Daily July 2020

daily@lists.cert.at

1 participants
23 discussions

Tageszusammenfassung - 31.07.2020
by Daily end-of-shift report 31 Jul '20

31 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-07-2020 18:00 − Freitag 31-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Office 365 phishing abuses Google Ads to bypass email filters ∗∗∗ --------------------------------------------- An Office 365 phishing campaign abused Google Ads to bypass secure email gateways (SEGs), redirecting employees of targeted organizations to phishing landing pages and stealing their Microsoft credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/office-365-phishing-abuses-g… ∗∗∗ One Byte to rule them all ∗∗∗ --------------------------------------------- Posted by Brandon Azad, Project Zero. For the last several years, nearly all iOS kernel exploits have followed the same high-level flow: memory corruption and fake Mach ports are used to gain access to the kernel task port, which provides an ideal kernel read/write primitive to userspace. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/one-byte-to-rule-them-all.ht… ∗∗∗ WastedLocker: technical analysis ∗∗∗ --------------------------------------------- According to currently available information, in the attack on Garmin a targeted build of the Trojan WastedLocker was used. We have performed technical analysis of the Trojan sample. --------------------------------------------- https://securelist.com/wastedlocker-technical-analysis/97944/ ∗∗∗ Obscured by Clouds: Insights into Office 365 Attacks and How MandiantManaged Defense Investigates ∗∗∗ --------------------------------------------- With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/07/insights-into-office-36… ∗∗∗ Malspam campaign caught using GuLoader after service relaunch ∗∗∗ --------------------------------------------- We discovered a spam campaign distributing GuLoader in the aftermath of the services relaunch. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caug… ∗∗∗ New infection chain of njRAT variant ∗∗∗ --------------------------------------------- Recently, 360 Security Center has detected that a variant of the remote access tool njRAT is active. --------------------------------------------- https://blog.360totalsecurity.com/en/new-infection-chain-of-njrat-variant/ ∗∗∗ Umfragen von appdoctor.me führen zu Geldwäsche in Ihrem Namen! ∗∗∗ --------------------------------------------- Es klingt so verlockend: Einfach kurz eine App testen und schon hat man 35 Euro verdient. Doch leider steckt hinter solchen Umfrageplattformen und Jobangeboten oftmals Betrug. So auch auf der Webseite appdoctor.me, auf der App-TesterInnen gesucht werden. Geld wird Ihnen hier jedoch nicht ausbezahlt. Stattdessen eröffnen die Kriminellen ein Konto in Ihrem Namen, um dort Geldwäsche zu betreiben. --------------------------------------------- https://www.watchlist-internet.at/news/umfragen-von-appdoctorme-fuehren-zu-… ===================== = Vulnerabilities = ===================== ∗∗∗ KDE archive tool flaw let hackers take over Linux accounts ∗∗∗ --------------------------------------------- A vulnerability exists in the default KDE extraction utility called ARK that allows attackers to overwrite files or execute code on victims computers simply by tricking them into downloading an archive and extracting it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kde-archive-tool-flaw-let-ha… ∗∗∗ If you own one of these 45 Netgear devices, replace it: Gear maker wont patch vulnerable gear despite live proof-of-concept code ∗∗∗ --------------------------------------------- Thats one way of speeding up the tech refresh cycle. Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2020/07/30/netgear_aban… ∗∗∗ Ripple20 impact onDistribution Automation products ∗∗∗ --------------------------------------------- On the 16th of June 2020, a series of vulnerabilities affecting a TCP/IP library from Treck Inc. were made public by JSOF Tech in Jerusalem, Israel. The products listed in this document have integrated this library and thus are affected by the vulnerabilities listed in this document. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA000473&Language… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg). --------------------------------------------- https://lwn.net/Articles/827572/ ∗∗∗ Forscher legt zwei Zero-Day-Lücken im Tor-Netzwerk und -Browser offen ∗∗∗ --------------------------------------------- Internet Service Provider können unter Umständen alle Verbindungen zum Tor-Netzwerk blockieren. Der Forscher wirft dem Tor Project vor, die von ihm gemeldeten Schwachstellen nicht zu beseitigen. Er kündigt zudem die Offenlegung weiterer Bugs an. --------------------------------------------- https://www.zdnet.de/88381926/forscher-legt-zwei-zero-day-luecken-im-tor-ne… ∗∗∗ iTunes 12.10.8 for Windows ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211293 ∗∗∗ Security Bulletin: IBM i2 Analysts' Notebook Memory vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Apache CXF, which is shipped with IBM Tivoli Network Manager (CVE-2020-1954). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2020
by Daily end-of-shift report 30 Jul '20

30 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-07-2020 18:00 − Donnerstag 30-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TrickBots new Linux malware covertly infects Windows devices ∗∗∗ --------------------------------------------- TrickBots Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbots-new-linux-malware-… ∗∗∗ Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 ∗∗∗ --------------------------------------------- Posted by Maddie Stone, Project Zero. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-re… ∗∗∗ Security controls for ICS/SCADA environments ∗∗∗ --------------------------------------------- Supervisory control and data acquisition systems (SCADA) are a subset of ICS. These systems are unique in comparison to traditional IT systems. This makes using standard security controls written with traditional systems in mind somewhat tricky. --------------------------------------------- https://resources.infosecinstitute.com/security-controls-for-ics-scada-envi… ∗∗∗ ESET Threat Report Q2 2020 ∗∗∗ --------------------------------------------- A view of the Q2 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts. --------------------------------------------- https://www.welivesecurity.com/2020/07/29/eset-threat-report-q22020/ ∗∗∗ Researchers exploit HTTP/2, WPA3 protocols to stage highly efficient ‘timeless timing’ attacks ∗∗∗ --------------------------------------------- Presented at this year’s Usenix conference, the technique, named ‘Timeless Timing Attacks’, exploits the way network protocols handle concurrent requests to solve one of the endemic challenges of remote timing side-channel attacks. --------------------------------------------- https://portswigger.net/daily-swig/researchers-exploit-http-2-wpa3-protocol… ∗∗∗ Effective Threat Intelligence Through Vulnerability Analysis ∗∗∗ --------------------------------------------- The vulnerability ecosystem has matured considerably in the last few years. A significant amount of effort has been invested to capture, curate, taxonomize and communicate the vulnerabilities in terms of severity, impact and complexity of the associated exploit or attack. --------------------------------------------- https://www.tripwire.com/state-of-security/vulnerability-management/effecti… ===================== = Vulnerabilities = ===================== ∗∗∗ Grub 2: Boothole ermöglicht Umgehung von Secure Boot ∗∗∗ --------------------------------------------- Der Fehler in dem Bootloader Grub ermöglicht damit ein dauerhaftes Bootkit. Ein komplettes Update wird aber schwierig und dauert. (grub, Linux) --------------------------------------------- https://www.golem.de/news/grub-2-boothole-ermoeglicht-umgehung-von-secure-b… ∗∗∗ CVE-2020–9934: Bypassing TCC for Unauthorized Access ∗∗∗ --------------------------------------------- In this guest blog post, security researcher Matt Shockley describes a lovely security vulnerability he uncovered in macOS. --------------------------------------------- https://objective-see.com/blog/blog_0x4C.html ∗∗∗ Sicherheitsupdates: Gefährliche Lücken in Cisco SD-WAN und Data Center ∗∗∗ --------------------------------------------- Angreifer könnten durch Schwachstellen in Cisco-Software ganze Netzwerke übernehmen. --------------------------------------------- https://heise.de/-4858759 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (October 2019) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities in OpenSSL affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information exposure in HTML comments vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (Apr 2020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020, Apr 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in Open Source logback used in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-open-sou… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 68.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-35/ ∗∗∗ Dell OpenManage Server Administrator: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0770 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0768 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2020
by Daily end-of-shift report 29 Jul '20

29 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-07-2020 18:00 − Mittwoch 29-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ VermieterInnen aufgepasst: Besonders in der Urlaubszeit wollen BetrügerInnen an Ihr Geld! ∗∗∗ --------------------------------------------- Betrug im Internet zielt manchmal auf ganz bestimmte Personengruppen ab. Gerade jetzt in der Urlaubszeit sind auch Zimmer- oder Ferienwohnung-VermieterInnen sowie Hoteliers im Visier von BetrügerInnen. Die Kriminellen geben sich dabei als interessierte Gäste aus und versuchen durch Scheckbetrug an das Geld der VermieterInnen zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/vermieterinnen-aufgepasst-besonders-… ∗∗∗ Betrüger-Mails: Emotet klaut Dateianhänge für mehr Authentizität ∗∗∗ --------------------------------------------- Aufgepasst: Emotet hat dazu gelernt und versteckt sich nun in noch glaubhafteren Mails. --------------------------------------------- https://heise.de/-4857724 ∗∗∗ Netwalker malware: What it is, how it works and how to prevent it | Malware spotlight ∗∗∗ --------------------------------------------- Netwalker is a data encryption malware that represents an evolution of the well-known Kokoklock ransomware and has been active since September 2019. This article will detail the specific technical features of the Netwalker ransomware. --------------------------------------------- https://resources.infosecinstitute.com/netwalker-malware-what-it-is-how-it-… ∗∗∗ MMS Exploit Part 3: Constructing the Memory Corruption Primitives ∗∗∗ --------------------------------------------- Posted by Mateusz Jurczyk, Project Zero. This post is the third of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-3-construct… ===================== = Vulnerabilities = ===================== ∗∗∗ Magento gets security updates for severe code execution bugs ∗∗∗ --------------------------------------------- Adobe today released security updates to fix two code execution vulnerabilities affecting Magento Commerce and Magento Open Source, rated as important and critical severity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-gets-security-update… ∗∗∗ Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin ∗∗∗ --------------------------------------------- On June 19th, our Threat Intelligence team discovered a vulnerability present in Comments – wpDiscuz, a WordPress plugin installed on over 80,000 sites. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. --------------------------------------------- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulne… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, firefox-esr, luajit, and salt), Fedora (clamav, java-1.8.0-openjdk, and java-11-openjdk), Gentoo (claws-mail, dropbear, ffmpeg, libetpan, mujs, mutt, and rsync), openSUSE (qemu), Red Hat (openstack-tripleo-heat-templates), SUSE (freerdp, ldb, rubygem-puma, samba, and webkit2gtk3), and Ubuntu (mysql-5.7, mysql-8.0 and sympa). --------------------------------------------- https://lwn.net/Articles/827376/ ∗∗∗ Security Bulletin: Legacy Components of IBM Netcool Configuration Manager have been updated. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-legacy-components-of-ibm-… ∗∗∗ Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2020-1954) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-… ∗∗∗ Security Bulletin: IBM Planning Analytics has addressed multiple Security Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Information Disclosure (CVE-2020-4463) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Security Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ IBM Informix: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0764 ∗∗∗ Stored Cross-Site Scripting (XSS) Vulnerability in Namirial SIGNificant SignAnyWhere ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/stored-cross-site-scripting-xs… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2020
by Daily end-of-shift report 28 Jul '20

28 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Montag 27-07-2020 18:00 − Dienstag 28-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ QSnatch Data-Stealing Malware Infected Over 62,000 QNAP NAS Devices ∗∗∗ --------------------------------------------- Called QSnatch (or Derek), the data-stealing malware is said to have compromised 62,000 devices since reports emerged last October, with a high degree of infection in Western Europe and North America. ... "All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes," the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) said in the alert. --------------------------------------------- https://thehackernews.com/2020/07/qnap-nas-malware-attack.html ∗∗∗ Team Pangu demonstrated an unpatchable SEP vulnerability in iOS ∗∗∗ --------------------------------------------- Xu Hao a member of Team Pangu says they have found an “unpatchable” vulnerability on the Secure Enclave Processor (SEP) chip in iPhones. Hao presented his talk – Attack Secure Boot of SEP – on 24th July at MOSEC 2020 in Shanghai, China. --------------------------------------------- https://androidrookies.com/team-pangu-demonstrates-unpatchable-secure-encla… ∗∗∗ IT-Sicherheit: Public Cloud kann zum Einfallstor in Unternehmen werden ∗∗∗ --------------------------------------------- Schlecht gepflegte Workloads und Authentifizierungsschwächen in Cloud-Umgebungen untergraben die Sicherheit – von beidem gibt es reichlich, meint eine Studie. --------------------------------------------- https://heise.de/-4856561 ∗∗∗ Vorsicht: 500 Euro Amazon-Geschenkkarte führt in Abo-Falle ∗∗∗ --------------------------------------------- Freuen Sie sich nicht zu früh, wenn Sie eine 500 Euro Amazon-Geschenkkarte in Ihrem E-Mail-Posteingang finden. Sie werden in eine Abo-Falle gelockt, denn dieses E-Mail stammt nicht von Amazon! Klicken Sie nicht auf den Link und verschieben Sie das E-Mail in den Spam-Ordner. Haben Sie auf den Link geklickt und Kreditkartendaten angeführt, wird Ihnen Monat für Monat ein Betrag zwischen 50 und 90 Euro abgebucht! Lesen Sie hier, wie Sie dieses betrügerische Abo kündigen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-500-euro-amazon-geschenkkar… ===================== = Vulnerabilities = ===================== ∗∗∗ Reverse String WooCommerce WordPress Credit Card Swiper ∗∗∗ --------------------------------------------- As 2020 continues to be the worst year in almost anybody’s lifetime, allow me to take this opportunity to stoke the fires of your existential dread even further. As a sequel to my last blog post earlier this year about the credit card swiper that I found on a WordPress ecommerce website using WooCommerce, today I found another very noteworthy infection of the same variety. --------------------------------------------- https://blog.sucuri.net/2020/07/reverse-string-woocommerce-wordpress-credit… ∗∗∗ TYPO3-CORE-SA-2020-008: Sensitive Information Disclosure ∗∗∗ --------------------------------------------- It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains .. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2020-008 ∗∗∗ TYPO3-CORE-SA-2020-007: Potential Privilege Escalation ∗∗∗ --------------------------------------------- In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php which again contains the encryptionKey as well as credentials of the database management system being used. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2020-007 ∗∗∗ TYPO3-PSA-2020-001: Critical vulnerability in legacy versions of TYPO3 CMS ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to sensitive information disclosure in previous TYPO3 versions which are not maintained by the community anymore. --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2020-001 ∗∗∗ TYPO3-EXT-SA-2020-014: Sensitive Information Disclosure in extension "Media Content Element" (mediace) ∗∗∗ --------------------------------------------- It has been discovered that the extension "Media Content Element" (mediace) is susceptible to Sensitive Information Disclosure. --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2020-014 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (cacti, cacti-spine, go1.13, SUSE Manager Client Tools, and tomcat), Red Hat (postgresql-jdbc and python-pillow), Slackware (mozilla), SUSE (python-Django and python-Pillow), and Ubuntu (clamav, librsvg, libslirp, linux-gke-5.0, linux-oem-osp1, linux-hwe, linux-azure-5.3, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-oracle-5.3, and sqlite3). --------------------------------------------- https://lwn.net/Articles/827232/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 78.1 ∗∗∗ --------------------------------------------- In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-33/ ∗∗∗ Security Vulnerabilities fixed in Firefox 79 ∗∗∗ --------------------------------------------- Severity: high - CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker - CVE-2020-6514: WebRTC data channel leaks internal address to peer - CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy - CVE-2020-15659: Memory safety bugs fixed in Firefox 79 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-30/ ∗∗∗ JSA11041 - 2020-07 Security Bulletin: Junos OS: MX Series: PFE crash on MPC7/8/9 upon receipt of large packets requiring fragmentation (CVE-2020-1655) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11041&actp=RSS ∗∗∗ JSA11036 - 2020-07 Security Bulletin:Junos OS: MX Series: PFE crash on MPC7/8/9 upon receipt of small fragments requiring reassembly (CVE-2020-1649) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11036&actp=RSS ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service vulnerability (CVE-2020-4466) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Pentest results for IBM Netcool Operations Insight found a security vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-pentest-results-for-ibm-n… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: XML parsing vulnerability in Apache Santuario might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2019-12400 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xml-parsing-vulnerability… ∗∗∗ Security Bulletin: Security Bulletin: A Vulnerability in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-a-vulne… ∗∗∗ Security Bulletin: SB0003782 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sb0003782/ ∗∗∗ Security Bulletin: Novalink is impacted by Swagger vulnerability affects WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-s… ∗∗∗ Security Bulletin: IBM Ingelligent Operations Center is Vulnerable to Stored Cross-Site Scripting (CVE-2020-4318) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-ingelligent-operation… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by multiple libxml2 vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2020
by Daily end-of-shift report 27 Jul '20

27 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-07-2020 18:00 − Montag 27-07-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ No More Ransom turns 4: Saves $632 million in ransomware payments ∗∗∗ --------------------------------------------- The No More Ransom Project celebrates its fourth anniversary today after helping over 4.2 million visitors recover from a ransomware infection and saving an estimated $632 million in ransom payments. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/no-more-ransom-turns-4-saves… ∗∗∗ ProLock ransomware – new report reveals the evolution of a threat ∗∗∗ --------------------------------------------- Ransomware crooks keep adjusting their approach to make their demands more compelling, even against companies that say theyd never pay up. --------------------------------------------- https://nakedsecurity.sophos.com/2020/07/27/prolock-ransomware-new-report-r… ∗∗∗ Cracking Maldoc VBA Project Passwords, (Sun, Jul 26th) ∗∗∗ --------------------------------------------- In diary entry "VBA Project Passwords" I explained that VBA project passwords in malicious documents don't hinder analysis: you can just extract the macros without knowing the password. It's only when you would perform a dynamic analysis with the step-by-step debugger of the VBA IDE, that the password would prevent you from doing this. But there are simple methods to remove the password, and then you can go ahead with your debugging. --------------------------------------------- https://isc.sans.edu/diary/rss/26390 ∗∗∗ Analyzing Metasploit ASP .NET Payloads, (Mon, Jul 27th) ∗∗∗ --------------------------------------------- I recently helped a friend with the analysis of a Metasploit ASP .NET payload. --------------------------------------------- https://isc.sans.edu/diary/rss/26392 ∗∗∗ Ensiko: A Webshell With Ransomware Capabilities ∗∗∗ --------------------------------------------- Ensiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshe… ∗∗∗ Jetzt patchen! Angreifer attackieren BIG-IP Appliances von F5 ∗∗∗ --------------------------------------------- Derzeit haben Angreifer eine kritische Sicherheitslücke in verschiedenen BIG-IP Appliances im Visier. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-4852900 ∗∗∗ Evolution of Valak, from Its Beginnings to Mass Distribution ∗∗∗ --------------------------------------------- Valak is an information stealer and malware loader that has become increasingly common in our threat landscape and is being mass distributed by an actor known as Shathak/TA551.The post Evolution of Valak, from Its Beginnings to Mass Distribution appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/valak-evolution/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e2fsprogs, ffmpeg, milkytracker, mupdf, openjdk-11, and qemu), Fedora (bashtop), Gentoo (ant, arpwatch, awstats, cacti, chromium, curl, dbus, djvu, filezilla, firefox, freexl, fuseiso, fwupd, glib-networking, haml, hylafaxplus, icinga, jhead, lha, libexif, libreswan, netqmail, nss, ntfs3g, ntp, ocaml, okular, ossec-hids, qtgui, qtnetwork, re2c, reportlab, samba, sarg, sqlite, thunderbird, transmission, tre, twisted, webkit-gtk, wireshark, and xen), --------------------------------------------- https://lwn.net/Articles/827153/ ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2020-4498) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2018-20852) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2018-18066) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a buffer overflow vulnerability (CVE-2015-2716) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2019-13232) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM MQ Appliance (CVE-2020-4025 and CVE-2020-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in BigFix Platform shipped with IBM License Metric Tool. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerability has been identified in BigFix Platform shipped with IBM License Metric Tool. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Udaya testing on production 12345 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-udaya-testing-on-producti… ∗∗∗ Security Bulletin: Dev team testing on production 123 456 789 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dev-team-testing-on-produ… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2020
by Daily end-of-shift report 24 Jul '20

24 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-07-2020 18:00 − Freitag 24-07-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 5 severe D-Link router vulnerabilities disclosed, patch now ∗∗∗ --------------------------------------------- 5 severe D-Link vulnerabilities have been disclosed that could allow an attacker to take complete control over a router without needing to login. --------------------------------------------- https://www.bleepingcomputer.com/news/security/5-severe-d-link-router-vulne… ∗∗∗ Sicherheitslücke: Wenn das Youtube-Tutorial die Cloud-Zugangsdaten leakt ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Hunderte Youtube-Tutorials ausgewertet und immer wieder Zugangsdaten entdeckt - mit diesen konnten sie sich auf AWS einloggen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-wenn-das-youtube-tutorial-die-c… ∗∗∗ MMS Exploit Part 2: Effective Fuzzing of the Qmage Codec ∗∗∗ --------------------------------------------- This post is the second of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-2-effective… ∗∗∗ Compromized Desktop Applications by Web Technologies, (Fri, Jul 24th) ∗∗∗ --------------------------------------------- For a long time now, it has been said that "the new operating system is the browser". Today, we do everything in our browsers, we connect to the office, we process emails, documents, we chat, we perform our system maintenances, ... But many popular web applications provide also desktop client: Twitter, Facebook, Slack are good examples. Such applications just replace the classic browser and use the API [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26384 ∗∗∗ Garmin Connect: Ausfall offenbar nach Ransomware-Attacke ∗∗∗ --------------------------------------------- Eine Ransomware-Attacke hat Server von Garmin lahmgelegt. Fitnesstracker und Sportuhren lassen sich nicht synchronisieren. Der Ausfall dauert wohl mehrere Tage. --------------------------------------------- https://heise.de/-4851576 ∗∗∗ New variant of Phobos ransomware is coming ∗∗∗ --------------------------------------------- In recent years, the spread of ransomware has become increasingly severe, thousands of servers and databases around the world have been invaded and destroyed. --------------------------------------------- https://blog.360totalsecurity.com/en/new-variant-of-phobos-ransomware-is-co… ∗∗∗ „Letzte Mahnung“: Ignorieren Sie diese betrügerische BAWAG-Mail! ∗∗∗ --------------------------------------------- BetrügerInnen senden derzeit vermehrt E-Mails im Namen der Bank „BAWAG P.S.K.“. Darin werden Sie aufgefordert einen neuen Dienst zu aktivieren, indem Sie Ihre Bankdaten auf einer gefälschten BAWAG-Seite eingeben sollen. Achtung, diese Daten landen direkt in den Händen der Kriminelle! --------------------------------------------- https://www.watchlist-internet.at/news/letzte-mahnung-ignorieren-sie-diese-… ===================== = Vulnerabilities = ===================== ∗∗∗ Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027 ∗∗∗ --------------------------------------------- Project: Easy BreadcrumbVersion: 8.x-1.128.x-1.10Date: 2020-July-22Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross site scriptingDescription: This module enables you to use the current URL (path alias) and the current pages title to automatically extract the breadcrumbs segments and its respective links then show them as breadcrumbs on your website.The module doesnt sufficiently sanitize editor input in certain --------------------------------------------- https://www.drupal.org/sa-contrib-2020-027 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Fedora (java-11-openjdk, mod_authnz_pam, podofo, and python27), openSUSE (cni-plugins, tomcat, and xmlgraphics-batik), Oracle (dbus and thunderbird), SUSE (freerdp, kernel, libraw, perl-YAML-LibYAML, and samba), and Ubuntu (libvncserver and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/826965/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software clients. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Verify Gateway does not sufficiently guard against unauthorized API calls (PSIRT-ADV0022379) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n… ∗∗∗ Security Bulletin: IBM QRadar Advisor with Watson App for IBM QRadar SIEM does not adequately mask all passwords during input (CVE-2020-4408) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ Security Bulletin: IBM Verify Gateway PAM components do not set restricted access permission for debug logs (CVE-2020-4405) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-pam-co… ∗∗∗ Privilege Escalation Vulnerability in SteelCentral Aternity Agent ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/privilege-escalation-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2020
by Daily end-of-shift report 23 Jul '20

23 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-07-2020 18:00 − Donnerstag 23-07-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Popular Chinese-Made Drone Is Found To Have Security Weakness ∗∗∗ --------------------------------------------- Cybersecurity researchers revealed on Thursday a newfound vulnerability in an app that controls the worlds most popular consumer drones, threatening to intensify the growing tensions between China and the United States. From a report: In two reports, the researchers contended that an app on Googles Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited .. --------------------------------------------- https://it.slashdot.org/story/20/07/23/1437214/ ∗∗∗ Skimmers in Images & GitHub Repos ∗∗∗ --------------------------------------------- MalwareBytes recently shared some information about web skimmers that store malicious code inside real .ico files. During a routine investigation, we detected a similar issue. Instead of targeting .ico files, however, attackers chose to inject content into real .png files — both on compromised sites and in booby trapped Magento repos on GitHub. Googletagmanager.png Our security analyst Keith Petkus found this piece of malware injected on a compromised Magento 2.x site. --------------------------------------------- https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html ∗∗∗ Towards native security defenses for the web ecosystem ∗∗∗ --------------------------------------------- With the recent launch of Chrome 83, and the upcoming release of Mozilla Firefox 79, web developers are gaining powerful new security mechanisms to protect their applications from common web vulnerabilities. In this post we share how our Information Security Engineering team is deploying Trusted Types, Content Security Policy, Fetch Metadata Request Headers and the Cross-Origin Opener Policy across Google to help guide and inspire other developers to similarly adopt these features to protect their applications. --------------------------------------------- https://security.googleblog.com/2020/07/towards-native-security-defenses-fo… ∗∗∗ Forensoftware vBulletin: Schlecht programmiertes Testskript als mögliche Gefahr ∗∗∗ --------------------------------------------- Wer das Skript vb_test.php zum Test von vBulletin-Installationsvoraussetzungen nutzt, sollte es danach wegen gefährlicher Lücken sofort vom Server löschen. --------------------------------------------- https://heise.de/-4851012 ===================== = Vulnerabilities = ===================== ∗∗∗ ASUS Router Vulnerable to Fake Updates and XSS ∗∗∗ --------------------------------------------- Recently ASUS patched two issues I discovered in the RT-AC1900P router firmware update functionality. These vulnerabilities could allow for complete compromise of the router and all traffic that traverses it. Finding 1: Update Accepts Forged Server Certificates (CVE-2020-15498) Finding 2: XSS in Release Notes Dialog Window (CVE-2020-15499) --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/asus-router… ∗∗∗ Drupal: Modal Form - Critical - Access bypass - SA-CONTRIB-2020-029 ∗∗∗ --------------------------------------------- Project: Modal Form Version: 8.x-1.x-dev Date: 2020-July-22 Security risk: Critical 16∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Access bypass Description: The Modal form module is a toolset for quick start of using forms in modal windows.Any form is available for view and submit when the modal_form module is installed. The only requirement is to know the forms fully-qualified class name. Solution: Upgrade to modal_form-8.x-1.2. --------------------------------------------- https://www.drupal.org/sa-contrib-2020-029 ∗∗∗ Sicherheitsupdate: Netzwerk-Schützer von Cisco sind löchrig ∗∗∗ --------------------------------------------- Admins, die Netzwerke mit Hard- und Software von Cisco schützen, sollten aus Sicherheitsgründen die aktuellen Versionen von Adaptive Security Appliance (ASA) und Firepower Threat Defense (FTD) installieren. ... Ein entfernter und unangemeldeter Angreifer könnte mittels präparierter HTTP-Anfragen auf das Web-Services-Dateisystem von anvisierten Geräten zugreifen (Directory-Traversal-Attacke). Dieses Dateisystem ist aber nur verfügbar, wenn Any-Connect- oder WebVPN-Features aktiviert sind. Davon sind alle Geräte mit verwundbaren ASA- und FTD-Versionen betroffen. (CVE-2020-3452) --------------------------------------------- https://heise.de/-4850949 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler and tomcat8), Fedora (cacti, cacti-spine, java-1.8.0-openjdk, mbedtls, mingw-python3, singularity, and xen), openSUSE (firefox, redis, and singularity), Red Hat (samba), SUSE (java-11-openjdk, qemu, and vino), and Ubuntu (ffmpeg and pillow). --------------------------------------------- https://lwn.net/Articles/826841/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Z Development and Test Environment – April 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Novalink is impacted by Denial of service vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-d… ∗∗∗ Security Bulletin: Websphere Application Server Liberty vulnerabilities used by IBM Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Java vulnerability CVE-2019-2949 affecting IBM Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerability-cve-20… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Network Deployment security vulnerabilities in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability exists in Watson Explorer (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-exists-in-w… ∗∗∗ Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2020-1967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-wat… ∗∗∗ Security Bulletin: WebSphere security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-security-vulner… ∗∗∗ Security Bulletin: Java vulnerabilities affecting IBM Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerabilities-affe… ∗∗∗ Security Bulletin: Cross Site Scripting security vulnerabilities in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-secu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2020
by Daily end-of-shift report 22 Jul '20

22 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-07-2020 18:00 − Mittwoch 22-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cybercrime: Der Kampf um die Router ∗∗∗ --------------------------------------------- Router sind für Cyber-Kriminelle eine wichtige Ressource. Das rechtfertigt auch außergewöhnliche Maßnahmen. --------------------------------------------- https://heise.de/-4848764 ∗∗∗ Arbeiterkammer warnt: Bewertungen können zur Falle werden! ∗∗∗ --------------------------------------------- Gesucht: italienische Pizzeria. Gefunden: Pizzeria mit top Bewertungen! Vorsicht! Auch bei Online-Bewertungen gibt es Betrug. So kaufen Unternehmen Fake-Bewertungen, die die Unternehmen besser dastehen lassen sollen als sie sind. Gleichzeitig müssen auch Sie bei Bewertungen darauf achten, was Sie schreiben. Ansonsten könnte eine Klage drohen. Arbeiterkammer (AK) und Internet Ombudsmann haben rechtliche Fragen bei Bewertungsplattformen unter die Lupe genommen. --------------------------------------------- https://www.watchlist-internet.at/news/arbeiterkammer-warnt-bewertungen-koe… ∗∗∗ Phishing-Kampagne nutzt Googles Cloud-Dienste zum Diebstahl von Office-365-Anmeldedaten ∗∗∗ --------------------------------------------- Die Hacker hosten auf Google Drive eine speziell gestaltete PDF-Datei. Die Google Cloud stellt für den Angriff auch eine Phishing-Website bereit. Ähnliche Attacken missbrauchen auch Cloud-Dienste anderer Anbieter wie Microsoft Azur. --------------------------------------------- https://www.zdnet.de/88381697/phishing-kampagne-nutzt-googles-cloud-dienste… ∗∗∗ Emotet botnet is now heavily spreading QakBot malware ∗∗∗ --------------------------------------------- Researchers tracking Emotet botnet noticed that the malware started to push QakBot banking trojan at an unusually high rate, replacing the longtime TrickBot payload. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-botnet-is-now-heavily… ∗∗∗ Format String Vulnerabilities ∗∗∗ --------------------------------------------- C++ and strings The C++ programming language has a couple of different variable types designed to manage text data. These include C strings, which are defined as arrays of characters, and the C++ string data type. These types of variables can be used for a variety of different purposes. The most visible is printing messages [...] --------------------------------------------- https://resources.infosecinstitute.com/format-string-vulnerabilities/ ∗∗∗ Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- What is a command injection vulnerability? Many applications are not designed to be wholly self-contained. They often access external systems as well, including databases, application programming interfaces (APIs) and others. Some applications are designed to run commands within the terminal of the system that they are running on. For example, a program may wish to [...] --------------------------------------------- https://resources.infosecinstitute.com/command-injection-vulnerabilities/ ∗∗∗ How to configure Internet Options for Local Group Policy ∗∗∗ --------------------------------------------- Does this sound familiar? “Welcome to Monopoly!” “All right, now we’re going to go with auctions if you don’t buy.” “Why? That’s so annoying!” “Because if we don’t, it takes forever.” “All right, fine, but I want money if I land on Free Parking.” “Fine, if that’s what it takes. But I want ‘even [...] --------------------------------------------- https://resources.infosecinstitute.com/how-to-configure-internet-options-fo… ∗∗∗ MATA: Multi-platform targeted malware framework ∗∗∗ --------------------------------------------- The MATA malware framework possesses several components, such as loader, orchestrator and plugins. The framework is able to target Windows, Linux and macOS operating systems. --------------------------------------------- https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ ∗∗∗ A few IoCs related to CVE-2020-5092, (Wed, Jul 22nd) ∗∗∗ --------------------------------------------- I know I am a bit late to the game, but a couple of weeks ago I responded to an incident resulting from an F5 compromise related to CVE-2020-5092. As I responded I captured a number if indicators of compromise. While I have not had a lot of time to dig into them, hopefully they will be of use to somebody. --------------------------------------------- https://isc.sans.edu/diary/rss/26378 ∗∗∗ Malicious Magento User Creator ∗∗∗ --------------------------------------------- We recently found a simple malicious script leveraging Magento’s internal functions to create a new admin user with the admin role “Inchoo” ⁠— probably referring to a Croatian Magento consulting company. The script is simple but very effective and can easily be overlooked as another Magento file without closer inspection. It’s based on a sample that has been circulating the Internet since 2012 and provides a boilerplate for attackers to easily specify user [...] --------------------------------------------- https://blog.sucuri.net/2020/07/malicious-magento-user-creator.html ===================== = Vulnerabilities = ===================== ∗∗∗ Shadow Attacks: Forscher hebeln PDF-Signaturprüfung erneut aus ∗∗∗ --------------------------------------------- 2019 umgingen Forscher von der Ruhr-Universität Bochum die Signatur-Überprüfung von PDF-Software. Nun entwickelten sie erfolgreich drei neue Angriffe. --------------------------------------------- https://heise.de/-4849183 ∗∗∗ Jetzt updaten: Exploit-Code für Patchday-Lücke in SharePoint Server verfügbar ∗∗∗ --------------------------------------------- Gegen eine kritische Lücke in SharePoint Server, Visual Studio und dem .NET Framework gibt es seit dem MS-Patchday Updates. Die Gefahr eines Angriffs steigt. --------------------------------------------- https://heise.de/-4849584 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (librsvg and squid), Fedora (mailman, mingw-LibRaw, php-horde-kronolith, and targetcli), openSUSE (openconnect), Red Hat (cloud-init, container-tools:rhel8, dbus, java-1.8.0-openjdk, java-11-openjdk, jbig2dec, kernel, kpatch-patch, mod_auth_openidc:2.3, nodejs:10, openstack-keystone, rh-nodejs10-nodejs, sane-backends, thunderbird, and virt:rhel), SUSE (webkit2gtk3 and xrdp), and Ubuntu (evolution-data-server, linux, linux-aws, linux-aws-hwe, [...] --------------------------------------------- https://lwn.net/Articles/826713/ ∗∗∗ Raining SYSTEM Shells with Citrix Workspace app ∗∗∗ --------------------------------------------- TL;DR Citrix Workspace is vulnerable to a remote command execution attack running under the context of the SYSTEM account. By sending a crafted message over a named pipe and spoofing [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/raining-system-shells-with-ci… ∗∗∗ Security Advisory - fastjson Injection Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200722-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in jackson-databind shipped with IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Verify Gateway does not hide a cryptographic key in one of its binary files (CVE-2020-4385) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Network Deployment security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-network-securit… ∗∗∗ Security Bulletin: SB0003748 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sb0003748/ ∗∗∗ Security Bulletin: SB0003749 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sb0003749/ ∗∗∗ Security Bulletin: WebSphere Application Server security vulnerability in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Verify Gateway does not hide client secrets when debug tracing is active (CVE-2020-4372) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-n… ∗∗∗ Security Bulletin: IBM Verify Gateway PAM components default to cleartext storage of client secret (CVE-2020-4369) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-pam-co… ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0746 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0745 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2020
by Daily end-of-shift report 21 Jul '20

21 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Montag 20-07-2020 18:00 − Dienstag 21-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft will disable insecure TLS in Office 365 on Oct 15 ∗∗∗ --------------------------------------------- Microsoft has set the official retirement date for the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols in Office 365 starting with October 15, 2020, after temporarily halting deprecation enforcement for commercial customers due to COVID-19. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-inse… ∗∗∗ Sextortion Update: The Final Final Chapter, (Mon, Jul 20th) ∗∗∗ --------------------------------------------- Even though the Sextortion emails which began in the July of 2018 are old news, and old hat, I am still tracking the BTC Addresses that were holding the money from the successful transactions. --------------------------------------------- https://isc.sans.edu/diary/rss/26334 ∗∗∗ Couple of interesting Covid-19 related stats, (Tue, Jul 21st) ∗∗∗ --------------------------------------------- It is nothing new that Covid-19 forced many organizations around the world to quickly adopt the "work from home" model, which in turn resulted in an increased number of machines offering remote access services and protocols accessible from the internet. --------------------------------------------- https://isc.sans.edu/diary/rss/26374 ∗∗∗ Understanding the Benefits of the Capability Maturity Model Integration (CMMI) ∗∗∗ --------------------------------------------- “Cybersecurity is the leading corporate governance challenge today, yet 87% of C-suite professionals and board members lack confidence in their company’s cybersecurity capabilities. Many CISOs and CSOs focus on implementing standards and frameworks, but what good is compliance if it does not improve your overall cybersecurity resilience? --------------------------------------------- https://www.tripwire.com/state-of-security/featured/understanding-benefits-… ∗∗∗ Kleinanzeigenbetrug: Das können Opfer tun ∗∗∗ --------------------------------------------- Sie haben auf einer Kleinanzeigenplattform, wie ebay, willhaben und Co ein Produkt an einen Kriminellen verkauft? Sie haben den Betrug zu spät erkannt – das Paket wurde bereits aufgegeben? Mit ein wenig Glück, viele Recherche, Kommunikation und Hartnäckigkeit können Sie das Paket möglicherweise stoppen und wieder zurückbekommen! --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-das-koennen-opfe… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix Workspace app for Windows Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in the automatic update service of Citrix Workspace app for Windows that could result in: A local user escalating their privilege level to that of an administrator on the computer running Citrix Workspace app for Windows. A remote compromise of the computer running Citrix Workspace app when Windows file sharing (SMB) is enabled. --------------------------------------------- https://support.citrix.com/article/CTX277662 ∗∗∗ Notfallpatches: Adobe stopft kritische Lücken in Bridge, Prelude und Photoshop ∗∗∗ --------------------------------------------- Der Softwarehersteller Adobe hat Sicherheitsupdates außer der Reihe für Android- und Windows-Anwendungen veröffentlicht. --------------------------------------------- https://heise.de/-4849092 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ksh), openSUSE (ant, chromium, ldb, samba, and LibVNCServer), Red Hat (dbus, kernel, kernel-rt, and NetworkManager), and SUSE (cni-plugins, firefox, openexr, Salt, salt, SUSE Manager Client Tools, and tomcat). --------------------------------------------- https://lwn.net/Articles/826603/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2019 CPU ( CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WML CE: SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-sqlite-through-3-3… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (July 2020v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: SB003732 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sb003732/ ∗∗∗ Security Bulletin: WML CE: TensorFlow: In SQLite before 3.32.3, select.c mishandles query-flattener optimization ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-tensorflow-in-sqli… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Jackson-databind Affect B2B API of IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht XXE ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0740 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0741 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2020
by Daily end-of-shift report 20 Jul '20

20 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-07-2020 18:00 − Montag 20-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Emotet: Erste Angriffswelle nach fünfmonatiger Pause ∗∗∗ --------------------------------------------- Nach mehrmonatiger Pause haben Forscher eine neue Emotet-Angriffswelle beobachtet. Die Ziele lagen vor allem in den USA sowie im Vereinigten Königreich. --------------------------------------------- https://heise.de/-4847070 ∗∗∗ How to use Windows 10 File History to make secure backups ∗∗∗ --------------------------------------------- With File History feature on Windows, you can back up copies of files that are in the Documents, Music, Pictures, Videos, and Desktop folders. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/how-to-use-windows-10-file-… ∗∗∗ Zone.Identifier: A Coupe Of Observations, (Sat, Jul 18th) ∗∗∗ --------------------------------------------- In diary entry "Sysmon and Alternate Data Streams", we reported that Sysmon records the content of small Alternate Data Streams (containing text) in the event log. This is useful for the Zone.Identifier ADS, a stream that is added by many browsers to mark a file as orginating from the Internet. Modern browsers will include extra information in Zone.Identifier, like the URL: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26366 ∗∗∗ Online-Shop-Software: Zwei-Faktor-Authentifizierung für Magento-Shops verfügbar ∗∗∗ --------------------------------------------- Admins können Online-Shops auf Magento-Basis nun effektiver gegen feindliche Übernahmen absichern. --------------------------------------------- https://heise.de/-4847660 ===================== = Vulnerabilities = ===================== ∗∗∗ Windows 10 Store wsreset tool lets attackers bypass antivirus ∗∗∗ --------------------------------------------- A technique that exploits Windows 10 Microsoft Store called wsreset.exe can delete files to bypass antivirus protection on a host without being detected. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-store-wsreset-too… ∗∗∗ Scanning Activity for ZeroShell Unauthenticated Access, (Sun, Jul 19th) ∗∗∗ --------------------------------------------- In the past 36 hours, an increase in scanning activity to exploit and compromise ZeroShell Linux router began. This router software had several unauthenticated remote code execution released in the past several years, the last one was CVE-2019-12725. The router latest software version can be dowloaded here. --------------------------------------------- https://isc.sans.edu/diary/rss/26368 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libopenmpt, nginx, nss, qemu, rails, redis, ruby-sanitize, and tomcat9), Fedora (glibc, libldb, nspr, nss, samba, and webkit2gtk3), openSUSE (cairo, firefox, google-compute-engine, LibVNCServer, mumble, ntp, openconnect, openexr, openldap2, pdns-recursor, python-ipaddress, rubygem-puma, samba, singularity, slirp4netns, thunderbird, xen, and xrdp), and Oracle (.NET Core, .NET Core 3.1, java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird). --------------------------------------------- https://lwn.net/Articles/826537/ ∗∗∗ 3 Vulnerabilities Found on AvertX IP Cameras ∗∗∗ --------------------------------------------- Security cameras make up 5% of enterprise IoT devices but account for 33% of all security issues. We found three vulnerabilities in AvertX IP cameras. --------------------------------------------- https://unit42.paloaltonetworks.com/avertx-ip-cameras-vulnerabilities/ ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Mgmt ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: WML CE: Pillow before 7.1.0 has multiple out-of-bounds reads ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-pillow-before-7-1-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – Includes Oracle Jan 2020 CPU affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: WML CE: In Pillow before 7.1.0, there is a Buffer Overflow ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-in-pillow-before-7… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: WML CE: libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-libjpeg-turbo-2-0-… ∗∗∗ Security Bulletin: WML CE: SQLite through 3.32.2 has has a use-after-free problem. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-wml-ce-sqlite-through-3-3… ∗∗∗ Security Bulletin: A vulnerability in Jackson Databind affects IBM Operations Analytics Predictive Insights (CVE-2020-8840) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jackso… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Rails ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2020