October 2019 - Daily

Tageszusammenfassung - 31.10.2019
by Daily end-of-shift report 31 Oct '19

31 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-10-2019 18:00 − Donnerstag 31-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ EML attachments in O365 - a recipe for phishing, (Thu, Oct 31st) ∗∗∗ --------------------------------------------- Ive recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful. --------------------------------------------- https://isc.sans.edu/diary/rss/25474 ∗∗∗ Data URLs and HTML Entities in New WordPress Malware ∗∗∗ --------------------------------------------- Last week, an ongoing WordPress malware campaign started a new wave which included a variety of experimental injection types. Scripts as Data URLs The first type looks pretty similar to what we discussed in our recent post. However, instead of placing the code between the … tags, these injections have begun to embed them inline using a so called data URL notation in the src parameter. --------------------------------------------- https://blog.sucuri.net/2019/10/data-urls-and-html-entities-in-new-wordpres… ∗∗∗ MS-ISAC Releases EOS Software Report List ∗∗∗ --------------------------------------------- Original release date: October 30, 2019The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an end-of-support (EOS) software report list. Software that has reached its EOS date no longer receives security updates and patches from the vendor and is, therefore, susceptible to exploitation from security vulnerabilities. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/30/ms-isac-releases-e… ∗∗∗ 5th eHealth Security Conference: ENISA advises on cybersecurity for hospitals ∗∗∗ --------------------------------------------- ENISA, the EU Agency for Cybersecurity organised the 5th consecutive eHealth Security Conference in cooperation with the Spanish Authorities and the Centre for Information Security of Catalonia (CESICAT) on the 30th October in Barcelona. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/5th-ehealth-security-conference… ∗∗∗ Office 365 Users Targeted by Voicemail Scam Pages ∗∗∗ --------------------------------------------- Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious [...] --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/office-365-user… ∗∗∗ Ungenutzte E-Mail-Adressen ermöglichen Zugang zu persönlichen Konten ∗∗∗ --------------------------------------------- E-Mail-Adressen, die nicht mehr genutzt werden, werden oft neu vergeben. Wenn diese Adressen noch bei Social-Media-Konten, Gaming-Accounts, Online-Shops oder anderen Zugangsdaten hinterlegt sind, können sich die neuen BesitzerInnen Zugang zu diesen Konten verschaffen. Kriminelle nutzen das zu Betrugs- und Erpressungszwecken aus. --------------------------------------------- https://www.watchlist-internet.at/news/ungenutzte-e-mail-adressen-ermoeglic… ∗∗∗ Untitled Goose Game security hole could have allowed hackers to wreak havoc ∗∗∗ --------------------------------------------- The highly popular “Untitled Goose Game” has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer. --------------------------------------------- https://hotforsecurity.bitdefender.com/blog/untitled-goose-game-security-ho… ∗∗∗ Home & Small Office Wireless Routers Exploited to Attack Gaming Servers ∗∗∗ --------------------------------------------- Unit 42 researchers discovered an updated Gafgy variant that looks to infect home and small office WiFi routers of known commercial brands, like Zyxel, Huawei, and Realtek to attack gaming servers. More than 32,000 WiFi routers are potentially vulnerable to these exploits around the world. --------------------------------------------- https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-expl… ∗∗∗ Vorwarnung: Neue Webseite kommt nächste Woche ∗∗∗ --------------------------------------------- tl;dr: Nein, wir werden nächste Woche nicht gehackt, wir stellen nur eine neue Webseite online. --------------------------------------------- http://www.cert.at/services/blog/20191031121150-2561.html ===================== = Vulnerabilities = ===================== ∗∗∗ XSA-299 Security Vulnerability ∗∗∗ --------------------------------------------- IBM is aware of a reported XSA-299 security vulnerability (CVE-2019-18421) that potentially would permit an attacker from within a VSI to elevate privileges to that of the host.There are no known malicious exploits of this vulnerability, which potentially impacts the hypervisor.IBM is implementing updates to remediate this vulnerability. No downtime for clients is expected and no client action is necessary for IBM Cloud virtual servers. While we do not anticipate any issues with remediation, we [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/xsa-299-security-vulnerability/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (italc and python-ecdsa), Fedora (php and sudo), openSUSE (binutils and docker-runc), Oracle (thunderbird), Red Hat (firefox and sudo), SUSE (ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, [...] --------------------------------------------- https://lwn.net/Articles/803583/ ∗∗∗ XSA-303 - ARM: Interrupts are unconditionally unmasked in exception handlers ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-303.html ∗∗∗ XSA-302 - passed through PCI devices may corrupt host memory after deassignment ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-302.html ∗∗∗ XSA-301 - add-to-physmap can be abused to DoS Arm hosts ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-301.html ∗∗∗ XSA-299 - Issues with restartable PV type change operations ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-299.html ∗∗∗ XSA-298 - missing descriptor table limit checking in x86 PV emulation ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-298.html ∗∗∗ XSA-296 - VCPUOP_initialise DoS ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-296.html Next End-of-Day report: 2019-11-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2019
by Daily end-of-shift report 30 Oct '19

30 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-10-2019 18:00 − Mittwoch 30-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Paradise Ransomware Decryptor Gets Your Files Back for Free ∗∗∗ --------------------------------------------- A decryptor for the Paradise Ransomware has been released by Emsisoft that allows victims to decrypt their files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paradise-ransomware-decrypto… ∗∗∗ A1 warnt Android-Nutzer vor App, die Bankdaten stiehlt ∗∗∗ --------------------------------------------- Kunden sollten sich vor einer App mit dem Titel „Netztest“ in Acht nehmen. --------------------------------------------- https://futurezone.at/digital-life/a1-warnt-android-nutzer-vor-app-die-bank… ∗∗∗ Gewinnversprechen von Coca-Cola in Höhe von 1 Million US-Dollar ist Scam ∗∗∗ --------------------------------------------- Wenn Sie per E-Mail über einen Gewinn in Millionenhöhe benachrichtigt werden, handelt es sich um einen Betrugsversuch. Aktuell geben sich Kriminelle als Kommunikationsbeauftragte von Coca-Cola aus und informieren Sie über einen vermeintlichen Gewinn. Die Gewinnsumme wird im Austausch Ihrer persönlichen Daten und Ausweiskopien übermittelt. Vorsicht: Kriminelle versuchen an Ihr Geld zu kommen, stehlen Ihre Identität und missbrauchen sie für Straftaten in Ihrem [...] --------------------------------------------- https://www.watchlist-internet.at/news/gewinnversprechen-von-coca-cola-in-h… ===================== = Vulnerabilities = ===================== ∗∗∗ PHOENIX CONTACT Automation Worx Software Suite ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper input validation vulnerability in Phoenix Contacts Automation Worx Software Suite products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-302-01 ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: October 30, 2019Content: Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/30/apple-releases-sec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imapfilter, libvncserver, and pam-python), Fedora (tcpdump), Mageia (file, graphviz, kernel, and php, pcre2), openSUSE (nfs-utils), Red Hat (heketi and samba), Scientific Linux (thunderbird), SUSE (libtomcrypt, php7, and runc), and Ubuntu (apport, libarchive, libidn2, samba, and whoopsie). --------------------------------------------- https://lwn.net/Articles/803474/ ∗∗∗ Synology-SA-19:35 Samba ∗∗∗ --------------------------------------------- These vulnerabilities allow remote attackers to bypass security constraints via a susceptible version of DiskStation Manager (DSM), Synology Router Manager (SRM), and allow remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_35 ∗∗∗ Security Advisory - Two Heap Buffer Overflow Vulnerabilities in Broadcom WiFi Chipset Drivers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191030-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2019
by Daily end-of-shift report 29 Oct '19

29 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 28-10-2019 18:00 − Dienstag 29-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücke in EU-Authentifizierungssoftware (eIDAS Node) ∗∗∗ --------------------------------------------- SEC Consult identifizierte kritische Schwachstellen in eIDAS-Node, die es einem Angreifer ermöglichen könnten, sich als beliebiger EU-Bürger auszugeben. --------------------------------------------- https://www.sec-consult.com/blog/2019/10/sicherheitsluecke-in-eu-authentifi… ∗∗∗ File Inclusions: kleiner Programmierfehler, fatale Wirkung ∗∗∗ --------------------------------------------- Angriffe über File Inclusions sind vor allem in PHP und JSP nach wie vor möglich und können verheerende Folgen haben. --------------------------------------------- https://heise.de/-4570773 ∗∗∗ MikroTik Router Vulnerabilities Can Lead to Backdoor Creation ∗∗∗ --------------------------------------------- A chain of vulnerabilities in MikroTik routers could allow an attacker to gain a backdoor. The chain starts with DNS poisoning, goes on to downgrading the installed version of MikroTiks RouterOS software, and ends with enabling a backdoor. read more --------------------------------------------- https://www.securityweek.com/mikrotik-router-vulnerabilities-can-lead-backd… ∗∗∗ Achtung Abo-Falle: endlich-windelfrei.de & baby-endlich-schlafen.de ∗∗∗ --------------------------------------------- Die Websites endlich-windelfrei.de und baby-endlich-schlafen.de versprechen Eltern große Erleichterungen beim Abgewöhnen der Windel und Schlafenlegen der Kinder. Die Systeme „Endlich Schlaf für Ihr Baby“ und „Von der Windel zum Töpfchen – in nur 3 Tagen“ können um nur 1 Euro erworben werden. Doch Vorsicht: Der Kauf führt in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-abo-falle-endlich-windelfrei… ∗∗∗ Modern Wireless Tradecraft Pt I ∗∗∗ --------------------------------------------- The past few years have seen some exciting developments in the subtle art of forcing wireless devices to connect to malicious access points. We’ve seen the resurgence of karma-style attacks with Dominic White’s and Ian de Villiers’ work on MANA, as well George Chatzisofroniou’s Lure10 and Known Beacon attacks, which can be used to target devices that are immune to karma [1][2]. --------------------------------------------- https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Trend Micro schließt zwei Schwachstellen in Sicherheitssoftware für Windows ∗∗∗ --------------------------------------------- Patches für Apex One, OfficeScan und WFBS fixen zwei Schwachstellen. Trend Micro hat Exploit-Versuche beobachtet und rät zum zügigen Update. --------------------------------------------- https://heise.de/-4571304 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.0, php7.3, ruby-loofah, and spip), Fedora (proftpd), openSUSE (lz4 and sysstat), Red Hat (chromium-browser, jss, kernel, kernel-alt, kpatch-patch, pango, polkit, sudo, systemd, and thunderbird), SUSE (graphite-web, python3, and samba), and Ubuntu (php5, php7.0, php7.2, php7.3, and samba). --------------------------------------------- https://lwn.net/Articles/803381/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0005 ∗∗∗ --------------------------------------------- Date Reported: October 29, 2019 Advisory ID: WSA-2019-0005 CVE identifiers: CVE-2019-8625, CVE-2019-8674,CVE-2019-8707, CVE-2019-8719,CVE-2019-8720, CVE-2019-8726,CVE-2019-8733, CVE-2019-8735,CVE-2019-8763, CVE-2019-8768,CVE-2019-8769, CVE-2019-8771. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2019-8625 Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before2.26.0. Credit to Sergei Glazunov of Google Project Zero. Impact: Processing maliciously crafted [...] --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0005.html ∗∗∗ Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC ∗∗∗ --------------------------------------------- As part of its features, the Carel pCOWeb card exposes a Modbus interface to the network. By design, Modbus does not provide authentication, allowing to control the affected system. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-014/ ∗∗∗ Unsafe Storage of Credentials in Carel pCOWeb HVAC ∗∗∗ --------------------------------------------- The Carel pCOWeb card stores password hashes in the file "/etc/passwd",allowing privilege escalation by authenticated users. Additionally,plaintext copies of the passwords are stored. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-013/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - October 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ tcpdump vulnerability CVE-2018-14880 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56551263?utm_source=f5support&utm_mediu… ∗∗∗ Open Redirect Vulnerability Patched In Bridge Theme ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2019/10/open-redirect-vulnerability-patched-… ∗∗∗ PHOENIX CONTACT improper access control exists on FL NAT devices when using MAC-based port security ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-020 ∗∗∗ Samba: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0945 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0944 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2019
by Daily end-of-shift report 28 Oct '19

28 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-10-2019 18:00 − Montag 28-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Network traffic analysis for IR: Analyzing fileless malware ∗∗∗ --------------------------------------------- Fileless malware is malware authors’ response to traditional malware identification and analysis techniques. Many antiviruses operate by using signature-based analysis to identify malicious files on a computer. By ensuring that a malicious file is never saved on the filesystem, malware authors can make their attacks much more difficult to detect and [...] --------------------------------------------- https://resources.infosecinstitute.com/network-traffic-analysis-for-ir-anal… ∗∗∗ Steam-powered scammers ∗∗∗ --------------------------------------------- One of the most popular platforms among users (and hence cybercriminals) is Steam, and we’ve been observing money-making schemes to defraud its users for quite some time. Since June, however, such attacks have become more frequent and, compared to previous attempts, far more sophisticated. --------------------------------------------- https://securelist.com/steam-powered-scammers/94553/ ∗∗∗ Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise ∗∗∗ --------------------------------------------- Experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations. --------------------------------------------- https://www.microsoft.com/security/blog/2019/10/28/experts-on-demand-your-d… ∗∗∗ Using scdbg to Find Shellcode, (Sun, Oct 27th) ∗∗∗ --------------------------------------------- I've written a couple of diary entries about scdbg, a Windows 32-bit shellcode emulator. --------------------------------------------- https://isc.sans.edu/diary/rss/25460 ∗∗∗ VB2019 paper: Inside Magecart: the history behind the covert card-skimming assault on the e-commerce industry ∗∗∗ --------------------------------------------- Today we publish the VB2019 paper by RiskIQ researcher Yonathan Klijnsma, who looked at the Magecart web-skimming attacks. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/10/vb2019-paper-inside-magecart… ∗∗∗ Ouroboros Ransomware decryption tool ∗∗∗ --------------------------------------------- Ouroboros ransomware has been around for more than a year in various forms, operated by different cybercrime groups. Ouroboros, known to spread via Remote Desktop Protocol bruteforce attacks and deceptive downloads, has claimed a significant number of victims worldwide. We’re now happy to announce the availability of a new decryptor that can restore the .Lazarus, and .Lazarus+ file extensions to their original, unencrypted form. --------------------------------------------- https://labs.bitdefender.com/2019/10/ouroboros-ransomware-decryption-tool/ ∗∗∗ New Ransomware CCryptor struck, which can encrypt 362 file types ∗∗∗ --------------------------------------------- Recently, 360 Security Center captured a new type of ransomware CCryptor. The attacker spread the virus by delivering phishing emails, and the CVE-2017-11882 vulnerability was [...] --------------------------------------------- https://blog.360totalsecurity.com/en/new-ransomware-ccryptor-struck-which-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates für PHP7: NGINX-Server mit PHP-FPM waren aus der Ferne angreifbar ∗∗∗ --------------------------------------------- Betreiber eines NGINX-Webservers mit PHP-FPM sollten zügig updaten: Aktuelle PHP-Versionen schließen eine Lücke, für die es Exploit-Code gibt. --------------------------------------------- https://heise.de/-4570800 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, php, and thunderbird), Debian (file, golang-1.11, libarchive, libxslt, mosquitto, php5, and proftpd-dfsg), Fedora (apache-commons-compress, chromium, java-1.8.0-openjdk, java-11-openjdk, jss, kernel, kernel-headers, kernel-tools, libpcap, mod_auth_openidc, tcpdump, and xpdf), openSUSE (kernel, openconnect, procps, python, sysstat, and zziplib), and SUSE (binutils, docker-runc, ImageMagick, nfs-utils, and xen). --------------------------------------------- https://lwn.net/Articles/803318/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2019
by Daily end-of-shift report 25 Oct '19

25 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-10-2019 18:00 − Freitag 25-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin ∗∗∗ --------------------------------------------- A new email fraud scheme has taken Business Email Compromise (BEC) to a whole new level of sophistication. The recently discovered type of email scam has been dubbed Vendor Email Compromise (VEC) and as its name suggests, the attackers prey on employees working at vendor companies. --------------------------------------------- https://heimdalsecurity.com/blog/vendor-email-compromise-vec/ ∗∗∗ ACSC Releases Advisory on Emotet Malware Campaign ∗∗∗ --------------------------------------------- Original release date: October 25, 2019The Australian Cyber Security Centre (ACSC) has released an advisory on an ongoing, widespread Emotet malware campaign. Emotet is a Trojan—commonly spread via malicious email attachments—that attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. ACSC provides indicators of compromise (IOCs) and recommendations to help organizations defend against Emotet malware. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/25/acsc-releases-advi… ∗∗∗ Your smart doorbell may be collecting more data than you think, study finds ∗∗∗ --------------------------------------------- The study tested 81 IoT devices to analyze their behavior and tracking habits, and in some cases brought rather surprising findings The post Your smart doorbell may be collecting more data than you think, study finds appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2019/10/25/iot-smart-doorbell-collecting-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ Urgent security issue in NGINX/php-fpm ∗∗∗ --------------------------------------------- [...] a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you. --------------------------------------------- https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/ ∗∗∗ Philips IntelliSpace Perinatal ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for an exposure of resource to wrong sphere vulnerability in Philips’ IntelliSpace Perinatal obstetrics information management system. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-297-01 ∗∗∗ Rittal Chiller SK 3232-Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for a missing authentication for critical function and use of hard-coded vulnerabilities in Rittals Chiller SK 3232-series IT application cooler. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-297-01 ∗∗∗ Honeywell IP-AK2 ∗∗∗ --------------------------------------------- This advisory contains mitigations for a missing authentication for critical function vulnerability in Honeywells IP-AK2 access control panels. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-297-02 ∗∗∗ VMSA-2019-0019 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability (CVE-2019-5536) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0019.html ∗∗∗ VMSA-2019-0018 ∗∗∗ --------------------------------------------- VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions (CVE-2019-5537, CVE-2019-5538) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0018.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Gentoo (php), Oracle (firefox), Scientific Linux (sudo), and SUSE (accountsservice, binutils, nfs-utils, and xen). --------------------------------------------- https://lwn.net/Articles/803158/ ∗∗∗ Mattermost security update 5.16.1 / 5.15.2 / 5.14.5 / 5.9.6 (ESR) released ∗∗∗ --------------------------------------------- We have released a recommended security update via Mattermost Team Edition 5.16.1, 5.15.2, 5.14.5, 5.9.6 (ESR) and Mattermost Enterprise Edition 5.16.1, 5.15.2, 5.14.5, 5.9.6 (ESR). This security update addresses a high level vulnerability discovered during a security research review by Roman Shchekin. Follow the standard upgrade instructions to apply the updates. --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-5-16-1-5-15-2-5-14-5… ∗∗∗ 2019-10-22: Vulnerability in Relion® 650 series and Relion® 670 series - Terminal Reboot ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9256&Lan… ∗∗∗ 2019-10-22: Vulnerability in Relion® 670 series - MMS Path Traversal ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9255&Lan… ∗∗∗ 2019-10-22: Vulnerabilities in Relion® 650 series version 2.1 and Relion® 670 series version 2.1 - OpenSSL ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9254&Lan… ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal(V5) is impacted by a a confidential information leak(CVE-2019-4600) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: IBM Maximo Health, Safety, and Environment Manager Installation Gives Application Access to Non-Authorized Users (CVE-2019-4546) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-health-saf… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of a Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Cleartext Transmission of Sensitive Information vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Missing Cookie Secure Attribute vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Hazardous Input Validation vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of a One-Way Hash without a Salt vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by an Information Exposure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of Hard-coded Credentials vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Missing Authentication for Critical Function vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2019
by Daily end-of-shift report 24 Oct '19

24 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-10-2019 18:00 − Donnerstag 24-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Your Supply Chain Doesnt End At Receiving: How Do You Decommission Network Equipment?, (Thu, Oct 24th) ∗∗∗ --------------------------------------------- Trying to experiment with cutting edge security tools, without breaking the bank, often leads me to used equipment on eBay. High-end enterprise equipment is usually available at a bargain-basement price. For experiments or use in a home/lab network, I am willing to take the risk to receive the occasional "dud," and I usually can do without the support and other perks that come with equipment purchased full price. --------------------------------------------- https://isc.sans.edu/diary/rss/25448 ∗∗∗ Windows Debugging & Exploiting Part 1 - Environment Setup ∗∗∗ --------------------------------------------- In this blog series, I will try to set some base knowledge for Windows system debugging & exploitation and present how to setup an environment for remote kernel debugging. This environment will be useful for learning Windows internals and indispensable for our future posts about its exploitation. About Windows internals, I really recommend the training from Pavel Yosifovich on Pluralsight that will expand your familiarity with the system if you are new to the topic. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/windows-deb… ∗∗∗ Warnung vor Handybezahlfalle auf Facebook ∗∗∗ --------------------------------------------- Bei der Rundfunk und Telekom Regulierungs-GmbH (RTR) häufen sich derzeit Beschwerden über unerwartet hohe Handyrechnungen. Die Betroffenen wurden über Facebook in eine Handyfalle gelockt. Sie tätigten unwissentlich teure Einkäufe, die dann über ihr Handy bezahlt wurden. --------------------------------------------- https://help.orf.at/stories/2993419/ ∗∗∗ Android Adware‑Entwickler aufgespürt ∗∗∗ --------------------------------------------- ESET-Forscher beschreiben, wie sie eine einjährige Adware-Kampagne bei Google Play entdeckten, die Millionen von Usern beeinträchtigte. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/10/24/android-adware-entwickler… ∗∗∗ Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey ∗∗∗ --------------------------------------------- ATLANTA — SECURITYWEEK 2019 ICS CYBER SECURITY CONFERENCE — Some of the recent cybersecurity incidents involving industrial control systems (ICS) have resulted in injury and even loss of life, according to a survey conducted by Control Systems Cyber Security Association International (CS2AI). --------------------------------------------- https://www.securityweek.com/some-ics-security-incidents-resulted-injury-lo… ∗∗∗ Führerscheine legal online kaufen? Mitnichten! ∗∗∗ --------------------------------------------- KonsumentInnen, die sich im Internet über den Führerschein informieren, stoßen womöglich auch auf Websites wie billigerfuehrerschein.com oder fuhrerschein-online.com. Die betrügerischen Websites werben mit dem legalen Verkauf von Führerscheinen ohne Fahr- und Theorieprüfungen. Achtung: Sowohl die Herstellung als auch die Nutzung derartiger Dokumente ist illegal, es kommt zu keiner Lieferung und bezahltes Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fuehrerscheine-legal-online-kaufen-m… ∗∗∗ Practical Behavioral Profiling of PowerShell Scripts through Static Analysis (Part 2) ∗∗∗ --------------------------------------------- Part 2 of a 3-part blog series that offers a more technical perspective and begins looking at common obfuscation techniques and methods for hiding data within PowerShell that can be reversed. --------------------------------------------- https://unit42.paloaltonetworks.com/practical-behavioral-profiling-of-power… ===================== = Vulnerabilities = ===================== ∗∗∗ EOL D-Link Routers Vulnerable to Remote Command Execution ∗∗∗ --------------------------------------------- Original release date: October 24, 2019The CERT Coordination Center (CERT/CC) has released information on a vulnerability (CVE-2019-16920) affecting multiple D-Link routers. A remote attacker could exploit this vulnerability to take control of an affected device.D-Link no longer provides support to the affected end-of-life (EOL) devices, and updates will not be made available. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/24/eol-d-link-routers… ∗∗∗ SYSS-2019-009, SYSS-2019-010 und SYSS-2019-011: Schwachstellen in weiterer Funktastatur mit "sicherer" 2,4-GHz-Technologie ∗∗∗ --------------------------------------------- SySS IT-Sicherheitsexperte Matthias Deeg fand im Rahmen eines Forschungsprojekts zu drahtlosen Eingabegeräten (siehe auch 1 und 2) drei Sicherheitsschwachstellen im Fujitsu Wireless Keyboard Set LX390. Diese drei Schwachstellen betreffen einen fehlenden Schutz vor Replay-Angriffen, eine fehlende Verschlüsselung von per Funkkommunikation übertragenen sensiblen Daten und die Möglichkeit für Keystroke Injection-Angriffe. --------------------------------------------- https://www.syss.de/pentest-blog/2019/syss-2019-009-syss-2019-010-und-syss-… ∗∗∗ Sicherheitspatches: Angreifer könnten mit Admin-Rechten auf Junos OS zugreifen ∗∗∗ --------------------------------------------- Die Entwickler des Betriebssystems für Netzwerkgeräte Junos OS haben eine gefährliche Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-4567444 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (file), Mageia (bind, chromium-browser-stable, java-1.8.0-openjdk, libsndfile, mediawiki, and virtualbox), Oracle (firefox), Red Hat (firefox and sudo), Scientific Linux (firefox and OpenAFS), SUSE (kernel, lz4, rust, and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/803068/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in MongoDB server affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2019-10197) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-sa… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM i HTTP Server affect IBM i. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud (CVE-2019-4304, CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ libcurl vulnerability CVE-2018-16890 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03314397 ∗∗∗ Linux kernel vulnerability CVE-2019-15916 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K57418558 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2019
by Daily end-of-shift report 23 Oct '19

23 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-10-2019 18:00 − Mittwoch 23-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ VB2019 papers: Emotet and Ryuk ∗∗∗ --------------------------------------------- Today we publish VB2019 papers by Luca Nagy (Sophos) on Emotet and Gabriela Nicolao and Luciano Martins (Deloitte) on Ryuk, as well as the corresponding videos of their presentations. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/10/vb2019-papers-emotet-and-ryu… ∗∗∗ CPDoS: Cache Poisoned Denial of Service ∗∗∗ --------------------------------------------- Cache-Poisoned Denial-of-Service (CPDoS) is a new class of web cache poisoning attacks aimed at disabling web resources and websites. --------------------------------------------- https://cpdos.org/ ∗∗∗ Tech, Security Firms Launch Operational Technology Cyber Security Alliance ∗∗∗ --------------------------------------------- Several major tech and cybersecurity companies have joined forces for a new initiative called the Operational Technology Cyber Security Alliance (OTCSA), which aims to help industrial and critical infrastructure organizations address challenges related to OT security by providing guidance and resources. --------------------------------------------- https://www.securityweek.com/tech-security-firms-launch-operational-technol… ∗∗∗ Investment-Firmen fordern Zugriff auf Ihr System? Nehmen Sie Abstand! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor Investments bei unseriösen Firmen wie aurumpro.co beziehungsweise Muller Enterprise LTD in Acht. Angebliche BeraterInnen kontaktieren Sie telefonisch und verleiten Sie zu immer höheren Investments. Um "effektiver" handeln zu können, verlangt man die Installation von Fernwartungssoftware wie AnyDesk oder TeamViewer. Tun Sie dies nicht und nehmen Sie Abstand – man hat es auf Ihr Vermögen abgesehen! --------------------------------------------- https://www.watchlist-internet.at/news/investment-firmen-fordern-zugriff-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Schneider Electric ProClima ∗∗∗ --------------------------------------------- This advisory contains mitigations for code injection, improper restriction of operations within the bounds of a memory buffer, and uncontrolled search path element vulnerabilities in Schneider Electrics ProClima building and automation control products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-295-01 ∗∗∗ Firefox, Chrome Bugs Allow Arbitrary Code-Execution ∗∗∗ --------------------------------------------- Multiple critical memory safety bugs in Firefox 69 and Firefox ESR 68.1 in particular affect medium and large government entities and enterprises. --------------------------------------------- https://threatpost.com/critical-firefox-bugs-arbitrary-code-execution/14945… ∗∗∗ OpenAFS Security Advisory 2019-001 ∗∗∗ --------------------------------------------- Topic: information leakage from uninitialized RPC output variables on error Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-001.txt ∗∗∗ OpenAFS Security Advisory 2019-002 ∗∗∗ --------------------------------------------- Topic: information leakage from uninitialized scalars Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-002.txt ∗∗∗ OpenAFS Security Advisory 2019-003 ∗∗∗ --------------------------------------------- Topic: database server crash from unserialized data access Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-003.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (go, go-pie, pacman, and xpdf), CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, and patch), openSUSE (gcc7), Red Hat (firefox, kernel, and qemu-kvm-rhev), Slackware (mozilla), SUSE (kernel, libcaca, openconnect, python, sysstat, and zziplib), and Ubuntu (libxslt, linux-azure, and linux-lts-xenial, linux-aws). --------------------------------------------- https://lwn.net/Articles/802941/ ∗∗∗ Avast, Avira Products Vulnerable to DLL Hijacking ∗∗∗ --------------------------------------------- Vulnerabilities in Avast Antivirus, AVG Antivirus, and Avira Antivirus could allow an attacker to load a malicious DLL file in an effort to bypass defenses and escalate privileges, SafeBreach Labs security researchers discovered. read more --------------------------------------------- https://www.securityweek.com/avast-avira-products-vulnerable-dll-hijacking ∗∗∗ Security Advisory - Out-Of-Bound Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2019-1547, CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Commons Beanutils affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-apac… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4486) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-mana… ∗∗∗ IBM Security Bulletin: A security vulnerability affects IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition (CVE-2019-4398) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition is affected by ASoC vulnerability (CVE-2019-4459) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-orchestrato… ∗∗∗ IBM Security Bulletin: A security vulnerability affects IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition (CVE-2019-4397) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by glibc vulnerabilities (CVE-2018-20796, CVE-2019-9169) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ BIND vulnerability CVE-2018-5743 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74009656 ∗∗∗ BIG-IP vulnerability CVE-2018-15333 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53620021 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2019
by Daily end-of-shift report 22 Oct '19

22 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 21-10-2019 18:00 − Dienstag 22-10-2019 18:00 Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Three Service Account Secrets Straight from Hackers and Security Pros ∗∗∗ --------------------------------------------- A survey of nearly 300 Black Hat conference attendees this year showed strong agreement that service accounts are an attractive target. --------------------------------------------- https://threatpost.com/service-account-secrets/148996/ ∗∗∗ MISP Summit 0x05 Wrap-Up ∗∗∗ --------------------------------------------- I’m in Luxembourg for a full week of infosec events. It started today with the MISP summit. It was already the fifth edition and, based on the number of attendees, the tool is getting more and more popularity. --------------------------------------------- https://blog.rootshell.be/2019/10/21/misp-summit-0x05-wrap-up/ ∗∗∗ emotet_network_protocol ∗∗∗ --------------------------------------------- This repository has been created with the idea of helping the community of cybersecurity researchers and malware researchers. It explains in detail how the network communication protocol used by Emotet to communicate with the C&Cs works. Knowing all these details, it should be relatively easy to emulate the communication, and obtain the new modules and distributed malware directly from the c&c. --------------------------------------------- https://d00rt.github.io/emotet_network_protocol/ ∗∗∗ Avast, NordVPN Breaches Tied to Phantom User Accounts ∗∗∗ --------------------------------------------- Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that -- while otherwise unrelated -- shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password. --------------------------------------------- https://krebsonsecurity.com/2019/10/avast-nordvpn-breaches-tied-to-phantom-… ∗∗∗ The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT ∗∗∗ --------------------------------------------- Bread crumbs left behind open up a possible connection between Magecart Group 5 and Carbanak. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-… ∗∗∗ Malspam Campaign Targeted German Organizations with Buran Ransomware ∗∗∗ --------------------------------------------- Researchers spotted a malspam campaign that targeted German organizations with samples of the Buran crypto-ransomware family. In early October, Bromium observed a malspam campaign whose emails impersonated online fax service eFax. The emails contained hyperlinks to a PHP page that served up malicious Word documents. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/malspam… ∗∗∗ genosyla.net und versandhaus-voss.de liefern keine Ware ∗∗∗ --------------------------------------------- Bei genosyla.net und versandhaus-voss.de finden Sie günstige Elektrogeräte. Viele Produkte sind im Schnitt 100 Euro billiger als bei anderen Shops. Der Haken: die Ware wird trotz Bezahlung nie geliefert. Es handelt sich um betrügerische Webshops. Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/genosylanet-und-versandhaus-vossde-l… ∗∗∗ Browser-based attacks, our customers, and us ∗∗∗ --------------------------------------------- While some browser-based attacks such as web skimming steal customer data and thus victimize both the organization and the users, other attacks leverage an organizations website to attack the customers or to attack another organization entirely. --------------------------------------------- https://www.zdnet.com/article/browser-based-attacks-our-customers-and-us/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (jss and kernel), Debian (libpcap, openjdk-8, and tcpdump), Fedora (java-11-openjdk), openSUSE (libreoffice), Oracle (java-1.7.0-openjdk), Red Hat (java-1.7.0-openjdk, python, and wget), Scientific Linux (java-1.7.0-openjdk), SUSE (ceph, ceph-iscsi, ses-manual_en, dhcp, openconnect, and procps), and Ubuntu (exiv2, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, [...] --------------------------------------------- https://lwn.net/Articles/802863/ ∗∗∗ ZDI-19-908: Foxit Studio Photo JPEG Batch Processing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-908/ ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-bulletin-ibm… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2019
by Daily end-of-shift report 21 Oct '19

21 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-10-2019 18:00 − Montag 21-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Avast Network Breached As Hackers Target CCleaner Again ∗∗∗ --------------------------------------------- Avast said it believes that threat actors are again looking to target CCleaner in a supply chain attack. --------------------------------------------- https://threatpost.com/avast-network-breached-as-hackers-target-ccleaner-ag… ∗∗∗ Attention: Your blog may be used to spread the Emotet Trojan! ∗∗∗ --------------------------------------------- Emotet was originally a banking Trojan that targeted bank customers in Europe and stole relevant bank credentials. In 2017, Emotet changed its business model from [...] --------------------------------------------- https://blog.360totalsecurity.com/en/attention-your-blog-may-be-used-to-spr… ∗∗∗ Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor ∗∗∗ --------------------------------------------- Notorious cyberespionage group debases MSSQL --------------------------------------------- https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sq… ===================== = Vulnerabilities = ===================== ∗∗∗ Linux: Kritische Zeroday-Lücke im WLAN-Treiber ∗∗∗ --------------------------------------------- Mit speziell präparierten WLAN-Paketen könnten Angreifer Linux-Systeme kapern, die Realtek-Chips einsetzen. --------------------------------------------- https://heise.de/-4562505 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aspell, graphite-web, imagemagick, mediawiki, milkytracker, nfs-utils, and openjdk-11), Fedora (kernel, kernel-headers, kernel-tools, mediawiki, and radare2), openSUSE (dhcp, libpcap, lighttpd, and tcpdump), Scientific Linux (java-1.8.0-openjdk), Slackware (python), SUSE (bluez, kernel, and python-xdg), and Ubuntu (aspell). --------------------------------------------- https://lwn.net/Articles/802776/ ∗∗∗ AVM FRITZ!OS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/10/warn… ∗∗∗ Trend Micro Anti-Threat Toolkit (ATTK) < = v1.62.0.1218 Remote Code Execution 0day ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019100137 ∗∗∗ IBM Security Bulletin: Version 8.15.0 of Node.js included in IBM Cloud Event Management 2.3.0 has several security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-version-8-15-0-of-nod… ∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition is affected by HTTP Server vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-orchestrato… ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise (CVE-2018-1996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ Linux kernel vulnerability CVE-2019-16089 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03814795?utm_source=f5support&utm_mediu… ∗∗∗ Linux kernel vulnerability CVE-2019-15666 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53420251?utm_source=f5support&utm_mediu… ∗∗∗ Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX261055 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2019
by Daily end-of-shift report 18 Oct '19

18 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-10-2019 18:00 − Freitag 18-10-2019 18:00 Handler: n/a Co-Handler: n/a ===================== = News = ===================== ∗∗∗ STOP Ransomware Decryptor Released for 148 Variants ∗∗∗ --------------------------------------------- The release of Emsisofts STOP Ransomware decryption service is a huge achievement and will be a life saver for both the victims and the helpers on BleepingComputer. It should be noted, though, that while this decryptor can help with the majority of STOP variants, anyone who was infected after August 2019 cannot be helped. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-re… ∗∗∗ REvil Ransomware Affiliates Partner with Corporate Intruders ∗∗∗ --------------------------------------------- Experienced network intruders and ransomware groups have struck an alliance helping each other monetize their skills by spreading malware to company networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-affiliates-… ∗∗∗ Ordinypt: Resurgence ∗∗∗ --------------------------------------------- Recently, the Ordinypt malware has seen a resurgence in the wild, disguised as fake job applications sent via email to human resource departments in German companies. The malware uses social engineering to infect the user’s files and trick them into paying cryptocurrency to restore the infected files. --------------------------------------------- https://www.gdatasoftware.com/blog/2019/10/35358-resurgence ∗∗∗ Quick Malicious VBS Analysis, (Fri, Oct 18th) ∗∗∗ --------------------------------------------- Lets have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This technique is more and more common to deliver the first stage via a URL because it reduces the risk to have the first file blocked by classic security controls. --------------------------------------------- https://isc.sans.edu/diary/rss/25430 ∗∗∗ Fake UpdraftPlus Plugins ∗∗∗ --------------------------------------------- We often find various fake WordPress plugins installed by hackers during website cleanups. Recently, we’ve noticed a new wave of infections that install fake plugins with backdoor functionality. --------------------------------------------- https://blog.sucuri.net/2019/10/fake-updraftplus-plugins.html ∗∗∗ Samsung to patch S10 fingerprint sensor bug next week ∗∗∗ --------------------------------------------- Samsung promises software patch next week; recommends not using custom screen covers in the meantime. --------------------------------------------- https://www.zdnet.com/article/samsung-to-patch-s10-fingerprint-sensor-bug-n… ===================== = Vulnerabilities = ===================== ∗∗∗ AVEVA Vijeo Citect and Citect SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in the AVEVA Vijeo Citect and Citect SCADA. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-290-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- This advisory contains mitigations for improper input validation and out-of-bounds write vulnerabilities in Horner Automations Cscape control system application programming software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-290-02 ∗∗∗ VMSA-2019-0017 ∗∗∗ --------------------------------------------- VMware SD-WAN by VeloCloud update addresses information disclosure vulnerability (CVE-2019-5533) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0017.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10). --------------------------------------------- https://lwn.net/Articles/802622/ ∗∗∗ Synology-SA-19:34 WordPress ∗∗∗ --------------------------------------------- These vulnerabilities allow remote attackers to inject arbitrary web script or HTML, obtain sensitive information, or access intranet resources via a susceptible version of WordPress. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_34 ∗∗∗ InfoZIP vulnerability CVE-2019-13232 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K80311892 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2019
by Daily end-of-shift report 17 Oct '19

17 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-10-2019 18:00 − Donnerstag 17-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 10 Steps for Ransomware Protection ∗∗∗ --------------------------------------------- Here are things you can do right now to shore up your defenses and help your recovery when you get hit. --------------------------------------------- https://threatpost.com/10-steps-ransomware-protection/149259/ ∗∗∗ Betrüger übernehmen alte E-Mail-Adressen ∗∗∗ --------------------------------------------- Das Bundeskriminalamt (BKA) warnt vor missbräuchlicher Verwendung alter E-Mail-Adressen. Betrüger würden sich länger nicht genutzte E-Mail-Adressen aneignen, um damit Zugang zu persönlichen Nutzerkonten zu erlangen, so das BKA. Gaming Accounts und Nutzerkonten in Sozialen Medien seien besonders betroffen. --------------------------------------------- https://help.orf.at/stories/2993027/ ∗∗∗ l+f: Leise rieselt der Crypto-Miner ∗∗∗ --------------------------------------------- Forscher entdecken Crypto-Miner und Backdoors, die sich in WAV-Dateien verstecken. --------------------------------------------- https://heise.de/-4558856 ∗∗∗ Cisco fixes serious flaws in enterprise-grade Catalyst and Aironet access points ∗∗∗ --------------------------------------------- Cisco has released another batch of security updates, the most critical of which fixes a vulnerability that could allow unauthenticated, remote attackers to gain access to vulnerable Cisco Aironet wireless access points. Cisco Aironet APs are enterprise-grade access points used for branch offices, campuses, organizations of all sizes, enterprise and carrier-operator Wi-Fi deployments, and so on. --------------------------------------------- https://www.helpnetsecurity.com/2019/10/17/cisco-aironet-vulnerabilities/ ∗∗∗ KRACK‑Sicherheitslücke in Alexa Smart Home Geräten ∗∗∗ --------------------------------------------- Das ESET Smart Home Research Team entdeckte KRACK-Sicherheitslücken in einigen Amazon Echo- und Kindle-Geräten. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/10/17/krack-sicherheitsluecke-a… ∗∗∗ Werbung für betrügerische Elektriker auf Google ∗∗∗ --------------------------------------------- Wenn zu Hause der Strom ausfällt, verschafft oft nur eine Fachkraft Abhilfe. Die Suche über Google am Smartphone liegt dabei natürlich nahe. Doch Vorsicht: Die Gefahr, über die Anzeigen auf unseriöse Angebote zu stoßen, ist hoch! Opfer landen beispielsweise auf elektriker-mg.at, elektriker-dienst.at oder elektriker.24std.expert, wo die großen Versprechen in schlechter Arbeit zu horrenden Preisen münden. --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-betruegerische-elektrik… ===================== = Vulnerabilities = ===================== ∗∗∗ Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS ∗∗∗ --------------------------------------------- The flaws in the container technology, CVE-2019-16276 and CVE-2019-11253, are simple to exploit. --------------------------------------------- https://threatpost.com/kubernetes-bugs-authentication-bypass-dos/149265/ ∗∗∗ Security updates available in Foxit Reader 9.7, Foxit PhantomPDF 9.7 and Foxit PhantomPDF Mac 3.4 ∗∗∗ --------------------------------------------- Foxit has released Foxit Reader 9.7 and Foxit PhantomPDF 9.7, which addresses potential security and stability issues. Foxit has released Foxit PhantomPDF Mac 3.4, which addresses potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php ∗∗∗ VMSA-2019-0017 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (sudo), Debian (libsdl1.2 and libsdl2), Mageia (e2fsprogs, kernel, libpcap and tcpdump, nmap, and sudo), openSUSE (GraphicsMagick and sudo), Oracle (java-1.8.0-openjdk, java-11-openjdk, jss, and kernel), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (jss), SUSE (gcc7 and libreoffice), and Ubuntu (leading to a double-free, libsdl1.2, and tiff). --------------------------------------------- https://lwn.net/Articles/802537/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/10/warn… ∗∗∗ CyberArk Password Vault 10.6 Authentication Bypass ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019100114 ∗∗∗ Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-074 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ Vim/Neovim vulnerability CVE-2019-12735 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K93144355?utm_source=f5support&utm_mediu… ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0924 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2019
by Daily end-of-shift report 16 Oct '19

16 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-10-2019 18:00 − Mittwoch 16-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Docker Containers Riddled with Graboid Crypto-Worm ∗∗∗ --------------------------------------------- A worm with a randomized propagation method is spreading via the popular container technology. --------------------------------------------- https://threatpost.com/docker-containers-graboid-crypto-worm/149235/ ∗∗∗ Security Monitoring: At Network or Host Level?, (Wed, Oct 16th) ∗∗∗ --------------------------------------------- Today, to reach a decent security maturity, the keyword remains "visibility". There is nothing more frustrating than being blind about what's happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what's happening on your network? There are three key locations to collect data: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25420 ∗∗∗ Messing with Azorult Part 1: Malware Breakdown ∗∗∗ --------------------------------------------- In this blog series, we dive into an information stealing Trojan called Azorult that we analysed during a recent Digital Forensics and Incident Response (DFIR) investigation. During our analysis, we also take a look at the bot’s control panel and its vulnerability. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/messing-wit… ∗∗∗ Patchday bei Adobe: 64 Lücken im Reader ∗∗∗ --------------------------------------------- Außerdem gibt es auch Updates für den Experience Manager, Experience Manager Forms und den Adobe Download Manager. --------------------------------------------- https://heise.de/-4557403 ∗∗∗ Schadsoftware in vermeintlichen Banking-Apps aus unbekannter Quelle! ∗∗∗ --------------------------------------------- Immer wieder versenden Kriminelle massenhaft E-Mails im Design diverser Banken. Sie beziehen sich darin gehäuft auf die sogenannte PSD2-Richtlinie, die zu diversen Änderungen beim Online-Banking geführt hat und verlangen die Bestätigung persönlicher Daten oder die Installation einer App aus unbekannter Quelle. Nur so ließe sich die Sperre Ihres Kontos verhindern. Es dürfen keine Daten bekanntgegeben und die Apps nicht installiert werden. Es handelt sich um [...] --------------------------------------------- https://www.watchlist-internet.at/news/schadsoftware-in-vermeintlichen-bank… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Patch Update: Oracle veröffentlicht 219 Sicherheitspatches ∗∗∗ --------------------------------------------- Es gibt abgesicherte Versionen von unter anderem Fusion Middleware und NoSQL Database, in denen Oracle kritische Sicherheitslücken geschlossen hat. --------------------------------------------- https://heise.de/-4557788 ∗∗∗ VMSA-2019-0016 ∗∗∗ --------------------------------------------- VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability (CVE-2019-16919) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0016.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and unbound), Fedora (opendmarc, runc, and sudo), openSUSE (epiphany, GraphicsMagick, and libopenmpt), Oracle (kernel and sudo), Red Hat (java-1.8.0-openjdk, jss, kernel, kernel-rt, and kpatch-patch), SUSE (crowbar-core, crowbar-openstack, grafana, novnc, openstack-keystone, openstack-neutron, openstack-neutron-lbaas, openstack-nova, openstack-tempest, python-pysaml2, python-urllib3, rubygem-chef, rubygem-easy_diff, sleshammer, libpcap, sudo, [...] --------------------------------------------- https://lwn.net/Articles/802451/ ∗∗∗ Linux kernel vulnerability CVE-2019-13233 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13331647?utm_source=f5support&utm_mediu… ∗∗∗ HPESBHF03960 rev.1 - HPE Lights Out 100 (LO100) Remote Management for ProLiant G1 - G6 servers, Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle gefährdet Verfügbarkeit und Integrität ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0905 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0913 ∗∗∗ Publish SBA-ADV-20190913-04: WordPress Plugin - All in One SEO Pack -… ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/478f4828ddc618f6bdb9530640… ∗∗∗ Publish SBA-ADV-20190913-03: WordPress Plugin - Events Manager - Stor… ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/eb0047b9fb067ec171007b14df… ∗∗∗ Publish SBA-ADV-20190913-02: WordPress Plugin - Broken Link Checker -… ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/3e79665a02f0cd2e7666e7738e… ∗∗∗ Publish SBA-ADV-20190913-01: WordPress Plugin - EU Cookie Law (GDPR) … ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/51b3d30fc0d9e69a760203b32d… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2019
by Daily end-of-shift report 15 Oct '19

15 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 14-10-2019 18:00 − Dienstag 15-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberangriffe: Attribution ist wie ein Indizienprozess ∗∗∗ --------------------------------------------- Russland hat den Bundestag gehackt! China wollte die Bayer AG ausspionieren! Bei großen Hackerangriffen ist oft der Fingerzeig auf den mutmaßlichen Täter nicht weit. Knallharte Beweise dafür gibt es selten, Hinweise sind aber kaum zu vermeiden. --------------------------------------------- https://www.golem.de/news/cyberangriffe-attribution-ist-wie-ein-indizienpro… ∗∗∗ Update now! Windows users targeted by iTunes Software Updater zero-day ∗∗∗ --------------------------------------------- The flaw is a rare ‘unquoted path class’ described as "so thoroughly documented that you would expect programmers to be well aware..." But thats not the case. --------------------------------------------- https://nakedsecurity.sophos.com/2019/10/15/update-now-windows-users-target… ∗∗∗ Top 10 Website Hardening Tips ∗∗∗ --------------------------------------------- Website hardening means adding layers of protection to reduce the risk of website attacks, a process known as “defense in depth.” Here are our top 10 virtual hardening principles: [...] --------------------------------------------- https://blog.sucuri.net/2019/10/top-10-website-hardening-tips.html ∗∗∗ Threat Actor Profile: TA407, the Silent Librarian ∗∗∗ --------------------------------------------- [...] Since our blog post, colleagues at Secureworks have provided further details on one actor we highlighted, tracked by Proofpoint as TA407, also known as Silent Librarian, Cobalt Dickens, and Mabna Institute. In this blog, we provide additional insight into the actor and their evolving TTPs in ongoing, academia-focused campaigns. --------------------------------------------- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta40… ∗∗∗ Europol: Ransomware remains top threat in IOCTA report ∗∗∗ --------------------------------------------- The European Union Agency for Law Enforcement Cooperation, or Europol, just released its annual Internet Organized Crime Threat Assessment (IOCTA) report. We highlight their key findings and remind readers how to better protect themselves. --------------------------------------------- https://blog.malwarebytes.com/awareness/2019/10/europol-ransomware-remains-… ∗∗∗ Researchers Find New Backdoor Used by Winnti Hackers ∗∗∗ --------------------------------------------- ESET security researchers were able to identify a new backdoor associated with the threat actor known as the Winnti Group. --------------------------------------------- https://www.securityweek.com/researchers-find-new-backdoor-used-winnti-hack… ∗∗∗ SMS von „InfoSMS“ führt in Abo-Falle ∗∗∗ --------------------------------------------- Aktuell sind vermehrt betrügerische SMS vom Absender „InfoSMS“ im Umlauf. In der SMS heißt es, dass der Besitzer der Handynummer gesucht wird. Für nähere Informationen werden Sie aufgefordert, einem Link zu folgen. Sie landen dann auf einer gefälschten Media Markt Seite, wo ein angeblicher Gewinn auf Sie wartet. Sie werden Ihren Gewinn jedoch nie erhalten, es handelt sich um eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-infosms-fuehrt-in-abo-falle/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Experience Manager (APSB19-48), Adobe Acrobat and Reader (APSB19-49), Adobe Experience Manager Forms (APSB19-50) and Adobe Download Manager (APSB19-51). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1795 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sudo and xtrlock), openSUSE (sudo), Red Hat (Single Sign-On), Slackware (sudo), SUSE (binutils, dhcp, ffmpeg, kernel, kubernetes-salt, sudo, and tcpdump), and Ubuntu (sudo). --------------------------------------------- https://lwn.net/Articles/802328/ ∗∗∗ PHOENIX CONTACT Security Advisory for Automation Worx Software Suite ∗∗∗ --------------------------------------------- Phoenix Contact Automationworx Suite: *.bcp-file Memory Corruption Remote Code Execution Vulnerability and *.mwt-file Out-OfBounds Read Remote Code Execution Vulnerability --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-016 ∗∗∗ sudo: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0902 ∗∗∗ WordPress: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0903 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cloud Private ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2019-11479, CVE-2019-11478 and CVE-2019-11477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-is-a… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence is affected by a Using Components with Known Vulnerabilities vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-4031 affects IBM Workload Scheduler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ TYPO3-EXT-SA-2019-018: Remote Code Execution in extension "freeCap CAPTCHA" (sr_freecap) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2019-018/ ∗∗∗ TYPO3-EXT-SA-2019-017: Multiple vulnerabilities in extension "SLUB: Event Registration" (slub_events) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2019-017/ ∗∗∗ TYPO3-EXT-SA-2019-016: Information Disclosure in extension "Direct Mail" (direct_mail) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2019-016/ ∗∗∗ TYPO3-EXT-SA-2019-015: SQL Injection in extension "URL redirect" (url_redirect) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2019-015/ ∗∗∗ Linux kernel vulnerability CVE-2019-16714 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K48351130?utm_source=f5support&utm_mediu… ∗∗∗ OpenLDAP vulnerability CVE-2019-13565 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98008862?utm_source=f5support&utm_mediu… ∗∗∗ HPESBHF03933 rev.6 - HPE Products using certain Intel Processors, Microarchitectural Data Sampling (MDS) Side Channel Vulnerabilities, Local Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2019
by Daily end-of-shift report 14 Oct '19

14 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-10-2019 18:00 − Montag 14-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Week in Ransomware - October 11th 2019 - Decryptors Released! ∗∗∗ --------------------------------------------- We had some interesting news this week, such as the HildaCrypt ransomware releasing their keys, RobbinHood Ransomware bragging about their past exploits, a Muhstik Ransomware victim hacking back and stealing the decryption keys, and a Nemty decryptor being released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-octob… ∗∗∗ Sodinokibi Ransomware: Following the Affiliate Money Trail ∗∗∗ --------------------------------------------- After a Sodinokibi ransomware affiliate posted partial transaction IDs for ransomware payments, researchers were able to use that information to follow the money trail for affiliates and in some cases, how they spend their illicit earnings. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-follow… ∗∗∗ Simjacker: SIM-Karten in 29 Ländern anfällig für SMS-Angriff ∗∗∗ --------------------------------------------- Mit einer präparierten SMS können Daten aus dem Mobiltelefon ausgelesen werden. Die Sicherheitsfirma Adaptive Mobile hat den Simjacker genannten Angriff entdeckt und die betroffenen Staaten veröffentlicht. Demnach nutzte in drei Ländern eine Überwachungsfirma die Lücke aktiv aus. --------------------------------------------- https://www.golem.de/news/simjacker-sim-karten-in-29-laendern-anfaellig-fue… ∗∗∗ Pass the AppleJeus ∗∗∗ --------------------------------------------- A new macOS backdoor written by the infamous Lazarus APT group needs analyzing. Here, we examine its infection vector, method of persistence, capabilities, and more! --------------------------------------------- https://objective-see.com/blog/blog_0x49.html ∗∗∗ Another successful edition of the European Cyber Security Challenge concluded in Romania ∗∗∗ --------------------------------------------- The sixth edition of the European Cyber Security Challenge (ECSC), organised from 9 to 11 October in Bucharest at the Palace of the Parliament, the heaviest building and the second-largest building in the world, has concluded. Team Romania - followed by Italy and Austria - has proven successful in completing the most advanced and complex cybersecurity challenges and is thereby the proud winner of ECSC2019. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/another-successful-edition-of-t… ∗∗∗ Most SSL certificate misissuance caused by software bugs and rule misinterpretations ∗∗∗ --------------------------------------------- Academic study analyzed 379 incidents of incorrectly-issued SSL certificates from a total of 1,300+ known cases. --------------------------------------------- https://www.zdnet.com/article/most-ssl-certificate-misissuance-caused-by-so… ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB19-49) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB19-49) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, October 15, 2019. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well as the Adobe PSIRT Blog. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1793 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, sdl, and unbound), Debian (clamav, libdatetime-timezone-perl, openssl, tcpdump, and tzdata), Fedora (cutter-re, jackson-annotations, jackson-bom, jackson-core, jackson-databind, jackson-parent, libapreq2, ming, opendmarc, radare2, and thunderbird), openSUSE (chromium), Oracle (kernel), and SUSE (axis, jakarta-commons-fileupload, kernel, sles12sp3-docker-image, sles12sp4-image, system-user-root, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/802268/ ∗∗∗ Critical Flaw in Sophos Cyberoam Appliances Allows Remote Code Execution ∗∗∗ --------------------------------------------- A critical vulnerability patched recently by Sophos in its Cyberoam firewall appliances allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges. --------------------------------------------- https://www.securityweek.com/critical-flaw-sophos-cyberoam-appliances-allow… ∗∗∗ Swift 5.1.1 for Ubuntu ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT210647 ∗∗∗ Reflected XSS vulnerability in OpenProject (CVE-2019-17092) ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/reflected-xss-vulnerability-in-o… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2019
by Daily end-of-shift report 11 Oct '19

11 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-10-2019 18:00 − Freitag 11-10-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Remote-Angriffe und Denial-of-Service: Schwachstellen in Juniper-Netzwerktechnik ∗∗∗ --------------------------------------------- Juniper-Geräte der Serien SRX, NFX, QFX, PTX, ACX, MX, und EX sowie das Betriebssystem JUNOS weisen Schwachstellen auf die umgehend gepatcht werden sollten. --------------------------------------------- https://heise.de/-4553168 ∗∗∗ Researchers released a free decryptor for the Nemty Ransomware ∗∗∗ --------------------------------------------- Good news for the victims of the Nemty Ransomware, security researchers have released a free decryptor that could be used to recover files. --------------------------------------------- https://securityaffairs.co/wordpress/92386/malware/nemty-ransomware-decrypt… ∗∗∗ Examining the Ryuk Ransomware ∗∗∗ --------------------------------------------- Ryuk ransomware had a disturbingly successful debut, being used to hit at least three organizations in its first two months of activity for more than $640,000 in ransom. Several attacks followed, where the attackers demanded even greater amounts of ransom. The attackers were able to demand and receive high ransoms because of a unique trait in the Ryuk code: the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. --------------------------------------------- https://www.zscaler.com/blogs/research/examining-ryuk-ransomware ∗∗∗ Staying Hidden on the Endpoint: Evading Detection with Shellcode ∗∗∗ --------------------------------------------- True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the system. As modern Endpoint Detection and Response (EDR) products have matured over the years, the red teams must follow suit. This blog post will provide some insights into how the FireEye Mandiant Red Team crafts payloads to bypass modern EDR products and get full command and control (C2) on their [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lucene-solr and ruby-openid), Fedora (krb5 and SDL2), openSUSE (kernel and libopenmpt), and Ubuntu (python2.7, python3.4). --------------------------------------------- https://lwn.net/Articles/802086/ ∗∗∗ IBM Security Bulletin: IBM FileNet Content Manager and Case Foundation security vulnerability in Process Orchestration Web Service logging ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-filenet-content-m… ∗∗∗ IBM Security Bulletin: IBM FileNet Content Manager and Case Foundation are affected by Publicly disclosed vulnerability in Java July 2019 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-filenet-content-m… ∗∗∗ Linux kernel vulnerability CVE-2017-18551 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K48073202?utm_source=f5support&utm_mediu… ∗∗∗ Apache Tomcat vulnerability CVE-2019-0221 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_mediu… ∗∗∗ ImageMagick vulnerability CVE-2019-13136 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03512441?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2019
by Daily end-of-shift report 10 Oct '19

10 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-10-2019 18:00 − Donnerstag 10-10-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ HP Touchpoint Analytics LPE Vulnerability Affects Most HP PCs ∗∗∗ --------------------------------------------- HP patched a vulnerability discovered in the HP Touchpoint Analytics software installed by default on most of its Windows laptops and desktops, a flaw allowing attackers to escalate privileges and execute arbitrary code using SYSTEM privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-touchpoint-analytics-lpe-… ∗∗∗ Gamers Warned of High-Severity Intel, Nvidia Flaws ∗∗∗ --------------------------------------------- The Intel NUC and Nvidia Shield both are vulnerable to high-severity flaws, Intel and Nvidia warned in dual advisories. --------------------------------------------- https://threatpost.com/gamers-high-severity-intel-nvidia-flaws/149034/ ∗∗∗ Apple iTunes Bug Actively Exploited in BitPaymer/iEncrypt Campaign ∗∗∗ --------------------------------------------- Attackers exploit an “unquoted path” flaw in the Bonjour updater in iTunes for Windows to deliver ransomware attacks. --------------------------------------------- https://threatpost.com/apple-itunes-bug-bitpaymer-iencrypt/149075/ ∗∗∗ Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques ∗∗∗ --------------------------------------------- During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and RDFSNIFFER. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-… ∗∗∗ Security Descriptor Auditing Methodology: Investigating Event Log Security ∗∗∗ --------------------------------------------- Upon gaining access to a system, what level of access is granted to an attacker who has yet to elevate their privileges? --------------------------------------------- https://posts.specterops.io/security-descriptor-auditing-methodology-invest… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper Networks Releases Security Updates ∗∗∗ --------------------------------------------- Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/10/juniper-networks-r… ∗∗∗ Sicherheitsupdates: Intel sichert NUC-PCs und Serverwartungstool ab ∗∗∗ --------------------------------------------- Angreifer könnten sich auf NUCs und auf Intel-Servern höhere Rechte aneignen. Eine Lücke bleibt jedoch ungepatcht. --------------------------------------------- https://heise.de/-4550829 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, libtomcrypt, and rsyslog), Fedora (suricata), SUSE (libopenmpt and python-requests), and Ubuntu (libsoup2.4 and octavia). --------------------------------------------- https://lwn.net/Articles/801974/ ∗∗∗ ZDI-19-866: NETGEAR AC1200 mini_httpd Poison Null Byte Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-866/ ∗∗∗ Maxlength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-073 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ OpenSSL vulnerability CVE-2019-1563 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K97324400?utm_source=f5support&utm_mediu… ∗∗∗ OpenSSL vulnerability CVE-2019-1547 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2019
by Daily end-of-shift report 09 Oct '19

09 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-10-2019 18:00 − Mittwoch 09-10-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Microsoft NTLM Flaws May Allow Full Domain Compromise ∗∗∗ --------------------------------------------- Two security vulnerabilities in Microsofts NTLM authentication protocol allow attackers to bypass the MIC (Message Integrity Code) protection and downgrade NTLM security features leading to full domain compromise of a network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-microsoft-ntlm-flaws-may… ∗∗∗ Doctor Web’s overview of malware detected on mobile devices in September 2019 ∗∗∗ --------------------------------------------- October 9, 2019 In September, Android users were threatened by various malware, many of which was distributed via Google Play. Those were the Android.DownLoader downloaders, the Android.Banker and Android.HiddenAds banking and adware trojans, as well as other threats. Doctor Web experts have also discovered several new versions of potentially dangerous applications, designed to spy on users, including Program.Panspy.1.origin, Program.RealtimeSpy.1.origin, and Program.MonitorMinor. --------------------------------------------- https://news.drweb.com/show/?i=13446&lng=en&c=9 ∗∗∗ Twitter: iOS-Apps verwenden altes Twitterkit mit Sicherheitslücke ∗∗∗ --------------------------------------------- Das Fraunhofer SIT hat eine Sicherheitslücke im eingestellten Twitterkit entdeckt, die nicht mehr geschlossen werden soll. Über diese kann ein Man-in-the-Middle-Angriff durchgeführt werden. Einige iOS-Apps verwenden die Software noch, um auf Tweets zuzugreifen oder einen Login mit Twitter anzubieten. --------------------------------------------- https://www.golem.de/news/twitter-ios-apps-verwenden-altes-twitterkit-mit-s… ∗∗∗ Vermeintliche Kündigung führt zu teurem Vertrag ∗∗∗ --------------------------------------------- Unternehmen aufgepasst: Unseriöse Firmen kontaktieren Unternehmen und behaupten, dass ein bereits laufender Vertrag zu einem Branchenbucheintrag nun gekündigt werden könne. Dazu müsse lediglich ein Fax unterzeichnet und retourniert werden. Wer das tut, kündigt nicht, sondern schließt einen teuren Vertrag ab. Unternehmen müssen den Betrag nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/vermeintliche-kuendigung-fuehrt-zu-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Microsoft sichert Windows und Browser gegen Angriffe ab ∗∗∗ --------------------------------------------- Microsoft hat Windows-Patches veröffentlicht, unter anderem aber auch einige gefährliche Angriffsmöglichkeiten auf Edge und Internet Explorer beseitigt. --------------------------------------------- https://heise.de/-4549555 ∗∗∗ Forensoftware vBulletin: Weitere Sicherheits-Patches veröffentlicht ∗∗∗ --------------------------------------------- Auf Patch-Level 1 folgte zügig Patch-Level 2 für die Foren-Software. Angesichts jüngst erfolgter Angriffe auf vBulletin-Foren sollte man zügig updaten. --------------------------------------------- https://heise.de/-4549270 ∗∗∗ SMA Solar Technology AG Sunny WebBox ∗∗∗ --------------------------------------------- This advisory includes mitigations for a cross-site request forgery vulnerability reported in the SMA Solar Technology AG Sunny WebBox communications hub. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-281-01 ∗∗∗ GE Mark VIe Controller ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper authorization and use of hard-coded credentials vulnerabilities reported in GE’s Mark VIe controller. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-281-02 ∗∗∗ Vulnerability Spotlight: Multiple remote code execution bugs in NitroPDF ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple remote code execution vulnerabilities in NitroPDF. Nitro PDF allows users to save, read, sign and edit PDF files on their machines. --------------------------------------------- https://blog.talosintelligence.com/2019/10/vuln-spotlight-Nitro-PDF-RCE-bug… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium), openSUSE (rust and sqlite3), SUSE (dnsmasq, firefox, and kubernetes, patchinfo), and Ubuntu (python2.7, python3.5, python3.6, python3.7). --------------------------------------------- https://lwn.net/Articles/801838/ ∗∗∗ Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit ∗∗∗ --------------------------------------------- A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. --------------------------------------------- https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-aud… ∗∗∗ VU#719689: Multiple vulnerabilities found in the Cobham EXPLORER 710 satcom terminal ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/719689 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM SPSS Modeler (CVE-2019-4473,CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Maximo Anywhere does not have device root detection. (CVE-2019-4265) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-anywhere-d… ∗∗∗ ImageMagick vulnerability CVE-2019-13135 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20336394 ∗∗∗ Beckhoff TwinCAT Denial-of-Service in Profinet driver ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-019 ∗∗∗ CVE-2019-TBD - Citrix Application Delivery Management (ADM) Console Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX261735 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2019
by Daily end-of-shift report 08 Oct '19

08 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 07-10-2019 18:00 − Dienstag 08-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ D-Link Home Routers Open to Remote Takeover Will Remain Unpatched ∗∗∗ --------------------------------------------- CVE-2019-16920 allows remote unauthenticated attackers to execute code on a target device. --------------------------------------------- https://threatpost.com/d-link-home-routers-unpatched/148941/ ∗∗∗ Kriminelle versenden gefälschte Apple Rechnung ∗∗∗ --------------------------------------------- Kriminelle fälschen App Store Rechnungen und senden diese wahllos an zahlreiche E-Mail-Adressen. Angeblich wurden Spiele im Wert von rund 80 Euro per Kreditkarte gekauft. Für die Stornierung und Rückerstattung des Betrages haben besorgte EmpfängerInnen die Möglichkeit, einem Link zu folgen. Ignorieren Sie diese Rechnung und klicken Sie nicht auf den Link, denn dieser führt zu einer Phishing-Seite. Im schlimmsten Fall wird Ihr Computer mit Schadsoftware infiziert. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versenden-gefaelschte-app… ∗∗∗ Zero-day published for old Joomla CMS versions ∗∗∗ --------------------------------------------- Proof-of-concept code available online; trivial to exploit. --------------------------------------------- https://www.zdnet.com/article/zero-day-published-for-old-joomla-cms-version… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/08/apple-releases-sec… ∗∗∗ Patchday: Google schließt zahlreiche kritische Android-Lücken ∗∗∗ --------------------------------------------- Zum Oktober-Patchday hat Google unter anderem die kürzlich von Project Zero veröffentlichte kritische Sicherheitslücke in Pixel 1 und 2 beseitigt. --------------------------------------------- https://heise.de/-4548538 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjpeg2, openssh, and xen), openSUSE (dovecot23, jasper, libseccomp, lxc, putty, and singularity), Red Hat (bind, kernel, polkit, python, and wget), and Ubuntu (unbound). --------------------------------------------- https://lwn.net/Articles/801692/ ∗∗∗ SAP Security Patch Day – October 2019 ∗∗∗ --------------------------------------------- [...] On 8th of October 2019, SAP Security Patch Day saw the release of 7 Security Notes. There is 1 update to previously released Patch Day [...] --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050 ∗∗∗ All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Page Exposure ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9898 ∗∗∗ SSA-608355: Processor Vulnerabilities Affecting SIMATIC WinAC RTX (F) 2010 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-608355.txt ∗∗∗ SSA-878278: Denial-of-Service Vulnerability in SIMATIC WinAC RTX (F) 2010 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-878278.txt ∗∗∗ SSA-984700: Password Storage Vulnerability in SIMATIC IT UADM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-984700.txt ∗∗∗ SSA-473245: Denial-of-Service Vulnerability in Profinet Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-473245.txt ∗∗∗ SSA-349422: Denial-of-Service in Industrial Real-Time (IRT) Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-349422.txt ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where the local attacker can obtain root privilege by injecting parameters into setuid files (CVE-2019-4558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-has-b… ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to Information Disclosure (CVE-2019-4512) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-mana… ∗∗∗ Bash vulnerability CVE-2012-6711 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05122252 ∗∗∗ Linux kernel vulnerability CVE-2019-15505 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28222050 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2019
by Daily end-of-shift report 07 Oct '19

07 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-10-2019 18:00 − Montag 07-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Betrügerische Mahnungen von Streaming-Seiten ignorieren! ∗∗∗ --------------------------------------------- Auf der Suche nach den neuesten Hollywood-Blockbustern im Internet stolpern zahlreiche KonsumentInnen über kinox.su. Beim Versuch, kostenlos Filme anzusehen, werden sie auf Websites wie streamovo.de, streamado.de, streamamy.de oder streamjuju.de weitergeleitet. Achtung: Die gratis Anmeldung auf diesen Websites führt nicht zu unbegrenztem Filmgenuss, sondern zu Rechnungen und Mahnungen über 395,88 Euro. Es besteht kein Grund zur Zahlung! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mahnungen-von-streami… ∗∗∗ visNetwork for Network Data, (Sun, Oct 6th) ∗∗∗ --------------------------------------------- DFIR Redefined Part 3 - Deeper Functionality for Investigators with R series continued --------------------------------------------- https://isc.sans.edu/diary/rss/25390 ∗∗∗ Factsheet DNS monitoring will get harder ∗∗∗ --------------------------------------------- New DNS transport protocols make it harder to monitor or modify DNS requests. This is beneficial on today’s untrusted networks. At the same time the shift may render your organisation’s security controls ineffective, expose internal naming or break connectivity. These negative side effects are hard to mitigate at a network level and require mitigation at DNS infrastructure and individual devices. --------------------------------------------- https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dn… ∗∗∗ NISTs Zero Trust Taxonomy Introduces Components, Threats and Migration Routes ∗∗∗ --------------------------------------------- NIST has published a draft Zero Trust Architecture (ZTA) special publication (SP.800.207). The purpose is to develop a technology-neutral lexicon of the logical components of a zero trust strategy, and to define ZTA, describe possible deployment scenarios, and highlight threats. --------------------------------------------- https://www.securityweek.com/nists-zero-trust-taxonomy-introduces-component… ∗∗∗ A year after patch, Drupalgeddon2 is still being employed in cybercriminal attacks ∗∗∗ --------------------------------------------- The remote code execution bug is being used in attacks against high-profile websites. --------------------------------------------- https://www.zdnet.com/article/old-drupalgeddon2-rce-is-still-being-employed… ∗∗∗ White-hat hacks Muhstik ransomware gang and releases decryption keys ∗∗∗ --------------------------------------------- Annoyed victim hacks back ransomware gang and releases all their decryption keys, along with a free decrypter. --------------------------------------------- https://www.zdnet.com/article/white-hat-hacks-muhstik-ransomware-gang-and-r… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities exploited in VPN products used worldwide ∗∗∗ --------------------------------------------- The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse secure, Palo Alto and Fortinet. --------------------------------------------- https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities ∗∗∗ Großer Lausch-Anruf: Signal für Android nimmt selbsttätig Anrufe an ∗∗∗ --------------------------------------------- Eine Lücke im Messenger Signal führt unter Android dazu, dass Nutzer belauscht werden könnten. Die App nimmt Sprachanrufe ohne Nutzerinteraktion entgegen. --------------------------------------------- https://heise.de/-4546500 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jackson-databind, libapreq2, libreoffice, novnc, phpbb3, and ruby-mini-magick), Fedora (mbedtls and mosquitto), Mageia (xpdf), openSUSE (bind, firefox, nginx, openssl-1_0_0, php7, python-numpy, and thunderbird), Oracle (kernel), SUSE (ansible1, ardana-ansible, ardana-cluster, ardana-db, ardana-extensions-nsx, ardana-glance, ardana-input-model, ardana-installer-ui, ardana-manila, ardana-monasca, ardana-neutron, ardana-nova, ardana-octavia, [...] --------------------------------------------- https://lwn.net/Articles/801469/ ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Rational® Quality Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by an openssh vulnerability (CVE-2018-15473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-se… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by openssl vulnerabilities (CVE-2019-1559, CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-se… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by Linux kernel vulnerabilities (CVE-2019-11479, CVE-2019-11478, CVE-2019-11477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2019
by Daily end-of-shift report 04 Oct '19

04 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-10-2019 18:00 − Freitag 04-10-2019 18:00 Handler: Stephan Richter Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Lost Files Data Wiper Poses as a Windows Security Scanner ∗∗∗ --------------------------------------------- A Windows Security Scanner that states it encrypted your files is being distributed by spam, but whether by bug or design, it instead corrupts binary data in a victims files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lost-files-data-wiper-poses-… ∗∗∗ Linux-Kernel: Android-Bug wird von NSO Group angegriffen ∗∗∗ --------------------------------------------- Googles Project Zero berichtet über einen Bug im Linux-Kernel, mit dem sich Android-Telefone angreifen lassen. Laut Google wird offenbar ein Exploit für den Bug bereits aktiv ausgenutzt. Pikant: Gefunden wurde der Bug bereits 2017 - von Google selbst. --------------------------------------------- https://www.golem.de/news/linux-kernel-android-bug-wird-von-nso-group-angeg… ∗∗∗ Investigating the security of Lime scooters ∗∗∗ --------------------------------------------- I've been looking at the security of the Lime escooters. These caught my attention because:(1) There's a whole bunch of them outside my building, and(2) I can see them via Bluetooth from my sofa which, given that I'm extremely lazy, made them more attractive targets than something that would actually require me to leave my home. --------------------------------------------- https://mjg59.dreamwidth.org/53024.html ∗∗∗ Down the Malware Rabbit Hole – Part 1 ∗∗∗ --------------------------------------------- It’s common for malware to be encoded to hide itself—or its true intentions—but have you ever given thought to what lengths attackers will go to hide their malicious code? In our first post in this series, we’ll describe how bad actors hide their malicious code and the steps taken to reveal its true form. --------------------------------------------- https://blog.sucuri.net/2019/10/down-the-malware-rabbit-hole-part-1.html ∗∗∗ COMpfun successor Reductor infects files on the fly to compromise TLS traffic ∗∗∗ --------------------------------------------- In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. Analysis of the malware allowed us to confirm that the operators have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly. --------------------------------------------- https://securelist.com/compfun-successor-reductor/93633/ ∗∗∗ Antimalware Scan Interface Detection Optics Analysis Methodology: Identification and Analysis of AMSI for WMI ∗∗∗ --------------------------------------------- AMSI offers a fantastic interface for endpoint security vendors to gain insight into in-memory buffers from components that choose have their content scanned. --------------------------------------------- https://posts.specterops.io/antimalware-scan-interface-detection-optics-ana… ∗∗∗ macOS systems abused in DDoS attacks ∗∗∗ --------------------------------------------- Up to 40,000 macOS systems expose a particular port online that can be abused for pretty big DDoS attacks. --------------------------------------------- https://www.zdnet.com/article/macos-systems-abused-in-ddos-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Interpeak IPnet TCP/IP Stack (Update A) ∗∗∗ --------------------------------------------- This updated medical advisory is a follow-up to the original advisory titled ICSMA-19-274-01 Interpeak IPnet TCP/IP Stack that was published October 1, 2019, on the ICS webpage on us-cert.gov. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-274-01 ∗∗∗ Microsoft Re-Releases Security Updates ∗∗∗ --------------------------------------------- Microsoft has re-released security updates to address a vulnerability in Microsoft software. A remote attacker could exploit this vulnerability to take control of an affected system. Updates are now available automatically via Windows Update or Windows Server Update Services. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/03/microsoft-re-relea… ∗∗∗ FreeType vulnerability CVE-2015-9290 ∗∗∗ --------------------------------------------- In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict ... --------------------------------------------- https://support.f5.com/csp/article/K38315305 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim, ruby, ruby-rdoc, ruby2.5, and systemd), Debian (openconnect), Mageia (thunderbird), openSUSE (lxc and mosquitto), Oracle (kernel and patch), Scientific Linux (patch), SUSE (firefox, java-1_7_0-ibm, and sqlite3), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/801318/ ∗∗∗ Security Advisory 2019-13: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- https://community.otrs.com/security-advisory-2019-13-security-update-for-ot… ∗∗∗ IBM Security Bulletin: Linux Kernel as used by IBM QRadar SIEM is vulnerable to Denial of Service(CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2019
by Daily end-of-shift report 03 Oct '19

03 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-10-2019 18:00 − Donnerstag 03-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sodinokibi Ransomware Builds An All-Star Team of Affiliates ∗∗∗ --------------------------------------------- The Sodinokibi Ransomware (REvil) has been making news lately as they target the enterprise, MSPs, and government entities through their hand-picked team of all-star affiliates. These affiliates appear to have had a prior history with the GandCrab RaaS and use similar distribution methods. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-builds… ∗∗∗ A New Wave of Buggy WordPress Infections ∗∗∗ --------------------------------------------- We’ve been following an ongoing malware campaign for the past couple of years now. This campaign is renowned for its prompt addition of exploits for newly discovered WordPress theme and plugin vulnerabilities. Every other week, the attackers introduce new domain names and slightly change the obfuscation of their scripts to prevent detection. --------------------------------------------- https://blog.sucuri.net/2019/10/a-new-wave-of-buggy-wordpress-infections.ht… ∗∗∗ FBI: Don’t pay ransomware demands, stop encouraging cybercriminals to target others ∗∗∗ --------------------------------------------- The FBI has some unambiguous advice for organisations on how they should handle ransomware demands: Dont pay. --------------------------------------------- https://www.tripwire.com/state-of-security/featured/fbi-dont-pay-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Gefährliche Lücke in Magenta-Routern entdeckt ∗∗∗ --------------------------------------------- Die bereits in UPC-Zeiten verteilte Connect Box kann von außen übernommen werden. Ein Firmware-Update soll Abhilfe schaffen. --------------------------------------------- https://futurezone.at/produkte/gefaehrliche-luecke-in-magenta-routern-entde… ∗∗∗ WhatsApp Flaw Opens Android Devices to Remote Code Execution ∗∗∗ --------------------------------------------- A double-free bug could allow an attacker to achieve remote code execution; users are encouraged to update to a patched version of the messaging app. --------------------------------------------- https://threatpost.com/whatsapp-flaw-opens-android-devices-to-remote-code-e… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (jackson-databind, libapreq2, and subversion), Fedora (glpi, memcached, and zeromq), openSUSE (rust), Oracle (kernel), Red Hat (patch), and SUSE (dovecot23, git, jasper, libseccomp, and thunderbird). --------------------------------------------- https://lwn.net/Articles/801226/ ∗∗∗ Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-072 ∗∗∗ Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-071 ∗∗∗ Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-070 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by Cross-Site Scripting (CVE-2019-4564) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by information exposure (CVE-2019-4514) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Java Vulnerability Affects IBM Connect:Direct Web Services (CVE-2019-10246, CVE-2019-10247, CVE-2019-10241 & CVE-2018-12545) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-java-vulnerability-af… ∗∗∗ IBM Security Bulletin: IBM MQ AMQP Listeners are vulnerable to a session fixation attack (CVE-2019-4227) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-amqp-listeners… ∗∗∗ HPESBST03958 rev.1 - HPE Command View Advanced Edition (CVAE) Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03959 rev.1 - HPE Command View Advanced Edition (CVAE) Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2019
by Daily end-of-shift report 02 Oct '19

02 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-10-2019 18:00 − Mittwoch 02-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ethical hacking: Passive information gathering with Maltego ∗∗∗ --------------------------------------------- In this article, we’ll discuss passive information gathering. We’ll first look at how we can use Maltego, a common information gathering tool, to perform this form of reconnaissance. Using a hands-on walkthrough of Maltego, we’ll see how you can acquire IP addresses, sub-domains and perform different levels of reconnaissance to inform your information gathering [...] --------------------------------------------- https://resources.infosecinstitute.com/ethical-hacking-passive-information-… ∗∗∗ Hackers Turn to OpenDocument Format to Avoid AV Detection ∗∗∗ --------------------------------------------- Malware laced OpenDocument files target Microsoft Office, OpenOffice and LibreOffice users. --------------------------------------------- https://threatpost.com/hackers-turn-to-opendocument/148817/ ∗∗∗ Magecart hits again, leveraging compromised sites and newly registered domains ∗∗∗ --------------------------------------------- During alert monitoring, ThreatLabZ researchers came across multiple cases of shopping sites being compromised and injected with a skimming script. This injected script looks for the payment method and personally identifiable information (PII) and captures supplied financial information which is then sent to an adversary-controlled gate server even before the user hits the submit form. --------------------------------------------- https://www.zscaler.com/blogs/research/magecart-hits-again-leveraging-compr… ∗∗∗ Erfundene Speditionen beim Autokauf über Kleinanzeigen! ∗∗∗ --------------------------------------------- Auf der Suche nach günstigen Gebrauchtautos, Wohnmobilen, Motorrädern oder Oldtimern sind Kleinanzeigenplattformen häufig die beste Option. Doch seien Sie vorsichtig, wenn Ihr Gegenüber sich angeblich im Ausland befindet und der Kauf über eine Spedition abgewickelt werden soll. Meist handelt es sich hierbei um Kriminelle, die Ihnen das Geld aus der Tasche ziehen wollen. Das versprochene Gefährt erhalten Sie nie! --------------------------------------------- https://www.watchlist-internet.at/news/erfundene-speditionen-beim-autokauf-… ∗∗∗ Understanding and Defending Against Access Token Theft: Finding Alternatives to winlogon.exe ∗∗∗ --------------------------------------------- https://posts.specterops.io/understanding-and-defending-against-access-toke… ===================== = Vulnerabilities = ===================== ∗∗∗ Interpeak IPnet TCP/IP Stack ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection, and null pointer dereference vulnerabilities in the Interpeak IPnet TCP/IP stack. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-274-01 ∗∗∗ Yokogawa Products ∗∗∗ --------------------------------------------- This advisory includes mitigations for an unquoted search path or element vulnerability reported in Yokogawa’s Exaopc, Exaplog, Exaquantum, Exasmoc, Exarqe, GA10, and InsightSuiteAE products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-274-02 ∗∗∗ Moxa EDR 810 Series ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper input validation and improper access control vulnerabilities reported in Moxa’s EDR 810 router. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-274-03 ∗∗∗ Inadequate Patch in Hewlett Packard Enterprise iMC 7.3 E0703 ∗∗∗ --------------------------------------------- [...] This means there are (at least) two unpatched, known vulnerabilities in iMC with a CVSSv2 base score of 10.0. Basically, these bugs have been lurking around without proper patches since December 2018. --------------------------------------------- https://medium.com/tenable-techblog/inadequate-patch-in-hewlett-packard-ent… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl and openssl1.0), Fedora (expat, kernel, kernel-headers, kernel-tools, and phpMyAdmin), openSUSE (nghttp2 and u-boot), Oracle (kernel), Red Hat (rh-nodejs8-nodejs), Slackware (libpcap), SUSE (bind, jasper, libgcrypt, openssl-1_0_0, and php7), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/801130/ ∗∗∗ PuTTY: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0863 ∗∗∗ Fortinet FortiSIEM 5.0 / 5.2.1 Improper Certification Validation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019100006 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: Information disclosure vulnerability in WebSphere Application Server (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities have been addressed in IBM Security Access Manager Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by an Escalation of Privileges vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: Vulnerabilities in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2019-14439, CVE-2019-14379, CVE-2019-12814, CVE-2019-12086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-fa… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance has shipped a security vulnerability fix for WebSphere Application Server (CVE-2019-4046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-access-m… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities affect IBM Cloud Private for Data – OpenSSL (CVE-2019-1543), Kubernetes (CVE-2019-1002100) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2019
by Daily end-of-shift report 01 Oct '19

01 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 30-09-2019 18:00 − Dienstag 01-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Free Ouroboros Ransomware (Zeropadypt NextGen) Decryption Available ∗∗∗ --------------------------------------------- Victims of the Ouroboros Ransomware, otherwise known as Zeropadypt NextGen, can get their files decrypted for free with the help of a security researcher and a decryptor that has been made for different variants. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-ouroboros-ransomware-ze… ∗∗∗ Beyond the SISSDEN event horizon ∗∗∗ --------------------------------------------- Between May 2016 and April 2019, The Shadowserver Foundation participated in the SISSDEN EU Horizon 2020 project. The main goal of the project was to improve the cybersecurity posture of EU entities and end users through the development of situational awareness and sharing of actionable information. It exceeded KPIs, with 257 sensors in 59 countries, using 974 IP addresses across 119 ASNs and 383 unique /24 (Class C) networks, and collected 31TB of threat data. --------------------------------------------- https://www.shadowserver.org/news/beyond-the-sissden-event-horizon/ ∗∗∗ Decades-Old Code Is Putting Millions of Critical Devices at Risk ∗∗∗ --------------------------------------------- Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light. --------------------------------------------- https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices ∗∗∗ Vorsicht bei zu günstigen Technik-Angeboten ∗∗∗ --------------------------------------------- sgt-sonic.store, alpha-tech.store, omega-tech.store, grand-elec.store und beta-elec.store bieten ein breites Technik-Sortiment mit unschlagbaren Angeboten. Sehen Sie jedoch von einer Bestellung ab, denn es handelt sich um Fake-Shops. Die Ware wird trotz Vorab-Zahlung nie geliefert. Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-technik-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Noch ein Update für iOS, iPadOS und watchOS ∗∗∗ --------------------------------------------- Bei Apple kommen die Aktualisierungen Schlag auf Schlag. iOS 13.1.2, iPadOS 13.1.2 und watchOS 6.0.1 beheben erneut Fehler. --------------------------------------------- https://heise.de/-4543459 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, linux-4.9, netty, phpbb3, and poppler), openSUSE (chromium, djvulibre, ghostscript, python-numpy, SDL2, and varnish), Oracle (nodejs:10), Red Hat (httpd24-httpd and httpd24-nghttp2, kpatch-patch, and rh-nodejs10-nodejs), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and SDL 2.0). --------------------------------------------- https://lwn.net/Articles/801010/ ∗∗∗ Red Hat Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0860 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0862 ∗∗∗ Theme Editor <= 2.1 - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9894 ∗∗∗ Cisco Webex Meetings Enumeration Attack ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities have been addressed in IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 & GCM32 and LCM8 & LCM16 KVM Switch Firmware (CVE-2018-0732 CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-op… ∗∗∗ HPESBHF03955 rev.1 - HPE Simplivity Omnistack, Local and Remote File Modification and Deletion ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03956 rev.1 - HPE Simplivity Omnistack, Local and Remote Arbitrary Command Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03954 rev.1 - HPE UioT, Remote Unauthorized Access and Access to sensitive Data ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily October 2019