=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-08-2019 18:00 − Friday 16-08-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft Warns of Phishing Attacks Using Custom 404 Pages ∗∗∗
---------------------------------------------
Microsoft security researchers discovered an unusual phishing campaign which employs custom 404 error pages to trick potential victims into handing out their Microsoft credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-…
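One check a defender can run against a suspicious domain, given as an added example that is not code from the Microsoft research or the BleepingComputer article: request a few paths that cannot exist on a real site and see whether the "not found" handler answers every one of them with a credential form. An ordinary 404 page carries no password field; a lure installed as the custom 404 handler does. The two HTTP responses below are constructed for this example, and the `fetch` callable is an assumed stand-in for whatever HTTP client is used in practice.

```python
"""Spot a phishing lure that a site serves as its custom 404 page.

Added example. The two responses are constructed; `fetch` is an assumed
callable (path -> (status, body)) standing in for a real HTTP client.
"""
import secrets
from html.parser import HTMLParser
from typing import Callable, Iterable, Tuple

# Constructed samples: (HTTP status, response body)
BENIGN_404 = (404, "<html><body><h1>404 Not Found</h1>"
                   "<p>The page you requested does not exist.</p></body></html>")
PHISH_404 = (404, """<html><body>
<form action="/login.php" method="post">
  <input type="email" name="loginfmt">
  <input type="PASSWORD" name="passwd">
  <button type="submit">Sign in</button>
</form></body></html>""")


class _CredentialFormScanner(HTMLParser):
    """Counts <form> elements that contain an <input type=password>."""

    def __init__(self) -> None:
        super().__init__()
        self._in_form = False
        self._has_password = False
        self.credential_forms = 0

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # attribute values may be None
        if tag == "form":
            self._in_form, self._has_password = True, False
        elif tag == "input" and self._in_form and attrs.get("type", "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            if self._has_password:
                self.credential_forms += 1
            self._in_form = False


def has_credential_form(html: str) -> bool:
    """True when the body contains at least one form with a password field."""
    scanner = _CredentialFormScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.credential_forms > 0


def looks_like_phishing_404(status: int, body: str) -> bool:
    """The pattern from the report: an error page that asks for a password."""
    return status == 404 and has_credential_form(body)


def random_paths(n: int = 3) -> list:
    """Paths that cannot exist on a legitimate site."""
    return ["/" + secrets.token_hex(8) for _ in range(n)]


def probe_site(fetch: Callable[[str], Tuple[int, str]], paths: Iterable[str]) -> str:
    """Verdict is 'phishing-404' only when every impossible path comes back
    as a 404 that carries a credential form; anything else is 'ordinary'."""
    results = [looks_like_phishing_404(*fetch(path)) for path in paths]
    return "phishing-404" if results and all(results) else "ordinary"


if __name__ == "__main__":
    # Stand-in fetchers: a site whose 404 handler is a lure, and a normal one.
    print(probe_site(lambda p: PHISH_404, random_paths()))   # phishing-404
    print(probe_site(lambda p: BENIGN_404, random_paths()))  # ordinary
```

Two caveats when using this for real: some kits return status 200 for the lure, so it is worth running the form check on the body regardless of status, and the bodies of the random paths should be compared with each other, since a catch-all handler returns the same page for every one of them.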
∗∗∗ Energy Sector Phish Swims Past Microsoft Email Security via Google Drive ∗∗∗
---------------------------------------------
The savvy technique of avoiding malicious links in the email allowed the phishing attack to reach its targets.
---------------------------------------------
https://threatpost.com/energy-phish-microsoft-security-google-drive/147397/
∗∗∗ Analysis of a Spearphishing Maldoc, (Thu, Aug 15th) ∗∗∗
---------------------------------------------
A spearphishing attack with a VBA maldoc on US utility companies was mentioned in SANS NewsBites Vol. 21, Num. 61. I always like to take a look at malicious documents mentioned in the news. Luckily for me, Proofpoint's analysis includes the hashes of the maldocs, and one maldoc can be found on VirusTotal.
---------------------------------------------
https://isc.sans.edu/diary/rss/25242
∗∗∗ VoIP security holes: many office phone systems fundamentally insecure ∗∗∗
---------------------------------------------
33 devices from 25 manufacturers can be hijacked. Attackers can eavesdrop, attack other systems or weaken the organisation through a total outage.
---------------------------------------------
https://heise.de/-4499202
∗∗∗ MITRE ATT&CK July 2019 Update ∗∗∗
---------------------------------------------
On the last day of July, MITRE released its most recent update to the ATT&CK framework. The ATT&CK framework is a curated knowledge base of the tactics, techniques and software that adversary groups have used when compromising enterprise systems. The July 2019 update is relatively minor compared to the April 2019 update, which saw a new tactic [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/mitre-a…
∗∗∗ Many Apache Struts Security Advisories Updated Following Review ∗∗∗
---------------------------------------------
Two dozen security advisories for the Apache Struts open source development framework have been updated after researchers determined that they contained incorrect information regarding which versions of the software were impacted by a vulnerability.
---------------------------------------------
https://www.securityweek.com/many-apache-struts-security-advisories-updated…
=====================
= Vulnerabilities =
=====================
∗∗∗ Lenovo Warns of ThinkPad Bugs, One Unpatched ∗∗∗
---------------------------------------------
The notebook maker is warning users of three separate vulnerabilities.
---------------------------------------------
https://threatpost.com/lenovo-warns-bugs-thinkpads/147338/
∗∗∗ Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again ∗∗∗
---------------------------------------------
If you are using LibreOffice, you need to update it once again. LibreOffice has released the latest version 6.2.6/6.3.0 of its open-source office software to address three new vulnerabilities that could allow attackers to bypass patches for two previously addressed vulnerabilities.
---------------------------------------------
https://thehackernews.com/2019/08/libreoffice-patch-update.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by openSUSE (irssi, ledger, libheimdal, libmediainfo, libqb, and libsass) and Slackware (mozilla).
---------------------------------------------
https://lwn.net/Articles/796311/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (freetype, libreoffice, and openjdk-7), Fedora (edk2, mariadb, mariadb-connector-c, mariadb-connector-odbc, python-django, and squirrelmail), Gentoo (chromium, cups, firefox, glibc, kconfig, libarchive, libreoffice, oracle-jdk-bin, polkit, proftpd, sqlite, wget, zeromq, and znc), openSUSE (bzip2, chromium, dosbox, evince, gpg2, icedtea-web, java-11-openjdk, java-1_8_0-openjdk, kconfig, kdelibs4, mariadb, mariadb-connector-c, nodejs8, pdns, polkit, [...]
---------------------------------------------
https://lwn.net/Articles/796455/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-08-2019 18:00 − Wednesday 14-08-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic ∗∗∗
---------------------------------------------
A new Bluetooth vulnerability named "KNOB" has been disclosed that allows attackers to force a low-entropy encryption key during key negotiation and then brute-force it, so that they can monitor or manipulate the data transferred between two paired devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-bluetooth-knob-flaw-lets…
∗∗∗ Dejablue: new security holes in Windows Remote Desktop ∗∗∗
---------------------------------------------
Microsoft warns of two remote code execution bugs in Remote Desktop Services. They allow Windows machines to be hijacked over the network if remote administration is enabled. All current Windows versions are affected.
---------------------------------------------
https://www.golem.de/news/dejablue-erneut-sicherheitsluecken-im-windows-rem…
∗∗∗ Project Zero: Windows text input system offers many attack possibilities ∗∗∗
---------------------------------------------
A system service for text input methods that has existed since Windows XP was apparently developed with little regard for security. Tavis Ormandy of Google used it to gain SYSTEM privileges as an ordinary user. Microsoft has released an update, but it apparently does not fix all of the problems.
---------------------------------------------
https://www.golem.de/news/project-zero-windows-texteingabesystem-bietet-vie…
∗∗∗ Debugging for Malware Analysis ∗∗∗
---------------------------------------------
This article provides an overview of debugging and how to use some of the most commonly used debuggers. We will begin by discussing OllyDbg; using it, we will explore topics such as setting up breakpoints, stepping through the instructions and modifying the flow of execution. We will then discuss WinDbg, which can be used [...]
---------------------------------------------
https://resources.infosecinstitute.com/debugging-for-malware-analysis/
∗∗∗ Beware of fake payment instructions! ∗∗∗
---------------------------------------------
Numerous companies are contacting us about fabricated transfer requests sent in the name of the management or other executives. The emails come from criminals who imitate the mail addresses by spoofing, hoping to get unsuspecting employees to transfer money to third-party accounts.
---------------------------------------------
https://www.watchlist-internet.at/news/nehmen-sie-sich-vor-gefaelschten-zah…
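As an added example, not code from the Watchlist Internet notice, the following header checks catch the most common shapes of such spoofed executive mails: an executive's display name on an address that is not theirs, a From address in the company's own domain combined with a Reply-To that points outside it, and an envelope sender that does not align with the From domain. ORG_DOMAIN and EXECUTIVES are assumed inputs describing the defender's own environment, and the two messages are constructed for the example.

```python
"""Header checks for executive-impersonation ("CEO fraud") mail.

Added example. ORG_DOMAIN and EXECUTIVES are assumed inputs for the
defender's own environment; both messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> real address

SUSPICIOUS = """\
Return-Path: <bounce@relay-91.example.net>
From: "Jane Doe" <jane.doe@example.com>
Reply-To: "Jane Doe" <jane.doe.ceo@webmail.example.org>
To: accounting@example.com
Subject: Urgent wire transfer

Please transfer EUR 48,000 to the account below today. I am in a meeting, do not call.
"""

CLEAN = """\
Return-Path: <jane.doe@example.com>
From: "Jane Doe" <jane.doe@example.com>
To: accounting@example.com
Subject: Q3 budget review

Slides attached for Thursday.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message: str) -> list:
    """Return the indicators that fire for one RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    from_domain = _domain(from_addr)
    findings = []

    # An executive's display name on an address that is not theirs
    # (lookalike domains, free-mail accounts).
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append("display-name-mismatch")

    # Header From shows our domain, but replies are steered outside it: the
    # attacker does not control the spoofed mailbox and needs the answer.
    if reply_addr and from_domain == ORG_DOMAIN and _domain(reply_addr) != ORG_DOMAIN:
        findings.append("reply-to-external")

    # Envelope sender (Return-Path) does not align with the From domain;
    # mail that really left our own servers would normally align.
    if return_addr and from_domain == ORG_DOMAIN and _domain(return_addr) != ORG_DOMAIN:
        findings.append("envelope-mismatch")

    return findings


if __name__ == "__main__":
    print(spoofing_indicators(SUSPICIOUS))  # ['reply-to-external', 'envelope-mismatch']
    print(spoofing_indicators(CLEAN))       # []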
∗∗∗ This new cryptojacking malware uses a sneaky trick to remain hidden ∗∗∗
---------------------------------------------
Norman cryptomining malware was found to have infected almost every system in one organisation during an investigation by security researchers.
---------------------------------------------
https://www.zdnet.com/article/this-new-cryptojacking-malware-uses-a-sneaky-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Intel Releases Security Updates ∗∗∗
---------------------------------------------
Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to escalate privileges on a previously compromised machine. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates: RAID Web Console 2 Advisory INTEL-SA-00246, NUC Advisory INTEL-SA-00272 [...]
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/08/13/intel-releases-sec…
∗∗∗ Trend Micro Password Manager - Privilege Escalation to SYSTEM ∗∗∗
---------------------------------------------
SafeBreach Labs discovered a new vulnerability in Trend Micro Password Manager software. In this post, we will demonstrate how this vulnerability could have been used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM.
---------------------------------------------
https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalati…
∗∗∗ DoS attacks: many web servers with HTTP/2 vulnerable ∗∗∗
---------------------------------------------
According to researchers, a large proportion of HTTP/2-capable web servers can be driven into resource exhaustion, and thus denial of service, with specially crafted HTTP/2 traffic. Patches are available.
---------------------------------------------
https://heise.de/-4496647
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, linux-4.9, otrs2, and tomcat8), Fedora (igraph and jhead), openSUSE (ansible, GraphicsMagick, kconfig, kdelibs4, live555, mumble, phpMyAdmin, proftpd, python-Django, and znc), Oracle (kernel and openssl), Red Hat (kernel, openssl, and rh-mysql80-mysql), Scientific Linux (kernel and openssl), Slackware (kernel), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork and mariadb-100), and Ubuntu (linux, linux-aws, linux-kvm, [...]
---------------------------------------------
https://lwn.net/Articles/796193/
∗∗∗ SAP Patches Highest Number of Critical Flaws Since 2014 ∗∗∗
---------------------------------------------
SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014.
---------------------------------------------
https://www.securityweek.com/sap-patches-highest-number-critical-flaws-2014
∗∗∗ Mitsubishi Electric smartRTU and INEA ME-RTU ∗∗∗
---------------------------------------------
CISA is aware of a public report containing proof-of-concept (PoC) exploit code for vulnerabilities affecting Mitsubishi Electric smartRTU devices. According to this report, multiple vulnerabilities could result in remote code execution with root privileges. CISA is issuing this alert to provide early notice of the report.
---------------------------------------------
https://www.us-cert.gov/ics/alerts/ics-alert-19-255-01
∗∗∗ Delta Industrial Automation DOPSoft ∗∗∗
---------------------------------------------
This advisory includes mitigations for out-of-bounds read and use after free vulnerabilities reported in Delta Electronics’ Delta Industrial Automation DOPSoft HMI editing software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-225-01
∗∗∗ OSIsoft PI Web API ∗∗∗
---------------------------------------------
This advisory includes mitigations for inclusion of sensitive information in log files and protection mechanism failure vulnerabilities reported in OSIsoft LLC’s OSIsoft PI Web API.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-225-02
∗∗∗ Key Negotiation of Bluetooth Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Two Denial of Service Vulnerabilities on Some Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190814-…
∗∗∗ August 13, 2019 TNS-2019-05 [R1] Nessus 8.6.0 Fixes One Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2019-05
∗∗∗ Synology-SA-19:33 HTTP/2 DoS Attacks ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_33
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-08-2019 18:00 − Tuesday 13-08-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Steam Security Vulnerability Fixed, Researchers Don't Agree ∗∗∗
---------------------------------------------
Valve has pushed out a fix for a zero-day Steam Client local privilege escalation (LPE) vulnerability, but researchers say there are still other LPE vulnerabilities that are being ignored.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/steam-security-vulnerability…
∗∗∗ Troldesh Ransomware Dropper ∗∗∗
---------------------------------------------
Over the past few weeks, we’ve seen an increase in Troldesh ransomware using compromised websites as intermediary malware distributors. The malware often uses a PHP file that acts as a delivery tool for downloading the host malware dropper: hxxp://doolaekhun[.]com/cgi-bin/[redacted].php
---------------------------------------------
https://blog.sucuri.net/2019/08/troldesh-ransomware-dropper.html
∗∗∗ Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices ∗∗∗
---------------------------------------------
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself "Asher" [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/jgzb2S8LB8M/
∗∗∗ MANRS Observatory: Monitoring the State of Internet Routing Security ∗∗∗
---------------------------------------------
Routing security is vital to the future and stability of the Internet, but it’s under constant threat. Which is why we’ve launched a free online tool so that network operators can see how they’re doing, and what they can improve, while anyone can see the health of the Internet at a glance.
---------------------------------------------
https://www.internetsociety.org/blog/2019/08/manrs-observatory-monitoring-t…
∗∗∗ The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End? ∗∗∗
---------------------------------------------
In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to "Evil Twins", where they can be created and remain in the system as different entities once case sensitivity is enabled, and some issues that could be raised by [...]
---------------------------------------------
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/the-twin-journe…
∗∗∗ CEO Cyber Quiz: What’s Your IT Security IQ? ∗∗∗
---------------------------------------------
Every business leader understands that, when it comes to cybersecurity, the stakes are extraordinarily high. CEOs tend to take notice when they read headlines about yet another big-name company being victimized by a massive data breach or about industry forecasts suggesting that the annual cost of crime losses and damage will hit $6 trillion by [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-awareness/ceo-cyber-sec…
∗∗∗ Datingfalle.at: free help with online dating traps! ∗∗∗
---------------------------------------------
At www.datingfalle.at the Internet Ombudsmann offers free help with legal problems involving online dating platforms, erotic portals and singles sites. Besides information and tips, an out-of-court dispute resolution service is available. Help is offered with subscription traps, automatic contract renewals, cancellation difficulties or debt collection letters.
---------------------------------------------
https://www.watchlist-internet.at/news/datingfalleat-kostenlose-hilfe-bei-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe After Effects CC (APSB19-31), Adobe Character Animator CC (APSB19-32), Adobe Premiere Pro CC (APSB19-33), Adobe Prelude CC (APSB19-35), Adobe Creative Cloud Desktop Application (APSB19-39), Adobe Acrobat and Reader (APSB19-41), Adobe Experience Manager (APSB19-42) and Adobe Photoshop CC (APSB19-44). Adobe recommends users update their product installations to the latest versions using the instructions referenced [...]
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1773
∗∗∗ [20190801] - Core - Hardening com_contact contact form ∗∗∗
---------------------------------------------
Project: Joomla!
SubProject: CMS
Impact: Moderate
Severity: Low
Versions: 1.6.2 - 3.9.10
Exploit type: Incorrect Access Control
Reported Date: 2019-April-09
Fixed Date: 2019-August-13
CVE Number: CVE-2019-XXXXX
Description: Inadequate checks in com_contact could allow mail submission through disabled forms.
Affected Installs: Joomla! CMS versions 1.6.2 - 3.9.10
Solution: Upgrade to version 3.9.11
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/H1jmq28mUAw/789-20190801-c…
∗∗∗ # SSA-671286: Multiple Vulnerabilities in SCALANCE Products ∗∗∗
---------------------------------------------
The latest update for SCALANCE SC-600 fixes multiple vulnerabilities. The most severe could allow authenticated local users with physical access to the device to execute arbitrary commands on the device under certain conditions.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-671286.txt
∗∗∗ # SSA-530931: Denial-of-Service in Webserver of Industrial Products ∗∗∗
---------------------------------------------
A vulnerability in the affected products could allow an unauthorized attacker with network access to the webserver of an affected device to perform a denial-of-service attack.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-530931.txt
∗∗∗ # SSA-232418: Vulnerabilities in SIMATIC S7-1200 and SIMATIC S7-1500 CPU families ∗∗∗
---------------------------------------------
Two vulnerabilities have been identified in the SIMATIC S7-1200 and the SIMATIC S7-1500 CPU families. One vulnerability could allow an attacker with network access to affected devices to modify the user program stored on these devices such that the source code differs from the actual running code. The other vulnerability could allow an attacker in a Man-in-the-Middle position to modify network traffic exchanged on port 102/tcp.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-232418.txt
∗∗∗ # SSA-100232: Denial-of-Service vulnerability in SCALANCE X switches ∗∗∗
---------------------------------------------
A vulnerability in the affected devices could allow an unauthenticated attacker with network access to an affected device to perform a denial-of-service.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-100232.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, postgresql, and postgresql-libs), Debian (atril, chromium, evince, ghostscript, jackson-databind, kernel, and php5), Fedora (kf5-kconfig, mingw-sqlite, pam-u2f, and poppler), Mageia (kernel), openSUSE (aubio, chromium, kconfig, kdelibs4, nodejs10, osc, and zstd), Red Hat (ghostscript), and Ubuntu (ghostscript and MariaDB).
---------------------------------------------
https://lwn.net/Articles/796075/
∗∗∗ [remote] Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47230
∗∗∗ [remote] ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47229
∗∗∗ [remote] ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47228
∗∗∗ [remote] ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47227
∗∗∗ Linux kernel vulnerability CVE-2016-7097 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31603170
∗∗∗ SAP Patch Day August: multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0714
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-08-2019 18:00 − Monday 12-08-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Beware of Fake Microsoft Account Unusual Sign-in Activity Emails ∗∗∗
---------------------------------------------
In this article we take a look at a phishing campaign that pretends to be an "Unusual sign-in activity" alert from Microsoft and could easily trick someone into clicking on the enclosed link.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/beware-of-fake-microsoft-acc…
∗∗∗ Malware Analysis and Reverse Engineering ∗∗∗
---------------------------------------------
Introduction This article provides a high-level overview of malware analysis and reverse engineering. If you are planning to get started with malware analysis and reverse engineering, this article can be a good starting point, as it covers a high-level overview of what you need to know before you download that debugger and get your hands [...]
---------------------------------------------
https://resources.infosecinstitute.com/malware-analysis-and-reverse-enginee…
∗∗∗ DEF CON 2019: Delta ICS Flaw Allows Total Industrial Takeover ∗∗∗
---------------------------------------------
The bug exists in a controller that oversees HVAC, lighting, sensor and alarm systems, to name a few.
---------------------------------------------
https://threatpost.com/def-con-2019-delta-ics-flaw-allows-total-industrial-…
∗∗∗ Inside the Hidden World of Elevator Phone Phreaking ∗∗∗
---------------------------------------------
Eavesdropping, reprogramming, talking to strangers: Welcome to the harmless and not-so-harmless fun of hacking elevator call boxes.
---------------------------------------------
https://www.wired.com/story/elevator-phone-phreaking-defcon
∗∗∗ Amazon Web Services: thousands of virtual disks freely accessible on the net ∗∗∗
---------------------------------------------
A researcher found thousands of openly accessible Elastic Block Store volumes containing confidential data on the internet, where anyone can search through them at will.
---------------------------------------------
https://heise.de/-4493402
∗∗∗ Windows drivers from Intel, AMD, Nvidia and many mainboard manufacturers insecure ∗∗∗
---------------------------------------------
Through more than 40 widely used hardware drivers, attackers can gain kernel privileges on a system.
---------------------------------------------
https://heise.de/-4494929
∗∗∗ Cruise Releases Automated Firmware Security Analyzer to Open Source ∗∗∗
---------------------------------------------
The growth of IoT devices has highlighted the difficulties in ensuring firmware security -- especially where the device and software are initially sourced from third parties, or developed under time pressures in-house. Now a new firmware analyzer has been released to open source on GitHub.
---------------------------------------------
https://www.securityweek.com/gm-cruise-releases-automated-firmware-security…
∗∗∗ Hotel businesses: beware of criminal booking and cancellation attempts! ∗∗∗
---------------------------------------------
Supposed prospective guests deliberately contact hotels, guesthouses, apartments and other accommodation providers to make a booking. Shortly after an (invalid) payment by credit card, terrible news follows: because of tragic events affecting the planned guests, the booking must be cancelled and the money refunded. Hotel businesses must not comply with these requests!
---------------------------------------------
https://www.watchlist-internet.at/news/hotellerie-betriebe-vorsicht-vor-kri…
∗∗∗ Hunting the Public Cloud for Exposed Hosts and Misconfigurations ∗∗∗
---------------------------------------------
This research explores the security landscape of the Internet-facing services hosted in Amazon AWS, Microsoft Azure and Google Cloud Platform.
---------------------------------------------
https://unit42.paloaltonetworks.com/hunting-the-public-cloud-for-exposed-ho…
∗∗∗ Clever attack uses SQLite databases to hack other apps, malware servers ∗∗∗
---------------------------------------------
A tainted SQLite database can run malicious code inside other apps, such as web apps or Apple's iMessage.
---------------------------------------------
https://www.zdnet.com/article/clever-attack-uses-sqlite-databases-to-hack-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fusiondirectory, gosa, kconfig, kernel, pango1.0, and python-django), Fedora (aubio, icedtea-web, java-1.8.0-openjdk, kernel, kernel-headers, kernel-tools, libslirp, openqa, os-autoinst, and upx), Gentoo (JasPer, libvncserver, and redis), Mageia (cyrus-imapd and php), Oracle (kernel), Red Hat (chromium-browser, cockpit-ovirt, Red Hat Virtualization, and rhvm-appliance), SUSE (ImageMagick, libvirt, python, and wireshark), and Ubuntu (poppler).
---------------------------------------------
https://lwn.net/Articles/795963/
∗∗∗ PPOM for WooCommerce <= 18.3 - Authenticated Stored XSS ∗∗∗
---------------------------------------------
https://wpvulndb.com/vulnerabilities/9502
∗∗∗ ZDI-19-701: (0Day) EZAutomation EZPLC EZC File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-701/
∗∗∗ ZDI-19-700: (0Day) EZAutomation EZTouch Editor EZP File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-700/
∗∗∗ iControl REST and tmsh vulnerability CVE-2019-6621 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K20541896
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-08-2019 18:00 − Friday 09-08-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackerone: security hole in Steam remains unfixed for now ∗∗∗
---------------------------------------------
On Windows systems with the Steam game launcher installed, ordinary users can run programs with SYSTEM privileges. The discoverer reported the hole via the HackerOne platform, where the bug was declared invalid and publication was to be prevented.
---------------------------------------------
https://www.golem.de/news/hackerone-sicherheitsluecke-in-steam-bleibt-vorer…
∗∗∗ Protect against BlueKeep ∗∗∗
---------------------------------------------
DART offers steps you can take to protect your network from BlueKeep, the “wormable” vulnerability that can create a large-scale outbreak due to its ability to replicate and propagate.
---------------------------------------------
https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/
∗∗∗ Hidden Algorithm Flaws Expose Websites to DoS Attacks ∗∗∗
---------------------------------------------
Why throw a bunch of junk traffic at a service, when all it takes to stall it out is just a few bytes?
---------------------------------------------
https://www.wired.com/story/algorithm-dos-attack
∗∗∗ How Safecrackers Can Unlock an ATM in Minutes—Without Leaving a Trace ∗∗∗
---------------------------------------------
At Defcon this week, security researcher Mike Davis will show how he can pick the lock of an ATM safe in no time, thanks to its electric leaks.
---------------------------------------------
https://www.wired.com/story/atm-lock-hack-electric-leaks
∗∗∗ Saefko: A new multi-layered RAT ∗∗∗
---------------------------------------------
Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, and data stealing and spreading module.
---------------------------------------------
https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat
∗∗∗ Are Your Out-of-Office Replies Revealing Too Much? ∗∗∗
---------------------------------------------
Whether you’re traveling for business or pleasure, it’s common practice to create an automatic out-of-office reply for incoming emails. While business continuity is important, it’s critical to remember that some emails that arrive in your inbox will come from people you don’t know - and, in some cases, cybercriminals who wish to do you harm. The details you provide could be used for malicious purposes and expose your organization to attack.
---------------------------------------------
https://www.proofpoint.com/us/security-awareness/post/are-your-out-office-r…
∗∗∗ New Windows Process Injection Can Be Useful for Stealthy Malware ∗∗∗
---------------------------------------------
Researchers at SafeBreach, a cybersecurity firm that specializes in breach and attack simulations, have catalogued most known Windows process injection techniques. They also discovered a new method, which they claim is stealthy and can bypass all protections implemented by Microsoft.
---------------------------------------------
https://www.securityweek.com/new-windows-process-injection-can-be-useful-st…
∗∗∗ Analysis: ransomware attacks on companies almost quadrupled ∗∗∗
---------------------------------------------
The number of ransomware infections at companies has risen by 365 percent compared to the previous year. Doing big business: the Emotet/Trickbot/Ryuk trio.
---------------------------------------------
https://heise.de/-4492497
∗∗∗ Skype, Slack, VS Code, Atom: Electron apps have a dangerous Achilles' heel ∗∗∗
---------------------------------------------
Programs based on the Electron framework can be trojanized by local attackers and abused as an attack platform.
---------------------------------------------
https://heise.de/-4493195
∗∗∗ Hackers Can Use Rogue Engineering Stations to Target Siemens PLCs ∗∗∗
---------------------------------------------
Malicious actors could use rogue engineering workstations to take control of Siemens programmable logic controllers (PLCs), and they can hide the attack from the engineer monitoring the system, researchers from two universities in Israel have demonstrated.
---------------------------------------------
https://www.securityweek.com/hackers-can-use-rogue-engineering-stations-tar…
=====================
= Vulnerabilities =
=====================
∗∗∗ Severe security vulnerability in BIG-IP products from F5 Networks ∗∗∗
---------------------------------------------
The Finnish security specialist F-Secure warns of a security vulnerability that potentially makes numerous companies targets for cyberattacks. Affected are Big-IP products from F5 Networks. The vendor denies this.
---------------------------------------------
https://www.it-business.de/schwerwiegende-sicherheitsluecke-in-big-ip-produ…
∗∗∗ Avaya Deskphone: Decade-Old Vulnerability Found in Phone’s Firmware ∗∗∗
---------------------------------------------
Avaya is the second largest VOIP solution provider with an install base covering 90% of the Fortune 100 companies, with products targeting a wide spectrum of customers, from small business and midmarket, to large corporations. As part of the ongoing McAfee Advanced Threat Research effort into researching critical vulnerabilities in widely deployed software [...]
---------------------------------------------
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/avaya-deskphone…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-11, postgresql-9.4, and postgresql-9.6), Fedora (exiv2), openSUSE (python-Django and vlc), Oracle (kernel), Red Hat (qemu-kvm-rhev), SUSE (evince, nodejs10, python, and squid), and Ubuntu (postgresql-10, postgresql-11, postgresql-9.5).
---------------------------------------------
https://lwn.net/Articles/795821/
∗∗∗ D-LINK Router: vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0708
∗∗∗ BlackBerry Powered by Android Security Bulletin - August 2019 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Notice - Statement on Brute Forcing Encrypted Backup Data for Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2019/huawei-sn-20190809-01-…
∗∗∗ BIG-IP DHCPv6 vulnerability CVE-2019-6643 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36228121
∗∗∗ iControl REST vulnerability CVE-2019-6646 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K53990093
∗∗∗ F5 Container Ingress Service vulnerability CVE-2019-6648 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74327432
∗∗∗ iRulesLX debug NodeJS vulnerability CVE-2019-6644 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K75532331
∗∗∗ BIG-IP mcpd vulnerability CVE-2019-6647 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K87920510
∗∗∗ The BIG-IP DNS Configuration utility may erroneously display the TSIG key secret in plain text form ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03332436
∗∗∗ BIG-IP SSL connection security exposure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41515225
∗∗∗ BIG-IP FTP profile vulnerability CVE-2019-6645 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K15759349
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-08-2019 18:00 − Thursday 08-08-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ The Fully Remote Attack Surface of the iPhone ∗∗∗
---------------------------------------------
While there have been several rumours and reports of fully remote vulnerabilities affecting the iPhone being used by attackers in the last couple of years, limited information is available about the technical details of these vulnerabilities, as well as the underlying attack surface they occur in. I investigated the remote, interaction-less attack surface of the iPhone, and found several serious vulnerabilities.
---------------------------------------------
https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surf…
∗∗∗ [Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign", (Thu, Aug 8th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/25218
∗∗∗ Magento Skimmers: From Atob to Alibaba ∗∗∗
---------------------------------------------
Last year we saw a fairly massive Magento malware campaign that injected credit card stealing code similar to this: It uses the JavaScript atob function to decode base64-encoded domain names and URL patterns. In the sample above, it’s hxxps://livegetpay[.]com/pay.js?v=2.2.9 and “onepage”, respectively. The campaign used a variety of different domain names and targeted all sorts of payment processing systems, which is well described in Group-IB’s report.
---------------------------------------------
https://blog.sucuri.net/2019/08/magento-skimmers-from-atob-to-alibaba.html
∗∗∗ Reverse RDP Attack Also Enables Guest-to-Host Escape in Microsoft Hyper-V ∗∗∗
---------------------------------------------
Remember the Reverse RDP Attack? Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsoft’s built-in Windows RDP client that could allow a malicious RDP server to compromise a connecting client computer, i.e. in the reverse direction.
---------------------------------------------
https://thehackernews.com/2019/08/reverse-rdp-windows-hyper-v.html
∗∗∗ ACSC Releases Advisory on Password Spraying Attacks ∗∗∗
---------------------------------------------
Original release date: August 8, 2019. The Australian Cyber Security Centre (ACSC) has released an advisory on password spraying attacks. Password spraying is a type of brute-force attack in which a malicious actor uses a single password against many targeted user accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts. The ACSC provides recommendations for organizations to detect and
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/08/08/acsc-releases-advi…
∗∗∗ Extortion attempts with masturbation video! ∗∗∗
---------------------------------------------
The probability of finding fraudulent extortion e-mails in your own inbox is currently extremely high. Criminals claim to have infected their victims' systems with malware, to have gained access to webcam and contacts, and to now be in possession of a masturbation video. Those affected must not pay anything. The messages from „Anonymer Hacker“ are fabricated!
---------------------------------------------
https://www.watchlist-internet.at/news/erpressungsversuche-mit-masturbation…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortinet FortiRecorder 2.7.3 Hardcoded Password ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2019080028
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (exim, python-django, python2-django, and sdl2), Debian (proftpd-dfsg), Fedora (php and sqlite), openSUSE (proftpd), Red Hat (kernel), Slackware (kdelibs), SUSE (nodejs10, squid, and tcpdump), and Ubuntu (php5 and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/795725/
∗∗∗ Synology-SA-19:32 SWAPGS Spectre Side-Channel Attack ∗∗∗
---------------------------------------------
The vulnerability allows local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) running on an Intel CPU, including when DSM runs inside Virtual Machine Manager.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_32
∗∗∗ Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings Server Open Redirection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco SPA112 2-Port Phone Adapter Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco SD-WAN Solution Packet Filtering Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software VNC Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software Web-Based Management Interface Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software Cross-site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software Arbitrary File Read Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software Password Recovery Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software Web Portal Arbitrary File Read Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Enterprise NFV Infrastructure Software Path Traversal Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IOS XR Software Intermediate System–to–Intermediate System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IOS XR Software Intermediate System–to–Intermediate System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco HyperFlex Software Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Firepower Threat Defense Software File Policy Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IoT Field Network Director TLS Renegotiation Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Firepower Management Center Persistent Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Email Security Appliance Header Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Adaptive Security Appliance Software Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-08-2019 18:00 − Wednesday 07-08-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Smominru Cryptominer Scrapes Credentials for Half-Million Machines ∗∗∗
---------------------------------------------
The adversaries have retooled with EternalBlue and credential theft to add a new "access mining" revenue stream.
---------------------------------------------
https://threatpost.com/smominru-cryptominer-scrapes-credentials-half-millio…
∗∗∗ Autoloaded Server-Side Swiper ∗∗∗
---------------------------------------------
Front-end JavaScript-based credit card stealing malware has garnered a lot of attention within the security community. This makes sense, since the “swipers” can be easily detected by simply scanning the web pages of e-commerce sites. However, this isn’t the only way to steal payment details and sensitive user information from compromised sites. Server-side swipers are almost as prevalent as client-side ones, and [...]
---------------------------------------------
https://blog.sucuri.net/2019/08/autoloaded-server-side-swiper.html
∗∗∗ Beware of offers on Amazon that are too cheap ∗∗∗
---------------------------------------------
We are increasingly receiving reports from consumers who have come across dubious Amazon Marketplace shops. The extremely cheap offers lure people into a quick purchase. Later in the message exchange, the victims are informed about „Fehler 2045“ (error 2045) and asked to transfer the money to external accounts. Anyone who does this loses the amount and receives no goods!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-angeboten…
=====================
= Vulnerabilities =
=====================
∗∗∗ SWAPGSAttack: side-channel vulnerability once again hits only Intel ∗∗∗
---------------------------------------------
The Spectre-like SWAPGSAttack can be used to access supposedly protected memory areas by exploiting the speculative execution of the instruction. All Intel CPUs since Ivy Bridge from 2012 are affected; Microsoft already has patches for Windows 10.
---------------------------------------------
https://www.golem.de/news/swapgsattack-seitenkanal-schwachstelle-trifft-wie…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (hostapd), openSUSE (aubio and spamassassin), Oracle (kernel), Red Hat (augeas, kernel-rt, libssh2, perl, procps-ng, redis:5, and systemd), SUSE (bzip2, evince, kernel, linux-azure, nodejs4, nodejs8, osc, python, python-Twisted, and python3), and Ubuntu (BWA and Mercurial).
---------------------------------------------
https://lwn.net/Articles/795626/
∗∗∗ Security Advisory - Double Free Vulnerability in Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190807-…
∗∗∗ Security Advisory - Information Leak Vulnerability on Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190807-…
∗∗∗ HPESBST03938 rev.1 - Command View Advanced Edition (CVAE) Products, Local and Remote Access Restriction Bypass ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-08-2019 18:00 − Tuesday 06-08-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Mass Spoofing Campaign Takes Aim at Walmart ∗∗∗
---------------------------------------------
The sites are targeting job-seekers, movie aficionados and shoppers in hopes of harvesting their personal information.
---------------------------------------------
https://threatpost.com/mass-spoofing-campaign-walmart/146994/
∗∗∗ LokiBot Gains New Persistence Mechanism, Uses Steganography to Hide Its Tracks ∗∗∗
---------------------------------------------
First advertised as an information stealer and keylogger when it appeared in underground forums, LokiBot has added various capabilities over the years. Recent activity has seen the malware family abusing Windows Installer for its installation and introducing a new delivery method that involves spam mails containing malicious ISO file attachments. Our analysis of a new LokiBot variant shows that it has improved its capabilities [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/_k1Sozs3GX4/
∗∗∗ Malicious Plugin Used to Encrypt WordPress Posts ∗∗∗
---------------------------------------------
During a recent cleanup, we found an interesting malicious WordPress plugin, "WP Security", that was being used to encrypt blog post content. The website owner complained of a newly installed and activated plugin on their website that was rendering their original content unreadable.
---------------------------------------------
https://blog.sucuri.net/2019/08/malicious-plugin-used-to-encrypt-wordpress-…
∗∗∗ Code-Signed malware: What’s all the buzz about? Looking at the "Ryuk" ransomware as an example. ∗∗∗
---------------------------------------------
Certificates are an established method for verifying the legitimacy of an application. If malicious actors succeed in undermining a certificate authority (CA) by either stealing a valid certificate or compromising the CA, the entire model unravels. We have taken a look at a case where this has happened.
---------------------------------------------
https://www.gdatasoftware.com/blog/2019/08/35046-whats-all-the-buzz-about-l…
∗∗∗ Targeted espionage attacks via "smart things" documented for the first time ∗∗∗
---------------------------------------------
The hackers who broke into the Bundestag have a new attack technique in their repertoire: they get into corporate networks via printers or VoIP phones.
---------------------------------------------
https://heise.de/-4489325
∗∗∗ The shop sportfroger.com is a fraud ∗∗∗
---------------------------------------------
sportfroger.com offers a wide range of sports equipment. Whether ergometers, dumbbell sets or treadmills, consumers find what they are looking for here. After payment in advance comes the shock: the ordered goods are never delivered and the money is lost.
---------------------------------------------
https://www.watchlist-internet.at/news/hinter-dem-shop-sportfrogercom-steck…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: Google secures Android against "QualPwn" and other critical vulnerabilities ∗∗∗
---------------------------------------------
This month too, Google points to fixed Android vulnerabilities. Among them: an exploit chain of partly critical Qualcomm vulnerabilities called QualPwn.
---------------------------------------------
https://heise.de/-4489232
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium), Debian (glib2.0 and python-django), Fedora (gvfs, kernel, kernel-headers, kernel-tools, and subversion), Oracle (icedtea-web, nss and nspr, and ruby:2.5), Red Hat (advancecomp, bind, binutils, blktrace, compat-libtiff3, curl, dhcp, elfutils, exempi, exiv2, fence-agents, freerdp and vinagre, ghostscript, glibc, gvfs, http-parser, httpd, kde-workspace, keepalived, kernel, kernel-rt, keycloak-httpd-client-install, libarchive, libcgroup, [...]
---------------------------------------------
https://lwn.net/Articles/795506/
∗∗∗ Cisco Small Business 220 Series Smart Switches Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business 220 Series Smart Switches Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business 220 Series Smart Switches Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-08-2019 18:00 − Monday 05-08-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Dragonfly: new security vulnerabilities in the WPA3 encryption standard ∗∗∗
---------------------------------------------
How long a cryptographic procedure takes can unintentionally reveal information. Using such a vulnerability, researchers were able to crack passwords of the WPA3 WLAN encryption.
---------------------------------------------
https://www.golem.de/news/dragonfly-neue-sicherheitsluecken-in-verschluesse…
∗∗∗ MegaCortex Ransomware Revamps for Mass Distribution ∗∗∗
---------------------------------------------
Manual steps have been replaced by automation.
---------------------------------------------
https://threatpost.com/megacortex-ransomware-mass-distribution/146933/
∗∗∗ Combining Low Tech Scams: SMS + SET + Credit Card Harvesting, (Fri, Aug 2nd) ∗∗∗
---------------------------------------------
As Infosec folks, we spend a lot of time on the latest and greatest exploits, attacks and malware - we seem to be (abnormally) driven towards continuing education in our field. This is a great thing, but often we lose sight of the fact that the attackers don’t always try so hard.
---------------------------------------------
https://isc.sans.edu/diary/rss/25198
∗∗∗ GermanWiper ransomware deletes data ∗∗∗
---------------------------------------------
Paying the ransom does not help: whoever activates GermanWiper does not get their data encrypted in a recoverable way, but permanently overwritten with zeros.
---------------------------------------------
https://heise.de/-4487825
∗∗∗ Say hello to Lord Exploit Kit ∗∗∗
---------------------------------------------
In this blog, we take a look at a new exploit kit distributed via malvertising that calls itself Lord EK.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2019/08/say-hello-to-lord-exp…
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in NVIDIA Windows GPU Display Driver, VMware ESXi, Workstation and Fusion ∗∗∗
---------------------------------------------
VMware ESXi, Workstation and Fusion are affected by an out-of-bounds write vulnerability that can be triggered using a specially crafted shader file. This vulnerability can be triggered from a VMware guest, affecting the VMware host, leading to a crash (denial-of-service) of the vmware-vmx.exe process on the host (TALOS-2019-0757). However, when the host/guest systems are using an NVIDIA graphics card, the VMware [...]
---------------------------------------------
https://blog.talosintelligence.com/2019/08/nvidia-vmware-gpu-rce-vulnerabil…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2019-0012 ∗∗∗
---------------------------------------------
VMware ESXi, Workstation and Fusion updates address out-of-bounds read/write vulnerabilities (CVE-2019-5521, CVE-2019-5684)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0012.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (proftpd-dfsg and vim), Fedora (java-11-openjdk and matrix-synapse), Gentoo (binutils and libpng), Mageia (kernel), and SUSE (openexr and python-Django).
---------------------------------------------
https://lwn.net/Articles/795344/
∗∗∗ ZDI-19-687: (0Day) SolarWinds Orion Network Performance Monitor ExecuteExternalProgram Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-687/
∗∗∗ Linux kernel vulnerability CVE-2017-12190 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K93472064
∗∗∗ poppler: vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0687
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 01-08-2019 18:00 − Friday 02-08-2019 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Org’s network connect to GitHub and Pastebin much? It’s a Rocke road to cryptojacking country ∗∗∗
---------------------------------------------
You might also be slurping Chinese malware. Palo Alto Networks has spotted a new cryptomining malware technique that not only wipes out any other miners present on the target machine but uses GitHub and Pastebin as part of its command-and-control (C2) infrastructure.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2019/08/01/palo_alto_n…
∗∗∗ Google Project Zero: 95.8% of all bug reports are fixed before deadline expires ∗∗∗
---------------------------------------------
Google Project Zero: Disclosing technical bug reports and PoCs helps defenders more than attackers.
---------------------------------------------
https://www.zdnet.com/article/google-project-zero-95-8-of-all-bug-reports-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Veritas Resiliency Platform (VRP) Traversal / Command Execution ∗∗∗
---------------------------------------------
Topic: Veritas Resiliency Platform (VRP) Traversal / Command Execution. Risk: High. Four vulnerabilities have been fixed in VRP 3.4 HF1, one of which is of critical severity. Directory traversal vulnerability...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2019080002
∗∗∗ Advantech WebAccess HMI Designer ∗∗∗
---------------------------------------------
This advisory provides mitigation recommendations for an out-of-bounds write vulnerability reported in the Advantech WebAccess HMI Designer product.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-213-01
∗∗∗ Fuji Electric FRENIC Loader ∗∗∗
---------------------------------------------
This advisory includes mitigations for an out-of-bounds read vulnerability reported in the Fuji Electric FRENIC Loader AC drive.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-213-02
∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 ∗∗∗
---------------------------------------------
This advisory includes mitigations for two vulnerabilities, unverified ownership and uncontrolled memory allocation, reported in the 3S-Smart Software Solutions GmbH CODESYS V3 products.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-213-03
∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 ∗∗∗
---------------------------------------------
This advisory includes mitigations for an insufficiently protected credentials vulnerability reported in the 3S-Smart Software Solutions GmbH CODESYS V3 products.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-213-04
∗∗∗ Rockwell Automation Arena Simulation Software ∗∗∗
---------------------------------------------
This advisory provides information about, and mitigation recommendations for, two vulnerabilities reported in the Rockwell Automation Arena Automation software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-213-05
∗∗∗ SSA-632562 (Last Update: 2019-08-02): Vulnerabilities in SIPROTEC 5 Ethernet plug-in communication modules and devices ∗∗∗
---------------------------------------------
The SIPROTEC 5 Ethernet plug-in communication modules and devices are affected by multiple security vulnerabilities. These vulnerabilities could allow an attacker to carry out various attacks, e.g. to execute arbitrary code over the network. Eleven of these vulnerabilities affect the underlying Wind River VxWorks network stack and were recently patched by Wind River.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-632562.txt
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and thunderbird), openSUSE (openexr and rmt-server), Oracle (bind, container-tools:rhel8, cyrus-imapd, dotnet, edk2, firefox, flatpak, freeradius:3.0, ghostscript, gvfs, httpd:2.4, java-1.8.0-openjdk, java-11-openjdk, kernel, mod_auth_mellon, pacemaker, pki-deps:10.6, python-jinja2, python27:2.7, python3, python36:3.6, systemd, thunderbird, vim, virt:rhel, WALinuxAgent, and wget), Slackware (mariadb), SUSE (java-1_8_0-openjdk, polkit, and [...]
---------------------------------------------
https://lwn.net/Articles/795223/
∗∗∗ HPESBST03946 rev.1 - HPE 3PAR StoreServ Management Console (SSMC), Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBST03942 rev.1 - 3PAR Service Processor 5.0.5, Multiple remote Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ QEMU: vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0683
∗∗∗ PHP: vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0684
∗∗∗ IBM Security Bulletin: IBM Cloud Private ingress log files contain sensitive information (CVE-2019-4284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-ing…
∗∗∗ IBM Security Bulletin: IBM MQ clients are vulnerable to a denial of service attack caused by consuming specifically crafted messages (CVE-2019-4261) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-clients-are-vu…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2018-5391) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-announced-a-r…
∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction…
∗∗∗ IBM Security Bulletin: IBM WebSphere Application Server Security Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2019-4046, CVE-2018-1902, CVE-2018-10237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-websphere-applica…
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the Linux kernel affect the IBM FlashSystem models V840 and V9000 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…