Vulnerabilities = ===================== ∗∗∗ ClamAV: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in ClamAV ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/11/warn… ∗∗∗ Nodequeue - Critical - Cross Site Scripting - SA-CONTRIB-2019-085 ∗∗∗ --------------------------------------------- Nodequeues JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loaded. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "manipulate queues". --------------------------------------------- https://www.drupal.org/sa-contrib-2019-085 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dpdk, mingw-djvulibre, mingw-hunspell, mingw-ilmbase, mingw-OpenEXR, php-symfony, php-symfony3, and rsyslog), openSUSE (chromium and squid), SUSE (aspell, cups, djvulibre, and dpdk), and Ubuntu (djvulibre). --------------------------------------------- https://lwn.net/Articles/805367/ ∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1011 ∗∗∗ New bypass disclosed in Microsoft PatchGuard (KPP) ∗∗∗ --------------------------------------------- After GhostHook and InfinityHook, we now have ByePg. No patch out yet. --------------------------------------------- https://www.zdnet.com/article/new-bypass-disclosed-in-microsoft-patchguard-… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM Tivoli Netcool Impact (CVE-2019-4570) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Log Analysis is vulnerable to a client side scripting attack due to missing HTTPOnly and Secure attribute in the cookie ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log-analysis-is-vulnerabl… ∗∗∗ Security Bulletin: Stored cross site scripting vulnerability in IBM Tivoli Netcool Impact (CVE-2019-4569) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stored-cross-site-scripti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2019
by Daily end-of-shift report 21 Nov '19

21 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-11-2019 18:00 − Donnerstag 21-11-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin ∗∗∗ --------------------------------------------- Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability present since Jetpack 5.1. --------------------------------------------- https://www.bleepingcomputer.com/news/security/millions-of-sites-exposed-by… ∗∗∗ New RIPlace Bypass Evades Windows 10, AV Ransomware Protection ∗∗∗ --------------------------------------------- A new ransomware bypass technique called RIPlace requires only a few lines of code to bypass ransomware protection features built into many security products and Windows 10. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-riplace-bypass-evades-wi… ∗∗∗ Gnip Banking Trojan Shows Ongoing, Aggressive Development ∗∗∗ --------------------------------------------- The mobile malware, which incorporates Anubis source code, could evolve into a fully fledged spyware in the future. --------------------------------------------- https://threatpost.com/gnip-banking-trojan-aggressive-development/150521/ ∗∗∗ Linux Webmin Servers Under Attack by Roboto P2P Botnet ∗∗∗ --------------------------------------------- A newly-discovered peer-to-peer (P2P) botnet has been found targeting a remote code execution vulnerability in Linux Webmin servers. --------------------------------------------- https://threatpost.com/linux-webmin-servers-attack-p2p-botnet/150513/ ∗∗∗ Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1909 (a.k.a., “19H2”), and for Windows Server version 1909. Note that Windows Server version 1909 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option. --------------------------------------------- https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Securit… ∗∗∗ Explained: juice jacking ∗∗∗ --------------------------------------------- Juice jacking is a type of cyberattack that uses a USB charging port to steal data or infect phones with malware. Learn how it works and ways to protect against it. --------------------------------------------- https://blog.malwarebytes.com/explained/2019/11/explained-juice-jacking/ ∗∗∗ Video: Identitätsdiebstahl bei Umfragejob ∗∗∗ --------------------------------------------- Auf diversen Job-Portalen stoßen Sie momentan auf Ausschreibungen zu Umfragejobs. Schon bei der Registrierung verlangt man Ihre Ausweiskopie. Melden Sie sich hier nicht an! Kriminelle stehlen Ihre Daten und tarnen die Eröffnung eines Bankkontos in Ihrem Namen als bezahlte Umfrage. --------------------------------------------- https://www.watchlist-internet.at/news/video-identitaetsdiebstahl-bei-umfra… ∗∗∗ DePriMon downloader uses novel ways to infect your PC with ColoredLambert malware ∗∗∗ --------------------------------------------- It is believed the downloader is using techniques not seen before in the wild. --------------------------------------------- https://www.zdnet.com/article/deprimon-downloader-uses-novel-ways-to-infect… ∗∗∗ New SectopRAT Trojan creates hidden second desktop to control browser sessions ∗∗∗ --------------------------------------------- The Trojan makes sure the second desktop is hidden from sight. --------------------------------------------- https://www.zdnet.com/article/new-sectoprat-malware-creates-hidden-second-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Releases Outlook for Android Security Update ∗∗∗ --------------------------------------------- Original release date: November 21, 2019Microsoft has released an update to address a vulnerability in Outlook for Android. An attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/11/21/microsoft-releases… ∗∗∗ New security release versions of BIND are available: 9.11.13, 9.14.8 and 9.15.6 ∗∗∗ --------------------------------------------- New security releases of BIND are available which contain fixes for the CVEs disclosed today. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2019-November/001143.html ∗∗∗ Apache Solr Bug Gets Bumped Up to High Severity ∗∗∗ --------------------------------------------- The vulnerability (CVE-2019-12409) was first reported in July and patched in August. ... Since the bug was initially discovered, researchers have reevaluated the threat and escalated its severity to high-risk. --------------------------------------------- https://threatpost.com/apache-solr-bug-gets-bumped-up-to-high-severity/1504… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (oniguruma and thunderbird-enigmail), openSUSE (chromium, ghostscript, and slurm), Oracle (kernel), Red Hat (kpatch-patch), Slackware (bind), SUSE (python-ecdsa), and Ubuntu (bind9 and mariadb). --------------------------------------------- https://lwn.net/Articles/805281/ ∗∗∗ Security Bulletin: Inadequate account lockout in Cloud Pak System (CVE-2019-4096) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-account-lockou… ∗∗∗ Security Bulletin: Vulnerabilities in WAS Liberty affect IBM Spectrum LSF Suite, Spectrum LSF Suite for HPA and Spectrum LSF Application Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-was-li… ∗∗∗ Security Bulletin: Bypass Client-Side Validation vulnerability in Cloud Pak System (CVE-2019-4240) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bypass-client-side-valida… ∗∗∗ Security Bulletin: A vulnerability in Apache Solr (lucene) affects IBM Operations Analytics – Log Analysis (CVE-2019-4243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Clickjacking vulnerability in IBM Operations Analytics – Log Analysis (CVE-2019-4215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-clickjacking-vulnerabilit… ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is vulnerable to potential Host Header Injection (CVE-2019-4216) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoil Federated Identity Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: XStream as used by IBM QRadar SIEM is vulnerable to os command injection (CVE-2019-10173) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xstream-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Operations Center on AIX (CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ IBM Security Bulletin: A Vulnerability in Apache PDFBox Affects Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ap… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems (July2019 updates) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Controller 2019Q4 Security Updater: Multiple Security Vulnerabilities have been identified in IBM Cognos Controller ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-201… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2019
by Daily end-of-shift report 20 Nov '19

20 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-11-2019 18:00 − Mittwoch 20-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NSA Releases Cyber Advisory: Managing Risk from Transport Layer Security Inspection ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cyber Advisory that addresses managing risk from Transport Layer Security Inspection (TLSI). This short, informative document defines TLSI (a security process that allows incoming traffic to be decrypted, inspected, and re-encrypted), explains some risks and associated challenges, and discusses mitigations. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/11/19/nsa-releases-cyber… ∗∗∗ D-Link Adds More Buggy Router Models to 'Won’t Fix' List ∗∗∗ --------------------------------------------- D-Link has warned that more of its routers are vulnerable to critical flaws that allow remote hackers to take control of hardware and steal data. The routers won’t be fixed, said D-Link, explaining that the hardware has reached its end-of-life and will no longer receive security updates. ... D-Link identified the additional affected models as: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862. --------------------------------------------- https://threatpost.com/d-link-wont-fix-router-bugs/150438/ ∗∗∗ Monero Project site compromised, served malware-infected binaries ∗∗∗ --------------------------------------------- The official website of the Monero Project has been compromised to serve a malware-infected version of the CLI (command-line interface) wallet. The malicious file was available for download for around 14 hours and at least one of the users who downloaded the malware has had their funds stolen. What happened? --------------------------------------------- https://www.helpnetsecurity.com/2019/11/20/monero-project-compromised/ ===================== = Vulnerabilities = ===================== ∗∗∗ Google and Samsung Fix Android Spying Flaw. Other Makers May Still Be Vulnerable ∗∗∗ --------------------------------------------- Until recently, weaknesses in Android camera apps from Google and Samsung made it possible for rogue apps to record video and audio and take images and then upload them to an attacker-controlled server -- without any permissions to do so. Camera apps from other manufacturers may still be susceptible. --------------------------------------------- https://tech.slashdot.org/story/19/11/19/1737219/google-and-samsung-fix-and… ∗∗∗ Administration Views - Moderately critical - Access bypass - SA-CONTRIB-2019-076 ∗∗∗ --------------------------------------------- This module replaces administrative overview/listing pages with actual views for superior usability.The module doesnt sufficiently check user access when using the "Menu system path" access handler on a Views displays other than "System". --------------------------------------------- https://www.drupal.org/sa-contrib-2019-076 ∗∗∗ Unbound: Vulnerability in IPSEC module ∗∗∗ --------------------------------------------- Due to unsanitized characters passed to the ipsecmod-hook shell command, it is possible for Unbound to allow shell code execution from a specially crafted IPSECKEY answer. (CVE-2019-18934) --------------------------------------------- https://nlnetlabs.nl/projects/unbound/security-advisories/ ∗∗∗ Flexera FlexNet Publisher ∗∗∗ --------------------------------------------- These vulnerabilities could allow an attacker to deny the acquisition of a valid license for legal use of the product. The memory corruption vulnerability could allow remote code execution. (CVE-2018-20033, CVSS v3 9.8) --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-323-01 ∗∗∗ High Severity Vulnerability Patched in WP Maintenance Plugin ∗∗∗ --------------------------------------------- This flaw allowed attackers to enable a vulnerable site’s maintenance mode and inject malicious code affecting site visitors. We disclosed this issue privately to the plugin’s developer who released a patch the next day. Plugin versions of WP Maintenance up to 5.0.5 are vulnerable to attacks against this flaw. All WP Maintenance users should update to version 5.0.6 immediately. --------------------------------------------- https://www.wordfence.com/blog/2019/11/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redmine), Fedora (libidn2), Mageia (clamav, ghostscript, kernel, kernel-linus, libexif, libjpeg, mariadb, microcode, and systemd), and openSUSE (libjpeg-turbo). --------------------------------------------- https://lwn.net/Articles/805224/ ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Teams for Windows DLL Hijacking Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Centers Username Enumeration Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution vManage Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unity Express Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Domain Manager Persistent Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Stealthwatch Enterprise Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Routers RV016, RV042, RV042G, and RV082 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software NETCONF Over Secure Shell ACL Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance URL Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance MP3 Content Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces: Connector SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces: Connector Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces: Connector Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Use of Insufficiently Random Values Vulnerability in Huawei ViewPoint Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191120-… ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei Home Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191113-… ∗∗∗ Security Advisory - Improper Validation of Array Index Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191120-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Privilege Escalation (CVE-2019-4530) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: A security vulnerability has been fixed in the IBM Security Identity Manager product (CVE-2019-4561) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in WAS Liberty affect IBM Spectrum LSF Suite, Spectrum LSF Suite for HPA and Spectrum LSF Application Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-was-li… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.11.2019
by Daily end-of-shift report 19 Nov '19

19 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Montag 18-11-2019 18:00 − Dienstag 19-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Linux, Windows Users Targeted With New ACBackdoor Malware ∗∗∗ --------------------------------------------- Researchers have discovered a new multi-platform backdoor that infects Windows and Linux systems allowing the attackers to run malicious code and binaries on the compromised machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted… ∗∗∗ Buran Ransomware Infects PCs via Microsoft Excel Web Queries ∗∗∗ --------------------------------------------- A new spam campaign has been spotted distributing the Buran Ransomware through IQY file attachments. When opened, these Microsoft Excel Web Query attachments will execute a remote command that installs the ransomware onto a victims computer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/buran-ransomware-infects-pcs… ∗∗∗ Coin Stealer Found in Monero Linux Binaries From Official Site ∗∗∗ --------------------------------------------- The Monero Project is currently investigating a potential compromise of the official website after a coin stealer was found in the Linux 64-bit command line (CLI) Monero binaries downloaded from the download page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/coin-stealer-found-in-monero… ∗∗∗ Elasticsearch: Datenleak bei Conrad ∗∗∗ --------------------------------------------- Der Elektronikhändler Conrad meldet, dass ein Angreifer Zugang zu Kundendaten und Kontonummern gehabt habe. Grund dafür war eine ungesicherte Elasticsearch-Datenbank. --------------------------------------------- https://www.golem.de/news/elasticsearch-datenleak-bei-conrad-1911-145091-rs… ∗∗∗ Windows Debugging & Exploiting Part 2 - WinDBG 101 ∗∗∗ --------------------------------------------- Hello again! After our previous post about the environment setup, now it is time to cover the main tool of this project, the WinDBG. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/windows-deb… ∗∗∗ When Bank Communication is Indistinguishable from Phishing Attacks ∗∗∗ --------------------------------------------- You know how banks really, really want to avoid their customers falling victim to phishing scams? And how they put a heap of effort into education to warn folks about the hallmarks of phishing scams? And how banks are the shining beacons of light when it comes to demonstrating security [...] --------------------------------------------- https://www.troyhunt.com/when-bank-communication-is-indistinguishable-from-… ∗∗∗ Vulnerability in ABB Plant Historian Disclosed 5 Years After Discovery ∗∗∗ --------------------------------------------- It took Swiss-based industrial technology solutions provider ABB five years to inform customers of a critical vulnerability affecting one of its products, and the researcher who found it says this increased the chances of threat actors discovering and exploiting the security flaw. --------------------------------------------- https://www.securityweek.com/vulnerability-abb-plant-historian-disclosed-5-… ∗∗∗ Vorsicht bei angeblichen Gewinnspielen von Magenta, A1, Drei oder Liwest ∗∗∗ --------------------------------------------- Aktuell verbreiten Kriminelle über unterschiedliche Kanäle Fake-Gewinnspiele. Sie werden entweder per E-Mail, SMS oder mittels Pop-Up im Browser benachrichtigt, dass Sie angeblich ein Smartphone gewonnen haben. Um den Gewinn zu erhalten, muss nur eine kurze Umfrage beantwortet und ein kleiner Geldbetrag für den Versand bezahlt werden. Vorsicht: Es handelt sich um eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-angeblichen-gewinnspiel… ===================== = Vulnerabilities = ===================== ∗∗∗ Schwere Sicherheitslücke in WhatsApp entdeckt ∗∗∗ --------------------------------------------- In WhatsApp wurde eine Schwachstelle gefunden, die es Angreifern ermöglicht, Dateien zu stehlen und Nachrichten auszulesen. --------------------------------------------- https://futurezone.at/apps/schwere-sicherheitsluecke-in-whatsapp-entdeckt/4… ∗∗∗ Lernplattform Moodle: Entwickler schließen kritische Schwachstellen ∗∗∗ --------------------------------------------- Moodle-Admins aufgepasst: Neue Versionen schließen mehrere, teils als "Serious" bewertete Lücken. --------------------------------------------- https://heise.de/-4591094 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-psutil, slurm-llnl, symfony, and thunderbird), Fedora (gd and ghostscript), and SUSE (ceph, haproxy, java-11-openjdk, and ncurses). --------------------------------------------- https://lwn.net/Articles/805149/ ∗∗∗ Lexmark Services Monitor 2.27.4.0.39 Directory Traversal ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019110124 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2019-5435, CVE-2019-5436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a… ∗∗∗ HPESBHF03963 rev.1 - Certain HPE ProLiant Servers with Intel CSME, AMT, SPS, TXE, ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03968 rev.1 - HPE Gen10 ProLiant, Apollo, and Synergy Servers using Intel CPU Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA), Local Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03969 rev.1 - HPE ProLiant Gen10 Servers using certain Intel Xeon Scalable Processors, Voltage Modulation, Local Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03971 rev.1 - HPE Servers using certain Intel Processors, SMM and TXT, Local Escalation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03964 rev.1 - HPE Nimble Storage, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Google Chrome: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0998 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2019
by Daily end-of-shift report 18 Nov '19

18 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-11-2019 18:00 − Montag 18-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New NextCry Ransomware Encrypts Data on NextCloud Linux Servers ∗∗∗ --------------------------------------------- On October 24, Nextcloud released an urgent alert about a remote code execution vulnerability that impacts the default Nextcloud NGINX configuration. Tracked as CVE-2019-11043, the flaw is in the PHP-FPM (FastCGI Process Manager) component, included by some hosting providers like Nextcloud in their default setup. A public exploit exists and has been leveraged to compromised servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encry… ∗∗∗ Powershell ConstrainedLanguage Mode ∗∗∗ --------------------------------------------- Gastbeitrag vom milCERT - Philipp Thaller und Stefan Bachmair - Bei der Analyse von aktueller Malware stellte sich heraus dass viele der aktuellen Exemplare (inkl. Emotet ) auf die PowerShell angewiesen sind um ihr schadhaftes Potential entfalten zu können. Schränkt man die PowerShell entsprechend ein, ist eine Ausführung des eigentlichen Schadcodes oft gar nicht möglich. --------------------------------------------- https://cert.at/de/blog/2019/11/201911-powershell-constrainedlanguage ∗∗∗ Willhaben warnt vor betrügerischer Phishing-SMS ∗∗∗ --------------------------------------------- Wer von der Verkaufsplattform Willhaben eine SMS mit Zahlungsinformationen bekommt, soll den Link keinesfalls anklicken. --------------------------------------------- https://futurezone.at/apps/willhaben-warnt-vor-betruegerischer-phishing-sms… ∗∗∗ pax: Exploit padding oracles for fun and profit ∗∗∗ --------------------------------------------- Pax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to: - Obtain plaintext for a given piece of CBC encrypted data. - Obtain encrypted bytes for a given piece of plaintext, using the unknown encryption algorithm used by the oracle. --------------------------------------------- https://github.com/liamg/pax ∗∗∗ RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients ∗∗∗ --------------------------------------------- In this blogpost I will describe the process I followed to write a tool that will extract clear-text credentials from the Microsoft RDP client using API hooking. Using this approach, if you are already operating under the privileges of the compromised user (e.g. as a result of a phish) and the user has an RDP session open, you are able to extract the clear-text credentials without privilege escalation. --------------------------------------------- https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-… ∗∗∗ Medica 2019: BSI-Leitfaden zur Cyber-Sicherheit von Medizinprodukten ∗∗∗ --------------------------------------------- Im Kontext der sicheren Digitalisierung im Gesundheitswesen hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) im Rahmen der Messe "Medica" in Düsseldorf einen neuen Leitfaden "Sicherheit von Medizinprodukten – Leitfaden zur Nutzung des MDS2 aus 2019" (Manufacturer Disclosure Statement for Medical Device Security) veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Leitfaden_M… ∗∗∗ Google patches ‘awesome’ XSS vulnerability in Gmail dynamic email feature ∗∗∗ --------------------------------------------- The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering. --------------------------------------------- https://www.zdnet.com/article/google-patches-awesome-xss-vulnerability-in-g… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa). --------------------------------------------- https://lwn.net/Articles/805083/ ∗∗∗ Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2019-4096) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2019
by Daily end-of-shift report 15 Nov '19

15 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-11-2019 18:00 − Freitag 15-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ How the Linux kernel balances the risks of public bug disclosure ∗∗∗ --------------------------------------------- A serious Wi-Fi flaw shows how Linux handles security in plain sight. --------------------------------------------- https://nakedsecurity.sophos.com/2019/11/15/how-the-linux-kernel-balances-t… ∗∗∗ A Tale of Rootkits and Other Backdoors ∗∗∗ --------------------------------------------- In this post, we will focus on software backdoors commonly seen in Linux environments, we will attempt to outline some representative examples, and we will discuss common techniques backdoor authors use to hide their malicious payloads. --------------------------------------------- https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory 2019-15: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- OTRS can be put into an endless loop by providing filenames with overly long extensions. This applies to the PostMaster (sending in email) and also upload (attaching files to mails, for example). --------------------------------------------- https://community.otrs.com/security-advisory-2019-15-security-update-for-ot… ∗∗∗ Security Advisory 2019-14: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, which are in the queue where attacker doesn’t have permissions. --------------------------------------------- https://community.otrs.com/security-advisory-2019-14-security-update-for-ot… ∗∗∗ A heap overflow vulnerability has been found in wolfssl ∗∗∗ --------------------------------------------- Wolfssl is an TLS library mostly used in embedded Linux devices. It is also used in the popular tool curl. ... The vulnerability has been given the CVE of CVE-2019–18840. --------------------------------------------- https://medium.com/@social_62682/heap-overflow-in-wolfssl-cve-2019-18840-18… ∗∗∗ Lücke in älteren WhatsApp-Versionen erlaubte Codeausführung aus der Ferne ∗∗∗ --------------------------------------------- Facebook weist auf eine Lücke in dem Messenger WhatsApp hin. Viele Geräte sollten dank automatischer Updates bereits seit einiger Zeit geschützt sein. --------------------------------------------- https://heise.de/-4587119 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (ghostscript, mesa, and postgresql-common), Fedora (chromium, php-robrichards-xmlseclibs, php-robrichards-xmlseclibs3, samba, scap-security-guide, and wpa_supplicant), Mageia (cpio, fribidi, libapreq2, python-numpy, webkit2, and zeromq), openSUSE (ImageMagick, kernel, libtomcrypt, qemu, ucode-intel, and xen), Oracle (kernel), Red Hat (ghostscript, kernel, and kernel-rt), Scientific Linux (ghostscript and kernel), SUSE (bash, enigmail, ghostscript, kernel, libjpeg-turbo, openconnect, squid), Ubuntu (ghostscript, imagemagick, postgresql-common). --------------------------------------------- https://lwn.net/Articles/804904/ ∗∗∗ Philips IntelliBridge EC40/80 ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-318-01 ∗∗∗ Omron CX-Supervisor ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-318-04 ∗∗∗ ABB Power Generation Information Manager (PGIM) and Plant Connect ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-318-05 ∗∗∗ Security Bulletin: CSV Injection (CVE-2019-4490) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-csv-injection-cve-2019-44… ∗∗∗ Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities affect IBM Cloud Object Storage SDK Java (November 2019 Bulletin) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OS Images for RedHat Enterprise System is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilites (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-os-images-for-redhat-… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites impacting IBM Aspera Connect 3.7.4 and earlier (CVE-2017-3732, CVE-2016-7055) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im… ∗∗∗ Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-collection… ∗∗∗ iControl REST logs a plaintext password when the syntax of a cURL request is incorrect ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61105950 ∗∗∗ BIG-IP / BIG-IQ / Enterprise Manager / F5 iWorkflow Configuration utility vulnerability CVE-2019-6663 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K76052144 ∗∗∗ TMM vulnerability CVE-2019-6660 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23860356 ∗∗∗ TLS 1.3 vulnerability CVE-2019-6659 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34450231 ∗∗∗ BIG-IP restjavad vulnerability CVE-2019-6662 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01049383 ∗∗∗ TMOS vulnerability CVE-2019-6664 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03126093 ∗∗∗ BIG-IP APM apd vulnerability CVE-2019-6661 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61705126 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2019
by Daily end-of-shift report 14 Nov '19

14 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-11-2019 18:00 − Donnerstag 14-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researchers Find Bug in Qualcomm Code for Trusted App ∗∗∗ --------------------------------------------- Researchers stressing the code related to Qualcomms implementation of the secure execution area on mobile devices found a new vulnerability that could allow access to critical data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-find-bug-in-qual… ∗∗∗ NCSC-NZ Cyber threat report for 2018/19 released ∗∗∗ --------------------------------------------- The National Cyber Security Centre, (NCSC) has released its Cyber Threat Report for the 2018/19 reporting year. --------------------------------------------- https://www.ncsc.govt.nz/newsroom/cyber-threat-report-for-201819-released/ ∗∗∗ Windows & Linux get options to disable Intel TSX to prevent Zombieload v2 attacks ∗∗∗ --------------------------------------------- Disclosure of new Zombieload v2 vulnerability prompts OS makers to react with ways to disable Intels TSX technology. --------------------------------------------- https://www.zdnet.com/article/windows-linux-get-options-to-disable-intel-ts… ===================== = Vulnerabilities = ===================== ∗∗∗ Symantec Fixes Privilege Escalation Flaw in Endpoint Protection ∗∗∗ --------------------------------------------- Symantec fixed a local privilege escalation security flaw affecting all Symantec Endpoint Protection software versions prior to 14.2 RU2, and allowing attackers to escalate privileges on compromised devices and execute malicious code using SYSTEM privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/symantec-fixes-privilege-esc… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (kernel, linux-lts, and linux-zen), CentOS (kernel, sudo, and thunderbird), Debian (linux-4.9), Fedora (samba), openSUSE (apache2-mod_auth_openidc, kernel, qemu, rsyslog, and ucode-intel), Oracle (kernel), Red Hat (kernel and kernel-rt), Scientific Linux (kernel), SUSE (kernel and microcode_ctl), and Ubuntu (kernel, libjpeg-turbo, linux, linux-hwe, linux-oem, linux, linux-hwe, linux-oem-osp1, and qemu). --------------------------------------------- https://lwn.net/Articles/804775/ ∗∗∗ Movable Type vulnerable to open redirect ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN65280626/ ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ bzip2 vulnerability CVE-2019-12900 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68713584 ∗∗∗ lodash library vulnerability CVE-2019-10744 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K47105354 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2019
by Daily end-of-shift report 13 Nov '19

13 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-11-2019 18:00 − Mittwoch 13-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Network Traffic Analysis for IR: Address Resolution Protocol (ARP) with Wireshark ∗∗∗ --------------------------------------------- Introduction to the Address Resolution Protocol The Address Resolution Protocol (ARP) was first defined in RFC 826. As the name suggests, it is designed to resolve IP addresses into a form usable by other systems within a subnet. Network addressing works at a couple of different layers of the OSI model. --------------------------------------------- https://resources.infosecinstitute.com/address-resolution-protocol-arp-with… ∗∗∗ Schlüssel aus TPM-Chips lassen sich extrahieren ∗∗∗ --------------------------------------------- Mit einem Timing-Angriff lassen sich Signaturschlüssel auf Basis elliptischer Kurven aus TPM-Chips extrahieren. ... TPM-Chips sind in allen modernen PCs vorhanden und teilweise umstritten, da sie auch dazu genutzt werden können, Schutzmechanismen gegen den Willen des Nutzers umzusetzen. Trotz ihrer Verbreitung werden die Chips eher selten für kritische Applikationen genutzt, die Auswirkungen der Lücke dürften sich in Grenzen halten. --------------------------------------------- https://www.golem.de/news/tpm-fail-schluessel-aus-tpm-chips-lassen-sich-ext… ∗∗∗ GSM Traffic and Encryption: A5/1 Stream Cipher ∗∗∗ --------------------------------------------- This write-up documents some of my follow-up research with regard to analyzing the GSM traffic packets I captured using Software Defined Radio. My attempt was to better understand the GSM mobile network protocols and procedures, with an emphasis on the authentication and ciphering algorithms being deployed. --------------------------------------------- https://www.blackhillsinfosec.com/gsm-traffic-and-encryption-a5-1-stream-ci… ∗∗∗ Angriffe über USB und Bluetooth: Android-Smartphones verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Schwachstellen in mehreren älteren Android-Smartphones entdeckt, die sie über USB- und Bluetooth-Verbindungen ausnutzen konnten. --------------------------------------------- https://heise.de/-4584690 ∗∗∗ Seriöses Job-Angebot oder Auftrag zur Geldwäsche? ∗∗∗ --------------------------------------------- Auf diversen Job-Börsen und Kleinanzeigenportalen stoßen Arbeitssuchende momentan auf Angebote zur freien Mitarbeit der „TideBit Deutschland LTD“. Die Firma existiert in dieser Form nicht. Kriminelle missbrauchen den Namen eines Kryptowährungsunternehmens, um BewerberInnen zur Geldwäsche zu bringen. Wer die Aufgaben erfüllt, macht sich womöglich selbst strafbar. --------------------------------------------- https://www.watchlist-internet.at/news/serioeses-job-angebot-oder-auftrag-z… ===================== = Vulnerabilities = ===================== ∗∗∗ November 2019 security updates are available! ∗∗∗ --------------------------------------------- We have released the November security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. As a reminder, Windows 7 and Windows Server 2008 R2 will be out of extended support and no longer receiving updates as of January 14, 2020. --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/11/12/november-2019-security-updat… ∗∗∗ Intel fixt Sicherheitslücken und enthüllt nebenbei eine neue ZombieLoad-Variante ∗∗∗ --------------------------------------------- Zum Patch Tuesday hat Intel 77 teils kritische Lücken gefixt, unter denen sich auch ein bislang geheim gehaltener Seitenkanalangriff befand. --------------------------------------------- https://heise.de/-4584543 ∗∗∗ VMSA-2019-0020 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion patches provide Hypervisor-Specific Mitigations for Speculative-Execution Vulnerabilities (CVE-2018-12207, CVE-2019-11135) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0020.html ∗∗∗ VMSA-2019-0021 ∗∗∗ --------------------------------------------- VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2019-5540, CVE-2019-5541, CVE-2019-5542) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0021.html ∗∗∗ VMSA-2019-0008.2 ∗∗∗ --------------------------------------------- VMware product updates enable Hypervisor-Specific Mitigations, Hypervisor-Assisted Guest Mitigations, and Operating System-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0008.html ∗∗∗ Xen Security Advisory CVE-2019-11135 / XSA-305 ∗∗∗ --------------------------------------------- A new way to sample data from microarchitectural structures has been identified. A TSX Asynchronous Abort is a state which occurs between a transaction definitely aborting (usually for reasons outside of the pipeline's control e.g. receiving an interrupt), and architectural state being rolled back to start of the transaction. During this period, speculative execution may be able to infer the value of data in the microarchitectural structures. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-305.html ∗∗∗ Xen Security Advisory CVE-2018-12207 / XSA-304 ∗∗∗ --------------------------------------------- An erratum exists across some CPUs whereby an instruction fetch may cause a machine check error if the pagetables have been updated in a specific manner without invalidating the TLB. ... This corner case can be triggered by guest kernels. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-304.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, intel-microcode, kernel, libssh2, qemu, and webkit2gtk), Fedora (apache-commons-beanutils, bluez, iwd, kernel, kernel-headers, kernel-tools, libell, and microcode_ctl), openSUSE (gdb), Oracle (kernel), Red Hat (kernel and kernel-rt), SUSE (dhcp, evolution, kernel, libcaca, python, python-xdg, qemu, sysstat, ucode-intel, and xen), and Ubuntu (dpdk, intel-microcode, kernel, linux, linux-aws, ..., webkit2gtk) --------------------------------------------- https://lwn.net/Articles/804641/ ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- CTX263684 - A security issue has been identified in certain CPU hardware that may allow unprivileged code running on a CPU core to infer the value of memory data belonging to other processes, virtual machines or the hypervisor that are, or have recently been, running on the same CPU core. --------------------------------------------- https://support.citrix.com/article/CTX263684 ∗∗∗ Citrix ADC and Citrix Gateway Security Update (CVE-2019-0140) ∗∗∗ --------------------------------------------- CTX263807 - A vulnerability has been identified affecting Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, platforms which could result in privilege escalation via layer 2 network access on all network interfaces. --------------------------------------------- https://support.citrix.com/article/CTX263807 ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191113-… ∗∗∗ Security Advisory - Improper File Management Vulnerability in Huawei Share ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191113-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by vulnerability in OpenSSL (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-nextscale-fan-power-c… ∗∗∗ libpcap vulnerability CVE-2019-15163 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K92862401?utm_source=f5support&utm_mediu… ∗∗∗ Hotfix XS80E008 - For Citrix Hypervisor 8.0 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263663 ∗∗∗ Hotfix XS76E012 - For XenServer 7.6 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263662 ∗∗∗ Hotfix XS71ECU2024 - For XenServer 7.1 Cumulative Update 2 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263661 ∗∗∗ Hotfix XS70E075 - For XenServer 7.0 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263660 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2019
by Daily end-of-shift report 12 Nov '19

12 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Montag 11-11-2019 18:00 − Dienstag 12-11-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat Alert: TCP Amplification Attacks ∗∗∗ --------------------------------------------- TCP reflection attacks, such as SYN-ACK reflection attacks, have been less popular among attackers until recently. The lack of popularity was mainly due to the wrong assumption that TCP reflection attacks cannot generate enough amplification compared to UDP-based reflections. In general, TCP attacks are low bandwidth and less likely to saturate an internet link. --------------------------------------------- https://blog.radware.com/security/2019/11/threat-alert-tcp-reflection-attac… ∗∗∗ Tech Support Scammers Exploiting Unpatched Firefox Bug ∗∗∗ --------------------------------------------- Mozilla is working on addressing a Firefox bug that has been exploited by tech support scammers to lock the browser when users visit specially crafted websites. --------------------------------------------- https://www.securityweek.com/tech-support-scammers-exploiting-unpatched-fir… ∗∗∗ Netflix: Vorsicht vor betrügerischen Phishing-Mails ∗∗∗ --------------------------------------------- Aktuell häufen sich Meldungen über betrügerische E-Mails, die angeblich von Netflix stammen. Es sei ein Problem mit der Zahlungsabwicklung aufgetreten, sodass Netflix die Nutzungsgebühr nicht abbuchen kann und daher den Account vorübergehend gesperrt hat. Kriminelle fordern Netflix-NutzerInnen auf, die Kontoinformationen zu aktualisieren. Es handelt sich jedoch um Phishing! --------------------------------------------- https://www.watchlist-internet.at/news/netflix-vorsicht-vor-betruegerischen… ∗∗∗ This unusual new ransomware is going after servers ∗∗∗ --------------------------------------------- The previously undetected server-encrypting malware has been detailed in research by cyber security analysts at Intezer and IBM X-Force, who've named it PureLocker because it's written in written in the PureBasic programming language. ... It's currently uncertain how exactly PureLocker is delivered to victims, but researchers note that more_eggs campaigns begin with phishing emails, so the ransomware attacks could begin in the same way, with the final payload likely to be the final part of a multi-staged attack. --------------------------------------------- https://www.zdnet.com/article/this-unusual-new-ransomware-is-going-after-se… ===================== = Vulnerabilities = ===================== ∗∗∗ McAfee Patches Privilege Escalation Flaw in Antivirus Software ∗∗∗ --------------------------------------------- McAfee patched a security vulnerability discovered in all editions of its Antivirus software for Windows and enabling potential attackers to escalate privileges and execute code using SYSTEM privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mcafee-patches-privilege-esc… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating system of an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Adobe Security Bulletins ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Animate CC (APSB19-34), Adobe Illustrator CC (APSB19-36), Adobe Media Encoder (APSB19-52) and Adobe Bridge CC (APSB19-53). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1801 ∗∗∗ Sicherheitsupdate: Magento-Onlineshops von Schadcode-Attacken gefährdet ∗∗∗ --------------------------------------------- Wer einen Onlineshop mit Magento-Software betreibt, sollte aus Sicherheitsgründen zügig die aktuelle Version installieren. --------------------------------------------- https://heise.de/-4584383 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar). --------------------------------------------- https://lwn.net/Articles/804412/ ∗∗∗ Synology-SA-19:38 Synology Assistant ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Assistant. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_38 ∗∗∗ SAP Security Patch Day – November 2019 ∗∗∗ --------------------------------------------- On 12th of November 2019, SAP Security Patch Day saw the release of 12 Security Notes. There are 3 updates to previously released Patch Day Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528880390 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache ActiveMQ vulnerability (CVE-2018-11775) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Incorrect permissions on restored files and directories on Windows using IBM Spectrum Protect Plus (CVE-2019-4652) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Java affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact Configuration and Deployment Management Clickjacking ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by a jQuery vulnerability (CVE-2015-9251) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by a jQuery vulnerability (CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ SSA-686531 (Last Update: 2019-11-12): Hardware based manufacturing access on S7-1200 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-686531.pdf ∗∗∗ SSA-616472 (Last Update: 2019-11-12): ZombieLoad and Microarchitectural Data Sampling Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-616472.pdf ∗∗∗ SSA-898181 (Last Update: 2019-11-12): Desigo PX Web Remote Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf ∗∗∗ SSA-434032 (Last Update: 2019-11-12): Vulnerability in Mentor Nucleus Networking Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf ∗∗∗ Multiple tcpdump vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44551633 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2019
by Daily end-of-shift report 11 Nov '19

11 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-11-2019 18:00 − Montag 11-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DDoS attacks in Q3 2019 ∗∗∗ --------------------------------------------- Statistically, Q3 2019 differs little from Q2. In terms of geographical distribution of attacks and targets, we saw a continuation of the now familiar trend of unexpected guests appearing, only to drop out the next quarter. --------------------------------------------- https://securelist.com/ddos-report-q3-2019/94958/ ∗∗∗ Vulnerable Versions of Adminer as a Universal Infection Vector ∗∗∗ --------------------------------------------- This past week, we’ve been monitoring a new wave of website infections mostly impacting WordPress and Magento websites. We found that hackers have been injecting scripts from scripts.trasnaltemyrecords[.]com into multiple files and database tables. This is still the same ongoing campaign that we’ve been following for the past few years, where site visitors are redirected to various kinds of scam landing pages—including tech support scams, fake lottery wins, and malicious [...] --------------------------------------------- https://blog.sucuri.net/2019/11/vulnerable-versions-of-adminer-as-a-univers… ∗∗∗ Ring Video Doorbell Pro: Mitteilsame IoT-Türklingel verriet WLAN-Zugangsdaten ∗∗∗ --------------------------------------------- Eine Klingel, die Besucher sicht- und hörbar macht, hätte Angreifern unbemerkt vollen WLAN-Zugriff verschaffen können. Automatische Updates wurden verteilt. --------------------------------------------- https://heise.de/-4583764 ∗∗∗ Sofortübersetzer von Muama Enence hält nicht, was er verspricht ∗∗∗ --------------------------------------------- Ein Gerät, das 32 Sprachen unmittelbar übersetzt und Verständigungsprobleme im Urlaub oder bei Geschäftstätigkeiten beseitigt, klingt erstmal hervorragend! Dies verspricht die UAB Ekomlita mit dem MUAMA Enence Instant Translator. Doch Vorsicht: Hier werden mitunter wichtige Informationen zum Produkt verheimlicht, es kommt zu groben Problemen beim Rücktritt und wir hegen Bedenken zum Datenschutz! --------------------------------------------- https://www.watchlist-internet.at/news/sofortuebersetzer-von-muama-enence-h… ∗∗∗ Apples Siri unterwandert E-Mail-Verschlüsselung ∗∗∗ --------------------------------------------- Nachrichten werden unter macOS im Klartext lokal gespeichert – Fehlerbereinigung laut Apple in Arbeit --------------------------------------------- https://www.derstandard.at/story/2000110928043/apples-siri-unterwandert-e-m… ===================== = Vulnerabilities = ===================== ∗∗∗ Jira Service Desk Security Advisory 2019-11-06 ∗∗∗ --------------------------------------------- CVE-2019-15003 - Authorization bypass allows information disclosure CVE-2019-15004 - URL path traversal allows information disclosure --------------------------------------------- https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2… ∗∗∗ UniFi Video Server Privilege Escalation From user to SYSTEM via unauthenticated command execution ∗∗∗ --------------------------------------------- The vulnerability, or feature depending how you look at it, is the ability to execute commands using the evostream API interface that is exposed on localhost:7440. --------------------------------------------- https://hackerone.com/reports/544928 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ampache, chromium, djvulibre, firefox-esr, gdal, and ruby-haml), Fedora (chromium, file, gd, hostapd, nspr, and rssh), openSUSE (bcm20702a1-firmware, firefox, gdal, libtomcrypt, php7, python-ecdsa, python3, samba, and thunderbird), SUSE (apache2-mod_auth_openidc, libssh2_org, and rsyslog), and Ubuntu (bash). --------------------------------------------- https://lwn.net/Articles/804325/ ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to multiple Kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by TCP denial of service vulnarabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Camel vulnerability (CVE-2019-0188) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Node.js lodash vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) ( CVE-2019-10744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-lodash-vulnerabil… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerability in SQLite (CVE-2018-20346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Jetty Vulnerabilities (CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2018-12536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Camel vulnerability (CVE-2019-0194) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to cross site scripting (XSS) (CVE-2019-4470) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Python affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilites ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2019
by Daily end-of-shift report 08 Nov '19

08 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-11-2019 18:00 − Freitag 08-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Warns of More Harmful Windows BlueKeep Attacks, Patch Now ∗∗∗ --------------------------------------------- The Microsoft Defender ATP Research Team says that the BlueKeep attacks detected on November 2 are connected with a coin mining campaign from September that used the same command-and-control (C2) infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-warns-of-more-harm… ∗∗∗ QNAP Warns Users to Secure Devices Against QSnatch Malware ∗∗∗ --------------------------------------------- Network-attached storage (NAS) maker QNAP urges customers to secure their NAS devices against an ongoing malicious campaign that infects them with QSnatch malware capable of stealing user credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-users-to-secure-d… ∗∗∗ Amazon Kindle, Embedded Devices Open to Code-Execution ∗∗∗ --------------------------------------------- Flaws in Das U-Boot affect third-party hardware that uses the universal bootloader as an underlying component. --------------------------------------------- https://threatpost.com/amazon-kindle-embedded-devices-code-execution/150003/ ∗∗∗ Pwn2Own Tokyo Roundup: Amazon Echo, Routers and Smart TVs Fall to Hackers ∗∗∗ --------------------------------------------- The latest edition of the bi-annual hacking contest saw creative exploits in new device categories. --------------------------------------------- https://threatpost.com/pwn2own-tokyo-2019-amazon-echo-hackers/150033/ ∗∗∗ Microsoft Apps Diverted from Their Main Use, (Fri, Nov 8th) ∗∗∗ --------------------------------------------- This week, the CERT.eu[1] organized its yearly conference in Brussels. Across many interesting presentations, one of them covered what they called the "catnmouse" game that Blue and Red teams are playing continuously. When the Blue team has detected an attack technique, they write a rule or implement a new control to detect or block it. Then, the Red team has to find an alternative attack path, [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25502 ∗∗∗ Skimmers for Both Magento and WordPress ∗∗∗ --------------------------------------------- We often write about malware that steal payment information from sites built with Magento and other types of e-commerce CMS. When discussing credit card skimmers like Magecart, it’s sometimes overlooked that WordPress also has a decent share in the ecommerce segment. There are numerous popular plugins that can easily turn a WordPress site into a full-featured online store. In fact, Woocommerce alone has over 5 million installations. --------------------------------------------- https://blog.sucuri.net/2019/11/skimmers-for-both-magento-and-wordpress.html ∗∗∗ Wireshark Tutorial: Examining Trickbot Infections ∗∗∗ --------------------------------------------- A tutorial offering tips on how to identify Trickbot, an information stealer and banking malware that has been infecting victims since 2016. --------------------------------------------- https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-i… ===================== = Vulnerabilities = ===================== ∗∗∗ Medtronic Valleylab FT10 and LS10 ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for improper authentication and protection mechanism failure vulnerabilities in Medtronic’s Valleylab FT10 and LS10 energy and electrosurgery products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-311-01 ∗∗∗ Medtronic Valleylab FT10 and FX8 ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for use of hard-coded credentials, reversible one-way hash, and improper input validation vulnerabilities in Medtronic’s Valleylab FT10 and FX8 products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-311-02 ∗∗∗ Mitsubishi Electric MELSEC-Q Series and MELSEC-L Series CPU Modules ∗∗∗ --------------------------------------------- This advisory contains mitigations for an uncontrolled resource consumption vulnerability in select Mitsubishi Electrics CPU modules. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-311-01 ∗∗∗ Fuji Electric V-Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a heap-based buffer overflow vulnerability in Fuji Electrics V-Server data collection and management service. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-311-02 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (linux-hardened), Debian (fribidi), Gentoo (oniguruma, openssh/openssh, openssl, and pump), Mageia (chromium-browser-stable, expat, firefox, freetds, proftpd, python, thunderbird, and unbound), Oracle (sudo), Scientific Linux (thunderbird), Slackware (kernel), SUSE (rubygem-haml), and Ubuntu (fribidi and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/804202/ ∗∗∗ IBM Security Bulletin: Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ tcpdump vulnerability CVE-2018-14879 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51512510 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0006 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0006.html ∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0966 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2019
by Daily end-of-shift report 07 Nov '19

07 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-11-2019 18:00 − Donnerstag 07-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Specially Crafted ZIP Files Used to Bypass Secure Email Gateways ∗∗∗ --------------------------------------------- Attackers are always looking for new tricks to distribute malware without them being detected by antivirus scanners and secure email gateways. This was illustrated in a new phishing campaign that utilized a specially crafted ZIP file that was designed to bypass secure email gateways to distribute the NanoCore RAT. --------------------------------------------- https://www.bleepingcomputer.com/news/security/specially-crafted-zip-files-… ∗∗∗ How to Secure Critical Infrastructure When Patching Isn’t Possible ∗∗∗ --------------------------------------------- Mission-critical systems cant just be switched off to apply security updates -- so patching can take weeks if not years. --------------------------------------------- https://threatpost.com/secure-critical-infrastructure-when-patching-isnt-po… ∗∗∗ Vulnerability hunting with Semmle QL: DOM XSS ∗∗∗ --------------------------------------------- In two previous blog posts ( part 1 and part 2), we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of the [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/11/06/vulnerability-hunting-with-s… ∗∗∗ Getting the best value out of security assessments, (Thu, Nov 7th) ∗∗∗ --------------------------------------------- Since my day job is all about hacking, I get a lot of questions (and there appears to be a lot of confusion) about what a vulnerability scan, penetration test or red team assessment is. --------------------------------------------- https://isc.sans.edu/diary/rss/25498 ∗∗∗ Magento 1 End of Life ∗∗∗ --------------------------------------------- It’s no secret that a CMS without support will develop vulnerabilities. Eventually, these lead to a compromised website — which cripples any ecommerce business. When you consider the popularity of the Magento ecommerce platform, it’s easy to see how their announcement of the Magento 1 end of life could leave a significant portion of ecommerce retailers scrambling for new solutions. --------------------------------------------- https://blog.sucuri.net/2019/11/magento-1-end-of-life.html ∗∗∗ VB2019 paper: DNS on fire ∗∗∗ --------------------------------------------- In a paper presented at VB2019, Cisco Talos researchers Warren Mercer and Paul Rascagneres looked at two recent attacks against DNS infrastructure: DNSpionage and Sea Turtle. Today we publish their paper and the recording of their presentation. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/11/vb2019-paper-dns-fire/ ∗∗∗ C2 With It All: From Ransomware To Carding ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack. --------------------------------------------- https://blog.talosintelligence.com/2019/11/c2-with-it-all.html ∗∗∗ 5 Tipps zur Steigerung der Cybersecurity Awareness von Angestellten ∗∗∗ --------------------------------------------- Wie können Firmen ein Arbeitsumfeld schaffen, das es Angestellten ermöglicht, die nötigen Fähigkeiten zu erwerben, um Cybergefahren richtig einzuschätzen? --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/11/07/5-tipps-steigerung-cybers… ∗∗∗ Falsche Gewinnspiele für Kinogutscheine kosten 80 Euro pro Monat ∗∗∗ --------------------------------------------- Mit Facebook-Anzeigen und nachgebauten Facebook-Seiten von Kinos in ganz Österreich werben Kriminelle für ein Gewinnspiel. Angeblich können Kinogutscheine gewonnen werden. Doch Vorsicht: Hier gibt es nichts zu gewinnen! Statt eines Kinobesuchs gibt es nur Ärger. Die Kreditkartendaten landen in den Händen von Kriminellen, die dann 80 bis 90 Euro pro Monat abbuchen. --------------------------------------------- https://www.watchlist-internet.at/news/falsche-gewinnspiele-fuer-kinogutsch… ===================== = Vulnerabilities = ===================== ∗∗∗ Gamers Hit with Nvidia GPU Driver, GeForce Flaws ∗∗∗ --------------------------------------------- Vulnerabilities in several PC gaming products offered by Nvidia can lead to escalation of privilege, denial of service and other malicious attacks. --------------------------------------------- https://threatpost.com/gamers-hit-with-nvidia-gpu-driver-geforce-flaws/1499… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (squid), Fedora (chromium, libssh2, and wpa_supplicant), openSUSE (chromium), Red Hat (ansible, chromium-browser, openstack-octavia, patch, qemu-kvm-rhev, sudo, and thunderbird), Scientific Linux (sudo), SUSE (bluez, gdb, php72, and thunderbird), and Ubuntu (cpio and rygel). --------------------------------------------- https://lwn.net/Articles/804091/ ∗∗∗ Cisco: All these routers have the same embedded crypto keys, so update firmware ∗∗∗ --------------------------------------------- Cisco removes static encryption keys that were shared across its small-business routers. --------------------------------------------- https://www.zdnet.com/article/cisco-all-these-routers-have-the-same-embedde… ∗∗∗ Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-075 ∗∗∗ PEPPERL+FUCHS Linux Kernel Vulnerability on ecom Mobile Devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-021 ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0965 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2019
by Daily end-of-shift report 06 Nov '19

06 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-11-2019 18:00 − Mittwoch 06-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail ∗∗∗ --------------------------------------------- Der aktuell "zerstörerischste" Schädling Emotet besteht aus einer Kaskade mehrerer Schadprogramme, die zusammen vielstellige Millionenschäden verursachen. --------------------------------------------- https://heise.de/-4573848 ∗∗∗ Überteuerte Visums- und Einreisegenehmigungsangebote im Internet ∗∗∗ --------------------------------------------- Ihr nächstes Urlaubsziel verlangt ein Visum? Dann nehmen Sie sich vor unseriösen Websites in Acht, die ein Vielfaches der tatsächlich anfallenden Gebühr für die Einreisegenehmigungen verlangen. Besondere Vorsicht ist beispielsweise bei Reisen nach Australien, Ägypten, Vietnam, Indien sowie Kanada oder in die USA und die Türkei geboten – theoretisch ist die Masche aber bei allen Destinationen mit Visumspflicht möglich. --------------------------------------------- https://www.watchlist-internet.at/news/ueberteuerte-visums-und-einreisegene… ∗∗∗ German Dridex spam campaign is unfashionably large ∗∗∗ --------------------------------------------- VB has analysed a malicious spam campaign targeting German-speaking users with obfuscated Excel malware that would likely download Dridex but that mostly stood out through its size. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/11/german-malspam-campaign-unfa… ∗∗∗ Scammers Are Exploiting a Firefox Bug to Freeze Your Browser ∗∗∗ --------------------------------------------- Fraudulent tech-support sites are causing the browser to lock up and display a disturbing message. Force quitting is the only way out. --------------------------------------------- https://www.wired.com/story/scammers-are-exploiting-a-firefox-bug-to-freeze… ∗∗∗ Siemens PLC Feature Can Be Exploited for Evil - and for Good ∗∗∗ --------------------------------------------- A hidden feature in some newer models of the vendors programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it. --------------------------------------------- https://www.darkreading.com/vulnerabilities---threats/siemens-plc-feature-c… ∗∗∗ Kamerka OSINT tool shows your countrys internet-connected critical infrastructure ∗∗∗ --------------------------------------------- Kamerka lets you see what a hacker sees. It plots maps with SCADA equipment, webcams, and printers that have been left exposed on the internet inside any given country. --------------------------------------------- https://www.zdnet.com/article/kamerka-osint-tool-shows-your-countrys-intern… ===================== = Vulnerabilities = ===================== ∗∗∗ Omron CX-Supervisor ∗∗∗ --------------------------------------------- This advisory contains mitigations for a use of obsolete function vulnerability in Omrons CX-Supervisor SCADA and HMI package. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-309-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cpio, openafs, proftpd-dfsg, simplesamlphp, and wordpress), Fedora (thunderbird), openSUSE (binutils, docker-runc, kernel, nfs-utils, php7, python3, and samba), Red Hat (389-ds:1.4, ansible, bind, container-tools:1.0, container-tools:rhel8, curl, dbus, dhcp, dovecot, edk2, elfutils, evolution, freeradius:3.0, gdb, gettext, glib2, glibc, GNOME, gnutls, go-toolset:rhel8, http-parser, httpd:2.4, kernel, kernel-rt, libarchive, libjpeg-turbo, libqb, [...] --------------------------------------------- https://lwn.net/Articles/804018/ ∗∗∗ Smartwares HOME easy v1.0.9 Database Backup Information Disclosure Exploit ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php ∗∗∗ Smartwares HOME easy v1.0.9 Client-Side Authentication Bypass ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in Several Band Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191106-… ∗∗∗ libpcap vulnerability CVE-2018-16301 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K86252029 ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0959 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2019
by Daily end-of-shift report 05 Nov '19

05 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Montag 04-11-2019 18:00 − Dienstag 05-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Alexa und Siri: Sprachbefehle unhörbar per Laser übertragen ∗∗∗ --------------------------------------------- Sprachbefehle müssen nicht unbedingt per Sprache übertragen werden: Forschern ist es gelungen, smarte Lautsprecher wie Amazon Echo oder Google Home mit einem Laser aus bis zu 110 Metern Entfernung zu steuern - und so beispielsweise ein Garagentor zu öffnen. --------------------------------------------- https://www.golem.de/news/alexa-und-siri-sprachbefehle-unhoerbar-per-laser-… ∗∗∗ Magecart Groups Attack Simultaneous Sites in Card-Theft Frenzy ∗∗∗ --------------------------------------------- Stealing payment-card data and PII from e-commerce sites has become so lucrative that some are being targeted by multiple groups at the same time. --------------------------------------------- https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-th… ∗∗∗ Bluekeep exploitation causing Bluekeep vulnerability scan to fail, (Tue, Nov 5th) ∗∗∗ --------------------------------------------- I woke up this morning to the long anticipated news that Bluekeep exploitation is happening in the wild. As some of you may recall, back in August I wrote a diary demonstrating a way to scan for Bluekeep vulnerable devices. So the next thing I did was check my Bluekeep scan results and was presented with this graph. --------------------------------------------- https://isc.sans.edu/diary/rss/25488 ∗∗∗ Pwning a Smart Car Charger, Building a Bot-Net ∗∗∗ --------------------------------------------- ...or Why We Don’t Build Commercial IoT on a Raspberry Pi. A positive story of disclosure and remediation. We’re quite in to our electric vehicles at PTP, so we started hunting for a smart car charger. There are plenty of industrial chargers out there and some research has been done in the past. We got [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/pwning-a-smart-car-charger-bu… ∗∗∗ Bestellen Sie nicht bei kafrosa.de ∗∗∗ --------------------------------------------- kafrosa.de vertreibt Kaffeemaschinen, Kaffeevollautomaten und sogar Kaffee zu günstigen Preisen. Der Aufbau von kafrosa.de wirkt seriös, verpflichtende Angaben über das Unternehmen werden angeführt und die Auszeichnungen des Shops stiften Vertrauen. Doch Vorsicht: Der Schein trügt. Es handelt sich um einen Fake-Shop, der keine Ware liefert! --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-kafrosade/ ∗∗∗ A look at WP-VCD, todays largest WordPress hacking operation ∗∗∗ --------------------------------------------- Exclusive look into the WP-VCD gang operations! --------------------------------------------- https://www.zdnet.com/article/a-look-at-wp-vcd-todays-largest-wordpress-hac… ===================== = Vulnerabilities = ===================== ∗∗∗ Windows-Kernel-Lücke in Netzwerküberwachsungssoftware PRTG geschlossen ∗∗∗ --------------------------------------------- Die in Paessler PRTG integrierte Paket-Sniffer-Bibliothek Npcap ist verwundbar. Das haben die Entwickler nun repariert. --------------------------------------------- https://heise.de/-4577699 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (electron, ghostscript, glibc, python2, and samba), Debian (webkit2gtk), Slackware (libtiff), SUSE (ImageMagick, python-ecdsa, and samba), and Ubuntu (apport, haproxy, ruby-nokogiri, and whoopsie). --------------------------------------------- https://lwn.net/Articles/803885/ ∗∗∗ Synology-SA-19:37 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands or conduct denial-of-service attacks, or allow remote attackers to delete arbitrary files via a susceptible version of DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_37 ∗∗∗ Microsoft Office365 Integrity Validation / Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019110022 ∗∗∗ [20191002] - Core - Path Disclosure in phpuft8 mapping files ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/Zi-lVuM4KoY/795-20191002-c… ∗∗∗ [20191001] - Core - CSRF in com_template overrides view ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/LaIC5kOPGB0/794-20191001-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar Advisor With Watson is vulnerable to Hazardous Input Validation in some cases ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ November 4, 2019 TNS-2019-07 [R1] PHP Stand-alone Patch Available for Tenable.sc versions 5.7.x to 5.11.x ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2019-07 ∗∗∗ FRF.16 parser vulnerability CVE-2018-14468 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04367730 ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0957 ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0958 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2019
by Daily end-of-shift report 04 Nov '19

04 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-10-2019 18:00 − Montag 04-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows: Schadsoftware nutzt erstmals Bluekeep-Sicherheitslücke aus ∗∗∗ --------------------------------------------- Als eine Sicherheitslücke wie Wanna Cry beschreibt Microsoft Bluekeep. Nun entdeckten Sicherheitsforscher die erste Schadsoftware, die die Lücke ausnutzt. Diese ist jedoch noch weit entfernt von dem Worst-Case-Szenario. --------------------------------------------- https://www.golem.de/news/windows-schadsoftware-nutzt-erstmals-bluekeep-sic… ∗∗∗ Malware "QSnatch" attackiert QNAP-Netzwerkspeicher – auch in Deutschand ∗∗∗ --------------------------------------------- QSnatch hat es auch hierzulande auf NAS von QNAP abgesehen. Ob ein Firmware-Update hilft, ist unklar – durchführen sollte man es dennoch. --------------------------------------------- https://heise.de/-4573483 ∗∗∗ Android Beam erlaubt Einschleusen fremder Apps ∗∗∗ --------------------------------------------- Über NFC könnten fast unbemerkt gefährliche Apps auf Android-Geräte gelangen. Betroffen sind Android 8, 9 und 10. Es gibt Abhilfe. --------------------------------------------- https://heise.de/-4574396 ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WISE-PaaS/RMM ∗∗∗ --------------------------------------------- This advisory contains mitigations for path traversal, missing authorization, improper restriction of XML external entity reference, and SQL injection vulnerabilities in Advantech’s WISE-PaaS/RMM IoT device remote monitoring and management platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-304-01 ∗∗∗ Honeywell equIP Series IP Cameras ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper input validation vulnerability in Honeywells equIP series IP cameras. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-304-02 ∗∗∗ Honeywell equIP and Performance Series IP Cameras ∗∗∗ --------------------------------------------- This advisory contains mitigations for a missing authentication for critical function vulnerability in Honeywells equIP series and Performance series IP cameras. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-304-03 ∗∗∗ Honeywell equIP and Performance Series IP Cameras and Recorders ∗∗∗ --------------------------------------------- This advisory contains mitigations for an authentication bypass by capture-relay vulnerability in Honeywells equIP series and Performance series IP cameras and recorders. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-304-04 ∗∗∗ Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig ∗∗∗ --------------------------------------------- If youre using the popular rConfig network configuration management utility to protect and manage your network devices, here we have an important and urgent warning for you. A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow [...] --------------------------------------------- https://thehackernews.com/2019/11/rConfig-network-vulnerability.html ∗∗∗ Microsoft Office for Mac cannot properly disable XLM macros ∗∗∗ --------------------------------------------- The Microsoft Office for Mac option "Disable all macros without notification" enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. --------------------------------------------- https://kb.cert.org/vuls/id/125336/ ∗∗∗ Update verfügbar: MikroTik sichert Router gegen vier Schwachstellen ab ∗∗∗ --------------------------------------------- Schwachstellen in RouterOS lassen sich zu einer Exploit-Chain zusammenbauen. Gerätebesitzer sollten jetzt updaten. --------------------------------------------- https://heise.de/-4573749 ∗∗∗ Xcode: Lücken in Entwicklungsumgebung erlaubten beliebige Codeausführung ∗∗∗ --------------------------------------------- Zwei Lücken in der macOS-Entwicklungsumgebung Xcode vor Version 11.2 erlaubten die beliebige Programmcode-Ausführung – möglicherweise auch aus der Ferne. --------------------------------------------- https://heise.de/-4575632 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, sudo, and thunderbird), Debian (libarchive and qtbase-opensource-src), Oracle (php), Red Hat (php, rh-php71-php, and rh-php72-php), Scientific Linux (firefox and php), and SUSE (kernel and samba). --------------------------------------------- https://lwn.net/Articles/803651/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium and qt5-webengine), CentOS (firefox and php), Fedora (file, java-latest-openjdk, nspr, nss, php, t1utils, and webkit2gtk3), Mageia (ansible, aspell, golang, libsoup, and libxslt), openSUSE (chromium and chromium, re2), Oracle (php), and Ubuntu (apport and file). --------------------------------------------- https://lwn.net/Articles/803785/ ∗∗∗ Synology-SA-19:36 PHP ∗∗∗ --------------------------------------------- CVE-2019-11043 allows remote attackers to execute arbitrary code via a susceptible version of PHP 7.2, or PHP 7.3. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_36 ∗∗∗ [remote] Microsoft Windows Server 2012 - Group Policy Security Feature Bypass ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47559 ∗∗∗ [remote] Microsoft Windows Server 2012 - Group Policy Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47558 ∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2019-4442) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in PHP (CVE-2019-6978, CVE-2019-6977) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: IBM Navigator for i is affected by CVE-2019-4450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in libssh2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a TCP SACK PANIC -Kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerability in PHP. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache Commons Beanutils (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: IBM Navigator for i is affected by CVE-2019-4450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af… ∗∗∗ BIG-IP TMUI XSS vulnerability CVE-2019-6657 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22441651 ∗∗∗ BIG-IP AFM SQL injection vulnerability CVE-2019-6658 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21121741 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263477 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2019
by Daily end-of-shift report 31 Oct '19

31 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-10-2019 18:00 − Donnerstag 31-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ EML attachments in O365 - a recipe for phishing, (Thu, Oct 31st) ∗∗∗ --------------------------------------------- Ive recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful. --------------------------------------------- https://isc.sans.edu/diary/rss/25474 ∗∗∗ Data URLs and HTML Entities in New WordPress Malware ∗∗∗ --------------------------------------------- Last week, an ongoing WordPress malware campaign started a new wave which included a variety of experimental injection types. Scripts as Data URLs The first type looks pretty similar to what we discussed in our recent post. However, instead of placing the code between the … tags, these injections have begun to embed them inline using a so called data URL notation in the src parameter. --------------------------------------------- https://blog.sucuri.net/2019/10/data-urls-and-html-entities-in-new-wordpres… ∗∗∗ MS-ISAC Releases EOS Software Report List ∗∗∗ --------------------------------------------- Original release date: October 30, 2019The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an end-of-support (EOS) software report list. Software that has reached its EOS date no longer receives security updates and patches from the vendor and is, therefore, susceptible to exploitation from security vulnerabilities. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/30/ms-isac-releases-e… ∗∗∗ 5th eHealth Security Conference: ENISA advises on cybersecurity for hospitals ∗∗∗ --------------------------------------------- ENISA, the EU Agency for Cybersecurity organised the 5th consecutive eHealth Security Conference in cooperation with the Spanish Authorities and the Centre for Information Security of Catalonia (CESICAT) on the 30th October in Barcelona. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/5th-ehealth-security-conference… ∗∗∗ Office 365 Users Targeted by Voicemail Scam Pages ∗∗∗ --------------------------------------------- Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious [...] --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/office-365-user… ∗∗∗ Ungenutzte E-Mail-Adressen ermöglichen Zugang zu persönlichen Konten ∗∗∗ --------------------------------------------- E-Mail-Adressen, die nicht mehr genutzt werden, werden oft neu vergeben. Wenn diese Adressen noch bei Social-Media-Konten, Gaming-Accounts, Online-Shops oder anderen Zugangsdaten hinterlegt sind, können sich die neuen BesitzerInnen Zugang zu diesen Konten verschaffen. Kriminelle nutzen das zu Betrugs- und Erpressungszwecken aus. --------------------------------------------- https://www.watchlist-internet.at/news/ungenutzte-e-mail-adressen-ermoeglic… ∗∗∗ Untitled Goose Game security hole could have allowed hackers to wreak havoc ∗∗∗ --------------------------------------------- The highly popular “Untitled Goose Game” has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer. --------------------------------------------- https://hotforsecurity.bitdefender.com/blog/untitled-goose-game-security-ho… ∗∗∗ Home & Small Office Wireless Routers Exploited to Attack Gaming Servers ∗∗∗ --------------------------------------------- Unit 42 researchers discovered an updated Gafgy variant that looks to infect home and small office WiFi routers of known commercial brands, like Zyxel, Huawei, and Realtek to attack gaming servers. More than 32,000 WiFi routers are potentially vulnerable to these exploits around the world. --------------------------------------------- https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-expl… ∗∗∗ Vorwarnung: Neue Webseite kommt nächste Woche ∗∗∗ --------------------------------------------- tl;dr: Nein, wir werden nächste Woche nicht gehackt, wir stellen nur eine neue Webseite online. --------------------------------------------- http://www.cert.at/services/blog/20191031121150-2561.html ===================== = Vulnerabilities = ===================== ∗∗∗ XSA-299 Security Vulnerability ∗∗∗ --------------------------------------------- IBM is aware of a reported XSA-299 security vulnerability (CVE-2019-18421) that potentially would permit an attacker from within a VSI to elevate privileges to that of the host.There are no known malicious exploits of this vulnerability, which potentially impacts the hypervisor.IBM is implementing updates to remediate this vulnerability. No downtime for clients is expected and no client action is necessary for IBM Cloud virtual servers. While we do not anticipate any issues with remediation, we [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/xsa-299-security-vulnerability/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (italc and python-ecdsa), Fedora (php and sudo), openSUSE (binutils and docker-runc), Oracle (thunderbird), Red Hat (firefox and sudo), SUSE (ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, [...] --------------------------------------------- https://lwn.net/Articles/803583/ ∗∗∗ XSA-303 - ARM: Interrupts are unconditionally unmasked in exception handlers ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-303.html ∗∗∗ XSA-302 - passed through PCI devices may corrupt host memory after deassignment ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-302.html ∗∗∗ XSA-301 - add-to-physmap can be abused to DoS Arm hosts ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-301.html ∗∗∗ XSA-299 - Issues with restartable PV type change operations ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-299.html ∗∗∗ XSA-298 - missing descriptor table limit checking in x86 PV emulation ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-298.html ∗∗∗ XSA-296 - VCPUOP_initialise DoS ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-296.html Next End-of-Day report: 2019-11-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2019
by Daily end-of-shift report 30 Oct '19

30 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-10-2019 18:00 − Mittwoch 30-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Paradise Ransomware Decryptor Gets Your Files Back for Free ∗∗∗ --------------------------------------------- A decryptor for the Paradise Ransomware has been released by Emsisoft that allows victims to decrypt their files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paradise-ransomware-decrypto… ∗∗∗ A1 warnt Android-Nutzer vor App, die Bankdaten stiehlt ∗∗∗ --------------------------------------------- Kunden sollten sich vor einer App mit dem Titel „Netztest“ in Acht nehmen. --------------------------------------------- https://futurezone.at/digital-life/a1-warnt-android-nutzer-vor-app-die-bank… ∗∗∗ Gewinnversprechen von Coca-Cola in Höhe von 1 Million US-Dollar ist Scam ∗∗∗ --------------------------------------------- Wenn Sie per E-Mail über einen Gewinn in Millionenhöhe benachrichtigt werden, handelt es sich um einen Betrugsversuch. Aktuell geben sich Kriminelle als Kommunikationsbeauftragte von Coca-Cola aus und informieren Sie über einen vermeintlichen Gewinn. Die Gewinnsumme wird im Austausch Ihrer persönlichen Daten und Ausweiskopien übermittelt. Vorsicht: Kriminelle versuchen an Ihr Geld zu kommen, stehlen Ihre Identität und missbrauchen sie für Straftaten in Ihrem [...] --------------------------------------------- https://www.watchlist-internet.at/news/gewinnversprechen-von-coca-cola-in-h… ===================== = Vulnerabilities = ===================== ∗∗∗ PHOENIX CONTACT Automation Worx Software Suite ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper input validation vulnerability in Phoenix Contacts Automation Worx Software Suite products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-302-01 ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: October 30, 2019Content: Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/30/apple-releases-sec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imapfilter, libvncserver, and pam-python), Fedora (tcpdump), Mageia (file, graphviz, kernel, and php, pcre2), openSUSE (nfs-utils), Red Hat (heketi and samba), Scientific Linux (thunderbird), SUSE (libtomcrypt, php7, and runc), and Ubuntu (apport, libarchive, libidn2, samba, and whoopsie). --------------------------------------------- https://lwn.net/Articles/803474/ ∗∗∗ Synology-SA-19:35 Samba ∗∗∗ --------------------------------------------- These vulnerabilities allow remote attackers to bypass security constraints via a susceptible version of DiskStation Manager (DSM), Synology Router Manager (SRM), and allow remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_35 ∗∗∗ Security Advisory - Two Heap Buffer Overflow Vulnerabilities in Broadcom WiFi Chipset Drivers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191030-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2019
by Daily end-of-shift report 29 Oct '19

29 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 28-10-2019 18:00 − Dienstag 29-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücke in EU-Authentifizierungssoftware (eIDAS Node) ∗∗∗ --------------------------------------------- SEC Consult identifizierte kritische Schwachstellen in eIDAS-Node, die es einem Angreifer ermöglichen könnten, sich als beliebiger EU-Bürger auszugeben. --------------------------------------------- https://www.sec-consult.com/blog/2019/10/sicherheitsluecke-in-eu-authentifi… ∗∗∗ File Inclusions: kleiner Programmierfehler, fatale Wirkung ∗∗∗ --------------------------------------------- Angriffe über File Inclusions sind vor allem in PHP und JSP nach wie vor möglich und können verheerende Folgen haben. --------------------------------------------- https://heise.de/-4570773 ∗∗∗ MikroTik Router Vulnerabilities Can Lead to Backdoor Creation ∗∗∗ --------------------------------------------- A chain of vulnerabilities in MikroTik routers could allow an attacker to gain a backdoor. The chain starts with DNS poisoning, goes on to downgrading the installed version of MikroTiks RouterOS software, and ends with enabling a backdoor. read more --------------------------------------------- https://www.securityweek.com/mikrotik-router-vulnerabilities-can-lead-backd… ∗∗∗ Achtung Abo-Falle: endlich-windelfrei.de & baby-endlich-schlafen.de ∗∗∗ --------------------------------------------- Die Websites endlich-windelfrei.de und baby-endlich-schlafen.de versprechen Eltern große Erleichterungen beim Abgewöhnen der Windel und Schlafenlegen der Kinder. Die Systeme „Endlich Schlaf für Ihr Baby“ und „Von der Windel zum Töpfchen – in nur 3 Tagen“ können um nur 1 Euro erworben werden. Doch Vorsicht: Der Kauf führt in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-abo-falle-endlich-windelfrei… ∗∗∗ Modern Wireless Tradecraft Pt I ∗∗∗ --------------------------------------------- The past few years have seen some exciting developments in the subtle art of forcing wireless devices to connect to malicious access points. We’ve seen the resurgence of karma-style attacks with Dominic White’s and Ian de Villiers’ work on MANA, as well George Chatzisofroniou’s Lure10 and Known Beacon attacks, which can be used to target devices that are immune to karma [1][2]. --------------------------------------------- https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Trend Micro schließt zwei Schwachstellen in Sicherheitssoftware für Windows ∗∗∗ --------------------------------------------- Patches für Apex One, OfficeScan und WFBS fixen zwei Schwachstellen. Trend Micro hat Exploit-Versuche beobachtet und rät zum zügigen Update. --------------------------------------------- https://heise.de/-4571304 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.0, php7.3, ruby-loofah, and spip), Fedora (proftpd), openSUSE (lz4 and sysstat), Red Hat (chromium-browser, jss, kernel, kernel-alt, kpatch-patch, pango, polkit, sudo, systemd, and thunderbird), SUSE (graphite-web, python3, and samba), and Ubuntu (php5, php7.0, php7.2, php7.3, and samba). --------------------------------------------- https://lwn.net/Articles/803381/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0005 ∗∗∗ --------------------------------------------- Date Reported: October 29, 2019 Advisory ID: WSA-2019-0005 CVE identifiers: CVE-2019-8625, CVE-2019-8674,CVE-2019-8707, CVE-2019-8719,CVE-2019-8720, CVE-2019-8726,CVE-2019-8733, CVE-2019-8735,CVE-2019-8763, CVE-2019-8768,CVE-2019-8769, CVE-2019-8771. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2019-8625 Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before2.26.0. Credit to Sergei Glazunov of Google Project Zero. Impact: Processing maliciously crafted [...] --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0005.html ∗∗∗ Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC ∗∗∗ --------------------------------------------- As part of its features, the Carel pCOWeb card exposes a Modbus interface to the network. By design, Modbus does not provide authentication, allowing to control the affected system. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-014/ ∗∗∗ Unsafe Storage of Credentials in Carel pCOWeb HVAC ∗∗∗ --------------------------------------------- The Carel pCOWeb card stores password hashes in the file "/etc/passwd",allowing privilege escalation by authenticated users. Additionally,plaintext copies of the passwords are stored. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-013/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - October 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ tcpdump vulnerability CVE-2018-14880 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56551263?utm_source=f5support&utm_mediu… ∗∗∗ Open Redirect Vulnerability Patched In Bridge Theme ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2019/10/open-redirect-vulnerability-patched-… ∗∗∗ PHOENIX CONTACT improper access control exists on FL NAT devices when using MAC-based port security ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-020 ∗∗∗ Samba: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0945 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0944 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2019
by Daily end-of-shift report 28 Oct '19

28 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-10-2019 18:00 − Montag 28-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Network traffic analysis for IR: Analyzing fileless malware ∗∗∗ --------------------------------------------- Fileless malware is malware authors’ response to traditional malware identification and analysis techniques. Many antiviruses operate by using signature-based analysis to identify malicious files on a computer. By ensuring that a malicious file is never saved on the filesystem, malware authors can make their attacks much more difficult to detect and [...] --------------------------------------------- https://resources.infosecinstitute.com/network-traffic-analysis-for-ir-anal… ∗∗∗ Steam-powered scammers ∗∗∗ --------------------------------------------- One of the most popular platforms among users (and hence cybercriminals) is Steam, and we’ve been observing money-making schemes to defraud its users for quite some time. Since June, however, such attacks have become more frequent and, compared to previous attempts, far more sophisticated. --------------------------------------------- https://securelist.com/steam-powered-scammers/94553/ ∗∗∗ Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise ∗∗∗ --------------------------------------------- Experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations. --------------------------------------------- https://www.microsoft.com/security/blog/2019/10/28/experts-on-demand-your-d… ∗∗∗ Using scdbg to Find Shellcode, (Sun, Oct 27th) ∗∗∗ --------------------------------------------- I've written a couple of diary entries about scdbg, a Windows 32-bit shellcode emulator. --------------------------------------------- https://isc.sans.edu/diary/rss/25460 ∗∗∗ VB2019 paper: Inside Magecart: the history behind the covert card-skimming assault on the e-commerce industry ∗∗∗ --------------------------------------------- Today we publish the VB2019 paper by RiskIQ researcher Yonathan Klijnsma, who looked at the Magecart web-skimming attacks. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/10/vb2019-paper-inside-magecart… ∗∗∗ Ouroboros Ransomware decryption tool ∗∗∗ --------------------------------------------- Ouroboros ransomware has been around for more than a year in various forms, operated by different cybercrime groups. Ouroboros, known to spread via Remote Desktop Protocol bruteforce attacks and deceptive downloads, has claimed a significant number of victims worldwide. We’re now happy to announce the availability of a new decryptor that can restore the .Lazarus, and .Lazarus+ file extensions to their original, unencrypted form. --------------------------------------------- https://labs.bitdefender.com/2019/10/ouroboros-ransomware-decryption-tool/ ∗∗∗ New Ransomware CCryptor struck, which can encrypt 362 file types ∗∗∗ --------------------------------------------- Recently, 360 Security Center captured a new type of ransomware CCryptor. The attacker spread the virus by delivering phishing emails, and the CVE-2017-11882 vulnerability was [...] --------------------------------------------- https://blog.360totalsecurity.com/en/new-ransomware-ccryptor-struck-which-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates für PHP7: NGINX-Server mit PHP-FPM waren aus der Ferne angreifbar ∗∗∗ --------------------------------------------- Betreiber eines NGINX-Webservers mit PHP-FPM sollten zügig updaten: Aktuelle PHP-Versionen schließen eine Lücke, für die es Exploit-Code gibt. --------------------------------------------- https://heise.de/-4570800 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, php, and thunderbird), Debian (file, golang-1.11, libarchive, libxslt, mosquitto, php5, and proftpd-dfsg), Fedora (apache-commons-compress, chromium, java-1.8.0-openjdk, java-11-openjdk, jss, kernel, kernel-headers, kernel-tools, libpcap, mod_auth_openidc, tcpdump, and xpdf), openSUSE (kernel, openconnect, procps, python, sysstat, and zziplib), and SUSE (binutils, docker-runc, ImageMagick, nfs-utils, and xen). --------------------------------------------- https://lwn.net/Articles/803318/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2019
by Daily end-of-shift report 25 Oct '19

25 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-10-2019 18:00 − Freitag 25-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin ∗∗∗ --------------------------------------------- A new email fraud scheme has taken Business Email Compromise (BEC) to a whole new level of sophistication. The recently discovered type of email scam has been dubbed Vendor Email Compromise (VEC) and as its name suggests, the attackers prey on employees working at vendor companies. --------------------------------------------- https://heimdalsecurity.com/blog/vendor-email-compromise-vec/ ∗∗∗ ACSC Releases Advisory on Emotet Malware Campaign ∗∗∗ --------------------------------------------- Original release date: October 25, 2019The Australian Cyber Security Centre (ACSC) has released an advisory on an ongoing, widespread Emotet malware campaign. Emotet is a Trojan—commonly spread via malicious email attachments—that attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. ACSC provides indicators of compromise (IOCs) and recommendations to help organizations defend against Emotet malware. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/25/acsc-releases-advi… ∗∗∗ Your smart doorbell may be collecting more data than you think, study finds ∗∗∗ --------------------------------------------- The study tested 81 IoT devices to analyze their behavior and tracking habits, and in some cases brought rather surprising findings The post Your smart doorbell may be collecting more data than you think, study finds appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2019/10/25/iot-smart-doorbell-collecting-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ Urgent security issue in NGINX/php-fpm ∗∗∗ --------------------------------------------- [...] a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you. --------------------------------------------- https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/ ∗∗∗ Philips IntelliSpace Perinatal ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for an exposure of resource to wrong sphere vulnerability in Philips’ IntelliSpace Perinatal obstetrics information management system. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-297-01 ∗∗∗ Rittal Chiller SK 3232-Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for a missing authentication for critical function and use of hard-coded vulnerabilities in Rittals Chiller SK 3232-series IT application cooler. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-297-01 ∗∗∗ Honeywell IP-AK2 ∗∗∗ --------------------------------------------- This advisory contains mitigations for a missing authentication for critical function vulnerability in Honeywells IP-AK2 access control panels. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-297-02 ∗∗∗ VMSA-2019-0019 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability (CVE-2019-5536) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0019.html ∗∗∗ VMSA-2019-0018 ∗∗∗ --------------------------------------------- VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions (CVE-2019-5537, CVE-2019-5538) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0018.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Gentoo (php), Oracle (firefox), Scientific Linux (sudo), and SUSE (accountsservice, binutils, nfs-utils, and xen). --------------------------------------------- https://lwn.net/Articles/803158/ ∗∗∗ Mattermost security update 5.16.1 / 5.15.2 / 5.14.5 / 5.9.6 (ESR) released ∗∗∗ --------------------------------------------- We have released a recommended security update via Mattermost Team Edition 5.16.1, 5.15.2, 5.14.5, 5.9.6 (ESR) and Mattermost Enterprise Edition 5.16.1, 5.15.2, 5.14.5, 5.9.6 (ESR). This security update addresses a high level vulnerability discovered during a security research review by Roman Shchekin. Follow the standard upgrade instructions to apply the updates. --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-5-16-1-5-15-2-5-14-5… ∗∗∗ 2019-10-22: Vulnerability in Relion® 650 series and Relion® 670 series - Terminal Reboot ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9256&Lan… ∗∗∗ 2019-10-22: Vulnerability in Relion® 670 series - MMS Path Traversal ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9255&Lan… ∗∗∗ 2019-10-22: Vulnerabilities in Relion® 650 series version 2.1 and Relion® 670 series version 2.1 - OpenSSL ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9254&Lan… ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal(V5) is impacted by a a confidential information leak(CVE-2019-4600) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: IBM Maximo Health, Safety, and Environment Manager Installation Gives Application Access to Non-Authorized Users (CVE-2019-4546) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-health-saf… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of a Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Cleartext Transmission of Sensitive Information vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Missing Cookie Secure Attribute vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Hazardous Input Validation vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of a One-Way Hash without a Salt vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by an Information Exposure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of Hard-coded Credentials vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Missing Authentication for Critical Function vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2019
by Daily end-of-shift report 24 Oct '19

24 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-10-2019 18:00 − Donnerstag 24-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Your Supply Chain Doesnt End At Receiving: How Do You Decommission Network Equipment?, (Thu, Oct 24th) ∗∗∗ --------------------------------------------- Trying to experiment with cutting edge security tools, without breaking the bank, often leads me to used equipment on eBay. High-end enterprise equipment is usually available at a bargain-basement price. For experiments or use in a home/lab network, I am willing to take the risk to receive the occasional "dud," and I usually can do without the support and other perks that come with equipment purchased full price. --------------------------------------------- https://isc.sans.edu/diary/rss/25448 ∗∗∗ Windows Debugging & Exploiting Part 1 - Environment Setup ∗∗∗ --------------------------------------------- In this blog series, I will try to set some base knowledge for Windows system debugging & exploitation and present how to setup an environment for remote kernel debugging. This environment will be useful for learning Windows internals and indispensable for our future posts about its exploitation. About Windows internals, I really recommend the training from Pavel Yosifovich on Pluralsight that will expand your familiarity with the system if you are new to the topic. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/windows-deb… ∗∗∗ Warnung vor Handybezahlfalle auf Facebook ∗∗∗ --------------------------------------------- Bei der Rundfunk und Telekom Regulierungs-GmbH (RTR) häufen sich derzeit Beschwerden über unerwartet hohe Handyrechnungen. Die Betroffenen wurden über Facebook in eine Handyfalle gelockt. Sie tätigten unwissentlich teure Einkäufe, die dann über ihr Handy bezahlt wurden. --------------------------------------------- https://help.orf.at/stories/2993419/ ∗∗∗ Android Adware‑Entwickler aufgespürt ∗∗∗ --------------------------------------------- ESET-Forscher beschreiben, wie sie eine einjährige Adware-Kampagne bei Google Play entdeckten, die Millionen von Usern beeinträchtigte. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/10/24/android-adware-entwickler… ∗∗∗ Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey ∗∗∗ --------------------------------------------- ATLANTA — SECURITYWEEK 2019 ICS CYBER SECURITY CONFERENCE — Some of the recent cybersecurity incidents involving industrial control systems (ICS) have resulted in injury and even loss of life, according to a survey conducted by Control Systems Cyber Security Association International (CS2AI). --------------------------------------------- https://www.securityweek.com/some-ics-security-incidents-resulted-injury-lo… ∗∗∗ Führerscheine legal online kaufen? Mitnichten! ∗∗∗ --------------------------------------------- KonsumentInnen, die sich im Internet über den Führerschein informieren, stoßen womöglich auch auf Websites wie billigerfuehrerschein.com oder fuhrerschein-online.com. Die betrügerischen Websites werben mit dem legalen Verkauf von Führerscheinen ohne Fahr- und Theorieprüfungen. Achtung: Sowohl die Herstellung als auch die Nutzung derartiger Dokumente ist illegal, es kommt zu keiner Lieferung und bezahltes Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fuehrerscheine-legal-online-kaufen-m… ∗∗∗ Practical Behavioral Profiling of PowerShell Scripts through Static Analysis (Part 2) ∗∗∗ --------------------------------------------- Part 2 of a 3-part blog series that offers a more technical perspective and begins looking at common obfuscation techniques and methods for hiding data within PowerShell that can be reversed. --------------------------------------------- https://unit42.paloaltonetworks.com/practical-behavioral-profiling-of-power… ===================== = Vulnerabilities = ===================== ∗∗∗ EOL D-Link Routers Vulnerable to Remote Command Execution ∗∗∗ --------------------------------------------- Original release date: October 24, 2019The CERT Coordination Center (CERT/CC) has released information on a vulnerability (CVE-2019-16920) affecting multiple D-Link routers. A remote attacker could exploit this vulnerability to take control of an affected device.D-Link no longer provides support to the affected end-of-life (EOL) devices, and updates will not be made available. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/24/eol-d-link-routers… ∗∗∗ SYSS-2019-009, SYSS-2019-010 und SYSS-2019-011: Schwachstellen in weiterer Funktastatur mit "sicherer" 2,4-GHz-Technologie ∗∗∗ --------------------------------------------- SySS IT-Sicherheitsexperte Matthias Deeg fand im Rahmen eines Forschungsprojekts zu drahtlosen Eingabegeräten (siehe auch 1 und 2) drei Sicherheitsschwachstellen im Fujitsu Wireless Keyboard Set LX390. Diese drei Schwachstellen betreffen einen fehlenden Schutz vor Replay-Angriffen, eine fehlende Verschlüsselung von per Funkkommunikation übertragenen sensiblen Daten und die Möglichkeit für Keystroke Injection-Angriffe. --------------------------------------------- https://www.syss.de/pentest-blog/2019/syss-2019-009-syss-2019-010-und-syss-… ∗∗∗ Sicherheitspatches: Angreifer könnten mit Admin-Rechten auf Junos OS zugreifen ∗∗∗ --------------------------------------------- Die Entwickler des Betriebssystems für Netzwerkgeräte Junos OS haben eine gefährliche Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-4567444 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (file), Mageia (bind, chromium-browser-stable, java-1.8.0-openjdk, libsndfile, mediawiki, and virtualbox), Oracle (firefox), Red Hat (firefox and sudo), Scientific Linux (firefox and OpenAFS), SUSE (kernel, lz4, rust, and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/803068/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in MongoDB server affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2019-10197) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-sa… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM i HTTP Server affect IBM i. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud (CVE-2019-4304, CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ libcurl vulnerability CVE-2018-16890 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03314397 ∗∗∗ Linux kernel vulnerability CVE-2019-15916 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K57418558 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2019
by Daily end-of-shift report 23 Oct '19

23 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-10-2019 18:00 − Mittwoch 23-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ VB2019 papers: Emotet and Ryuk ∗∗∗ --------------------------------------------- Today we publish VB2019 papers by Luca Nagy (Sophos) on Emotet and Gabriela Nicolao and Luciano Martins (Deloitte) on Ryuk, as well as the corresponding videos of their presentations. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/10/vb2019-papers-emotet-and-ryu… ∗∗∗ CPDoS: Cache Poisoned Denial of Service ∗∗∗ --------------------------------------------- Cache-Poisoned Denial-of-Service (CPDoS) is a new class of web cache poisoning attacks aimed at disabling web resources and websites. --------------------------------------------- https://cpdos.org/ ∗∗∗ Tech, Security Firms Launch Operational Technology Cyber Security Alliance ∗∗∗ --------------------------------------------- Several major tech and cybersecurity companies have joined forces for a new initiative called the Operational Technology Cyber Security Alliance (OTCSA), which aims to help industrial and critical infrastructure organizations address challenges related to OT security by providing guidance and resources. --------------------------------------------- https://www.securityweek.com/tech-security-firms-launch-operational-technol… ∗∗∗ Investment-Firmen fordern Zugriff auf Ihr System? Nehmen Sie Abstand! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor Investments bei unseriösen Firmen wie aurumpro.co beziehungsweise Muller Enterprise LTD in Acht. Angebliche BeraterInnen kontaktieren Sie telefonisch und verleiten Sie zu immer höheren Investments. Um "effektiver" handeln zu können, verlangt man die Installation von Fernwartungssoftware wie AnyDesk oder TeamViewer. Tun Sie dies nicht und nehmen Sie Abstand – man hat es auf Ihr Vermögen abgesehen! --------------------------------------------- https://www.watchlist-internet.at/news/investment-firmen-fordern-zugriff-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Schneider Electric ProClima ∗∗∗ --------------------------------------------- This advisory contains mitigations for code injection, improper restriction of operations within the bounds of a memory buffer, and uncontrolled search path element vulnerabilities in Schneider Electrics ProClima building and automation control products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-295-01 ∗∗∗ Firefox, Chrome Bugs Allow Arbitrary Code-Execution ∗∗∗ --------------------------------------------- Multiple critical memory safety bugs in Firefox 69 and Firefox ESR 68.1 in particular affect medium and large government entities and enterprises. --------------------------------------------- https://threatpost.com/critical-firefox-bugs-arbitrary-code-execution/14945… ∗∗∗ OpenAFS Security Advisory 2019-001 ∗∗∗ --------------------------------------------- Topic: information leakage from uninitialized RPC output variables on error Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-001.txt ∗∗∗ OpenAFS Security Advisory 2019-002 ∗∗∗ --------------------------------------------- Topic: information leakage from uninitialized scalars Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-002.txt ∗∗∗ OpenAFS Security Advisory 2019-003 ∗∗∗ --------------------------------------------- Topic: database server crash from unserialized data access Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-003.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (go, go-pie, pacman, and xpdf), CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, and patch), openSUSE (gcc7), Red Hat (firefox, kernel, and qemu-kvm-rhev), Slackware (mozilla), SUSE (kernel, libcaca, openconnect, python, sysstat, and zziplib), and Ubuntu (libxslt, linux-azure, and linux-lts-xenial, linux-aws). --------------------------------------------- https://lwn.net/Articles/802941/ ∗∗∗ Avast, Avira Products Vulnerable to DLL Hijacking ∗∗∗ --------------------------------------------- Vulnerabilities in Avast Antivirus, AVG Antivirus, and Avira Antivirus could allow an attacker to load a malicious DLL file in an effort to bypass defenses and escalate privileges, SafeBreach Labs security researchers discovered. read more --------------------------------------------- https://www.securityweek.com/avast-avira-products-vulnerable-dll-hijacking ∗∗∗ Security Advisory - Out-Of-Bound Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2019-1547, CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Commons Beanutils affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-apac… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4486) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-mana… ∗∗∗ IBM Security Bulletin: A security vulnerability affects IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition (CVE-2019-4398) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition is affected by ASoC vulnerability (CVE-2019-4459) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-orchestrato… ∗∗∗ IBM Security Bulletin: A security vulnerability affects IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition (CVE-2019-4397) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by glibc vulnerabilities (CVE-2018-20796, CVE-2019-9169) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ BIND vulnerability CVE-2018-5743 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74009656 ∗∗∗ BIG-IP vulnerability CVE-2018-15333 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53620021 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2019
by Daily end-of-shift report 22 Oct '19

22 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 21-10-2019 18:00 − Dienstag 22-10-2019 18:00 Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Three Service Account Secrets Straight from Hackers and Security Pros ∗∗∗ --------------------------------------------- A survey of nearly 300 Black Hat conference attendees this year showed strong agreement that service accounts are an attractive target. --------------------------------------------- https://threatpost.com/service-account-secrets/148996/ ∗∗∗ MISP Summit 0x05 Wrap-Up ∗∗∗ --------------------------------------------- I’m in Luxembourg for a full week of infosec events. It started today with the MISP summit. It was already the fifth edition and, based on the number of attendees, the tool is getting more and more popularity. --------------------------------------------- https://blog.rootshell.be/2019/10/21/misp-summit-0x05-wrap-up/ ∗∗∗ emotet_network_protocol ∗∗∗ --------------------------------------------- This repository has been created with the idea of helping the community of cybersecurity researchers and malware researchers. It explains in detail how the network communication protocol used by Emotet to communicate with the C&Cs works. Knowing all these details, it should be relatively easy to emulate the communication, and obtain the new modules and distributed malware directly from the c&c. --------------------------------------------- https://d00rt.github.io/emotet_network_protocol/ ∗∗∗ Avast, NordVPN Breaches Tied to Phantom User Accounts ∗∗∗ --------------------------------------------- Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that -- while otherwise unrelated -- shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password. --------------------------------------------- https://krebsonsecurity.com/2019/10/avast-nordvpn-breaches-tied-to-phantom-… ∗∗∗ The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT ∗∗∗ --------------------------------------------- Bread crumbs left behind open up a possible connection between Magecart Group 5 and Carbanak. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-… ∗∗∗ Malspam Campaign Targeted German Organizations with Buran Ransomware ∗∗∗ --------------------------------------------- Researchers spotted a malspam campaign that targeted German organizations with samples of the Buran crypto-ransomware family. In early October, Bromium observed a malspam campaign whose emails impersonated online fax service eFax. The emails contained hyperlinks to a PHP page that served up malicious Word documents. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/malspam… ∗∗∗ genosyla.net und versandhaus-voss.de liefern keine Ware ∗∗∗ --------------------------------------------- Bei genosyla.net und versandhaus-voss.de finden Sie günstige Elektrogeräte. Viele Produkte sind im Schnitt 100 Euro billiger als bei anderen Shops. Der Haken: die Ware wird trotz Bezahlung nie geliefert. Es handelt sich um betrügerische Webshops. Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/genosylanet-und-versandhaus-vossde-l… ∗∗∗ Browser-based attacks, our customers, and us ∗∗∗ --------------------------------------------- While some browser-based attacks such as web skimming steal customer data and thus victimize both the organization and the users, other attacks leverage an organizations website to attack the customers or to attack another organization entirely. --------------------------------------------- https://www.zdnet.com/article/browser-based-attacks-our-customers-and-us/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (jss and kernel), Debian (libpcap, openjdk-8, and tcpdump), Fedora (java-11-openjdk), openSUSE (libreoffice), Oracle (java-1.7.0-openjdk), Red Hat (java-1.7.0-openjdk, python, and wget), Scientific Linux (java-1.7.0-openjdk), SUSE (ceph, ceph-iscsi, ses-manual_en, dhcp, openconnect, and procps), and Ubuntu (exiv2, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, [...] --------------------------------------------- https://lwn.net/Articles/802863/ ∗∗∗ ZDI-19-908: Foxit Studio Photo JPEG Batch Processing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-908/ ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-bulletin-ibm… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2019
by Daily end-of-shift report 21 Oct '19

21 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-10-2019 18:00 − Montag 21-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Avast Network Breached As Hackers Target CCleaner Again ∗∗∗ --------------------------------------------- Avast said it believes that threat actors are again looking to target CCleaner in a supply chain attack. --------------------------------------------- https://threatpost.com/avast-network-breached-as-hackers-target-ccleaner-ag… ∗∗∗ Attention: Your blog may be used to spread the Emotet Trojan! ∗∗∗ --------------------------------------------- Emotet was originally a banking Trojan that targeted bank customers in Europe and stole relevant bank credentials. In 2017, Emotet changed its business model from [...] --------------------------------------------- https://blog.360totalsecurity.com/en/attention-your-blog-may-be-used-to-spr… ∗∗∗ Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor ∗∗∗ --------------------------------------------- Notorious cyberespionage group debases MSSQL --------------------------------------------- https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sq… ===================== = Vulnerabilities = ===================== ∗∗∗ Linux: Kritische Zeroday-Lücke im WLAN-Treiber ∗∗∗ --------------------------------------------- Mit speziell präparierten WLAN-Paketen könnten Angreifer Linux-Systeme kapern, die Realtek-Chips einsetzen. --------------------------------------------- https://heise.de/-4562505 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aspell, graphite-web, imagemagick, mediawiki, milkytracker, nfs-utils, and openjdk-11), Fedora (kernel, kernel-headers, kernel-tools, mediawiki, and radare2), openSUSE (dhcp, libpcap, lighttpd, and tcpdump), Scientific Linux (java-1.8.0-openjdk), Slackware (python), SUSE (bluez, kernel, and python-xdg), and Ubuntu (aspell). --------------------------------------------- https://lwn.net/Articles/802776/ ∗∗∗ AVM FRITZ!OS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/10/warn… ∗∗∗ Trend Micro Anti-Threat Toolkit (ATTK) < = v1.62.0.1218 Remote Code Execution 0day ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019100137 ∗∗∗ IBM Security Bulletin: Version 8.15.0 of Node.js included in IBM Cloud Event Management 2.3.0 has several security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-version-8-15-0-of-nod… ∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition is affected by HTTP Server vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-orchestrato… ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise (CVE-2018-1996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ Linux kernel vulnerability CVE-2019-16089 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03814795?utm_source=f5support&utm_mediu… ∗∗∗ Linux kernel vulnerability CVE-2019-15666 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53420251?utm_source=f5support&utm_mediu… ∗∗∗ Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX261055 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2019
by Daily end-of-shift report 18 Oct '19

18 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-10-2019 18:00 − Freitag 18-10-2019 18:00 Handler: n/a Co-Handler: n/a ===================== = News = ===================== ∗∗∗ STOP Ransomware Decryptor Released for 148 Variants ∗∗∗ --------------------------------------------- The release of Emsisofts STOP Ransomware decryption service is a huge achievement and will be a life saver for both the victims and the helpers on BleepingComputer. It should be noted, though, that while this decryptor can help with the majority of STOP variants, anyone who was infected after August 2019 cannot be helped. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-re… ∗∗∗ REvil Ransomware Affiliates Partner with Corporate Intruders ∗∗∗ --------------------------------------------- Experienced network intruders and ransomware groups have struck an alliance helping each other monetize their skills by spreading malware to company networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-affiliates-… ∗∗∗ Ordinypt: Resurgence ∗∗∗ --------------------------------------------- Recently, the Ordinypt malware has seen a resurgence in the wild, disguised as fake job applications sent via email to human resource departments in German companies. The malware uses social engineering to infect the user’s files and trick them into paying cryptocurrency to restore the infected files. --------------------------------------------- https://www.gdatasoftware.com/blog/2019/10/35358-resurgence ∗∗∗ Quick Malicious VBS Analysis, (Fri, Oct 18th) ∗∗∗ --------------------------------------------- Lets have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This technique is more and more common to deliver the first stage via a URL because it reduces the risk to have the first file blocked by classic security controls. --------------------------------------------- https://isc.sans.edu/diary/rss/25430 ∗∗∗ Fake UpdraftPlus Plugins ∗∗∗ --------------------------------------------- We often find various fake WordPress plugins installed by hackers during website cleanups. Recently, we’ve noticed a new wave of infections that install fake plugins with backdoor functionality. --------------------------------------------- https://blog.sucuri.net/2019/10/fake-updraftplus-plugins.html ∗∗∗ Samsung to patch S10 fingerprint sensor bug next week ∗∗∗ --------------------------------------------- Samsung promises software patch next week; recommends not using custom screen covers in the meantime. --------------------------------------------- https://www.zdnet.com/article/samsung-to-patch-s10-fingerprint-sensor-bug-n… ===================== = Vulnerabilities = ===================== ∗∗∗ AVEVA Vijeo Citect and Citect SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in the AVEVA Vijeo Citect and Citect SCADA. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-290-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- This advisory contains mitigations for improper input validation and out-of-bounds write vulnerabilities in Horner Automations Cscape control system application programming software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-290-02 ∗∗∗ VMSA-2019-0017 ∗∗∗ --------------------------------------------- VMware SD-WAN by VeloCloud update addresses information disclosure vulnerability (CVE-2019-5533) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0017.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10). --------------------------------------------- https://lwn.net/Articles/802622/ ∗∗∗ Synology-SA-19:34 WordPress ∗∗∗ --------------------------------------------- These vulnerabilities allow remote attackers to inject arbitrary web script or HTML, obtain sensitive information, or access intranet resources via a susceptible version of WordPress. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_34 ∗∗∗ InfoZIP vulnerability CVE-2019-13232 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K80311892 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2019
by Daily end-of-shift report 17 Oct '19

17 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-10-2019 18:00 − Donnerstag 17-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 10 Steps for Ransomware Protection ∗∗∗ --------------------------------------------- Here are things you can do right now to shore up your defenses and help your recovery when you get hit. --------------------------------------------- https://threatpost.com/10-steps-ransomware-protection/149259/ ∗∗∗ Betrüger übernehmen alte E-Mail-Adressen ∗∗∗ --------------------------------------------- Das Bundeskriminalamt (BKA) warnt vor missbräuchlicher Verwendung alter E-Mail-Adressen. Betrüger würden sich länger nicht genutzte E-Mail-Adressen aneignen, um damit Zugang zu persönlichen Nutzerkonten zu erlangen, so das BKA. Gaming Accounts und Nutzerkonten in Sozialen Medien seien besonders betroffen. --------------------------------------------- https://help.orf.at/stories/2993027/ ∗∗∗ l+f: Leise rieselt der Crypto-Miner ∗∗∗ --------------------------------------------- Forscher entdecken Crypto-Miner und Backdoors, die sich in WAV-Dateien verstecken. --------------------------------------------- https://heise.de/-4558856 ∗∗∗ Cisco fixes serious flaws in enterprise-grade Catalyst and Aironet access points ∗∗∗ --------------------------------------------- Cisco has released another batch of security updates, the most critical of which fixes a vulnerability that could allow unauthenticated, remote attackers to gain access to vulnerable Cisco Aironet wireless access points. Cisco Aironet APs are enterprise-grade access points used for branch offices, campuses, organizations of all sizes, enterprise and carrier-operator Wi-Fi deployments, and so on. --------------------------------------------- https://www.helpnetsecurity.com/2019/10/17/cisco-aironet-vulnerabilities/ ∗∗∗ KRACK‑Sicherheitslücke in Alexa Smart Home Geräten ∗∗∗ --------------------------------------------- Das ESET Smart Home Research Team entdeckte KRACK-Sicherheitslücken in einigen Amazon Echo- und Kindle-Geräten. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/10/17/krack-sicherheitsluecke-a… ∗∗∗ Werbung für betrügerische Elektriker auf Google ∗∗∗ --------------------------------------------- Wenn zu Hause der Strom ausfällt, verschafft oft nur eine Fachkraft Abhilfe. Die Suche über Google am Smartphone liegt dabei natürlich nahe. Doch Vorsicht: Die Gefahr, über die Anzeigen auf unseriöse Angebote zu stoßen, ist hoch! Opfer landen beispielsweise auf elektriker-mg.at, elektriker-dienst.at oder elektriker.24std.expert, wo die großen Versprechen in schlechter Arbeit zu horrenden Preisen münden. --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-betruegerische-elektrik… ===================== = Vulnerabilities = ===================== ∗∗∗ Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS ∗∗∗ --------------------------------------------- The flaws in the container technology, CVE-2019-16276 and CVE-2019-11253, are simple to exploit. --------------------------------------------- https://threatpost.com/kubernetes-bugs-authentication-bypass-dos/149265/ ∗∗∗ Security updates available in Foxit Reader 9.7, Foxit PhantomPDF 9.7 and Foxit PhantomPDF Mac 3.4 ∗∗∗ --------------------------------------------- Foxit has released Foxit Reader 9.7 and Foxit PhantomPDF 9.7, which addresses potential security and stability issues. Foxit has released Foxit PhantomPDF Mac 3.4, which addresses potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php ∗∗∗ VMSA-2019-0017 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (sudo), Debian (libsdl1.2 and libsdl2), Mageia (e2fsprogs, kernel, libpcap and tcpdump, nmap, and sudo), openSUSE (GraphicsMagick and sudo), Oracle (java-1.8.0-openjdk, java-11-openjdk, jss, and kernel), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (jss), SUSE (gcc7 and libreoffice), and Ubuntu (leading to a double-free, libsdl1.2, and tiff). --------------------------------------------- https://lwn.net/Articles/802537/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/10/warn… ∗∗∗ CyberArk Password Vault 10.6 Authentication Bypass ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019100114 ∗∗∗ Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-074 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ Vim/Neovim vulnerability CVE-2019-12735 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K93144355?utm_source=f5support&utm_mediu… ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0924 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2019
by Daily end-of-shift report 16 Oct '19

16 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-10-2019 18:00 − Mittwoch 16-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Docker Containers Riddled with Graboid Crypto-Worm ∗∗∗ --------------------------------------------- A worm with a randomized propagation method is spreading via the popular container technology. --------------------------------------------- https://threatpost.com/docker-containers-graboid-crypto-worm/149235/ ∗∗∗ Security Monitoring: At Network or Host Level?, (Wed, Oct 16th) ∗∗∗ --------------------------------------------- Today, to reach a decent security maturity, the keyword remains "visibility". There is nothing more frustrating than being blind about what's happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what's happening on your network? There are three key locations to collect data: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25420 ∗∗∗ Messing with Azorult Part 1: Malware Breakdown ∗∗∗ --------------------------------------------- In this blog series, we dive into an information stealing Trojan called Azorult that we analysed during a recent Digital Forensics and Incident Response (DFIR) investigation. During our analysis, we also take a look at the bot’s control panel and its vulnerability. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/messing-wit… ∗∗∗ Patchday bei Adobe: 64 Lücken im Reader ∗∗∗ --------------------------------------------- Außerdem gibt es auch Updates für den Experience Manager, Experience Manager Forms und den Adobe Download Manager. --------------------------------------------- https://heise.de/-4557403 ∗∗∗ Schadsoftware in vermeintlichen Banking-Apps aus unbekannter Quelle! ∗∗∗ --------------------------------------------- Immer wieder versenden Kriminelle massenhaft E-Mails im Design diverser Banken. Sie beziehen sich darin gehäuft auf die sogenannte PSD2-Richtlinie, die zu diversen Änderungen beim Online-Banking geführt hat und verlangen die Bestätigung persönlicher Daten oder die Installation einer App aus unbekannter Quelle. Nur so ließe sich die Sperre Ihres Kontos verhindern. Es dürfen keine Daten bekanntgegeben und die Apps nicht installiert werden. Es handelt sich um [...] --------------------------------------------- https://www.watchlist-internet.at/news/schadsoftware-in-vermeintlichen-bank… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Patch Update: Oracle veröffentlicht 219 Sicherheitspatches ∗∗∗ --------------------------------------------- Es gibt abgesicherte Versionen von unter anderem Fusion Middleware und NoSQL Database, in denen Oracle kritische Sicherheitslücken geschlossen hat. --------------------------------------------- https://heise.de/-4557788 ∗∗∗ VMSA-2019-0016 ∗∗∗ --------------------------------------------- VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability (CVE-2019-16919) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0016.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and unbound), Fedora (opendmarc, runc, and sudo), openSUSE (epiphany, GraphicsMagick, and libopenmpt), Oracle (kernel and sudo), Red Hat (java-1.8.0-openjdk, jss, kernel, kernel-rt, and kpatch-patch), SUSE (crowbar-core, crowbar-openstack, grafana, novnc, openstack-keystone, openstack-neutron, openstack-neutron-lbaas, openstack-nova, openstack-tempest, python-pysaml2, python-urllib3, rubygem-chef, rubygem-easy_diff, sleshammer, libpcap, sudo, [...] --------------------------------------------- https://lwn.net/Articles/802451/ ∗∗∗ Linux kernel vulnerability CVE-2019-13233 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13331647?utm_source=f5support&utm_mediu… ∗∗∗ HPESBHF03960 rev.1 - HPE Lights Out 100 (LO100) Remote Management for ProLiant G1 - G6 servers, Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle gefährdet Verfügbarkeit und Integrität ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0905 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0913 ∗∗∗ Publish SBA-ADV-20190913-04: WordPress Plugin - All in One SEO Pack -… ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/478f4828ddc618f6bdb9530640… ∗∗∗ Publish SBA-ADV-20190913-03: WordPress Plugin - Events Manager - Stor… ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/eb0047b9fb067ec171007b14df… ∗∗∗ Publish SBA-ADV-20190913-02: WordPress Plugin - Broken Link Checker -… ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/3e79665a02f0cd2e7666e7738e… ∗∗∗ Publish SBA-ADV-20190913-01: WordPress Plugin - EU Cookie Law (GDPR) … ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/51b3d30fc0d9e69a760203b32d… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2019
by Daily end-of-shift report 15 Oct '19

15 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 14-10-2019 18:00 − Dienstag 15-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberangriffe: Attribution ist wie ein Indizienprozess ∗∗∗ --------------------------------------------- Russland hat den Bundestag gehackt! China wollte die Bayer AG ausspionieren! Bei großen Hackerangriffen ist oft der Fingerzeig auf den mutmaßlichen Täter nicht weit. Knallharte Beweise dafür gibt es selten, Hinweise sind aber kaum zu vermeiden. --------------------------------------------- https://www.golem.de/news/cyberangriffe-attribution-ist-wie-ein-indizienpro… ∗∗∗ Update now! Windows users targeted by iTunes Software Updater zero-day ∗∗∗ --------------------------------------------- The flaw is a rare ‘unquoted path class’ described as "so thoroughly documented that you would expect programmers to be well aware..." But thats not the case. --------------------------------------------- https://nakedsecurity.sophos.com/2019/10/15/update-now-windows-users-target… ∗∗∗ Top 10 Website Hardening Tips ∗∗∗ --------------------------------------------- Website hardening means adding layers of protection to reduce the risk of website attacks, a process known as “defense in depth.” Here are our top 10 virtual hardening principles: [...] --------------------------------------------- https://blog.sucuri.net/2019/10/top-10-website-hardening-tips.html ∗∗∗ Threat Actor Profile: TA407, the Silent Librarian ∗∗∗ --------------------------------------------- [...] Since our blog post, colleagues at Secureworks have provided further details on one actor we highlighted, tracked by Proofpoint as TA407, also known as Silent Librarian, Cobalt Dickens, and Mabna Institute. In this blog, we provide additional insight into the actor and their evolving TTPs in ongoing, academia-focused campaigns. --------------------------------------------- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta40… ∗∗∗ Europol: Ransomware remains top threat in IOCTA report ∗∗∗ --------------------------------------------- The European Union Agency for Law Enforcement Cooperation, or Europol, just released its annual Internet Organized Crime Threat Assessment (IOCTA) report. We highlight their key findings and remind readers how to better protect themselves. --------------------------------------------- https://blog.malwarebytes.com/awareness/2019/10/europol-ransomware-remains-… ∗∗∗ Researchers Find New Backdoor Used by Winnti Hackers ∗∗∗ --------------------------------------------- ESET security researchers were able to identify a new backdoor associated with the threat actor known as the Winnti Group. --------------------------------------------- https://www.securityweek.com/researchers-find-new-backdoor-used-winnti-hack… ∗∗∗ SMS von „InfoSMS“ führt in Abo-Falle ∗∗∗ --------------------------------------------- Aktuell sind vermehrt betrügerische SMS vom Absender „InfoSMS“ im Umlauf. In der SMS heißt es, dass der Besitzer der Handynummer gesucht wird. Für nähere Informationen werden Sie aufgefordert, einem Link zu folgen. Sie landen dann auf einer gefälschten Media Markt Seite, wo ein angeblicher Gewinn auf Sie wartet. Sie werden Ihren Gewinn jedoch nie erhalten, es handelt sich um eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-infosms-fuehrt-in-abo-falle/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Experience Manager (APSB19-48), Adobe Acrobat and Reader (APSB19-49), Adobe Experience Manager Forms (APSB19-50) and Adobe Download Manager (APSB19-51). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1795 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sudo and xtrlock), openSUSE (sudo), Red Hat (Single Sign-On), Slackware (sudo), SUSE (binutils, dhcp, ffmpeg, kernel, kubernetes-salt, sudo, and tcpdump), and Ubuntu (sudo). --------------------------------------------- https://lwn.net/Articles/802328/ ∗∗∗ PHOENIX CONTACT Security Advisory for Automation Worx Software Suite ∗∗∗ --------------------------------------------- Phoenix Contact Automationworx Suite: *.bcp-file Memory Corruption Remote Code Execution Vulnerability and *.mwt-file Out-OfBounds Read Remote Code Execution Vulnerability --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-016 ∗∗∗ sudo: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0902 ∗∗∗ WordPress: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0903 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cloud Private ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2019-11479, CVE-2019-11478 and CVE-2019-11477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-is-a… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence is affected by a Using Components with Known Vulnerabilities vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-4031 affects IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ TYPO3-EXT-SA-2019-018: Remote Code Execution in extension "freeCap CAPTCHA" (sr_freecap) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2019-018/ ∗∗∗ TYPO3-EXT-SA-2019-017: Multiple vulnerabilities in extension "SLUB: Event Registration" (slub_events) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2019-017/ ∗∗∗ TYPO3-EXT-SA-2019-016: Information Disclosure in extension "Direct Mail" (direct_mail) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2019-016/ ∗∗∗ TYPO3-EXT-SA-2019-015: SQL Injection in extension "URL redirect" (url_redirect) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2019-015/ ∗∗∗ Linux kernel vulnerability CVE-2019-16714 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K48351130?utm_source=f5support&utm_mediu… ∗∗∗ OpenLDAP vulnerability CVE-2019-13565 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98008862?utm_source=f5support&utm_mediu… ∗∗∗ HPESBHF03933 rev.6 - HPE Products using certain Intel Processors, Microarchitectural Data Sampling (MDS) Side Channel Vulnerabilities, Local Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2019
by Daily end-of-shift report 14 Oct '19

14 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-10-2019 18:00 − Montag 14-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Week in Ransomware - October 11th 2019 - Decryptors Released! ∗∗∗ --------------------------------------------- We had some interesting news this week, such as the HildaCrypt ransomware releasing their keys, RobbinHood Ransomware bragging about their past exploits, a Muhstik Ransomware victim hacking back and stealing the decryption keys, and a Nemty decryptor being released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-octob… ∗∗∗ Sodinokibi Ransomware: Following the Affiliate Money Trail ∗∗∗ --------------------------------------------- After a Sodinokibi ransomware affiliate posted partial transaction IDs for ransomware payments, researchers were able to use that information to follow the money trail for affiliates and in some cases, how they spend their illicit earnings. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-follow… ∗∗∗ Simjacker: SIM-Karten in 29 Ländern anfällig für SMS-Angriff ∗∗∗ --------------------------------------------- Mit einer präparierten SMS können Daten aus dem Mobiltelefon ausgelesen werden. Die Sicherheitsfirma Adaptive Mobile hat den Simjacker genannten Angriff entdeckt und die betroffenen Staaten veröffentlicht. Demnach nutzte in drei Ländern eine Überwachungsfirma die Lücke aktiv aus. --------------------------------------------- https://www.golem.de/news/simjacker-sim-karten-in-29-laendern-anfaellig-fue… ∗∗∗ Pass the AppleJeus ∗∗∗ --------------------------------------------- A new macOS backdoor written by the infamous Lazarus APT group needs analyzing. Here, we examine its infection vector, method of persistence, capabilities, and more! --------------------------------------------- https://objective-see.com/blog/blog_0x49.html ∗∗∗ Another successful edition of the European Cyber Security Challenge concluded in Romania ∗∗∗ --------------------------------------------- The sixth edition of the European Cyber Security Challenge (ECSC), organised from 9 to 11 October in Bucharest at the Palace of the Parliament, the heaviest building and the second-largest building in the world, has concluded. Team Romania - followed by Italy and Austria - has proven successful in completing the most advanced and complex cybersecurity challenges and is thereby the proud winner of ECSC2019. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/another-successful-edition-of-t… ∗∗∗ Most SSL certificate misissuance caused by software bugs and rule misinterpretations ∗∗∗ --------------------------------------------- Academic study analyzed 379 incidents of incorrectly-issued SSL certificates from a total of 1,300+ known cases. --------------------------------------------- https://www.zdnet.com/article/most-ssl-certificate-misissuance-caused-by-so… ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB19-49) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB19-49) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, October 15, 2019. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well as the Adobe PSIRT Blog. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1793 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, sdl, and unbound), Debian (clamav, libdatetime-timezone-perl, openssl, tcpdump, and tzdata), Fedora (cutter-re, jackson-annotations, jackson-bom, jackson-core, jackson-databind, jackson-parent, libapreq2, ming, opendmarc, radare2, and thunderbird), openSUSE (chromium), Oracle (kernel), and SUSE (axis, jakarta-commons-fileupload, kernel, sles12sp3-docker-image, sles12sp4-image, system-user-root, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/802268/ ∗∗∗ Critical Flaw in Sophos Cyberoam Appliances Allows Remote Code Execution ∗∗∗ --------------------------------------------- A critical vulnerability patched recently by Sophos in its Cyberoam firewall appliances allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges. --------------------------------------------- https://www.securityweek.com/critical-flaw-sophos-cyberoam-appliances-allow… ∗∗∗ Swift 5.1.1 for Ubuntu ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT210647 ∗∗∗ Reflected XSS vulnerability in OpenProject (CVE-2019-17092) ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/reflected-xss-vulnerability-in-o… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2019
by Daily end-of-shift report 11 Oct '19

11 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-10-2019 18:00 − Freitag 11-10-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Remote-Angriffe und Denial-of-Service: Schwachstellen in Juniper-Netzwerktechnik ∗∗∗ --------------------------------------------- Juniper-Geräte der Serien SRX, NFX, QFX, PTX, ACX, MX, und EX sowie das Betriebssystem JUNOS weisen Schwachstellen auf die umgehend gepatcht werden sollten. --------------------------------------------- https://heise.de/-4553168 ∗∗∗ Researchers released a free decryptor for the Nemty Ransomware ∗∗∗ --------------------------------------------- Good news for the victims of the Nemty Ransomware, security researchers have released a free decryptor that could be used to recover files. --------------------------------------------- https://securityaffairs.co/wordpress/92386/malware/nemty-ransomware-decrypt… ∗∗∗ Examining the Ryuk Ransomware ∗∗∗ --------------------------------------------- Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom. The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. --------------------------------------------- https://www.zscaler.com/blogs/research/examining-ryuk-ransomware ∗∗∗ Staying Hidden on the Endpoint: Evading Detection with Shellcode ∗∗∗ --------------------------------------------- True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the system. As modern Endpoint Detection and Response (EDR) products have matured over the years, the red teams must follow suit. This blog post will provide some insights into how the FireEye Mandiant Red Team crafts payloads to bypass modern EDR products and get full command and control (C2) on their [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lucene-solr and ruby-openid), Fedora (krb5 and SDL2), openSUSE (kernel and libopenmpt), and Ubuntu (python2.7, python3.4). --------------------------------------------- https://lwn.net/Articles/802086/ ∗∗∗ IBM Security Bulletin: IBM FileNet Content Manager and Case Foundation security vulnerability in Process Orchestration Web Service logging ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-filenet-content-m… ∗∗∗ IBM Security Bulletin: IBM FileNet Content Manager and Case Foundation are affected by Publicly disclosed vulnerability in Java July 2019 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-filenet-content-m… ∗∗∗ Linux kernel vulnerability CVE-2017-18551 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K48073202?utm_source=f5support&utm_mediu… ∗∗∗ Apache Tomcat vulnerability CVE-2019-0221 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_mediu… ∗∗∗ ImageMagick vulnerability CVE-2019-13136 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03512441?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2019
by Daily end-of-shift report 10 Oct '19

10 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-10-2019 18:00 − Donnerstag 10-10-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ HP Touchpoint Analytics LPE Vulnerability Affects Most HP PCs ∗∗∗ --------------------------------------------- HP patched a vulnerability discovered in the HP Touchpoint Analytics software installed by default on most of its Windows laptops and desktops, a flaw allowing attackers to escalate privileges and execute arbitrary code using SYSTEM privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-touchpoint-analytics-lpe-… ∗∗∗ Gamers Warned of High-Severity Intel, Nvidia Flaws ∗∗∗ --------------------------------------------- The Intel NUC and Nvidia Shield both are vulnerable to high-severity flaws, Intel and Nvidia warned in dual advisories. --------------------------------------------- https://threatpost.com/gamers-high-severity-intel-nvidia-flaws/149034/ ∗∗∗ Apple iTunes Bug Actively Exploited in BitPaymer/iEncrypt Campaign ∗∗∗ --------------------------------------------- Attackers exploit an “unquoted path” flaw in the Bonjour updater in iTunes for Windows to deliver ransomware attacks. --------------------------------------------- https://threatpost.com/apple-itunes-bug-bitpaymer-iencrypt/149075/ ∗∗∗ Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques ∗∗∗ --------------------------------------------- During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and RDFSNIFFER. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-… ∗∗∗ Security Descriptor Auditing Methodology: Investigating Event Log Security ∗∗∗ --------------------------------------------- Upon gaining access to a system, what level of access is granted to an attacker who has yet to elevate their privileges? --------------------------------------------- https://posts.specterops.io/security-descriptor-auditing-methodology-invest… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper Networks Releases Security Updates ∗∗∗ --------------------------------------------- Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/10/juniper-networks-r… ∗∗∗ Sicherheitsupdates: Intel sichert NUC-PCs und Serverwartungstool ab ∗∗∗ --------------------------------------------- Angreifer könnten sich auf NUCs und auf Intel-Servern höhere Rechte aneignen. Eine Lücke bleibt jedoch ungepatcht. --------------------------------------------- https://heise.de/-4550829 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, libtomcrypt, and rsyslog), Fedora (suricata), SUSE (libopenmpt and python-requests), and Ubuntu (libsoup2.4 and octavia). --------------------------------------------- https://lwn.net/Articles/801974/ ∗∗∗ ZDI-19-866: NETGEAR AC1200 mini_httpd Poison Null Byte Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-866/ ∗∗∗ Maxlength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-073 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ OpenSSL vulnerability CVE-2019-1563 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97324400?utm_source=f5support&utm_mediu… ∗∗∗ OpenSSL vulnerability CVE-2019-1547 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2019
by Daily end-of-shift report 09 Oct '19

09 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-10-2019 18:00 − Mittwoch 09-10-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Microsoft NTLM Flaws May Allow Full Domain Compromise ∗∗∗ --------------------------------------------- Two security vulnerabilities in Microsofts NTLM authentication protocol allow attackers to bypass the MIC (Message Integrity Code) protection and downgrade NTLM security features leading to full domain compromise of a network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-microsoft-ntlm-flaws-may… ∗∗∗ Doctor Web’s overview of malware detected on mobile devices in September 2019 ∗∗∗ --------------------------------------------- October 9, 2019 In September, Android users were threatened by various malware, many of which was distributed via Google Play. Those were the Android.DownLoader downloaders, the Android.Banker and Android.HiddenAds banking and adware trojans, as well as other threats. Doctor Web experts have also discovered several new versions of potentially dangerous applications, designed to spy on users, including Program.Panspy.1.origin, Program.RealtimeSpy.1.origin, and Program.MonitorMinor. --------------------------------------------- https://news.drweb.com/show/?i=13446&lng=en&c=9 ∗∗∗ Twitter: iOS-Apps verwenden altes Twitterkit mit Sicherheitslücke ∗∗∗ --------------------------------------------- Das Fraunhofer SIT hat eine Sicherheitslücke im eingestellten Twitterkit entdeckt, die nicht mehr geschlossen werden soll. Über diese kann ein Man-in-the-Middle-Angriff durchgeführt werden. Einige iOS-Apps verwenden die Software noch, um auf Tweets zuzugreifen oder einen Login mit Twitter anzubieten. --------------------------------------------- https://www.golem.de/news/twitter-ios-apps-verwenden-altes-twitterkit-mit-s… ∗∗∗ Vermeintliche Kündigung führt zu teurem Vertrag ∗∗∗ --------------------------------------------- Unternehmen aufgepasst: Unseriöse Firmen kontaktieren Unternehmen und behaupten, dass ein bereits laufender Vertrag zu einem Branchenbucheintrag nun gekündigt werden könne. Dazu müsse lediglich ein Fax unterzeichnet und retourniert werden. Wer das tut, kündigt nicht, sondern schließt einen teuren Vertrag ab. Unternehmen müssen den Betrag nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/vermeintliche-kuendigung-fuehrt-zu-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Microsoft sichert Windows und Browser gegen Angriffe ab ∗∗∗ --------------------------------------------- Microsoft hat Windows-Patches veröffentlicht, unter anderem aber auch einige gefährliche Angriffsmöglichkeiten auf Edge und Internet Explorer beseitigt. --------------------------------------------- https://heise.de/-4549555 ∗∗∗ Forensoftware vBulletin: Weitere Sicherheits-Patches veröffentlicht ∗∗∗ --------------------------------------------- Auf Patch-Level 1 folgte zügig Patch-Level 2 für die Foren-Software. Angesichts jüngst erfolgter Angriffe auf vBulletin-Foren sollte man zügig updaten. --------------------------------------------- https://heise.de/-4549270 ∗∗∗ SMA Solar Technology AG Sunny WebBox ∗∗∗ --------------------------------------------- This advisory includes mitigations for a cross-site request forgery vulnerability reported in the SMA Solar Technology AG Sunny WebBox communications hub. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-281-01 ∗∗∗ GE Mark VIe Controller ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper authorization and use of hard-coded credentials vulnerabilities reported in GE’s Mark VIe controller. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-281-02 ∗∗∗ Vulnerability Spotlight: Multiple remote code execution bugs in NitroPDF ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple remote code execution vulnerabilities in NitroPDF. Nitro PDF allows users to save, read, sign and edit PDF files on their machines. --------------------------------------------- https://blog.talosintelligence.com/2019/10/vuln-spotlight-Nitro-PDF-RCE-bug… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium), openSUSE (rust and sqlite3), SUSE (dnsmasq, firefox, and kubernetes, patchinfo), and Ubuntu (python2.7, python3.5, python3.6, python3.7). --------------------------------------------- https://lwn.net/Articles/801838/ ∗∗∗ Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit ∗∗∗ --------------------------------------------- A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. --------------------------------------------- https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-aud… ∗∗∗ VU#719689: Multiple vulnerabilities found in the Cobham EXPLORER 710 satcom terminal ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/719689 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM SPSS Modeler (CVE-2019-4473,CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Maximo Anywhere does not have device root detection. (CVE-2019-4265) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-anywhere-d… ∗∗∗ ImageMagick vulnerability CVE-2019-13135 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20336394 ∗∗∗ Beckhoff TwinCAT Denial-of-Service in Profinet driver ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-019 ∗∗∗ CVE-2019-TBD - Citrix Application Delivery Management (ADM) Console Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX261735 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2019
by Daily end-of-shift report 08 Oct '19

08 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 07-10-2019 18:00 − Dienstag 08-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ D-Link Home Routers Open to Remote Takeover Will Remain Unpatched ∗∗∗ --------------------------------------------- CVE-2019-16920 allows remote unauthenticated attackers to execute code on a target device. --------------------------------------------- https://threatpost.com/d-link-home-routers-unpatched/148941/ ∗∗∗ Kriminelle versenden gefälschte Apple Rechnung ∗∗∗ --------------------------------------------- Kriminelle fälschen App Store Rechnungen und senden diese wahllos an zahlreiche E-Mail-Adressen. Angeblich wurden Spiele im Wert von rund 80 Euro per Kreditkarte gekauft. Für die Stornierung und Rückerstattung des Betrages haben besorgte EmpfängerInnen die Möglichkeit, einem Link zu folgen. Ignorieren Sie diese Rechnung und klicken Sie nicht auf den Link, denn dieser führt zu einer Phishing-Seite. Im schlimmsten Fall wird Ihr Computer mit Schadsoftware infiziert. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versenden-gefaelschte-app… ∗∗∗ Zero-day published for old Joomla CMS versions ∗∗∗ --------------------------------------------- Proof-of-concept code available online; trivial to exploit. --------------------------------------------- https://www.zdnet.com/article/zero-day-published-for-old-joomla-cms-version… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/08/apple-releases-sec… ∗∗∗ Patchday: Google schließt zahlreiche kritische Android-Lücken ∗∗∗ --------------------------------------------- Zum Oktober-Patchday hat Google unter anderem die kürzlich von Project Zero veröffentlichte kritische Sicherheitslücke in Pixel 1 und 2 beseitigt. --------------------------------------------- https://heise.de/-4548538 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjpeg2, openssh, and xen), openSUSE (dovecot23, jasper, libseccomp, lxc, putty, and singularity), Red Hat (bind, kernel, polkit, python, and wget), and Ubuntu (unbound). --------------------------------------------- https://lwn.net/Articles/801692/ ∗∗∗ SAP Security Patch Day – October 2019 ∗∗∗ --------------------------------------------- [...] On 8th of October 2019, SAP Security Patch Day saw the release of 7 Security Notes. There is 1 update to previously released Patch Day [...] --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050 ∗∗∗ All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Page Exposure ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9898 ∗∗∗ SSA-608355: Processor Vulnerabilities Affecting SIMATIC WinAC RTX (F) 2010 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-608355.txt ∗∗∗ SSA-878278: Denial-of-Service Vulnerability in SIMATIC WinAC RTX (F) 2010 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-878278.txt ∗∗∗ SSA-984700: Password Storage Vulnerability in SIMATIC IT UADM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-984700.txt ∗∗∗ SSA-473245: Denial-of-Service Vulnerability in Profinet Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-473245.txt ∗∗∗ SSA-349422: Denial-of-Service in Industrial Real-Time (IRT) Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-349422.txt ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where the local attacker can obtain root privilege by injecting parameters into setuid files (CVE-2019-4558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-has-b… ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to Information Disclosure (CVE-2019-4512) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-mana… ∗∗∗ Bash vulnerability CVE-2012-6711 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05122252 ∗∗∗ Linux kernel vulnerability CVE-2019-15505 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28222050 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2019
by Daily end-of-shift report 07 Oct '19

07 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-10-2019 18:00 − Montag 07-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Betrügerische Mahnungen von Streaming-Seiten ignorieren! ∗∗∗ --------------------------------------------- Auf der Suche nach den neuesten Hollywood-Blockbustern im Internet stolpern zahlreiche KonsumentInnen über kinox.su. Beim Versuch, kostenlos Filme anzusehen, werden sie auf Websites wie streamovo.de, streamado.de, streamamy.de oder streamjuju.de weitergeleitet. Achtung: Die gratis Anmeldung auf diesen Websites führt nicht zu unbegrenztem Filmgenuss, sondern zu Rechnungen und Mahnungen über 395,88 Euro. Es besteht kein Grund zur Zahlung! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mahnungen-von-streami… ∗∗∗ visNetwork for Network Data, (Sun, Oct 6th) ∗∗∗ --------------------------------------------- DFIR Redefined Part 3 - Deeper Functionality for Investigators with R series continued --------------------------------------------- https://isc.sans.edu/diary/rss/25390 ∗∗∗ Factsheet DNS monitoring will get harder ∗∗∗ --------------------------------------------- New DNS transport protocols make it harder to monitor or modify DNS requests. This is beneficial on today’s untrusted networks. At the same time the shift may render your organisation’s security controls ineffective, expose internal naming or break connectivity. These negative side effects are hard to mitigate at a network level and require mitigation at DNS infrastructure and individual devices. --------------------------------------------- https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dn… ∗∗∗ NISTs Zero Trust Taxonomy Introduces Components, Threats and Migration Routes ∗∗∗ --------------------------------------------- NIST has published a draft Zero Trust Architecture (ZTA) special publication (SP.800.207). The purpose is to develop a technology-neutral lexicon of the logical components of a zero trust strategy, and to define ZTA, describe possible deployment scenarios, and highlight threats. --------------------------------------------- https://www.securityweek.com/nists-zero-trust-taxonomy-introduces-component… ∗∗∗ A year after patch, Drupalgeddon2 is still being employed in cybercriminal attacks ∗∗∗ --------------------------------------------- The remote code execution bug is being used in attacks against high-profile websites. --------------------------------------------- https://www.zdnet.com/article/old-drupalgeddon2-rce-is-still-being-employed… ∗∗∗ White-hat hacks Muhstik ransomware gang and releases decryption keys ∗∗∗ --------------------------------------------- Annoyed victim hacks back ransomware gang and releases all their decryption keys, along with a free decrypter. --------------------------------------------- https://www.zdnet.com/article/white-hat-hacks-muhstik-ransomware-gang-and-r… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities exploited in VPN products used worldwide ∗∗∗ --------------------------------------------- The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse secure, Palo Alto and Fortinet. --------------------------------------------- https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities ∗∗∗ Großer Lausch-Anruf: Signal für Android nimmt selbsttätig Anrufe an ∗∗∗ --------------------------------------------- Eine Lücke im Messenger Signal führt unter Android dazu, dass Nutzer belauscht werden könnten. Die App nimmt Sprachanrufe ohne Nutzerinteraktion entgegen. --------------------------------------------- https://heise.de/-4546500 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jackson-databind, libapreq2, libreoffice, novnc, phpbb3, and ruby-mini-magick), Fedora (mbedtls and mosquitto), Mageia (xpdf), openSUSE (bind, firefox, nginx, openssl-1_0_0, php7, python-numpy, and thunderbird), Oracle (kernel), SUSE (ansible1, ardana-ansible, ardana-cluster, ardana-db, ardana-extensions-nsx, ardana-glance, ardana-input-model, ardana-installer-ui, ardana-manila, ardana-monasca, ardana-neutron, ardana-nova, ardana-octavia, [...] --------------------------------------------- https://lwn.net/Articles/801469/ ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Rational® Quality Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by an openssh vulnerability (CVE-2018-15473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-se… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by openssl vulnerabilities (CVE-2019-1559, CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-se… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by Linux kernel vulnerabilities (CVE-2019-11479, CVE-2019-11478, CVE-2019-11477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2019
by Daily end-of-shift report 04 Oct '19

04 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-10-2019 18:00 − Freitag 04-10-2019 18:00 Handler: Stephan Richter Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Lost Files Data Wiper Poses as a Windows Security Scanner ∗∗∗ --------------------------------------------- A Windows Security Scanner that states it encrypted your files is being distributed by spam, but whether by bug or design, it instead corrupts binary data in a victims files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lost-files-data-wiper-poses-… ∗∗∗ Linux-Kernel: Android-Bug wird von NSO Group angegriffen ∗∗∗ --------------------------------------------- Googles Project Zero berichtet über einen Bug im Linux-Kernel, mit dem sich Android-Telefone angreifen lassen. Laut Google wird offenbar ein Exploit für den Bug bereits aktiv ausgenutzt. Pikant: Gefunden wurde der Bug bereits 2017 - von Google selbst. --------------------------------------------- https://www.golem.de/news/linux-kernel-android-bug-wird-von-nso-group-angeg… ∗∗∗ Investigating the security of Lime scooters ∗∗∗ --------------------------------------------- I've been looking at the security of the Lime escooters. These caught my attention because:(1) There's a whole bunch of them outside my building, and(2) I can see them via Bluetooth from my sofa which, given that I'm extremely lazy, made them more attractive targets than something that would actually require me to leave my home. --------------------------------------------- https://mjg59.dreamwidth.org/53024.html ∗∗∗ Down the Malware Rabbit Hole – Part 1 ∗∗∗ --------------------------------------------- It’s common for malware to be encoded to hide itself—or its true intentions—but have you ever given thought to what lengths attackers will go to hide their malicious code? In our first post in this series, we’ll describe how bad actors hide their malicious code and the steps taken to reveal its true form. --------------------------------------------- https://blog.sucuri.net/2019/10/down-the-malware-rabbit-hole-part-1.html ∗∗∗ COMpfun successor Reductor infects files on the fly to compromise TLS traffic ∗∗∗ --------------------------------------------- In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly. --------------------------------------------- https://securelist.com/compfun-successor-reductor/93633/ ∗∗∗ Antimalware Scan Interface Detection Optics Analysis Methodology: Identification and Analysis of AMSI for WMI ∗∗∗ --------------------------------------------- AMSI offers a fantastic interface for endpoint security vendors to gain insight into in-memory buffers from components that choose have their content scanned. --------------------------------------------- https://posts.specterops.io/antimalware-scan-interface-detection-optics-ana… ∗∗∗ macOS systems abused in DDoS attacks ∗∗∗ --------------------------------------------- Up to 40,000 macOS systems expose a particular port online that can be abused for pretty big DDoS attacks. --------------------------------------------- https://www.zdnet.com/article/macos-systems-abused-in-ddos-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Interpeak IPnet TCP/IP Stack (Update A) ∗∗∗ --------------------------------------------- This updated medical advisory is a follow-up to the original advisory titled ICSMA-19-274-01 Interpeak IPnet TCP/IP Stack that was published October 1, 2019, on the ICS webpage on us-cert.gov. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-274-01 ∗∗∗ Microsoft Re-Releases Security Updates ∗∗∗ --------------------------------------------- Microsoft has re-released security updates to address a vulnerability in Microsoft software. A remote attacker could exploit this vulnerability to take control of an affected system. Updates are now available automatically via Windows Update or Windows Server Update Services. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/03/microsoft-re-relea… ∗∗∗ FreeType vulnerability CVE-2015-9290 ∗∗∗ --------------------------------------------- In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict ... --------------------------------------------- https://support.f5.com/csp/article/K38315305 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim, ruby, ruby-rdoc, ruby2.5, and systemd), Debian (openconnect), Mageia (thunderbird), openSUSE (lxc and mosquitto), Oracle (kernel and patch), Scientific Linux (patch), SUSE (firefox, java-1_7_0-ibm, and sqlite3), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/801318/ ∗∗∗ Security Advisory 2019-13: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- https://community.otrs.com/security-advisory-2019-13-security-update-for-ot… ∗∗∗ IBM Security Bulletin: Linux Kernel as used by IBM QRadar SIEM is vulnerable to Denial of Service(CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2019
by Daily end-of-shift report 03 Oct '19

03 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-10-2019 18:00 − Donnerstag 03-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sodinokibi Ransomware Builds An All-Star Team of Affiliates ∗∗∗ --------------------------------------------- The Sodinokibi Ransomware (REvil) has been making news lately as they target the enterprise, MSPs, and government entities through their hand-picked team of all-star affiliates. These affiliates appear to have had a prior history with the GandCrab RaaS and use similar distribution methods. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-builds… ∗∗∗ A New Wave of Buggy WordPress Infections ∗∗∗ --------------------------------------------- We’ve been following an ongoing malware campaign for the past couple of years now. This campaign is renowned for its prompt addition of exploits for newly discovered WordPress theme and plugin vulnerabilities. Every other week, the attackers introduce new domain names and slightly change the obfuscation of their scripts to prevent detection. --------------------------------------------- https://blog.sucuri.net/2019/10/a-new-wave-of-buggy-wordpress-infections.ht… ∗∗∗ FBI: Don’t pay ransomware demands, stop encouraging cybercriminals to target others ∗∗∗ --------------------------------------------- The FBI has some unambiguous advice for organisations on how they should handle ransomware demands: Dont pay. --------------------------------------------- https://www.tripwire.com/state-of-security/featured/fbi-dont-pay-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Gefährliche Lücke in Magenta-Routern entdeckt ∗∗∗ --------------------------------------------- Die bereits in UPC-Zeiten verteilte Connect Box kann von außen übernommen werden. Ein Firmware-Update soll Abhilfe schaffen. --------------------------------------------- https://futurezone.at/produkte/gefaehrliche-luecke-in-magenta-routern-entde… ∗∗∗ WhatsApp Flaw Opens Android Devices to Remote Code Execution ∗∗∗ --------------------------------------------- A double-free bug could allow an attacker to achieve remote code execution; users are encouraged to update to a patched version of the messaging app. --------------------------------------------- https://threatpost.com/whatsapp-flaw-opens-android-devices-to-remote-code-e… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (jackson-databind, libapreq2, and subversion), Fedora (glpi, memcached, and zeromq), openSUSE (rust), Oracle (kernel), Red Hat (patch), and SUSE (dovecot23, git, jasper, libseccomp, and thunderbird). --------------------------------------------- https://lwn.net/Articles/801226/ ∗∗∗ Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-072 ∗∗∗ Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-071 ∗∗∗ Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-070 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by Cross-Site Scripting (CVE-2019-4564) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by information exposure (CVE-2019-4514) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Java Vulnerability Affects IBM Connect:Direct Web Services (CVE-2019-10246, CVE-2019-10247, CVE-2019-10241 & CVE-2018-12545) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-java-vulnerability-af… ∗∗∗ IBM Security Bulletin: IBM MQ AMQP Listeners are vulnerable to a session fixation attack (CVE-2019-4227) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-amqp-listeners… ∗∗∗ HPESBST03958 rev.1 - HPE Command View Advanced Edition (CVAE) Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03959 rev.1 - HPE Command View Advanced Edition (CVAE) Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2019
by Daily end-of-shift report 02 Oct '19

02 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-10-2019 18:00 − Mittwoch 02-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ethical hacking: Passive information gathering with Maltego ∗∗∗ --------------------------------------------- In this article, we’ll discuss passive information gathering. We’ll first look at how we can use Maltego, a common information gathering tool, to perform this form of reconnaissance. Using a hands-on walkthrough of Maltego, we’ll see how you can acquire IP addresses, sub-domains and perform different levels of reconnaissance to inform your information gathering [...] --------------------------------------------- https://resources.infosecinstitute.com/ethical-hacking-passive-information-… ∗∗∗ Hackers Turn to OpenDocument Format to Avoid AV Detection ∗∗∗ --------------------------------------------- Malware laced OpenDocument files target Microsoft Office, OpenOffice and LibreOffice users. --------------------------------------------- https://threatpost.com/hackers-turn-to-opendocument/148817/ ∗∗∗ Magecart hits again, leveraging compromised sites and newly registered domains ∗∗∗ --------------------------------------------- During alert monitoring, ThreatLabZ researchers came across multiple cases of shopping sites being compromised and injected with a skimming script. This injected script looks for the payment method and personally identifiable information (PII) and captures supplied financial information which is then sent to an adversary-controlled gate server even before the user hits the submit form. --------------------------------------------- https://www.zscaler.com/blogs/research/magecart-hits-again-leveraging-compr… ∗∗∗ Erfundene Speditionen beim Autokauf über Kleinanzeigen! ∗∗∗ --------------------------------------------- Auf der Suche nach günstigen Gebrauchtautos, Wohnmobilen, Motorrädern oder Oldtimern sind Kleinanzeigenplattformen häufig die beste Option. Doch seien Sie vorsichtig, wenn Ihr Gegenüber sich angeblich im Ausland befindet und der Kauf über eine Spedition abgewickelt werden soll. Meist handelt es sich hierbei um Kriminelle, die Ihnen das Geld aus der Tasche ziehen wollen. Das versprochene Gefährt erhalten Sie nie! --------------------------------------------- https://www.watchlist-internet.at/news/erfundene-speditionen-beim-autokauf-… ∗∗∗ Understanding and Defending Against Access Token Theft: Finding Alternatives to winlogon.exe ∗∗∗ --------------------------------------------- https://posts.specterops.io/understanding-and-defending-against-access-toke… ===================== = Vulnerabilities = ===================== ∗∗∗ Interpeak IPnet TCP/IP Stack ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection, and null pointer dereference vulnerabilities in the Interpeak IPnet TCP/IP stack. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-274-01 ∗∗∗ Yokogawa Products ∗∗∗ --------------------------------------------- This advisory includes mitigations for an unquoted search path or element vulnerability reported in Yokogawa’s Exaopc, Exaplog, Exaquantum, Exasmoc, Exarqe, GA10, and InsightSuiteAE products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-274-02 ∗∗∗ Moxa EDR 810 Series ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper input validation and improper access control vulnerabilities reported in Moxa’s EDR 810 router. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-274-03 ∗∗∗ Inadequate Patch in Hewlett Packard Enterprise iMC 7.3 E0703 ∗∗∗ --------------------------------------------- [...] This means there are (at least) two unpatched, known vulnerabilities in iMC with a CVSSv2 base score of 10.0. Basically, these bugs have been lurking around without proper patches since December 2018. --------------------------------------------- https://medium.com/tenable-techblog/inadequate-patch-in-hewlett-packard-ent… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl and openssl1.0), Fedora (expat, kernel, kernel-headers, kernel-tools, and phpMyAdmin), openSUSE (nghttp2 and u-boot), Oracle (kernel), Red Hat (rh-nodejs8-nodejs), Slackware (libpcap), SUSE (bind, jasper, libgcrypt, openssl-1_0_0, and php7), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/801130/ ∗∗∗ PuTTY: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0863 ∗∗∗ Fortinet FortiSIEM 5.0 / 5.2.1 Improper Certification Validation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019100006 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: Information disclosure vulnerability in WebSphere Application Server (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities have been addressed in IBM Security Access Manager Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by an Escalation of Privileges vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: Vulnerabilities in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2019-14439, CVE-2019-14379, CVE-2019-12814, CVE-2019-12086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-fa… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance has shipped a security vulnerability fix for WebSphere Application Server (CVE-2019-4046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-access-m… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities affect IBM Cloud Private for Data – OpenSSL (CVE-2019-1543), Kubernetes (CVE-2019-1002100) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2019
by Daily end-of-shift report 01 Oct '19

01 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 30-09-2019 18:00 − Dienstag 01-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Free Ouroboros Ransomware (Zeropadypt NextGen) Decryption Available ∗∗∗ --------------------------------------------- Victims of the Ouroboros Ransomware, otherwise known as Zeropadypt NextGen, can get their files decrypted for free with the help of a security researcher and a decryptor that has been made for different variants. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-ouroboros-ransomware-ze… ∗∗∗ Beyond the SISSDEN event horizon ∗∗∗ --------------------------------------------- Between May 2016 and April 2019, The Shadowserver Foundation participated in the SISSDEN EU Horizon 2020 project. The main goal of the project was to improve the cybersecurity posture of EU entities and end users through the development of situational awareness and sharing of actionable information. It exceeded KPIs, with 257 sensors in 59 countries, using 974 IP addresses across 119 ASNs and 383 unique /24 (Class C) networks, and collected 31TB of threat data. --------------------------------------------- https://www.shadowserver.org/news/beyond-the-sissden-event-horizon/ ∗∗∗ Decades-Old Code Is Putting Millions of Critical Devices at Risk ∗∗∗ --------------------------------------------- Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light. --------------------------------------------- https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices ∗∗∗ Vorsicht bei zu günstigen Technik-Angeboten ∗∗∗ --------------------------------------------- sgt-sonic.store, alpha-tech.store, omega-tech.store, grand-elec.store und beta-elec.store bieten ein breites Technik-Sortiment mit unschlagbaren Angeboten. Sehen Sie jedoch von einer Bestellung ab, denn es handelt sich um Fake-Shops. Die Ware wird trotz Vorab-Zahlung nie geliefert. Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-technik-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Noch ein Update für iOS, iPadOS und watchOS ∗∗∗ --------------------------------------------- Bei Apple kommen die Aktualisierungen Schlag auf Schlag. iOS 13.1.2, iPadOS 13.1.2 und watchOS 6.0.1 beheben erneut Fehler. --------------------------------------------- https://heise.de/-4543459 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, linux-4.9, netty, phpbb3, and poppler), openSUSE (chromium, djvulibre, ghostscript, python-numpy, SDL2, and varnish), Oracle (nodejs:10), Red Hat (httpd24-httpd and httpd24-nghttp2, kpatch-patch, and rh-nodejs10-nodejs), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and SDL 2.0). --------------------------------------------- https://lwn.net/Articles/801010/ ∗∗∗ Red Hat Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0860 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0862 ∗∗∗ Theme Editor <= 2.1 - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9894 ∗∗∗ Cisco Webex Meetings Enumeration Attack ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities have been addressed in IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 & GCM32 and LCM8 & LCM16 KVM Switch Firmware (CVE-2018-0732 CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-op… ∗∗∗ HPESBHF03955 rev.1 - HPE Simplivity Omnistack, Local and Remote File Modification and Deletion ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03956 rev.1 - HPE Simplivity Omnistack, Local and Remote Arbitrary Command Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03954 rev.1 - HPE UioT, Remote Unauthorized Access and Access to sensitive Data ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2019
by Daily end-of-shift report 30 Sep '19

30 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-09-2019 18:00 − Montag 30-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Angreifer können verschlüsselte PDF-Daten leaken ∗∗∗ --------------------------------------------- Passwortgeschützte PDF-Dateien bieten wenig Sicherheit. Ein Angreifer, der die Dateien manipulieren kann, kann dafür sorgen, dass deren Inhalt geleakt wird. Abhilfe gibt es nicht, dafür müsste das Dateiformat geändert werden. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-angreifer-koennen-verschluessel… ∗∗∗ Kriminelle nützen Thomas Cook Insolvenz für Phishing-Attacken ∗∗∗ --------------------------------------------- Die Insolvenz von Thomas Cook und Neckermann Reisen ist momentan in aller Munde. Betroffene KonsumentInnen gelangten nun ins Visier Krimineller. In betrügerischen Phishing-Mails werden sie aufgefordert, Kreditkartendaten und Ausweise zu übermitteln, um ihr Geld zurückzuerhalten. Die E-Mails stammen nicht von Thomas Cook und müssen ignoriert werden! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-nuetzen-thomas-cook-insol… ∗∗∗ Masad Spyware Uses Telegram Bots for Command-and-Control ∗∗∗ --------------------------------------------- The malware harvests data, steals cryptocurrency and drops additional malware, while masquerading as a Fortnite aimbot and more. --------------------------------------------- https://threatpost.com/masad-spyware-telegram-bots/148759/ ∗∗∗ European Cybersecurity Month 2019 is launched ∗∗∗ --------------------------------------------- October marks the kick-off of the European Cybersecurity Month (ECSM), coordinated by the European Union Agency for Cybersecurity (ENISA), the European Commission and supported by the Member States. This campaign will focus on expanding awareness about cybersecurity to citizens across Europe. --------------------------------------------- https://www.enisa.europa.eu/news/european-cybersecurity-month-2019-is-launc… ∗∗∗ Malvertiser eGobbler Exploits Chrome & WebKit Bugs, Infects Over 1 Billion Ads ∗∗∗ --------------------------------------------- We have written about the threat actor eGobbler extensively on our blog over the last year as they’ve continued to emerge as a prolific source of malvertising. [...] Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections. --------------------------------------------- https://blog.confiant.com/malvertiser-egobbler-exploits-chrome-webkit-bugs-… ∗∗∗ Cisco führt halbjährlichen Patchday ein ∗∗∗ --------------------------------------------- Ab sofort will Cisco alle sechs Monate gesammelte Sicherheitsupdates für sein Netzwerkbetriebssysteme IOS und IOS XE veröffentlichen. --------------------------------------------- https://heise.de/-4542793 ===================== = Vulnerabilities = ===================== ∗∗∗ MS-ISAC Releases Advisory on PHP Vulnerability ∗∗∗ --------------------------------------------- Original release date: September 27, 2019The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Hypertext Preprocessor (PHP). An attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/27/ms-isac-releases-a… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dovecot, kernel, and qemu-kvm), Debian (cimg, cups, e2fsprogs, exim4, file-roller, golang-1.11, httpie, and wpa), Fedora (curl, ghostscript, ibus, krb5, mod_md, and nbdkit), Mageia (chromium-browser-stable, libheif, and nghttp2), openSUSE (djvulibre, expat, libopenmpt, mosquitto, phpMyAdmin, and webkit2gtk3), Red Hat (nodejs:10), SUSE (gpg2), and Ubuntu (e2fsprogs and exim4). --------------------------------------------- https://lwn.net/Articles/800915/ ∗∗∗ Exim 4.92.3 security release ∗∗∗ --------------------------------------------- Exim 4.92.3 has been released with a fix for CVE-2019-16928, a heap-basedbuffer overflow in string_vformat that could lead to remote codeexecution. "The currently known exploit uses a extraordinary longEHLO string to crash the Exim process that is receiving the message. Whileat this mode of operation Exim already dropped its privileges, other paths toreach the vulnerable code may exist." --------------------------------------------- https://lwn.net/Articles/800917/ ∗∗∗ xpdf: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0857 ∗∗∗ LibreOffice: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0856 ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190930-… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service (CVE-2019-4494, CVE-2019-4495, CVE-2019-4497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Vulnerabilities in kernel affect Power Hardware Management Console (CVE-2019-11479,CVE-2019-11477 and CVE-2019-11478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ke… ∗∗∗ IBM Security Bulletin: Potential denial of service vulnerability in WebSphere Application Server can affect IBM SPSS Analytic Server (CVE-2019-4046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect Rational Build Forge (CVE-2019-9517, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Build Forge (CVE-2019-4473; CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Daeja ViewONE Virtual may expose internal IP addresses (CVE-2019-4246) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-daeja-viewone-virtual… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2019
by Daily end-of-shift report 27 Sep '19

27 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-09-2019 18:00 − Freitag 27-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Adobe and Google Open Redirects Abused by Phishing Campaigns ∗∗∗ --------------------------------------------- Google and Adobe open redirects are being used by phishing campaigns in order to add legitimacy to the URLs used in the spam emails. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-and-google-open-redire… ∗∗∗ Digital Canaries in a Coal Mine: Detecting Enumeration with DNS and AD ∗∗∗ --------------------------------------------- A fundamental part of any network is the Domain Name Service (DNS). Adversaries will likely want to enumerate computers in Active Directory and connect to them, and at some point, they will likely interact with DNS doing so. A simple example is attempting to access a remote share and the resulting DNS query. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/digital-can… ∗∗∗ Researchers Disclose Another SIM Card Attack Possibly Impacting Millions ∗∗∗ --------------------------------------------- A new variant of a recently disclosed SIM card attack method could expose millions of mobile phones to remote hacking, researchers have warned. --------------------------------------------- https://www.securityweek.com/researchers-disclose-another-sim-card-attack-p… ∗∗∗ So schützen Sie sich effektiv vor Schadsoftware! ∗∗∗ --------------------------------------------- Auf dubiosen Websites, in betrügerischen E-Mails oder in scheinbar harmlosen Chat-Nachrichten kann sich Schadsoftware verstecken. Diese verseuchten Dateien dürfen nicht ausgeführt werden, da sie ansonsten das Smartphone, den Computer oder das Netzwerk infizieren. Kriminelle können so beispielsweise sensible Daten auslesen und stehlen, Rechenleistung abzweigen oder ganze Systeme lahmlegen bis eine Kaution bezahlt wird. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-effektiv-vor-s… ∗∗∗ Microsoft: New Nodersok malware has infected thousands of PCs ∗∗∗ --------------------------------------------- New Nodersok malware installs Node.js to turn systems into proxies, perform click-fraud. --------------------------------------------- https://www.zdnet.com/article/microsoft-new-nodersok-malware-has-infected-t… ∗∗∗ Hit by ransomware? Victims of these four types of file-encrypting malware can now retrieve their files for free ∗∗∗ --------------------------------------------- Cybersecurity researchers crack the codes of FortuneCrypt, Yatron, WannaCryFake and Avest ransomware, allowing victims to get their files back without paying cyber criminals. --------------------------------------------- https://www.zdnet.com/article/hit-by-ransomware-victims-of-these-four-types… ∗∗∗ New WhiteShadow downloader uses Microsoft SQL to retrieve malware ∗∗∗ --------------------------------------------- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloade… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 27, 2019Apple has released security updates to address a vulnerability in multiple products. A remote attacker could exploit this vulnerability to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: macOS Mojave 10.14.6 Supplemental Update 2, Security Update 2019-005 High Sierra, and [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/27/apple-releases-sec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dcmtk), openSUSE (rust), Red Hat (redhat-virtualization-host), and SUSE (ghostscript, nghttp2, and u-boot). --------------------------------------------- https://lwn.net/Articles/800699/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling File Gateway (CVE-2019-4423, CVE-2019-4280) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling File Gateway (CVE-2019-4423, CVE-2019-4280) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 & GCM32 KVM Switch Firmware (CVE-2018-0734, CVE-2018-0737, CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-op… ∗∗∗ HPESBGN03957 rev.1 - HPE Oneview for VMware vCenter, Remote Cross-Site Scripting ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2019
by Daily end-of-shift report 26 Sep '19

26 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-09-2019 18:00 − Donnerstag 26-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forensoftware vBulletin: Patch schließt kritische Zero-Day-Lücke ∗∗∗ --------------------------------------------- Die Entwickler von vBulletin haben Patches bereitgestellt, die eine als kritisch eingestufte Sicherheitslücke schließen. Forenbetreiber sollten jetzt handeln. --------------------------------------------- https://heise.de/-4539833 ∗∗∗ BSI stellt Service-Paket "IT-Notfall" für kleine und mittlere Unternehmen vor ∗∗∗ --------------------------------------------- Eine Notfallkarte zum Aushängen und ein neuer Maßnahmenkatalog für Sicherheitsverantwortliche sollen KMU helfen, mit Cyber-Bedrohungen besser umzugehen. --------------------------------------------- https://heise.de/-4540075 ∗∗∗ Hackers Replace Windows Narrator to Get SYSTEM Level Access ∗∗∗ --------------------------------------------- Chinese hackers are replacing the legitimate Narrator app on targeted Windows systems with a trojanized version that gives them remote access with privileges of the most powerful account on the operating system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-replace-windows-narr… ∗∗∗ Ransomware Decryptors Released for Yatron, WannaCryFake, & FortuneCrypt ∗∗∗ --------------------------------------------- Security vendors released decryptors for three ransomware infections today that allow victims to recover their files for free. These decryptors are for the WannaCryFake, Yatron, and FortuneCrypt Ransomware infections. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-decryptors-releas… ∗∗∗ Windows‌ ‌Exploitation‌ ‌Tricks:‌ ‌Spoofing‌ ‌Named‌ ‌Pipe‌ ‌Client‌ ‌PID‌ ∗∗∗ --------------------------------------------- Posted by James Forshaw, Project ZeroWhile researching the Access Mode Mismatch in IO Manager bug class I came across an interesting feature in named pipes which allows a server to query the connected clients PID. This feature was introduced in Vista and is exposed to servers through the GetNamedPipeClientProcessId API, pass the API a handle to the pipe server and you’ll get back the PID of the connected client. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/09/windows-exploitation-tricks-… ∗∗∗ Joomla! Security Best Practices: 12 Ways to Keep Joomla! Secure ∗∗∗ --------------------------------------------- At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, most advice can often be too broad; different content management systems (CMS) exist in this ecosystem, and each requires a unique security configuration. --------------------------------------------- https://blog.sucuri.net/2019/09/joomla-security-best-practices.html ∗∗∗ Hackers looking into injecting card stealing code on routers, rather than websites ∗∗∗ --------------------------------------------- Magecart (web skimming) attacks are evolving into a direction where theyre gonna be harder and harder to detect. --------------------------------------------- https://www.zdnet.com/article/hackers-looking-into-injecting-card-stealing-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Releases Security Advisories ∗∗∗ --------------------------------------------- Original release date: September 26, 2019Cisco has released security updates to address vulnerabilities affecting multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisories page and apply the necessary updates. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/26/cisco-releases-sec… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dovecot), Debian (lemonldap-ng, openssl, and ruby-nokogiri), openSUSE (fish3, ibus, nmap, and openssl-1_1), Slackware (mozilla), SUSE (mariadb, python-numpy, and SDL2), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/800647/ ∗∗∗ Multiple Vulnerabilities in Citrix License Server for Windows and VPX ∗∗∗ --------------------------------------------- CTX261963 NewApplicable Products : LicensingMultiple Denial-of-Service vulnerabilities have been identified in Citrix License Server for Windows and VPX that, when exploited, could result in an attacker being able to force the vendor service to shutdown. --------------------------------------------- https://support.citrix.com/article/CTX261963 ∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-069 ∗∗∗ Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-068 ∗∗∗ IBM Security Bulletin: Linux kernel as used by IBM QRadar SIEM is vulnerable to privilege escalation(Publicly disclosed vulnerability) (CVE-2019-3896) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-… ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a denial of service attack caused by a memory leak in the clustering code. (CVE-2019-4141) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app… ∗∗∗ IBM Security Bulletin: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. These issues were disclosed as part of the IBM Java SDK updates in October 2018 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-there-are-multiple-vu… ∗∗∗ Multiple SQL Injection Vulnerabilities in eBrigade ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-sql-injection-vulnerabi… ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0840 ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0838 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2019
by Daily end-of-shift report 25 Sep '19

25 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-09-2019 18:00 − Mittwoch 25-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ vBulletin Zero-Day Exploited for Years, Gets Unofficial Patch ∗∗∗ --------------------------------------------- A zero-day exploit for the vBulletin forum platform was publicly disclosed and quickly used to attack affected versions of the forum software. It turns out, though, that this exploit has been known, utilized, and sold by researchers and attackers for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vbulletin-zero-day-exploited… ∗∗∗ Free Decryptors Released for Two Ransomware Families ∗∗∗ --------------------------------------------- Security researchers have released decryption tools which victims of two different ransomware families can use to recover their files for free. On 25 September, Kaspersky Lab unveiled decryptors for both the Yatron and FortuneCrypt crypto-ransomware families. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/free-de… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 25, 2019Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit one of these vulnerabilities to obtain access to sensitive information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/25/apple-releases-sec… ∗∗∗ Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2019-0015 ∗∗∗ --------------------------------------------- VMware Cloud Foundation and VMware Harbor Container Registry for PCF address remote escalation of privilege vulnerability (CVE-2019-16097) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0015.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libgcrypt20, and spip), Fedora (compat-openssl10, expat, ghostscript, ibus, java-1.8.0-openjdk-aarch32, and SDL2_image), openSUSE (bird, chromium, kernel, libreoffice, links, and varnish), Oracle (httpd:2.4 and qemu-kvm), Red Hat (kernel), Scientific Linux (qemu-kvm), SUSE (djvulibre, dovecot22, ghostscript, kernel, libxml2, and python-Twisted), and Ubuntu (file-roller and libreoffice). --------------------------------------------- https://lwn.net/Articles/800553/ ∗∗∗ [20190901] - Core - XSS in logo parameter of default templates ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/PO-TPPu7rQ0/791-20190901-c… ∗∗∗ SBA-ADV-20190911-01: Easy FancyBox Wordpress Plugin Stored Cross-site Scripting (XSS) ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/9000d9bfd120a1b8f5f1643e5f… ∗∗∗ Security Advisory - Two Integer overflow Vulnerabilities in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Gauss100 OLTP Database of Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Improper Validation Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Linux Kernel as used in IBM QRadar Network Packet Capture is vulnerable to denial of service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-… ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance command server is vulnerable to a denial of service attack caused by specially crafted PCF messages (CVE-2019-4378) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app… ∗∗∗ IBM Security Bulletin: Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2019-10241, CVE-2019-10246 & CVE-2019-10247) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-java-vulnerability-af… ∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty Admin Center in IBM Cloud (CVE-2019-4285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Server Side Request Forgery (CVE-2019-4262) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… ∗∗∗ IBM Security Bulletin:IBM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletinibm-security-identity-… ∗∗∗ BIG-IQ services for stats vulnerability CVE-2019-6652 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23101430 ∗∗∗ BIG-IP APM Edge Client logging vulnerability CVE-2019-6656 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23876153 ∗∗∗ BIG-IP Analytics vulnerability CVE-2019-6655 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31152411 ∗∗∗ Martian address filtering vulnerability CVE-2019-6654 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45644893 ∗∗∗ BIG-IQ vulnerability CVE-2019-6653 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71712132 ∗∗∗ REST Framework vulnerability CVE-2019-6651 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K89509323 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2019
by Daily end-of-shift report 24 Sep '19

24 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 23-09-2019 18:00 − Dienstag 24-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MITRE ATT&CK vulnerability spotlight: Access token manipulation ∗∗∗ --------------------------------------------- MITRE is a U.S. government federally-funded research and development center (FFRDC) which performs a large amount of research and assessment as a trusted third party for the government. One of their research areas is cybersecurity, and they have developed the MITRE ATT&CK matrix to help with research and education about cybersecurity threats. --------------------------------------------- https://resources.infosecinstitute.com/mitre-attck-access-token-manipulatio… ∗∗∗ Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs ∗∗∗ --------------------------------------------- Im keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain remotewebaccess.com. --------------------------------------------- https://isc.sans.edu/forums/diary/Huge+Amount+of+remotewebaccesscom+Sites+F… ∗∗∗ E-Mail der Chaos-Hacking-Gruppe ignorieren ∗∗∗ --------------------------------------------- Angeblich hat sich die Chaos-Hacking-Gruppe in Ihr E-Mail-Konto und Betriebssystem gehackt und Ihr Surfverhalten drei Monate lang beobachtet. Die Kriminellen behaupten, Sie beim Surfen auf Porno-Seiten erwischt und bei intimen Handlungen gefilmt zu haben. Damit das Video über Sie nicht an all Ihre Kontakte gesendet wird, fordern die Hacker eine Überweisung von 2.000 Euro in Form von Bitcoins. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-der-chaos-hacking-gruppe-igno… ∗∗∗ No summer vacations for Zebrocy ∗∗∗ --------------------------------------------- ESET researchers describe the latest components used in a recent Sednit campaign The post No summer vacations for Zebrocy appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates Available for ColdFusion (APSB19-47) ∗∗∗ --------------------------------------------- Adobe has published a Security Bulletin (APSB19-47) for ColdFusion versions 2018 and 2016. These updates resolve two critical and one moderate vulnerability that could lead to arbitrary code execution and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1789 ∗∗∗ Notfallpatch: Attacken gegen Internet Explorer ∗∗∗ --------------------------------------------- Ein Update schließt eine kritische Lücke im Internet Explorer – es ist aber noch nicht über Windows Update verfügbar. Auch Windows Defender bekommt einen Patch. --------------------------------------------- https://heise.de/-4537525 ∗∗∗ Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild ∗∗∗ --------------------------------------------- Description: XSS Via Unauthenticated Plugin Options Update Affected Plugin: Rich Reviews Affected Versions: [...] --------------------------------------------- https://www.wordfence.com/blog/2019/09/rich-reviews-plugin-vulnerability-ex… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php5), Fedora (blis, kernel, and kernel-headers), openSUSE (bird, curl, fish3, ghostscript, ibus, kernel, libgcrypt, openldap2, openssl-1_1, skopeo, and util-linux and shadow), Oracle (dovecot and kernel), Red Hat (dovecot, httpd:2.4, qemu-kvm, and redhat-virtualization-host), Scientific Linux (dovecot), SUSE (djvulibre, expat, firefox, libopenmpt, and rust), and Ubuntu (ibus and Mosquitto). --------------------------------------------- https://lwn.net/Articles/800448/ ∗∗∗ IBM Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator… ∗∗∗ IBM Security Bulletin: IBM Cloud Private for Data is affected by a vulnerability in Go Language (CVE-2019-6486) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-for… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2019
by Daily end-of-shift report 23 Sep '19

23 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-09-2019 18:00 − Montag 23-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zunahme von erfolgreichen Cyber-Angriffen mit Emotet – BSI rät zu Schutzmaßnahmen ∗∗∗ --------------------------------------------- Cyber-Angriffe mit der Schadsoftware Emotet haben in den vergangenen Tagen erhebliche Schäden in der deutschen Wirtschaft, aber auch bei Behörden und Organisationen verursacht. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt daher erneut eindringlich vor dieser Schadsoftware und gibt ausführliche Hinweise zum Schutz vor Emotet. Auch Privatanwender stehen im Fokus der Angreifer. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Emotet-Warn… ∗∗∗ Meet Stop Ransomware: The Most Active Ransomware Nobody Talks About ∗∗∗ --------------------------------------------- Have you ever heard of the STOP Ransomware? Probably not, as few write about it, most researchers dont cover it, and for the most part it targets consumers through cracked software, adware bundles, and shady sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-mos… ∗∗∗ What you should know about Ryuk ransomware ∗∗∗ --------------------------------------------- The ransomware called Ryuk has established ransomware as a lucrative enterprise product. This sentence may sound provocative, as it is treating cybercriminals like businesspeople, but this is what Ryuk is about - making money. This strain of ransomware is estimated by Crowdstrike to have made the gang behind it over $3.7 million USD since [...] --------------------------------------------- https://resources.infosecinstitute.com/what-you-should-know-about-ryuk-rans… ∗∗∗ Hello! My name is Dtrack ∗∗∗ --------------------------------------------- When we first discovered ATMDtrack, we thought we were just looking at another ATM malware family. Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. --------------------------------------------- https://securelist.com/my-name-is-dtrack/93338/ ∗∗∗ YARA XOR Strings: an Update, (Sun, Sep 22nd) ∗∗∗ --------------------------------------------- Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key. --------------------------------------------- https://isc.sans.edu/diary/rss/25346 ∗∗∗ Bereit für NISG & NISV? – Anforderungen an den Umgang mit Sicherheitsvorfällen ∗∗∗ --------------------------------------------- Es ist so weit - Österreich hat mit dem Beschluss der Netz- und Informationssystemsicherheitsverordnung (NISV) nun konkrete Netzwerk- und Informationssicherheitsanforderungen für Anbietern wesentlicher Dienste i.S.d. Netz- und Informationssystemsicherheitsgesetz (NISG) festgelegt. --------------------------------------------- https://www.sec-consult.com/blog/2019/09/bereit-fuer-nisg-nisv-anforderunge… ∗∗∗ Dear network operators, please use the existing tools to fix security ∗∗∗ --------------------------------------------- The internets security and stability would be significantly improved if network operators implemented protocols that were already written into technical standards and if vendors provided better tools for fixing security. --------------------------------------------- https://www.zdnet.com/article/dear-network-operators-please-use-the-existin… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Jira Server und Data Center vor Schadcode-Attacken gefährdet ∗∗∗ --------------------------------------------- Verschiedene Software von Jira ist über kritische Sicherheitslücken attackierbar. Angreifer könnten die Kontrolle über Server übernehmen. --------------------------------------------- https://heise.de/-4536050 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, php-pecl-http, and php7.0), Fedora (ImageMagick, jackson-annotations, jackson-bom, jackson-core, jackson-databind, and rubygem-rmagick), Mageia (chromium-browser-stable, ibus, kernel, samba, and thunderbird), openSUSE (chromium), Oracle (dovecot and kernel), Red Hat (dbus, kernel, kernel-alt, and kpatch-patch), Scientific Linux (dovecot and kernel), and SUSE (expat, ibus, kernel, kernel-source-rt, nmap, openssl, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/800377/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190921-… ∗∗∗ Security Advisory - Race Condition Vulnerability on Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190911-… ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager stores password in clear text (CVE-2019-4566) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: Apache Commons Compress vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-commons-compre… ∗∗∗ IBM Security Bulletin: Node.js vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-vulnerabiliti… ∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-2684, CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2019
by Daily end-of-shift report 20 Sep '19

20 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-09-2019 18:00 − Freitag 20-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forcepoint Fixes Privilege Escalation Bug in Windows VPN Client ∗∗∗ --------------------------------------------- A vulnerability affecting all versions of Forcepoint VPN Client for Windows, save the latest release, can be used to achieve persistence and evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/forcepoint-fixes-privilege-e… ∗∗∗ Fake SSO Used In Multi-Email Provider Phishing ∗∗∗ --------------------------------------------- Single sign-on (SSO) allows users to sign into a single account (e.g Google) and access other services like YouTube or Gmail without authenticating with a separate username and password. This feature also extends to third party services such as the popular Dropbox file sharing application, which offers users the option to access their account using Google’s authentication from their sign in page. Malicious Pages Mimic Popular Login Workflows [...] --------------------------------------------- https://blog.sucuri.net/2019/09/fake-sso-used-in-multi-email-provider-phish… ∗∗∗ Blacklisting or Whitelisting in the Right Way ∗∗∗ --------------------------------------------- Its Friday today, Id like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" bsides the automated processing of data. The approach to implement them is quite different: --------------------------------------------- https://isc.sans.edu/forums/diary/Blacklisting+or+Whitelisting+in+the+Right… ∗∗∗ Wenn Instagram- und Facebook-Freunde nach der Handynummer fragen ∗∗∗ --------------------------------------------- Zahlreiche NutzerInnen berichten derzeit, dass sie von FreundInnen über den Instagram-Chat oder den Facebook-Messenger nach ihrer Handynummer gefragt werden. Anschließend wird noch nach einem 4-stelligen PIN Code gefragt. Achtung! Hier schreiben nicht die FreundInnen. Deren Zugang wurde gehackt. Kriminelle versuchen so, ein kostenpflichtiges Abo abzuschließen. --------------------------------------------- https://www.watchlist-internet.at/news/wenn-instagram-und-facebook-freunde-… ===================== = Vulnerabilities = ===================== ∗∗∗ Tridium Niagara ∗∗∗ --------------------------------------------- This advisory contains mitigations for information exposure and improper authorization vulnerabilities in Tridiums Niagara business application framework software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-262-01 ∗∗∗ WECON LeviStudioU (Update A) ∗∗∗ --------------------------------------------- WECON has produced Version 1.8.69 to fix the reported vulnerabilities in Version 1.8.56; however, exploits are still successful against this updated version. --------------------------------------------- https://www.us-cert.gov/ics/advisories/ICSA-19-036-03 ∗∗∗ VMSA-2019-0014 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0014.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bird, opendmarc, php7.3, and qemu), Fedora (bird, dino, nbdkit, and openconnect), Oracle (nginx:1.14, patch, and thunderbird), Red Hat (dovecot, kernel, kernel-alt, and kernel-rt), Scientific Linux (thunderbird), and SUSE (kernel, openssl, openssl-1_1, python-SQLAlchemy, and python-Werkzeug). --------------------------------------------- https://lwn.net/Articles/800149/ ∗∗∗ Western Digital My Book World II NAS 1.02.12 Hardcoded Credential ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019090130 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by Cross-Site Request Forgery (CVE-2019-4515 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Synthetic Playback Agent 8.1.4 is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-synthetic-playback-ag… ∗∗∗ IBM Security Bulletin: Synthetic Playback Agent 8.1.4.x is affected by multiple vulnerabilities of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-synthetic-playback-ag… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2019
by Daily end-of-shift report 19 Sep '19

19 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-09-2019 18:00 − Donnerstag 19-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake Human Verification Spam ∗∗∗ --------------------------------------------- We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019. One of these newly targeted plugins was Advanced Booking Calendar — and it didn’t take long before we were receiving clean up requests for websites that had already been exploited through this plugin. --------------------------------------------- https://blog.sucuri.net/2019/09/fake-human-verification-spam.html ∗∗∗ Agent Tesla Trojan Abusing Corporate Email Accounts ∗∗∗ --------------------------------------------- The trojan Agent Tesla is not brand new, discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1]. --------------------------------------------- https://isc.sans.edu/forums/diary/Agent+Tesla+Trojan+Abusing+Corporate+Emai… ∗∗∗ Shhmon — Silencing Sysmon via Driver Unload ∗∗∗ --------------------------------------------- https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Lücke erlaubt Root-Zugriff auf D-Link-NAS DNS-320 ∗∗∗ --------------------------------------------- Ein Update schließt eine Schwachstelle mit Höchstwertung im Netzwerkspeicher DNS-320 von D-Link. --------------------------------------------- https://heise.de/-4533707 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, [...] --------------------------------------------- https://lwn.net/Articles/799971/ ∗∗∗ Critical Vulnerability in Harbor Enables Privilege Escalation from Zero to Admin (CVE-2019-16097) ∗∗∗ --------------------------------------------- Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The maintainers of Harbor released a patch that closes this critical security hole. --------------------------------------------- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enable… ∗∗∗ TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-067 ∗∗∗ Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-066 ∗∗∗ Kubernetes: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0826 ∗∗∗ Cisco HyperFlex Software Counter Value Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco HyperFlex Software Cross-Frame Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei CloudEngine Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190918-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Security QRadar Packet Capture is vulnerable to Denial of Service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-3896) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-qradar-p… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct File Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system and Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs CVE-2019-4473 and CVE-2019-11771 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-eclipse-openj9-could-… ∗∗∗ IBM Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE’s (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-as-used-in-ib… ∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2019
by Daily end-of-shift report 18 Sep '19

18 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-09-2019 18:00 − Mittwoch 18-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Warning: Researcher Drops phpMyAdmin Zero-Day Affecting All Versions ∗∗∗ --------------------------------------------- A cybersecurity researcher recently published details and proof-of-concept for an unpatched zero-day vulnerability in phpMyAdmin—one of the most popular applications for managing the MySQL and MariaDB databases. --------------------------------------------- https://thehackernews.com/2019/09/phpmyadmin-csrf-exploit.html ∗∗∗ Clever New DDoS Attack Gets a Lot of Bang for a Hackers Buck ∗∗∗ --------------------------------------------- By exploiting the WS-Discovery protocol, a new breed of DDoS attack can get a huge rate of return. --------------------------------------------- https://www.wired.com/story/ddos-attack-ws-discovery ∗∗∗ FAQ: Emotet (bei Heise) ∗∗∗ --------------------------------------------- Seit die Heise Gruppe von einer Emotet-Infektion betroffen war, erreichen uns immer wieder Rückfragen. Hier die Antworten auf die häufigsten davon. --------------------------------------------- https://heise.de/-4517354 ∗∗∗ SMS von "PostInfo" führt in Abo-Falle ∗∗∗ --------------------------------------------- Zahlreiche HandynutzerInnen erhalten momentan eine SMS von PostInfo. Sie haben angeblich etwas bei einer Verlosung gewonnen. Um den Gewinn einzulösen, müssen sie einem Link folgen. Dieser führt zu einer Umfrage auf einer gefälschten Post-Seite. Achtung: dieses SMS stammt nicht von der Post, sondern von Kriminellen. Sie werden in eine Abo-Falle gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-postinfo-fuehrt-in-abo-falle/ ∗∗∗ Daily Emotet IoCs and Notes for 09/16/19 ∗∗∗ --------------------------------------------- Emotet Malware Document links/IOCs for 09/16/19 as of 09/17/19 02:30 EDTNotes and Credits at the bottom Follow us on twitter @cryptolaemus1 for more updates. --------------------------------------------- https://paste.cryptolaemus.com/emotet/2019/09/16/emotet-malware-IoCs_09-16-… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for code injection, command injection, stack-based buffer overflow, and improper authorization vulnerabilities in Advantechs WebAccess HMI platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-260-01 ∗∗∗ Honeywell Performance IP Cameras and Performance NVRs ∗∗∗ --------------------------------------------- This advisory includes mitigations for an information exposure vulnerability in the Honeywell Performance IP Cameras and Performance NVRs product. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-260-03 ∗∗∗ HPESBHF03844 rev.3 - HPE Integrated Lights-Out 4, 5 (iLO 4, 5) iLO Moonshot and Moonshot iLO Chassis Manager, Remote or Local Code Execution ∗∗∗ --------------------------------------------- Version:3 (rev.3) - 17 September 2019 added iLO Moonshot and Moonshot iLO Chassis Manager --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03866 rev.3 - HPE Integrated Lights-Out 3,4,5 iLO Moonshot and Moonshot iLO Chassis Manager, using SSH, Remote Execution of Arbitrary Code, Local Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- Version:3 (rev.3) - 17 September 2019 added iLO Moonshot and Moonshot iLO Chassis Manager --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Security update available in Foxit Studio Photo 3.6.6.913 ∗∗∗ --------------------------------------------- Foxit has released Foxit Studio Photo 3.6.6.913, which addresses potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php ∗∗∗ Kritisches Update für AMD-Grafikkarten löst spezielles Sicherheitsproblem ∗∗∗ --------------------------------------------- Die Kombination von VMware Workstation Pro und AMD-GPUs könnte die Computersicherheit gefährden. --------------------------------------------- https://heise.de/-4533148 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa). --------------------------------------------- https://lwn.net/Articles/799765/ ∗∗∗ WAGO Series PFC100/PCF200 Information Disclosure ∗∗∗ --------------------------------------------- The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-017 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager uses Weak password policy (CVE-2019-4565) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2019 – Includes Oracle Jul 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo… ∗∗∗ IBM Security Bulletin: Vulnerability in Eclipse Jetty affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ecli… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities have been identified in bundled libraries of IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2019-12086, CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects… ∗∗∗ Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-x… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2019
by Daily end-of-shift report 17 Sep '19

17 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 16-09-2019 18:00 − Dienstag 17-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet Revived with Large Spam Campaigns Around the World ∗∗∗ --------------------------------------------- Less than a month after reactivating its command and control (C2) servers, the Emotet botnet has come to like by spewing spam messages to countries around the globe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-revived-with-large-sp… ∗∗∗ Misuse of WordPress update_option() function Leads to Website Infections ∗∗∗ --------------------------------------------- In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission flow correctly, attackers can gain admin access or inject arbitrary data into any website. Note: The WordPress update_option() function cannot be used maliciously if the developer correctly implements it in their code. --------------------------------------------- https://blog.sucuri.net/2019/09/misuse-of-wordpress-update_option-function-… ∗∗∗ Explaining Server Side Template Injections ∗∗∗ --------------------------------------------- [...] Exploiting SSTI in strange cases will be the next post I make. Any and all feedback is appreciated --------------------------------------------- https://0x00sec.org/t/explaining-server-side-template-injections/16297 ∗∗∗ 2019 CWE Top 25 Most Dangerous Software Errors ∗∗∗ --------------------------------------------- The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. --------------------------------------------- https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html ∗∗∗ Investigating Gaps in your Windows Event Logs ∗∗∗ --------------------------------------------- I recently TAd the SANS SEC 504 class (Hacker Tools, Techniques, Exploits, and Incident Handling) , and one of the topics we covered was attackers "editing" windows event logs to cover their tracks, especially the Windows Security Event Log. --------------------------------------------- https://isc.sans.edu/forums/diary/Investigating+Gaps+in+your+Windows+Event+… ∗∗∗ Phishing: BAWAG PSK fordert keine Datenbestätigung per E-Mail ∗∗∗ --------------------------------------------- Kriminelle geben sich als BAWAG PSK Bank aus und behaupten, dass Online-Banking-NutzerInnen aufgrund der EU-Zahlungsrichtlinie ihre Daten bestätigen müssen. Angeblich sei auch das Konto gesperrt. Es handelt sich jedoch um einen Vorwand, um an Zugangsdaten zu kommen. Klicken Sie keinesfalls auf den Button, Sie gelangen zu einer gefälschten Login-Seite! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-bawag-psk-fordert-keine-dat… ∗∗∗ MISP 2.4.116 released (aka the new decaying feature) ∗∗∗ --------------------------------------------- A new version of MISP (2.4.116) has been release, including a long awaited major new feature that deals with decaying indicators in addition to a new ATT&CK sightings export and a new sync priority capability. --------------------------------------------- https://www.misp-project.org/2019/09/17/MISP.2.4.116.released.html ∗∗∗ Gootkit malware crew left their database exposed online without a password ∗∗∗ --------------------------------------------- Even cyber-criminal gangs cant secure their MongoDB servers properly. --------------------------------------------- https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-expo… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira ∗∗∗ --------------------------------------------- Ben Taylor of Cisco ASIG discovered these vulnerabilities.Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and [...] --------------------------------------------- https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/799509/ ∗∗∗ SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices ∗∗∗ --------------------------------------------- Researchers have discovered many vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices as part of a project dubbed SOHOpelessly Broken 2.0. --------------------------------------------- https://www.securityweek.com/sohopelessly-broken-20-125-vulnerabilities-fou… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Apache HTTPD vulnerability CVE-2019-10098 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K25126370 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2019
by Daily end-of-shift report 16 Sep '19

16 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-09-2019 18:00 − Montag 16-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gefährliche Sicherheitslücken in Überwachungskameras von Dahua ∗∗∗ --------------------------------------------- Angreifer könnten einige Dahua-Überwachungskameras attackieren und in ein Botnetz zwingen. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-4523355 ∗∗∗ Fake-Bewerbung von "Eva Richter" hat Erpressungstrojaner Ordinypt im Gepäck ∗∗∗ --------------------------------------------- Vorsicht: Derzeit sind wieder gefälschte Bewerbungen mit gefährlichem Dateianhang in Umlauf. Wer darauf reinfällt, steht vor einem digitalen Scherbenhaufen. --------------------------------------------- https://heise.de/-4523365 ∗∗∗ How to Enable Ransomware Protection in Windows 10 ∗∗∗ --------------------------------------------- Windows Defender includes a security feature called "Ransomware Protection" that allows you to enable various protections against ransomware infections. This feature is disabled by default in Windows 10, but with ransomware running rampant, it is important to enable this feature in order to get the most protection on your computer. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/how-to-enable-ransomware-pr… ∗∗∗ iPhone: PIN-Sperre in iOS 13 umgangen ∗∗∗ --------------------------------------------- Der Sperrbildschirm in iOS 13 kann mit einem einfachen Trick umgangen werden. So kann auf das Adressbuch des Besitzers zugegriffen werden. iOS 13 soll am 19. September veröffentlicht werden - die Lücke will Apple bis dahin nicht schließen. --------------------------------------------- https://www.golem.de/news/iphone-pin-sperre-in-ios-13-umgangen-1909-143860-… ∗∗∗ WordPress XSS Bug Allows Drive-By Code Execution ∗∗∗ --------------------------------------------- Sites that use the Gutenberg (found in WordPress 5.0 to 5.2.2) are open to complete takeover. --------------------------------------------- https://threatpost.com/wordpress-xss-drive-by-code-execution/148324/ ∗∗∗ Dissecting the WordPress 5.2.3 Update ∗∗∗ --------------------------------------------- Last week, WordPress released version 5.2.3 which was a security and maintenance update, and as such, contained many security fixes. Part of our day to day work is to analyse these security releases, discover what security issue it is fixing and come up with a Proof of Concept for further internal testing. --------------------------------------------- https://blog.sucuri.net/2019/09/dissecting-the-wordpress-5-2-3-update.html ∗∗∗ Smishing Explained: What It Is and How to Prevent It ∗∗∗ --------------------------------------------- Do you remember the last time you’ve interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently as of late? It’s no accident. Whereas marketers and communications professionals can’t count on email opens or users accepting push notifications from apps, they’re well aware that around [...] --------------------------------------------- https://www.webroot.com/blog/2019/09/16/smishing-explained-what-it-is-and-h… ∗∗∗ You Can Run, But You Can't Hide - Detecting Process Reimaging Behavior ∗∗∗ --------------------------------------------- Around 3 months ago, a new attack technique was introduced to the InfoSec community known as "Process Reimaging." This technique was released by the McAfee Security team in a blog titled — "In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass." A few days after this attack technique was released, a co-worker and friend of mine - Dwight Hohnstein - came out with proof of concept code demonstrating this technique, [...] --------------------------------------------- https://posts.specterops.io/you-can-run-but-you-cant-hide-detecting-process… ∗∗∗ Open source breach and attack simulation tool Infection Monkey gets new features ∗∗∗ --------------------------------------------- Guardicore, a leader in internal data center and cloud security, unveiled new capabilities for its Infection Monkey that make it the industry’s first Zero Trust assessment tool. Added features extend the functionality of the already successful Infection Monkey, a free, open source breach and attack simulation tool used by thousands to demonstrate and analyze their environments against lateral movement and attacks. --------------------------------------------- https://www.helpnetsecurity.com/2019/09/16/infection-monkey-tool/ ∗∗∗ LastPass Patches Bug Leaking Last-Used Credentials ∗∗∗ --------------------------------------------- A vulnerability recently addressed in LastPass could be abused by attackers to expose the last site credentials filled by LastPass. A freemium password manager, LastPass stores encrypted passwords online and provides users with a web interface to access them, as well as with plugins for web browsers and apps for smartphones. --------------------------------------------- https://www.securityweek.com/lastpass-patches-bug-leaking-last-used-credent… ∗∗∗ Sophos open-sources Sandboxie, a utility for sandboxing any application ∗∗∗ --------------------------------------------- Sandboxie is now a free download. Source code to be open-sourced at a later date. --------------------------------------------- https://www.zdnet.com/article/sophos-open-sources-sandboxie-a-utility-for-s… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2019-0013 ∗∗∗ --------------------------------------------- VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities. (CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0013.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, faad2, linux-4.9, and thunderbird), Fedora (jbig2dec, libextractor, sphinx, and thunderbird), Mageia (expat, kconfig, mediawiki, nodejs, openldap, poppler, thunderbird, webkit2, and wireguard), openSUSE (buildah, ghostscript, go1.12, libmirage, python-urllib3, rdesktop, and skopeo), SUSE (python-Django), and Ubuntu (exim4, ibus, and Wireshark). --------------------------------------------- https://lwn.net/Articles/799324/ ∗∗∗ [remote] Inteno IOPSYS Gateway - Improper Access Restrictions ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47390 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2019
by Daily end-of-shift report 13 Sep '19

13 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-09-2019 18:00 − Freitag 13-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Rig Exploit Kit Delivering VBScript, (Thu, Sep 12th) ∗∗∗ --------------------------------------------- I detected the following suspicious traffic on a corporate network. It was based on multiples infection stages and looked interesting enough to publish a diary about it. This is also a good reminder that, just by surfing the web, you can spot malicious scripts that will try to infect your computer (Exploit Kits). --------------------------------------------- https://isc.sans.edu/diary/rss/25318 ∗∗∗ Hacking LED Wristbands: A ‘Lightning’ Recap of RF Security Basics ∗∗∗ --------------------------------------------- We’re always eager for new research and learning opportunities, but this time, serendipitously, the opportunity found us. At the closing party of the Hack In The Box Amsterdam conference — where we presented our industrial radio research and ran a CTS contest — we were given LED wristbands to wear. They’re flashing wristbands meant to enhance the experience of an event, party, or show. At the beginning, we were not interested in the security impact; we just wanted to [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/MzmWyorokxA/ ∗∗∗ InnfiRAT: A new RAT aiming for your cryptocurrency and more ∗∗∗ --------------------------------------------- Recently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine. This blog provides an analysis of this new RAT, including the way it communicates, all the tasks it performs, and the information it steals. --------------------------------------------- https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptoc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, dnsmasq, and golang-go.crypto), Mageia (docker, firefox, flash-player-plugin, ghostscript, links, squid, sympa, tcpflow, thunderbird, and znc), openSUSE (srt), Oracle (.NET Core, kernel, libwmf, and poppler), Scientific Linux (firefox), SUSE (cri-o, curl, java-1_8_0-ibm, python-SQLAlchemy, and python-urllib3), and Ubuntu (curl and expat). --------------------------------------------- https://lwn.net/Articles/799127/ ∗∗∗ Philips IntelliVue WLAN ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for use of hard-coded password, and download of code without integrity check vulnerabilities in Philips IntelliVue WLAN firmware. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-255-01 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Web Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for path traversal and stack-based buffer overflow vulnerabilities in 3S-Smart Software Solutions CODESYS V3 runtime systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-01 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Library Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for a cross-site scripting vulnerability in 3S-Smart Software Solutions CODESYS V3 library manager software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-02 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS Control V3 Online User Management ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in 3S-Smart Software Solutions CODESYS Control V3 online user management software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-03 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS Control V3 OPC UA Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a NULL pointer dereference vulnerability in 3S-Smart Software Solutions CODESYS Control V3 OPC UA Server. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-04 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper input validation vulnerability in 3S-Smart Software Solutions CODESYS V3 runtime systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-05 ∗∗∗ Multiple buffer overflow vulnerabilities in multiple Ricoh printers and Multifunction Printers (MFPs) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN11708203/ ∗∗∗ libssh2 vulnerability CVE-2019-13115 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13322484 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2019
by Daily end-of-shift report 12 Sep '19

12 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-09-2019 18:00 − Donnerstag 12-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 1B Mobile Users Vulnerable to Ongoing 'SimJacker' Surveillance Attack ∗∗∗ --------------------------------------------- More than one billion mobile users are at risk from a SIM card flaw being currently exploited by threat actors, researchers warn. --------------------------------------------- https://threatpost.com/1b-mobile-users-vulnerable-to-ongoing-simjacker-surv… ∗∗∗ Attacking the VM Worker Process ∗∗∗ --------------------------------------------- In the past year we invested a lot of time making Hyper-V research more accessible to everyone. Our first blog post, “First Steps in Hyper-V Research”, describes the tools and setup for debugging the hypervisor and examines the interesting attack surfaces of the virtualization stack components. --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/09/11/attacking-the-vm-worker-proc… ∗∗∗ From BinDiff to Zero-Day: A Proof of Concept Exploiting CVE-2019-1208 in Internet Explorer ∗∗∗ --------------------------------------------- Last June, I disclosed a use-after-free (UAF) vulnerability in Internet Explorer (IE) to Microsoft. It was rated as critical, designated as CVE-2019-1208, and then addressed in Microsoft’s September Patch Tuesday. I discovered this flaw through BinDiff (a binary code analysis tool) and wrote a proof of concept (PoC) showing how it can be fully and consistently exploited in Windows 10 RS5.A more in-depth analysis of this vulnerability is in this technical brief. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/NkmJvxTNnHM/ ∗∗∗ Phishing & Co: Betrüger nutzen Start der PSD2-Richtlinie aus ∗∗∗ --------------------------------------------- Die neue Zahlungsdienste-Richtlinie der EU steht vor der Umsetzung. Das sorgt für Verwirrung, die Betrüger schamlos ausnutzen. --------------------------------------------- https://heise.de/-4522179 ∗∗∗ Five years later, Heartbleed vulnerability still unpatched ∗∗∗ --------------------------------------------- The Heartbleed vulnerability was discovered and fixed in 2014, yet today—five years later—there are still unpatched systems. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2019/09/everything-you-need… ∗∗∗ Sind meine persönlichen Daten im Internet bekannt? ∗∗∗ --------------------------------------------- Wenn es Kriminellen gelingt, in Datenbanken von Unternehmen zu gelangen, können sie KundInnendaten stehlen. Mit den erbeuteten Informationen ist es ihnen möglich, dass sie Verbrechen unter fremden Namen begehen. KonsumentInnen sollten deshalb regelmäßig überprüfen, ob sie von einem Datendiebstahl betroffen sind, um geeignete Gegenmaßnahmen ergreifen zu können. --------------------------------------------- https://www.watchlist-internet.at/news/sind-meine-persoenlichen-daten-im-in… ∗∗∗ Warnung vor Ron Inkasso-Mahnungen ∗∗∗ --------------------------------------------- KonsumentInnen erhalten eine Mahnung, die angeblich von der Ron Adams Ltd stammt. Darin heißt es, dass sie sich auf grindplay.com registriert haben. Sie sollen dem Anbieter für ein Premium–Jahresabo 395,88 Euro zuzüglich Mahnspesen und Verzugszinsen gesamt 516,24 Euro bezahlen. KonsumentInnen müssen den Betrag nicht an ron-inkasso.eu bezahlen, denn das Schreiben ist betrügerisch. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-ron-inkasso-mahnungen/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim, firefox, and webkit2gtk), Debian (libonig and opensc), Fedora (cobbler), Oracle (firefox and kernel), Red Hat (flash-plugin, kernel, kernel-rt, rh-maven35-jackson-databind, rh-nginx110-nginx, and rh-nginx112-nginx), Scientific Linux (kernel), Slackware (curl, mozilla, and openssl), SUSE (ceph, libvirt, and python-Werkzeug), and Ubuntu (vlc and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/799052/ ∗∗∗ Cisco Enterprise Network Functions Virtualization Infrastructure Software File Enumeration Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Linux Kernel vulnerabilities affect IBM Spectrum Protect Plus CVE-2019-10140, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-13233, CVE-2019-13272, CVE-2019-14283, CVE-2019-14284, CVE-2019-15090, CVE-2019-15807, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-vulnerab… ∗∗∗ IBM Security Bulletin: SQL Injection Vulnerability Affects IBM Sterling File Gateway (CVE-2019-4147) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-sql-injection-vulnera… ∗∗∗ Stored and reflected XSS vulnerabilities in LimeSurvey (CVE-2019-16172, CVE-2019-16173) ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/stored-and-reflected-xss-vulnera… ∗∗∗ Wireshark: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0813 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2019
by Daily end-of-shift report 11 Sep '19

11 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-09-2019 18:00 − Mittwoch 11-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ OpenDMARC: Aktiv ausgenutzte DMARC-Sicherheitslücke ohne Fix ∗∗∗ --------------------------------------------- Mitarbeiter von Protonmail haben in OpenDMARC eine Sicherheitslücke entdeckt, mit der sich die Signaturprüfung austricksen lässt. Angreifer haben die Lücke bereits für Phishingangriffe gegen Journalisten genutzt. OpenDMARC wird offenbar nicht weiterentwickelt und es gibt kein Update. --------------------------------------------- https://www.golem.de/news/opendmarc-aktiv-ausgenutzte-dmarc-sicherheitsluec… ∗∗∗ Office 365: prone to security breaches? ∗∗∗ --------------------------------------------- Author: Willem Zeeman "Office 365 again?". At the Forensics and Incident Response department of Fox-IT, this is heard often. Office 365 breach investigations are common at our department. You'll find that this blog post actually doesn't make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Office [...] --------------------------------------------- https://blog.fox-it.com/2019/09/11/office-365-prone-to-security-breaches/ ∗∗∗ NetCAT ∗∗∗ --------------------------------------------- NetCAT shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. --------------------------------------------- https://www.vusec.net/projects/netcat/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Angreifer attackieren Windows und machen sich zum Admin ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für Office, Windows & Co. veröffentlicht. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-4519699 ∗∗∗ Patchday: SAP behebt unter anderem kritische Lücke in NetWeaver ∗∗∗ --------------------------------------------- Am September-Patchday hat SAP zahlreiche Lücken geschlossen und überdies einige ältere Security Advisories aktualisiert. --------------------------------------------- https://heise.de/-4519758 ∗∗∗ Delta Electronics TPEditor ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow, heap-based buffer overflow, and out-of-bounds write vulnerabilities in Delta Electronics TPEditor, a programming software for Delta text panels. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-253-01 ∗∗∗ OSIsoft PI SQL Client ∗∗∗ --------------------------------------------- This advisory contains mitigations for an integer overflow or wraparound vulnerability in OSIsofts PI SQL Client component interface. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-253-06 ∗∗∗ Intel Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 10, 2019Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit one of these vulnerabilities to gain an escalation of privileges on a previously infected machine. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/10/intel-releases-sec… ∗∗∗ OpenSSL Security Advisory [10 September 2019] ∗∗∗ --------------------------------------------- ECDSA remote timing attack (CVE-2019-1547) Fork Protection (CVE-2019-1549) Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) --------------------------------------------- https://openssl.org/news/secadv/20190910.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python38), openSUSE (nginx, nodejs10, nodejs8, python-Twisted, python-Werkzeug, SDL2_image, SDL_image, and util-linux and shadow), Oracle (firefox and nghttp2), Red Hat (.NET Core, firefox, kernel, libwmf, pki-deps:10.6, and poppler), Scientific Linux (firefox), SUSE (ghostscript, libgcrypt, podman, python-SQLAlchemy, qemu, and webkit2gtk3), and Ubuntu (curl, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, systemd, and tomcat8). --------------------------------------------- https://lwn.net/Articles/798966/ ∗∗∗ Citrix SD-WAN Security Update ∗∗∗ --------------------------------------------- CTX256918 NewApplicable Products : Citrix SD-WANMultiple denial of service vulnerabilities have been identified in the Citrix SD-WAN Appliance and Citrix SD-WAN Center Management Console. --------------------------------------------- https://support.citrix.com/article/CTX256918 ∗∗∗ IBM Security Bulletin: Spectrum Protect Operations Center vulnerable to Logjam (CVE-2015-4000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-spectrum-protect-oper… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.09.2019
by Daily end-of-shift report 10 Sep '19

10 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 09-09-2019 18:00 − Dienstag 10-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ How to Audit & Cleanup WordPress Plugins & Themes ∗∗∗ --------------------------------------------- In an interview with Smashing Magazine our CoFounder (now Head of Security Products at GoDaddy) Tony Perez was asked the following question. What Makes WordPress Vulnerable? "Here's the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS' popularity, with the end user thrown into the mix, make for a vulnerable website." --------------------------------------------- https://blog.sucuri.net/2019/09/wordpress-plugin-audit.html ∗∗∗ IoT Attack Opportunities Seen in the Cybercrime Underground ∗∗∗ --------------------------------------------- We looked into IoT-related discussions from several cybercrime underground communities. We found discussions ranging from tutorials to actual monetization schemes for IoT-related attacks. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/i588EjgxMnI/ ∗∗∗ When corporate communications look like a phish ∗∗∗ --------------------------------------------- Before organizations engage in gnashing of teeth over the "ignorant user" and the cost of training, think about how much email users encounter and whether corporate communications look like phishes themselves. --------------------------------------------- https://blog.malwarebytes.com/business-2/2019/09/when-corporate-communicati… ∗∗∗ Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study ∗∗∗ --------------------------------------------- Executive Summary Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. One of the dominant categories of evasion is anti-sandbox detection, simply because today’s sandboxes are becoming the fastest and easiest way to have an overview of the threat. --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-ma… ∗∗∗ Achung Phishing: betrügerische Raiffeisen E-Mails im Umlauf ∗∗∗ --------------------------------------------- Kriminelle behaupten Ihre Kreditkarte wäre gesperrt: Mit der neuen EU-Richtlinie als Vorwand, erhalten momentan zahlreiche Bank-Kundinnen und Kunden Phishing-Mails. Laut den E-Mails schreibt die Richtlinie angeblich die Bestätigung Ihrer persönlichen Daten vor. Der angeführte Link führt Sie jedoch auf eine gefälschte Login-Seite. Kriminelle erspähen Ihre Daten. --------------------------------------------- https://www.watchlist-internet.at/news/achung-phishing-betruegerische-raiff… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Application Manager (APSB19-45) and Adobe Flash Player (APSB19-46). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided "AS IS" with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1785 ∗∗∗ Multiple Vulnerabilities in Comba and D-Link Routers ∗∗∗ --------------------------------------------- There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-vu… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker.io, icedtea-web, and trafficserver), openSUSE (opera), Red Hat (bind, firefox, go-toolset:rhel8, kernel, nghttp2, and polkit), SUSE (buildah, curl, java-1_7_1-ibm, and skopeo), and Ubuntu (freetype, memcached, python2.7, python3.4, and python2.7, python3.5, python3.6, python3.7). --------------------------------------------- https://lwn.net/Articles/798883/ ∗∗∗ MISP 2.4.115 released (aka CVE-2019-16202 and sync speed improvement) ∗∗∗ --------------------------------------------- A new version of MISP (2.4.115) with a major security fix (CVE-2019-16202) and various small improvements has been released. We strongly recommend all MISP users update to this version. --------------------------------------------- https://www.misp-project.org/2019/09/10/MISP.2.4.115.released.html ∗∗∗ SSA-187667 (Last Update: 2019-09-10): DejaBlue Vulnerabilities - Siemens Healthineers Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-187667.pdf ∗∗∗ SSA-189842 (Last Update: 2019-09-10): TCP URGENT/11 Vulnerabilities in RUGGEDCOM Win ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf ∗∗∗ SSA-191683 (Last Update: 2019-09-10): Cross-Site Scripting Vulnerability in IE/WSN-PA Link WirelessHART Gateway ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-191683.pdf ∗∗∗ SSA-250618 (Last Update: 2019-09-10): Denial-of-Service Vulnerability in SIMATIC TDC CP51M1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-250618.pdf ∗∗∗ SSA-462066 (Last Update: 2019-09-10): Vulnerability known as TCP SACK PANIC in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf ∗∗∗ SSA-834884 (Last Update: 2019-09-10): Vulnerability in SINETPLAN ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf ∗∗∗ SSA-884497 (Last Update: 2019-09-10): Multiple Vulnerabilities in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf ∗∗∗ GnuPG vulnerability CVE-2019-13050 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08654551 ∗∗∗ Wireshark vulnerability CVE-2019-12295 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06725231 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2019
by Daily end-of-shift report 09 Sep '19

09 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-09-2019 18:00 − Montag 09-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 7 most common application backdoors ∗∗∗ --------------------------------------------- The popular adage "we often get in quicker by the back door than the front" has withstood the test of time even in our advanced, modern world. Application backdoors have become rampant in today's business environment, making it mandatory for us to take the same level of precaution we'd do to safeguard the backdoor [...] --------------------------------------------- https://resources.infosecinstitute.com/7-most-common-application-backdoors/ ∗∗∗ 'Purple Fox' Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell ∗∗∗ --------------------------------------------- This new iteration of Purple Fox that we came across, also being delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component by abusing publicly available code. It now also eschews its use of NSIS in favor of abusing PowerShell, making Purple Fox capable of fileless infection. It also incorporated additional exploits to its infection chain, most likely as a foolproof mechanism to ensure that it can still infect the system. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rRfjdvF4DOI/ ∗∗∗ Open Sourcing StringSifter ∗∗∗ --------------------------------------------- Malware analysts routinely use the Strings program during static analysis in order to inspect a binarys printable characters. However, identifying relevant strings by hand is time consuming and prone to human error. Larger binaries produce upwards of thousands of strings that can quickly evoke analyst fatigue, relevant strings occur less often than irrelevant ones, and the definition of "relevant" can vary significantly among analysts. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/09/open-sourcing-stringsif… ∗∗∗ BlueKeep Exploit Added to Metasploit ∗∗∗ --------------------------------------------- An initial public exploit targeting the recently addressed BlueKeep vulnerability in Microsoft Windows has been added to Rapid7's Metasploit framework. --------------------------------------------- https://www.securityweek.com/bluekeep-exploit-added-metasploit ∗∗∗ Kriminelle nützen Promis und Medien für Bitcoin-Betrug ∗∗∗ --------------------------------------------- Die Schadensummen reichen von etwa 200 Euro bis weit über 100.000 Euro: KonsumentInnen werden durch erfundene News-Artikel auf gefälschten Nachrichten-Websites zu Investments bei unseriösen Plattformen wie "Bitcoin Code", "Bitcoin Profit" oder "The News Spy" bewegt. Bekannte Persönlichkeiten wie Christoph Waltz oder Bill Gates und einflussreiche Medien wie orf.at oder Der Spiegel werden dabei von Kriminellen missbraucht, um Opfer [...] --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-nuetzen-promis-und-medien… ∗∗∗ Sicherheitsforscher warnen vor GPS-Uhren für Kinder: Sofort wegwerfen ∗∗∗ --------------------------------------------- Smartwatches für Kids mit horrender Sicherheit - Angreifer können mit Leichtigkeit, Heranwachsende und Eltern ausspionieren --------------------------------------------- https://www.derstandard.at/story/2000108423850/sicherheitsforscher-warnen-v… ∗∗∗ Telnet backdoor vulnerabilities impact over a million IoT radio devices ∗∗∗ --------------------------------------------- Devices can be remotely exploited as root without any need for user interaction. --------------------------------------------- https://www.zdnet.com/article/critical-vulnerabilities-impact-over-a-millio… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Denial-of-service vulnerabilities in some NETGEAR routers ∗∗∗ --------------------------------------------- The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely. --------------------------------------------- https://blog.talosintelligence.com/2019/09/vuln-spotlight-Netgear-N300-rout… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, ghostscript, libreoffice, and memcached), Fedora (chromium, grafana, kea, nsd, pdfbox, roundcubemail, and SDL), Gentoo (apache, dbus, exim, libsdl2, pango, perl, vlc, and webkit-gtk), Mageia (dovecot, giflib, golang, icedtea-web, irssi, java-1.8.0-openjdk, libgcrypt, libmspack, mercurial, monit, php, poppler, python-urllib3, rdesktop, SDL12, sdl2, sigil, sqlite3, subversion, tomcat, and zstd), openSUSE (chromium, exim, go1.12, httpie, [...] --------------------------------------------- https://lwn.net/Articles/798826/ ∗∗∗ LibreOffice: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/09/warn… ∗∗∗ Instagram - Open Redirect Vulnerability ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019090061 ∗∗∗ Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9872 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer, Watson Content Analytics and Watson Explorer Content Analytics Studio (CVE-2018-1890, CVE-2019-2426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2019
by Daily end-of-shift report 06 Sep '19

06 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-09-2019 18:00 − Freitag 06-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ GootKit Malware Bypasses Windows Defender by Setting Path Exclusions ∗∗∗ --------------------------------------------- As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-win… ∗∗∗ [SANS ISC] PowerShell Script with a builtin DLL ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “PowerShell Script with a builtin DLL“: Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution [...] --------------------------------------------- https://blog.rootshell.be/2019/09/06/sans-isc-powershell-script-with-a-buil… ∗∗∗ Thousands of servers infected with new Lilocked (Lilu) ransomware ∗∗∗ --------------------------------------------- Researchers spot new ransomware targeting Linux-based servers. --------------------------------------------- https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilock… ===================== = Vulnerabilities = ===================== ∗∗∗ Buffer Overflow: Exim-Sicherheitslücke beim Verarbeiten von TLS-Namen ∗∗∗ --------------------------------------------- Im Mailserver Exim wurde eine Sicherheitslücke gefunden, die Angreifern das Ausführen von Code ermöglicht. Ein Update steht bereit. --------------------------------------------- https://www.golem.de/news/buffer-overflow-exim-sicherheitsluecke-beim-verar… ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for a session fixation vulnerability reported in BD’s Pyxis medication management platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-248-01 ∗∗∗ Red Lion Controls Crimson ∗∗∗ --------------------------------------------- This advisory includes mitigations for use after free, improper restriction of operations within the bounds of a memory buffer, pointer issues, and use of hard-coded cryptographic key vulnerabilities in the Red Lion Controls Crimson software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-248-01 ∗∗∗ MS-ISAC Releases Advisory on PHP Vulnerabilities ∗∗∗ --------------------------------------------- Original release date: September 5, 2019The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/05/ms-isac-releases-a… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow). --------------------------------------------- https://lwn.net/Articles/798600/ ∗∗∗ Nagios Enterprises Nagios XI: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0790 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2019
by Daily end-of-shift report 05 Sep '19

05 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-09-2019 18:00 − Donnerstag 05-09-2019 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Android Zero-Day Bug Does Not Make It on Google's Fix List ∗∗∗ --------------------------------------------- Google yesterday rolled out security patches for the Android mobile operating system but did not include the fix for at least one bug that enables increasing permissions to kernel level. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-zero-day-bug-does-no… ∗∗∗ WordPress 5.2.3 Released with Security and Bug Fixes ∗∗∗ --------------------------------------------- WordPress 5.2.3 has been released and includes fixes for six vulnerabilities and 29 bugs or enhancements. As WordPress is a common target for threat actors looking to host their malicious campaigns, it is important that all WordPress users upgrade to the latest release as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-523-released-with-… ∗∗∗ Unifying: Sicherheitsupdate für Logitech-Tastaturen umgangen ∗∗∗ --------------------------------------------- Mit einem einfachen Trick kann ein Sicherheitsupdate von Logitech umgangen werden. Damit lassen sich weiterhin Eingaben von kabellosen Tastaturen abgreifen - oder Schadcode eintippen. Dabei hatte Logitech nicht einmal alle Sicherheitslücken behoben. --------------------------------------------- https://www.golem.de/news/unifying-sicherheitsupdate-fuer-logitech-tastatur… ∗∗∗ Das Smart‑Ding‑Dilemma ∗∗∗ --------------------------------------------- Vom 6.-11. September 2019 öffnet die Internationale Funkausstellung (IFA) in Berlin wieder ihre Pforten. Auch diesjährig wird das Thema "Vollvernetzung" die Messehallen beherrschen. Doch wie steht es nun, ein Jahr weiter, um die Sicherheit? --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/09/05/das-smart-ding-dilemma/ ∗∗∗ henrikson-research.de: Umfrage führt zu Geldwäsche in Ihrem Namen! ∗∗∗ --------------------------------------------- Auf diversen Job-Portalen stoßen Sie momentan auf Ausschreibungen einer HENRIKSON Research GmbH. Schon bei der Registrierung verlangt man Ihre Ausweiskopie sowie Selfies mit Pass oder Personalausweis. Melden Sie sich hier nicht an! Kriminelle stehlen Ihre Daten und tarnen die Eröffnung eines Bankkontos in Ihrem Namen als bezahlte Umfrage. --------------------------------------------- https://www.watchlist-internet.at/news/henrikson-researchde-umfrage-fuehrt-… ∗∗∗ Betrügerische Angebote für Cineplexx-Gutscheine locken in die Abo-Falle ∗∗∗ --------------------------------------------- Mit Facebook-Anzeigen und über Facebook-Messenger werben Kriminelle für ein Gewinnspiel. Angeblich können Cineplexx-Geschenkgutscheine gewonnen werden. Das Gewinnspiel gibt es nicht. Die Kriminellen locken in eine Abofalle und sind auf Kreditkartendaten aus! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-angebote-fuer-cineple… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Cisco sichert macOS- und Windows-Software ab – und noch mehr ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Cisco-Produkte. Angreifer könnten Schadcode auf Systemen ausführen. --------------------------------------------- https://heise.de/-4514009 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (systemd), openSUSE (go1.11, python-Twisted, SDL2_image, SDL_image, and wavpack), Oracle (kdelibs and kde-settings, kernel, and qemu-kvm), Red Hat (chromium-browser and firefox), Slackware (seamonkey), SUSE (java-1_8_0-ibm, kernel, and python-urllib3), and Ubuntu (firefox and npm/fstream). --------------------------------------------- https://lwn.net/Articles/798487/ ∗∗∗ Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-cisc… ∗∗∗ Various 3rd Party Vulnerabilities - PSA-2019-09-04 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2019-09-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2019
by Daily end-of-shift report 04 Sep '19

04 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-09-2019 18:00 − Mittwoch 04-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacked SharePoint Sites Used to Bypass Secure Email Gateways ∗∗∗ --------------------------------------------- Phishers behind a new campaign have switched to using compromised SharePoint sites and OneNote documents to redirect potential victims from the banking sector to their landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-sharepoint-sites-used… ∗∗∗ Half of Android Handsets Susceptible to Clever SMS Phishing Attack ∗∗∗ --------------------------------------------- Researchers say an attacker could send a rogue over-the-air provisioning message to susceptible phones and route all internet traffic through a hacker-controlled proxy. --------------------------------------------- https://threatpost.com/half-of-android-handsets-susceptible-to-clever-sms-p… ∗∗∗ BRATA Android RAT Steals Banking Info in Real Time ∗∗∗ --------------------------------------------- The RAT targets users via fake WhatsApp updates in Google Play. --------------------------------------------- https://threatpost.com/brata-android-rat-steals-banking-info/148003/ ∗∗∗ ENISA: Secure Group Communications for incident response and operational communities ∗∗∗ --------------------------------------------- This document serves as a starting point for incident response communities to conduct their own evaluation and see how the various communication tools can fit their sizes and needs. --------------------------------------------- https://www.enisa.europa.eu/publications/secure-group-communications ∗∗∗ Spam In your Calendar? Here’s What to Do. ∗∗∗ --------------------------------------------- Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Heres a brief primer on what you can do about it. --------------------------------------------- https://krebsonsecurity.com/2019/09/spam-in-your-calendar-heres-what-to-do/ ===================== = Vulnerabilities = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 4, 2019 The Samba Team has released security updates to address a vulnerability in all versions of Samba from 4.9.0 onward. An attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/04/samba-releases-sec… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t. These releases will be made available on 10th September 2019 between approximately 1200-1600 UTC. These are security fix releases. The highest severity security issue fixed by these releases is rated as LOW. --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2019-September/000156.ht… ∗∗∗ Android Security Bulletin - September 2019 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2019-09-01.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (grafana, irssi, and jenkins), Debian (freetype, samba, and varnish), Fedora (community-mysql, kernel, kernel-headers, kernel-tools, and python-mitogen), openSUSE (postgresql10 and python-SQLAlchemy), Oracle (kdelibs and kde-settings and squid:4), Red Hat (kdelibs and kde-settings, kernel, kernel-rt, openstack-nova, qemu-kvm, and redis), Scientific Linux (kdelibs and kde-settings, kernel, and qemu-kvm), SUSE (ansible, java-1_7_1-ibm, libosinfo, [...] --------------------------------------------- https://lwn.net/Articles/798357/ ∗∗∗ Security Advisory - Version Downgrade Vulnerabilities on Smartphones and HiSuite ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190904-… ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4149) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.09.2019
by Daily end-of-shift report 03 Sep '19

03 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 02-09-2019 18:00 − Dienstag 03-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Nemty Ransomware Gets Distribution from RIG Exploit Kit ∗∗∗ --------------------------------------------- The operators of Nemty ransomware appear to have struck a distribution deal to target systems with outdated technology that can still be infected by exploit kits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distri… ∗∗∗ Fake BleachBit Website Built to Distribute AZORult Info Stealer ∗∗∗ --------------------------------------------- Cybercriminals are taking advantage of the popularity of the BleachBit disk cleaning tool to spread Azorult information stealer. For this purpose, they created a static web page that purports to be the official website for the utility. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-bleachbit-website-built… ∗∗∗ Credential Management and Enforcement for ICS/SCADA environments ∗∗∗ --------------------------------------------- In the world of Operational Technology (OT), Industrial Control Systems (ICS) comprise the majority of the segment. Where ICS assets are dispersed and require centralized data acquisition and control, Supervisory Control and Data Acquisition (SCADA) systems are used. --------------------------------------------- https://resources.infosecinstitute.com/credential-management-and-enforcemen… ∗∗∗ Ratgeber vom Hersteller: So erkennt man gehackte Cisco-Geräte ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat vier Guides für verschiedene Software veröffentlicht, die helfen sollen, Hinweise auf mögliche Kompromittierungen zu finden. --------------------------------------------- https://heise.de/-4512704 ∗∗∗ Meet Domen, a New and Sophisticated Social Engineering Toolkit ∗∗∗ --------------------------------------------- A new social engineering toolkit has been discovered. The operational premise has been used many times, but the execution of that premise is new and described by security researchers "a beautiful piece of work". --------------------------------------------- https://www.securityweek.com/meet-domen-new-and-sophisticated-social-engine… https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2019… ∗∗∗ Diese Kleinanzeigen-Betrugsmasche sollten Sie kennen ∗∗∗ --------------------------------------------- BetrügerInnen versuchen auf Online-Marktplätzen wie willhaben, shpock und Co, ohne Bezahlung an Ihre Ware zu kommen. Sie geben sich als vermeintliche Zahlungsdienstleister und Zwischenvermittler aus und senden Ihnen eine gefälschte Zahlungsbestätigung. Das Geld wird angeblich erst für Sie freigegeben, wenn Sie den zu viel überwiesenen Betrag für das Speditionsunternehmen oder eine Versandbestätigung des Paketes übermitteln. --------------------------------------------- https://www.watchlist-internet.at/news/diese-kleinanzeigen-betrugsmasche-so… ===================== = Vulnerabilities = ===================== ∗∗∗ 'USBAnywhere' Bugs Open Supermicro Servers to Remote Attackers ∗∗∗ --------------------------------------------- Trivial-to-exploit authentication flaws can give an unsophisticated remote attacker omnipotent control over a server and its contents. --------------------------------------------- https://threatpost.com/usbanywhere-bugs-supermicro-remote-attack/147899/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Fedora (ansible and wavpack), openSUSE (apache-commons-beanutils, apache2, go1.12, httpie, libreoffice, qemu, and slurm), Oracle (ghostscript), Scientific Linux (ghostscript), SUSE (ardana-ansible, ardana-barbican, ardana-cinder, ardana-cluster, ardana-cobbler, ardana-db, ardana-designate, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-horizon, ardana-input-model, ardana-installer-ui, ardana-ironic, ardana-keystone, ardana-logging, [...] --------------------------------------------- https://lwn.net/Articles/798225/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2019
by Daily end-of-shift report 02 Sep '19

02 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-08-2019 18:00 − Montag 02-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sodinokibi Ransomware Spreads via Fake Forums on Hacked Sites ∗∗∗ --------------------------------------------- A distributor for the Sodinokibi Ransomware is hacking into WordPress sites and injecting JavaScript that displays a fake Q & A forum post over the content of the original site. This fake post contains an "answer" from the sites "admin" that contains a link to the ransomware installer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spread… ∗∗∗ Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps ∗∗∗ --------------------------------------------- Walled-garden Android platform security easily copied Facebook has insisted that losing control of the private key used to sign its Facebook Basics app is no biggie despite totally unrelated apps from other vendors, signed with the same key, popping up in unofficial repositories. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2019/09/02/facebook_ba… ∗∗∗ Analyse: Was bedeutet der iPhone-Massen-Hack? ∗∗∗ --------------------------------------------- Tausende iPhones wurden beim Besuch scheinbar harmloser Web-Sites gehackt. Wer steckt dahinter und wie schütze ich mich? --------------------------------------------- https://heise.de/-4511921 ∗∗∗ TrickBot Tricks U.S. Users into Sharing their PIN Codes ∗∗∗ --------------------------------------------- The threat actor behind the infamous TrickBot botnet has added new functionality to their malware to request PIN codes from mobile users, Secureworks reports. --------------------------------------------- https://www.securityweek.com/trickbot-tricks-us-users-sharing-their-pin-cod… ∗∗∗ WordPress sites under attack as hacker group tries to create rogue admin accounts ∗∗∗ --------------------------------------------- Hackers exploit vulnerabilities in more than ten WordPress plugins to plant backdoor accounts on unpatched sites. --------------------------------------------- https://www.zdnet.com/article/wordpress-sites-under-attack-as-hacker-group-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gosa, libav, libextractor, nghttp2, pump, and python2.7), Fedora (dovecot, mod_http2, and pango), Gentoo (dovecot, gnome-desktop, libofx, and nautilus), Mageia (ansible, ghostscript, graphicsmagick, memcached, mpg123, pango, vlc, wavpack, webmin, wireshark, and wpa_supplicant, hostapd), openSUSE (flatpak, libmirage, podman, slirp4netns and libcontainers-common, python-SQLAlchemy, and qemu), Red Hat (ghostscript, java-1.8.0-ibm, and squid:4), and SUSE [...] --------------------------------------------- https://lwn.net/Articles/798143/ ∗∗∗ Panasonic Video Insight VMS vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN93833849/ ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Local File inclusion ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47340 ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47339 ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47338 ∗∗∗ IBM Security Bulletin: Password vulnerability in IBM® Intelligent Operations Center (CVE-2019-4321) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2019
by Daily end-of-shift report 30 Aug '19

30 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-08-2019 18:00 − Freitag 30-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows 7: Update-Blockade für Symantec-Nutzer aufgehoben ∗∗∗ --------------------------------------------- Microsoft hat Windows-Updates wieder für Nutzer von Symantec Endpoint Protection freigegeben. --------------------------------------------- https://heise.de/-4509981 ∗∗∗ CERT-Bund warnt vor offenen Smarthome-Systemen ∗∗∗ --------------------------------------------- Fast 3000 Homematic-Systeme sind offenbar aus dem Internet erreichbar -- die meisten davon lassen sich beliebig fernsteuern. --------------------------------------------- https://heise.de/-4509977 ∗∗∗ It Saved Our Community: 16 Realistic Ransomware Defenses for Cities ∗∗∗ --------------------------------------------- Practical steps municipal governments can take to better prevent and respond to ransomware infections. --------------------------------------------- https://www.darkreading.com/edge/theedge/it-saved-our-community-16-realisti… ∗∗∗ A very deep dive into iOS Exploit chains found in the wild ∗∗∗ --------------------------------------------- Posted by Ian Beer, Project ZeroProject Zero’s mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere. Earlier this year Googles Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-ex… ∗∗∗ Scalable infrastructure for investigations and incident response ∗∗∗ --------------------------------------------- Traditional computer forensics and cyber investigations are as relevant in the cloud as they are in on-premise environments, but the methods in which to access and perform such investigations differ. This post will describe some of the challenges of bringing on-premises forensics techniques to the cloud and show one solution to overcome these challenges, using [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/08/30/scalable-infrastructure-for-… ∗∗∗ [SANS ISC] Malware Dropping a Local Node.js Instance ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Malware Dropping a Local Node.js Instance“: Yesterday, I wrote a diary about misused Microsoft tools[1]. I just found another interesting piece of code. This time the malware is using Node.js[2]. --------------------------------------------- https://blog.rootshell.be/2019/08/30/sans-isc-malware-dropping-a-local-node… ∗∗∗ Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware ∗∗∗ --------------------------------------------- Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab and answering some of those questions by exploring malware debug information. We find that malware developers give descriptive names to their folders and code projects, often describing the capabilities of the malware in development. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Change Healthcare McKesson and Horizon Cardiology ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect default permissions vulnerability in Change Healthcares cardiology devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-01 ∗∗∗ Philips HDI 4000 Ultrasound ∗∗∗ --------------------------------------------- This advisory contains mitigations for a use of obsolete function vulnerability in Philips HDI 4000 Ultrasound Systems diagnostic tool. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-02 ∗∗∗ Cisco Firepower 4100 and 9300 Security Appliance Local Management Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the process for creating default IP blocks during device initialization for Cisco Firepower 4100 Series and Firepower 9300 Security Appliances running Cisco FXOS Software could allow an unauthenticated, remote attacker to send traffic to the local IP address of the device, bypassing any filters that are configured to deny local IP management traffic. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, gettext, go, go-pie, libnghttp2, and pigeonhole), Debian (djvulibre, dovecot, and subversion), Fedora (sleuthkit and wireshark), openSUSE (containerd, docker, docker-runc, and qbittorrent), Oracle (pango), SUSE (kernel, nodejs10, and python-SQLAlchemy), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/797938/ ∗∗∗ Linux kernel vulnerability CVE-2019-10639 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32804955 ∗∗∗ Avira Optimizer Local Privilege Escalation ∗∗∗ --------------------------------------------- https://posts.specterops.io/avira-optimizer-local-privilege-escalation-af10… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-za ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-z ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-websphere-cast-ir… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2019
by Daily end-of-shift report 29 Aug '19

29 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-08-2019 18:00 − Donnerstag 29-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Samples Compiling Their Next Stage on Premise, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly directly on the victim's computer. At a first point, it seems weird but, after all, its an interesting approach to bypass low-level detection mechanisms that look for PE files. --------------------------------------------- https://isc.sans.edu/diary/rss/25278 ∗∗∗ ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information ∗∗∗ --------------------------------------------- Despite having an apparent lull in the first half of 2019, phishing will remain a staple in a cybercriminal’s arsenal, and theyre not going to stop using it. The latest example is a phishing campaign dubbed Heatstroke, based on a variable found in their phishing kit code. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hQZwZfgZ7U/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Buffer Overflow in Dovecot-Mailserver ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Dovecot-Mailserver könnte es Angreifern erlauben, Code auszuführen. Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-buffer-overflow-in-dovecot-mail… ∗∗∗ Kritische Lücke mit Höchstwertung in Ciscos Betriebssystem ISO EX ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für verschiedene Betriebssystem-Versionen für Netzwerkgeräte von Cisco. --------------------------------------------- https://heise.de/-4509454 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and faad2), openSUSE (schismtracker), Red Hat (ceph and pango), Scientific Linux (pango), SUSE (apache-commons-beanutils, ceph, php7, and qemu), and Ubuntu (ceph, dovecot, and ghostscript). --------------------------------------------- https://lwn.net/Articles/797775/ ∗∗∗ Nextgen Gallery < 3.2.11 - SQL Injection ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9816 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-1543 in OpenSSL affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-master… ∗∗∗ External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/external-dns-requests-in-zyxel-u… ∗∗∗ Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/hardcoded-ftp-credentials-in-zyx… ∗∗∗ A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member webserver (HTTP Desync Attack) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50375550 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0004.html ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0768 ∗∗∗ Kubernetes: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0769 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2019
by Daily end-of-shift report 28 Aug '19

28 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-08-2019 18:00 − Mittwoch 28-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Dangerous Cryptomining Worm Racks Up 850K Infections, Self-Destructs ∗∗∗ --------------------------------------------- Law enforcement takedown causes Retadup malware to eat itself. --------------------------------------------- https://threatpost.com/cryptomining-worm-infections-self-destructs/147767/ ∗∗∗ [Guest Diary] Open Redirect: A Small But Very Common Vulnerability, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- This is a guest diary submitted by Jan Kopriva. Jan is working for Alef Nula (http://www.alef.com) and you can follow him on Twitter at @jk0pr --------------------------------------------- https://isc.sans.edu/diary/rss/25276 ∗∗∗ Extracting Certificates From the Windows Registry ∗∗∗ --------------------------------------------- I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. --------------------------------------------- https://blog.nviso.be/2019/08/28/extracting-certificates-from-the-windows-r… ∗∗∗ RAT Ratatouille: Backdooring PCs with leaked RATs ∗∗∗ --------------------------------------------- Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. --------------------------------------------- https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html ∗∗∗ Identitätsdiebstahl mit gefälschten Airbnb-Mails ∗∗∗ --------------------------------------------- Achtung: Kriminelle versenden erfundene Mails im Namen von Airbnb an zahlreiche Kundinnen und Kunden. Darin behaupten sie, dass das Konto gesperrt wurde und nun Kopien des Personalausweises, Selfies mit dem Ausweis neben dem Gesicht sowie eine handschriftliche Notiz zur Freischaltung notwendig wären. Die Nachricht muss ignoriert werden, andernfalls kommt es zu Identitätsmissbrauch! --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-mit-gefaelschte… ===================== = Vulnerabilities = ===================== ∗∗∗ Delta Controls enteliBUS Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigations for a buffer overflow vulnerability in Delta Controllers enteliBUS Controllers industrial control systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-01 ∗∗∗ Datalogic AV7000 Linear Barcode Scanner ∗∗∗ --------------------------------------------- This advisory contains mitigations for an authentication bypass using an alternate path vulnerability in Datalogics AV7000 Linear Barcode Scanners. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot), Fedora (docker and nghttp2), Oracle (pango), SUSE (apache2, fontforge, ghostscript-library, libreoffice, libvirt, podman, slirp4netns and libcontainers-common, postgresql10, and slurm), and Ubuntu (dovecot). --------------------------------------------- https://lwn.net/Articles/797579/ ∗∗∗ DLL Hijacking Flaw Patched in Check Point Endpoint Security ∗∗∗ --------------------------------------------- Researchers at SafeBreach discovered that Check Point’s Endpoint Security product is affected by a DLL hijacking vulnerability that can be exploited for privilege escalation and other purposes. read more --------------------------------------------- https://www.securityweek.com/dll-hijacking-flaw-patched-check-point-endpoin… ∗∗∗ CVE-2019-13609 - CRLF Vulnerability in Citrix License Server for Windows and VPX ∗∗∗ --------------------------------------------- A Carriage Return Line Feed (CRLF) injection vulnerability has been identified in Citrix License Server for Windows and VPX that could allow an unauthenticated attacker to bypass authentication and allow a malicious website to read or modify license server [...] --------------------------------------------- https://support.citrix.com/article/CTX257644 ∗∗∗ Realtek Managed Switch Controller RTL83xx Stack Overflow ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019080138 ∗∗∗ Security Advisory - Key Negotiation of Bluetooth (KNOB) Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190828-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a insecure Content-Security-Policy header vulnerability CVE-2019-4133 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2019
by Daily end-of-shift report 27 Aug '19

27 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 26-08-2019 18:00 − Dienstag 27-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ macOS: Zurückgelassene Helper-Tools als Sicherheitsproblem ∗∗∗ --------------------------------------------- "Privileged Helper Tools" können es Mac-Malware erlauben, Root-Rechte zu erlangen, warnt ein Entwickler. Nutzer sollten zum Schutz selbst aktiv werden. --------------------------------------------- https://heise.de/-4507656 ∗∗∗ Mobile Menace Monday: Android Trojan raises xHelper ∗∗∗ --------------------------------------------- Since its introduction in May 2019, the xHelper dropper, an Android Trojan, has climbed to our top 10 list of most detected mobile malware. --------------------------------------------- https://blog.malwarebytes.com/android/2019/08/mobile-menace-monday-android-… ∗∗∗ New 4CAN tool helps identify vulnerabilities in on-board car computers ∗∗∗ --------------------------------------------- Modern automobiles contain hundreds of sensors and mechanics that communicate via computers to understand their surrounding environment. Those components provide real-time information to drivers, connect the vehicle to a global network, and in some cases use that telemetry to automatically drive the vehicle. Like any computer, those in vehicles are susceptible to threats, such as vulnerabilities in software ... --------------------------------------------- https://blog.talosintelligence.com/2019/08/new-4can-tool-helps-identify.html ∗∗∗ Free Decryption Tool Released for Syrk Ransomware ∗∗∗ --------------------------------------------- Security researchers have released a decryption tool which victims of Syrk ransomware can use to recover their files for free. Emsisoft found that Syrk arrived with its own decryptor, but the security firm decided to release its own utility for three reasons. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/free-de… ∗∗∗ Lojack’d: Pwning Smart vehicle trackers ∗∗∗ --------------------------------------------- This research is by @evstykas with help from @Yekki_1 and @TheKenMunroShow. Many car insurers insist that smart trackers are fitted to high end vehicles. In the event of theft, the car can be tracked and recovered. Probably the most well-known is LoJack, also known as Tracker in Europe. --------------------------------------------- https://www.pentestpartners.com/security-blog/lojackd-pwning-smart-vehicle-… ∗∗∗ Aufgepasst: Es kursieren gefährliche Raiffeisen-Phishing-Mails ∗∗∗ --------------------------------------------- Aktuell sind wieder Phishing-Mails im Namen der Raiffeisen Bank unterwegs. Angeblich ist eine Nachricht für Sie eingegangen. Um diese zu lesen, werden Sie aufgefordert, einem Link zu folgen. Sie landen auf einem Nachbau der Raiffeisen-Login-Seite. Kriminelle versuchen so, an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/aufgepasst-es-kursieren-gefaehrliche… ===================== = Vulnerabilities = ===================== ∗∗∗ Betriebssystem: Apple patcht WatchOS und iOS ∗∗∗ --------------------------------------------- Nutzer von Apples mobilen Betriebssystemen haben gegebenenfalls eine Update-Benachrichtigung auf ihren Geräten. Apple hat sowohl für die Apple Watch als auch für iPhone, iPod Touch und iPad ein neues Betriebssystem freigegeben. Unter iOS wird dabei auch eine Sicherheitslücke geschlossen. --------------------------------------------- https://www.golem.de/news/betriebssystem-apple-patcht-watchos-und-ios-1908-… ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 76.0.3809.132 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/08/27/google-releases-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and xymon), openSUSE (putty and vlc), Red Hat (kernel and ruby), Scientific Linux (advancecomp, bind, binutils, blktrace, compat-libtiff3, curl, dhcp, elfutils, exempi, exiv2, fence-agents, freerdp and vinagre, ghostscript, glibc, gvfs, http-parser, httpd, kde-workspace, keepalived, kernel, keycloak-httpd-client-install, libarchive, libcgroup, libguestfs-winsupport, libjpeg-turbo, libmspack, libreoffice, libsolv, libssh2, libtiff, libvirt, ... --------------------------------------------- https://lwn.net/Articles/797442/ ∗∗∗ IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to a denial of service (CVE-2019-10072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-tomcat-as-used… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2019
by Daily end-of-shift report 26 Aug '19

26 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-08-2019 18:00 − Montag 26-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing-Mail: Keine 1.957,05 Euro Rückzahlung vom Finanzministerium! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische Phishing-Mails im Namen des Bundesministeriums für Finanzen (BMF), in denen sie Konsument/innen über eine angebliche Rückzahlung über 1957 Euro informieren. Empfänger/innen dürfen den Links in der Nachricht nicht folgen und keine Daten bekanntgeben. Sie landen in den Händen Krimineller und können für weitere Verbrechen missbraucht werden. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-keine-195705-euro-ruec… ∗∗∗ Lenovo Crapware: Vorinstallierte Systemsoftware macht Laptops angreifbar ∗∗∗ --------------------------------------------- Wer noch das Lenovo Solution Center auf seinem System hat, sollte es schnellstmöglich deinstallieren. --------------------------------------------- https://heise.de/-4505088 ∗∗∗ Jetzt patchen! Exploit-Code für Cisco-Switches in Umlauf ∗∗∗ --------------------------------------------- Es könnten Angriffe auf Switches von Cisco bevorstehen. Sicherheitsupdates gibt es bereits seit Anfang August. --------------------------------------------- https://heise.de/-4505182 ∗∗∗ Attackers are targeting vulnerable Fortigate and Pulse Secure SSL VPNs ∗∗∗ --------------------------------------------- Attackers are taking advantage of recently released vulnerability details and PoC exploit code to extract private keys and user passwords from vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations. About the vulnerabilities Attackers have been scanning for and targeting two vulnerabilities: CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal. --------------------------------------------- https://www.helpnetsecurity.com/2019/08/26/vulnerable-fortigate-pulse-secur… ∗∗∗ Malicious WordPress Redirect Campaign Attacking Several Plugins ∗∗∗ --------------------------------------------- Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations. --------------------------------------------- https://www.wordfence.com/blog/2019/08/malicious-wordpress-redirect-campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, libreoffice-still, nginx, nginx-mainline, and subversion), Debian (commons-beanutils, h2o, libapache2-mod-auth-openidc, libmspack, qemu, squid, and tiff), Fedora (kubernetes, libmodbus, nfdump, and nodejs), openSUSE (dkgpg, libTMCG, go1.12, neovim, python, qbittorrent, schismtracker, teeworlds, thunderbird, and zstd), and SUSE (go1.11, go1.12, python-SQLAlchemy, and python-Twisted). --------------------------------------------- https://lwn.net/Articles/797286/ ∗∗∗ IBM Security Bulletin: IBM Db2 Mirror for i is affected by CVE-2019-4536 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-mirror-for-i-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a forbidden resouce redirect for bad API path CVE-2019-4132 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2019
by Daily end-of-shift report 23 Aug '19

23 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-08-2019 18:00 − Freitag 23-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Many Possibilities of CVE-2019-8646 ∗∗∗ --------------------------------------------- CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use this bug. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/the-many-possibilities-of-cv… ∗∗∗ Instagram phishing uses 2FA as a lure ∗∗∗ --------------------------------------------- If the phishing page looks OK, and it has an HTTPS padlock, how are you supposed to spot phishes these days? --------------------------------------------- https://nakedsecurity.sophos.com/2019/08/23/instagram-phishing-uses-2fa-as-… ∗∗∗ Simple Mimikatz & RDPWrapper Dropper, (Thu, Aug 22nd) ∗∗∗ --------------------------------------------- Let's review a malware sample that I spotted a few days ago. I found it interesting because it's not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started to hunt for more Powershell based on encoded directives. The following regular expression matched on the file: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25262 ∗∗∗ Sommerferien vorbei – Emotet ist zurück ∗∗∗ --------------------------------------------- Seit Freitag früh sind die Server der wohl gefährlichsten Cybercrime-Bande wieder aktiv. --------------------------------------------- https://heise.de/-4503467 ∗∗∗ Hackers Target Vulnerabilities in Fortinet, Pulse Secure Products ∗∗∗ --------------------------------------------- Recently disclosed vulnerabilities affecting enterprise virtual private network (VPN) products from Fortinet and Pulse Secure have been exploited in the wild, a researcher reported on Thursday. --------------------------------------------- https://www.securityweek.com/hackers-target-vulnerabilities-fortinet-pulse-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, nginx, and openjdk-7), Fedora (httpd, mod_md, nghttp2, and patch), and SUSE (rubygem-loofah). --------------------------------------------- https://lwn.net/Articles/797049/ ∗∗∗ PrivEsc in Lenovo Solution Centre, 10 minutes later ∗∗∗ --------------------------------------------- CVE-2019-6177 – Lenovo Solution Centre Privilege Escalation. Slow, but sure. TL;DR We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices. Lenovo say LSC has been shipped since 2011, but haven’t been clear about when they stopped shipping it by default with new devices. --------------------------------------------- https://www.pentestpartners.com/security-blog/privesc-in-lenovo-solution-ce… ∗∗∗ IBM Security Bulletin: Remote Execution Vulnerability Affects Red Hat Linux Used By IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter (CVE-2019-12735) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-remote-execution-vuln… ∗∗∗ Spectre SWAPGS gadget vulnerability CVE-2019-1125 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31085564 ∗∗∗ HPESBUX03950 rev.1 - HP-UX Web Server Suite running Apache on HP-UX 11iv3, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2019
by Daily end-of-shift report 22 Aug '19

22 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-08-2019 18:00 − Donnerstag 22-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ICS Protocols ∗∗∗ --------------------------------------------- ICS stands for Industrial Control Systems. ICS is a generic term used to describe various control systems and their instrumentation, used for controlling and monitoring industrial processes. ICS basically integrates hardware, software and their network connectivity for running and supporting critical infrastructure. ICS systems get data from remote sensors and send commands to the [...] --------------------------------------------- https://resources.infosecinstitute.com/ics-protocols/ ∗∗∗ Nach dem Datenleck: Mastercard benachrichtigt Kunden ∗∗∗ --------------------------------------------- Nachdem in den vergangenen Tagen Daten von Mastercard-Kunden im Internet auftauchten, hat das Unternehmen nun weitere Informationen per Mail verschickt. --------------------------------------------- https://heise.de/-4502408 ∗∗∗ KNOB-Attacke: Apple liefert Patch gegen Bluetooth-Schwachstelle ∗∗∗ --------------------------------------------- In der jüngsten Version der Betriebssysteme hat Apple eine grundlegende Schwachstelle ausgeräumt, die ein Knacken der Bluetooth-Verschlüsselung ermöglicht. --------------------------------------------- https://heise.de/-4503139 ∗∗∗ Android‑Spyware im Google Play Store aufgetaucht ∗∗∗ --------------------------------------------- ESET-Forscher entdeckten gleich zweimal Android-Spyware im Google Play Store. Die erste ihrer Art, die auf der Open-Source RAT-Software AhMyth aufbaut. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/08/22/android-spyware-google-pl… ∗∗∗ Hinter modellbau-billiger.de steckt Betrug ∗∗∗ --------------------------------------------- Modellbau-Fans stoßen auf der Suche nach Modelleisenbahnen, ferngesteuerten Autos, Flugzeugen oder Drohnen womöglich auf den Fake-Shop modellbau-billiger.de. Die Kriminellen nutzen dabei die Impressumsdaten eines seriösen Unternehmens, um Vertrauen zu stiften. Hier darf nichts bestellt werden. Die Zahlungen per Vorkasse sind verloren! --------------------------------------------- https://www.watchlist-internet.at/news/hinter-modellbau-billigerde-steckt-b… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt updaten: Cisco schließt 27 Sicherheitslücken in diversen Produkten ∗∗∗ --------------------------------------------- Vor allem Nutzer von Ciscos IMC Supervisor und UCS Director sollten einen Blick auf die aktuellen Sicherheitshinweise werfen. Kritische Lücken wurden gefixt. --------------------------------------------- https://heise.de/-4502617 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (nginx), openSUSE (ImageMagick and putty), Red Hat (Ansible, atomic-openshift-web-console, ceph, and qemu-kvm-rhev), SUSE (kvm, libssh2_org, postgresql96, qemu, and wavpack), and Ubuntu (libzstd and openjpeg2). --------------------------------------------- https://lwn.net/Articles/796949/ ∗∗∗ IBM Security Bulletin: IBM Security Access Manager for Enterprise Single-Sign On is affected by an XML External Entity Injection (XXE) vulnerability (CVE-2019-4513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-access-m… ∗∗∗ IBM Security Bulletin: This Power System update is being released to address CVE-2019-4169 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-this-power-system-upd… ∗∗∗ IBM Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU – Oct 2018 – Includes Oracle Oct.2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletinibm-sdk-java-technolog… ∗∗∗ Multiple Vulnerabilities in OpenPGP.js ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-open… ∗∗∗ HPESBST03951 rev.1 - HPE Command View Advanced EditionCVAE (Virtual Appliance only), Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03952 rev.1 - HPE Command View Advanced Edition (CVAE) Products using JAVA, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03953 rev.1 - HPE Command View Advanced Edition (CVAE), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBUX03950 rev.1 - HP-UX Web Server Suite running Apache on HP-UX 11iv3, Multiple Remote Vulnerabiities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Drupal: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0746 ∗∗∗ Red Hat Ceph Storage: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0751 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2019
by Daily end-of-shift report 21 Aug '19

21 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-08-2019 18:00 − Mittwoch 21-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fortnite Ransomware Masquerades as an Aimbot Game Hack ∗∗∗ --------------------------------------------- Attackers are taking aim at Fortnites global community of 250 million gamers. --------------------------------------------- https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-ha… ∗∗∗ KAPE: Kroll Artifact Parser and Extractor, (Wed, Aug 21st) ∗∗∗ --------------------------------------------- KAPE vs Commando, another Red vs Blue vignette --------------------------------------------- https://isc.sans.edu/diary/rss/25258 ∗∗∗ CERT-Bund warnt vor öffentlich erreichbaren Sphinx-Suchservern ∗∗∗ --------------------------------------------- In der Standardkonfiguration sind Sphinx-Server aus dem Internet erreichbar. Dieses Sicherheitsrisiko sollten Admins eindämmen. --------------------------------------------- https://heise.de/-4501757 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ghostscript, pango, and squirrelmail), openSUSE (libcryptopp, squid, tcpdump, and wireshark), SUSE (flatpak), and Ubuntu (giflib and NLTK). --------------------------------------------- https://lwn.net/Articles/796834/ ∗∗∗ Zebra Industrial Printers ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-232-01 ∗∗∗ ZDI-19-764: (0Day) WECON LeviStudioU ShortMessage_Module SMtext Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-764/ ∗∗∗ IBM Security Bulletin: A vulnerability in Open Source Libvirt affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-op… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Open Source Libreswan affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Netezza Host Management is affected by the vulnerabilities known as Intel Microarchitectural Data Sampling (MDS) and other Kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-netezza-host-mana… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Spring Framework affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-enterprise-content-ma… ∗∗∗ IBM Security Bulletin: A vulnerability in Open Source Bind affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-op… ∗∗∗ IBM Security Bulletin: Privilege escalation in IBM DB2 HPU debug binary via trusted PATH ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-privilege-escalation-… ∗∗∗ Unauthenticated sensitive information leakage in ZOHO ServiceDesk Software ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/unauthenticated-sensitive-inform… ∗∗∗ FreeBSD Project FreeBSD OS: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0743 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2019
by Daily end-of-shift report 20 Aug '19

20 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 19-08-2019 18:00 − Dienstag 20-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kernel: Defekte Dateisysteme bringen Linux zum Stolpern ∗∗∗ --------------------------------------------- In einer Diskussion um die Aufnahme eines neuen Dateisystems in den Linux-Kernel wird klar, dass viele Dateisystemtreiber mit defekten Daten nicht klarkommen. Das kann nicht nur zu Abstürzen führen, sondern auch zu Sicherheitslücken. ... Das Mounten von fremden Dateisystemen ist aber unter den gegebenen Umständen riskant. Wie die Diskussion zeigt, kann man sich nicht darauf verlassen, dass Linux-Dateisystemtreiber mit bösartigen Eingabedaten klarkommen. --------------------------------------------- https://www.golem.de/news/kernel-defekte-dateisysteme-bringen-linux-zum-sto… ∗∗∗ Guildma malware is now accessing Facebook and YouTube to keep up-to-date, (Tue, Aug 20th) ∗∗∗ --------------------------------------------- A new variant of the information stealer Guildma (aka Astaroth) we analyzed last week is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals. --------------------------------------------- https://isc.sans.edu/diary/rss/25222 ∗∗∗ GitHub Token Scanning—one billion tokens identified and five new partners ∗∗∗ --------------------------------------------- If you’ve ever accidentally shared a token or credentials in a GitHub repository, or read about someone who has, you know how damaging it could be if a malicious user finds and exploits it. About a year ago, we introduced token scanning to help scan pushed commits and prevent fraudulent use of any credentials that are shared accidentally. --------------------------------------------- https://github.blog/2019-08-19-github-token-scanning-one-billion-tokens-ide… ∗∗∗ GAME OVER: Detecting and Stopping an APT41 Operation ∗∗∗ --------------------------------------------- In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and… ∗∗∗ Falsche Versionsangaben: Mehrere Security Bulletins zu Apache Struts korrigiert ∗∗∗ --------------------------------------------- Struts-2-Anwender, die sich beim Updaten an offizielle Advisories halten, sollten erneut draufschauen – oder gleich zu Versionen ab 2.3.35 / 2.5.17 wechseln. --------------------------------------------- https://heise.de/-4500834 ∗∗∗ Erpressung mit Pädophilie per E-Mail ignorieren ∗∗∗ --------------------------------------------- Angeblich wurde Ihr Computer gehackt und Sie wurden beim Masturbieren gefilmt. Damit das Video nicht veröffentlicht wird, muss ein Schweigegeld bezahlt werden. Es besteht jedoch kein Grund zur Sorge, es handelt sich um eine Betrugsmasche. Weder wurde Ihre Webcam gehackt, noch wurden intime Videos über Sie angefertigt! Verschieben Sie dieses Mail in den Spam-Ordner. --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-mit-paedophilie-per-e-mai… ===================== = Vulnerabilities = ===================== ∗∗∗ Severe Flaws in Kubernetes Expose All Servers to DoS Attacks ∗∗∗ --------------------------------------------- Two high severity security flaws impacting the Kubernetes open-source system for handling containerized apps can allow an unauthorized attacker to trigger a denial of services state remotely, without user interaction. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-e… ∗∗∗ Remote Code Execution: Doppelte Hintertür in Webmin ∗∗∗ --------------------------------------------- In der Systemkonfigurationssoftware Webmin waren offenbar für über ein Jahr Hintertüren, mit denen sich übers Netz Code ausführen lässt. Den Angreifern gelang es dabei offenbar, die Release-Dateien des Projekts zu manipulieren. --------------------------------------------- https://www.golem.de/news/remote-code-execution-doppelte-hintertuer-in-webm… ∗∗∗ iOS 12.4 jailbreak released after Apple ‘accidentally un-patches’ an old flaw ∗∗∗ --------------------------------------------- A fully functional jailbreak has been released for the latest iOS 12.4 on the Internet, making it the first public jailbreak in a long time—thanks to Apple. Dubbed "unc0ver 3.5.0," the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4. --------------------------------------------- https://thehackernews.com/2019/08/ios-iphone-jailbreak.html ∗∗∗ SphinxSearch 0.0.0.0:9306 (CVE-2019-14511) ∗∗∗ --------------------------------------------- TL;DR: SphinxSearch comes with a insecure default configuration that opens a listener on port 9306. No auth required. Connections using a mysql client are possible. --------------------------------------------- https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-1… ∗∗∗ Security Bulletin VLC 3.0.8 ∗∗∗ --------------------------------------------- If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user. While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed. We have not seen exploits performing code execution through these vulnerabilities --------------------------------------------- https://www.videolan.org/security/sb-vlc308.html ∗∗∗ Ruby rest-client 1.6.13 ∗∗∗ --------------------------------------------- It seems that rest-client 1.6.13 is uploaded to rubygems.org. I did review between 1.6.9 and 1.6.13 and it seems that latest version evaluate remote code from pastebin.com and sends information to mironanoru.zzz.com.ua --------------------------------------------- https://github.com/rest-client/rest-client/issues/713 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Aspose APIs ∗∗∗ --------------------------------------------- Cory Duplantis and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. --------------------------------------------- https://blog.talosintelligence.com/2019/08/aspose-APIs-RCE-vulns-aug-2019.h… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flask), openSUSE (clementine, dkgpg, libTMCG, openexr, and zstd), Oracle (kernel, mysql:8.0, redis:5, and subversion:1.10), SUSE (nodejs6, python-Django, and rubygem-rails-html-sanitizer), and Ubuntu (cups, docker, docker-credential-helpers, kconfig, kde4libs, libreoffice, nova, and openldap). --------------------------------------------- https://lwn.net/Articles/796759/ ∗∗∗ IBM Security Bulletin: IBM MQ is vulnerable to a denial of service attack within the error logging function (CVE-2019-4049) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-is-vulnerable-… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Websphere Application Server affects IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM License Metric Tool v9 (CVE-2019-4046). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM License Key Server Administration & Reporting Tool and Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance affected by an OpenSSH vulnerability (CVE-2019-6110) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-affe… ∗∗∗ IBM Security Bulletin: Information disclosure for IBM Infosphere Global Name Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Information disclosure for IBM Infosphere Identity Insight ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Error Message Vulnerabilities Affect IBM Emptoris Sourcing, IBM Emptoris Contract Management and IBM Emptoris Spend Analysis. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-error-message-vulnera… ∗∗∗ IBM Security Bulletin: Cross-site Scripting Affects IBM Emptoris Spend Analysis (CVE-2019-4482) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… ∗∗∗ IBM Security Bulletin: SQL Injection Affects IBM Emptoris Spend Analysis and IBM Emptoris Contract Management (CVE-2019-4481, CVE-2019-4483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-sql-injection-affects… ∗∗∗ IBM Security Bulletin: Multiple IBM MQ Security Vulnerabilities Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-ibm-mq-secur… ∗∗∗ IBM Security Bulletin: API Connect V2018 (ova) is impacted by vulnerabilities in Ubuntu OS (CVE-2019-4504) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-ova… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by a Kubernetes vulnerability(CVE-2019-11246) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal is impacted by a path traversal vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: IBM i is affected by networking BIND vulnerability CVE-2019-6471. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by a information disclosure vulnerability (CVE-2019-4437) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by Linux Kernel security vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-… ∗∗∗ IBM Security Bulletin: XML External Entity Injection vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4424) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-xml-external-entity-i… ∗∗∗ IBM Security Bulletin: Reverse tabnabbing vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-reverse-tabnabbing-vu… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Docker (CVE-2018-15664) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-privileg… ∗∗∗ IBM Security Bulletin: Vulnerability in NTP affects AIX (CVE-2019-8936) Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ntp-… ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2018 – Includes Oracle Jul 2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo… ∗∗∗ HTTP/2 Empty Frames Flood vulnerability CVE-2019-9518 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46011592 ∗∗∗ HTTP/2 Settings Flood vulnerability CVE-2019-9515 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50233772 ∗∗∗ HTTP/2 Ping Flood vulnerability CVE-2019-9512 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98053339 ∗∗∗ HTTP/2 Reset Flood vulnerability CVE-2019-9514 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01988340 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2019
by Daily end-of-shift report 19 Aug '19

19 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-08-2019 18:00 − Montag 19-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Router Network Isolation Broken By Covert Data Exfiltration ∗∗∗ --------------------------------------------- Software-based network isolation provided by routers is not as efficient as believed, as hackers can smuggle data between the networks for exfiltration. --------------------------------------------- https://www.bleepingcomputer.com/news/security/router-network-isolation-bro… ∗∗∗ IT threat evolution Q2 2019 ∗∗∗ --------------------------------------------- Targeted attacks, malware campaigns and other security news in Q2 2019. --------------------------------------------- https://securelist.com/it-threat-evolution-q2-2019/91994/ ∗∗∗ The DAA File Format, (Fri, Aug 16th) ∗∗∗ --------------------------------------------- In diary entry "Malicious .DAA Attachments", we extracted a malicious executable from a Direct Access Archive file. --------------------------------------------- https://isc.sans.edu/diary/rss/25246 ∗∗∗ What Hackers Do after Gaining Access to a Website ∗∗∗ --------------------------------------------- A hack or cyber attack is the act of maliciously entering, taking control over, or manipulating by force a web application, server, or file that belongs to someone else. --------------------------------------------- https://blog.sucuri.net/2019/08/what-hackers-do-after-gaining-access-to-a-w… ∗∗∗ Sicherheitspanne: Kernel-Schwachstelle zurück in iOS 12.4, Jailbreak verfügbar ∗∗∗ --------------------------------------------- Zum ersten Mal seit Langem lassen sich Apples Sicherheitsfunktionen in der aktuellen iOS-Version durch einen öffentlich verfügbaren Jailbreak aushebeln. --------------------------------------------- https://heise.de/-4500038 ∗∗∗ QxSearch hijacker fakes failed installs ∗∗∗ --------------------------------------------- QxSearch is a group of search hijackers that try to make the user think the install failed or was incomplete. Is it that they dont want to be found and removed? Or just bad programming? --------------------------------------------- https://blog.malwarebytes.com/pups/2019/08/qxsearch-hijacker-fakes-failed-i… ∗∗∗ Gefälschte "Ihr Jahresabonnemеnt Whatsapp"-Mail im Umlauf ∗∗∗ --------------------------------------------- Konsument/innen erhalten eine angebliche WhatsApp-E-Mail. Darin heißt es, dass sie ihr Abonnement verlängern müssen. Über einen Link in der Nachricht gelangen Nutzer/innen auf eine gefälschte WhatsApp-Website. Darauf sollen sie ihr Jahresabonnement unter Bekanntgabe ihrer Zahlungsdaten verlängern. Kommen Konsument/innen der Aufforderung nach, werden sie Opfer eines Datendiebstahls und verlieren ihr Geld an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-ihr-jahresabonnement-wha… ∗∗∗ Offensive Lateral Movement ∗∗∗ --------------------------------------------- Lateral movement is the process of moving from one compromised host to another. Penetration testers and red teamers alike commonly used to accomplish this by executing powershell.exe to run a base64 encoded command on the remote host, which would return a beacon. The problem with this is that offensive PowerShell is not a new concept anymore and even moderately mature shops will detect on it and shut it down quickly, or any half decent AV product will kill it before a malicious command is ran. --------------------------------------------- https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Daten zu manipulieren oder Sicherheitsmechanismen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K19-0726 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel and openssl), Debian (ffmpeg, golang-1.11, imagemagick, kde4libs, openldap, and python3.4), Fedora (gradle, hostapd, kdelibs3, and mgetty), Gentoo (adobe-flash, hostapd, mariadb, patch, thunderbird, and vlc), Mageia (elfutils, mariadb, mythtv, postgresql, and redis), openSUSE (chromium, kernel, LibreOffice, and zypper, libzypp and libsolv), Oracle (ghostscript), Red Hat (rh-php71-php), SUSE (bzip2, evince, firefox, glib2, glibc, [...] --------------------------------------------- https://lwn.net/Articles/796640/ ∗∗∗ Cisco Firepower Threat Defense Software HTTP Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the HTTP traffic filtering component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper handling of HTTP requests, including those communicated over a secure HTTPS connection, that contain maliciously crafted headers. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software Stream Reassembly Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the stream reassembly component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper reassembly of traffic streams. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software NULL Character Obfuscation Detection Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the normalization functionality of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to insufficient normalization of a text-based payload. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software Nonstandard Protocol Detection Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the protocol detection component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper detection of the initial use of a protocol on a nonstandard port. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Four Remote Code Execution Vulnerabilities in Some Microsoft Windows Systems ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190819-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2019
by Daily end-of-shift report 16 Aug '19

16 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-08-2019 18:00 − Freitag 16-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Warns of Phishing Attacks Using Custom 404 Pages ∗∗∗ --------------------------------------------- Microsoft security researchers discovered an unusual phishing campaign which employs custom 404 error pages to trick potential victims into handing out their Microsoft credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-… ∗∗∗ Energy Sector Phish Swims Past Microsoft Email Security via Google Drive ∗∗∗ --------------------------------------------- The savvy technique of avoiding malicious links in the email allowed the phishing attack to reach its targets. --------------------------------------------- https://threatpost.com/energy-phish-microsoft-security-google-drive/147397/ ∗∗∗ Analysis of a Spearphishing Maldoc, (Thu, Aug 15th) ∗∗∗ --------------------------------------------- A spearphishing attack with a VBA maldoc on US utility companies was mentioned in SANS NewsBites Vol. 21, Num. 61. I always like to take a look at malicious documents mentioned in the news. Luckily for me, Proofpoint's analysis includes the hashes of the maldocs, and one maldoc can be found on VirusTotal. --------------------------------------------- https://isc.sans.edu/diary/rss/25242 ∗∗∗ VoIP-Sicherheitslücken: Viele Büro-Telefonanlagen grundlegend unsicher ∗∗∗ --------------------------------------------- 33 Geräte von 25 Herstellern lassen sich kapern. Angreifer können spionieren, andere Systeme angreifen oder die Organisation durch einen Totalausfall schwächen. --------------------------------------------- https://heise.de/-4499202 ∗∗∗ MITRE ATT&CK July 2019 Update ∗∗∗ --------------------------------------------- On the last day of July, MITRE released its most recent update to the ATT&CK framework. The ATT&CK framework is a curated knowledge base of tactics, techniques, software, that adversarial groups have leveraged when compromising enterprise systems. The July 2019 update is relatively minor compared to the April 2019 update, which saw a new tactic [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/mitre-a… ∗∗∗ Many Apache Struts Security Advisories Updated Following Review ∗∗∗ --------------------------------------------- Two dozen security advisories for the Apache Struts open source development framework have been updated after researchers determined that they contained incorrect information regarding which versions of the software were impacted by a vulnerability. --------------------------------------------- https://www.securityweek.com/many-apache-struts-security-advisories-updated… ===================== = Vulnerabilities = ===================== ∗∗∗ Lenovo Warns of ThinkPad Bugs, One Unpatched ∗∗∗ --------------------------------------------- The notebook maker is warning users of three separate vulnerabilities. --------------------------------------------- https://threatpost.com/lenovo-warns-bugs-thinkpads/147338/ ∗∗∗ Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again ∗∗∗ --------------------------------------------- If you are using LibreOffice, you need to update it once again. LibreOffice has released the latest version 6.2.6/6.3.0 of its open-source office software to address three new vulnerabilities that could allow attackers to bypass patches for two previously addressed vulnerabilities. --------------------------------------------- https://thehackernews.com/2019/08/libreoffice-patch-update.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (irssi, ledger, libheimdal, libmediainfo, libqb, and libsass) and Slackware (mozilla). --------------------------------------------- https://lwn.net/Articles/796311/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freetype, libreoffice, and openjdk-7), Fedora (edk2, mariadb, mariadb-connector-c, mariadb-connector-odbc, python-django, and squirrelmail), Gentoo (chromium, cups, firefox, glibc, kconfig, libarchive, libreoffice, oracle-jdk-bin, polkit, proftpd, sqlite, wget, zeromq, and znc), openSUSE (bzip2, chromium, dosbox, evince, gpg2, icedtea-web, java-11-openjdk, java-1_8_0-openjdk, kconfig, kdelibs4, mariadb, mariadb-connector-c, nodejs8, pdns, polkit, [...] --------------------------------------------- https://lwn.net/Articles/796455/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2019
by Daily end-of-shift report 14 Aug '19

14 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-08-2019 18:00 − Mittwoch 14-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic ∗∗∗ --------------------------------------------- A new Bluetooth vulnerability named "KNOB" has been disclosed that allow attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-bluetooth-knob-flaw-lets… ∗∗∗ Dejablue: Erneut Sicherheitslücken im Windows-Remote-Desktop ∗∗∗ --------------------------------------------- Microsoft warnt vor zwei Remote-Code-Execution-Bugs im Remote Desktop Service. Damit lassen sich Windows-Rechner übers Netz kapern, wenn sie die Remoteadministration aktiviert haben. Alle aktuellen Windows-Versionen sind betroffen. --------------------------------------------- https://www.golem.de/news/dejablue-erneut-sicherheitsluecken-im-windows-rem… ∗∗∗ Project Zero: Windows-Texteingabesystem bietet viele Angriffsmöglichkeiten ∗∗∗ --------------------------------------------- Ein Systemdienst für Texteingabemethoden, das es seit Windows XP gibt, wurde offenbar mit wenig Sicherheitsbewusstsein entwickelt. Tavis Ormandy von Google gelang es damit, als Nutzer Systemrechte zu erlangen. Es gibt ein Update von Microsoft, doch das behebt wohl nicht alle Probleme. --------------------------------------------- https://www.golem.de/news/project-zero-windows-texteingabesystem-bietet-vie… ∗∗∗ Debugging for Malware Analysis ∗∗∗ --------------------------------------------- This article provides an overview of debugging and how to use some of the most commonly used debuggers. We will begin by discussing OllyDbg; using it, we will explore topics such as setting up breakpoints, stepping through the instructions and modifying the flow of execution. We will then discuss WinDbg, which can be used [...] --------------------------------------------- https://resources.infosecinstitute.com/debugging-for-malware-analysis/ ∗∗∗ Nehmen Sie sich vor gefälschten Zahlungsanweisungen in Acht! ∗∗∗ --------------------------------------------- Zahlreiche Unternehmen wenden sich mit erfundenen Überweisungs-Aufforderungen im Namen der Geschäftsführung oder anderer Führungspersonen an uns. Die E-Mails stammen von Kriminellen, die die Mail-Adressen durch „Spoofing“ imitieren und dadurch nichtsahnende Mitarbeiter/innen zu Überweisungen auf fremde Konten bringen wollen. --------------------------------------------- https://www.watchlist-internet.at/news/nehmen-sie-sich-vor-gefaelschten-zah… ∗∗∗ This new cryptojacking malware uses a sneaky trick to remain hidden ∗∗∗ --------------------------------------------- Norman cryptomining malware was found to have infected almost every system in one organisation during an investigation by security researchers. --------------------------------------------- https://www.zdnet.com/article/this-new-cryptojacking-malware-uses-a-sneaky-… ===================== = Vulnerabilities = ===================== ∗∗∗ Intel Releases Security Updates ∗∗∗ --------------------------------------------- Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to gain an escalation of privileges on a previously infected machine.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates: RAID Web Console 2 Advisory INTEL-SA-00246 NUC Advisory INTEL-SA-00272 [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/08/13/intel-releases-sec… ∗∗∗ Trend Micro Password Manager - Privilege Escalation to SYSTEM ∗∗∗ --------------------------------------------- SafeBreach Labs discovered a new vulnerability in Trend Micro Password Manager software. In this post, we will demonstrate how this vulnerability could have been used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM. --------------------------------------------- https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalati… ∗∗∗ DoS-Attacken: Viele Web-Server mit HTTP/2 angreifbar ∗∗∗ --------------------------------------------- Forschern zufolge ist ein Großteil von Web-Servern mit HTTP/2 nicht optimal konfiguriert, sodass die Sicherheit gefährdet ist. Patches sind verfügbar. --------------------------------------------- https://heise.de/-4496647 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, linux-4.9, otrs2, and tomcat8), Fedora (igraph and jhead), openSUSE (ansible, GraphicsMagick, kconfig, kdelibs4, live555, mumble, phpMyAdmin, proftpd, python-Django, and znc), Oracle (kernel and openssl), Red Hat (kernel, openssl, and rh-mysql80-mysql), Scientific Linux (kernel and openssl), Slackware (kernel), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork and mariadb-100), and Ubuntu (linux, linux-aws, linux-kvm, [...] --------------------------------------------- https://lwn.net/Articles/796193/ ∗∗∗ SAP Patches Highest Number of Critical Flaws Since 2014 ∗∗∗ --------------------------------------------- SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014. --------------------------------------------- https://www.securityweek.com/sap-patches-highest-number-critical-flaws-2014 ∗∗∗ Mitsubishi Electric smartRTU and INEA ME-RTU ∗∗∗ --------------------------------------------- CISA is aware of a public report of a proof-of-concept (PoC) exploit code vulnerability affecting Mitsubishi Electric smartRTU devices. According to this report, there are multiple vulnerabilities that could result in remote code execution with root privileges. CISA is issuing this alert to provide early notice of the report. --------------------------------------------- https://www.us-cert.gov/ics/alerts/ics-alert-19-255-01 ∗∗∗ Delta Industrial Automation DOPSoft ∗∗∗ --------------------------------------------- This advisory includes mitigations for out-of-bounds read and use after free vulnerabilities reported in Delta Electronics’ Delta Industrial Automation DOPSoft HMI editing software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-225-01 ∗∗∗ OSIsoft PI Web API ∗∗∗ --------------------------------------------- This advisory includes mitigations for inclusion of sensitive information in log files and protection mechanism failure vulnerabilities reported in OSIsoft LLC’s OSIsoft PI Web API. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-225-02 ∗∗∗ Key Negotiation of Bluetooth Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Two Denial of Service Vulnerabilities on Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190814-… ∗∗∗ August 13, 2019 TNS-2019-05 [R1] Nessus 8.6.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2019-05 ∗∗∗ Synology-SA-19:33 HTTP/2 DoS Attacks ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_33 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.08.2019
by Daily end-of-shift report 13 Aug '19

13 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 12-08-2019 18:00 − Dienstag 13-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Steam Security Vulnerability Fixed, Researchers Dont Agree ∗∗∗ --------------------------------------------- Valve has pushed out a fix for a zero-day Steam Client local privilege escalation (LPE) vulnerability, but researchers say there are still other LPE vulnerabilities that are being ignored. --------------------------------------------- https://www.bleepingcomputer.com/news/security/steam-security-vulnerability… ∗∗∗ Troldesh Ransomware Dropper ∗∗∗ --------------------------------------------- Over the past few weeks, we’ve seen an increase in Troldesh ransomware using compromised websites as intermediary malware distributors. The malware often uses a PHP file that acts as a delivery tool for downloading the host malware dropper: hxxp://doolaekhun[.]com/cgi-bin/[redacted].php --------------------------------------------- https://blog.sucuri.net/2019/08/troldesh-ransomware-dropper.html ∗∗∗ Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices ∗∗∗ --------------------------------------------- Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself "Asher" [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/jgzb2S8LB8M/ ∗∗∗ MANRS Observatory: Monitoring the State of Internet Routing Security ∗∗∗ --------------------------------------------- Routing security is vital to the future and stability of the Internet, but it’s under constant threat. Which is why we’ve launched a free online tool so that network operators can see how they’re doing, and what they can improve, while anyone can see the health of the Internet at a glance. --------------------------------------------- https://www.internetsociety.org/blog/2019/08/manrs-observatory-monitoring-t… ∗∗∗ The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End? ∗∗∗ --------------------------------------------- In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled, and some issues that could be raised by [...] --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/the-twin-journe… ∗∗∗ CEO Cyber Quiz: What’s Your IT Security IQ? ∗∗∗ --------------------------------------------- Every business leader understands that, when it comes to cybersecurity, the stakes are extraordinarily high. CEOs tend to take notice when they read headlines about yet another big-name company being victimized by a massive data breach or about industry forecasts suggesting that the annual cost of crime losses and damage will hit $6 trillion by [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-awareness/ceo-cyber-sec… ∗∗∗ Datingfalle.at: Kostenlose Hilfe bei Online-Dating-Fallen! ∗∗∗ --------------------------------------------- Auf www.datingfalle.at bietet der Internet Ombudsmann kostenlose Hilfe bei rechtlichen Problemen mit Online-Dating-Plattformen, Erotik-Portalen und Singlebörsen. Neben Infos und Tipps steht eine außergerichtliche Streitschlichtung zur Verfügung. Hier gibt es Hilfestellung bei Abo-Fallen, automatischer Vertragsverlängerung, Kündigungsschwierigkeiten oder Inkasso-Schreiben. --------------------------------------------- https://www.watchlist-internet.at/news/datingfalleat-kostenlose-hilfe-bei-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe After Effects CC (APSB19-31), Adobe Character Animator CC (APSB19-32), Adobe Premiere Pro CC (APSB19-33), Adobe Prelude CC (APSB19-35), Adobe Creative Cloud Desktop Application (APSB19-39), Adobe Acrobat and Reader (APSB19-41), Adobe Experience Manager (APSB19-42) and Adobe Photoshop CC (APSB19-44). Adobe recommends users update their product installations to the latest versions using the instructions referenced [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1773 ∗∗∗ [20190801] - Core - Hardening com_contact contact form ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 1.6.2 - 3.9.10 Exploit type: Incorrect Access Control Reported Date: 2019-April-09 Fixed Date: 2019-August-13 CVE Number: CVE-2019-XXXXX Description Inadequate checks in com_contact could allowed mail submission in disabled forms. Affected Installs Joomla! CMS versions 1.6.2 - 3.9.10 Solution Upgrade to version 3.9.11 --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/H1jmq28mUAw/789-20190801-c… ∗∗∗ # SSA-671286: Multiple Vulnerabilities in SCALANCE Products ∗∗∗ --------------------------------------------- The latest update for SCALANCE SC-600 fixes multiple vulnerabilities. The most severe could allow authenticated local users with physical access to the device to execute arbitrary commands on the device under certain conditions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-671286.txt ∗∗∗ # SSA-530931: Denial-of-Service in Webserver of Industrial Products ∗∗∗ --------------------------------------------- A vulnerability in the affected products could allow an unauthorized attacker with network access to the webserver of an affected device to perform a denial-of-service attack. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-530931.txt ∗∗∗ # SSA-232418: Vulnerabilities in SIMATIC S7-1200 and SIMATIC S7-1500 CPU families ∗∗∗ --------------------------------------------- Two vulnerabilities have been identified in the SIMATIC S7-1200 and the SIMATIC S7-1500 CPU families. One vulnerability could allow an attacker with network access to affected devices to modify the user program stored on these devices such that the source code differs from the actual running code. The other vulnerability could allow an attacker in a Man-in-the-Middle position to modify network traffic exchanged on port 102/tcp. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-232418.txt ∗∗∗ # SSA-100232: Denial-of-Service vulnerability in SCALANCE X switches ∗∗∗ --------------------------------------------- A vulnerability in the affected devices could allow an unauthenticated attacker with network access to an affected device to perform a denial-of-service. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-100232.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, postgresql, and postgresql-libs), Debian (atril, chromium, evince, ghostscript, jackson-databind, kernel, and php5), Fedora (kf5-kconfig, mingw-sqlite, pam-u2f, and poppler), Mageia (kernel), openSUSE (aubio, chromium, kconfig, kdelibs4, nodejs10, osc, and zstd), Red Hat (ghostscript), and Ubuntu (ghostscript and MariaDB). --------------------------------------------- https://lwn.net/Articles/796075/ ∗∗∗ [remote] Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47230 ∗∗∗ [remote] ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47229 ∗∗∗ [remote] ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47228 ∗∗∗ [remote] ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47227 ∗∗∗ Linux kernel vulnerability CVE-2016-7097 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31603170 ∗∗∗ SAP Patchday August: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0714 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.08.2019
by Daily end-of-shift report 12 Aug '19

12 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-08-2019 18:00 − Montag 12-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Beware of Fake Microsoft Account Unusual Sign-in Activity Emails ∗∗∗ --------------------------------------------- In this article we take a look at a phishing campaign that pretends to be an "Unusual sign-in activity" alertfrom Microsoft that could easily trick someone into clicking on the enclosed link. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beware-of-fake-microsoft-acc… ∗∗∗ Malware Analysis and Reverse Engineering ∗∗∗ --------------------------------------------- Introduction This article provides a high-level overview of malware analysis and reverse engineering. If you are planning to get started with malware analysis and reverse engineering, this article can be a good starting point, as it covers a high-level overview of what you need to know before you download that debugger and get your hands [...] --------------------------------------------- https://resources.infosecinstitute.com/malware-analysis-and-reverse-enginee… ∗∗∗ DEF CON 2019: Delta ICS Flaw Allows Total Industrial Takeover ∗∗∗ --------------------------------------------- The bug exists in a controller that oversees HVAC, lighting, sensor and alarm systems, to name a few. --------------------------------------------- https://threatpost.com/def-con-2019-delta-ics-flaw-allows-total-industrial-… ∗∗∗ Inside the Hidden World of Elevator Phone Phreaking ∗∗∗ --------------------------------------------- Eavesdropping, reprogramming, talking to strangers: Welcome to the harmless and not-so-harmless fun of hacking elevator call boxes. --------------------------------------------- https://www.wired.com/story/elevator-phone-phreaking-defcon ∗∗∗ Amazon Web Services: Tausende virtuelle Festplatten frei zugänglich im Netz ∗∗∗ --------------------------------------------- Ein Forscher fand tausendfach offen zugängliche Elastic Block Store-Volumes mit vertraulichen Daten im Netz, wo sie sich beliebig durchsuchen lassen. --------------------------------------------- https://heise.de/-4493402 ∗∗∗ Windows-Treiber von Intel, AMD, Nvidia und vielen Mainboard-Herstellern unsicher ∗∗∗ --------------------------------------------- Über mehr als 40 weit verbreitete Hardware-Treiber können Angreifer sich Kernel-Rechte auf einem System verschaffen. --------------------------------------------- https://heise.de/-4494929 ∗∗∗ Cruise Releases Automated Firmware Security Analyzer to Open Source ∗∗∗ --------------------------------------------- The growth of IoT devices has highlighted the difficulties in ensuring firmware security -- especially where the device and software are initially sourced from third parties, or developed under time pressures in-house. Now a new firmware analyzer has been released to open source on GitHub. --------------------------------------------- https://www.securityweek.com/gm-cruise-releases-automated-firmware-security… ∗∗∗ Hotellerie-Betriebe: Vorsicht vor kriminellen Buchungs- & Stornierungsversuchen! ∗∗∗ --------------------------------------------- Vermeintliche Interessent/innen kontaktieren gezielt Hotels, Pensionen, Apartments und sonstige Unterkünfte für eine Buchung. Kurz nach einer (ungültigen) Zahlung per Kreditkarte folgen schreckliche Nachrichten: Aufgrund tragischer Ereignisse bei den geplanten Gästen muss die Buchung storniert und das Geld zurücküberwiesen werden. Hotellerie-Betriebe dürfen den Aufforderungen nicht nachkommen! --------------------------------------------- https://www.watchlist-internet.at/news/hotellerie-betriebe-vorsicht-vor-kri… ∗∗∗ Hunting the Public Cloud for Exposed Hosts and Misconfigurations ∗∗∗ --------------------------------------------- This research explores the security landscape of the Internet-facing services hosted in Amazon AWS, Microsoft Azure and Google Cloud Platform. --------------------------------------------- https://unit42.paloaltonetworks.com/hunting-the-public-cloud-for-exposed-ho… ∗∗∗ Clever attack uses SQLite databases to hack other apps, malware servers ∗∗∗ --------------------------------------------- Tainted SQLite database can run malicious code inside other apps, such as web apps or Apples iMessage. --------------------------------------------- https://www.zdnet.com/article/clever-attack-uses-sqlite-databases-to-hack-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fusiondirectory, gosa, kconfig, kernel, pango1.0, and python-django), Fedora (aubio, icedtea-web, java-1.8.0-openjdk, kernel, kernel-headers, kernel-tools, libslirp, openqa, os-autoinst, and upx), Gentoo (JasPer, libvncserver, and redis), Mageia (cyrus-imapd and php), Oracle (kernel), Red Hat (chromium-browser, cockpit-ovirt, Red Hat Virtualization, and rhvm-appliance), SUSE (ImageMagick, libvirt, python, and wireshark), and Ubuntu (poppler). --------------------------------------------- https://lwn.net/Articles/795963/ ∗∗∗ PPOM for WooCommerce <= 18.3 - Authenticated Stored XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9502 ∗∗∗ ZDI-19-701: (0Day) EZAutomation EZPLC EZC File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-701/ ∗∗∗ ZDI-19-700: (0Day) EZAutomation EZTouch Editor EZP File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-700/ ∗∗∗ iControl REST and tmsh vulnerability CVE-2019-6621 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20541896 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2019
by Daily end-of-shift report 09 Aug '19

09 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-08-2019 18:00 − Freitag 09-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackerone: Sicherheitslücke in Steam bleibt vorerst ungefixt ∗∗∗ --------------------------------------------- Auf Windows-Systemen, auf denen der Spiele-Launcher Steam installiert ist, können einfache Nutzer Programme mit Systemrechten ausführen. Der Entdecker der Lücke meldete diese über die Plattform Hackerone, dort erklärte man den Bug für ungültig und wollte eine Veröffentlichung verhindern. --------------------------------------------- https://www.golem.de/news/hackerone-sicherheitsluecke-in-steam-bleibt-vorer… ∗∗∗ Protect against BlueKeep ∗∗∗ --------------------------------------------- DART offers steps you can take to protect your network from BlueKeep, the “wormable” vulnerability that can create a large-scale outbreak due to its ability to replicate and propagate. --------------------------------------------- https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/ ∗∗∗ Hidden Algorithm Flaws Expose Websites to DoS Attacks ∗∗∗ --------------------------------------------- Why throw a bunch of junk traffic at a service, when all it takes to stall it out is just a few bytes? --------------------------------------------- https://www.wired.com/story/algorithm-dos-attack ∗∗∗ How Safecrackers Can Unlock an ATM in Minutes—Without Leaving a Trace ∗∗∗ --------------------------------------------- At Defcon this week, security researcher Mike Davis will show how he can pick the lock of an ATM safe in no time, thanks to its electric leaks. --------------------------------------------- https://www.wired.com/story/atm-lock-hack-electric-leaks ∗∗∗ Saefko: A new multi-layered RAT ∗∗∗ --------------------------------------------- Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, and data stealing and spreading module. --------------------------------------------- https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat ∗∗∗ Are Your Out-of-Office Replies Revealing Too Much? ∗∗∗ --------------------------------------------- Whether you’re traveling for business or pleasure, it’s common practice to create an automatic out-of-office reply for incoming emails. While business continuity is important, it’s critical to remember that some emails that arrive in your inbox will come from people you don’t know - and, in some cases, cybercriminals who wish to do you harm. The details you provide could be used for malicious purposes and expose your organization to attack. --------------------------------------------- https://www.proofpoint.com/us/security-awareness/post/are-your-out-office-r… ∗∗∗ New Windows Process Injection Can Be Useful for Stealthy Malware ∗∗∗ --------------------------------------------- Researchers at SafeBreach, a cybersecurity firm that specializes in breach and attack simulations, have catalogued most known Windows process injection techniques. They also discovered a new method, which they claim is stealthy and can bypass all protections implemented by Microsoft. --------------------------------------------- https://www.securityweek.com/new-windows-process-injection-can-be-useful-st… ∗∗∗ Analyse: Ransomware-Angriffe auf Firmen fast vervierfacht ∗∗∗ --------------------------------------------- Die Zahl der Infektionen mit Ransomware bei Firmen hat im Vergleich zum Vorjahr um 365 Prozent zugenommen. Groß im Geschäft: das Trio Emotet/Trickbot/Ryuk. --------------------------------------------- https://heise.de/-4492497 ∗∗∗ Skype, Slack, VS Code, Atom: Electron-Apps haben eine gefährliche Achilles-Ferse ∗∗∗ --------------------------------------------- Programme, die auf dem Electron Framework basieren, können von lokalen Angreifern trojanisiert und als Angriffsplattform missbraucht werden. --------------------------------------------- https://heise.de/-4493195 ∗∗∗ Hackers Can Use Rogue Engineering Stations to Target Siemens PLCs ∗∗∗ --------------------------------------------- Malicious actors could use rogue engineering workstations to take control of Siemens programmable logic controllers (PLCs), and they can hide the attack from the engineer monitoring the system, researchers from two universities in Israel have demonstrated. --------------------------------------------- https://www.securityweek.com/hackers-can-use-rogue-engineering-stations-tar… ===================== = Vulnerabilities = ===================== ∗∗∗ Schwerwiegende Sicherheitslücke in Big-IP-Produkten von F5 Networks ∗∗∗ --------------------------------------------- Der finnische Sicherheitsspezialist F-Secure warnt vor einer Sicherheitslücke, die möglicherweise zahlreiche Unternehmen zu Zielen für Cyberangriffe macht. Betroffen sind Big-IP-Produkte von F5 Networks. Der Anbieter dementiert. --------------------------------------------- https://www.it-business.de/schwerwiegende-sicherheitsluecke-in-big-ip-produ… ∗∗∗ Avaya Deskphone: Decade-Old Vulnerability Found in Phone’s Firmware ∗∗∗ --------------------------------------------- Avaya is the second largest VOIP solution provider (source) with an install base covering 90% of the Fortune 100 companies (source), with products targeting a wide spectrum of customers, from small business and midmarket, to large corporations. As part of the ongoing McAfee Advanced Threat Research effort into researching critical vulnerabilities in widely deployed software [...] --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/avaya-deskphone… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11, postgresql-9.4, and postgresql-9.6), Fedora (exiv2), openSUSE (python-Django and vlc), Oracle (kernel), Red Hat (qemu-kvm-rhev), SUSE (evince, nodejs10, python, and squid), and Ubuntu (postgresql-10, postgresql-11, postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/795821/ ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0708 ∗∗∗ BlackBerry Powered by Android Security Bulletin - August 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Notice - Statement on Brute Forcing Encrypted Backup Data for Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2019/huawei-sn-20190809-01-… ∗∗∗ BIG-IP DHCPv6 vulnerability CVE-2019-6643 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36228121 ∗∗∗ iControl REST vulnerability CVE-2019-6646 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53990093 ∗∗∗ F5 Container Ingress Service vulnerability CVE-2019-6648 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74327432 ∗∗∗ iRulesLX debug NodeJS vulnerability CVE-2019-6644 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K75532331 ∗∗∗ BIG-IP mcpd vulnerability CVE-2019-6647 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87920510 ∗∗∗ The BIG-IP DNS Configuration utility may erroneously display the TSIG key secret in plain text form ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03332436 ∗∗∗ BIG-IP SSL connection security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41515225 ∗∗∗ BIG-IP FTP profile vulnerability CVE-2019-6645 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15759349 ∗∗∗ F5 Container Ingress Services vulnerability CVE-2019-6648 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74327432 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2019
by Daily end-of-shift report 08 Aug '19

08 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-08-2019 18:00 − Donnerstag 08-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Fully Remote Attack Surface of the iPhone ∗∗∗ --------------------------------------------- While there have been several rumours and reports of fully remote vulnerabilities affecting the iPhone being used by attackers in the last couple of years, limited information is available about the technical details of these vulnerabilities, as well as the underlying attack surface they occur in. I investigated the remote, interaction-less attack surface of the iPhone, and found several serious vulnerabilities. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surf… ∗∗∗ [Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign", (Thu, Aug 8th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/25218 ∗∗∗ Magento Skimmers: From Atob to Alibaba ∗∗∗ --------------------------------------------- Last year we saw a fairly massive Magento malware campaign that injected credit card stealing code similar to this: It uses the JavaScript atob function to decode base64-encoded domain names and URL patterns. In the sample above, it’s hxxps://livegetpay[.]com/pay.js?v=2.2.9 and “onepage”, respectively. The campaign used a variety of different domain names and targeted all sorts of payment processing systems, which is well described in the Group IB’s report. --------------------------------------------- https://blog.sucuri.net/2019/08/magento-skimmers-from-atob-to-alibaba.html ∗∗∗ Reverse RDP Attack Also Enables Guest-to-Host Escape in Microsoft Hyper-V ∗∗∗ --------------------------------------------- Remember the Reverse RDP Attack? Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsofts Windows built-in RDP client that could allow a malicious RDP server to compromise a client computer, reversely. --------------------------------------------- https://thehackernews.com/2019/08/reverse-rdp-windows-hyper-v.html ∗∗∗ ACSC Releases Advisory on Password Spraying Attacks ∗∗∗ --------------------------------------------- Original release date: August 8, 2019The Australian Cyber Security Centre (ACSC) has released an advisory on password spraying attacks. Password spraying is a type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts. The ACSC provides recommendations for organizations to detect and --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/08/08/acsc-releases-advi… ∗∗∗ Erpressungsversuche mit Masturbations-Video! ∗∗∗ --------------------------------------------- Die Wahrscheinlichkeit betrügerische Erpressungs-E-Mails im eigenen Posteingang zu finden, ist momentan äußerst hoch. Kriminelle behaupten, die Systeme ihrer Opfer mit Schadsoftware infiziert, Zugriff auf Webcam und Kontakte erhalten zu haben und nun in Besitz eines Masturbations-Videos zu sein. Betroffene dürfen nichts bezahlen. Die Nachrichten von „Anonymer Hacker“ sind erfunden! --------------------------------------------- https://www.watchlist-internet.at/news/erpressungsversuche-mit-masturbation… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet FortiRecorder 2.7.3 Hardcoded Password ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019080028 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim, python-django, python2-django, and sdl2), Debian (proftpd-dfsg), Fedora (php and sqlite), openSUSE (proftpd), Red Hat (kernel), Slackware (kdelibs), SUSE (nodejs10, squid, and tcpdump), and Ubuntu (php5 and ruby-rack). --------------------------------------------- https://lwn.net/Articles/795725/ ∗∗∗ Synology-SA-19:32 SWAPGS Spectre Side-Channel Attack ∗∗∗ --------------------------------------------- The vulnerability allows local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) running on an Intel CPU or even if in Virtual Machine Manager. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_32 ∗∗∗ Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Server Open Redirection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SPA112 2-Port Phone Adapter Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution Packet Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software VNC Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Web-Based Management Interface Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Cross-site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Arbitrary File Read Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Password Recovery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Web Portal Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software Intermediate System–to–Intermediate System Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software Intermediate System–to–Intermediate System Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco HyperFlex Software Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software File Policy Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director TLS Renegotiation Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Management Center Persistent Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance Header Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Adaptive Security Appliance Software Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2019
by Daily end-of-shift report 07 Aug '19

07 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-08-2019 18:00 − Mittwoch 07-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Smominru Cryptominer Scrapes Credentials for Half-Million Machines ∗∗∗ --------------------------------------------- The adversaries have retooled with EternalBlue and credential theft to add a new "access mining" revenue stream. --------------------------------------------- https://threatpost.com/smominru-cryptominer-scrapes-credentials-half-millio… ∗∗∗ Autoloaded Server-Side Swiper ∗∗∗ --------------------------------------------- Front-end JavaScript-based credit card stealing malware has garnered a lot of attention within the security community. This makes sense, since the “swipers” can be easily detected by simply scanning the web pages of e-commerce sites. However, this isn’t the only way to steal payment details and sensitive user information from compromised sites. Server-side swipers are almost as prevalent as client-side ones, and [...] --------------------------------------------- https://blog.sucuri.net/2019/08/autoloaded-server-side-swiper.html ∗∗∗ Vorsicht bei zu günstigen Angeboten auf Amazon ∗∗∗ --------------------------------------------- Vermehrt erreichen uns Meldungen von Konsument/innen, die auf unseriöse Amazon Marketplace Shops gestoßen sind. Die extrem günstigen Angebote locken zu einem schnellen Kauf. Im späteren Nachrichtenverlauf werden die Opfer über „Fehler 2045“ informiert und aufgefordert, das Geld auf externe Konten zu überweisen. Wer dies tut, verliert den Betrag und erhält keine Waren! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-angeboten… ===================== = Vulnerabilities = ===================== ∗∗∗ SWAPGSAttack: Seitenkanal-Schwachstelle trifft wieder nur Intel ∗∗∗ --------------------------------------------- Mit der Spectre-ähnlichen SWAPGSAttack kann auf eigentlich geschützte Speicherbereiche zugegriffen werden, indem die spekulative Ausführung des Befehls ausgenutzt wird. Betroffen sind alle Intel-CPUs seit Ivy Bridge von 2012, von Microsoft gibt es bereits Patches für Windows 10. --------------------------------------------- https://www.golem.de/news/swapgsattack-seitenkanal-schwachstelle-trifft-wie… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (hostapd), openSUSE (aubio and spamassassin), Oracle (kernel), Red Hat (augeas, kernel-rt, libssh2, perl, procps-ng, redis:5, and systemd), SUSE (bzip2, evince, kernel, linux-azure, nodejs4, nodejs8, osc, python, python-Twisted, and python3), and Ubuntu (BWA and Mercurial). --------------------------------------------- https://lwn.net/Articles/795626/ ∗∗∗ Security Advisory - Double Free Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190807-… ∗∗∗ Security Advisory - Information Leak Vulnerability on Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190807-… ∗∗∗ HPESBST03938 rev.1 - Command View Advanced Edition (CVAE) Products, Local and Remote Access Restriction Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2019
by Daily end-of-shift report 06 Aug '19

06 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 05-08-2019 18:00 − Dienstag 06-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mass Spoofing Campaign Takes Aim at Walmart ∗∗∗ --------------------------------------------- The sites are targeting job-seekers, movie aficionados and shoppers in hopes of harvesting their personal information. --------------------------------------------- https://threatpost.com/mass-spoofing-campaign-walmart/146994/ ∗∗∗ LokiBot Gains New Persistence Mechanism, Uses Steganography to Hide Its Tracks ∗∗∗ --------------------------------------------- First advertised as an information stealer and keylogger when it first appeared in underground forums, LokiBot has added various capabilities over the years. Recent activity has seen the malware family abusing Windows Installer for its installation and introducing a new delivery method that involves spam mails containing malicious ISO file attachments. Our analysis of a new LokiBot variant shows that it has improved its capabilities [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/_k1Sozs3GX4/ ∗∗∗ Malicious Plugin Used to Encrypt WordPress Posts ∗∗∗ --------------------------------------------- During a recent cleanup, we found an interesting malicious WordPress plugin, "WP Security", that was being used to encrypt blog post content. The website owner complained of a newly installed and activated plugin on their website that was rendering their original content unreadable. --------------------------------------------- https://blog.sucuri.net/2019/08/malicious-plugin-used-to-encrypt-wordpress-… ∗∗∗ Code-Signed malware: Whats all the buzz about? Looking at the "Ryuk" ransomware as an example. ∗∗∗ --------------------------------------------- Certificates are an established method for verifying the legitimacy of an application. If malicious actors succeed in undermining a certificate authority (CA) by either stealing a valid certificate or compromising the CA, the entire model unravels. We have taken a look at a case where this has happened. --------------------------------------------- https://www.gdatasoftware.com/blog/2019/08/35046-whats-all-the-buzz-about-l… ∗∗∗ Erstmals gezielte Spionage-Angriffe über "intelligente Dinge" dokumentiert ∗∗∗ --------------------------------------------- Die Hacker, die in den Bundestag einbrachen, haben eine neue Angriffstechnik im Repertoire: Sie steigen über Drucker oder VoIP-Phones in Firmennetze ein. --------------------------------------------- https://heise.de/-4489325 ∗∗∗ Hinter dem Shop sportfroger.com steckt Betrug ∗∗∗ --------------------------------------------- sportfroger.com bietet ein breites Sortiment an Sportgeräten. Ob Ergometer, Hantelsets oder Laufband – hier finden Konsument/innen was sie suchen. Nach einer Zahlung per Vorkasse folgt der Schock, denn die bestellte Ware wird nie geliefert und das Geld ist verloren. --------------------------------------------- https://www.watchlist-internet.at/news/hinter-dem-shop-sportfrogercom-steck… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Google sichert Android gegen "QualPwn" und andere kritische Lücken ab ∗∗∗ --------------------------------------------- Auch diesen Monat weist Google auf beseitigte Android-Lücken hin. Mit dabei: eine Exploit-Chain aus teils kritischen Qualcomm-Lücken namens QualPwn. --------------------------------------------- https://heise.de/-4489232 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium), Debian (glib2.0 and python-django), Fedora (gvfs, kernel, kernel-headers, kernel-tools, and subversion), Oracle (icedtea-web, nss and nspr, and ruby:2.5), Red Hat (advancecomp, bind, binutils, blktrace, compat-libtiff3, curl, dhcp, elfutils, exempi, exiv2, fence-agents, freerdp and vinagre, ghostscript, glibc, gvfs, http-parser, httpd, kde-workspace, keepalived, kernel, kernel-rt, keycloak-httpd-client-install, libarchive, libcgroup, [...] --------------------------------------------- https://lwn.net/Articles/795506/ ∗∗∗ Cisco Small Business 220 Series Smart Switches Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business 220 Series Smart Switches Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business 220 Series Smart Switches Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2019
by Daily end-of-shift report 05 Aug '19

05 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-08-2019 18:00 − Montag 05-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Dragonfly: Neue Sicherheitslücken in Verschlüsselungsstandard WPA3 ∗∗∗ --------------------------------------------- Wie lange ein kryptografisches Verfahren braucht, kann ungewollt Informationen verraten. Mit einer solchen Schwachstelle konnten Forscher Passwörter bei der WLAN-Verschlüsselung WPA3 knacken. --------------------------------------------- https://www.golem.de/news/dragonfly-neue-sicherheitsluecken-in-verschluesse… ∗∗∗ MegaCortex Ransomware Revamps for Mass Distribution ∗∗∗ --------------------------------------------- Manual steps have been replaced by automation. --------------------------------------------- https://threatpost.com/megacortex-ransomware-mass-distribution/146933/ ∗∗∗ Combining Low Tech Scams: SMS + SET + Credit Card Harvesting, (Fri, Aug 2nd) ∗∗∗ --------------------------------------------- As Infosec folks, we spend a lot of time on the latest and greatest exploits, attacks and malware - we seem to be (abnormally) driven towards continuing education in our field. This is a great thing, but often we lose sight of the fact that the attackers dont always try so hard. --------------------------------------------- https://isc.sans.edu/diary/rss/25198 ∗∗∗ Erpressungstrojaner GermanWiper löscht Daten ∗∗∗ --------------------------------------------- Lösegeld hilft nicht: Wer den GermanWiper aktiviert, dessen Daten werden nicht etwa wiederherstellbar verschlüsselt, sondern endgültig mit Nullen überschrieben. --------------------------------------------- https://heise.de/-4487825 ∗∗∗ Say hello to Lord Exploit Kit ∗∗∗ --------------------------------------------- In this blog, we take a look at a new exploit kit distributed via malvertising that calls itself Lord EK. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2019/08/say-hello-to-lord-exp… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in NVIDIA Windows GPU Display Driver, VMware ESXi, Workstation and Fusion ∗∗∗ --------------------------------------------- VMware ESXi, Workstation and Fusion are affected by an out-of-bounds write vulnerability that can be triggered using a specially crafted shader file. This vulnerability can be triggered from a VMware guest, affecting the VMware host, leading to a crash (denial-of-service) of the vmware-vmx.exe process on the host (TALOS-2019-0757). However, when the host/guest systems are using an NVIDIA graphics card, the VMware [...] --------------------------------------------- https://blog.talosintelligence.com/2019/08/nvidia-vmware-gpu-rce-vulnerabil… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2019-0012 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation and Fusion updates address out-of-bounds read/write vulnerabilities (CVE-2019-5521, CVE-2019-5684) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0012.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (proftpd-dfsg and vim), Fedora (java-11-openjdk and matrix-synapse), Gentoo (binutils and libpng), Mageia (kernel), and SUSE (openexr and python-Django). --------------------------------------------- https://lwn.net/Articles/795344/ ∗∗∗ ZDI-19-687: (0Day) SolarWinds Orion Network Performance Monitor ExecuteExternalProgram Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-687/ ∗∗∗ Linux kernel vulnerability CVE-2017-12190 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K93472064 ∗∗∗ poppler: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0687 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2019
by Daily end-of-shift report 02 Aug '19

02 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-08-2019 18:00 − Freitag 02-08-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Orgs network connect to GitHub and Pastebin much? Its a Rocke road to cryptojacking country ∗∗∗ --------------------------------------------- You might also be slurping Chinese malware Palo Alto Networks has spotted a new cryptomining malware technique that not only wipes out any other miners present on the target machine but uses GitHub and Pastebin as part of its command-and-control (C2) infrastructure.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2019/08/01/palo_alto_n… ∗∗∗ Google Project Zero: 95.8% of all bug reports are fixed before deadline expires ∗∗∗ --------------------------------------------- Google Project Zero: Disclosing technical bug reports and PoCs help defenders more than attackers. --------------------------------------------- https://www.zdnet.com/article/google-project-zero-95-8-of-all-bug-reports-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Veritas Resiliency Platform (VRP) Traversal / Command Execution ∗∗∗ --------------------------------------------- Topic: Veritas Resiliency Platform (VRP) Traversal / Command Execution Risk: High Text:Four vulnerabilities have been fixed in VRP 3.4 HF1, one of which is of critical severity. Directory traversal vulnerability... --------------------------------------------- https://cxsecurity.com/issue/WLB-2019080002 ∗∗∗ Advantech WebAccess HMI Designer ∗∗∗ --------------------------------------------- This advisory provides mitigation recommendations for an out-of-bounds write vulnerability reported in the Advantech WebAccess HMI Designer product. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-213-01 ∗∗∗ Fuji Electric FRENIC Loader ∗∗∗ --------------------------------------------- This advisory includes mitigations for an out-of-bounds read vulnerability reported in the Fuji Electric FRENIC Loader AC drive. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-213-02 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 ∗∗∗ --------------------------------------------- This advisory includes mitigations for two vulnerabilities, unverified ownership and uncontrolled memory allocation, reported in the 3S-Smart Software Solutions GmbH CODESYS V3 products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-213-03 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 ∗∗∗ --------------------------------------------- This advisory includes mitigations for an insufficiently protected credentials vulnerability reported in the 3S-Smart Software Solutions GmbH CODESYS V3 products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-213-04 ∗∗∗ Rockwell Automation Arena Simulation Software ∗∗∗ --------------------------------------------- This advisory provides information about, and mitigation recommendations for, two vulnerabilities reported in the Rockwell Automation Arena Automation software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-213-05 ∗∗∗ SSA-632562 (Last Update: 2019-08-02): Vulnerabilities in SIPROTEC 5 Ethernet plug-in communication modules and devices ∗∗∗ --------------------------------------------- The SIPROTEC 5 Ethernet plug-in communication modules and devices are affected by multiple security vulnerabilities. These vulnerabilities could allow an attacker to leverage various attacks, e.g. to execute arbitrary code over the network.Eleven of these vulnerabilities affect the underlying Wind River VxWorks network stack and were recently patched by Wind River. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-632562.txt ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and thunderbird), openSUSE (openexr and rmt-server), Oracle (bind, container-tools:rhel8, cyrus-imapd, dotnet, edk2, firefox, flatpak, freeradius:3.0, ghostscript, gvfs, httpd:2.4, java-1.8.0-openjdk, java-11-openjdk, kernel, mod_auth_mellon, pacemaker, pki-deps:10.6, python-jinja2, python27:2.7, python3, python36:3.6, systemd, thunderbird, vim, virt:rhel, WALinuxAgent, and wget), Slackware (mariadb), SUSE (java-1_8_0-openjdk, polkit, and [...] --------------------------------------------- https://lwn.net/Articles/795223/ ∗∗∗ HPESBST03946 rev.1 - HPE 3PAR StoreServ Management Console (SSMC), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03942 rev.1 - 3PAR Service Processor 5.0.5, Multiple remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ QEMU: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0683 ∗∗∗ PHP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0684 ∗∗∗ IBM Security Bulletin: IBM Cloud Private ingress log files contain sensitive information (CVE-2019-4284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-ing… ∗∗∗ IBM Security Bulletin: IBM MQ clients are vulnerable to a denial of service attack caused by consuming specifically crafted messages (CVE-2019-4261) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-clients-are-vu… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2018-5391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-announced-a-r… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ IBM Security Bulletin: IBM WebSphere Application Server Security Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2019-4046, CVE-2018-1902, CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-websphere-applica… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the Linux kernel affect the IBM FlashSystem models V840 and V9000 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2019
by Daily end-of-shift report 01 Aug '19

01 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-07-2019 18:00 − Donnerstag 01-08-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Brand-New SystemBC Proxy Malware Spotted Using SOCKS5 for Stealth ∗∗∗ --------------------------------------------- The proxy is being distributed by the RIG and Fallout exploit kits. --------------------------------------------- https://threatpost.com/systembc-proxy-malware-socks5-stealth/146879/ ∗∗∗ Unpatched Flaws in IoT Smart Deadbolt Open Homes to Danger ∗∗∗ --------------------------------------------- Researchers are warning that unpatched flaws found in the Hickory Smart Bluetooth Enabled Deadbolt allow an attacker with access to a victims phone to break into their houses. --------------------------------------------- https://threatpost.com/unpatched-flaws-in-iot-smart-deadbolt-open-homes-to-… ∗∗∗ Google Chrome: Sicherheitsupdate mit 43 Security-Fixes veröffentlicht ∗∗∗ --------------------------------------------- Google hat für die kürzlich erschienene Chrome-Version 76 ein Update veröffentlicht. Einige der gefixten Sicherheitslücken weisen den Schweregrad "High" auf. --------------------------------------------- https://heise.de/-4485571 ∗∗∗ No summer break for Magecart as web skimming intensifies ∗∗∗ --------------------------------------------- Despite the heat, criminals are hard at work stealing credit card data from unaware shoppers. July marks a notable increase in web skimmer attacks over previous months. --------------------------------------------- https://blog.malwarebytes.com/web-threats/2019/08/no-summer-break-for-magec… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache Subversion svnserve vulnerabilities ∗∗∗ --------------------------------------------- The recent releases of Apache Subversion 1.12.2, 1.10.6, 1.9.12, contain fixes for two security issues, CVE-2018-11782 and CVE-2019-0203. These issues affect Subversion svnserve servers. We encourage server operators to upgrade to the latest appropriate version as soon as reasonable. --------------------------------------------- https://seclists.org/oss-sec/2019/q3/105 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (httpd, libssh2, and qemu-kvm), Debian (glib2.0, squirrelmail, subversion, and wpa), Fedora (proftpd), Oracle (icedtea-web), Red Hat (icedtea-web), Scientific Linux (icedtea-web), SUSE (icedtea-web, java-1_7_0-openjdk, subversion, and zypper, libzypp and libsolv), and Ubuntu (linux-hwe, openjdk-lts, pango1.0, python-django, and subversion). --------------------------------------------- https://lwn.net/Articles/795082/ ∗∗∗ Cisco Nexus 9000 Series ACI Mode Switch Software Link Layer Discovery Protocol Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Remote Execution Vulnerability Affects Red Hat Linux Used By IBM WebSphere Application Server in IBM Cloud (CVE-2019-12735) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-remote-execution-vuln… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK (April 2019) affecting IBM Application Delivery Intelligence for IBM Z V5.1.0, V5.0.5, and V5.0.4 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-… ∗∗∗ IBM Security Bulletin: Information disclosure in WebSphere Application Server Admin Console in IBM Cloud (CVE-2019-4269) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: IBM Jazz for Service Management could allow an unauthorized local user to create unique catalog names that could cause a denial of service (CVE-2019-4275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-jazz-for-service-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect for Enterprise Resource Planning (CVE-2018-1890, CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2018-1890, CVE-2018-12547) Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Password disclosure via application trace affects IBM Spectrum Protect for Enterprise Resource Planning (CVE-2018-1987) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-v… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services for Multi-Platform v2.1.1 is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ IcedTea-Web: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0679 ∗∗∗ Symantec Endpoint Protection: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0681 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2019
by Daily end-of-shift report 31 Jul '19

31 Jul '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-07-2019 18:00 − Mittwoch 31-07-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Smart Home: Philips Hue und Kameras über unsichere Protokolle gehackt ∗∗∗ --------------------------------------------- Sicherheitsforschern ist es gelungen, Steuerungsbefehle an Überwachungskameras und Philips-Hue-Lampen zu schicken. Die Geräte übertragen Daten und Befehle standardmäßig auf eine unsichere Weise. --------------------------------------------- https://www.golem.de/news/smart-home-philips-hue-und-kameras-ueber-unsicher… ∗∗∗ Keeping a Hidden Identity: Mirai C&Cs in Tor Network ∗∗∗ --------------------------------------------- We found new samples of Mirai targeting IP cameras and DVRs with exposed ports and default credentials. Like its predecessors, it allows attackers remote access and the use of infected devices to form a botnet for DDoS attacks. However, the C&Cs were traced back to the Tor network, keeping the cybercriminals identities anonymous and protecting the servers from being shut down despite discovery. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/keeping-a-hidde… ∗∗∗ IoT home security camera allows hackers to listen in over HTTP ∗∗∗ --------------------------------------------- "The Amcrest IP2M-841B IP camera firmware version V2.520.AC00.18.R does not require authentication to access the HTTP endpoint /videotalk," the vulnerabilitys description reads. "An unauthenticated, remote person can connect to this endpoint and listen to the audio the camera is capturing." --------------------------------------------- https://www.zdnet.com/article/iot-home-security-camera-allows-hackers-to-li… ∗∗∗ Malvertising: Online Advertisings Darker Side ∗∗∗ --------------------------------------------- The days of installing a basic ad blocker on your web browser and expecting full protection are gone. Between the sites that require them to be disabled and the ability for advertisers to pay to evade them, ad blockers alone are not sufficient. As this blog will cover in detail, malvertising is a problem not strictly associated with basic web browsing. It can also come with other software programs including adware or potentially unwanted applications (PUA). These latter examples require the most attention. --------------------------------------------- https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html ∗∗∗ Gefährliche PayPal Phishing-Nachrichten in Umlauf ∗∗∗ --------------------------------------------- Vorsicht vor betrügerischen Nachrichten im Namen PayPals, die an zahlreiche Konsument/innen verschickt werden. In der E-Mail wird behauptet, das Konto sei eingeschränkt worden und die Daten müssten bestätigt werden. Es handelt sich um einen Versuch Krimineller, an Zahlungsdaten zu kommen, um diese für weitere Verbrechen missbrauchen zu können! --------------------------------------------- https://www.watchlist-internet.at/news/gefaehrliche-paypal-phishing-nachric… ∗∗∗ Gefälschte DHL-Mails enthalten gefährliche Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden massenhaft E-Mails, in denen sie sich als DHL ausgeben und behaupten, dass Ihr Paket nicht zugestellt werden konnte. Nähere Infos, über das weitere Vorgehen, finden Sie angeblich im Dateianhang. Öffnen Sie keinesfalls die Datei, es handelt sich um Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-dhl-mails-enthalten-gefa… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates verfügbar: OXID eShop repariert verwundbares Admin-Panel ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in mehreren OXID-eShop-Versionen ermöglichte das Einschleusen und Ausführen beliebiger SQL-Befehle mittels speziell präparierter URLs. --------------------------------------------- https://heise.de/-4484390 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, curl, and kernel), Debian (libssh2), Fedora (kernel, kernel-headers, and oniguruma), openSUSE (chromium, openexr, thunderbird, and virtualbox), Oracle (389-ds-base, curl, httpd, kernel, and libssh2), Red Hat (nss and nspr and ruby:2.5), Scientific Linux (httpd and kernel), SUSE (java-1_8_0-openjdk, mariadb, mariadb-connector-c, polkit, and python-requests), and Ubuntu (openjdk-8, openldap, and sox). --------------------------------------------- https://lwn.net/Articles/795007/ ∗∗∗ Prima Systems FlexAir ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-211-02 ∗∗∗ IBM Security Bulletin: IBM Netcool Agile Service Manager is affected by a Jetty vulnerability (CVE-2018-12545) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-netcool-agile-ser… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio (CVE-2019-2684) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-ident… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Secure Gateway is affected by a Denial of Service vulnerability (CVE-2019-5428) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-secure-gateway-is-aff… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2019
by Daily end-of-shift report 30 Jul '19

30 Jul '19

===================== = End-of-Day report = ===================== Timeframe: Montag 29-07-2019 18:00 − Dienstag 30-07-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ E-Bikes nicht bei limebikes.de bestellen ∗∗∗ --------------------------------------------- Haben Sie vor, sich ein E-Bike zu kaufen? Dann sollten Sie es keinesfalls bei limebikes.de bestellen. Die ansprechende Website und die unschlagbaren Preise sind Fake, es handelt sich um einen betrügerischen Shop. Ihr Bike wird trotz Bezahlung nie geliefert! --------------------------------------------- https://www.watchlist-internet.at/news/e-bikes-nicht-bei-limebikesde-bestel… ===================== = Vulnerabilities = ===================== ∗∗∗ PowerDNS Security Advisory 2019-06: Denial of service via crafted zone records ∗∗∗ --------------------------------------------- Updated packages (that only contain a Postgres schema change) will be released later. Just upgrading at that time will not fix the vulnerability - applying the schema change is mandatory. --------------------------------------------- https://mailman.powerdns.com/pipermail/pdns-announce/2019-July/001123.html ∗∗∗ OpenSSL Security Advisory: Windows builds with insecure path defaults (CVE-2019-1552) ∗∗∗ --------------------------------------------- OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. ... However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of C:/usr/local, which may be world writable, which enables untrusted users to modify OpenSSLs default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. Severity: Low --------------------------------------------- https://www.openssl.org/news/secadv/20190730.txt ∗∗∗ Google Project Zero: Sechs interaktionslose iMessage-Lücken, eine ohne Patch ∗∗∗ --------------------------------------------- Das Sicherheitsprojekt der Suchmaschine hat ein halbes Dutzend Fehler im Apple-Betriebssystem iOS offengelegt, davon diverse kritische. --------------------------------------------- https://heise.de/-4483807 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cutter-re and radare2), Oracle (389-ds-base, httpd, kernel, libssh2, and qemu-kvm), Red Hat (389-ds-base, chromium-browser, curl, docker, httpd, keepalived, kernel, kernel-alt, kernel-rt, libssh2, perl, podman, procps-ng, qemu-kvm, qemu-kvm-ma, ruby, samba, and vim), Scientific Linux (389-ds-base, curl, libssh2, and qemu-kvm), SUSE (bzip2 and openexr), and Ubuntu (python-urllib3 and tmpreaper). --------------------------------------------- https://lwn.net/Articles/794920/ ∗∗∗ 2019-07-30: Cyber Security Notification - WindRiver VxWorks IPNet Vulnerabilities, impact on High Voltage Products ∗∗∗ --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=2GHV057194&LanguageC… ∗∗∗ 2019-07-30: Cyber Security Notification - WindRiver VxWorks IPNet Vulnerabilities, impact on ABB Power Grids - Grid Automation products ∗∗∗ --------------------------------------------- https://new.abb.com/news/detail/28733/cyber-security-notification ∗∗∗ 2019-07-30: Cyber Security Notification - WindRiver VxWorks IPNet Vulnerabilities, impact on ABB Robot Controller Software ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=SI20192&LanguageCod… ∗∗∗ 2019-07-30: Cyber Security Notification - WindRiver VxWorks IPNet Vulnerabilities, impact on AC 800PEC ∗∗∗ --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A6671&Lang… ∗∗∗ Security Advisory - Three Vulnerabilities in Huawei PCManager Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190710-… ∗∗∗ IBM Security Bulletin: IBM StoredIQ is affected by a missing function level access control vulnerability (CVE-2019-4163) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-storediq-is-affec… ∗∗∗ IBM Security Bulletin: IBM StoredIQ is affected by a denial of service attack vulnerability (CVE-2019-4165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-storediq-is-affec… ∗∗∗ IBM Security Bulletin: External Service invocation in IBM Business Space affects IBM Business Monitor (CVE-2018-1885) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-external-service-invo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2019
by Daily end-of-shift report 29 Jul '19

29 Jul '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-07-2019 18:00 − Montag 29-07-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Rare Steganography Hack Can Compromise Fully Patched Websites ∗∗∗ --------------------------------------------- An unusual steganographic technique that an attacker can use to implant a malicious webshell on unsuspecting websites has been spotted in Latin America. According to research from Trustwave shared exclusively with Threatpost, a forensic investigation showed that an adversary is implanting PHP code into JPEG files’ EXIF headers in order to upload malware onto targeted websites. --------------------------------------------- https://threatpost.com/rare-steganography-hack-can-compromise-fully-patched… ∗∗∗ A VxWorks Operating System Bug Exposes 200 Million Critical Devices ∗∗∗ --------------------------------------------- VxWorks is designed as a secure, "real-time" operating system for continuously functioning devices, like medical equipment, elevator controllers, or satellite modems. --------------------------------------------- https://www.wired.com/story/vxworks-vulnerabilities-urgent11 ∗∗∗ Finding Evil in Windows 10 Compressed Memory, Part One: Volatility andRekall Tools ∗∗∗ --------------------------------------------- Paging all digital forensicators, incident responders, and memory manager enthusiasts! Have you ever found yourself at a client site working around the clock to extract evil from a Windows 10 image? Have you hit the wall at step zero, running into difficulties viewing a process tree, or enumerating kernel modules? Or even worse, had to face the C-Suite and let them know you couldn’t find any evil? Well fear no more – FLARE has you covered. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/07/finding-evil-in-windows… ∗∗∗ Examining the Link Between TLD Prices and Abuse ∗∗∗ --------------------------------------------- Briefing Over the years, McAfee researchers have observed that certain new top-level Domains (TLDs) are more likely to be abused by cyber criminals for malicious activities than others. Our investigations reveal a negative relationship between the likelihood for abuse and registration price of some TLDs, as reported by the McAfee URL and email intelligence team. --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/examining-the-l… ===================== = Vulnerabilities = ===================== ∗∗∗ BlackBerry Powered by Android Security Bulletin - July 2019 ∗∗∗ --------------------------------------------- BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ iTunes und iCloud für Windows mit Sicherheitslücken – Updates einspielen ∗∗∗ --------------------------------------------- iTunes 12.9.6 und iCloud für Windows sollen kritische Schwachstellen beseitigen, die Apple auch in eigenen Betriebssystemen behoben hat. --------------------------------------------- https://heise.de/-4480524 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (patch, sdl-image1.2, and unzip), Fedora (deepin-clone, dtkcore, dtkwidget, and sqlite), Mageia (virtualbox), openSUSE (firefox), and SUSE (cronie and firefox). --------------------------------------------- https://lwn.net/Articles/794838/ ∗∗∗ LibreOffice: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in LibreOffice ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0662 ∗∗∗ Trend Micro OfficeScan: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode und DoS ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro OfficeScan ausnutzen, um beliebigen Programmcode mit den Rechten des Dienstes auszuführen und um einen Denial of Service zu verursachen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0666 ∗∗∗ OpenLDAP: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- OpenLDAP ist eine frei verfügbare Implementierung des Verzeichnisdienstes LDAP. Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in OpenLDAP ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0665 ∗∗∗ xpdf: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in xpdf ausnutzen, um beliebigen Programmcode auszuführen, einen Denial of Service Zustand herzustellen oder Informationen auszuspähen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0663 ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by an issue with API endpoints behind the ‘docker cp’ ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… ∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty Admin Center (CVE-2019-4285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Digital Payments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Asset Analyzer. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Digital Payments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM i2 Intelligent Analyis Platform is affected by a XML External Entity (XXE) vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i2-intelligent-an… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Digital Payments for Multi-Platform is affected by vulnerabilities in IBM Java Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Planning Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-1871) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ HPESBUX03927 rev.1 - HP-UX BIND, Remote Denial of Service (DoS) and Remote Unauthorized Data Modification ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03944 rev.1 - HPE HP2910al-48G switches, local Arbitrary Command Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2019
by Daily end-of-shift report 26 Jul '19

26 Jul '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-07-2019 18:00 − Freitag 26-07-2019 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ No More Ransom Success Story: Saves $108+ Million in Ransomware Payments ∗∗∗ --------------------------------------------- Today marks the third anniversary of No More Ransom and through its partners from the public and private sectors, law enforcement, academia, and researchers, the project has been able to help hundreds of thousands, if not millions, of victims get their encrypted files back for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/no-more-ransom-success-story… ∗∗∗ New Loader Variant Behind Widespread Malware Attacks ∗∗∗ --------------------------------------------- Malware infection technique called TxHollower gets updated with stealthy features. --------------------------------------------- https://threatpost.com/new-loader-variant-behind-widespread-malware-attacks… ∗∗∗ MyDoom Still Active in 2019 ∗∗∗ --------------------------------------------- MyDoom is an infamous computer worm first noted in early 2004. This malware has been featured in top ten lists of the most destructive computer viruses, causing an estimated $38 billion in damage. Although now well past its heyday, MyDoom continues to be a presence in the cyber threat landscape. While not as prominent as other malware families, over the past few years MyDoom has remained relatively consistent, averaging approximately 1.1 percent of all emails we see with malware attachments. --------------------------------------------- https://unit42.paloaltonetworks.com/mydoom-still-active-in-2019/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libssh2 and patch), Fedora (kernel and kernel-headers), Mageia (vlc), Red Hat (rh-redis32-redis), SUSE (libgcrypt, libsolv, libzypp, zypper, and rmt-server), and Ubuntu (exim4, firefox, libebml, linux, linux-aws, linux-kvm, linux-raspi2, and vlc). --------------------------------------------- https://lwn.net/Articles/794694/ ∗∗∗ Vuln: Qualcomm Components CVE-2019-2307 Integer Underflow Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/109383 ∗∗∗ Security Advisory - DoS Vulnerability in Huawei S Series Switch Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190522-… ∗∗∗ Security Advisory - DoS Vulnerability in RTSP Module of Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190523-… ∗∗∗ IBM Security Bulletin: ViewONE is vulnerable to XXE attack via HTTP payload (CVE-2019-4456) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-viewone-is-vulnerable… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential SQL Injection vulnerability (CVE-2019-4032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ cURL and libcurl vulnerability CVE-2019-5436 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55133295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily