=====================
= End-of-Day report =
=====================
Timeframe: Thursday 15-10-2020 18:00 − Friday 16-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ NPM nukes NodeJS malware opening Windows, Linux reverse shells ∗∗∗
---------------------------------------------
NPM has removed multiple packages hosted on its repository this week that established connections to remote servers and exfiltrated user data. These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/npm-nukes-nodejs-malware-ope…
∗∗∗ CVE-2020-16898: Windows ICMPv6 Router Advertisement RDNSS Option Remote Code Execution Vulnerability, (Thu, Oct 15th) ∗∗∗
---------------------------------------------
Highlights
- Do not disable IPv6 entirely unless you want to break Windows in interesting ways.
- This can only be exploited from the local subnet.
- But it may lead to remote code execution / BSOD
- PoC exploit is easy, but actual RCE is hard.
- Patch
For more details, see also the YouTube video I just published: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26684
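The RDNSS option the diary refers to can be checked in captured Router Advertisements. The following Python is an added example, not code from the ISC diary or from Microsoft: it walks the options of an ICMPv6 Router Advertisement and flags RDNSS (type 25) options whose Length field violates RFC 8106, which requires an odd value of at least 3 (3 + 2n for n addresses). Public analyses of CVE-2020-16898 describe the trigger as an RDNSS option with exactly such a non-conformant Length; that detail comes from those write-ups, not from the excerpt above. The RA bytes, the 2001:db8:: addresses and the helper names are constructed for the example.

```python
"""Added example: audit ICMPv6 Router Advertisement (RA) options and flag
RDNSS (type 25) options that violate RFC 8106, which requires the option
Length (in 8-byte units) to be odd and at least 3, i.e. 3 + 2n for n
addresses. The RA bytes built below are constructed, not captured."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25
RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def ra_options(icmpv6):
    """Yield (type, length_units, body) for each option in an RA message.
    `icmpv6` is the ICMPv6 message starting at the Type byte."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    off = RA_HEADER_LEN
    while off < len(icmpv6):
        if off + 2 > len(icmpv6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("option with zero Length (forbidden by RFC 4861)")
        end = off + opt_len * 8
        if end > len(icmpv6):
            raise ValueError("option runs past end of message")
        yield opt_type, opt_len, icmpv6[off + 2:end]
        off = end


def audit_ra(icmpv6):
    """Return {"findings": [...], "rdnss": [...]}: findings are strings for
    non-conformant RDNSS options, rdnss is the (server, lifetime) list
    advertised by conformant ones."""
    findings, servers = [], []
    for opt_type, opt_len, body in ra_options(icmpv6):
        if opt_type != OPT_RDNSS:
            continue
        if opt_len < 3 or opt_len % 2 == 0:
            findings.append(
                f"RDNSS option with Length={opt_len}; RFC 8106 requires an odd value >= 3")
            continue
        # body = 2 reserved bytes + 4-byte lifetime + (Length-1)/2 addresses of 16 bytes
        lifetime = struct.unpack("!I", body[2:6])[0]
        for i in range((opt_len - 1) // 2):
            addr = ipaddress.IPv6Address(body[6 + 16 * i:22 + 16 * i])
            servers.append((str(addr), lifetime))
    return {"findings": findings, "rdnss": servers}


def build_ra(options):
    """Constructed RA header (checksum left 0; computing it needs the IPv6 pseudo-header)."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def build_rdnss(length_units, addresses, lifetime=3600):
    """Constructed RDNSS option with an arbitrary Length field, padded or cut
    to what that Length claims, so declared and actual sizes agree."""
    body = struct.pack("!HI", 0, lifetime)
    body += b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    opt = bytes([OPT_RDNSS, length_units]) + body
    want = length_units * 8
    return opt[:want].ljust(want, b"\x00")


if __name__ == "__main__":
    good = build_ra(build_rdnss(3, ["2001:db8::53"]))
    bad = build_ra(build_rdnss(4, ["2001:db8::53"]))  # even Length: non-conformant
    print(audit_ra(good))
    print(audit_ra(bad))
```

Feed it ICMPv6 payloads of type 134 taken from a capture on the local link, since per the highlights the attack does not cross routers. Microsoft's advisory for this CVE offers a workaround that disables only RA-based DNS configuration per interface (`netsh int ipv6 set int <interface index> rabaseddnsconfig=disable`) rather than IPv6 as a whole, which is the point of the first highlight; that command is from the advisory, not from the excerpt above.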
∗∗∗ Traffic Analysis Quiz: Ugly-Wolf.net, (Fri, Oct 16th) ∗∗∗
---------------------------------------------
It's that time of the month again... Time for another traffic analysis quiz! This one is from a Windows 10 client logged into an Active Directory (AD) environment.
---------------------------------------------
https://isc.sans.edu/diary/rss/26688
∗∗∗ CVE-2020-15157 "ContainerDrip" Write-up ∗∗∗
---------------------------------------------
CVE-2020-15157: If an attacker publishes a public image with a crafted manifest that directs one of the image layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used by ctr/containerd to access that registry. In some cases, this may be the user’s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other [...]
---------------------------------------------
https://darkbit.io/blog/cve-2020-15157-containerdrip
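The attack path described above can be caught before the pull: the manifest is fetched first, and a layer that would be downloaded from anywhere other than the registry that served the manifest is the tell. The following Python is an added example, not code from the darkbit write-up, containerd or ctr. It assumes the Docker image manifest v2 schema 2 / OCI image manifest layout, in which a layer's optional `urls` array lists alternative download locations, and it uses a constructed sample manifest with placeholder digests and the hypothetical hosts registry.example and attacker.example.

```python
"""Added example: flag image-manifest layers whose `urls` would make the
client download layer content from a host other than the registry that
served the manifest. The manifests below are constructed, not real images."""
import json
from urllib.parse import urlsplit

# Constructed two-layer manifest in Docker image manifest v2 schema 2 layout.
# The second layer carries a "urls" entry pointing at a hypothetical
# attacker-controlled host instead of the registry.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {
        "mediaType": "application/vnd.docker.container.image.v1+json",
        "size": 1469,
        "digest": "sha256:" + "a" * 64,
    },
    "layers": [
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 2811478,
            "digest": "sha256:" + "b" * 64,
        },
        {
            "mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
            "size": 1024,
            "digest": "sha256:" + "c" * 64,
            "urls": ["https://attacker.example/layer.tar.gz"],
        },
    ],
})

# Same layout with no off-registry URL at all.
CLEAN_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {
        "mediaType": "application/vnd.docker.container.image.v1+json",
        "size": 1469,
        "digest": "sha256:" + "a" * 64,
    },
    "layers": [
        {
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": 2811478,
            "digest": "sha256:" + "b" * 64,
        },
    ],
})


def _host_of(url):
    """Return host[:port] of a URL in lower case, or '' if it has none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{host}:{parts.port}" if parts.port else host


def audit_manifest(manifest_json, registry_host):
    """Return a list of (layer digest, url, reason) for every layer URL that
    does not point back at `registry_host` over HTTPS. An empty list means
    the pull would only talk to the registry the manifest came from."""
    manifest = json.loads(manifest_json)
    expected = registry_host.lower()
    findings = []
    for layer in manifest.get("layers", []):
        digest = layer.get("digest", "<no digest>")
        for url in layer.get("urls", []):
            scheme = urlsplit(url).scheme.lower()
            host = _host_of(url)
            if scheme != "https":
                findings.append((digest, url, f"layer URL scheme is {scheme or 'missing'}, not https"))
            elif host != expected:
                findings.append((digest, url, f"layer URL host {host!r} is not the registry {expected!r}"))
    return findings


if __name__ == "__main__":
    for digest, url, reason in audit_manifest(SAMPLE_MANIFEST, "registry.example"):
        print(f"REFUSE PULL: {digest[:19]}... -> {url}: {reason}")
```

In practice you fetch the manifest through the registry API, run audit_manifest on it with the registry you fetched it from, and refuse the pull if the list is non-empty. The hostname match is a pre-pull heuristic only; the real fix is a client that never sends the registry's credentials to any other host, so patching ctr/containerd still comes first.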
∗∗∗ CMS Drupal: OAuth Server module vulnerable to SQL injection attacks ∗∗∗
---------------------------------------------
The OAuth Server module for Drupal 8 needs an update to 8.x-1.1. The new version closes a "moderately critical" hole.
---------------------------------------------
https://heise.de/-4930778
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware Horizon Client update addresses a denial-of-service vulnerability (CVE-2020-3991) ∗∗∗
---------------------------------------------
VMware Horizon Client for Windows contains a denial-of-service vulnerability due to a file system access control issue during install time. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0022.html
∗∗∗ Critical hole in SonicWall firewall exploitable for denial-of-service attacks ∗∗∗
---------------------------------------------
Updates are available for several versions of SonicOS that fix one critical and ten further vulnerabilities rated "Medium" to "High".
---------------------------------------------
https://heise.de/-4930351
∗∗∗ CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code.
---------------------------------------------
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020…
∗∗∗ Adobe patches Magento bugs that lead to code execution, customer list tampering ∗∗∗
---------------------------------------------
The out-of-band security update tackles eight critical and important vulnerabilities.
---------------------------------------------
https://www.zdnet.com/article/adobe-patches-magento-bugs-that-lead-to-code-…
∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2020 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Jackson Core affect IBM Maximo Asset Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a 3RD PARTY Cryptographic vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-big…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Authentication Bypass (CVE-2020-4493) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Vulnerabilities in Apache ActiveMQ affect IBM Operations Analytics Predictive Insights (CVE-2020-11998, CVE-2020-13920) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: IBM Resilient SOAR could allow a privileged user to inject malicious commands through Python3 scripting (CVE-2020-4636). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-could-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-10-2020 18:00 − Thursday 15-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ BleedingTooth: Google and Intel warn of new Bluetooth vulnerabilities ∗∗∗
---------------------------------------------
According to Google, the vulnerabilities allow remote code execution. Intel published them before patches had shipped.
---------------------------------------------
https://www.golem.de/news/bleedingtooth-google-und-intel-warnen-vor-neuen-b…
∗∗∗ Security Analysis of CHERI ISA ∗∗∗
---------------------------------------------
Is it possible to get to a state where memory safety issues would be deterministically mitigated? Our quest to mitigate memory corruption vulnerabilities led us to examine CHERI (Capability Hardware Enhanced RISC Instructions), which provides memory protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2020/10/14/security-analysis-of-cheri-i…
∗∗∗ Magento Phishing Leverages JavaScript For Exfiltration ∗∗∗
---------------------------------------------
During a recent investigation, a Magento admin login phishing page was found on a compromised website using the file name wp-order.php. This is an odd file name choice for a Magento phishing page, but nevertheless it successfully loads a legitimate looking Magento 1.x login page.
---------------------------------------------
https://blog.sucuri.net/2020/10/magento-phishing-leverages-javascript-for-e…
∗∗∗ [SANS ISC] Nicely Obfuscated Python RAT ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Nicely Obfuscated Python RAT“: While hunting, I found an interesting Python script. It matched one of my YARA rules due to the interesting list of imports but the content itself was nicely obfuscated.
---------------------------------------------
https://blog.rootshell.be/2020/10/15/sans-isc-nicely-obfuscated-python-rat/
∗∗∗ Dockerfile Security Best Practices ∗∗∗
---------------------------------------------
Container security is a broad problem space and there are many low hanging fruits one can harvest to mitigate risks. A good starting point is to follow some rules when writing Dockerfiles.
---------------------------------------------
https://cloudberry.engineering/article/dockerfile-security-best-practices/
∗∗∗ QR code scams are making a comeback ∗∗∗
---------------------------------------------
With QR codes being used more as a means to help create a COVID-19-proof environment, we're also seeing a comeback of QR code scams.
---------------------------------------------
https://blog.malwarebytes.com/scams/2020/10/qr-code-scams-are-making-a-come…
∗∗∗ This major criminal hacking group just switched to ransomware attacks ∗∗∗
---------------------------------------------
A newly detailed financial cybercrime group has been conducting attacks around the world since 2016 - but now they've switched to ransomware because it's the biggest and easiest payday.
---------------------------------------------
https://www.zdnet.com/article/this-major-criminal-hacking-group-just-switch…
∗∗∗ New Emotet attacks use fake Windows Update lures ∗∗∗
---------------------------------------------
Emotet diversifies arsenal with new lures to trick users into infecting themselves.
---------------------------------------------
https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034 ∗∗∗
---------------------------------------------
Project: Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO )
Date: 2020-October-14
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: SQL Injection
Description: This module enables you to log in to any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection.
Solution: Install the latest version: If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-034
∗∗∗ Juniper Security Bulletins 2020-10 ∗∗∗
---------------------------------------------
JSA11045 - 2020-10 Security Bulletin: JSA Series: Intel CPUs could allow a local authenticated attacker to obtain sensitive information (CVE-2019-11135)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11045
JSA11046 - 2020-10 Security Bulletin: Junos OS: FreeBSD-SA-20:03.thrmisc: kernel stack data disclosure (CVE-2019-15875)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11046
JSA11047 - 2020-10 Security Bulletin: FreeBSD-SA-19:20.bsnmp : Insufficient message length validation in bsnmp library (CVE-2019-5610)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11047
JSA11048 - 2020-10 Security Bulletin: Junos Space and Junos Space Security Director: Zombie POODLE and GOLDENDOODLE resolved in 20.2R1 release
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11048
JSA11049 - 2020-10 Security Bulletin: Junos OS: When a DHCPv6 Relay-Agent is configured upon receipt of a specific DHCPv6 client message, Remote Code Execution may occur. (CVE-2020-1656)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11049
JSA11050 - 2020-10 Security Bulletin: Junos OS: SRX Series: An attacker sending spoofed packets to IPSec peers may cause a Denial of Service. (CVE-2020-1657)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11050
JSA11053 - 2020-10 Security Bulletin: Junos OS: NFX Series: Multiple vulnerabilities resolved in 20.2R1 release
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11053
JSA11054 - 2020-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packets can cause services card to restart when DNS filtering is configured. (CVE-2020-1660)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11054
JSA11055 - 2020-10 Security Bulletin: Junos OS: Multiple SQLite vulnerabilities resolved.
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11055
JSA11056 - 2020-10 Security Bulletin: Junos OS: jdhcpd process crash when forwarding a malformed DHCP packet. (CVE-2020-1661)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11056
JSA11062 - 2020-10 Security Bulletin: Junos OS: MX series/EX9200 Series: IPv6 DDoS protection does not work as expected. (CVE-2020-1665)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11062
JSA11076 - 2020-10 Security Bulletin: Junos OS: PTX/QFX Series: Kernel Routing Table (KRT) queue stuck after packet sampling a malformed packet when the tunnel-observation mpls-over-udp configuration is enabled. (CVE-2020-1679)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11076
JSA11079 - 2020-10 Security Bulletin: Junos OS: SRX1500, vSRX, SRX4K, NFX150: Denial of service vulnerability executing local CLI command (CVE-2020-1682)
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11079
---------------------------------------------
∗∗∗ Red Hat JBoss Enterprise Application Platform: vulnerability enables denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0992
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernat…
∗∗∗ Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14195 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Security Vulnerabilities in IBM WebSphere Liberty fixed in IBM Security Access Manager Appliance ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14062 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: Security Vulnerabilities have been identified in IBM Java Runtime as shipped with Tivoli Federated Identity Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Commons Codec vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-10-2020 18:00 − Wednesday 14-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Patch day: current Microsoft updates prevent remote attacks ∗∗∗
---------------------------------------------
No active attacks on the vulnerabilities fixed on Patch Tuesday, some of them critical, have been observed so far. You should still update promptly.
---------------------------------------------
https://heise.de/-4928145
∗∗∗ Apple's T2 security chip: exploit demonstrated in action ∗∗∗
---------------------------------------------
A team of hackers has demonstrated how the current security chip in the Mac can be cracked, using a simple manipulated USB-C cable.
---------------------------------------------
https://heise.de/-4928042
∗∗∗ Beware of phishing calls in the name of Magenta ∗∗∗
---------------------------------------------
Criminals are increasingly using the telephone to get at personal data. Currently, fraudsters are posing as Magenta and trying to obtain victims' customer passwords and other personal data by phone. Therefore, do not answer calls from the number 0800799742!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-phishing-anrufen-im-nam…
=====================
= Vulnerabilities =
=====================
∗∗∗ For Foxit's sake: Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns ∗∗∗
---------------------------------------------
CISA points spotlight at PDF reader 'n' creator suite. Windows and Mac users running Foxit's popular PhantomPDF reader should update their installations to the latest version after the US CISA cybersecurity agency warned of a handful of high-severity product vulnerabilities.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2020/10/13/foxit_phanto…
∗∗∗ October 2020 Patch Tuesday: Microsoft fixes potentially wormable Windows TCP/IP RCE flaw ∗∗∗
---------------------------------------------
On this October 2020 Patch Tuesday:
Microsoft has plugged 87 security holes, including critical ones in the Windows TCP/IP stack and Microsoft Outlook and Microsoft 365 Apps for Enterprise
Adobe has delivered security updates for Adobe Flash Player
Intel warns about flaws in BlueZ, the official Linux Bluetooth protocol stack
SAP has released 15 security notes and updates to 6 previously released ones.
---------------------------------------------
https://www.helpnetsecurity.com/2020/10/13/october-2020-patch-tuesday/
∗∗∗ SAP patch day: top-rated hole in CA Introscope Enterprise Manager fixed ∗∗∗
---------------------------------------------
SAP admins should examine the available security updates promptly and install them where necessary. The risk rating "High" appears several times.
---------------------------------------------
https://heise.de/-4928265
∗∗∗ Vulnerability Spotlight: Information leak vulnerability in Google Chrome WebGL ∗∗∗
---------------------------------------------
Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. The Google Chrome web browser contains a vulnerability that could be exploited by an adversary to carry out a range of malicious actions. Chrome is one of the most popular web browsers currently available to users. Cisco Talos researchers recently discovered a bug in WebGL, which is a Chrome API responsible for displaying 3-D graphics.
---------------------------------------------
https://blog.talosintelligence.com/2020/10/vuln-spotlight-chrome-web-gl-inf…
∗∗∗ SonicWall VPN Portal Critical Flaw (CVE-2020-5135) ∗∗∗
---------------------------------------------
Tripwire VERT has identified a stack-based buffer overflow in SonicWall Network Security Appliance (NSA). The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access.
---------------------------------------------
https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critic…
∗∗∗ Kubernetes AWS IAM Integration Issues ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020100083
∗∗∗ Red Hat JBoss Enterprise Application Platform: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0975
∗∗∗ Trend Micro AntiVirus for Mac: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0977
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-…
∗∗∗ Security Advisory - Buffer Overflow Vulnerability in the Bluetooth Module of Some Huawei Mobile Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-…
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-…
∗∗∗ Security Advisory - JavaScript Injection Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Apache Derby as used by IBM QRadar SIEM is vulnerable to Improper Input Validation (CVE-2018-1313) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-derby-as-used-by-i…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Unzip as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2019-13232) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-unzip-as-used-by-ibm-qrad…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2020-4528) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-10-2020 18:00 − Tuesday 13-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows Update can be abused to execute malicious programs ∗∗∗
---------------------------------------------
The Windows Update client has just been added to the list of living-off-the-land binaries (LoLBins) attackers can use to execute malicious code on Windows systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-update-can-be-abused…
∗∗∗ Attackers on US government networks combine "Zerologon" with further vulnerabilities ∗∗∗
---------------------------------------------
Vulnerabilities in FortiOS and MobileIron Core & Connector are being woven together with Zerologon into an exploit chain, CISA and the FBI warn.
---------------------------------------------
https://heise.de/-4927692
∗∗∗ 55 vulnerabilities discovered in Apple services ∗∗∗
---------------------------------------------
Five hackers received almost 300,000 US dollars in bug bounty rewards in a period of just 3 months.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/10/13/55-sicherheitsluecken-bei…
∗∗∗ Anatomy of Ryuk Attack: 29 Hours From Initial Email to Full Compromise ∗∗∗
---------------------------------------------
An attack involving the Ryuk ransomware required 29 hours from an email being sent to the target to full environment compromise and the encryption of systems, according to the DFIR Report, a project that provides threat intelligence from real attacks observed by its honeypots.
---------------------------------------------
https://www.securityweek.com/anatomy-ryuk-attack-29-hours-initial-email-ful…
∗∗∗ Study Finds 400,000 Vulnerabilities Across 2,200 Virtual Appliances ∗∗∗
---------------------------------------------
Virtual appliances, even if they are provided by major software or cybersecurity vendors, can pose a serious risk to organizations, according to a report published on Tuesday by cloud visibility firm Orca Security.
---------------------------------------------
https://www.securityweek.com/study-finds-400000-vulnerabilities-across-2200…
∗∗∗ Scam schemes you should know about ∗∗∗
---------------------------------------------
Scamming is an umbrella term for numerous fraud schemes. But what is scamming? You have surely already come into contact with this type of fraud, or at least heard of it! Here you can learn more about the most common advance-fee fraud schemes and how to protect yourself against them.
---------------------------------------------
https://www.watchlist-internet.at/news/diese-scamming-maschen-sollten-sie-k…
∗∗∗ Red team uncovers IAM weaknesses ∗∗∗
---------------------------------------------
A red team from Palo Alto Networks has shown how attackers deliberately exploit gaps and misconfigurations in cloud Identity and Access Management (IAM) to get at critical information.
---------------------------------------------
https://www.zdnet.de/88388335/red-team-deckt-iam-schwaechen-auf/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Updates Available for Adobe Flash Player (APSB20-58) ∗∗∗
---------------------------------------------
Adobe has released security updates for Adobe Flash Player (APSB20-58) for Windows, macOS, Linux and Chrome OS. These updates address a vulnerability rated Critical in Adobe Flash Player. Successful exploitation could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1925
∗∗∗ SSA-384879 (Last Update: 2020-10-13): Authentication Bypass Vulnerability in SIPORT MP ∗∗∗
---------------------------------------------
SIPORT MP version 3.2.1 fixes an authentication bypass vulnerability which could enable an attacker to impersonate other users of the system and perform administrative actions. Siemens recommends applying the update.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-384879.txt
∗∗∗ SSA-226339 (Last Update: 2020-10-13): Multiple Web Application Vulnerabilities in Desigo Insight ∗∗∗
---------------------------------------------
The latest hotfix for Desigo Insight fixes three vulnerabilities that have been identified in the web server, including SQL injection (CVE-2020-15792), clickjacking (CVE-2020-15793), and full path disclosure (CVE-2020-15794). Siemens recommends updating to the latest version of Desigo Insight and to apply the hotfix.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-226339.txt
∗∗∗ Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions ∗∗∗
---------------------------------------------
Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges. The flaws could allow unprivileged Windows users to run code with SYSTEM privileges, a vulnerability note from the CERT Coordination Center (CERT/CC) reveals.
---------------------------------------------
https://www.securityweek.com/acronis-patches-privilege-escalation-flaws-bac…
∗∗∗ SAP patch day October 2020 ∗∗∗
---------------------------------------------
A remote, authenticated or anonymous attacker can exploit several vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0972
∗∗∗ Citrix Gateway Plug-in for Windows Security Update ∗∗∗
---------------------------------------------
Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows that, if exploited, could result in a local user escalating their privilege level to SYSTEM.
---------------------------------------------
https://support.citrix.com/article/CTX282684
∗∗∗ IPAS: Security Advisories for October 2020 ∗∗∗
---------------------------------------------
Hi everyone, For October 2020, we are releasing just one security advisory addressing two vulnerabilities in the BlueZ open-source Bluetooth stack. Affected Linux users are encouraged to update to Linux kernel version 5.9 or later. More information can be found in INTEL-SA-00435 and at www.bluez.org.
---------------------------------------------
https://blogs.intel.com/technology/2020/10/ipas-security-advisories-for-oct…
∗∗∗ Remote Desktop Services Remote Code Execution Vulnerability in Rexroth Industrial PCs ∗∗∗
---------------------------------------------
BOSCH-SA-856281: Microsoft has published information [1] for several versions of Microsoft Windows XP, Microsoft Windows XP Embedded, Microsoft Windows 7 and Microsoft Windows 7 Embedded Standard regarding a vulnerability in the Remote Desktop Service. The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code on the target system if the system exposes the service to the network. Rexroth Industrial PCs on these operating systems are affected by this vulnerability.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-856281.html
∗∗∗ Webmin: vulnerabilities enable cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0973
∗∗∗ BSRT-2020-003 Vulnerability in UEM Core Impacts BlackBerry UEM ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4557 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4698 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerability in Docker affects Cloud Pak System (CVE-2020-13401) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-docker-a…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Qemu affects IBM Netezza Host Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 09-10-2020 18:00 − Montag 12-10-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Sophisticated Android Ransomware Executes with the Home Button ∗∗∗
---------------------------------------------
The malware also has a unique machine-learning module.
---------------------------------------------
https://threatpost.com/android-ransomware-home-button/160001/
∗∗∗ Open Packaging Conventions, (Sat, Oct 10th) ∗∗∗
---------------------------------------------
Office files like .docx, .xlsm, ... are Office Open XML (OOXML) files: a ZIP container containing XML files and possibly other file types.
---------------------------------------------
https://isc.sans.edu/diary/rss/26662
∗∗∗ Operation TrickBot: a global strike against the botnet ∗∗∗
---------------------------------------------
ESET researchers supported the successful strike against one of the largest botnets and malware distributors.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/10/12/operation-trickbot-eset-i…
∗∗∗ Deepfake Voice Technology Iterates on Old Phishing Strategies ∗∗∗
---------------------------------------------
As the world of AI and deepfake technology grows more complex, the risk that deepfakes pose to firms and individuals grows increasingly potent. This growing sophistication of the latest software and algorithms has allowed malicious hackers, scammers and cyber criminals who work tirelessly behind the scenes to stay one step ahead of the authorities, making [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/featured/deepfake-voice-technolo…
∗∗∗ Beware of the fake shop sport-monkey.de! ∗∗∗
---------------------------------------------
Over the weekend, Watchlist Internet received countless reports about the online shop sport-monkey.de. It offers a wide range of sports equipment at almost unbelievable prices. The prices are so low for one single reason: it is a fake shop that does not deliver any goods despite payment in advance.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-dem-fake-shop-sport-mon…
∗∗∗ Event Report - A convenient mechanism to edit, visualize and share reports ∗∗∗
---------------------------------------------
MISP is widely known as a powerful tool to gather, correlate and share information. As a response to the growing information-sharing maturity of the community, more features have been introduced over the past few years to meet analyst skills and requirements.
---------------------------------------------
https://www.misp-project.org/2020/10/08/Event-Reports.html
∗∗∗ Hackers exploit bugs in VPN and Windows Netlogon ∗∗∗
---------------------------------------------
Attackers gain access to government networks by specifically exploiting vulnerabilities in VPN systems and Windows Netlogon.
---------------------------------------------
https://www.zdnet.de/88383319/hacker-nutzen-bugs-in-vpn-und-windows-netlogo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
A previous version of this bulletin had links to hotfixes that addressed the security issues but caused stability issues for some deployments that were using the Hypervisor Introspection (HVI) functionality of Citrix Hypervisor. Customers who are not using HVI functionality and who have already applied the earlier updates need take no further action.
---------------------------------------------
https://support.citrix.com/article/CTX282314
∗∗∗ Atlassian Jira Software: Vulnerability enables cross-site scripting ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0970
∗∗∗ phpMyAdmin: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-0969
∗∗∗ Reflected Cross-Site Scripting and Unauthenticated Malicious File Upload in Sage DPW ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/reflected-cross-site-scripting…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to HTML injection. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to deserialization of untrusted data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM InfoSphere Metadata Asset Manager is vulnerable to stored cross-site scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-a…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an SQLite vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to buffer overflow leading to a privileged escalation (CVE-2020-4363) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure and denial of service (CVE-2020-4414) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4387) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service attack (CVE-2020-4420) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 08-10-2020 18:00 − Freitag 09-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Phishing kits as far as the eye can see, (Fri, Oct 9th) ∗∗∗
---------------------------------------------
If you've never delved too deep into the topic of phishing kits, you might quite reasonably expect that they would be the sort of tools, which are traded almost exclusively on dark web marketplaces. This is however not the case.
---------------------------------------------
https://isc.sans.edu/diary/rss/26660
∗∗∗ Firebase: Google Cloud’s Evil Twin - Excerpt ∗∗∗
---------------------------------------------
Firebase is the most popular developer tool that security has never heard of. We will bring its numerous flaws to light.
---------------------------------------------
https://www.sans.org/blog/firebase-google-cloud-s-evil-twin-condensed
∗∗∗ BSI team sweeps all prizes at the CHES Challenge ∗∗∗
---------------------------------------------
From 14 to 18 September 2020, the International Association for Cryptologic Research (IACR) held the Conference on Cryptographic Hardware and Embedded Systems (CHES). CHES is the world's largest and most renowned conference on hardware-oriented cryptography.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/CHES-Challe…
∗∗∗ verbraucherclub.de: Warning about dubious advertisements! ∗∗∗
---------------------------------------------
Have you already heard of the "KoreTrak" smartwatch, which is supposed to be a lifesaver for senior citizens? Or of the LiveWave Antenna, which magically brings free television into your living room? If so, you have probably come across a dubious advertisement from verbraucherclub.de.
---------------------------------------------
https://www.watchlist-internet.at/news/verbraucherclubde-warnung-vor-unseri…
∗∗∗ Microsoft Exchange CVE-2020-0688 Revisited -- in two acts ∗∗∗
---------------------------------------------
In April we published a blog post about Microsoft Exchange servers that were vulnerable to CVE-2020-0688, a vulnerability already patched in February 2020.
---------------------------------------------
https://cert.at/de/aktuelles/2020/10/microsoft-exchange-cve-2020-0688-revis…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple's T2: When the security chip becomes a keylogger ∗∗∗
---------------------------------------------
Apple's T2 chip is actually supposed to provide security, but a team of researchers was able to turn it into a keylogger.
---------------------------------------------
https://www.golem.de/news/apples-t2-wenn-der-sicherheitschip-zum-keylogger-…
∗∗∗ We Hacked Apple for 3 Months: Here’s What We Found ∗∗∗
---------------------------------------------
During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, [...]
---------------------------------------------
https://samcurry.net/hacking-apple/
∗∗∗ Credit card skimmer targets virtual conference platform ∗∗∗
---------------------------------------------
Criminals have gone after an online conference platform to steal credit card data from virtual attendees.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2020/10/credit-card-skimmer…
∗∗∗ Security Bulletin: An XPath vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4774) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-xpath-vulnerability-ma…
∗∗∗ Security Bulletin: IBM Cúram Social Program Management uses MD5 algorithm (CVE-2020-4778) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cram-social-program-m…
∗∗∗ Security Bulletin: A cross-site scripting (XSS) vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4775) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xs…
∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o…
∗∗∗ Security Bulletin: An improper input validation vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4781) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-improper-input-validat…
∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service via Kubernetes (CVE-2020-8557, CVE-2020-8559) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable…
∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Access Manager and IBM Security Verify Access (CVE-2020-4661, CVE-2020-4699, CVE-2020-4660) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service (CVE-2020-16845) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 07-10-2020 18:00 − Donnerstag 08-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ SiteCheck Malware Report: September Summary ∗∗∗
---------------------------------------------
In September alone, a total of 17,138,086 website scans were performed using SiteCheck. Of those scans, 178,299 infected sites were detected.
---------------------------------------------
https://blog.sucuri.net/2020/10/sitecheck-malware-report-september-summary.…
∗∗∗ Researchers Find Vulnerabilities in Microsoft Azure Cloud Service ∗∗∗
---------------------------------------------
Now according to the latest research, two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server.
...
Discovered by Paul Litvak of Intezer Labs, the flaws were reported to Microsoft in June, after which the company subsequently addressed them.
---------------------------------------------
https://thehackernews.com/2020/10/microsoft-azure-vulnerability.html
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP NAS: New version of the Helpdesk app fixes two critical vulnerabilities ∗∗∗
---------------------------------------------
The Helpdesk app for QNAP network storage devices had two security vulnerabilities through which attackers could have gained control of the devices.
---------------------------------------------
https://heise.de/-4923916
∗∗∗ Multiple Cross-Site Scripting Vulnerabilities in Confluence Marketplace Plugins ∗∗∗
---------------------------------------------
Multiple Confluence Plugins from different vendors are affected by stored cross-site scripting vulnerabilities which allow attackers to inject malicious JavaScript code into Confluence pages.
Affected plugins: PlantUML, Refined Toolkit for Confluence, Linking for Confluence, Countdown Timer, Server Status
Business recommendation: Update to the latest versions of the plugins.
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-cross-site-scripting-…
∗∗∗ Vulnerability Exposes Over 4 Million Sites Using WPBakery ∗∗∗
---------------------------------------------
On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. [...] a final sufficient patch was released on September 24, 2020. We highly recommend updating to the latest version, 6.4.1 as of today, immediately.
---------------------------------------------
https://www.wordfence.com/blog/2020/10/vulnerability-exposes-over-4-million…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM has published a number of security bulletins:
* https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
* https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
* https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates: Attackers could disable Cisco video surveillance ∗∗∗
---------------------------------------------
Network equipment vendor Cisco has released important patches for, among other things, surveillance cameras and the online meeting software Webex.
List sorted by threat level in descending order:
* Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service
* Webex Teams Client for Windows DLL Hijacking
* Identity Services Engine Authorization Bypass
* Industrial Network Director Denial of Service
* Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Memory Leak
* Vision Dynamic Signage Director Missing Authentication
* SD-WAN vManage Cross-Site Scripting
* StarOS Privilege Escalation
* Expressway Series and TelePresence Video Communication Server Denial of Service
* Email Security Appliance URL Filtering Bypass
* Nexus Data Broker Software Path Traversal
* Firepower Management Center Cross-Site Scripting
* Identity Services Engine Cross-Site Scripting
* StarOS Privilege Escalation
---------------------------------------------
https://heise.de/-4924026
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 06-10-2020 18:00 − Mittwoch 07-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Backdoor Shell Dropper Deploys CMS-Specific Malware ∗∗∗
---------------------------------------------
A large majority of the malware we find on compromised websites are backdoors that allow an attacker to maintain unauthorized access to the site and execute whatever commands they want.
---------------------------------------------
https://blog.sucuri.net/2020/10/backdoor-shell-dropper-deploys-cms-specific…
∗∗∗ Alert (AA20-280A): Emotet Malware ∗∗∗
---------------------------------------------
Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa20-280a
∗∗∗ New HEH botnet can wipe routers and IoT devices ∗∗∗
---------------------------------------------
The disk-wiping feature is present in the code but has not been used yet.
---------------------------------------------
https://www.zdnet.com/article/new-heh-botnet-can-wipe-routers-and-iot-devic…
∗∗∗ Fraudulent Post email spreads malware ∗∗∗
---------------------------------------------
Fraudulent emails in the name of the Post are currently being sent indiscriminately to numerous recipients. The criminals threaten the victims with a fine because certain costs have allegedly not yet been paid.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-post-mail-verbreitet-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Enter the Vault: Authentication Issues in HashiCorp Vault ∗∗∗
---------------------------------------------
Posted by Felix Wilhelm, Project Zero: In this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integration with Amazon Web Services (AWS) and Google Cloud Platform (GCP).
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-…
∗∗∗ 90 days, 16 bugs, and an Azure Sphere Challenge ∗∗∗
---------------------------------------------
Cisco Talos reports 16 vulnerabilities found in Microsoft Azure Sphere's sponsored research challenge.
---------------------------------------------
https://blog.talosintelligence.com/2020/10/Azure-Sphere-Challenge.html
∗∗∗ Security Bulletin: Security vulnerabilities in OpenSSH and OpenSSL shipped with IBM Security Access Manager Appliance (CVE-2018-15473, CVE-2019-1559) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Node.js (CVE-2019-15606, CVE-2019-15604, CVE-2019-15605) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache commons beanutils 1.9.2 library vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in MySQL. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to a denial of service (CVE-2020-4590) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache Commons vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 05-10-2020 18:00 − Dienstag 06-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker group compromises mobile provider to steal credit cards ∗∗∗
---------------------------------------------
Credit card skimming group Fullz House has compromised and injected the website of US mobile virtual network operator (MVNO) Boom! Mobile with a credit card stealer script.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-group-compromises-mob…
∗∗∗ Ransomware threat surge, Ryuk attacks about 20 orgs per week ∗∗∗
---------------------------------------------
Malware researchers monitoring ransomware threats noticed a sharp increase in these attacks over the past months compared to the first six months of 2020.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-threat-surge-ryuk…
∗∗∗ Obfuscation and Repetition, (Mon, Oct 5th) ∗∗∗
---------------------------------------------
The obfuscated payload of a maldoc submitted by a reader can be quickly extracted with the "strings method" I explained in diary entry "Quickie: String Analysis is Still Useful".
---------------------------------------------
https://isc.sans.edu/diary/rss/26648
∗∗∗ Release the Kraken: Fileless APT attack abuses Windows Error Reporting service ∗∗∗
---------------------------------------------
We discovered a new attack that injected its payload, dubbed "Kraken", into the Windows Error Reporting (WER) service as a defense evasion mechanism.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuse…
∗∗∗ Recognizing fraud on Amazon: Here's how ∗∗∗
---------------------------------------------
You can also come across fraudulent offers on Amazon. The good news first: a fraudulent offer can be quickly exposed by taking a closer look at the profile of the Marketplace seller. If you are asked there to contact the seller by email before placing an order, it is fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-auf-amazon-erkennen-so-gehts/
∗∗∗ 5 steps to secure your connected devices ∗∗∗
---------------------------------------------
As we steadily adopt smart devices into our lives, we shouldn’t forget about keeping them secured and our data protected.
---------------------------------------------
https://www.welivesecurity.com/2020/10/05/5-steps-secure-connected-devices/
=====================
= Vulnerabilities =
=====================
∗∗∗ Smart male chastity lock cock-up ∗∗∗
---------------------------------------------
TL;DR Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-male-chastity-lock-cock…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs – February 2020 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: IBM DataPower Gateway is potentially vulnerable to a Denial of Service (CVE-2020-14147) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-is-…
∗∗∗ Security Bulletin: IBM DataPower Gateway can expose remote credentials to local users (CVE-2020-4528) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-can…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities fixed in IBM WebSphere Liberty as shipped in IBM Security Access Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Cross-Site Scripting (XSS) fixed in IBM Security Access Manager 9.0.7.2 (CVE-2019-4725) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-xss-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM DataPower Gateway may allow a potential DoS when importing malicious ZIP files (CVE-2019-13232) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-may…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Python vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Android Security Bulletin: October 2020 ∗∗∗
---------------------------------------------
https://source.android.com/security/bulletin/2020-10-01
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 02-10-2020 18:00 − Montag 05-10-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ MosaicRegressor: Lurking in the Shadows of UEFI ∗∗∗
---------------------------------------------
We found a compromised UEFI firmware image that contained a malicious implant. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.
---------------------------------------------
https://securelist.com/mosaicregressor/98849/
∗∗∗ Egregor Ransomware Threatens ‘Mass-Media’ Release of Corporate Data ∗∗∗
---------------------------------------------
The newly discovered ransomware is hitting companies worldwide, including the GEFCO global logistics company.
---------------------------------------------
https://threatpost.com/egregor-ransomware-mass-media-corporate-data/159816/
∗∗∗ Scanning for SOHO Routers, (Sat, Oct 3rd) ∗∗∗
---------------------------------------------
In the past 30 days there has been lots of scanning activity looking for small office and home office (SOHO) routers, targeting Netgear.
---------------------------------------------
https://isc.sans.edu/diary/rss/26638
∗∗∗ Raccine tool aims to protect Windows shadow copies from ransomware ∗∗∗
---------------------------------------------
Ransomware encrypts files and deletes data that victims could use for recovery. The free Raccine tool aims to help.
---------------------------------------------
https://heise.de/-4920206
∗∗∗ Attacks Aimed at Disrupting the Trickbot Botnet ∗∗∗
---------------------------------------------
Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.
---------------------------------------------
https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbo…
∗∗∗ Black-T: New Cryptojacking Variant from TeamTnT ∗∗∗
---------------------------------------------
Code within the Black-T malware sample gives evidence of a shift in tactics, techniques and procedures for TeamTnT operations.
---------------------------------------------
https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/
∗∗∗ Shodan Verified Vulns 2020-10-05 ∗∗∗
---------------------------------------------
As announced in our September blog post, we want to provide a monthly overview of Shodan's "Verified Vulnerabilities" in Austria.
---------------------------------------------
https://cert.at/de/aktuelles/2020/10/shodan-verified-vulns-2020-10-05
=====================
= Vulnerabilities =
=====================
∗∗∗ Tenda Router Zero-Days Emerge in Spyware Botnet Campaign ∗∗∗
---------------------------------------------
A variant of the Mirai botnet, called Ttint, has added espionage capabilities to complement its denial-of-service functions.
---------------------------------------------
https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/
∗∗∗ Patch urgently: around a quarter of a million Exchange servers vulnerable ∗∗∗
---------------------------------------------
Criminals are exploiting a vulnerability in Microsoft Exchange to take over servers, even though a patch has been available since February.
---------------------------------------------
https://heise.de/-4920095
∗∗∗ Security Bulletin: IBM Cloud Pak for Integration Operators affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
Operators for IBM Cloud Pak for Integration (CP4I) version 2020.2 are affected by vulnerabilities in Go prior to Go version 1.14.7.
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra…
∗∗∗ Multiple critical vulnerabilities in RocketLinx Series ∗∗∗
---------------------------------------------
https://sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilitie…
∗∗∗ WAGO: XSS vulnerability in Web-UI in WAGO 750-88X and WAGO 750-89X ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-029
∗∗∗ WAGO: Vulnerability in web-based authentication in WAGO 750-8XX Version <= FW07 ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-027
∗∗∗ WAGO: Authentication Bypass Vulnerability in WAGO 750-36X and WAGO 750-8XX Versions <= FW03 ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-028
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily