=====================
= End-of-Day report =
=====================
Timeframe: Monday 16-07-2018 18:00 − Tuesday 17-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication ∗∗∗
---------------------------------------------
Blackgear (also known as Topgear and Comnie) is a cyberespionage campaign dating back to 2008, at least based on the Protux backdoor used by its operators. It targets organizations in Japan, South Korea, and Taiwan, leveling its attacks on public sector agencies and telecommunications and other high-technology industries. In 2016, for instance, we ..
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/6Rxca1hyaeA/
∗∗∗ Security updates: attackers could overwrite passwords in Typo3 ∗∗∗
---------------------------------------------
The free content management system Typo3 contains several security vulnerabilities, some of them critical. Patches close several of the flaws.
---------------------------------------------
http://heise.de/-4111640
∗∗∗ 007: Protection software with a licence to kill Spectre code ∗∗∗
---------------------------------------------
A new protection technique, named after James Bond, is meant to detect and eliminate Spectre vulnerabilities in program code at a cost of only 2 percent in performance.
---------------------------------------------
http://heise.de/-4112150
∗∗∗ A deep dive down the Vermin RAThole ∗∗∗
---------------------------------------------
ESET researchers have analyzed remote access tools cybercriminals have been using in an ongoing espionage campaign to systematically spy on Ukrainian government institutions ..
---------------------------------------------
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-4247 ruby-rack-protection - security update ∗∗∗
---------------------------------------------
A timing attack was discovered in the function for CSRF token validation of the Ruby rack protection framework.
---------------------------------------------
https://www.debian.org/security/2018/dsa-4247
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 13-07-2018 18:00 − Monday 16-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ TLS: Mozilla, Cloudflare and Apple want encrypted SNI ∗∗∗
---------------------------------------------
With the TLS extension SNI, any number of websites, each with its own certificate, can be hosted on a single IP address. However, the domain name can be eavesdropped on by third parties. A ..
---------------------------------------------
https://www.golem.de/news/tls-mozilla-cloudflare-und-apple-wollen-verschlue…
∗∗∗ Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111) ∗∗∗
---------------------------------------------
Unit 42 shares their analysis of the DHCP Client Script Code Execution ..
---------------------------------------------
https://researchcenter.paloaltonetworks.com/2018/07/unit42-analysis-dhcp-cl…
∗∗∗ Red Alert v2.0: Misadventures in Reversing Android Bot Malware ∗∗∗
---------------------------------------------
It all started with a spam message, which curiously had an Android App attachment. The spam email vaguely claims that the attachment was a dating app for finding ..
---------------------------------------------
https://trustwave.com/Resources/SpiderLabs-Blog/Red-Alert-v2-0--Misadventur…
∗∗∗ GitHub to Pythonistas: Let us save you from vulnerable code ∗∗∗
---------------------------------------------
Third language added to security scanner
GitHub has added Python to the list of programming languages it can auto-scan for known vulnerabilities.
---------------------------------------------
www.theregister.co.uk/2018/07/16/github_to_pythonistas_let_us_save_you_from…
∗∗∗ Does malware based on Spectre exist? ∗∗∗
---------------------------------------------
The Spectre attack has received massive coverage since the beginning of 2018, and by now, it is likely that everyone in computer science has at least heard about ..
---------------------------------------------
https://www.virusbulletin.com/virusbulletin/2018/07/does-malware-based-spec…
∗∗∗ Remote maintenance tool came with a trojan on board ∗∗∗
---------------------------------------------
The remote administration software Ammyy Admin was apparently once again distributed with a trojan via the vendor's website.
---------------------------------------------
http://heise.de/-4111069
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-4246 mailman - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2018/dsa-4246
∗∗∗ DSA-4245 imagemagick - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2018/dsa-4245
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 12-07-2018 18:00 − Friday 13-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with coders ∗∗∗
---------------------------------------------
Tokens killed after eslint-scope JavaScript utility compromised
An unfortunate chain reaction was averted today after miscreants tampered with a widely used JavaScript programming tool to steal other developers' NPM login tokens.…
---------------------------------------------
www.theregister.co.uk/2018/07/12/npm_eslint/
∗∗∗ Cryptominers and stealers – malware edition ∗∗∗
---------------------------------------------
It all started in 2008 with a paper on the first decentralized digital currency, Bitcoin, created by an unknown person or persons referred to as Satoshi Nakamoto. Bitcoin is a peer-to-peer currency based on cryptography ..
---------------------------------------------
https://www.zscaler.com/blogs/research/cryptominers-and-stealers-malware-ed…
∗∗∗ Patchday: Critical vulnerability in SAP Business Client ∗∗∗
---------------------------------------------
In July SAP published 11 new security advisories, only one of which is rated critical. Security updates are available.
---------------------------------------------
http://heise.de/-4108062
∗∗∗ Advanced Mobile Malware Campaign in India uses Malicious MDM ∗∗∗
---------------------------------------------
Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker ..
---------------------------------------------
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Mal…
∗∗∗ Here's Why Your Static Website Needs HTTPS ∗∗∗
---------------------------------------------
It was Jan last year that I suggested HTTPS adoption had passed the "tipping point", that is, it had passed the moment of critical mass and as I said at the time, "will very shortly become the norm". Since that time, ..
---------------------------------------------
https://www.troyhunt.com/heres-why-your-static-website-needs-https/
∗∗∗ Fake World4You phishing mail in circulation ∗∗∗
---------------------------------------------
Criminals are sending out a fake World4You phishing mail. In it they ask recipients to verify themselves as the genuine account holders on a website. Customers who enter their personal data there hand it straight to data thieves, and crimes committed in their name become possible.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-world4you-phishingmail-i…
∗∗∗ IT security - Extortionists send threatening mails containing real passwords ∗∗∗
---------------------------------------------
They claim to have filmed users while visiting porn sites and demand "hush money"
---------------------------------------------
https://derstandard.at/2000083434963/Erpresser-verschicken-Drohmails-mit-ec…
=====================
= Vulnerabilities =
=====================
∗∗∗ Eaton 9000X Drive ∗∗∗
---------------------------------------------
This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in the Eaton 9000X Drive.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-193-01
∗∗∗ JSA10864 - 2018-07 Security Bulletin: Junos OS: Junos OS: MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2), PTX3K-FPC3 and PTX1K: Line card may crash upon receipt of specific MPLS packet (CVE-2018-0030) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10864&actp=RSS
∗∗∗ Critical Patch Update - July 2018 - Pre-Release Announcement ∗∗∗
---------------------------------------------
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-07-2018 18:00 − Thursday 12-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis ∗∗∗
---------------------------------------------
Much of cybercrime today is fueled by underground markets where malware and cybercriminal services are available for purchase. These markets in the deep web commoditize malware operations. Even novice cybercriminals can buy malware toolkits and other services they ..
---------------------------------------------
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogg…
∗∗∗ Ransomware is so 2017, it's all cryptomining now among the script kiddies ∗∗∗
---------------------------------------------
Plus: Hackers take crack at cloud, phones come pre-pwned, malware's going multi-plat
The number of organisations affected by cryptomining malware in the first half of 2018 ramped up to 42 per cent, compared to 20.5 per cent ..
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/07/12/malware_sit…
∗∗∗ Mitigating Spectre with Site Isolation in Chrome ∗∗∗
---------------------------------------------
Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we're excited to announce that Chrome 67 has enabled a security ..
---------------------------------------------
https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolat…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Web Security Appliance Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ TYPO3-CORE-SA-2018-003: Privilege Escalation & SQL Injection in TYPO3 CMS ∗∗∗
---------------------------------------------
It has been discovered that TYPO3 CMS is vulnerable to Privilege Escalation and SQL Injection.
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2018-003/
∗∗∗ TYPO3-CORE-SA-2018-002: Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS ∗∗∗
---------------------------------------------
It has been discovered that TYPO3 CMS is vulnerable to Insecure Deserialization and Arbitrary Code Execution.
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2018-002/
∗∗∗ TYPO3-CORE-SA-2018-001: Authentication Bypass in TYPO3 CMS ∗∗∗
---------------------------------------------
It has been discovered that TYPO3 CMS is vulnerable to Authentication Bypass.
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2018-001/
∗∗∗ EU Cookie Compliance - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2018-047
∗∗∗ Remote Code Execution and Local File Disclosure in Zeta Producer Desktop CMS ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-…
∗∗∗ Synology-SA-18:35 File Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_18_35
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-07-2018 18:00 − Wednesday 11-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ CoinRocket GmbH is recruiting "financial managers" for criminal work ∗∗∗
---------------------------------------------
CoinRocket GmbH, based in Hard in Styria, operates the website coinrocket.at. On job portals the alleged company advertises a home-based position as financial administration assistant. Applicants have to disclose their bank account details for this job and are expected to forward incoming payments. The money comes from crime, and the "financial managers" make themselves liable to prosecution by taking part.
---------------------------------------------
https://www.watchlist-internet.at/news/coinrocket-gmbh-sucht-finanzverwalte…
∗∗∗ New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed ∗∗∗
---------------------------------------------
Two security researchers have revealed details about two new Spectre-class vulnerabilities, which they've named Spectre 1.1 and Spectre 1.2. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-spectre-11-and-spectre-1…
∗∗∗ Internet: Many ISPs simply pass BGP problems on ∗∗∗
---------------------------------------------
Time and again, BGP hijacking redirects internet traffic, and bogus BGP routes are likewise simply forwarded. An analysis shows that the large ISPs do too little about this. There are, however, remedies against particularly malicious actors. (BGP, DE-CIX)
---------------------------------------------
https://www.golem.de/news/internet-viele-isps-geben-bgp-probleme-einfach-we…
∗∗∗ July 2018 Security Update Release ∗∗∗
---------------------------------------------
Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found on the Security Update Guide.
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2018/07/10/july-2018-security-upda…
∗∗∗ Department of Commerce Report on the Botnet Threat ∗∗∗
---------------------------------------------
Last month, the US Department of Commerce released a report on the threat of botnets and what to do about it. I note that it explicitly said that the IoT makes the threat worse, and that the solutions are largely economic.
---------------------------------------------
https://www.schneier.com/blog/archives/2018/07/department_of_c.html
∗∗∗ Intel, Microsoft, Adobe release a swarm of bug fixes to ruin your week ∗∗∗
---------------------------------------------
Massive patch dump with 112 fixes... and that's just for the Photoshop giant
IT admins face a busy week ahead as Microsoft, Intel, and Adobe have issued bundles of scheduled security fixes addressing more than 150 CVE-listed vulnerabilities.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/july_patch_…
∗∗∗ Spectre-NG: Intel documents "speculative buffer overflow" ∗∗∗
---------------------------------------------
As it now turns out, Spectre-NG exploits can not only read protected memory but also write wherever they want, for the time being at least.
---------------------------------------------
http://heise.de/-4108008
=====================
= Vulnerabilities =
=====================
∗∗∗ Arch Linux PDF reader package poisoned ∗∗∗
---------------------------------------------
Trust nobody: abandoned code was adopted by a miscreant
Arch Linux has pulled a user-provided AUR (Arch User Repository) package, because it contained malware.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/07/11/someone_mod…
∗∗∗ Patchday: Critical vulnerability in SAP Business Client ∗∗∗
---------------------------------------------
In July SAP published 11 new security advisories, only one of which is rated critical. Security updates are available.
---------------------------------------------
http://heise.de/-4108062
∗∗∗ SSA-635129 (Last Update: 2018-07-11): Denial-of-Service Vulnerabilities in EN100 Ethernet Communication Module and SIPROTEC 5 relays ∗∗∗
---------------------------------------------
The EN100 Ethernet communication module and SIPROTEC 5 relays are affected by security vulnerabilities which could allow an attacker to conduct a Denial-of-Service attack over the network. Siemens has released updates for several affected products, is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-635129.pdf
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups), Oracle (kernel and qemu-kvm), Red Hat (ansible, kernel, kernel-rt, and qemu-kvm), Scientific Linux (kernel and qemu-kvm), Slackware (thunderbird), and Ubuntu (curl, firefox, imagemagick, and xapian-core).
---------------------------------------------
https://lwn.net/Articles/759525/
∗∗∗ IBM Security Bulletin: Vulnerability in IPSec-Tools affects IBM Integrated Management Module II (IMM2) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ibm10716865
∗∗∗ IBM Security Bulletin: IBM BladeCenter Virtual Fabric 10Gb Switch Module is affected by vulnerabilities in libxml2 ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ibm10715837
∗∗∗ IBM Security Bulletin: Vulnerability in bind affects IBM Integrated Management Module II (IMM2) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ibm10716769
∗∗∗ IBM Security Bulletin: FileNet Content Management Interoperability Services (CMIS), which ships with IBM Content Navigator, is affected by the ability to parse untrusted XML input containing a reference to an external entity ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22017354
∗∗∗ IBM Security Bulletin: Multiple Security Issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016643
∗∗∗ IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016869
∗∗∗ HPESBHF03856 rev.1 - Comware v7 and Intelligent Management Center Products, Remote Denial of Service ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-07-2018 18:00 − Tuesday 10-07-2018 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ APT Trends Report Q2 2018 ∗∗∗
---------------------------------------------
These summaries are a representative snapshot of what has been discussed in greater detail in our private reports during Q2 2018. They aim to highlight the significant events and findings that we feel people should be aware of.
---------------------------------------------
https://securelist.com/apt-trends-report-q2-2018/86487/
∗∗∗ Researchers Reveal Bypass for Apple’s USB Restricted Mode ∗∗∗
---------------------------------------------
Researchers released a workaround for Apple's USB Restricted Mode security feature the same day it was rolled out.
---------------------------------------------
https://threatpost.com/researchers-reveal-bypass-for-apples-usb-restricted-…
∗∗∗ Apple Patches Everything Again, (Tue, Jul 10th) ∗∗∗
---------------------------------------------
As usual for Apple patches, vulnerabilities tend to affect all/most Apple operating systems. One notable security issue that was addressed, but is not listed here, is the "USB accessory unlock" issue. This allowed systems like Greylock to unlock phones by brute forcing the passcode via the lightning port / USB. iOS 11.4.1 only allows USB devices to connect within 1 hour after the phone/tablet is locked. This is enabled by default but can be disabled by the user. OS X also fixes the [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/23852
∗∗∗ Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555/tcp), (Tue, Jul 10th) ∗∗∗
---------------------------------------------
Today, I noticed a marked increase in port 5555 scans.
---------------------------------------------
https://isc.sans.edu/diary/rss/23856
∗∗∗ What’s New in the Xen Project Hypervisor 4.11 ∗∗∗
---------------------------------------------
This release contains mitigations for the Meltdown and Spectre vulnerabilities. It is worth noting that we spent a significant amount of time on completing and optimizing fixes for Meltdown and Spectre vulnerabilities.
---------------------------------------------
https://blog.xenproject.org/2018/07/10/whats-new-in-the-xen-project-hypervi…
∗∗∗ Fraudulent holiday message from criminals ∗∗∗
---------------------------------------------
Internet users receive a message from one of their contacts saying they are abroad and need help because they have "lost their bag including passport and credit card". Recipients are therefore asked to send money abroad via Western Union, supposedly for "a ticket and the hotel bills". In reality the message comes from criminals, and money sent by international transfer is lost.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-urlaubsnachricht-von-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Acrobat and Reader (APSB18-21), Adobe Connect (APSB18-22), Adobe Experience Manager (APSB18-23) and Adobe Flash Player (APSB18-24). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the [...]
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1581
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ruby-sprockets), Red Hat (ansible and rh-git29-git), Scientific Linux (firefox), SUSE (ceph), and Ubuntu (libjpeg-turbo, ntp, and openslp-dfsg).
---------------------------------------------
https://lwn.net/Articles/759436/
∗∗∗ [webapps] D-Link DIR601 2.02 - Credential Disclosure ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/45002/?rss
∗∗∗ IBM Security Bulletin: Vulnerabilities in ntp affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10716319
∗∗∗ IBM Security Bulletin: OpenSSL vulnerabilities affect IBM NeXtScale Fan Power Controller (FPC) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ibm10716741
∗∗∗ IBM Security Bulletin: Vulnerability in Apache CXF affects IBM TRIRIGA Application Platform (CVE-2017-12624) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ibm10716291
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ibm10715747
∗∗∗ WAGO Multiple vulnerabilities in e!DISPLAY products ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2018-010
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-07-2018 18:00 − Monday 09-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers steal 2300 litres of petrol from filling station ∗∗∗
---------------------------------------------
A pump at a filling station in the USA was manipulated so that it dispensed fuel for free.
---------------------------------------------
https://futurezone.at/digital-life/hacker-stehlen-2300-liter-benzin-von-tan…
∗∗∗ In cryptoland, trust can be costly ∗∗∗
---------------------------------------------
While the legal status of cryptocurrencies and laws to regulate them continue to be hammered out, scammers are busy exploiting the digital gold rush. Besides hacking cryptocurrency exchanges, exploiting smart-contract ..
---------------------------------------------
https://securelist.com/in-cryptoland-trust-can-be-costly/86367/
∗∗∗ PROPagate Code Injection Seen in the Wild ∗∗∗
---------------------------------------------
Last year, researchers wrote about a new Windows code injection technique called PROPagate. Last week, it was first seen in malware: This technique abuses the SetWindowsSubclass function -- a process used to install or update subclass windows running on the system -- and can be used to modify the properties of windows running in the same ..
---------------------------------------------
https://www.schneier.com/blog/archives/2018/07/propagate_code_.html
∗∗∗ Stolen D-Link Certificate Used to Digitally Sign Spying Malware ∗∗∗
---------------------------------------------
Digitally signed malware has become much more common in recent years to mask malicious intentions. Security researchers have discovered a new malware campaign misusing stolen valid digital certificates from ..
---------------------------------------------
https://thehackernews.com/2018/07/digital-certificate-malware.html
∗∗∗ Domain Factory confirms January 2018 data breach ∗∗∗
---------------------------------------------
German name 'n' hosting outfit tells customers to reset passwords after hacker taunts
German hosting company Domainfactory has taken down its forums after someone posted messages alleging to have compromised the compa ..
---------------------------------------------
www.theregister.co.uk/2018/07/09/domainfactory_in_germany_confirms_brdata_b…
∗∗∗ The Worst Cybersecurity Breaches of 2018 So Far ∗∗∗
---------------------------------------------
There haven't been as many hacks and attacks compared to this time last year, but that's where the good news ends.
---------------------------------------------
https://www.wired.com/story/2018-worst-hacks-so-far
∗∗∗ Patch now! Exploit code for extremely critical vulnerability in HPE iLO4 made public ∗∗∗
---------------------------------------------
If an attacker sends a cURL request containing "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" to vulnerable HP ProLiant servers, they could take them over.
---------------------------------------------
http://heise.de/-4104590
∗∗∗ iTunes and iCloud for Windows: update strongly advised ∗∗∗
---------------------------------------------
The latest versions of Apple's media player and of its cloud support for the PC fix problematic security vulnerabilities.
---------------------------------------------
http://heise.de/-4104663
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2018-0016 ∗∗∗
---------------------------------------------
VMware ESXi, Workstation, and Fusion updates address multiple out-of-bounds read vulnerabilities
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2018-0016.html
∗∗∗ VMSA-2018-0011.1 ∗∗∗
---------------------------------------------
Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2018-0011.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bouncycastle and ca-certificates), Fedora (cantata, cinnamon, php-symfony3, and transifex-client), openSUSE (ghostscript, openssl, openvpn, php7, rubygem-yard, thunderbird, ucode-intel, and unzip), and SUSE (libqt4, nodejs8, and openslp).
---------------------------------------------
https://lwn.net/Articles/759361/
∗∗∗ VLC: Vulnerability allows execution of arbitrary program code with user privileges ∗∗∗
---------------------------------------------
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2018/07/warn…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-07-2018 18:00 − Friday 06-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ HNS Botnet Recent Activities ∗∗∗
---------------------------------------------
Author: Rootkiter, yegenshen
HNS is an IoT botnet (Hide and Seek) originally discovered by BitDefender in January this year. In that report, the researchers pointed out that HNS used CVE-2016-10401 and other vulnerabilities to propagate malicious code and steal user information. The HNS communicates through the P2P mechanism, which is [...]
---------------------------------------------
http://blog.netlab.360.com/hns-botnet-recent-activities-en/
∗∗∗ CoinImp Cryptominer and Fully Qualified Domain Names ∗∗∗
---------------------------------------------
We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period). E.g. "www.example.com", where "www" is a subdomain, "example" is a second level domain, and "com" is a top level domain. However, very few know that there is also a DNS root domain and it can be also specified in the fully qualified domain names.
---------------------------------------------
https://blog.sucuri.net/2018/07/coinimp-cryptominer-and-fully-qualified-dom…
∗∗∗ Malware undermines the Windows certificate system ∗∗∗
---------------------------------------------
More and more Trojans install their own root CAs in Windows in order to sign their malware or manipulate web page requests.
---------------------------------------------
http://heise.de/-4100993
∗∗∗ Apple patches Wi-Fi vulnerabilities on Macs running Windows ∗∗∗
---------------------------------------------
An update is intended to fix two attack vectors in the Boot Camp drivers that Macs use to run the Microsoft operating system.
---------------------------------------------
http://heise.de/-4102490
∗∗∗ Data breach at Domainfactory: hacker breaks into systems, makes off with customer data ∗∗∗
---------------------------------------------
The systems of the hosting provider Domainfactory were evidently compromised by a hacker who now has access to sensitive customer data.
---------------------------------------------
http://heise.de/-4102881
∗∗∗ IT security - Customer data stolen from electronics retailers e-tec and Ditech ∗∗∗
---------------------------------------------
Old passwords have expired and must be reset; payment data for credit cards and bank accounts not affected
---------------------------------------------
https://derstandard.at/2000082932960/Elektronikhaendler-e-tec-und-Ditech-wu…
∗∗∗ What is it that Makes a Microsoft Executable a Microsoft Executable? ∗∗∗
---------------------------------------------
What exactly is it that separates arbitrary code from code that originates from Microsoft? I would wager that the reaction of most people would be to claim, "well... if it's signed by Microsoft, then it comes from Microsoft. What else is there to talk about?"
---------------------------------------------
https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco 5000 Series Enterprise Network Compute System and Cisco UCS E-Series Servers BIOS Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in BIOS authentication management of Cisco 5000 Series Enterprise Network Compute System and Cisco Unified Computing (UCS) E-Series Servers could allow an unauthenticated, local attacker to bypass the BIOS authentication and execute actions as an unprivileged user.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ WordPress 4.9.7 Security and Maintenance Release ∗∗∗
---------------------------------------------
WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.
---------------------------------------------
https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance…
∗∗∗ Stored XSS under CA and CRL certificate view page ∗∗∗
---------------------------------------------
Javascript code and HTML tags can be injected into the CN value of CA and CRL certificates via the import CA and CRL certificates feature of the GUI. The injected code may be executed when the GUI administrator views the CA certificate details and browses CRL certificates when CN values are rendered.
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-17-305
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dokuwiki, libsoup2.4, mercurial, php7.0, and phpmyadmin), Fedora (ant, gnupg, libgit2, and libsoup), openSUSE (cairo, git-annex, postgresql95, and zsh), Scientific Linux (firefox), Slackware (mozilla), SUSE (nodejs6 and rubygem-yard), and Ubuntu (AMD microcode, devscripts, and firefox).
---------------------------------------------
https://lwn.net/Articles/759212/
∗∗∗ 2018-07-06: Vulnerability in Panel Builder 800 - Improper Input Validation ∗∗∗
---------------------------------------------
http://search-ext.abb.com/library/Download.aspx?DocumentID=3BSE092089&Langu…
∗∗∗ IBM Security Bulletin: IBM API Connect is impacted by a resource leakage vulnerability (CVE-2018-1548) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22017136
∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22017003
∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016892
∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016895
∗∗∗ IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10716005
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015940
∗∗∗ IBM Security Bulletin: Vulnerability in IBM® Java SDK affects IBM SPSS Analytic Server (CVE-2018-2602, CVE-2018-2634) ∗∗∗
---------------------------------------------
https://www-prd-trops.events.ibm.com/node/715345
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/docview.wss?uid=ibm10713469
∗∗∗ PEPPERL+FUCHS Security advisory for MELTDOWN and SPECTRE attacks in ecom mobile Devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2018-009
∗∗∗ PEPPERL+FUCHS Remote Code Execution Vulnerability in HMI Devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2018-008
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-07-2018 18:00 − Thursday 05-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ First-Ever Person Sentenced for Malicious Use of Coinhive Library ∗∗∗
---------------------------------------------
Authorities in Japan have sentenced a man for the first time for using the Coinhive JavaScript library for malicious purposes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/first-ever-person-sentenced-…
∗∗∗ Analysis: Downloader with a twist ∗∗∗
---------------------------------------------
In this latest analysis, we will stay on the topic of fileless malware. Having dissected the Rozena backdoor in the last article, we have taken a peek into another malware that uses “fileless” techniques. Case in point: a downloader.
---------------------------------------------
https://www.gdatasoftware.com/blog/07/30876-analysis-downloader-with-a-twist
∗∗∗ How to Check App Permissions on iOS, Android, Windows, and macOS ∗∗∗
---------------------------------------------
It's never a bad time to audit your app permissions. In fact, it's more important than ever.
---------------------------------------------
https://www.wired.com/story/how-to-check-app-permissions-ios-android-macos-…
∗∗∗ NSO employee offers iOS spyware Pegasus on the darknet ∗∗∗
---------------------------------------------
The secretive Israeli security firm NSO Group has lost powerful spyware tools. An insider tried to sell them on the darknet.
---------------------------------------------
http://heise.de/-4101187
∗∗∗ Gentoo's GitHub mirror compromise incident report ∗∗∗
---------------------------------------------
LWN reported on June 29 that Gentoo's GitHub mirror had been compromised. Gentoo now considers the incident resolved and the full report is available. "An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make ..
---------------------------------------------
https://lwn.net/Articles/759046/
∗∗∗ Warning about a fake Microsoft security notice ∗∗∗
---------------------------------------------
Consumers see a fake Microsoft security warning in their browser. It claims that their computer is infected with malware. For this reason they are told to call technical support and install a program on their computer. It enables criminals to steal their victims' credit card details when they pay bills.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-gefaelschtem-microsoft-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Custom Tokens - Moderately critical - Arbitrary Code Execution - SA-CONTRIB-2018-046 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2018-046
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-07-2018 18:00 − Wednesday 04-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files ∗∗∗
---------------------------------------------
Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-authors-seem-intent-…
∗∗∗ Vulnerabilities discovered in ISP routers ∗∗∗
---------------------------------------------
Vulnerabilities in routers from the manufacturer ADB allow an attacker to gain root privileges. This can also become a problem for the providers.
---------------------------------------------
http://heise.de/-4099449
∗∗∗ Phishing tales: Microsoft Access Macro (.MAM) shortcuts ∗∗∗
---------------------------------------------
Previously, I blogged about the ability to create malicious .ACCDE Microsoft Access Database files and using them as a phishing vector. This post expands on using the ACCDE format and will be introducing Microsoft Access Macro “MAM” ..
---------------------------------------------
https://posts.specterops.io/phishing-tales-microsoft-access-macro-mam-short…
=====================
= Vulnerabilities =
=====================
∗∗∗ Rockwell Automation Allen-Bradley Stratix 5950 ∗∗∗
---------------------------------------------
This advisory includes mitigations for improper input validation, improper certificate validation, and resource management error vulnerabilities in the Allen-Bradley Stratix 5950 security appliance.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-184-01
∗∗∗ Privilege escalation via Linux group manipulation in all ADB Broadband Gateways / Routers ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-lin…
∗∗∗ Authorization Bypass in all ADB Broadband Gateways / Routers ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-…
∗∗∗ Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-net…
∗∗∗ Security vulnerabilities fixed in Thunderbird 52.9 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/