- Daily - CERT.at

Tageszusammenfassung - 10.12.2020
by Daily end-of-shift report 10 Dec '20

10 Dec '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-12-2020 18:00 − Donnerstag 10-12-2020 18:00 Handler: Stephan Richter Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Qbot malware switched to stealthy new Windows autostart method ∗∗∗ --------------------------------------------- A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shutdown and it automatically removes any traces when the system restarts or wakes up from sleep. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-ste… ∗∗∗ Adobe Flash Player: Jetzt ist endgültig Schluss ∗∗∗ --------------------------------------------- Seit Jahren wird das Ende des Adobe Flash Players verkündet. Im Januar 2021 soll es nun aber tatsächlich so weit sein. --------------------------------------------- https://www.golem.de/news/adobe-flash-player-jetzt-ist-endgueltig-schluss-2… ∗∗∗ Python Backdoor Talking to a C2 Through Ngrok, (Thu, Dec 10th) ∗∗∗ --------------------------------------------- I spotted a malicious Python script that implements a backdoor. The interesting behavior is the use of Ngrok to connect to the C2 server. Ngrok has been used for a while by attackers. Like most services available on the Internet, it has been abused by attackers for a long time. --------------------------------------------- https://isc.sans.edu/diary/rss/26866 ∗∗∗ PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL ∗∗∗ --------------------------------------------- PGMiner is a novel Linux-based cryptocurrency mining botnet that exploits a disputed PostgreSQL remote code execution vulnerability.The post PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-minin… ∗∗∗ Hackers are selling more than 85,000 SQL databases on a dark web portal ∗∗∗ --------------------------------------------- Hackers break into databases, steal their content, hold it for ransom for 9 days, and then sell to the highest bidder if the DB owner doesnt want to pay the ransom demand. --------------------------------------------- https://www.zdnet.com/article/hackers-are-selling-more-than-85000-sql-datab… ∗∗∗ Proof-of-concept exploit code published for new Kerberos Bronze Bit attack ∗∗∗ --------------------------------------------- The Kerberos Bronze Bit attack can allow intruders to bypass authentication and access sensitive network services. --------------------------------------------- https://www.zdnet.com/article/proof-of-concept-exploit-code-published-for-n… ===================== = Vulnerabilities = ===================== ∗∗∗ Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites ∗∗∗ --------------------------------------------- On November 4, 2020, the Wordfence Threat Intelligence team found two reflected Cross-Site Scripting (XSS) vulnerabilities in PageLayer, a WordPress plugin installed on over 200,000 sites. These vulnerabilities could lead to an attacker executing malicious Javascript in an administrator’s browser, which could lead to takeover of a vulnerable WordPress site. We contacted the plugin’s publisher, ...Read MoreThe post Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress --------------------------------------------- https://www.wordfence.com/blog/2020/12/reflected-xss-in-pagelayer-plugin-af… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ant, cimg, containerd, libproxy, libproxy-mozjs, libproxy-webkit, libslirp, python-lxml, tomcat8, tomcat9, and xorg-server), CentOS (firefox and thunderbird), Debian (apt, linux-4.19, python-apt, and sqlite3), Fedora (ceph, chromium, containerd, matrix-synapse, mingw-openjpeg2, openjpeg2, python-authlib, python-canonicaljson, and spice-gtk), Mageia (chromium-browser-stable), openSUSE (chromium and pngcheck), Slackware (curl), SUSE (clamav, curl, --------------------------------------------- https://lwn.net/Articles/839668/ ∗∗∗ Serious Vulnerabilities in Dualog Connection Suite ∗∗∗ --------------------------------------------- TL;DR The flaws found in this maritime comms and connection suite were many, and not insignificant: Directory traversal 2FA challenge/response is performed in a client-side application Default install password SQL […]The post Serious Vulnerabilities in Dualog Connection Suite first appeared on Pen Test Partners. --------------------------------------------- https://www.pentestpartners.com/security-blog/serious-vulnerabilities-in-du… ∗∗∗ Medtronic MyCareLink ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Authentication, Heap-based Buffer Overflow, and Time-of-check Time-of-use Race Condition vulnerabilities in the Medtronic MyCareLink Patient Reader. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Check or Handling of Exceptional Conditions vulnerability in Mitsubishi Electrics MELSEC iQ-F series FX5U(C) CPU modules. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-345-01 ∗∗∗ Host Engineering H2-ECOM100 Module ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in the Host Engineering ECOM100 Module, an Ethernet communications module for PLC systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-345-02 ∗∗∗ Gafgyt Using Pulse Secure Vulnerability ∗∗∗ --------------------------------------------- SummaryA vulnerability in Pulse Secures Connect VPN framework is allowing for exploitation by Gafgyt. Avira details how this exploit works in a new blog.Threat TypeMalware, VulnerabilityOverviewAvira Labs has observed an increase in IoT malware binaries. These binaries have the capability to exploit CVE-2020-8218. This increase led to the discovery of a new variant of Gafgyt. Its functionality is mostly the same as the original Gafgyt with some inclusion of functionality from other malware --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/02145e80d8a7b87b486015b3588… ∗∗∗ Cisco Jabber Desktop and Mobile Client Software Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise V11 ( CVE-2020-8244) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect (CVE-2019-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Codec ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerability in Hibernate Validator affects Liberty for Java for IBM Cloud (CVE-2020-10693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernat… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: JRE vulnerability (CVEID: 178768) impacts IBM Aspera High-Speed Transfer Server/IBM Aspera High-Speed Transfer Endpoint version 3.9.6.2 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jre-vulnerability-cveid-1… ∗∗∗ Security Bulletin: Vulnerability in ksu affects AIX (CVE-2020-4829) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksu-affe… ∗∗∗ Symantec Messaging Gateway: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-1222 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2020
by Daily end-of-shift report 09 Dec '20

09 Dec '20

===================== = End-of-Day report = ===================== Timeframe: Montag 07-12-2020 18:00 − Mittwoch 09-12-2020 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Credit card stealing malware bundles backdoor for easy reinstall ∗∗∗ --------------------------------------------- An almost impossible to remove malware set to automatically activate on Black Friday was deployed on multiple Magento-powered online stores by threat actors according to researchers at Dutch cyber-security company Sansec. --------------------------------------------- https://www.bleepingcomputer.com/news/security/credit-card-stealing-malware… ∗∗∗ Microsoft fixes new Windows Kerberos security bug in staged rollout ∗∗∗ --------------------------------------------- Microsoft has issued security updates to address a Kerberos security feature bypass vulnerability impacting multiple Windows Server versions in a two-phase staged rollout. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-fixes-new-windows-… ∗∗∗ IT-Security: Hacker klauen Hacking-Werkzeuge von Fireeye ∗∗∗ --------------------------------------------- Das Security-Unternehmen versucht nun, das Schlimmste zu verhindern und gibt Tipps gegen die eigenen Angriffswerkzeuge. --------------------------------------------- https://www.golem.de/news/it-security-hacker-klauen-hacking-werkzeuge-von-f… ∗∗∗ OpenSSL behebt Speicherfehler ∗∗∗ --------------------------------------------- Ein Update beseitigt einen Null-Pointer-Zugriff, der laut Advisory zum Absturz führen kann. --------------------------------------------- https://heise.de/-4985050 ∗∗∗ Threat Assessment: Egregor Ransomware ∗∗∗ --------------------------------------------- Unit 42 shares courses of action that can help mitigate tactics, techniques and procedures used with Egregor ransomware. --------------------------------------------- https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/ ∗∗∗ njRAT Spreading Through Active Pastebin Command and Control Tunnel ∗∗∗ --------------------------------------------- Malware authors have been leveraging njRAT (AKA Bladabindi), a Remote Access trojan), to download and deliver second-stage payloads from Pastebin. --------------------------------------------- https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/ ∗∗∗ Achtung: Kriminelle versenden betrügerische Mails im Namen von FinanzOnline ∗∗∗ --------------------------------------------- Derzeit versenden BetrügerInnen zahlreiche E-Mails im Namen des Finanzamtes. Angeblich würden Sie eine Steuerrückerstattung von 1.850 Euro bekommen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-kriminelle-versenden-betrueg… ===================== = Vulnerabilities = ===================== ∗∗∗ Command Injection: NSA warnt vor VMware-Lücke ∗∗∗ --------------------------------------------- Der US-Geheimdienst NSA sieht russische Akteure hinter Angriffen auf eine Sicherheitslücke in VMware-Produkten. --------------------------------------------- https://www.golem.de/news/command-injection-nsa-warnt-vor-vmware-luecke-201… ∗∗∗ D-Link Routers at Risk for Remote Takeover from Zero-Day Flaws ∗∗∗ --------------------------------------------- Critical vulnerabilities discovered by Digital Defense can allow attackers to gain root access and take over devices running same firmware. --------------------------------------------- https://threatpost.com/d-link-routers-zero-day-flaws/162064/ ∗∗∗ Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams ∗∗∗ --------------------------------------------- A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a targets system. --------------------------------------------- https://thehackernews.com/2020/12/zero-click-wormable-rce-vulnerability.html ∗∗∗ ZDI-20-1400: (0Day) Realtek RTL8811AU Wi-Fi Driver rtwlane Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Realtek RTL8811AU Wi-Fi driver. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-20-1400/ ∗∗∗ ZDI-20-1399: (0Day) Realtek RTL8811AU Wi-Fi Driver rtwlanu Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Realtek RTL8811AU Wi-Fi driver. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-20-1399/ ∗∗∗ Jetzt updaten: Cisco schiebt Update für Security-Manager-Lücke von November nach ∗∗∗ --------------------------------------------- Für eine Sicherheitslücke mit "High"-Einstufung im Security Manager stand noch ein Fix aus. Da Proof-of-Concept-Code online ist, sollten Nutzer jetzt handeln. --------------------------------------------- https://heise.de/-4983238 ∗∗∗ Patchday: Microsoft stopft kritische Lücken in Exchange Server ∗∗∗ --------------------------------------------- Für unter anderem Hyper-V, Office und Windows stehen wichtige Sicherheitsupdates zum Download bereit. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-4984254 ∗∗∗ Kritische Lücke im Python-Framework PyYAML bedroht IBM Spectrum Protect ∗∗∗ --------------------------------------------- IBM hat unter anderem für IBM Db2 und Spectrum Protect wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-4983755 ∗∗∗ Patchday: Adobe schließt kritische Lücken - aber nicht in Flash ∗∗∗ --------------------------------------------- Sicherheitspatches schließen Schadcode-Lücken in Adobe Experience Manager, Lightroom und Prelude. --------------------------------------------- https://heise.de/-4984303 ∗∗∗ Patchday: SAP-Updates versperren Angriffswege über teils kritische Lücken ∗∗∗ --------------------------------------------- Neben einer NetWeaver-Schwachstelle mit dem CVSS-"Highscore" 10 hat SAP zum Patchday noch zahlreiche weitere Sicherheitsprobleme aus seinen Produkten entfernt. --------------------------------------------- https://heise.de/-4984262 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (minidlna, openssl, and trafficserver), Mageia (oniguruma, php-pear, python, python3, and x11vnc), openSUSE (minidlna), Oracle (kernel and net-snmp), Red Hat (kernel, mariadb-galera, microcode_ctl, and net-snmp), Slackware (seamonkey), SUSE (thunderbird and xen), and Ubuntu (xorg-server). --------------------------------------------- https://lwn.net/Articles/839311/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (golang-golang-x-net-dev, python-certbot, and xorg-server), Fedora (resteasy, scap-security-guide, and vips), openSUSE (chromium, python, and rpmlint), SUSE (kernel), and Ubuntu (aptdaemon, curl, gdk-pixbuf, lxml, and openssl, openssl1.0). --------------------------------------------- https://lwn.net/Articles/839481/ ∗∗∗ December 2020 Android Updates Patch 46 Vulnerabilities ∗∗∗ --------------------------------------------- A total of 46 vulnerabilities were addressed this week with the release of the December 2020 security updates for Android. --------------------------------------------- https://www.securityweek.com/december-2020-android-updates-patch-46-vulnera… ∗∗∗ Amnesia:33: TCP/IP-Schwachstellen gefährden Millionen internetfähige Geräte ∗∗∗ --------------------------------------------- Die 33 Anfälligkeiten verteilen sich auf vier Open-Source-Bibliotheken. Hersteller integrieren die Bibliotheken wiederum in die Firmware von Routern, Switches, Druckern und vielen anderen Geräten. Oftmals bieten diese keine Option zur Aktualisierung der Gerätesoftware. --------------------------------------------- https://www.zdnet.de/88390349/amnesia33-tcp-ip-schwachstellen-gefaehrden-mi… ∗∗∗ GE Healthcare Imaging and Ultrasound Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for Unprotected Transport of Credentials, and Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in select GE Healthcare Imaging and Ultrasound products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01 ∗∗∗ ICS-CERT Security Advisories - December 8th, 2020 ∗∗∗ --------------------------------------------- SummaryICS-CERT has released nine security advisories addressing vulnerabilities in ICS-related devices and software. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/7b486a6b0dbeee0d5e268e11454… ∗∗∗ Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory - Information Disclosure Vulnerability in TE Mobile Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201209-… ∗∗∗ Security Advisory - CSV Injection Vulnerability in iManager NetEco Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201209-… ∗∗∗ LibTIFF vulnerability CVE-2018-18557 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70117303 ∗∗∗ Linux kernel vulnerability CVE-2017-10661 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04337834 ∗∗∗ Linux kernel vulnerability CVE-2017-18344 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K07020416 ∗∗∗ NGINX Controller Agent vulnerability CVE-2020-27730 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43530108 ∗∗∗ Linux kernel vulnerability CVE-2018-18397 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K83102920 ∗∗∗ Linux kernel vulnerability CVE-2018-1120 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42202505 ∗∗∗ Citrix Secure Mail for Android Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX286763 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2020
by Daily end-of-shift report 07 Dec '20

07 Dec '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-12-2020 18:00 − Montag 07-12-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Finanzmarktaufsicht und Bundeskriminalamt warnen vor Geldwäsche-Jobs ∗∗∗ --------------------------------------------- Warnung: Professionelle Geldwäscher versuchen Jobsuchende als Finanzagent anzuwerben und zur Geldwäscherei zu missbrauchen. --------------------------------------------- https://www.watchlist-internet.at/news/finanzmarktaufsicht-und-bundeskrimin… ∗∗∗ Sicherheitslücke: Remote Code Execution in Microsoft Teams ∗∗∗ --------------------------------------------- Im Desktop-Client von Microsoft Teams fand sich eine extrem kritische Sicherheitslücke, aber Microsoft hat das Problem heruntergespielt. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-remote-code-execution-in-micros… ∗∗∗ What is Ransomware - 15 Easy Steps To Protect Your System [Updated 2020] ∗∗∗ --------------------------------------------- May 12th 2017 saw the biggest ever cyber attack in Internet history (yes, bigger than the Dyn DDoS). A ransomware named WannaCry stormed through the web, with the damage epicenter being in Europe. WannaCry leveraged a vulnerability in Windows OS, first discovered by the NSA, and then publicly revealed to the world by the Shadow [...] --------------------------------------------- https://heimdalsecurity.com/blog/what-is-ransomware-protection/ ∗∗∗ Obfuscation Techniques in MARIJUANA Shell "Bypass" ∗∗∗ --------------------------------------------- Attackers are always trying to come up with new ways to evade detection from the wide range of security controls available for web applications. This also extends to malware like PHP shells, which are typically left on compromised websites as a backdoor to maintain unauthorized access. MARIJUANA is the name of a PHP shell that we have been tracking since last year. --------------------------------------------- https://blog.sucuri.net/2020/12/obfuscation-techniques-in-marijuana-shell-b… ∗∗∗ Payment Card Skimmer Group Using Raccoon Info-Stealer to Siphon Off Data ∗∗∗ --------------------------------------------- A cybercrime group known for targeting e-commerce websites unleashed a "multi-stage malicious campaign" earlier this year designed with an intent to distribute information stealers and JavaScript-based payment skimmers. In a new report published today and shared with The Hacker News, Singapore-based cybersecurity firm Group-IB attributed the operation to the same group thats been linked to a [...] --------------------------------------------- https://thehackernews.com/2020/12/payment-card-skimmer-group-using.html ∗∗∗ Exploitation of Windows RDP Vulnerability CVE-2019-0708 (BlueKeep): Get RCE with System Privilege Using Refresh Rect PDU and RDPDR Client Name Request PDU ∗∗∗ --------------------------------------------- To better protect Windows users, we discuss how attackers might exploit CVE-2019-0708 (BlueKeep) on Windows RDP endpoints. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2019-0708-bluekeep/ ∗∗∗ Shodan Verified Vulns 2020-12 ∗∗∗ --------------------------------------------- Auch im Dezember wollen wir einen Blick auf Schwachstellen werfen, die Shodan in Österreich sieht. Die folgende Grafik basiert auf den Daten vom 2020-12-01: [...] --------------------------------------------- https://cert.at/de/aktuelles/2020/12/shodan-verified-vulns-2020-12 ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP patches QTS vulnerabilities allowing NAS device takeover ∗∗∗ --------------------------------------------- Network-attached storage (NAS) maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-patches-qts-vulnerabili… ∗∗∗ Cisco Security Manager Java Deserialization Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the Java deserialization function that is used by Cisco'Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ceph, gitea, matrix-synapse, musl, mutt, neomutt, opensc, and webkit2gtk), Debian (debian-security-support, openldap, salt, xen, and xorg-server), Fedora (fossil, pdfresurrect, tcpdump, thunderbird, and xorg-x11-server), Gentoo (chromium, firefox, mariadb, pam, postgresql, seamonkey, thunderbird, and xorg-server), Mageia (mutt, pdfresurrect, privoxy, and thunderbird), openSUSE (chromium, java-1_8_0-openjdk, kernel, minidlna, neomutt, opera, [...] --------------------------------------------- https://lwn.net/Articles/839198/ ∗∗∗ HPE HP-UX: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1199 ∗∗∗ Security Bulletin: Vulnerability in PyYAML affects IBM Spectrum Protect Plus Container and Microsoft File Systems Agents (CVE-2020-1747) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-pyyaml-a… ∗∗∗ Security Bulletin: Denial of Service Vulnerability in Chart.js affects IBM Spectrum Protect Plus (CVE-2020-7746) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: Upgrade to IBP v2.5.1 to address recent concerns/issues with Golang versions other than 1.14.7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-to-ibp-v2-5-1-to-… ∗∗∗ Security Bulletin: Vulnerability in Urllib3 affects IBM Spectrum Protect Container and Microsoft File Systems Agents (CVE-2020-26137) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-urllib3-… ∗∗∗ Public Service Announcement ∗∗∗ --------------------------------------------- Due to Dec 8 being a public holiday in Austria the next End-of-Day report will be published on Dec 9. --------------------------------------------- https://en.wikipedia.org/wiki/Feast_of_the_Immaculate_Conception -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.12.2020
by Daily end-of-shift report 04 Dec '20

04 Dec '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-12-2020 18:00 − Freitag 04-12-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Achtung! Amazon-Phishing Mails boomen derzeit! ∗∗∗ --------------------------------------------- Der Black Friday ist vorbei, Weihnachten steht vor der Tür und Österreich befindet sich nach wie vor im Lockdown. All das sind Gründe, wieso der Online-Handel derzeit boomt – genauso boomen jedoch betrügerische Nachrichten, die im Namen von Amazon verschickt werden. Aktuell kursieren E-Mails, bei denen BetrügerInnen Ihnen eine doppelte Abbuchung vorgaukeln, um an Ihre Daten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-amazon-phishing-mails-boomen… ∗∗∗ Malware für den Diebstahl von Finanzdaten versteckt sich hinter Social-Media-Buttons ∗∗∗ --------------------------------------------- Die Buttons erlauben angeblich das Teilen von Inhalten per Facebook, Twitter und Instagram. Stattdessen aktivieren sie Schadcode, der es auf persönliche Informationen und Kreditkartendaten abgesehen hat. Die zugehörige Malware ist bereits seit Ende September im Umlauf. --------------------------------------------- https://www.zdnet.de/88390301/malware-fuer-den-diebstahl-von-finanzdaten-ve… ∗∗∗ Cybercrime: Trickbot lernt neuen Trick ∗∗∗ --------------------------------------------- Emotet-Infektionen werden zukünftig noch gefährlicher. Denn die nachgeladene Malware könnte sich im BIOS festsetzen. --------------------------------------------- https://heise.de/-4980197 ∗∗∗ Forscher warnen vor teils noch ungefixter Schwachstelle in diversen Android-Apps ∗∗∗ --------------------------------------------- Die ehemals verwundbare, durch Google bereits im März reparierte Play Core-Library wurde durch manche App-Entwickler (noch) nicht aktiv aktualisiert. --------------------------------------------- https://heise.de/-4979478 ∗∗∗ The chronicles of Emotet ∗∗∗ --------------------------------------------- More than six years have passed since the banking Trojan Emotet was first detected. During this time it has repeatedly mutated, changed direction, acquired partners, picked up modules, and generally been the cause of high-profile incidents and multimillion-dollar losses. --------------------------------------------- https://securelist.com/the-chronicles-of-emotet/99660/ ∗∗∗ Leaking Browser URL/Protocol Handlers ∗∗∗ --------------------------------------------- An important step in any targeted attack is reconnaissance. The more information an attacker can obtain on the victim the greater the chances for a successful exploitation and infiltration. Recently, we uncovered two information disclosure vulnerabilities affecting three of the major web browsers which can be leveraged to leak out a vast range of installed applications, including the presence of security products, allowing a threat actor to gain critical insights on the target. --------------------------------------------- https://www.fortinet.com/blog/threat-research/leaking-browser-url-protocol-… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware Releases Security Updates to Address CVE-2020-4006 ∗∗∗ --------------------------------------------- VMware has released security updates to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0027.2 and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2020/12/03/vmware-releases-s… ∗∗∗ Webserver-Sicherheitslücke: Heikle Konfigurations- und Statusdaten publiziert ∗∗∗ --------------------------------------------- Fehlkonfigurierte Webserver von Bundesbehörden und IT-Firmen präsentierten Besucher-IPs, Benutzernamen, Meeting-Kennungen und mehr offen im Internet. --------------------------------------------- https://heise.de/-4971830 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (c-ares, pdfresurrect, webkit2gtk3, and xen), openSUSE (python3), SUSE (gdm, python-pip, rpmlint, and xen), and Ubuntu (snapcraft). --------------------------------------------- https://lwn.net/Articles/838960/ ∗∗∗ WECON LeviStudioU (Update C) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the advisory update titled ICSA-20-238-03 WECON LeviStudioU (Update B) that was published October 29, 2020, to the ICS webpage on us-cert.cisa.gov. This advisory contains mitigations for a Stack-based Buffer Overflow vulnerability in the WECON Technology LeviStudioU software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-238-03 ∗∗∗ Apache Tomcat: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1195 ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201202… ∗∗∗ Security Advisory - Resource Management Error Vulnerability in Huawei CloudEngine 1800V Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201202… ∗∗∗ Intel CPU vulnerability CVE-2020-0591 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82356391 ∗∗∗ Intel CPU vulnerability CVE-2020-0592 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04160444 ∗∗∗ QEMU vulnerability CVE-2020-27617 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41142448 ∗∗∗ Jetty vulnerability CVE-2019-10247 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41412302 ∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Program Management (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af… ∗∗∗ Security Bulletin: Trusteer Mobile SDK is vulnerable to CVE-2019-17362 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-trusteer-mobile-sdk-is-vu… ∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Sourcing (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af… ∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Contract Management (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af… ∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Spend Analysis (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2020-14579, CVE-2020-14578, CVE-2020-14577, CVE-2020-14621) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: jQuery Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jquery-vulnerabilities-af… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow – CVE-2020-4687, CVE-2020-4760, CVE-2020-4704 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Upgrade javaenv:2.2 to address Gradle oauth authentication concerns. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-upgrade-javaenv2-2-to-add… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.12.2020
by Daily end-of-shift report 03 Dec '20

03 Dec '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-12-2020 18:00 − Donnerstag 03-12-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ APT-Gruppen: Turla und Co. tarnen Angriffe durch scheinbar harmlose Aktivitäten ∗∗∗ --------------------------------------------- Eine Spionage-Malware der wohl staatlich finanzierten Turla-Gang setzt auf Dropbox zum Datenklau. In einem anderen Fall verschleierte Coin-Mining Schlimmeres. --------------------------------------------- https://heise.de/-4978541 ∗∗∗ Studie: Schwachstellen in Open-Source-Software bleiben in der Regel vier Jahre unentdeckt ∗∗∗ --------------------------------------------- Patches stehen in der Regel innerhalb von vier Wochen zur Verfügung. Zudem sind nur 17 Prozent der registrierten Sicherheitslücken als "schädlich" einzustufen. GitHub sieht Open-Source-Software als "kritische Infrastruktur" an. --------------------------------------------- https://www.zdnet.de/88390280/studie-schwachstellen-in-open-source-software… ∗∗∗ What did DeathStalker hide between two ferns? ∗∗∗ --------------------------------------------- While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware "PowerPepper". --------------------------------------------- https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/ ∗∗∗ Xerox DocuShare Bugs Allow Data Leaks ∗∗∗ --------------------------------------------- CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes. --------------------------------------------- https://threatpost.com/xerox-docushare-bugs/161791/ ∗∗∗ Another LILIN DVR 0-day being used to spread Mirai ∗∗∗ --------------------------------------------- In March, we reported[1] that multiple botnets, including Chalubo, Fbot, Moobot were using a same 0 day vulnerability to attack LILIN DVR devices, the vendor soon fixed the vulnerability. On August 26, 2020, our Anglerfish honeypot detected that another new LILINDVR/ [...] --------------------------------------------- https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mi… ∗∗∗ Adventures in Anti-Gravity (Part II) ∗∗∗ --------------------------------------------- Here we continue to deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces), focusing on its Electron component. --------------------------------------------- https://objective-see.com/blog/blog_0x5C.html ∗∗∗ TrickBot Malware Gets UEFI/BIOS Bootkit Feature to Remain Undetected ∗∗∗ --------------------------------------------- TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system. The new functionality, dubbed "TrickBoot" by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known [...] --------------------------------------------- https://thehackernews.com/2020/12/trickbot-malware-gets-uefibios-bootkit.ht… ∗∗∗ Spamhaus Intelligence API: Free threat intelligence data for security developers ∗∗∗ --------------------------------------------- Spamhaus Technology releases its Intelligence API. This is the first time Spamhaus has released its extensive threat intelligence via API, providing enriched data relating to IP addresses exhibiting compromised behaviour. Available free of charge, developers can readily access enhanced data that catalogues IP addresses compromised by malware, worms, Trojan infections, devices controlled by botnets, and third party exploits, such as open proxies. The API features live and historical data, [...] --------------------------------------------- https://www.helpnetsecurity.com/2020/12/03/spamhaus-intelligence-api/ ∗∗∗ Open Source Tool Helps Secure Siemens PCS 7 Control Systems ∗∗∗ --------------------------------------------- Industrial cybersecurity company OTORIO has released an open source tool designed to help organizations harden Siemens’ SIMATIC PCS 7 distributed control systems (DCS). --------------------------------------------- https://www.securityweek.com/open-source-tool-helps-secure-siemens-pcs-7-co… ===================== = Vulnerabilities = ===================== ∗∗∗ Google Play Apps Remain Vulnerable to High-Severity Flaw ∗∗∗ --------------------------------------------- Patches for a flaw (CVE-2020-8913) in the Google Play Core Library have not been implemented by several popular Google Play apps, including Cisco Teams and Edge. --------------------------------------------- https://threatpost.com/google-play-apps-remain-vulnerable-to-high-severity-… ∗∗∗ iCloud for Windows 11.5 ∗∗∗ --------------------------------------------- Foundation: A local user may be able to read arbitrary files ImageIO: Processing a maliciously crafted image may lead to arbitrary code execution ImageIO: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution libxml2: Processing maliciously crafted web content may lead to code execution libxml2: A remote attacker may be able to cause unexpected application termination or arbitrary code execution libxml2: Processing a maliciously crafted file may lead to arbitrary code execution SQLite: A remote attacker may be able to cause a denial of service SQLite: A remote attacker may be able to cause arbitrary code execution SQLite: A remote attacker may be able to leak memory SQLite: A maliciously crafted SQL query may lead to data corruption WebKit: Processing maliciously crafted web content may lead to arbitrary code execution --------------------------------------------- https://support.apple.com/kb/HT211935 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (cimg, pngcheck, poppler, tor, and xdg-utils), openSUSE (mariadb), Red Hat (go-toolset-1.14-golang), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/838870/ ∗∗∗ Mozilla Foundation Security Advisory 2020-53 ∗∗∗ --------------------------------------------- In security advisory 2020-53, the Mozilla Foundation describes a stack overflow vulnerability (CVE-2020-26970) patched in Thunderbird 78.5.1. The issue was caused by writing an SMTP server status integer value on the stack designed to only hold one byte. This could potentially corrupt the stack which might be exploitable. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/0f933021879b159a96ec2380843… ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1190 ∗∗∗ Security Bulletin: Vulnerability in PyYAML affects IBM Spectrum Protect Plus Container and Microsoft File Systems Agents (CVE-2020-1747) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-pyyaml-a… ∗∗∗ Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a 3rd party cryptographc vulnerability (CVE-2020-4254) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-big… ∗∗∗ Security Bulletin: A security bypass vulnerability in Apache Solr (lucene) affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-bypass-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with Administration Console for Content Platform Engine component in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4447, CVE-2020-4759 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2020
by Daily end-of-shift report 02 Dec '20

02 Dec '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-12-2020 18:00 − Mittwoch 02-12-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Project Zero: Exploit zeigt Komplettübernahme von iPhones per WLAN ∗∗∗ --------------------------------------------- Ohne Bugfix hätten iPhones vollständig per WLAN ausgelesen werden können - über eine triviale Lücke. Apple hat den Fehler bereits behoben. --------------------------------------------- https://www.golem.de/news/project-zero-exploit-zeigt-komplettuebernahme-von… ∗∗∗ "Free" Symchanger Malware Tricks Users Into Installing Backdoor ∗∗∗ --------------------------------------------- In a previous post, I discussed how attackers can trick website owners into installing malware onto a website - granting the attacker the same unauthorized access as if they had exploited a vulnerability or compromised login details for the website. But did you know attackers use the same tactic against other bad actors? They do this by offering free malware, even going to great lengths to include a guide on how to use it. --------------------------------------------- https://blog.sucuri.net/2020/12/free-symchanger-malware-tricks-users-into-i… ∗∗∗ Remote Code Execution: Lücken in NAS-Betriebssystem QTS von Qnap geschlossen ∗∗∗ --------------------------------------------- Die Qnap-Entwickler haben eine abgesicherte Version von QTS für NAS-Geräte aus dem eigenen Haus veröffentlicht. --------------------------------------------- https://heise.de/-4977592 ∗∗∗ Paketmanager npm: Remote Access Trojan tarnt sich als JSON-Tool ∗∗∗ --------------------------------------------- Die zwei Pakete jdb.js und db-json.js versuchen njRAT zu installieren und die Windows-Firewall passend zu öffnen. --------------------------------------------- https://heise.de/-4977572 ∗∗∗ Zahlreiche betrügerische Jobangebote von rareAI und enixAI online! ∗∗∗ --------------------------------------------- „Quereinsteiger im KI-Training“ oder „Datenerfasser/KI-Trainer“ – so oder so ähnlich klingen betrügerische Jobangebote, die derzeit auf zahlreichen Plattformen inseriert werden. Dahinter stecken die angeblichen Start-Ups rareAI oder enixAI. Doch weder die Unternehmen existieren erhalten Interessierte eine bezahlte Arbeit. Stattdessen wird der Bewerbungsprozess genutzt, um im Namen der Opfer ein Konto zu eröffnen, nebenbei klauen die Kriminellen noch [...] --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-jobangebot… ===================== = Vulnerabilities = ===================== ∗∗∗ ICS Advisory (ICSA-20-336-01) Schneider Electric EcoStruxure Operator Terminal Expert runtime (Vijeo XD) ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability may allow unauthorized command execution by a local user of the Windows engineering workstation, which could result in loss of availability, confidentiality, and integrity of the workstation where EcoStruxure Operator Terminal Expert runtime is installed. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-336-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (brotli, jupyter-notebook, and postgresql-9.6), Fedora (perl-Convert-ASN1 and php-pear), openSUSE (go1.15, libqt5-qtbase, mutt, python-setuptools, and xorg-x11-server), Oracle (firefox, kernel, libvirt, and thunderbird), Red Hat (rh-postgresql10-postgresql and rh-postgresql12-postgresql), SUSE (java-1_8_0-openjdk, python, python-cryptography, python-setuptools, python3, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-kvm, linux-lts-trusty, linux-raspi2, linux-snapdragon, python-werkzeug, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04). --------------------------------------------- https://lwn.net/Articles/838786/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201202… ∗∗∗ HCL Domino: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1182 ∗∗∗ FreeBSD: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1185 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1184 ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – July 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in firmware supporting products shipped with IBM Clouf Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2020-26217 XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-26217-xstream-be… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with Administration Console for Content Platform Engine component in IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4447, CVE-2020-4459 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2020
by Daily end-of-shift report 01 Dec '20

01 Dec '20

===================== = End-of-Day report = ===================== Timeframe: Montag 30-11-2020 18:00 − Dienstag 01-12-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Banking-Malware Gootkit ist zurück und hat es auf PCs in Deutschland abgesehen ∗∗∗ --------------------------------------------- Das CERT-Bund und verschiedene Sicherheitsforscher warnen vor Trojaner-Attacken. Infektionen sind aber nicht ohne Weiteres möglich. --------------------------------------------- https://heise.de/-4976043 ∗∗∗ FBI warns of BEC scammers using email auto-forwarding in attacks ∗∗∗ --------------------------------------------- The FBI is warning U.S. companies about scammers actively abusing auto-forwarding rules on web-based email clients to increase the likelihood of successful Business Email Compromise (BEC) attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-bec-scammers-us… ∗∗∗ Critical Oracle WebLogic flaw actively exploited by DarkIRC malware ∗∗∗ --------------------------------------------- A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit the CVE-2020-14882 remote code execution (RCE) vulnerability fixed by Oracle two months ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-oracle-weblogic-fla… ∗∗∗ IceRat evades antivirus by running PHP on Java VM ∗∗∗ --------------------------------------------- IceRat keeps low detections rates for weeks by using an unusual language implementation: JPHP. But there are more reasons than the choice of the compiler. This article explores IceRat and explains a way to analyze JPHP malware. --------------------------------------------- https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp ∗∗∗ How prevalent is DNS spoofing? Could a repeat of the Dyn/Mirai DDoS attack have the same results? ∗∗∗ --------------------------------------------- Two separate groups of academics have recently released research papers based on research into the Domain Name System (DNS). One has found that the overwhelming majority of popular site operators haven’t learned from the 2016 Dyn/Mirai incident/attack and set up a backup DNS server, and the other has shown that the rate of DNS spoofing, though still very small, has more than doubled in less than seven years. --------------------------------------------- https://www.helpnetsecurity.com/2020/12/01/dns-spoofing/ ∗∗∗ Xanthe - Docker aware miner ∗∗∗ --------------------------------------------- Ransomware attacks and big-game hunting making the headlines, but adversaries use plenty of other methods to monetize their efforts in less intrusive ways. Cisco Talos recently discovered a cryptocurrency-mining botnet attack were calling "Xanthe," which attempted to compromise one of Ciscos security honeypots for tracking Docker-related threats. --------------------------------------------- https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html ∗∗∗ Docker malware is now common, so devs need to take Docker security seriously ∗∗∗ --------------------------------------------- Three years after the first malware attacks targeting Docker, developers are still misconfiguring and exposing their Docker servers online. --------------------------------------------- https://www.zdnet.com/article/docker-malware-is-now-common-so-devs-need-to-… ===================== = Vulnerabilities = ===================== ∗∗∗ GO SMS Pro Vulnerable to File Theft: Part 2 ∗∗∗ --------------------------------------------- Last week we released an advisory about an SMS app called GO SMS Pro. Media files sent via text in the app are stored insecurely on a publicly accessible server. With some very minor scripting, it is trivial to throw a wide net around that content. While its not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you. [...] It seems like GOMO is attempting to fix the issue, but a complete fix is still not available in the app. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/go-sms-pro-… ∗∗∗ Multiple (RCE) Vulnerabilities in Micro Focus Operations Bridge Manager ∗∗∗ --------------------------------------------- After analysing OBM, I found a mountain of critical security vulnerabilities that when combined result in a complete compromise of the application: - Use of Hard-coded Credentials - Insecure Java Deserialization (an incredible total of 41 of them) - Use of Outdated and Insecure Java Libraries - Incorrect Default Folder Permissions (resulting in Privilege Escalation to SYSTEM) All of these vulnerabilities affect the latest version, 2020.05, and possibly earlier versions. Both Windows and Linux installations are affected, except for the privilege escalation, which only affects Windows. --------------------------------------------- https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focu… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0009 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead toarbitrary code execution. --------------------------------------------- https://webkitgtk.org/security/WSA-2020-0009.html ∗∗∗ QNAP QTS: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1181 ∗∗∗ Foxit Phantom PDF Suite: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1180 ∗∗∗ HCL Domino: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1177 ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Information disclosure vulnerability may affect IBM Business Automation Workflow – CVE-2020-4900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-upgrade-for-ibm-c… ∗∗∗ Security Bulletin: Node.js module upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-module-upgrade-fo… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: A security vulnerability in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-upgrade-for-ibm-c… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.11.2020
by Daily end-of-shift report 30 Nov '20

30 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-11-2020 18:00 − Montag 30-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Bug oder Feature: Privilege Escalation in Windows Autopilot ∗∗∗ --------------------------------------------- SEC Consult hat im Deploymentprozess von Windows Autopilot eine Schwachstelle identifziert, die eine Erweiterung lokaler Berechtigungen ermöglicht. --------------------------------------------- https://www.sec-consult.com/./blog/2020/11/bug-oder-feature-privilege-escal… ∗∗∗ Credit card skimmer fills fake PayPal forms with stolen order info ∗∗∗ --------------------------------------------- A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores. --------------------------------------------- https://www.bleepingcomputer.com/news/security/credit-card-skimmer-fills-fa… ∗∗∗ Cyberthreats to financial organizations in 2021 ∗∗∗ --------------------------------------------- Let us review the forecasts we made at the end of 2019 and see how accurate we were. Then we will go through the key events of 2020 relating to financial attacks. Finally, we need to make a forecast of financial attacks in 2021. --------------------------------------------- https://securelist.com/cyberthreats-to-financial-organizations-in-2021/9959… ∗∗∗ Threat Hunting with JARM, (Fri, Nov 27th) ∗∗∗ --------------------------------------------- Recently I have been testing a new tool created by the people at Salesforce. The tool is called JARM and what it does is query TLS instances (HTTPS servers and services) to create a fingerprint of their TLS configuration. Much like analyzing the nuances of network traffic can be used to fingerprint the operating system and version of a server, JARM fingerprints TLS instances to create a fingerprint which can be used to compare one TLS service to another. --------------------------------------------- https://isc.sans.edu/diary/rss/26832 ∗∗∗ German users targeted with Gootkit banker or REvil ransomware ∗∗∗ --------------------------------------------- After a noted absence, the Gootkit banking Trojan returns en masse to hit Germany. In an interesting twist, some of the victims may receive ransomware instead. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted… ∗∗∗ SD-WAN Product Vulnerabilities Allow Hackers to Steer Traffic, Shut Down Networks ∗∗∗ --------------------------------------------- Researchers at cybersecurity consulting firm Realmode Labs have identified vulnerabilities in SD-WAN products from Silver Peak, Cisco, Citrix and VMware, including potentially serious flaws that can be exploited to steer traffic or completely shut down an organization’s network. --------------------------------------------- https://www.securityweek.com/sd-wan-product-vulnerabilities-allow-hackers-s… ∗∗∗ Tens of Dormant North American Networks Suspiciously Resurrected at Once ∗∗∗ --------------------------------------------- More than fifty networks in the North American region suddenly burst to life after being dormant for a long period of time, Spamhaus reveals. The Geneva-based international nonprofit organization is focused on tracking spam, phishing, malware, and botnets, and provides threat intelligence that can help filter spam and related threats. --------------------------------------------- https://www.securityweek.com/tens-dormant-north-american-networks-suspiciou… ∗∗∗ Hackers are targeting MacOS users with this updated malware ∗∗∗ --------------------------------------------- Researchers link new malware attacks designed to install a backdoor onto compromised systems to Vietnamese-backed hacking operation OceanLotus. --------------------------------------------- https://www.zdnet.com/article/hackers-are-targeting-macos-users-with-this-u… ∗∗∗ Whac-A-Mole: Six Years of DNS Spoofing. (arXiv:2011.12978v1 [cs.CR]) ∗∗∗ --------------------------------------------- DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. --------------------------------------------- http://arxiv.org/abs/2011.12978 ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Lücke in Trend Micro ServerProtect gefährdet Linux-Systeme ∗∗∗ --------------------------------------------- Es gibt eine abgesicherte Version von Trend Micro ServerProtect for Linux. --------------------------------------------- https://heise.de/-4974321 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (c-ares, libass, raptor, rclone, and swtpm), Debian (libproxy, qemu, tcpflow, and x11vnc), Fedora (asterisk, c-ares, microcode_ctl, moodle, pam, tcpdump, and webkit2gtk3), Mageia (jruby and webkit2), openSUSE (buildah, c-ares, ceph, fontforge, java-1_8_0-openjdk, kernel, LibVNCServer, mariadb, thunderbird, ucode-intel, and wireshark), Red Hat (firefox, rh-mariadb103-mariadb and rh-mariadb103-galera, and thunderbird), SUSE (binutils, libssh2_org, [...] --------------------------------------------- https://lwn.net/Articles/838579/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by Network Time Protocol (NTP) vulnerabilities (CVE-2020-11868, CVE-2020-13817) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Content Classification is affected by a Eclipse Jetty (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-classificatio… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Eclipse Jetty (Publicly disclosed vulnerability) affects Content Classifaction ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-eclipse-jetty-publicly-di… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.11.2020
by Daily end-of-shift report 27 Nov '20

27 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-11-2020 18:00 − Freitag 27-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Achtung Identitätsdiebstahl: Kriminelle versenden betrügerische E-Mails im Namen der Post! ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen melden uns derzeit eine betrügerische E-Mail, die im Namen der Österreichischen Post verschickt wird. In diesem E-Mail werden Sie dazu aufgefordert, eine Ausweiskopie zu senden, damit eine Lieferung verarbeitet werden kann. Ignorieren Sie diese E-Mail. Es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-identitaetsdiebstahl-krimine… ∗∗∗ Sicherheitsupdates: Archive mit Schadcode könnten Drupal-Websites gefährden ∗∗∗ --------------------------------------------- Die Drupal-Enwickler haben zwei gefährliche Sicherheitslücken im Content Management System Drupal geschlossen. --------------------------------------------- https://heise.de/-4972845 ∗∗∗ Mit dem Bloodhound auf Active-Directory-Jagd ∗∗∗ --------------------------------------------- Auf seiner SO-CON zeigte SpecterOps viele Aktualisierungen für Security-Werkzeuge, darunter BloodHound 4.0 für Active-Directory-Angriffe. --------------------------------------------- https://heise.de/-4973049 ∗∗∗ Hackers Love Expired Domains ∗∗∗ --------------------------------------------- Sometimes, website owners no longer want to own a domain name and they allow it to expire without attempting to renew it. This happens all the time and is totally normal, but it’s important to remember that attackers regularly monitor domain expirations and may target certain domains that meet specific criteria. Vendor domains can be an easy backdoor A vendor (supplier) domain is defined as a website that is used to host and load third party Javascript resources [...] --------------------------------------------- https://blog.sucuri.net/2020/11/hackers-love-expired-domains.html ∗∗∗ Digitally Signed Bandook Malware Once Again Targets Multiple Sectors ∗∗∗ --------------------------------------------- A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of a 13-year-old backdoor Trojan. Check Point Research called out hackers affiliated with a group named Dark Caracal in a new report published yesterday for their efforts to deploy "dozens of digitally signed variants" of [...] --------------------------------------------- https://thehackernews.com/2020/11/digitally-signed-bandook-malware-once.html ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix Virtual Apps and Desktops Security Update ∗∗∗ --------------------------------------------- 2020-11-25: Improved clarification on when a version is impacted and added that 1912 LTSR CU2 is now available --------------------------------------------- https://support.citrix.com/article/CTX285059 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (go, libxml2, postgresql, and wireshark-cli), Debian (drupal7 and lxml), Fedora (drupal7, java-1.8.0-openjdk-aarch32, libxml2, pacemaker, slurm, and swtpm), openSUSE (c-ares, ceph, chromium, dash, firefox, go1.14, java-1_8_0-openjdk, kernel, krb5, perl-DBI, podman, postgresql10, postgresql12, rclone, slurm, ucode-intel, wireshark, wpa_supplicant, and xen), SUSE (ceph, firefox, kernel, LibVNCServer, and python), and Ubuntu (freerdp, poppler, and [...] --------------------------------------------- https://lwn.net/Articles/838469/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.11.2020
by Daily end-of-shift report 26 Nov '20

26 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-11-2020 18:00 − Donnerstag 26-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Risk Based Authentication: Die Krücke für Passwörter und wie sie ausgenutzt wird ∗∗∗ --------------------------------------------- Mit der Risikoabschätzung RBA wollen Online-Dienste den Passwortmissbrauch bekämpfen. Doch Cybercrime macht daraus ein Geschäft: mit digitalen Doppelgängern. --------------------------------------------- https://heise.de/-4970547 ∗∗∗ Was ist SIM‑Swapping und wie können Sie sich schützen ∗∗∗ --------------------------------------------- Bei diesem Angriff geht es um ihre Telefonnummer und zwar darum sie Ihnen wegzunehmen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/11/26/was-ist-sim-swapping-und-… ∗∗∗ Vorsicht! Der Download dieser Apps entpuppt sich als teure Abo-Falle! ∗∗∗ --------------------------------------------- Es gibt viele hilfreiche Apps für das Handy, die das Leben erleichtern können. Allerdings gibt es auch Apps, die das Leben erschweren. So tauchen immer wieder Apps im Google Play- oder im App-Store auf, bei denen ungewollte und teure Abos abgeschlossen werden. Die Kosten werden dabei entweder gar nicht erwähnt oder kaum sichtbar im Kleingedruckten versteckt. Wir zeigen Ihnen, wie Sie sich vor dieser Betrugsmasche schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-der-download-dieser-apps-en… ∗∗∗ 71 Opfer seit September: Forscher warnen vor Ransomware Egregor ∗∗∗ --------------------------------------------- Die Hintermänner sind bisher in 19 Ländern aktiv. Die Mehrheit der Opfer befindet sich jedoch in den USA. Dank ausgeklügelter Codeverschleierung können Sicherheitsforscher den Infektionsweg von Egregor bisher nicht vollständig klären. --------------------------------------------- https://www.zdnet.de/88390072/71-opfer-seit-september-forscher-warnen-vor-r… ∗∗∗ Analysis of Kinsing Malwares Use of Rootkit ∗∗∗ --------------------------------------------- The Kinsing malware has been evolving with capabilities added to increase the difficulty of detection. Trend Micro reports on the use of a rootkit in recent samples to carry out these objectives. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/6d8ebd5da62cf61982fce04b20b… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013 ∗∗∗ --------------------------------------------- The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. --------------------------------------------- https://www.drupal.org/sa-core-2020-013 ∗∗∗ Synology: Kritische Lücken aus Disk Station Manager und Safe Access beseitigt ∗∗∗ --------------------------------------------- Über Sicherheitslücken könnten Angreifer aus der Ferne Programmcode auf verwundbaren Geräten ausführen. Abgesicherte Versionen stehen teilweise noch aus. --------------------------------------------- https://heise.de/-4971807 ∗∗∗ Forscher entdeckt zufällig Zero-Day-Lücke in Windows 7 und Server 2008 ∗∗∗ --------------------------------------------- Sie erlaubt eine nicht autorisierte Ausweitung von Benutzerrechten. Neuere Windows-Versionen sind nicht betroffen. Der Forscher stößt bei der Arbeit an einem Update für sein Sicherheitstool PrivescCheck auf den Fehler. --------------------------------------------- https://www.zdnet.de/88390077/forscher-entdeckt-zufaellig-zero-day-luecke-i… ∗∗∗ BlackBerry Powered by Android Security Bulletin - November 2020 ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ BigBlueButton E-mail Validation Bypass ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020110211 ∗∗∗ BigBlueButton Meeting Access Code Brute Force Vulnerability ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020110210 ∗∗∗ Security Bulletin: IBM Cloud Pak for Security (CP4S) could reveal sensitive information to authenticated user (CVE-2020-4626) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security (CP4S) uses weaker than expected cryptographic algorithms (CVE-2020-4624) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: IBM Network Performance Insight is affected by Apache Commons Codec vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-network-performance-i… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security (CP4S) vulnerable to session handling issue (CVE-2020-4696) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: CP4S 1.3.0.1 fails to use HTTPOnly flag (CVE-2020-4625) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cp4s-1-3-0-1-fails-to-use… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security (CP4S) is potentially vulnerable to CVS injection (CVE-2020-4627) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.11.2020
by Daily end-of-shift report 25 Nov '20

25 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-11-2020 18:00 − Mittwoch 25-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Light-Based Attacks Expand in the Digital Home ∗∗∗ --------------------------------------------- The team that hacked Amazon Echo and other smart speakers using a laser pointer continue to investigate why MEMS microphones respond to sound. --------------------------------------------- https://threatpost.com/light-based-attacks-digital-home/161583/ ∗∗∗ [SANS ISC] Live Patching Windows API Calls Using PowerShell ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Live Patching Windows API Calls Using PowerShell“: It’s amazing how attackers can be imaginative when it comes to protecting themselves and preventing security controls to do their job. Here is an example of a malicious PowerShell script that patches live a DLL function [...] --------------------------------------------- https://blog.rootshell.be/2020/11/25/sans-isc-live-patching-windows-api-cal… ∗∗∗ IBM: Aktuelle Security-Updates sichern diverse Produkte gegen Angriffe ab ∗∗∗ --------------------------------------------- Schwachstellen von "Low" bis "High" wurden aus Netezza Host Management, aus Resilient, Spectrum Protect (Plus), TNPM Wireline und weiteren Produkten beseitigt. --------------------------------------------- https://heise.de/-4970430 ∗∗∗ Stantinko Proxy Trojan Masquerades as Apache Servers ∗∗∗ --------------------------------------------- A threat group tracked as Stantinko was observed using a new version of a Linux proxy Trojan that poses as Apache servers to remain undetected. --------------------------------------------- https://www.securityweek.com/stantinko-proxy-trojan-masquerades-apache-serv… ∗∗∗ This critical software flaw is now being used to break into networks - so update fast ∗∗∗ --------------------------------------------- A vulnerability in MobileIron mobile device management software is being used by state-backed hackers and organised crime, warns security agency. --------------------------------------------- https://www.zdnet.com/article/this-software-flaw-is-being-used-to-break-int… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in McAfee Endpoint Security machen Windows angreifbar ∗∗∗ --------------------------------------------- Es gibt wichtige Updates für McAfee Endpoint Security. Unter bestimmten Voraussetzungen könnten Angreifer Schadcode ausführen. --------------------------------------------- https://heise.de/-4970655 ∗∗∗ 2-Factor Authentication Bypass Flaw Reported in cPanel and WHM Software ∗∗∗ --------------------------------------------- cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account. The issue, tracked as "SEC-575" and discovered by researchers from Digital Defense, has been remedied by the company in versions 11.92.0.2, [...] --------------------------------------------- https://thehackernews.com/2020/11/2-factor-authentication-bypass-flaw.html ∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco DNA Spaces Connector could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insufficient validation of user-supplied input in the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Edge Fog Fabric Resource Exposure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the REST API of Cisco Edge Fog Fabric could allow an authenticated, remote attacker to access files outside of their authorization sphere on an affected device. The vulnerability is due to incorrect authorization enforcement on an affected system. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could allow the attacker to overwrite arbitrary files on the affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2020-0023.3 VMware ESXi, Workstation, Fusion and NSX-T updates address multiple security vulnerabilities (CVE-2020-3981, CVE-2020-3982, CVE-2020-3992, CVE-2020-3993, CVE-2020-3994, CVE-2020-3995) ∗∗∗ --------------------------------------------- Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of section 3(a). --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0023.html ∗∗∗ VMSA-2020-0026.1 VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005) ∗∗∗ --------------------------------------------- Updated security advisory to add VMware Cloud Foundation 3.x and 4.x versions in the response matrix of sections 3(a) and 3(b). --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0026.html ∗∗∗ ICS Advisory (ICSA-20-329-02) Fuji Electric V-Server Lite ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow for remote code execution on the device. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-329-02 ∗∗∗ ICS Advisory (ICSA-20-329-01) Rockwell Automation FactoryTalk Linx ∗∗∗ --------------------------------------------- Successful exploitation of these vulnerabilities could allow a denial-of-service condition, remote code execution, or leak information that could be used to bypass address space layout randomization (ASLR). --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-329-01 ∗∗∗ MISP: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1170 ∗∗∗ Red Hat Virtualization: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1169 ∗∗∗ NETGEAR GS108Ev3 vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN27806339/ ∗∗∗ Security Advisory - Command Injection Vulnerability in ManageOne Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201125… ∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201125… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2020
by Daily end-of-shift report 24 Nov '20

24 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Montag 23-11-2020 18:00 − Dienstag 24-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Warten auf Patches: Kritische VMware-Lücke gefährdet Linux- und Windows-Systeme ∗∗∗ --------------------------------------------- Software von VMware ist über eine Zero-Day-Lücke attackierbar. Bislang gibt es nur Workarounds zur Absicherung. --------------------------------------------- https://heise.de/-4969353 ∗∗∗ Betrügerische Trading-Plattformen: Kriminelle werben mit Kommentaren bei YouTube-Videos ∗∗∗ --------------------------------------------- In den Kommentaren zahlreicher beliebter YouTube-Videos – darunter Last Christmas von Wham! – finden sich Tipps, wie man mit Bitcoin-Handel im Internet reich werden kann. Verpackt in einer hochemotionalen Geschichte berichtet ein Nutzer, wie ihm eine Lyra Holt Dean beim Handel unterstützte. Im Kommentar gibt er auch ihre E-Mail-Adresse an. Schreiben Sie keinesfalls an diese Adresse, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-trading-plattformen-k… ∗∗∗ Lookalike domains and how to outfox them ∗∗∗ --------------------------------------------- Our approach is more complex than simply registering lookalike domains to the company and enables real-time blocking of attacks that use such domains as soon as they appear. --------------------------------------------- https://securelist.com/lookalike-domains-and-how-to-outfox-them/99539/ ∗∗∗ Blackrota, a heavily obfuscated backdoor written in Go ∗∗∗ --------------------------------------------- Recently, a malicious backdoor program written in the Go language that exploits an unauthorized access vulnerability in the Docker Remote API was caught by the our Anglerfish honeypot. We named it Blackrota, giventhat its C2 domain name is [...] --------------------------------------------- https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-… ∗∗∗ Hidden SEO Spam Link Injections on WordPress Sites ∗∗∗ --------------------------------------------- Often when a website is injected with SEO spam, the owner is completely unaware of the issue until they begin to receive warnings from search engines or blacklists. This is by design - attackers intentionally try to prevent detection by arranging injected links so they are not visible to average human traffic. One of the techniques attackers use is to “push” the injected SEO spam links off the visible portion of the website. --------------------------------------------- https://blog.sucuri.net/2020/11/hidden-seo-spam-link-injections-on-wordpres… ∗∗∗ MedusaLocker Ransomware Analysis ∗∗∗ --------------------------------------------- The Cybereason Nocturnus Team has published an analysis of the MedusaLocker ransomware. MedusaLocker targets Windows systems and first appeared in 2019. Since then, it has reportedly been involved in many attacks targeting a number of industry sectors, but especially the healthcare sector. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/9b5a2bd4954b29920abc8f39f0a… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- A security issue has been identified that may allow privileged code running in a guest VM to compromise the host. This issue is limited to only those guest VMs where the host administrator has explicitly assigned a PCI passthrough device to the guest VM. --------------------------------------------- https://support.citrix.com/article/CTX286511 ∗∗∗ Xen Security Advisory XSA-355 - stack corruption from XSA-346 change ∗∗∗ --------------------------------------------- A malicious or buggy HVM or PVH guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Privilege escalation as well as information leaks cannot be excluded. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-355.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, microcode_ctl, and seamonkey), Mageia (f2fs-tools, italc, python-cryptography, python-pillow, tcpreplay, and vino), Oracle (thunderbird), Red Hat (bind, kernel, microcode_ctl, net-snmp, and Red Hat Virtualization), Scientific Linux (net-snmp and thunderbird), SUSE (kernel and mariadb), and Ubuntu (atftp, libextractor, pdfresurrect, and pulseaudio). --------------------------------------------- https://lwn.net/Articles/838255/ ∗∗∗ Synology-SA-20:25 Safe Access ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Safe Access. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_25 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle ermöglicht SQL-Injection ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1161 ∗∗∗ OTRS: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1159 ∗∗∗ Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Codec. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-wireline-is-vuln… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – IBM SDK, Java Technology Edition v8.0.6.11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… ∗∗∗ [20201107] - Core - Write ACL violation in multiple core views ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/834-20201107-core-write-ac… ∗∗∗ [20201106] - Core - CSRF in com_privacy emailexport feature ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/833-20201106-core-csrf-in-… ∗∗∗ [20201105] - Core - User Enumeration in backend login ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/832-20201105-core-user-enu… ∗∗∗ [20201104] - Core - SQL injection in com_users list view ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/831-20201104-core-sql-inje… ∗∗∗ [20201103] - Core - Path traversal in mod_random_image ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/830-20201103-core-path-tra… ∗∗∗ [20201102] - Core - Disclosure of secrets in Global Configuration page ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/829-20201102-core-disclosu… ∗∗∗ [20201101] - Core - com_finder ignores access levels on autosuggest ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/828-20201101-core-com-find… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2020
by Daily end-of-shift report 23 Nov '20

23 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-11-2020 18:00 − Montag 23-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Jetzt patchen! Exploit-Code bedroht fast 50.000 Fortinet VPNs ∗∗∗ --------------------------------------------- Die Lage um eine ein Jahr alte Lücke in VPN-Systemen von Fortinet spitzt sich zu. Sicherheitspatches sind schon lange verfügbar. --------------------------------------------- https://heise.de/-4968392 ∗∗∗ GitHub fixes high severity security flaw spotted by Google ∗∗∗ --------------------------------------------- Two weeks after Google disclosed a security flaw in GitHub, the Microsoft-owned site has fixed the issue. --------------------------------------------- https://www.zdnet.com/article/github-fixes-high-severity-security-flaw-spot… ∗∗∗ Botnetze suchen massenhaft nach Anmeldedaten in ungesicherten ENV-Dateien ∗∗∗ --------------------------------------------- Die speichern Konfigurationsdaten von Umgebungen wie Docker, Node.js und Symfony. Sicherheitsanbieter finden zuletzt mehr als 1100 aktive Scanner für ENV-Dateien. Hacker erhalten darüber unter Umständen Zugang zu Servern, um Daten zu stehlen und Malware einzuschleusen. --------------------------------------------- https://www.zdnet.de/88389948/botnetze-suchen-massenhaft-nach-anmeldedaten-… ∗∗∗ FBI warns of increasing Ragnar Locker ransomware activity ∗∗∗ --------------------------------------------- The U.S. Federal Bureau of Investigation (FBI) Cyber Division has warned private industry partners of increased Ragnar Locker ransomware activity following a confirmed attack from April 2020. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-increasing-ragn… ∗∗∗ LightBot: TrickBot’s new reconnaissance malware for high-value targets ∗∗∗ --------------------------------------------- The notorious TrickBot has gang has released a new lightweight reconnaissance tool used to scope out an infected victims network for high-value targets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reco… ∗∗∗ TrickBot turns 100: Latest malware released with new features ∗∗∗ --------------------------------------------- The TrickBot cybercrime gang has released the hundredth version of the TrickBot malware with additional features to evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbot-turns-100-latest-ma… ∗∗∗ PYSA/Mespinoza Ransomware ∗∗∗ --------------------------------------------- Over the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move laterally throughout the environment, grabbing credentials from as many [...] --------------------------------------------- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ ICS Advisory (ICSA-20-324-05) Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could cause a denial-of-service condition for the affected product. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-324-05 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0008 ∗∗∗ --------------------------------------------- Date Reported: November 23, 2020 Advisory ID: WSA-2020-0008 CVE identifiers: CVE-2020-13584, CVE-2020-9948,CVE-2020-9951, CVE-2020-9952,CVE-2020-9983. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2020-0008.html ∗∗∗ Multiple Vulnerabilities in ZTE WLAN router MF253V ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-zt… ∗∗∗ HCL Domino: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1155 ∗∗∗ Opera Mini für Android: Schwachstelle ermöglicht Darstellen falscher Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1152 ∗∗∗ Trend Micro ServerProtect: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1150 ∗∗∗ WordPress Fancy Product Designer For WooCommerce 4.5.1 File Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020110179 ∗∗∗ [webapps] TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/49092 ∗∗∗ Security Bulletin: IBM Spectrum Protect Server allows Triple DES (3DES) ciphers to be used (CVE-2018-1785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-serv… ∗∗∗ Security Bulletin: Improper Authentication of Websocket Endpoint in IBM Spectrum Protect Operations Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-improper-authentication-o… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime, IBM WebSphere Application Server Liberty, and Apache Commons affect IBM Spectrum Protect Operations Center and IBM Spectrum Protect Client Management Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 and IBM Java Runtime affect IBM Spectrum Protect Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Vulnerabilities in jQuery, Spring, Dom4j, MongoDB, Linux Kernel, Targetcli-fb, Jackson, Node.js, and Apache Commons affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-jquery… ∗∗∗ Security Bulletin: Static Credential Vulnerability in IBM Spectrum Protect Plus (CVE-2020-4854) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-static-credential-vulnera… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus allows use of TLS Version 1.1 protocols (CVE-2020-4783) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: Vulnerability in Python affects IBM Spectrum Protect Plus Microsoft Windows File Systems agent (CVE-2020-15801) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-python-a… ∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons and Log4j affect IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Java Runtime Vulnerabilities affect the IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerab… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2020
by Daily end-of-shift report 20 Nov '20

20 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-11-2020 18:00 − Freitag 20-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IAM-Driven Biometrics: The Security Issues with Biometric Identity and Access Management ∗∗∗ --------------------------------------------- The increase of cybersecurity incidents brings along a higher demand for enhanced security protections. Thus, in the attempt of preventing unauthorized third parties from accessing their accounts and sensitive data, companies are increasingly turning to biometric authentication. Contemporary Identity and Access Management (IAM) technologies have moved beyond basic login methods based on usernames and passwords. --------------------------------------------- https://heimdalsecurity.com/blog/iam-driven-biometrics/ ∗∗∗ [SANS ISC] Malicious Python Code and LittleSnitch Detection ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Malicious Python Code and LittleSnitch Detection“: We all run plenty of security tools on our endpoints. Their goal is to protect us by preventing infection (or trying to prevent it). But all those security tools are present on our devices like normal applications --------------------------------------------- https://blog.rootshell.be/2020/11/20/sans-isc-malicious-python-code-and-lit… ∗∗∗ The malware that usually installs ransomware and you need to remove right away ∗∗∗ --------------------------------------------- [...] This article focuses on the known malware strains that have been used over the past two years to install ransomware. [...] Once any of these malware strains are detected, system administrators should drop everything, take systems offline, and audit and remove the malware as a top priority. ZDNet will keep the list up to date going forward. --------------------------------------------- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-… ∗∗∗ Exploiting dynamic rendering engines to take control of web apps ∗∗∗ --------------------------------------------- tl;dr: - Dynamic rendering is a technique used to serve prerendered web site pages to crawlers (e.g., Google search engine, Slack or Twitter bots, etc.) - The most popular open source applications for dynamic rendering are Rendertron and Prerender; both of which may introduce vulnerabilities to a network if used improperly. --------------------------------------------- https://r2c.dev/blog/2020/exploiting-dynamic-rendering-engines-to-take-cont… ∗∗∗ Consul by HashiCorp: from Infoleak to RCE ∗∗∗ --------------------------------------------- Consul is a software first released in 2014 for DNS-based service discovery. It provides distributed key-value storage, segmentation, and configuration. Registered services and nodes can be queried using a DNS interface or an HTTP interface. [...] An attacker can use public access to the system to obtain information about the infrastructure and its configuration. --------------------------------------------- https://lab.wallarm.com/consul-by-hashicorp-from-infoleak-to-rce/ ∗∗∗ WordPress Malware Setting Up SEO Shops ∗∗∗ --------------------------------------------- While recently looking over my honeypots, I discovered an infection where a malicious actor added a storefront on top of my existing WordPress installation. For background, this particular honeypot is a full instance of WordPress running on a Docker image. The administrator credentials are intentionally weak, in order to give those with malicious intent easy access. This way I can examine what attacks the vulnerable site will undergo and what the login access will be used for. --------------------------------------------- https://blogs.akamai.com/sitr/2020/11/wordpress-malware-setting-up-seo-shop… ∗∗∗ Purgalicious VBA: Macro Obfuscation With VBA Purging ∗∗∗ --------------------------------------------- Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in February 2020. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-… ∗∗∗ Demystifying two common misconceptions with e-commerce security ∗∗∗ --------------------------------------------- HTTPS and iframe containers augment security, but are not a panacea for online shoppers and merchants. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2020/11/demystifying-two-common-mi… ∗∗∗ Vorsicht: Zahlreiche Fake-Shops werben mit Black Friday Deals ∗∗∗ --------------------------------------------- In einer Woche ist es soweit: Der Black Friday lässt das Herz von Schnäppchenjägern höherschlagen. Ab Montag beginnt die Cyber Week, bei denen sich KonsumentInnen schon vor dem Black Friday über Rabatte im Online-Handel freuen können. Doch seien Sie vorsichtig auf der Schnäppchenjagd. Denn zu dieser Zeit macht nicht nur der Online-Handel ein gutes Geschäft, sondern auch BetrügerInnen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-zahlreiche-fake-shops-werbe… ∗∗∗ IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance ∗∗∗ --------------------------------------------- IAMFinder is a custom open-source tool that can identify users and IAM roles in AWS accounts, showing where to harden IAM configurations. --------------------------------------------- https://unit42.paloaltonetworks.com/iamfinder/ ===================== = Vulnerabilities = ===================== ∗∗∗ About the security content of macOS Big Sur 11.0.1 ∗∗∗ --------------------------------------------- The macOS Big Sur 11.0.1 software update is available for Mac mini (M1, 2020), MacBook Air (M1, 2020), and MacBook Air (13-inch, 2020), and together with macOS 11.0 includes the security content listed in this advisory. --------------------------------------------- https://support.apple.com/en-us/HT211982 ∗∗∗ VMSA-2020-0026 VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005) ∗∗∗ --------------------------------------------- Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0026.html ∗∗∗ VMSA-2020-0023 Updates ∗∗∗ --------------------------------------------- Updated security advisory to add Workstation 15.x version in the response matrix of section 3(c) and 3(d). --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0023.html ∗∗∗ VMSA-2020-0020 Updates ∗∗∗ --------------------------------------------- Updated security advisory to add Fusion 11.x version in the response matrix of section 3(a) and Workstation 15.x version in the response matrix of section 3(b), 3(c) & 3(d). --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0020.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin). --------------------------------------------- https://lwn.net/Articles/837915/ ∗∗∗ CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. --------------------------------------------- https://support.citrix.com/article/CTX267027 ∗∗∗ Security Bulletin: Cryptographic Vulnerability Affects Map Editor in IBM Sterling B2B Integrator (CVE-2020-4937) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cryptographic-vulnerabili… ∗∗∗ Security Bulletin: Vulnerability CVE-2020-4788 in the IBM Power9 processor affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2020-47… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: InfoSphere Master Data Management 11.6 affected due to vulnerability in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-infosphere-master-data-ma… ∗∗∗ Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc… ∗∗∗ Security Bulletin: IBM has released AIX and VIOS iFixes in response to a vulnerability in IBM POWER9 (CVE-2020-4788) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-released-aix-and-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Apr 2020 – Includes Oracle Apr 2020 CPU minus CVE-2020-2773 affects IBM MQ ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.11.2020
by Daily end-of-shift report 19 Nov '20

19 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-11-2020 18:00 − Donnerstag 19-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android chat app with 100 million installs exposes private messages ∗∗∗ --------------------------------------------- GO SMS Pro, an Android instant messaging application with over 100 million installs, is publicly exposing private multimedia files shared between its users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-chat-app-with-100-mi… ∗∗∗ CodeQL: Github findet Sicherheitslücke in Corona-Warn-App-Server ∗∗∗ --------------------------------------------- Das Sicherheitsteam von Github hat eine Remote Code Execution im Server-Code der Corona-Warn-App gefunden --------------------------------------------- https://www.golem.de/news/codeql-github-findet-sicherheitsluecke-in-corona-… ∗∗∗ Egregor-Ransomware bombardiert Nutzer mit gedruckten Lösegeldforderungen ∗∗∗ --------------------------------------------- Die Cyberkriminellen wenden die Taktik erstmals bei einem Angriff auf einen chilenischen Handelskonzern an. Sie begnügen sich nicht nur mit Office-Druckern und geben ihre Lösegeldforderung sogar auf Quittungsdruckern aus. Unklar ist, wie die Hacker dabei vorgehen. --------------------------------------------- https://www.zdnet.de/88389908/egregor-ransomware-bombardiert-nutzer-mit-ged… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Critical - Remote code execution - SA-CORE-2020-012 ∗∗∗ --------------------------------------------- Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting [...] --------------------------------------------- https://www.drupal.org/sa-core-2020-012 ∗∗∗ SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-038 ∗∗∗ Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-037 ∗∗∗ Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-036 ∗∗∗ Examples for Developers - Critical - Remote Code Execution - SA-CONTRIB-2020-035 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-035 ∗∗∗ VMware SD-WAN Orchestrator updates address multiple security vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in SD-WAN Orchestrator were privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products. VMware-hosted SD-WAN Orchestrators have been patched for these issues. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0025.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium and firefox), CentOS (bind, curl, fence-agents, kernel, librepo, libvirt, microcode_ctl, python, python3, qt and qt5-qtbase, resource-agents, and tomcat), Debian (drupal7, firefox-esr, jupyter-notebook, packer, python3.5, and rclone), Fedora (firefox), Mageia (firefox, nss), openSUSE (gdm, kernel-firmware, and moinmoin-wiki), Oracle (net-snmp), SUSE (libzypp, zypper), and Ubuntu (c-ares). --------------------------------------------- https://lwn.net/Articles/837767/ ∗∗∗ ICS Advisory (ICSA-20-324-03) Real Time Automation EtherNet/IP ∗∗∗ --------------------------------------------- The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-324-03 ∗∗∗ Trend Micro Apex One: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1136 ∗∗∗ F5 BIG-IP: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1140 ∗∗∗ [webapps] Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/49082 ∗∗∗ Security Advisory - Improper Buffer Operation Restrictions Vulnerability on Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-… ∗∗∗ Security Advisory - Command Injection Vulnerability in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-… ∗∗∗ Security Bulletin: TLS Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam) vulnerability in IBM Cloud Pak for Data Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tls-protocol-dhe_export-c… ∗∗∗ Security Bulletin: The web server or application server are configured in an insecure way in IBM Cloud Pak for Data Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-web-server-or-applica… ∗∗∗ Security Bulletin: CVE-2020-14782 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-14782-may-affect… ∗∗∗ Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.6 (CVE-2019-17359) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufactu… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2020-4718) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: Lucky 13 Attack Vulnerability in IBM Cloud Pak for Data Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lucky-13-attack-vulnerabi… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-… ∗∗∗ Security Bulletin: CVE-2019-17638 jetty double-release of a byte buffer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-17638-jetty-doub… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2020
by Daily end-of-shift report 18 Nov '20

18 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-11-2020 18:00 − Mittwoch 18-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ When Security Controls Lead to Security Issues, (Wed, Nov 18th) ∗∗∗ --------------------------------------------- The job of security professionals is to protect customers assets and, even more, today, customers data. The security landscape is full of solutions that help to improve security by detecting (and blocking) threats knocking on the organizations doors. Sometimes, such solutions have side effects that go to the opposite direction and make customers more vulnerable to attacks. --------------------------------------------- https://isc.sans.edu/diary/rss/26804 ∗∗∗ Evasive Maneuvers in Data Stealing Gateways ∗∗∗ --------------------------------------------- We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware payloads. During a recent investigation, we came across this example of a PHP script that attackers use for many different purposes. What makes the sample interesting is that alongside this PHP, we also found a few data-stealing scripts indicating that the code might have been used to send sensitive data to the attackers. Continue reading Evasive --------------------------------------------- https://blog.sucuri.net/2020/11/evasive-maneuvers-in-data-stealing-gateways… ∗∗∗ WebNavigator Chromium browser published by search hijackers ∗∗∗ --------------------------------------------- A mystery Chromium browser recently made a sudden appearance, and is certainly proving popular. But what is it, and where did it come from? --------------------------------------------- https://blog.malwarebytes.com/pups/2020/11/webnavigator-chromium-browser-pu… ∗∗∗ Nibiru ransomware variant decryptor ∗∗∗ --------------------------------------------- The Nibiru ransomware is a .NET-based malware family. It traverses directories in the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string "Nibiru" to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant. --------------------------------------------- https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html ∗∗∗ Large-Scale Attacks Target Epsilon Framework Themes ∗∗∗ --------------------------------------------- On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites ... For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to perform an exploit chain, though full Remote Code Execution(RCE) leading to site takeover is possible with these vulnerabilities. --------------------------------------------- https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-f… ∗∗∗ Vorsicht vor COVID-19-Hilfsfonds: Unterstützungszahlungen in Millionenhöhe sind Betrug! ∗∗∗ --------------------------------------------- Die Corona-Krise ist für viele Menschen auch eine finanzielle Krise. Verschiedene Unterstützungsangebote sollen daher helfen, durch diese Zeit zu kommen. Aber Achtung! Werfen Sie einen genauen Blick darauf, wer Ihnen Geld anbietet. Denn: Derzeit werden betrügerische E-Mails von angeblichen COVID-19 Hilfsfonds versendet, in denen hohe Geldbeträge versprochen werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-covid-19-hilfsfonds-unt… ===================== = Vulnerabilities = ===================== ∗∗∗ iTunes 12.11 for Windows ∗∗∗ --------------------------------------------- Foundation Impact: A local user may be able to read arbitrary files ImageIO Impact: Processing a maliciously crafted image may lead to arbitrary code execution libxml2 Impact: Processing maliciously crafted web content may lead to code execution libxml2 Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution WebKit Impact: Processing maliciously crafted web content may lead to arbitrary code execution Windows Security Impact: A malicious application may be able to access local users Apple IDs --------------------------------------------- https://support.apple.com/kb/HT211933 ∗∗∗ Tails 4.13: Anonymisierendes Betriebssystem bekommt wichtige Sicherheitsupdates ∗∗∗ --------------------------------------------- Die neue Version des Debian-basierten Live-Systems umfasst ein wenig Feinschliff an der Oberfläche, vor allem aber wichtige Security-Fixes. --------------------------------------------- https://heise.de/-4963955 ∗∗∗ Tor Browser: Desktop-Version 10.0.5 mit Firefox-Sicherheitsupdates verfügbar ∗∗∗ --------------------------------------------- Für Windows, Linux und macOS steht eine neue Version des anonymisierenden Webbrowsers bereit. Die Android-Ausgabe soll bald folgen. --------------------------------------------- https://heise.de/-4964177 ∗∗∗ Cisco Expressway Software Unauthorized Access Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Secure Web Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings API Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces Connector Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Improper Domain Access Control Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network REST API Insufficient Input Validation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Unprotected Storage of Credentials Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director File Overwrite Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Improper Access Control Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Unauthenticated REST API Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Missing API Authentication Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-… ∗∗∗ Security Bulletin: An unspecified vulnerability in Java SE or Oracle Java SE could allow an unauthenticated attacker ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-14621) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container Dashboard is vulnerable to (CVE-2020-15168) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a data corruption vulnerability (CVE-2020-4592) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability in IBM Runtime Environment Java (deferred from Oracle Jan 2020 CPU) CVE-2020-2654 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2020
by Daily end-of-shift report 17 Nov '20

17 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Montag 16-11-2020 18:00 − Dienstag 17-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Mit Hardware für 30 Dollar Intels sichere Enklave geknackt ∗∗∗ --------------------------------------------- Intels Enklave SGX soll Daten selbst vor Rechenzentrumsbetreibern mit physischem Zugang verbergen. Doch Forscher konnten auf diese Weise RSA-Schlüssel auslesen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-mit-hardware-fuer-30-dollar-int… ∗∗∗ Firewall-Umgehung in macOS 11: Malware kann Apples Ausschlussliste missbrauchen ∗∗∗ --------------------------------------------- Apple-Dienste bleiben für lokale Firewalls in macOS 11 unsichtbar. Auch Malware könne so nach Hause telefonieren, warnt ein Sicherheitsforscher. --------------------------------------------- https://heise.de/-4963227 ∗∗∗ Be Very Sparing in Allowing Site Notifications ∗∗∗ --------------------------------------------- An increasing number of websites are asking visitors to approve "notifications," browser modifications that periodically display messages on the users mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters. --------------------------------------------- https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifi… ∗∗∗ YouTube: Betrügerische Werbung verlockt zu hohen Investitionen ∗∗∗ --------------------------------------------- Aktuell wird auf YouTube der Bitcoin-Handel auf unseriösen Trading-Plattformen beworben. Wer sich für die Werbung interessiert, landet bei einem gefälschten Zeitungsartikel auf einer gefälschten Kronen Zeitung Website. Dort ist ein frei erfundenes Interview mit dem Geschäftsmann Richard Lugner zu lesen, in dem er erklärt, wie man mit Bitcoin-Investitionen in nur wenigen Tagen zum Millionär wird. --------------------------------------------- https://www.watchlist-internet.at/news/youtube-betruegerische-werbung-verlo… ∗∗∗ Jupyter trojan: Newly discovered malware stealthily steals usernames and passwords ∗∗∗ --------------------------------------------- Morphisec researchers detail campaign that steals Chromium, Firefox, and Chrome browser data. --------------------------------------------- https://www.zdnet.com/article/jupyter-trojan-newly-discovered-trojan-malwar… ∗∗∗ vjw0rm Leveraging New Obfuscation Technique ∗∗∗ --------------------------------------------- Summaryvjw0rm is a malicious JavaScript program capable of propagating across removable storage devices and receiving instructions from a C2 server. A SANS Internet Storm Center (ISC) researcher has identified a sample of this worm leveraging new obfuscation techniques. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/bfbf7b77d8cbc57d1a94e7bc291… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt updaten: Cisco bessert bei der Sicherheit seines "Security Managers" nach ∗∗∗ --------------------------------------------- Dank Lücken mit "High" und "Critical"-Einstufung war Ciscos Security Manager der Sicherheit eher abträglich. Software-Updates sind jetzt teilweise verfügbar. --------------------------------------------- https://heise.de/-4962719 ∗∗∗ Blind Out-Of-Band XML External Entity Injection in Avaya Web License Manager ∗∗∗ --------------------------------------------- By using an XXE injection it is possible to read confidential data like /etc/shadow or private keys. In addition, a special payload can affect the availability of the web application. --------------------------------------------- https://sec-consult.com/en/blog/advisories/blind-out-of-band-xml-external-e… ∗∗∗ TYPO3 Extensions: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in TYPO3 Extensions ausnutzen, um Informationen offenzulegen oder einen Denial of Service zu verursachen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1127 ∗∗∗ TYPO3 Core: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in TYPO3 Core ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1124 ∗∗∗ Trend Micro InterScan Web Security Virtual Appliance < 6.5 SP2 Hotfix 1919 ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Trend Micro InterScan Web Security Virtual Appliance ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1128 ∗∗∗ Apple iTunes: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apple iTunes ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1125 ∗∗∗ Node.js: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1126 ∗∗∗ Trend Micro Worry-Free Business Security: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1129 ∗∗∗ Western Digital My Cloud NAS Devices Security Vulnerabilities ∗∗∗ --------------------------------------------- Comparitech researches have published a paper on five vulnerabilities found in Western Digital network-attached storage (NAS) devices. If successfully exploited, the exploitation of these vulnerabilities could lead to remote code execution. Also possible is the [...] --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/2ee337a7fbea5d145289bcab311… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libdatetime-timezone-perl, openldap, pacemaker, and restic), Fedora (libmediainfo, mediainfo, mingw-python3, and seamonkey), Gentoo (libexif), openSUSE (raptor), Oracle (kernel and microcode_ctl), Scientific Linux (firefox), SUSE (kernel-firmware, postgresql, postgresql96, postgresql10 and postgresql12, and raptor), and Ubuntu (openldap and postgresql-10, postgresql-12, postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/837538/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs – February 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow – CVE-2020-4672 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2020
by Daily end-of-shift report 16 Nov '20

16 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-11-2020 18:00 − Montag 16-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Stories from the SOC – Multi-layered defense detects Windows Trojan ∗∗∗ --------------------------------------------- Malware infections are common and are often missed by antivirus software. Their impact to critical infrastructure and applications can be devastating to an organizations network, brand and customers if not remediated. With the everchanging nature of [...] --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ∗∗∗ New TroubleGrabber Discord malware steals passwords, system info ∗∗∗ --------------------------------------------- TroubleGrabber, a new credential stealer discovered by Netskope security researchers, spreads via Discord attachments and uses Discord webhooks to deliver stolen information to its operators. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-troublegrabber-discord-m… ∗∗∗ Windows Kerberos authentication breaks due to security updates ∗∗∗ --------------------------------------------- Microsoft is investigating a new known issue causing enterprise domain controllers to experience Kerberos authentication problems after installing security updates released during this months Patch Tuesday, on November 10. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentica… ∗∗∗ Schneider Electric Warns Customers of Drovorub Linux Malware ∗∗∗ --------------------------------------------- One of the security bulletins released this week by Schneider Electric warns customers about Drovorub, a piece of Linux malware that was recently detailed by the NSA and the FBI. --------------------------------------------- https://www.securityweek.com/schneider-electric-warns-customers-drovorub-li… ∗∗∗ Ok Google: please publish your DKIM secret keys ∗∗∗ --------------------------------------------- The Internet is a dangerous place in the best of times. Sometimes Internet engineers find ways to mitigate the worst of these threats, and sometimes they fail. Every now and then, however, a major Internet company finds a solution that actually makes the situation worse for just about everyone. Today I want to talk about [...] --------------------------------------------- https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publis… ∗∗∗ The ransomware landscape is more crowded than you think ∗∗∗ --------------------------------------------- More than 25 Ransomware-as-a-Service (RaaS) portals are currently renting ransomware to other criminal groups. --------------------------------------------- https://www.zdnet.com/article/the-ransomware-landscape-is-more-crowded-than… ∗∗∗ Ngioweb Botnet Targeting IoT Devices ∗∗∗ --------------------------------------------- A new version of the Ngioweb botnet malware was discovered and analyzed by Netlab 360 researchers. Their blog post details the changes observed in these newer samples. --------------------------------------------- https://exchange.xforce.ibmcloud.com/collection/e4becb0bc47fb9b7ad74c9fb579… ===================== = Vulnerabilities = ===================== ∗∗∗ Heartbleed, BlueKeep and other vulnerabilities that didnt disappear just because we dont talk about them anymore, (Mon, Nov 16th) ∗∗∗ --------------------------------------------- Since new critical vulnerabilities are discovered and published nearly every day, it is no wonder that we (i.e. security professionals and security-oriented media) tend to focus on these and dont return to the ones that came before too often. Unless there is a massive exploitation campaign, that is. This doesnt present any problems for organizations, which manage to patch vulnerabilities on time, but for many others [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26798 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libdatetime-timezone-perl and libvncserver), Fedora (chromium, kernel, kernel-headers, kernel-tools, krb5, libexif, libxml2, and thunderbird), Gentoo (chromium, libmaxminddb, and mit-krb5), Mageia (arpwatch, bluez, chromium-browser-stable, firefox and thunderbird, golang, java-1.8.0-op, kdeconnect-kde, kleopatra, libexif, lilypond, microcode, packagekit, ruby, and tpm2-tss), openSUSE (chromium, firefox, ImageMagick, kernel, openldap2, python-waitress, SDL, u-boot, ucode-intel, and zeromq), Oracle (fence-agents, firefox, freetype, kernel, python, python3, and thunderbird), Red Hat (rh-postgresql10-postgresql, rh-postgresql12-postgresql, and virt:8.2 and virt-devel:8.2), Slackware (seamonkey), and SUSE (firefox, gdm, kernel, and kernel-firmware). --------------------------------------------- https://lwn.net/Articles/837431/ ∗∗∗ SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020110113 ∗∗∗ Opera Touch for iOS: Schwachstelle ermöglicht Darstellen falscher Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1123 ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1122 ∗∗∗ Security Bulletin: Information Disclosure Vulnerability Affects EBICS Client of IBM Sterling B2B Integrator (CVE-2020-4475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Information Disclosure Vulnerability Affects IBM Sterling File Gateway (CVE-2020-4476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: CKEditor XSS Vulnerability Affects IBM Sterling B2B Integrator (CVE-2018-17960) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ckeditor-xss-vulnerabilit… ∗∗∗ Security Bulletin: XSS Vulnerability Affects IBM Sterling B2B Integrator (CVE-2020-4705) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xss-vulnerability-affects… ∗∗∗ Security Bulletin: SQL Injection Vulnerability Affects EBICS in IBM Sterling B2B Integrator (CVE-2020-4655) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: B2B API Information Disclosure Vulnerability Affects IBM Sterling B2B Integrator (CVE-2020-4566) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-b2b-api-information-discl… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow – CVE-2020-4672 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Cookie Vulnerability Affects IBM Sterling File Gateway (CVE-2020-4763) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cookie-vulnerability-affe… ∗∗∗ Security Bulletin: Cookie Vulnerability Affects IBM Sterling File Gateway (CVE-2020-4665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cookie-vulnerability-affe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2020
by Daily end-of-shift report 13 Nov '20

13 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-11-2020 18:00 − Freitag 13-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ubuntu Linux schließt Lücken: Im Handumdrehen zum Systemverwalter ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher stolperte über eine Lücken-Kombo, mit der einfache Nutzer einen Account mit Sudo-Rechten anlegen konnten. Ubuntu hat diese nun gefixt. --------------------------------------------- https://heise.de/-4960051 ∗∗∗ Unbreak My Heart: What I Learned About Building Better Medical Devices While Troubleshooting My Pacemaker ∗∗∗ --------------------------------------------- This blog outlines the story of Veronica Schmitts journey to fixing her ICD/Pacemaker using Medical Device Forensics. --------------------------------------------- https://www.sans.org/blog/unbreak-my-heart-what-i-learned-about-building-be… ∗∗∗ A new skimmer uses WebSockets and a fake credit card form to steal sensitive data ∗∗∗ --------------------------------------------- A new skimmer attack was discovered this week, targeting various online e-commerce sites built with different frameworks. As of the writing of this blog post, the attack is still active and exfiltrating data. --------------------------------------------- https://blogs.akamai.com/2020/11/a-new-skimmer-uses-websockets-and-a-fake-c… ∗∗∗ DNS Cache Poisoning Attack Reloaded: Revolutions with Side Channels ∗∗∗ --------------------------------------------- SAD DNS is a revival of the classic DNS cache poisoning attack (which no longer works since 2008) leveraging novel network side channels that exist in all modern operating systems, including Linux, Windows, macOS, and FreeBSD. This represents an important milestone -- the first weaponizable network side channel attack that has serious security impacts. The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache (e.g., in BIND, Unbound, dnsmasq). --------------------------------------------- https://www.saddns.net/ ∗∗∗ Surviving college distance learning during the pandemic: a cybersecurity guide ∗∗∗ --------------------------------------------- Students in higher education are exposed to online risks more than ever. Keep yourself secure while distance learning from home with this practical guide. --------------------------------------------- https://blog.malwarebytes.com/how-tos-2/2020/11/surviving-college-distance-… ===================== = Vulnerabilities = ===================== ∗∗∗ Schneider Electric sichert diverse ICS-Komponenten gegen Schwachstellen ab ∗∗∗ --------------------------------------------- Für Hard- und Software zur Konfiguration und Verwaltung industrieller Steuerungssysteme von Schneider Electric sind wichtige Sicherheitsupdates verfügbar. --------------------------------------------- https://heise.de/-4959299 ∗∗∗ ICS Advisory (ICSA-20-317-01) Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- A denial-of-service vulnerability due to uncontrolled resource consumption exists in MELSEC iQ-R series CPU modules. This vulnerability does not affect products when the "To Use or Not to Use Web Server" parameter of CPU modules is set to "Not Use." The default setting is "Not Use." --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-317-01 ∗∗∗ PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24 Released! ∗∗∗ --------------------------------------------- The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24. This release closes three security vulnerabilities and fixes over 65 bugs reported over the last three months. Due to the nature of CVE-2020-25695, we advise you to update as soon as possible. Additionally, this is the second-to-last release of PostgreSQL 9.5. If you are running PostgreSQL 9.5 in a production environment, we [...] --------------------------------------------- https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libproxy, pacemaker, and thunderbird), Fedora (nss), openSUSE (kernel), Oracle (curl, librepo, qt and qt5-qtbase, and tomcat), Red Hat (firefox), SUSE (firefox, java-1_7_0-openjdk, and openldap2), and Ubuntu (apport, libmaxminddb, openjdk-8, openjdk-lts, and slirp). --------------------------------------------- https://lwn.net/Articles/837105/ ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- A security issue has been identified in Citrix Hypervisor that may allow privileged code running in a guest VM to infer details of some computations occurring in other VMs on the host. This may, for example, be used to infer a secret encryption key used [...] --------------------------------------------- https://support.citrix.com/article/CTX285937 ∗∗∗ Citrix SDWAN Center Security Update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been discovered in Citrix SD-WAN Center that, if exploited, could allow an unauthenticated attacker with network access to SD-WAN Center to perform arbitrary code execution as root. --------------------------------------------- https://support.citrix.com/article/CTX285061 ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container Designer instances may be vulnerable to CVE-2020-7760 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: Novalink is impacted by Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-v… ∗∗∗ Security Bulletin: Novalink is impacted running oauth-2.0 or openidConnectServer-1.0 server features vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-runn… ∗∗∗ Security Bulletin: Vulnerability in icu CVE-2020-10531. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-icu-cve-… ∗∗∗ Security Bulletin: Vulnerability in Open Source Python affect IBM Tivoli Application Dependency Discovery Manager (CVE-2020-8492) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-open-sou… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Discovery and Delivery Intelligence V5.1.0.7 and V5.1.0.8 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Tivoli Netcool/OMNIbus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-tivoli… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Samba for IBM i is affected by CVE-2020-14323 and CVE-2020-14318 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-samba-for-ibm-i-is-affect… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Control (CVE-2020-8201, CVE-2020-8252) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: CVE-2020-4482 ADD SNAPSHOT STATUS REST CALL DOESN'T CHECK THE USER ROLE ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4482-add-snapsho… ∗∗∗ Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-struts-publicly-di… ∗∗∗ Security Bulletin: CVE-2018-10886 ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2018-10886-ant-before… ∗∗∗ Security Bulletin: IBM Security Directory Suite is affected by a security vulnerability (CVE-2018-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-su… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by IBM SDK, Java Technology Edition Quarterly CPU – Apr 2020 vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin:Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache HttpClient ( CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinsecurity-bulletin-ibm-cont… ∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2019-16779). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o… ∗∗∗ macOS Big Sur 11.0.1 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211931 ∗∗∗ Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211946 ∗∗∗ Safari 14.0.1 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211934 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2020
by Daily end-of-shift report 12 Nov '20

12 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-11-2020 18:00 − Donnerstag 12-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Angeblich Quellcode des Exploit-Toolkits Cobalt Strike durchgesickert ∗∗∗ --------------------------------------------- Auf GitHub findet sich seit fast zwei Wochen ein Repository mit dem Namen CobaltStrike. Es enthält angeblich den Code von Cobalt Strike 4.0. Der Autor entfernt zudem die Lizenzprüfung, was auf eine geknackte Version schließen lässt. --------------------------------------------- https://www.zdnet.de/88389725/angeblich-quellcode-des-exploit-toolkits-coba… ∗∗∗ Hungrig nach Daten – ModPipe Backdoor bedroht POS‑Software im Gastgewerbe ∗∗∗ --------------------------------------------- Die Backdoor-Autoren verfügen offenbar über umfassende Kenntnisse der Software und entschlüsseln Datenbankkennwörter aus Windows-Registry-Werten. --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/11/12/hungrig-nach-daten-modpip… ∗∗∗ Extrapolating Adversary Intent Through Infrastructure ∗∗∗ --------------------------------------------- Hear from Senior Security Researcher Joe Slowik to discover the significance behind domain name patterns and learn how defenders can use these thematic insights to further their security operations. --------------------------------------------- https://www.domaintools.com/resources/blog/extrapolating-adversary-intent-t… ∗∗∗ 2 More Google Chrome Zero-Days Under Active Exploitation ∗∗∗ --------------------------------------------- Browser users are once again being asked to patch severe vulnerabilities that can lead to remote code execution. --------------------------------------------- https://threatpost.com/2-zero-day-bugs-google-chrome/161160/ ∗∗∗ Preventing Exposed Azure Blob Storage, (Thu, Nov 12th) ∗∗∗ --------------------------------------------- In the previous diary, I explained the three public access levels of Azure Blob Storage, and how to investigate the setup for any issues. Until a couple of months ago, there was no reliable way to prevent the problem from occurring in the first place, but thankfully, Microsoft has finally seen the light. --------------------------------------------- https://isc.sans.edu/diary/rss/26786 ∗∗∗ Attacking SCADA Part II: Vulnerabilities in Schneider Electric EcoStruxure Machine Expert and M221 PLC ∗∗∗ --------------------------------------------- We present two vulnerabilities in EcoStruxure Machine Expert v1.0 and Schneider Electric M221 (Firmware 1.10.2.2) Programmable Logic Controller (PLC). All three vulnerabilities were disclosed to Schneider Electric and the details were released on 10 November 2020. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacking-s… ∗∗∗ Exploring the Exploitability of "Bad Neighbor": The Recent ICMPv6 Vulnerability (CVE-2020-16898) ∗∗∗ --------------------------------------------- We wanted to find out whether something else could be done with this vulnerability, aside from triggering the buffer overflow and causing a blue screen (BSOD) --------------------------------------------- https://blog.zecops.com/vulnerabilities/exploring-the-exploitability-of-bad… ∗∗∗ CRAT wants to plunder your endpoints ∗∗∗ --------------------------------------------- Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT. Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. One of the plugins is a ransomware known as "Hansom." --------------------------------------------- https://blog.talosintelligence.com/2020/11/crat-and-plugins.html ∗∗∗ Avionics Safety and Secured Connectivity: A Look at DO-326A/ED-202A, DO-355 and DO-356 ∗∗∗ --------------------------------------------- One of the major improvements that the avionics industry is undergoing is an Internet of Things (IoT) upgrade. And this is inevitably affecting how airlines approach aircraft safety. From the beginning, safety has been paramount to the aviation industry. But while it is a welcome innovation, the incorporation of IoT devices in aircraft comes with [...] --------------------------------------------- https://www.tripwire.com/state-of-security/regulatory-compliance/avionics-s… ∗∗∗ Comodo open-sources its EDR solution ∗∗∗ --------------------------------------------- OpenEDR, announced in September, is available on GitHub starting this week. --------------------------------------------- https://www.zdnet.com/article/comodo-open-sources-its-edr-solution/ ∗∗∗ Why you should keep your Netflix password to yourself ∗∗∗ --------------------------------------------- Sharing is caring - except when it isn't. Here’s why you shouldn't share your password for online media services with other people. --------------------------------------------- https://www.welivesecurity.com/2020/11/11/why-you-should-keep-netflix-passw… ∗∗∗ Cryptominers Exploiting Weblogic RCE CVE-2020-14882 ∗∗∗ --------------------------------------------- Intro Towards the end of October, we started seeing attackers take advantage of a Weblogic RCE vulnerability (CVE-2020-14882). Recently, SANS ISC talked about this vulnerability being exploited in the wild, [...] --------------------------------------------- https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (codemirror-js, firefox-esr, and pacemaker), Fedora (firefox, java-latest-openjdk, and xen), openSUSE (sddm), Oracle (bind, curl, fence-agents, kernel, librepo, libvirt, python3, qt and qt5-qtbase, and tomcat), SUSE (firefox), and Ubuntu (intel-microcode, openldap, and raptor2). --------------------------------------------- https://lwn.net/Articles/836994/ ∗∗∗ Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs ∗∗∗ --------------------------------------------- Schneider Electric this week released advisories for vulnerabilities impacting various products, including flaws that can be exploited to take control of Modicon M221 programmable logic controllers (PLCs). --------------------------------------------- https://www.securityweek.com/encryption-vulnerabilities-allow-hackers-take-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201111… ∗∗∗ Security Bulletin: IBM API Connect V5 is vulnerable to denial of service (CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-is-vul… ∗∗∗ Security Bulletin: Vulnerability in HTTPD affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-httpd-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2020
by Daily end-of-shift report 11 Nov '20

11 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-11-2020 18:00 − Mittwoch 11-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Targeted ransomware: it’s not just about encrypting your data! ∗∗∗ --------------------------------------------- When we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data – it’s primarily about data exfiltration. --------------------------------------------- https://securelist.com/targeted-ransomware-encrypting-data/99255/ ∗∗∗ Decrypting OpenSSH sessions for fun and profit ∗∗∗ --------------------------------------------- A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers. --------------------------------------------- https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-… ∗∗∗ So kaufen Sie Weihnachtsgeschenke sicher im Internet ein! ∗∗∗ --------------------------------------------- Damit die Weihnachtsvorfreude nicht durch eine Bestellung bei einem Fake-Shop getrübt wird, zeigen wir Ihnen die wichtigsten Punkte, an denen Sie unseriöse Online-Shops erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/so-kaufen-sie-weihnachtsgeschenke-si… ∗∗∗ Play Store identified as main distribution vector for most Android malware ∗∗∗ --------------------------------------------- Mammoth research project using Symantec (now NortonLifeLock) telemetry confirms what everyone suspected. --------------------------------------------- https://www.zdnet.com/article/play-store-identified-as-main-distribution-ve… ∗∗∗ Neuer Android-Trojaner spioniert 153 mobile Anwendungen aus ∗∗∗ --------------------------------------------- Darunter sind auch vier Apps deutscher Banken. Die Verbreitung erfolgt über Links in Spam-E-Mails. Mithilfe der Android-Bedienungshilfen nistet sich der Trojaner dauerhaft auf einem Gerät ein und erlaubt dessen Fernsteuerung. --------------------------------------------- https://www.zdnet.de/88389654/neuer-android-trojaner-spioniert-153-mobile-a… ===================== = Vulnerabilities = ===================== ∗∗∗ NVIDIA fixes severe flaw in GeForce NOW cloud gaming service ∗∗∗ --------------------------------------------- NVIDIA released a security update for the GeForce Now cloud gaming Windows app to address a vulnerability that could allow attackers to execute arbitrary code or escalate privileges on systems running unpatched software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nvidia-fixes-severe-flaw-in-… ∗∗∗ VU#231329: Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks ∗∗∗ --------------------------------------------- The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area. --------------------------------------------- https://kb.cert.org/vuls/id/231329 ∗∗∗ VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files. --------------------------------------------- https://kb.cert.org/vuls/id/760767 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, gdm, linux-hardened, matrix-synapse, salt, sddm, and wordpress), Debian (firefox-esr, libmaxminddb, and moin), Fedora (cifs-utils, firefox, galera, java-latest-openjdk, mariadb, mariadb-connector-c, and wordpress), Gentoo (blueman, chromium, firefox, mariadb, qemu, salt, tmux, and wireshark), openSUSE (sddm), Oracle (kernel), Red Hat (kernel-alt, microcode_ctl, and rh-nodejs12-nodejs), SUSE (kernel, microcode_ctl, openldap2, --------------------------------------------- https://lwn.net/Articles/836897/ ∗∗∗ Patchday: Microsoft schließt Kernel-Lücke in Windows ∗∗∗ --------------------------------------------- Es sind über 100 Sicherheitsupdates für Microsoft Office, Windows & Co. erschienen. Eine Lücke nutzen Angreifer derzeit aktiv aus. --------------------------------------------- https://heise.de/-4954195 ∗∗∗ Security Advisory - Command Injection Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201111-… ∗∗∗ XSA-351 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-351.html ∗∗∗ Citrix Systems Virtual Apps and Desktops: Mehrere Schwachstellen ermöglichen Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-1107 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2020
by Daily end-of-shift report 10 Nov '20

10 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Montag 09-11-2020 18:00 − Dienstag 10-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ PLATYPUS - With Great Power comes Great Leakage ∗∗∗ --------------------------------------------- With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processors power consumption to infer data and extract cryptographic keys. --------------------------------------------- https://platypusattack.com/ ∗∗∗ wetransfer.com: So nutzen Sie den kostenlosen Dienst sicher ∗∗∗ --------------------------------------------- wetransfer.com - ein beliebter Dienst, um kostenlos und unkompliziert viele Dateien oder Ordner zu teilen. Beim Empfang eines E-Mails von wetransfer.com raten wir jedoch zur Vorsicht, denn Kriminelle versenden im Design des Datenversanddienstes Phishing-E-Mails oder gefährliche E-Mails mit Schadsoftware. Also: Zuerst kontrollieren, dann klicken! --------------------------------------------- https://www.watchlist-internet.at/news/wetransfercom-so-nutzen-sie-den-kost… ∗∗∗ Plötzliche Abkündigung: Avira stellt Business-Sicherheitsprodukte Ende 2021 ein ∗∗∗ --------------------------------------------- Avira weist Geschäftskunden derzeit auf die Einstellung des B2B-Bereichs hin: Bestehende Lizenzen verlieren demnach zum 01.01.22 ihre Gültigkeit. --------------------------------------------- https://heise.de/-4952577 ∗∗∗ Microsoft Teams Users Under Attack in 'FakeUpdates' Malware Campaign ∗∗∗ --------------------------------------------- Microsoft warns that cybercriminals are using Cobalt Strike to infect entire networks beyond the infection point, according to a report. --------------------------------------------- https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/ ∗∗∗ Code Comments Reveal SCP-173 Malware ∗∗∗ --------------------------------------------- We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code - for example, a short description of a feature or functionality for other developers to reference. Oftentimes, hackers aren’t interested in leaving comments describing how their injected malware works. Instead, they use code comments to add unique identifiers to reference aliases, quotes, threat groups, or sometimes even memes. --------------------------------------------- https://blog.sucuri.net/2020/11/code-comments-reveal-scp-173-malware.html ∗∗∗ WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques ∗∗∗ --------------------------------------------- Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW (Windows on Windows) system was coined. This layer, which will be referred to as 'WOW64' from here on out, is responsible for translating all Windows API calls from 32-bit userspace to the 64-bit operating system --------------------------------------------- https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-intern… ∗∗∗ Snakes and Ladder Logic ∗∗∗ --------------------------------------------- A click to a reverse shell in OpenPLC and ladder logic OR Why you shouldn’t run everything as root in PLC and RTUs. --------------------------------------------- https://www.pentestpartners.com/security-blog/snakes-and-ladder-logic/ ∗∗∗ Npm package caught stealing sensitive Discord and browser files ∗∗∗ --------------------------------------------- Malicious code was found hidden inside a JavaScript library named Discord.dll. --------------------------------------------- https://www.zdnet.com/article/npm-package-caught-stealing-sensitive-discord… ∗∗∗ IoT security is a mess. These guidelines could help fix that ∗∗∗ --------------------------------------------- New guidelines from ENISA recommend that all stages of the IoT device lifecycle need to be considered to help ensure devices are secure. --------------------------------------------- https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Ultimate Member Plug-in gefährdet Wordpress-Seiten ∗∗∗ --------------------------------------------- Admin-Lücken im Plug-in Ultimate Member bedrohen über 100.000 Wordpress-Websites. Eine abgesicherte Version ist verfügbar. --------------------------------------------- https://heise.de/-4952685 ∗∗∗ Remote-Code-Execution-Lücke in Firefox, Firefox ESR und Thunderbird ∗∗∗ --------------------------------------------- Mozilla hat eine kritische Schwachstelle in seinen Webbrowsern und seinem Mail-Client geschlossen. --------------------------------------------- https://heise.de/-4953356 ∗∗∗ SAP Patchday November 2020 ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in SAP Produkten und Anwendungskomponenten ausnutzen, um die Vertraulichkeit, Verfügbarkeit und die Integrität der Anwendungen zu gefährden. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1090 ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Connect (APSB20-69) and Adobe Reader Mobile (APSB20-71). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided "AS IS" with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1942 ∗∗∗ Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper resource allocation when an affected device processes network traffic in software switching mode (punted). --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SSA-492828: Denial-of-Service Vulnerability in SIMATIC S7-300 CPUs and SINUMERIK Controller ∗∗∗ --------------------------------------------- A vulnerability in S7-300 might allow an attacker to cause a Denial-of-Service condition on port 102 of the affected devices by sending specially crafted packets. Siemens is preparing updates and recommends specific countermeasures until fixes are available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-492828.txt ∗∗∗ SSA-431802: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗ --------------------------------------------- Siemens SCALANCE W1750D is a brandlabled device. Aruba has released a related security advisory (ARUBA-PSA-2016-004) [0] disclosing vulnerabilities in its Aruba Instant product line. The advisory contains multiple related vulnerabilities that are summarized in CVE-2016-2031. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-431802.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (moin, obfs4proxy, tcpdump, and zeromq3), Fedora (samba), Mageia (lout, openldap, pacemaker, samba, sddm, and spice, spice-gtk), openSUSE (bluez, ImageMagick, java-1_8_0-openj9, otrs, and wireshark), Red Hat (bind, buildah, curl, fence-agents, kernel, kernel-rt, kpatch-patch, librepo, libvirt, podman, python, python3, qt and qt5-qtbase, resource-agents, skopeo, tomcat, and unixODBC), SUSE (gcc10, python3, SDL, and zeromq), and Ubuntu (libexif). --------------------------------------------- https://lwn.net/Articles/836770/ ∗∗∗ IPAS: Security Advisories for November 2020 ∗∗∗ --------------------------------------------- Hello, It’s the second Tuesday in November and today we are releasing 40 security advisories. If this seems like a large number of advisories for Intel to be releasing, you’re right. However, there are two primary reasons for this. First, as I mentioned in August, we are aligning public disclosures, as much as possible, to [...] --------------------------------------------- https://blogs.intel.com/technology/2020/11/ipas-security-advisories-for-nov… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2020
by Daily end-of-shift report 09 Nov '20

09 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-11-2020 18:00 − Montag 09-11-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacker haben mehrfach Sourcecode aus SonarQube-Instanzen abgegriffen ∗∗∗ --------------------------------------------- Das FBI warnte bereits im Oktober vor einem Angriff auf Installationen unter anderem von US-Regierungsbehörden, aber auch privater Firmen. --------------------------------------------- https://heise.de/-4951630 ∗∗∗ Lets Encrypt: Alte Android-Geräte bekommen Probleme mit Millionen Seiten ∗∗∗ --------------------------------------------- Der Zertifikatswechsel bei Lets Encrypt sorgt für Probleme bei einem Drittel aller Android-Geräte. Die Lösung dafür ist der Firefox. --------------------------------------------- https://www.golem.de/news/let-s-encrypt-alte-android-geraete-bekommen-probl… ∗∗∗ New Pay2Key ransomware encrypts networks within one hour ∗∗∗ --------------------------------------------- A new ransomware called Pay2Key has been targeting organizations from Israel and Brazil, encrypting their networks within an hour in targeted attacks still under investigation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-pay2key-ransomware-encry… ∗∗∗ How Ryuk Ransomware operators made $34 million from one victim ∗∗∗ --------------------------------------------- One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operator… ∗∗∗ Gitpaste-12 Worm Targets Linux Servers, IoT Devices ∗∗∗ --------------------------------------------- The newly discovered malware uses GitHub and Pastebin to house component code, and harbors 12 different initial attack vectors. --------------------------------------------- https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/ ∗∗∗ Adventures in Anti-Gravity ∗∗∗ --------------------------------------------- Here we deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces). --------------------------------------------- https://objective-see.com/blog/blog_0x5B.html ∗∗∗ Cryptojacking Targeting WebLogic TCP/7001, (Sat, Nov 7th) ∗∗∗ --------------------------------------------- This past week got some interesting logs targeting TCP/7001 (WebLogic CVE-2020-14882 - see previous diary[1][2]) looking to download and launch a shell script to install various cryptominer on the target. The shell script target SELINUX compatible hosts likely CentOS/RedHat, Ubuntu, etc to install various cryptominer applications. --------------------------------------------- https://isc.sans.edu/diary/rss/26768 ∗∗∗ How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th) ∗∗∗ --------------------------------------------- On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very short period of time. All the submitted files were OLE2 files containing a malicious macro. All of them had a low VT score so it deserved some investigations. I downloaded the samples and had a look at them. --------------------------------------------- https://isc.sans.edu/diary/rss/26770 ∗∗∗ When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777 ∗∗∗ --------------------------------------------- Vatet, PyXie and Defray777 are all associated with a financially motivated threat group. We aim to get these malware families on the radar. --------------------------------------------- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ ∗∗∗ xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control ∗∗∗ --------------------------------------------- We observed evidence that the xHunt campaign used two backdoors on a compromised Microsoft Exchange Server at an organization in Kuwait. --------------------------------------------- https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/ ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco stopft schwerwiegende Lücke in Webex Meetings für Windows ∗∗∗ --------------------------------------------- Die Schwachstelle kommt bei internen Tests ans Licht. Ein lokaler Angreifer kann Schadcode ausführen. Weitere Schwachstellen stecken im Web Network Recording Player und Webex Player. --------------------------------------------- https://www.zdnet.de/88389577/cisco-stopft-schwerwiegende-luecke-in-webex-m… ∗∗∗ WordPress Sites Open to Code Injection Attacks via Welcart e-Commerce Bug ∗∗∗ --------------------------------------------- The shopping cart application contains a PHP object-injection bug. --------------------------------------------- https://threatpost.com/wordpress_open_to_attacks_welcart_bug/161037/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, kernel, libX11, qemu-kvm, thunderbird, and xorg-x11-server), Debian (guacamole-server, krb5, libexif, poppler, raptor2, and sympa), Fedora (blueman, chromium, freetype, galera, krb5, libtpms, mariadb, mariadb-connector-c, pngcheck, and salt), Mageia (blueman, docker, fontforge, junit, libproxy, libuv, mariadb, suricata, and webmin), openSUSE (apache-commons-httpclient, bluez, gnome-settings-daemon, gnome-shell, [...] --------------------------------------------- https://lwn.net/Articles/836676/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2020
by Daily end-of-shift report 06 Nov '20

06 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-11-2020 18:00 − Freitag 06-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Reverse shell botnet Gitpaste-12 spreads via GitHub and Pastebin ∗∗∗ --------------------------------------------- A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code. The advanced malware comes equipped with reverse shell and crypto mining capabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/reverse-shell-botnet-gitpast… ∗∗∗ Sicherheitslücke: Admin-Passwort für Rettungsdienst-System ungeschützt im Netz ∗∗∗ --------------------------------------------- Über die Software Ivena werden Notfallpatienten in Krankenhäusern angemeldet. Ein Admin-Passwort ist nun öffentlich auf der Herstellerwebseite einsehbar gewesen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-admin-passwort-fuer-rettungsdie… ∗∗∗ RansomEXX Trojan attacks Linux systems ∗∗∗ --------------------------------------------- We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems. --------------------------------------------- https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ ∗∗∗ ALFA TEaM Shell ~ v4.1-Tesla: A Feature Update Analysis ∗∗∗ --------------------------------------------- We’ve seen a wider variety of PHP web shells being used by attackers this year — including a number of shells that have been significantly updated in an attempt to “improve” them. Depending on the scope of changes and feature enhancements that are added to an existing web shell’s source code, these updates can be tedious and time consuming for bad actors. For this reason, it’s common to see code for web shells reused among different, unaffiliated attackers. --------------------------------------------- https://blog.sucuri.net/2020/11/alfa-team-shell-v4-1-tesla-a-feature-update… ∗∗∗ Rediscovering Limitations of Stateful Firewalls: "NAT Slipstreaming" ? Implications, Detections and Mitigations ∗∗∗ --------------------------------------------- A recent {rediscovered} technique (NAT Slipstreaming) to allow an attacker remotely access any TCP/UDP service bound to a victim’s machine, thus bypassing the victim’s Network Address Translation (NAT)/firewall implementation was detailed by Samy Kamkar [1]. Samy had also shared a similar technique termed “NAT Pinning” back in 2010 [2]. The similarities in both techniques were convincing victims to access a specially crafted site implementing said techniques, resulting in [...] --------------------------------------------- https://isc.sans.edu/forums/diary/Rediscovering+Limitations+of+Stateful+Fir… ∗∗∗ Business VOIP phone systems are being hacked for profit worldwide. Is yours secure? ∗∗∗ --------------------------------------------- Security researchers have uncovered an organised gang of cybercriminals who are compromising the VOIP phone systems of over 1000 organisations worldwide. Check Point has identified a malicious campaign that has targeted a critical vulnerability in the Sangoma PBX open-source GUI, used to manage installations of Asterisk - the worlds most popular VOIP phone system for businesses. --------------------------------------------- https://businessinsights.bitdefender.com/business-voip-phone-systems-are-be… ∗∗∗ IntelMQ offers tutorial lessons and a new documentation page ∗∗∗ --------------------------------------------- The IntelMQ tutorial guiding through various features and tools of IntelMQ is available in the IntelMQ Tutorial GitHub repository. Lesson one introduces the architecture, concepts and terminology of the project. Lessons two and three delve hands-on into working with IntelMQ. Starting with installation and basic usage & configuration they go on to tackle progressively more advanced topics like using advanced features or changing the message queue software to be used. --------------------------------------------- https://cert.at/en/blog/2020/11/intelmq-tutorial-and-new-documentation-page ∗∗∗ Ryuk Speed Run, 2 Hours to Ransom ∗∗∗ --------------------------------------------- Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, [...] --------------------------------------------- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ ===================== = Vulnerabilities = ===================== ∗∗∗ Schwachstellen in iOS werden aktiv ausgenutzt – kein Update für iOS 13 ∗∗∗ --------------------------------------------- Apple-Nutzer sollten ihr Betriebssystem zügig aktualisieren, kritische Lücken werden wohl für Angriffe verwendet. Nicht alle Systemversionen erhalten Updates. --------------------------------------------- https://heise.de/-4950496 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sddm and wordpress), Fedora (blueman, chromium, pngcheck, and salt), openSUSE (chromium, salt, tiff, tigervnc, tmux, tomcat, transfig, and xen), Oracle (freetype, kernel, libX11, thunderbird, and xorg-x11-server), SUSE (bluez, ImageMagick, java-1_8_0-openjdk, rmt-server, salt, and u-boot), and Ubuntu (dom4j, firefox, netqmail, phpldapadmin, and tmux). --------------------------------------------- https://lwn.net/Articles/836467/ ∗∗∗ Security Advisory - Netlogon Elevation of Privilege Vulnerability ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201105… ∗∗∗ Digium Certified Asterisk: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1084 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2020
by Daily end-of-shift report 05 Nov '20

05 Nov '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-11-2020 18:00 − Donnerstag 05-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit für Cisco-VPN AnyConnect in Umlauf - Sicherheitsupdate steht noch aus ∗∗∗ --------------------------------------------- Attacken auf Ciscos VPN-Lösung AnyConnect könnten kurz bevor stehen. Bislang gibt es aber nur Patches für andere Lücken in IOS XR, Webwex & Co. --------------------------------------------- https://heise.de/-4948798 ∗∗∗ Attacks on industrial enterprises using RMS and TeamViewer: new data ∗∗∗ --------------------------------------------- In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another. --------------------------------------------- https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-team… ∗∗∗ Did You Spot "Invoke-Expression"?, (Thu, Nov 5th) ∗∗∗ --------------------------------------------- When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet[1]. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string. --------------------------------------------- https://isc.sans.edu/diary/rss/26762 ∗∗∗ Legacy Mauthtoken Malware Continues to Redirect Mobile Users ∗∗∗ --------------------------------------------- During malware analysis, we regularly find variations of this injected script on various compromised websites: . The variable “_0x446d” assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we’ll end up with the following code: [...] --------------------------------------------- https://blog.sucuri.net/2020/11/legacy-mauthtoken-malware-continues-to-redi… ∗∗∗ BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers ∗∗∗ --------------------------------------------- A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations. --------------------------------------------- https://www.securityweek.com/bec-scammers-exploit-flaw-spoof-domains-racksp… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: BIG-IP Appliances und die Admin-Falle ∗∗∗ --------------------------------------------- Der Netzwerkausrüster F5 hat wichtige Patches zum Absichern verschiedener Appliances veröffentlicht. --------------------------------------------- https://heise.de/-4949448 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bouncycastle, gdm3, and libonig), Fedora (arpwatch, thunderbird, and trousers), openSUSE (chromium, gn), Red Hat (freetype, libX11, thunderbird, and xorg-x11-server), and SUSE (ImageMagick, java-11-openjdk, salt, and wireshark). --------------------------------------------- https://lwn.net/Articles/836238/ ∗∗∗ In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover - CVE-2020-14871 ∗∗∗ --------------------------------------------- FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer’s system and analyzed it to see how it was attacking their Solaris environment. The FLARE team’s Offensive Task Force analyzed the exploit to determine how it worked, reproduced the vulnerability on different versions of Solaris, and then reported it to Oracle. In this blog post we present a description of the [...] --------------------------------------------- https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overfl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily