Daily August 2019

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 30.08.2019
by Daily end-of-shift report 30 Aug '19

30 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-08-2019 18:00 − Freitag 30-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows 7: Update-Blockade für Symantec-Nutzer aufgehoben ∗∗∗ --------------------------------------------- Microsoft hat Windows-Updates wieder für Nutzer von Symantec Endpoint Protection freigegeben. --------------------------------------------- https://heise.de/-4509981 ∗∗∗ CERT-Bund warnt vor offenen Smarthome-Systemen ∗∗∗ --------------------------------------------- Fast 3000 Homematic-Systeme sind offenbar aus dem Internet erreichbar -- die meisten davon lassen sich beliebig fernsteuern. --------------------------------------------- https://heise.de/-4509977 ∗∗∗ It Saved Our Community: 16 Realistic Ransomware Defenses for Cities ∗∗∗ --------------------------------------------- Practical steps municipal governments can take to better prevent and respond to ransomware infections. --------------------------------------------- https://www.darkreading.com/edge/theedge/it-saved-our-community-16-realisti… ∗∗∗ A very deep dive into iOS Exploit chains found in the wild ∗∗∗ --------------------------------------------- Posted by Ian Beer, Project ZeroProject Zero’s mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere. Earlier this year Googles Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-ex… ∗∗∗ Scalable infrastructure for investigations and incident response ∗∗∗ --------------------------------------------- Traditional computer forensics and cyber investigations are as relevant in the cloud as they are in on-premise environments, but the methods in which to access and perform such investigations differ. This post will describe some of the challenges of bringing on-premises forensics techniques to the cloud and show one solution to overcome these challenges, using [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/08/30/scalable-infrastructure-for-… ∗∗∗ [SANS ISC] Malware Dropping a Local Node.js Instance ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Malware Dropping a Local Node.js Instance“: Yesterday, I wrote a diary about misused Microsoft tools[1]. I just found another interesting piece of code. This time the malware is using Node.js[2]. --------------------------------------------- https://blog.rootshell.be/2019/08/30/sans-isc-malware-dropping-a-local-node… ∗∗∗ Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware ∗∗∗ --------------------------------------------- Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab and answering some of those questions by exploring malware debug information. We find that malware developers give descriptive names to their folders and code projects, often describing the capabilities of the malware in development. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Change Healthcare McKesson and Horizon Cardiology ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect default permissions vulnerability in Change Healthcares cardiology devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-01 ∗∗∗ Philips HDI 4000 Ultrasound ∗∗∗ --------------------------------------------- This advisory contains mitigations for a use of obsolete function vulnerability in Philips HDI 4000 Ultrasound Systems diagnostic tool. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-02 ∗∗∗ Cisco Firepower 4100 and 9300 Security Appliance Local Management Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the process for creating default IP blocks during device initialization for Cisco Firepower 4100 Series and Firepower 9300 Security Appliances running Cisco FXOS Software could allow an unauthenticated, remote attacker to send traffic to the local IP address of the device, bypassing any filters that are configured to deny local IP management traffic. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, gettext, go, go-pie, libnghttp2, and pigeonhole), Debian (djvulibre, dovecot, and subversion), Fedora (sleuthkit and wireshark), openSUSE (containerd, docker, docker-runc, and qbittorrent), Oracle (pango), SUSE (kernel, nodejs10, and python-SQLAlchemy), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/797938/ ∗∗∗ Linux kernel vulnerability CVE-2019-10639 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32804955 ∗∗∗ Avira Optimizer Local Privilege Escalation ∗∗∗ --------------------------------------------- https://posts.specterops.io/avira-optimizer-local-privilege-escalation-af10… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-za ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-z ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-websphere-cast-ir… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2019
by Daily end-of-shift report 29 Aug '19

29 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-08-2019 18:00 − Donnerstag 29-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Samples Compiling Their Next Stage on Premise, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly directly on the victim's computer. At a first point, it seems weird but, after all, its an interesting approach to bypass low-level detection mechanisms that look for PE files. --------------------------------------------- https://isc.sans.edu/diary/rss/25278 ∗∗∗ ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information ∗∗∗ --------------------------------------------- Despite having an apparent lull in the first half of 2019, phishing will remain a staple in a cybercriminal’s arsenal, and theyre not going to stop using it. The latest example is a phishing campaign dubbed Heatstroke, based on a variable found in their phishing kit code. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hQZwZfgZ7U/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Buffer Overflow in Dovecot-Mailserver ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Dovecot-Mailserver könnte es Angreifern erlauben, Code auszuführen. Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-buffer-overflow-in-dovecot-mail… ∗∗∗ Kritische Lücke mit Höchstwertung in Ciscos Betriebssystem ISO EX ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für verschiedene Betriebssystem-Versionen für Netzwerkgeräte von Cisco. --------------------------------------------- https://heise.de/-4509454 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and faad2), openSUSE (schismtracker), Red Hat (ceph and pango), Scientific Linux (pango), SUSE (apache-commons-beanutils, ceph, php7, and qemu), and Ubuntu (ceph, dovecot, and ghostscript). --------------------------------------------- https://lwn.net/Articles/797775/ ∗∗∗ Nextgen Gallery < 3.2.11 - SQL Injection ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9816 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-1543 in OpenSSL affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-master… ∗∗∗ External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/external-dns-requests-in-zyxel-u… ∗∗∗ Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/hardcoded-ftp-credentials-in-zyx… ∗∗∗ A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member webserver (HTTP Desync Attack) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50375550 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0004.html ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0768 ∗∗∗ Kubernetes: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0769 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2019
by Daily end-of-shift report 28 Aug '19

28 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-08-2019 18:00 − Mittwoch 28-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Dangerous Cryptomining Worm Racks Up 850K Infections, Self-Destructs ∗∗∗ --------------------------------------------- Law enforcement takedown causes Retadup malware to eat itself. --------------------------------------------- https://threatpost.com/cryptomining-worm-infections-self-destructs/147767/ ∗∗∗ [Guest Diary] Open Redirect: A Small But Very Common Vulnerability, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- This is a guest diary submitted by Jan Kopriva. Jan is working for Alef Nula (http://www.alef.com) and you can follow him on Twitter at @jk0pr --------------------------------------------- https://isc.sans.edu/diary/rss/25276 ∗∗∗ Extracting Certificates From the Windows Registry ∗∗∗ --------------------------------------------- I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. --------------------------------------------- https://blog.nviso.be/2019/08/28/extracting-certificates-from-the-windows-r… ∗∗∗ RAT Ratatouille: Backdooring PCs with leaked RATs ∗∗∗ --------------------------------------------- Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. --------------------------------------------- https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html ∗∗∗ Identitätsdiebstahl mit gefälschten Airbnb-Mails ∗∗∗ --------------------------------------------- Achtung: Kriminelle versenden erfundene Mails im Namen von Airbnb an zahlreiche Kundinnen und Kunden. Darin behaupten sie, dass das Konto gesperrt wurde und nun Kopien des Personalausweises, Selfies mit dem Ausweis neben dem Gesicht sowie eine handschriftliche Notiz zur Freischaltung notwendig wären. Die Nachricht muss ignoriert werden, andernfalls kommt es zu Identitätsmissbrauch! --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-mit-gefaelschte… ===================== = Vulnerabilities = ===================== ∗∗∗ Delta Controls enteliBUS Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigations for a buffer overflow vulnerability in Delta Controllers enteliBUS Controllers industrial control systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-01 ∗∗∗ Datalogic AV7000 Linear Barcode Scanner ∗∗∗ --------------------------------------------- This advisory contains mitigations for an authentication bypass using an alternate path vulnerability in Datalogics AV7000 Linear Barcode Scanners. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot), Fedora (docker and nghttp2), Oracle (pango), SUSE (apache2, fontforge, ghostscript-library, libreoffice, libvirt, podman, slirp4netns and libcontainers-common, postgresql10, and slurm), and Ubuntu (dovecot). --------------------------------------------- https://lwn.net/Articles/797579/ ∗∗∗ DLL Hijacking Flaw Patched in Check Point Endpoint Security ∗∗∗ --------------------------------------------- Researchers at SafeBreach discovered that Check Point’s Endpoint Security product is affected by a DLL hijacking vulnerability that can be exploited for privilege escalation and other purposes. read more --------------------------------------------- https://www.securityweek.com/dll-hijacking-flaw-patched-check-point-endpoin… ∗∗∗ CVE-2019-13609 - CRLF Vulnerability in Citrix License Server for Windows and VPX ∗∗∗ --------------------------------------------- A Carriage Return Line Feed (CRLF) injection vulnerability has been identified in Citrix License Server for Windows and VPX that could allow an unauthenticated attacker to bypass authentication and allow a malicious website to read or modify license server [...] --------------------------------------------- https://support.citrix.com/article/CTX257644 ∗∗∗ Realtek Managed Switch Controller RTL83xx Stack Overflow ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019080138 ∗∗∗ Security Advisory - Key Negotiation of Bluetooth (KNOB) Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190828-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a insecure Content-Security-Policy header vulnerability CVE-2019-4133 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2019
by Daily end-of-shift report 27 Aug '19

27 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 26-08-2019 18:00 − Dienstag 27-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ macOS: Zurückgelassene Helper-Tools als Sicherheitsproblem ∗∗∗ --------------------------------------------- "Privileged Helper Tools" können es Mac-Malware erlauben, Root-Rechte zu erlangen, warnt ein Entwickler. Nutzer sollten zum Schutz selbst aktiv werden. --------------------------------------------- https://heise.de/-4507656 ∗∗∗ Mobile Menace Monday: Android Trojan raises xHelper ∗∗∗ --------------------------------------------- Since its introduction in May 2019, the xHelper dropper, an Android Trojan, has climbed to our top 10 list of most detected mobile malware. --------------------------------------------- https://blog.malwarebytes.com/android/2019/08/mobile-menace-monday-android-… ∗∗∗ New 4CAN tool helps identify vulnerabilities in on-board car computers ∗∗∗ --------------------------------------------- Modern automobiles contain hundreds of sensors and mechanics that communicate via computers to understand their surrounding environment. Those components provide real-time information to drivers, connect the vehicle to a global network, and in some cases use that telemetry to automatically drive the vehicle. Like any computer, those in vehicles are susceptible to threats, such as vulnerabilities in software ... --------------------------------------------- https://blog.talosintelligence.com/2019/08/new-4can-tool-helps-identify.html ∗∗∗ Free Decryption Tool Released for Syrk Ransomware ∗∗∗ --------------------------------------------- Security researchers have released a decryption tool which victims of Syrk ransomware can use to recover their files for free. Emsisoft found that Syrk arrived with its own decryptor, but the security firm decided to release its own utility for three reasons. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/free-de… ∗∗∗ Lojack’d: Pwning Smart vehicle trackers ∗∗∗ --------------------------------------------- This research is by @evstykas with help from @Yekki_1 and @TheKenMunroShow. Many car insurers insist that smart trackers are fitted to high end vehicles. In the event of theft, the car can be tracked and recovered. Probably the most well-known is LoJack, also known as Tracker in Europe. --------------------------------------------- https://www.pentestpartners.com/security-blog/lojackd-pwning-smart-vehicle-… ∗∗∗ Aufgepasst: Es kursieren gefährliche Raiffeisen-Phishing-Mails ∗∗∗ --------------------------------------------- Aktuell sind wieder Phishing-Mails im Namen der Raiffeisen Bank unterwegs. Angeblich ist eine Nachricht für Sie eingegangen. Um diese zu lesen, werden Sie aufgefordert, einem Link zu folgen. Sie landen auf einem Nachbau der Raiffeisen-Login-Seite. Kriminelle versuchen so, an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/aufgepasst-es-kursieren-gefaehrliche… ===================== = Vulnerabilities = ===================== ∗∗∗ Betriebssystem: Apple patcht WatchOS und iOS ∗∗∗ --------------------------------------------- Nutzer von Apples mobilen Betriebssystemen haben gegebenenfalls eine Update-Benachrichtigung auf ihren Geräten. Apple hat sowohl für die Apple Watch als auch für iPhone, iPod Touch und iPad ein neues Betriebssystem freigegeben. Unter iOS wird dabei auch eine Sicherheitslücke geschlossen. --------------------------------------------- https://www.golem.de/news/betriebssystem-apple-patcht-watchos-und-ios-1908-… ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 76.0.3809.132 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/08/27/google-releases-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and xymon), openSUSE (putty and vlc), Red Hat (kernel and ruby), Scientific Linux (advancecomp, bind, binutils, blktrace, compat-libtiff3, curl, dhcp, elfutils, exempi, exiv2, fence-agents, freerdp and vinagre, ghostscript, glibc, gvfs, http-parser, httpd, kde-workspace, keepalived, kernel, keycloak-httpd-client-install, libarchive, libcgroup, libguestfs-winsupport, libjpeg-turbo, libmspack, libreoffice, libsolv, libssh2, libtiff, libvirt, ... --------------------------------------------- https://lwn.net/Articles/797442/ ∗∗∗ IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to a denial of service (CVE-2019-10072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-tomcat-as-used… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2019
by Daily end-of-shift report 26 Aug '19

26 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-08-2019 18:00 − Montag 26-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing-Mail: Keine 1.957,05 Euro Rückzahlung vom Finanzministerium! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische Phishing-Mails im Namen des Bundesministeriums für Finanzen (BMF), in denen sie Konsument/innen über eine angebliche Rückzahlung über 1957 Euro informieren. Empfänger/innen dürfen den Links in der Nachricht nicht folgen und keine Daten bekanntgeben. Sie landen in den Händen Krimineller und können für weitere Verbrechen missbraucht werden. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-keine-195705-euro-ruec… ∗∗∗ Lenovo Crapware: Vorinstallierte Systemsoftware macht Laptops angreifbar ∗∗∗ --------------------------------------------- Wer noch das Lenovo Solution Center auf seinem System hat, sollte es schnellstmöglich deinstallieren. --------------------------------------------- https://heise.de/-4505088 ∗∗∗ Jetzt patchen! Exploit-Code für Cisco-Switches in Umlauf ∗∗∗ --------------------------------------------- Es könnten Angriffe auf Switches von Cisco bevorstehen. Sicherheitsupdates gibt es bereits seit Anfang August. --------------------------------------------- https://heise.de/-4505182 ∗∗∗ Attackers are targeting vulnerable Fortigate and Pulse Secure SSL VPNs ∗∗∗ --------------------------------------------- Attackers are taking advantage of recently released vulnerability details and PoC exploit code to extract private keys and user passwords from vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations. About the vulnerabilities Attackers have been scanning for and targeting two vulnerabilities: CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal. --------------------------------------------- https://www.helpnetsecurity.com/2019/08/26/vulnerable-fortigate-pulse-secur… ∗∗∗ Malicious WordPress Redirect Campaign Attacking Several Plugins ∗∗∗ --------------------------------------------- Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations. --------------------------------------------- https://www.wordfence.com/blog/2019/08/malicious-wordpress-redirect-campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, libreoffice-still, nginx, nginx-mainline, and subversion), Debian (commons-beanutils, h2o, libapache2-mod-auth-openidc, libmspack, qemu, squid, and tiff), Fedora (kubernetes, libmodbus, nfdump, and nodejs), openSUSE (dkgpg, libTMCG, go1.12, neovim, python, qbittorrent, schismtracker, teeworlds, thunderbird, and zstd), and SUSE (go1.11, go1.12, python-SQLAlchemy, and python-Twisted). --------------------------------------------- https://lwn.net/Articles/797286/ ∗∗∗ IBM Security Bulletin: IBM Db2 Mirror for i is affected by CVE-2019-4536 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-mirror-for-i-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a forbidden resouce redirect for bad API path CVE-2019-4132 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2019
by Daily end-of-shift report 23 Aug '19

23 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-08-2019 18:00 − Freitag 23-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Many Possibilities of CVE-2019-8646 ∗∗∗ --------------------------------------------- CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use this bug. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/the-many-possibilities-of-cv… ∗∗∗ Instagram phishing uses 2FA as a lure ∗∗∗ --------------------------------------------- If the phishing page looks OK, and it has an HTTPS padlock, how are you supposed to spot phishes these days? --------------------------------------------- https://nakedsecurity.sophos.com/2019/08/23/instagram-phishing-uses-2fa-as-… ∗∗∗ Simple Mimikatz & RDPWrapper Dropper, (Thu, Aug 22nd) ∗∗∗ --------------------------------------------- Let's review a malware sample that I spotted a few days ago. I found it interesting because it's not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started to hunt for more Powershell based on encoded directives. The following regular expression matched on the file: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25262 ∗∗∗ Sommerferien vorbei – Emotet ist zurück ∗∗∗ --------------------------------------------- Seit Freitag früh sind die Server der wohl gefährlichsten Cybercrime-Bande wieder aktiv. --------------------------------------------- https://heise.de/-4503467 ∗∗∗ Hackers Target Vulnerabilities in Fortinet, Pulse Secure Products ∗∗∗ --------------------------------------------- Recently disclosed vulnerabilities affecting enterprise virtual private network (VPN) products from Fortinet and Pulse Secure have been exploited in the wild, a researcher reported on Thursday. --------------------------------------------- https://www.securityweek.com/hackers-target-vulnerabilities-fortinet-pulse-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, nginx, and openjdk-7), Fedora (httpd, mod_md, nghttp2, and patch), and SUSE (rubygem-loofah). --------------------------------------------- https://lwn.net/Articles/797049/ ∗∗∗ PrivEsc in Lenovo Solution Centre, 10 minutes later ∗∗∗ --------------------------------------------- CVE-2019-6177 – Lenovo Solution Centre Privilege Escalation. Slow, but sure. TL;DR We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices. Lenovo say LSC has been shipped since 2011, but haven’t been clear about when they stopped shipping it by default with new devices. --------------------------------------------- https://www.pentestpartners.com/security-blog/privesc-in-lenovo-solution-ce… ∗∗∗ IBM Security Bulletin: Remote Execution Vulnerability Affects Red Hat Linux Used By IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter (CVE-2019-12735) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-remote-execution-vuln… ∗∗∗ Spectre SWAPGS gadget vulnerability CVE-2019-1125 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31085564 ∗∗∗ HPESBUX03950 rev.1 - HP-UX Web Server Suite running Apache on HP-UX 11iv3, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2019
by Daily end-of-shift report 22 Aug '19

22 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-08-2019 18:00 − Donnerstag 22-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ICS Protocols ∗∗∗ --------------------------------------------- ICS stands for Industrial Control Systems. ICS is a generic term used to describe various control systems and their instrumentation, used for controlling and monitoring industrial processes. ICS basically integrates hardware, software and their network connectivity for running and supporting critical infrastructure. ICS systems get data from remote sensors and send commands to the [...] --------------------------------------------- https://resources.infosecinstitute.com/ics-protocols/ ∗∗∗ Nach dem Datenleck: Mastercard benachrichtigt Kunden ∗∗∗ --------------------------------------------- Nachdem in den vergangenen Tagen Daten von Mastercard-Kunden im Internet auftauchten, hat das Unternehmen nun weitere Informationen per Mail verschickt. --------------------------------------------- https://heise.de/-4502408 ∗∗∗ KNOB-Attacke: Apple liefert Patch gegen Bluetooth-Schwachstelle ∗∗∗ --------------------------------------------- In der jüngsten Version der Betriebssysteme hat Apple eine grundlegende Schwachstelle ausgeräumt, die ein Knacken der Bluetooth-Verschlüsselung ermöglicht. --------------------------------------------- https://heise.de/-4503139 ∗∗∗ Android‑Spyware im Google Play Store aufgetaucht ∗∗∗ --------------------------------------------- ESET-Forscher entdeckten gleich zweimal Android-Spyware im Google Play Store. Die erste ihrer Art, die auf der Open-Source RAT-Software AhMyth aufbaut. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/08/22/android-spyware-google-pl… ∗∗∗ Hinter modellbau-billiger.de steckt Betrug ∗∗∗ --------------------------------------------- Modellbau-Fans stoßen auf der Suche nach Modelleisenbahnen, ferngesteuerten Autos, Flugzeugen oder Drohnen womöglich auf den Fake-Shop modellbau-billiger.de. Die Kriminellen nutzen dabei die Impressumsdaten eines seriösen Unternehmens, um Vertrauen zu stiften. Hier darf nichts bestellt werden. Die Zahlungen per Vorkasse sind verloren! --------------------------------------------- https://www.watchlist-internet.at/news/hinter-modellbau-billigerde-steckt-b… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt updaten: Cisco schließt 27 Sicherheitslücken in diversen Produkten ∗∗∗ --------------------------------------------- Vor allem Nutzer von Ciscos IMC Supervisor und UCS Director sollten einen Blick auf die aktuellen Sicherheitshinweise werfen. Kritische Lücken wurden gefixt. --------------------------------------------- https://heise.de/-4502617 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (nginx), openSUSE (ImageMagick and putty), Red Hat (Ansible, atomic-openshift-web-console, ceph, and qemu-kvm-rhev), SUSE (kvm, libssh2_org, postgresql96, qemu, and wavpack), and Ubuntu (libzstd and openjpeg2). --------------------------------------------- https://lwn.net/Articles/796949/ ∗∗∗ IBM Security Bulletin: IBM Security Access Manager for Enterprise Single-Sign On is affected by an XML External Entity Injection (XXE) vulnerability (CVE-2019-4513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-access-m… ∗∗∗ IBM Security Bulletin: This Power System update is being released to address CVE-2019-4169 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-this-power-system-upd… ∗∗∗ IBM Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU – Oct 2018 – Includes Oracle Oct.2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletinibm-sdk-java-technolog… ∗∗∗ Multiple Vulnerabilities in OpenPGP.js ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-open… ∗∗∗ HPESBST03951 rev.1 - HPE Command View Advanced EditionCVAE (Virtual Appliance only), Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03952 rev.1 - HPE Command View Advanced Edition (CVAE) Products using JAVA, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03953 rev.1 - HPE Command View Advanced Edition (CVAE), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBUX03950 rev.1 - HP-UX Web Server Suite running Apache on HP-UX 11iv3, Multiple Remote Vulnerabiities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Drupal: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0746 ∗∗∗ Red Hat Ceph Storage: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0751 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2019
by Daily end-of-shift report 21 Aug '19

21 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-08-2019 18:00 − Mittwoch 21-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fortnite Ransomware Masquerades as an Aimbot Game Hack ∗∗∗ --------------------------------------------- Attackers are taking aim at Fortnites global community of 250 million gamers. --------------------------------------------- https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-ha… ∗∗∗ KAPE: Kroll Artifact Parser and Extractor, (Wed, Aug 21st) ∗∗∗ --------------------------------------------- KAPE vs Commando, another Red vs Blue vignette --------------------------------------------- https://isc.sans.edu/diary/rss/25258 ∗∗∗ CERT-Bund warnt vor öffentlich erreichbaren Sphinx-Suchservern ∗∗∗ --------------------------------------------- In der Standardkonfiguration sind Sphinx-Server aus dem Internet erreichbar. Dieses Sicherheitsrisiko sollten Admins eindämmen. --------------------------------------------- https://heise.de/-4501757 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ghostscript, pango, and squirrelmail), openSUSE (libcryptopp, squid, tcpdump, and wireshark), SUSE (flatpak), and Ubuntu (giflib and NLTK). --------------------------------------------- https://lwn.net/Articles/796834/ ∗∗∗ Zebra Industrial Printers ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-232-01 ∗∗∗ ZDI-19-764: (0Day) WECON LeviStudioU ShortMessage_Module SMtext Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-764/ ∗∗∗ IBM Security Bulletin: A vulnerability in Open Source Libvirt affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-op… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Open Source Libreswan affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Netezza Host Management is affected by the vulnerabilities known as Intel Microarchitectural Data Sampling (MDS) and other Kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-netezza-host-mana… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Spring Framework affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-enterprise-content-ma… ∗∗∗ IBM Security Bulletin: A vulnerability in Open Source Bind affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-op… ∗∗∗ IBM Security Bulletin: Privilege escalation in IBM DB2 HPU debug binary via trusted PATH ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-privilege-escalation-… ∗∗∗ Unauthenticated sensitive information leakage in ZOHO ServiceDesk Software ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/unauthenticated-sensitive-inform… ∗∗∗ FreeBSD Project FreeBSD OS: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0743 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2019
by Daily end-of-shift report 20 Aug '19

20 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 19-08-2019 18:00 − Dienstag 20-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kernel: Defekte Dateisysteme bringen Linux zum Stolpern ∗∗∗ --------------------------------------------- In einer Diskussion um die Aufnahme eines neuen Dateisystems in den Linux-Kernel wird klar, dass viele Dateisystemtreiber mit defekten Daten nicht klarkommen. Das kann nicht nur zu Abstürzen führen, sondern auch zu Sicherheitslücken. ... Das Mounten von fremden Dateisystemen ist aber unter den gegebenen Umständen riskant. Wie die Diskussion zeigt, kann man sich nicht darauf verlassen, dass Linux-Dateisystemtreiber mit bösartigen Eingabedaten klarkommen. --------------------------------------------- https://www.golem.de/news/kernel-defekte-dateisysteme-bringen-linux-zum-sto… ∗∗∗ Guildma malware is now accessing Facebook and YouTube to keep up-to-date, (Tue, Aug 20th) ∗∗∗ --------------------------------------------- A new variant of the information stealer Guildma (aka Astaroth) we analyzed last week is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals. --------------------------------------------- https://isc.sans.edu/diary/rss/25222 ∗∗∗ GitHub Token Scanning—one billion tokens identified and five new partners ∗∗∗ --------------------------------------------- If you’ve ever accidentally shared a token or credentials in a GitHub repository, or read about someone who has, you know how damaging it could be if a malicious user finds and exploits it. About a year ago, we introduced token scanning to help scan pushed commits and prevent fraudulent use of any credentials that are shared accidentally. --------------------------------------------- https://github.blog/2019-08-19-github-token-scanning-one-billion-tokens-ide… ∗∗∗ GAME OVER: Detecting and Stopping an APT41 Operation ∗∗∗ --------------------------------------------- In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and… ∗∗∗ Falsche Versionsangaben: Mehrere Security Bulletins zu Apache Struts korrigiert ∗∗∗ --------------------------------------------- Struts-2-Anwender, die sich beim Updaten an offizielle Advisories halten, sollten erneut draufschauen – oder gleich zu Versionen ab 2.3.35 / 2.5.17 wechseln. --------------------------------------------- https://heise.de/-4500834 ∗∗∗ Erpressung mit Pädophilie per E-Mail ignorieren ∗∗∗ --------------------------------------------- Angeblich wurde Ihr Computer gehackt und Sie wurden beim Masturbieren gefilmt. Damit das Video nicht veröffentlicht wird, muss ein Schweigegeld bezahlt werden. Es besteht jedoch kein Grund zur Sorge, es handelt sich um eine Betrugsmasche. Weder wurde Ihre Webcam gehackt, noch wurden intime Videos über Sie angefertigt! Verschieben Sie dieses Mail in den Spam-Ordner. --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-mit-paedophilie-per-e-mai… ===================== = Vulnerabilities = ===================== ∗∗∗ Severe Flaws in Kubernetes Expose All Servers to DoS Attacks ∗∗∗ --------------------------------------------- Two high severity security flaws impacting the Kubernetes open-source system for handling containerized apps can allow an unauthorized attacker to trigger a denial of services state remotely, without user interaction. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-e… ∗∗∗ Remote Code Execution: Doppelte Hintertür in Webmin ∗∗∗ --------------------------------------------- In der Systemkonfigurationssoftware Webmin waren offenbar für über ein Jahr Hintertüren, mit denen sich übers Netz Code ausführen lässt. Den Angreifern gelang es dabei offenbar, die Release-Dateien des Projekts zu manipulieren. --------------------------------------------- https://www.golem.de/news/remote-code-execution-doppelte-hintertuer-in-webm… ∗∗∗ iOS 12.4 jailbreak released after Apple ‘accidentally un-patches’ an old flaw ∗∗∗ --------------------------------------------- A fully functional jailbreak has been released for the latest iOS 12.4 on the Internet, making it the first public jailbreak in a long time—thanks to Apple. Dubbed "unc0ver 3.5.0," the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4. --------------------------------------------- https://thehackernews.com/2019/08/ios-iphone-jailbreak.html ∗∗∗ SphinxSearch 0.0.0.0:9306 (CVE-2019-14511) ∗∗∗ --------------------------------------------- TL;DR: SphinxSearch comes with a insecure default configuration that opens a listener on port 9306. No auth required. Connections using a mysql client are possible. --------------------------------------------- https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-1… ∗∗∗ Security Bulletin VLC 3.0.8 ∗∗∗ --------------------------------------------- If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user. While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed. We have not seen exploits performing code execution through these vulnerabilities --------------------------------------------- https://www.videolan.org/security/sb-vlc308.html ∗∗∗ Ruby rest-client 1.6.13 ∗∗∗ --------------------------------------------- It seems that rest-client 1.6.13 is uploaded to rubygems.org. I did review between 1.6.9 and 1.6.13 and it seems that latest version evaluate remote code from pastebin.com and sends information to mironanoru.zzz.com.ua --------------------------------------------- https://github.com/rest-client/rest-client/issues/713 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Aspose APIs ∗∗∗ --------------------------------------------- Cory Duplantis and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. --------------------------------------------- https://blog.talosintelligence.com/2019/08/aspose-APIs-RCE-vulns-aug-2019.h… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flask), openSUSE (clementine, dkgpg, libTMCG, openexr, and zstd), Oracle (kernel, mysql:8.0, redis:5, and subversion:1.10), SUSE (nodejs6, python-Django, and rubygem-rails-html-sanitizer), and Ubuntu (cups, docker, docker-credential-helpers, kconfig, kde4libs, libreoffice, nova, and openldap). --------------------------------------------- https://lwn.net/Articles/796759/ ∗∗∗ IBM Security Bulletin: IBM MQ is vulnerable to a denial of service attack within the error logging function (CVE-2019-4049) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-is-vulnerable-… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Websphere Application Server affects IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM License Metric Tool v9 (CVE-2019-4046). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM License Key Server Administration & Reporting Tool and Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance affected by an OpenSSH vulnerability (CVE-2019-6110) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-affe… ∗∗∗ IBM Security Bulletin: Information disclosure for IBM Infosphere Global Name Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Information disclosure for IBM Infosphere Identity Insight ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Error Message Vulnerabilities Affect IBM Emptoris Sourcing, IBM Emptoris Contract Management and IBM Emptoris Spend Analysis. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-error-message-vulnera… ∗∗∗ IBM Security Bulletin: Cross-site Scripting Affects IBM Emptoris Spend Analysis (CVE-2019-4482) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… ∗∗∗ IBM Security Bulletin: SQL Injection Affects IBM Emptoris Spend Analysis and IBM Emptoris Contract Management (CVE-2019-4481, CVE-2019-4483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-sql-injection-affects… ∗∗∗ IBM Security Bulletin: Multiple IBM MQ Security Vulnerabilities Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-ibm-mq-secur… ∗∗∗ IBM Security Bulletin: API Connect V2018 (ova) is impacted by vulnerabilities in Ubuntu OS (CVE-2019-4504) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-ova… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by a Kubernetes vulnerability(CVE-2019-11246) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal is impacted by a path traversal vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: IBM i is affected by networking BIND vulnerability CVE-2019-6471. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by a information disclosure vulnerability (CVE-2019-4437) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by Linux Kernel security vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-… ∗∗∗ IBM Security Bulletin: XML External Entity Injection vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4424) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-xml-external-entity-i… ∗∗∗ IBM Security Bulletin: Reverse tabnabbing vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-reverse-tabnabbing-vu… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Docker (CVE-2018-15664) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-privileg… ∗∗∗ IBM Security Bulletin: Vulnerability in NTP affects AIX (CVE-2019-8936) Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ntp-… ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2018 – Includes Oracle Jul 2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo… ∗∗∗ HTTP/2 Empty Frames Flood vulnerability CVE-2019-9518 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46011592 ∗∗∗ HTTP/2 Settings Flood vulnerability CVE-2019-9515 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50233772 ∗∗∗ HTTP/2 Ping Flood vulnerability CVE-2019-9512 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98053339 ∗∗∗ HTTP/2 Reset Flood vulnerability CVE-2019-9514 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01988340 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2019
by Daily end-of-shift report 19 Aug '19

19 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-08-2019 18:00 − Montag 19-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Router Network Isolation Broken By Covert Data Exfiltration ∗∗∗ --------------------------------------------- Software-based network isolation provided by routers is not as efficient as believed, as hackers can smuggle data between the networks for exfiltration. --------------------------------------------- https://www.bleepingcomputer.com/news/security/router-network-isolation-bro… ∗∗∗ IT threat evolution Q2 2019 ∗∗∗ --------------------------------------------- Targeted attacks, malware campaigns and other security news in Q2 2019. --------------------------------------------- https://securelist.com/it-threat-evolution-q2-2019/91994/ ∗∗∗ The DAA File Format, (Fri, Aug 16th) ∗∗∗ --------------------------------------------- In diary entry "Malicious .DAA Attachments", we extracted a malicious executable from a Direct Access Archive file. --------------------------------------------- https://isc.sans.edu/diary/rss/25246 ∗∗∗ What Hackers Do after Gaining Access to a Website ∗∗∗ --------------------------------------------- A hack or cyber attack is the act of maliciously entering, taking control over, or manipulating by force a web application, server, or file that belongs to someone else. --------------------------------------------- https://blog.sucuri.net/2019/08/what-hackers-do-after-gaining-access-to-a-w… ∗∗∗ Sicherheitspanne: Kernel-Schwachstelle zurück in iOS 12.4, Jailbreak verfügbar ∗∗∗ --------------------------------------------- Zum ersten Mal seit Langem lassen sich Apples Sicherheitsfunktionen in der aktuellen iOS-Version durch einen öffentlich verfügbaren Jailbreak aushebeln. --------------------------------------------- https://heise.de/-4500038 ∗∗∗ QxSearch hijacker fakes failed installs ∗∗∗ --------------------------------------------- QxSearch is a group of search hijackers that try to make the user think the install failed or was incomplete. Is it that they dont want to be found and removed? Or just bad programming? --------------------------------------------- https://blog.malwarebytes.com/pups/2019/08/qxsearch-hijacker-fakes-failed-i… ∗∗∗ Gefälschte "Ihr Jahresabonnemеnt Whatsapp"-Mail im Umlauf ∗∗∗ --------------------------------------------- Konsument/innen erhalten eine angebliche WhatsApp-E-Mail. Darin heißt es, dass sie ihr Abonnement verlängern müssen. Über einen Link in der Nachricht gelangen Nutzer/innen auf eine gefälschte WhatsApp-Website. Darauf sollen sie ihr Jahresabonnement unter Bekanntgabe ihrer Zahlungsdaten verlängern. Kommen Konsument/innen der Aufforderung nach, werden sie Opfer eines Datendiebstahls und verlieren ihr Geld an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-ihr-jahresabonnement-wha… ∗∗∗ Offensive Lateral Movement ∗∗∗ --------------------------------------------- Lateral movement is the process of moving from one compromised host to another. Penetration testers and red teamers alike commonly used to accomplish this by executing powershell.exe to run a base64 encoded command on the remote host, which would return a beacon. The problem with this is that offensive PowerShell is not a new concept anymore and even moderately mature shops will detect on it and shut it down quickly, or any half decent AV product will kill it before a malicious command is ran. --------------------------------------------- https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Daten zu manipulieren oder Sicherheitsmechanismen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K19-0726 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel and openssl), Debian (ffmpeg, golang-1.11, imagemagick, kde4libs, openldap, and python3.4), Fedora (gradle, hostapd, kdelibs3, and mgetty), Gentoo (adobe-flash, hostapd, mariadb, patch, thunderbird, and vlc), Mageia (elfutils, mariadb, mythtv, postgresql, and redis), openSUSE (chromium, kernel, LibreOffice, and zypper, libzypp and libsolv), Oracle (ghostscript), Red Hat (rh-php71-php), SUSE (bzip2, evince, firefox, glib2, glibc, [...] --------------------------------------------- https://lwn.net/Articles/796640/ ∗∗∗ Cisco Firepower Threat Defense Software HTTP Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the HTTP traffic filtering component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper handling of HTTP requests, including those communicated over a secure HTTPS connection, that contain maliciously crafted headers. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software Stream Reassembly Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the stream reassembly component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper reassembly of traffic streams. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software NULL Character Obfuscation Detection Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the normalization functionality of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to insufficient normalization of a text-based payload. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software Nonstandard Protocol Detection Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the protocol detection component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper detection of the initial use of a protocol on a nonstandard port. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Four Remote Code Execution Vulnerabilities in Some Microsoft Windows Systems ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190819-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily August 2019