- Daily - CERT.at

Tageszusammenfassung - 16.10.2020
by Daily end-of-shift report 16 Oct '20

16 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-10-2020 18:00 − Freitag 16-10-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NPM nukes NodeJS malware opening Windows, Linux reverse shells ∗∗∗ --------------------------------------------- NPM has removed multiple packages hosted on its repository this week that established connection to remote servers and exfiltrated user data. These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-nukes-nodejs-malware-ope… ∗∗∗ CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability, (Thu, Oct 15th) ∗∗∗ --------------------------------------------- Highlights - Do not disable IPv6 entirely unless you want to break Windows in interesting ways. - This can only be exploited from the local subnet. - But it may lead to remote code execution / BSOD - PoC exploit is easy, but actual RCE is hard. - Patch For more details, see also the YouTube video I just published: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26684 ∗∗∗ Traffic Analysis Quiz: Ugly-Wolf.net, (Fri, Oct 16th) ∗∗∗ --------------------------------------------- It's that time of the month again... Time for another traffic analysis quiz! This one is from a Windows 10 client logged into an Active Directory (AD) environment. --------------------------------------------- https://isc.sans.edu/diary/rss/26688 ∗∗∗ CVE-2020-15157 "ContainerDrip" Write-up ∗∗∗ --------------------------------------------- CVE-2020-15157: If an attacker publishes a public image with a crafted manifest that directs one of the image layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used by ctr/containerd to access that registry. In some cases, this may be the user’s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other [...] --------------------------------------------- https://darkbit.io/blog/cve-2020-15157-containerdrip ∗∗∗ CMS Drupal: OAuth Server-Modul anfällig für SQL-Injection-Angriffe ∗∗∗ --------------------------------------------- Das OAuth Server-Modul für Drupal 8 benötigt ein Update auf 8.x-1.1. Die neue Version schließt eine "moderat kritische" Lücke. --------------------------------------------- https://heise.de/-4930778 ===================== = Vulnerabilities = ===================== ∗∗∗ VMware Horizon Client update addresses a denial-of-service vulnerability (CVE-2020-3991) ∗∗∗ --------------------------------------------- VMware Horizon Client for Windows contains a denial-of-service vulnerability due to a file system access control issue during install time. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0022.html ∗∗∗ Kritische Lücke in SonicWall Firewall für Denial-of-Service-Angriffe ausnutzbar ∗∗∗ --------------------------------------------- Es stehen Updates für mehrere Versionen von SonicOS bereit, die eine kritische sowie zehn weitere Sicherheitslücken von "Medium" bis "High" beseitigen. --------------------------------------------- https://heise.de/-4930351 ∗∗∗ CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. --------------------------------------------- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020… ∗∗∗ Adobe patches Magento bugs that lead to code execution, customer list tampering ∗∗∗ --------------------------------------------- The out-of-band security update tackles eight critical and important vulnerabilities. --------------------------------------------- https://www.zdnet.com/article/adobe-patches-magento-bugs-that-lead-to-code-… ∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2020 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Jackson Core affect IBM Maximo Asset Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a 3RD PARTY Cryptographc vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-big… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Authentication Bypass (CVE-2020-4493) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerabilities in Apache ActiveMQ affect IBM Operations Analytics Predictive Insights (CVE-2020-11998, CVE-2020-13920) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Resilient SOAR could allow a privileged user to inject malicious commands through Python3 scripting (CVE-2020-4636). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-could-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2020
by Daily end-of-shift report 15 Oct '20

15 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-10-2020 18:00 − Donnerstag 15-10-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Bleedingtooth: Google und Intel warnen vor neuen Bluetooth-Lücken ∗∗∗ --------------------------------------------- Laut Google lässt sich über die Sicherheitslücken Code aus der Ferne ausführen. Intel hat sie veröffentlicht, bevor Patches ausgeliefert wurden. --------------------------------------------- https://www.golem.de/news/bleedingtooth-google-und-intel-warnen-vor-neuen-b… ∗∗∗ Security Analysis of CHERI ISA ∗∗∗ --------------------------------------------- Is it possible to get to a state where memory safety issues would be deterministically mitigated? Our quest to mitigate memory corruption vulnerabilities led us to examine CHERI (Capability Hardware Enhanced RISC Instructions), which provides memory protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits. --------------------------------------------- https://msrc-blog.microsoft.com:443/2020/10/14/security-analysis-of-cheri-i… ∗∗∗ Magento Phishing Leverages JavaScript For Exfiltration ∗∗∗ --------------------------------------------- During a recent investigation, a Magento admin login phishing page was found on a compromised website using the file name wp-order.php. This is an odd file name choice for a Magento phishing page, but nevertheless it successfully loads a legitimate looking Magento 1.x login page. --------------------------------------------- https://blog.sucuri.net/2020/10/magento-phishing-leverages-javascript-for-e… ∗∗∗ [SANS ISC] Nicely Obfuscated Python RAT ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Nicely Obfuscated Python RAT“: While hunting, I found an interesting Python script. It matched one of my YARA rules due to the interesting list of imports but the content itself was nicely obfuscated. --------------------------------------------- https://blog.rootshell.be/2020/10/15/sans-isc-nicely-obfuscated-python-rat/ ∗∗∗ Dockerfile Security Best Practices ∗∗∗ --------------------------------------------- Container security is a broad problem space and there are many low hanging fruits one can harvest to mitigate risks. A good starting point is to follow some rules when writing Dockerfiles. --------------------------------------------- https://cloudberry.engineering/article/dockerfile-security-best-practices/ ∗∗∗ QR code scams are making a comeback ∗∗∗ --------------------------------------------- With QR codes being used more as a means to help create a COVID-19 proof environment, were also seeing a comeback of QR codes scams. --------------------------------------------- https://blog.malwarebytes.com/scams/2020/10/qr-code-scams-are-making-a-come… ∗∗∗ This major criminal hacking group just switched to ransomware attacks ∗∗∗ --------------------------------------------- A newly detailed financial cybercrime group has been conducting attacks around the world since 2016 - but now theyve switched to ransomware because its the biggest and easiest pay day. --------------------------------------------- https://www.zdnet.com/article/this-major-criminal-hacking-group-just-switch… ∗∗∗ New Emotet attacks use fake Windows Update lures ∗∗∗ --------------------------------------------- Emotet diversifies arsenal with new lures to trick users into infecting themselves. --------------------------------------------- https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lu… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034 ∗∗∗ --------------------------------------------- Project: Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) Date: 2020-October-14 Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default Vulnerability: SQL Injection Description: This module enables you login into any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection. Solution: Install the latest version: If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1 --------------------------------------------- https://www.drupal.org/sa-contrib-2020-034 ∗∗∗ Juniper Security Bulletins 2020-10 ∗∗∗ --------------------------------------------- JSA11045 - 2020-10 Security Bulletin: JSA Series: Intel CPUs could allow a local authenticated attacker to obtain sensitive information (CVE-2019-11135) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11045 JSA11046 - 2020-10 Security Bulletin: Junos OS: FreeBSD-SA-20:03.thrmisc: kernel stack data disclosure (CVE-2019-15875) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11046 JSA11047 - 2020-10 Security Bulletin: FreeBSD-SA-19:20.bsnmp : Insufficient message length validation in bsnmp library (CVE-2019-5610) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11047 JSA11048 - 2020-10 Security Bulletin: Junos Space and Junos Space Security Director: Zombie POODLE and GOLDENDOODLE resolved in 20.2R1 release https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11048 JSA11049 - 2020-10 Security Bulletin: Junos OS: When a DHCPv6 Relay-Agent is configured upon receipt of a specific DHCPv6 client message, Remote Code Execution may occur. (CVE-2020-1656) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11049 JSA11050 - 2020-10 Security Bulletin: Junos OS: SRX Series: An attacker sending spoofed packets to IPSec peers may cause a Denial of Service. (CVE-2020-1657) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11050 JSA11053 - 2020-10 Security Bulletin: Junos OS: NFX Series: Multiple vulnerabilities resolved in 20.2R1 release https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11053 JSA11054 - 2020-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packets can cause services card to restart when DNS filtering is configured. (CVE-2020-1660) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11054 JSA11055 - 2020-10 Security Bulletin: Junos OS: Multiple SQLite vulnerabilities resolved. https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11055 JSA11056 - 2020-10 Security Bulletin: Junos OS: jdhcpd process crash when forwarding a malformed DHCP packet. (CVE-2020-1661) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11056 JSA11062 - 2020-10 Security Bulletin: Junos OS: MX series/EX9200 Series: IPv6 DDoS protection does not work as expected. (CVE-2020-1665) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11062 JSA11076 - 2020-10 Security Bulletin: Junos OS: PTX/QFX Series: Kernel Routing Table (KRT) queue stuck after packet sampling a malformed packet when the tunnel-observation mpls-over-udp configuration is enabled. (CVE-2020-1679) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11076 JSA11079 - 2020-10 Security Bulletin: Junos OS: SRX1500, vSRX, SRX4K, NFX150: Denial of service vulnerability executing local CLI command (CVE-2020-1682) --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11079 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0992 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernat… ∗∗∗ Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14195 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM WebSphere Liberty fixed in IBM Security Access Manager Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14062 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Security Vulnerabilities have been identified in IBM Java Runtime as shipped with Tivoli Federated Identity Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Commons Codec vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2020
by Daily end-of-shift report 14 Oct '20

14 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-10-2020 18:00 − Mittwoch 14-10-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Patchday: Aktuelle Updates von Microsoft beugen Angriffen aus der Ferne vor ∗∗∗ --------------------------------------------- Aktive Angriffe auf die zum Patch Tuesday beseitigten, teils kritischen Sicherheitslücken wurden bislang nicht beobachtet. Zügig updaten sollte man dennoch. --------------------------------------------- https://heise.de/-4928145 ∗∗∗ Apples Sicherheitschip T2: Exploit in Aktion gezeigt ∗∗∗ --------------------------------------------- Ein Hackerteam hat demonstriert, wie sich der aktuelle Sicherheitschip im Mac knacken lässt – mit einem simplen manipulierten USB-C-Kabel. --------------------------------------------- https://heise.de/-4928042 ∗∗∗ Vorsicht vor Phishing-Anrufen im Namen von Magenta ∗∗∗ --------------------------------------------- Immer häufiger nutzen Kriminelle das Telefon, um an persönliche Daten zu kommen. Derzeit geben sich BetrügerInnen als Magenta aus und versuchen per Anruf an das Kundenpasswort der Opfer und weitere persönliche Daten zu gelangen. Heben Sie daher bei Anrufen von der Telefonnummer 0800799742 nicht ab! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-phishing-anrufen-im-nam… ===================== = Vulnerabilities = ===================== ∗∗∗ For Foxits sake: Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns ∗∗∗ --------------------------------------------- CISA points spotlight at PDF reader n creator suite Windows and Mac users running Foxits popular PhantomPDF reader should update their installations to the latest version after the US CISA cybersecurity agency warned of a handful of high-severity product vulnerabilities. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2020/10/13/foxit_phanto… ∗∗∗ October 2020 Patch Tuesday: Microsoft fixes potentially wormable Windows TCP/IP RCE flaw ∗∗∗ --------------------------------------------- On this October 2020 Patch Tuesday: Microsoft has plugged 87 security holes, including critical ones in the Windows TCP/IP stack and Microsoft Outlook and Microsoft 365 Apps for Enterprise Adobe has delivered security updates for Adobe Flash Player Intel warns about flaws in BlueZ, the official Linux Bluetooth protocol stack SAP has released 15 security notes and updates to 6 previously released ones. --------------------------------------------- https://www.helpnetsecurity.com/2020/10/13/october-2020-patch-tuesday/ ∗∗∗ SAP-Patchday: Lücke mit Höchstwertung in CA Introscope Enterprise Manager gefixt ∗∗∗ --------------------------------------------- SAP-Admins sollten die verfügbaren Sicherheitsupdates zeitnah unter die Lupe nehmen und wo nötig einspielen. Die Risikoeinstufung "High" ist mehrfach vertreten. --------------------------------------------- https://heise.de/-4928265 ∗∗∗ Vulnerability Spotlight: Information leak vulnerability in Google Chrome WebGL ∗∗∗ --------------------------------------------- Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. The Google Chrome web browser contains a vulnerability that could be exploited by an adversary to carry out a range of malicious actions. Chrome is one of the most popular web browsers currently available to users. Cisco Talos researchers recently discovered a bug in WebGL, which is a Chrome API responsible for displaying 3-D graphics. --------------------------------------------- https://blog.talosintelligence.com/2020/10/vuln-spotlight-chrome-web-gl-inf… ∗∗∗ SonicWall VPN Portal Critical Flaw (CVE-2020-5135) ∗∗∗ --------------------------------------------- Tripwire VERT has identified a stack-based buffer overflow in SonicWall Network Security Appliance (NSA). The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access. --------------------------------------------- https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critic… ∗∗∗ Kubernetes AWS IAM Integration Issues ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020100083 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0975 ∗∗∗ Trend Micro AntiVirus for Mac: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0977 ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in the Bluetooth Module of Some Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-… ∗∗∗ Security Advisory - JavaScript Injection Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201014-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Apache Derby as used by IBM QRadar SIEM is vulnerable to Improper Input Validation (CVE-2018-1313) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-derby-as-used-by-i… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Unzip as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2019-13232) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-unzip-as-used-by-ibm-qrad… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2020-4528) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2020
by Daily end-of-shift report 13 Oct '20

13 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Montag 12-10-2020 18:00 − Dienstag 13-10-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Update can be abused to execute malicious programs ∗∗∗ --------------------------------------------- The Windows Update client has just been added to the list of living-off-the-land binaries (LoLBins) attackers can use to execute malicious code on Windows systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-update-can-be-abused… ∗∗∗ Angreifer auf US-Regierungsnetzwerke kombinieren "Zerologon" mit weiteren Lücken ∗∗∗ --------------------------------------------- Sicherheitslücken in FortiOS und MobileIron Core & Connector werden mit Zerologon zu einer Exploit-Chain verwoben, warnen CISA und FBI. --------------------------------------------- https://heise.de/-4927692 ∗∗∗ 55 Sicherheitslücken bei Apple‑Diensten entdeckt ∗∗∗ --------------------------------------------- Fünf Hacker haben in einem Zeitraum von nur 3 Monaten fast 300.000 US-Dollar an Bug-Bounty-Belohnungen erhalten --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/10/13/55-sicherheitsluecken-bei… ∗∗∗ Anatomy of Ryuk Attack: 29 Hours From Initial Email to Full Compromise ∗∗∗ --------------------------------------------- An attack involving the Ryuk ransomware required 29 hours from an email being sent to the target to full environment compromise and the encryption of systems, according to the DFIR Report, a project that provides threat intelligence from real attacks observed by its honeypots. --------------------------------------------- https://www.securityweek.com/anatomy-ryuk-attack-29-hours-initial-email-ful… ∗∗∗ Study Finds 400,000 Vulnerabilities Across 2,200 Virtual Appliances ∗∗∗ --------------------------------------------- Virtual appliances, even if they are provided by major software or cybersecurity vendors, can pose a serious risk to organizations, according to a report published on Tuesday by cloud visibility firm Orca Security. --------------------------------------------- https://www.securityweek.com/study-finds-400000-vulnerabilities-across-2200… ∗∗∗ Diese Scamming-Maschen sollten Sie kennen ∗∗∗ --------------------------------------------- Scamming, ein Sammelbegriff für zahlreiche Betrugsmaschen. Aber was ist Scamming? Mit Sicherheit kamen auch Sie bereits mit dieser Betrugsmasche in Berührung oder haben zumindest bereits davon gehört! Hier erfahren Sie mehr über die gängigsten Vorschussbetrugsmaschen und wie Sie sich davor schützen! --------------------------------------------- https://www.watchlist-internet.at/news/diese-scamming-maschen-sollten-sie-k… ∗∗∗ Red Team deckt IAM-Schwächen auf ∗∗∗ --------------------------------------------- Ein Red Team von Palo Alto Networks hat aufgezeigt, wie Angreifer gezielt Lücken und Fehlkonfigurationen im Identity und Access Management (IAM) in der Cloud ausnutzen, um an kritische Informationen zu gelangen. --------------------------------------------- https://www.zdnet.de/88388335/red-team-deckt-iam-schwaechen-auf/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates Available for Adobe Flash Player (APSB20-58) ∗∗∗ --------------------------------------------- Adobe has released security updates for Adobe Flash Player (APSB20-58) for Windows, macOS, Linux and Chrome OS. These updates address a vulnerability rated Critical in Adobe Flash Player. Successful exploitation could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1925 ∗∗∗ SSA-384879 (Last Update: 2020-10-13): Authentication Bypass Vulnerability in SIPORT MP ∗∗∗ --------------------------------------------- SIPORT MP version 3.2.1 fixes an authentication bypass vulnerability which could enable an attacker to impersonate other users of the system and perform administrative actions. Siemens recommends to apply the update. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-384879.txt ∗∗∗ SSA-226339 (Last Update: 2020-10-13): Multiple Web Application Vulnerabilities in Desigo Insight ∗∗∗ --------------------------------------------- The latest hotfix for Desigo Insight fixes three vulnerabilities that have been identified in the web server, including SQL injection (CVE-2020-15792), clickjacking (CVE-2020-15793), and full path disclosure (CVE-2020-15794). Siemens recommends updating to the latest version of Desigo Insight and to apply the hotfix. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-226339.txt ∗∗∗ Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions ∗∗∗ --------------------------------------------- Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges. The flaws could allow unprivileged Windows users to run code with SYSTEM privileges, a vulnerability note from the CERT Coordination Center (CERT/CC) reveals. --------------------------------------------- https://www.securityweek.com/acronis-patches-privilege-escalation-flaws-bac… ∗∗∗ SAP Patchday Oktober 2020 ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in SAP Produkten und Anwendungskomponenten ausnutzen, um die Vertraulichkeit, Verfügbarkeit und die Integrität der Anwendungen zu gefährden. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0972 ∗∗∗ Citrix Gateway Plug-in for Windows Security Update ∗∗∗ --------------------------------------------- Vulnerabilities have been identified in Citrix Gateway Plug-in for Windows that, if exploited, could result in a local user escalating their privilege level to SYSTEM. --------------------------------------------- https://support.citrix.com/article/CTX282684 ∗∗∗ IPAS: Security Advisories for October 2020 ∗∗∗ --------------------------------------------- Hi everyone, For October 2020, we are releasing just one security advisory addressing two vulnerabilities in the BlueZ open-source Bluetooth stack. Affected Linux users are encouraged to update to Linux kernel version 5.9 or later. More information can be found in INTEL-SA-00435 and at www.bluez.org. --------------------------------------------- https://blogs.intel.com/technology/2020/10/ipas-security-advisories-for-oct… ∗∗∗ Remote Desktop Services Remote Code Execution Vulnerability in Rexroth Industrial PCs ∗∗∗ --------------------------------------------- BOSCH-SA-856281: Microsoft has published information [1] for several versions of Microsoft Windows XP Microsoft Windows XP embedded Microsoft Windows 7 and Microsoft Windows 7 Embedded Standard regarding a vulnerability in the Remote Desktop Service. The vulnerability could allow an unauthenticated remote attacker to execute arbitrary code on the target system if the system exposes the service to the network. Rexroth Industrial PCs on these operating systems are affected by this vulnerability. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-856281.html ∗∗∗ Webmin: Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0973 ∗∗∗ BSRT-2020-003 Vulnerability in UEM Core Impacts BlackBerry UEM ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4557 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4698 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerability in Docker affects Cloud Pak Sytem (CVE-2020-13401) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-docker-a… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Qemu affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2020
by Daily end-of-shift report 12 Oct '20

12 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-10-2020 18:00 − Montag 12-10-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sophisticated Android Ransomware Executes with the Home Button ∗∗∗ --------------------------------------------- The malware also has a unique machine-learning module. --------------------------------------------- https://threatpost.com/android-ransomware-home-button/160001/ ∗∗∗ Open Packaging Conventions, (Sat, Oct 10th) ∗∗∗ --------------------------------------------- Office files like .docx, .xlsm, ... are Office Open XML (OOXML) files: a ZIP container containing XML files and possibly other file types. --------------------------------------------- https://isc.sans.edu/diary/rss/26662 ∗∗∗ Operation TrickBot – ein globaler Schlag gegen das Botnetz ∗∗∗ --------------------------------------------- ESET Forscher unterstützten den erfolgreichen Schlag gegen eines der größten Botnetze und Schadcode-Verbreiter. --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/10/12/operation-trickbot-eset-i… ∗∗∗ Deepfake Voice Technology Iterates on Old Phishing Strategies ∗∗∗ --------------------------------------------- As the world of AI and deepfake technology grows more complex, the risk that deepfakes pose to firms and individuals grows increasingly potent. This growing sophistication of the latest software and algorithms has allowed malicious hackers, scammers and cyber criminals who work tirelessly behind the scenes to stay one step ahead of the authorities, making [...] --------------------------------------------- https://www.tripwire.com/state-of-security/featured/deepfake-voice-technolo… ∗∗∗ Vorsicht vor dem Fake-Shop sport-monkey.de! ∗∗∗ --------------------------------------------- Über das Wochenende erreichten die Watchlist Internet unzählige Meldungen zu dem Online-Shop sport-monkey.de. Dieser bietet ein breites Sortiment an Sportausrüstung zu schier unglaublichen Preisen an. Die Preise sind aus einem einzigen Grund so niedrig: Es handelt sich um einen Fake-Shop, der trotz Zahlung per Vorkasse keine Waren liefert. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dem-fake-shop-sport-mon… ∗∗∗ Event Report - A convenient mechanism to edit, visualize and share reports ∗∗∗ --------------------------------------------- MISP is widely known as a powerful tool to gather, correlate and share information. As a response to the growing information-sharing maturity of the community, more features have been introduced over the past few years to meet analyst skills and requirements. --------------------------------------------- https://www.misp-project.org/2020/10/08/Event-Reports.html ∗∗∗ Hacker nutzen Bugs in VPN und Windows Netlogon ∗∗∗ --------------------------------------------- Angreifer verschaffen sich Zugang zu Behördennetzwerken, indem sie gezielt Schwachstellen in VPN-Systemen und Windows Netlogon ausnutzen. --------------------------------------------- https://www.zdnet.de/88383319/hacker-nutzen-bugs-in-vpn-und-windows-netlogo… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- A previous version of this bulletin had links to hotfixes that addressed the security issues but caused stability issues for some deployments that were using the Hypervisor Introspection (HVI) functionality of Citrix Hypervisor. Customers who are not using HVI functionality and who have already applied the earlier updates need take no further action. --------------------------------------------- https://support.citrix.com/article/CTX282314 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0970 ∗∗∗ phpMyAdmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0969 ∗∗∗ Reflected Cross-Site Scripting and Unauthenticated Malicious File Upload in Sage DPW ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/reflected-cross-site-scripting… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to HTML injection. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to deserialization of untrusted data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4386) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM InfoSphere Metadata Asset Manager is vulnerable to stored cross-site scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-a… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an SQLite vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to buffer overflow leading to a privileged escalation (CVE-2020-4363) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure and denial of service (CVE-2020-4414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure. (CVE-2020-4387) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service attack (CVE-2020-4420) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2020
by Daily end-of-shift report 09 Oct '20

09 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-10-2020 18:00 − Freitag 09-10-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Phishing kits as far as the eye can see, (Fri, Oct 9th) ∗∗∗ --------------------------------------------- If you've never delved too deep into the topic of phishing kits, you might quite reasonably expect that they would be the sort of tools, which are traded almost exclusively on dark web marketplaces. This is however not the case. --------------------------------------------- https://isc.sans.edu/diary/rss/26660 ∗∗∗ Firebase: Google Cloud’s Evil Twin - Excerpt ∗∗∗ --------------------------------------------- Firebase is the most popular developer tool that security has never heard of. We will bring its numerous flaws to light. --------------------------------------------- https://www.sans.org/blog/firebase-google-cloud-s-evil-twin-condensed ∗∗∗ BSI-Team räumt bei CHES-Challenge alle Preise ab ∗∗∗ --------------------------------------------- Vom 14. bis 18. September 2020 veranstaltete die International Association for Cryptologic Research (IACR) die Conference on Cryptographic Hardware and Embedded Systems (CHES). Die CHES ist die weltweit größte und renommierteste hardwarenahe Kryptographietagung. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/CHES-Challe… ∗∗∗ verbraucherclub.de: Warnung vor unseriösen Werbeschaltungen! ∗∗∗ --------------------------------------------- Haben Sie bereits von der Smartwatch „KoreTrak“ gehört, die ein Lebensretter für SeniorInnen sein soll? Oder von der LiveWave Antenna, die Ihnen gratis Fernsehen ins Wohnzimmer zaubert? Wenn ja, dann sind Sie wohl auf eine unseriöse Werbeschaltung von verbraucherclub.de gestoßen. --------------------------------------------- https://www.watchlist-internet.at/news/verbraucherclubde-warnung-vor-unseri… ∗∗∗ Microsoft Exchange CVE-2020-0688 Revisited -- in zwei Akten ∗∗∗ --------------------------------------------- Im April veröffentlichten wir einen Blogpost über Microsoft Exchange Server, die für die bereits im Februar 2020 gepatchte Lücke CVE-2020-0688 anfällig waren. --------------------------------------------- https://cert.at/de/aktuelles/2020/10/microsoft-exchange-cve-2020-0688-revis… ===================== = Vulnerabilities = ===================== ∗∗∗ Apples T2: Wenn der Sicherheitschip zum Keylogger wird ∗∗∗ --------------------------------------------- Eigentlich soll Apples T2-Chip für Sicherheit sorgen, ein Forscherteam könnte ihn jedoch in einen Keylogger umwandeln. --------------------------------------------- https://www.golem.de/news/apples-t2-wenn-der-sicherheitschip-zum-keylogger-… ∗∗∗ We Hacked Apple for 3 Months: Here’s What We Found ∗∗∗ --------------------------------------------- During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victims iCloud account, retrieve source code for internal Apple projects, [...] --------------------------------------------- https://samcurry.net/hacking-apple/ ∗∗∗ Credit card skimmer targets virtual conference platform ∗∗∗ --------------------------------------------- Criminals have gone after an online conference platform to steal credit card data from virtual attendees. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2020/10/credit-card-skimmer… ∗∗∗ Security Bulletin: An XPath vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4774) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-xpath-vulnerability-ma… ∗∗∗ Security Bulletin: IBM Cúram Social Program Management uses MD5 algorithm (CVE-2020-4778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cram-social-program-m… ∗∗∗ Security Bulletin: A cross-site scripting (XSS) vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4775) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xs… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: An improper input validation vulnerability may impact IBM Cúram Social Program Management (CVE-2020-4781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-improper-input-validat… ∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service via Kubernetes (CVE-2020-8557, CVE-2020-8559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in IBM Security Access Manager and IBM Security Verify Access (CVE-2020-4661, CVE-2020-4699, CVE-2020-4660) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service (CVE-2020-16845) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2020
by Daily end-of-shift report 08 Oct '20

08 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-10-2020 18:00 − Donnerstag 08-10-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ SiteCheck Malware Report: September Summary ∗∗∗ --------------------------------------------- In September alone, a total of 17,138,086 website scans were performed using SiteCheck. Of those scans, 178,299 infected sites were detected. --------------------------------------------- https://blog.sucuri.net/2020/10/sitecheck-malware-report-september-summary.… ∗∗∗ Researchers Find Vulnerabilities in Microsoft Azure Cloud Service ∗∗∗ --------------------------------------------- Now according to the latest research, two security flaws in Microsoft's Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server. ... Discovered by Paul Litvak of Intezer Labs, the flaws were reported to Microsoft in June, after which the company subsequently addressed them. --------------------------------------------- https://thehackernews.com/2020/10/microsoft-azure-vulnerability.html ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP NAS: Neue Version der Helpdesk-App beseitigt zwei kritische Lücken ∗∗∗ --------------------------------------------- Die Helpdesk-App für Netzwerkspeicher von QNAP wies zwei Sicherheitslücken auf, über die Angreifer die Kontrolle über die Geräte hätten erlangen können. --------------------------------------------- https://heise.de/-4923916 ∗∗∗ Multiple Cross-Site Scripting Vulnerabilities in Confluence Marketplace Plugins ∗∗∗ --------------------------------------------- Multiple Confluence Plugins from different vendors are affected by stored cross-site scripting vulnerabilities which allow attackers to inject malicious JavaScript code into Confluence pages. PlantUML, Refined Toolkit for Confluence, Linking for Confluence, Countdown Timer, Server Status Business recommendation: Update to the latest versions of the plugins. --------------------------------------------- https://sec-consult.com/./en/blog/advisories/multiple-cross-site-scripting-… ∗∗∗ Vulnerability Exposes Over 4 Million Sites Using WPBakery ∗∗∗ --------------------------------------------- On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. [...] a final sufficient patch was released on September 24, 2020. We highly recommend updating to the latest version, 6.4.1 as of today, immediately. --------------------------------------------- https://www.wordfence.com/blog/2020/10/vulnerability-exposes-over-4-million… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat eine Reihe von Security Bulletins veröffentlicht: * https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… * https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… * https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Angreifer könnten Videoüberwachung von Cisco deaktivieren ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat wichtige Patches für unter anderem Überwachungskameras und die Online-Meeting-Software Webex veröffentlicht. Liste nach Bedrohungsgrad absteigend sortiert: * Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service * Webex Teams Client for Windows DLL Hijacking * Identity Services Engine Authorization Bypass * Industrial Network Director Denial of Service * Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Memory Leak * Vision Dynamic Signage Director Missing Authentication * SD-WAN vManage Cross-Site Scripting * StarOS Privilege Escalation * Expressway Series and TelePresence Video Communication Server Denial of Service * Email Security Appliance URL Filtering Bypass * Nexus Data Broker Software Path Traversal * Firepower Management Center Cross-Site Scripting * Identity Services Engine Cross-Site Scripting * StarOS Privilege Escalation --------------------------------------------- https://heise.de/-4924026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2020
by Daily end-of-shift report 07 Oct '20

07 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-10-2020 18:00 − Mittwoch 07-10-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Backdoor Shell Dropper Deploys CMS-Specific Malware ∗∗∗ --------------------------------------------- A large majority of the malware we find on compromised websites are backdoors that allow an attacker to maintain unauthorized access to the site and execute whatever commands they want. --------------------------------------------- https://blog.sucuri.net/2020/10/backdoor-shell-dropper-deploys-cms-specific… ∗∗∗ Alert (AA20-280A): Emotet Malware ∗∗∗ --------------------------------------------- Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa20-280a ∗∗∗ New HEH botnet can wipe routers and IoT devices ∗∗∗ --------------------------------------------- The disk-wiping feature is present in the code but has not been used yet. --------------------------------------------- https://www.zdnet.com/article/new-heh-botnet-can-wipe-routers-and-iot-devic… ∗∗∗ Betrügerische Post-Mail verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Derzeit werden betrügerische E-Mails im Namen der Post willkürlich an zahlreiche EmpfängerInnen versendet. Die Kriminellen drohen den Opfern mit einer Geldstrafe, da bestimmte Kosten noch nicht bezahlt wurden. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-post-mail-verbreitet-… ===================== = Vulnerabilities = ===================== ∗∗∗ Enter the Vault: Authentication Issues in HashiCorp Vault ∗∗∗ --------------------------------------------- Posted by Felix Wilhelm, Project Zero: In this blog post I'll discuss two vulnerabilities in HashiCorp Vault and its integration with Amazon Web Services (AWS) and Google Cloud Platform (GCP). --------------------------------------------- https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-… ∗∗∗ 90 days, 16 bugs, and an Azure Sphere Challenge ∗∗∗ --------------------------------------------- Cisco Talos reports 16 vulnerabilities in Microsoft Azure Spheres sponsored research challenge. --------------------------------------------- https://blog.talosintelligence.com/2020/10/Azure-Sphere-Challenge.html ∗∗∗ Security Bulletin: Security vulnerabilities in OpenSSH and OpenSSL shipped with IBM Security Access Manager Appliance (CVE-2018-15473, CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Node.js (CVE-2019-15606, CVE-2019-15604, CVE-2019-15605) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache commons beanutils 1.9.2 library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in MySQL. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to a denial of service (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache Commons vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2020
by Daily end-of-shift report 06 Oct '20

06 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Montag 05-10-2020 18:00 − Dienstag 06-10-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hacker group compromises mobile provider to steal credit cards ∗∗∗ --------------------------------------------- Credit card skimming group Fullz House has compromised and injected the website of US mobile virtual network operator (MVNO) Boom! Mobile with a credit card stealer script. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-group-compromises-mob… ∗∗∗ Ransomware threat surge, Ryuk attacks about 20 orgs per week ∗∗∗ --------------------------------------------- Malware researchers monitoring ransomware threats noticed a sharp increase in these attacks over the past months compared to the first six months of 2020. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-threat-surge-ryuk… ∗∗∗ Obfuscation and Repetition, (Mon, Oct 5th) ∗∗∗ --------------------------------------------- The obfuscated payload of a maldoc submitted by a reader can be quickly extracted with the "strings method" I explained in diary entry "Quickie: String Analysis is Still Useful". --------------------------------------------- https://isc.sans.edu/diary/rss/26648 ∗∗∗ Release the Kraken: Fileless APT attack abuses Windows Error Reporting service ∗∗∗ --------------------------------------------- We discovered a new attack that injected its payload—dubbed "Kraken" into the Windows Error Reporting (WER) service as a defense evasion mechanism. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuse… ∗∗∗ Betrug auf Amazon erkennen: So geht‘s ∗∗∗ --------------------------------------------- Auch auf Amazon können Sie auf betrügerische Angebote stoßen. Das Positive jedoch vorweg: Ein betrügerisches Angebot kann schnell entlarvt werden, indem Sie sich das Profil der Marketplace-HändlerInnen genauer ansehen. Werden Sie dort aufgefordert, sich vor einer Bestellung per E-Mail an den Verkäufer/ die Verkäuferin zu wenden, handelt es sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-auf-amazon-erkennen-so-gehts/ ∗∗∗ 5 steps to secure your connected devices ∗∗∗ --------------------------------------------- As we steadily adopt smart devices into our lives, we shouldn’t forget about keeping them secured and our data protected. --------------------------------------------- https://www.welivesecurity.com/2020/10/05/5-steps-secure-connected-devices/ ===================== = Vulnerabilities = ===================== ∗∗∗ Smart male chastity lock cock-up ∗∗∗ --------------------------------------------- TL;DR Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/smart-male-chastity-lock-cock… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Multiple Jackson-Databind CVEs – February 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM DataPower Gateway is potentially vulnerable to a Denial of Service (CVE-2020-14147) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-is-… ∗∗∗ Security Bulletin: IBM DataPower Gateway can expose remote credentials to local users (CVE-2020-4528) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-can… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities fixed in IBM WebSphere Liberty as shipped in IBM Security Access Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Cross-Site Scripting (XSS) fixed in IBM Security Access Manager 9.0.7.2 (CVE-2019-4725) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-xss-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM DataPower Gateway may allow a potential DoS when importing malicious ZIP files (CVE-2019-13232) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-may… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Python vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ October 2020 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2020-10-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2020
by Daily end-of-shift report 05 Oct '20

05 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-10-2020 18:00 − Montag 05-10-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MosaicRegressor: Lurking in the Shadows of UEFI ∗∗∗ --------------------------------------------- We found a compromised UEFI firmware image that contained a malicious implant. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild. --------------------------------------------- https://securelist.com/mosaicregressor/98849/ ∗∗∗ Egregor Ransomware Threatens ‘Mass-Media’ Release of Corporate Data ∗∗∗ --------------------------------------------- The newly discovered ransomware is hitting companies worldwide, including the GEFCO global logistics company. --------------------------------------------- https://threatpost.com/egregor-ransomware-mass-media-corporate-data/159816/ ∗∗∗ Scanning for SOHO Routers, (Sat, Oct 3rd) ∗∗∗ --------------------------------------------- In the past 30 days lots of scanning activity looking for small office and home office (SOHO) routers targeting Netgear. --------------------------------------------- https://isc.sans.edu/diary/rss/26638 ∗∗∗ Raccine-Tool soll Schattenkopien von Windows vor Ransomware schützen ∗∗∗ --------------------------------------------- Erpressungstrojaner verschlüsseln Dateien und löschen Daten, die Opfer zur Wiederherstellung nutzen könnten. Das Gratis-Tool Raccine will Hilfe anbieten. --------------------------------------------- https://heise.de/-4920206 ∗∗∗ Attacks Aimed at Disrupting the Trickbot Botnet ∗∗∗ --------------------------------------------- Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations. --------------------------------------------- https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbo… ∗∗∗ Black-T: New Cryptojacking Variant from TeamTnT ∗∗∗ --------------------------------------------- Code within the Black-T malware sample gives evidence of a shift in tactics, techniques and procedures for TeamTnT operations. --------------------------------------------- https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/ ∗∗∗ Shodan Verified Vulns 2020-10-05 ∗∗∗ --------------------------------------------- Wie in unserem Blogpost vom September angekündigt, wollen wir monatlich einen Überblick zu Shodans "Verified Vulnerablilities" in Österreich bieten. --------------------------------------------- https://cert.at/de/aktuelles/2020/10/shodan-verified-vulns-2020-10-05 ===================== = Vulnerabilities = ===================== ∗∗∗ Tenda Router Zero-Days Emerge in Spyware Botnet Campaign ∗∗∗ --------------------------------------------- A variant of the Mirai botnet, called Ttint, has added espionage capabilities to complement its denial-of-service functions. --------------------------------------------- https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/ ∗∗∗ Dringend patchen: Rund eine viertel Million Exchange-Server angreifbar ∗∗∗ --------------------------------------------- Kriminelle nutzen eine Lücke in Microsoft Exchange, um Server zu übernehmen. Dabei gibt es seit Februar einen Patch. --------------------------------------------- https://heise.de/-4920095 ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration Operators affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- Operators for BM Cloud Pak for Integration (CP4I) version 2020.2 are affected by vulnerabilities in Go prior to Go version 1.14.7. --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Multiple critical vulnerabilities in RocketLinx Series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilitie… ∗∗∗ WAGO: XSS vulnerability in Web-UI in WAGO 750-88X and WAGO 750-89X ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-029 ∗∗∗ WAGO: Vulnerability in web-based authentication in WAGO 750-8XX Version <= FW07 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-027 ∗∗∗ WAGO: Authentication Bypass Vulnerability in WAGO 750-36X and WAGO 750-8XX Versions <= FW03 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-028 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2020
by Daily end-of-shift report 02 Oct '20

02 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-10-2020 18:00 − Freitag 02-10-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sichere Software entwickeln mit OWASP SAMM ∗∗∗ --------------------------------------------- Sicherheit ist im gesamten Entwicklungsprozess wichtig, und OWASP SAMM bietet ein flexibles Rahmenwerk zur Umsetzung. --------------------------------------------- https://heise.de/-4918292 ∗∗∗ Common Ways Attackers Are Stealing Credentials ∗∗∗ --------------------------------------------- A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense. --------------------------------------------- https://www.wordfence.com/blog/2020/10/common-ways-attackers-are-stealing-c… ∗∗∗ Massenhaft gefälschte Post-Mails: So entlarven Sie den Betrug! ∗∗∗ --------------------------------------------- Derzeit versenden BetrügerInnen zahlreiche E-Mails im Namen der Post. Die Kriminellen täuschen darin vor, dass Versandkosten fehlen und ein Paket daher nicht zugestellt werden könne. Tatsächlich handelt es sich um einen sogenannten „Phishing-Versuch“. Die Kriminellen versuchen so an Ihre Zugangsdaten zu kommen. Wir erklären Ihnen, wie Sie den Betrug entlarven! --------------------------------------------- https://www.watchlist-internet.at/news/massenhaft-gefaelschte-post-mails-so… ∗∗∗ New service checks if your email was used in Emotet attacks ∗∗∗ --------------------------------------------- A new service has been launched that allows you to check if an email domain or address was in an Emotet spam campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-service-checks-if-your-e… ∗∗∗ QR Codes: A Sneaky Security Threat ∗∗∗ --------------------------------------------- What to watch out for, and how to protect yourself from malicious versions of these mobile shortcuts. --------------------------------------------- https://threatpost.com/qr-codes-sneaky-security-threat/159757/ ∗∗∗ Serious Security: Phishing without links - when phishers bring along their own web pages ∗∗∗ --------------------------------------------- How do you "check the URL before you click" if the web page youre visiting is already on your own computer? --------------------------------------------- https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-witho… ∗∗∗ GFX Xsender Hack Tool: A Spam Mailer ∗∗∗ --------------------------------------------- PHP hack tools are created and used by attackers to help automate frequent or tedious tasks. During a recent investigation, we came across a hack tool used to simplify the process of sending predefined HTML emails to a list of email addresses. The tool runs on top of PHPMailer’s library, which handles the connection and sending of the malicious emails. The hack tool also grants the ability to authenticate to an email address on a remote server. --------------------------------------------- https://blog.sucuri.net/2020/10/gfx-xsender-hack-tool-a-spam-mailer.html ∗∗∗ [SANS ISC] Analysis of a Phishing Kit ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Analysis of a Phishing Kit“: Sometimes, attackers make mistakes and allow security researchers to access interesting resources. This time, it’s another phishing kit that was left in the wild on the compromised server. --------------------------------------------- https://blog.rootshell.be/2020/10/02/sans-isc-analysis-of-a-phishing-kit/ ===================== = Vulnerabilities = ===================== ∗∗∗ macOS 10.14.6 Supplemental Update ∗∗∗ --------------------------------------------- macOS 10.14.6 Supplemental Update for macOS Mojave includes the security content of Safari 14.0. --------------------------------------------- https://support.apple.com/kb/HT211872 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jruby and ruby2.3), Fedora (crun, pdns, and podman), openSUSE (go1.14 and kernel), Oracle (qemu-kvm and virt:ol), Red Hat (qemu-kvm-ma and thunderbird), SUSE (nodejs10, nodejs12, perl-DBI, permissions, and xen), and Ubuntu (ntp). --------------------------------------------- https://lwn.net/Articles/833343/ ∗∗∗ Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ruby-o… ∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2020-8166). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o… ∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2020-8164). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Pak for Data – Node.js (CVE-2020-8203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to CVE-2019-11324 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-s… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Authentication Bypass (CVE-2020-4493) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Cúram Social Program Management (177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Multiple IBM DB2 Server Security Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-ibm-db2-server-s… ∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affect IBM Operations Analytics – Log Analysis (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Multiple Vulnerabilities in SevOne Network Management System (NMS) ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-se… ∗∗∗ PHP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0949 ∗∗∗ Trend Micro AntiVirus for Mac: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0948 ∗∗∗ Bitdefender Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0947 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2020
by Daily end-of-shift report 01 Oct '20

01 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-09-2020 18:00 − Donnerstag 01-10-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Über die Verantwortung, die mit guter JavaScript-Unterstützung einhergeht ∗∗∗ --------------------------------------------- Warum Websites und Apps nicht zwangsläufig "ohne JavaScript funktionieren" müssen - aber sie und wir JavaScript verantwortungsvoller verwenden könnten. --------------------------------------------- https://heise.de/-4907606 ∗∗∗ Keine WhatsApp-Nachrichten für Emojis und Smileys teilen! ∗∗∗ --------------------------------------------- Gehäuft werden WhatsApp-Nachrichten von Kriminellen verschickt, die kostenlose Angebote bewerben und zur weiteren Verbreitung auffordern. Derzeit kursiert eine Betrugsnachricht, die neue Emojis für WhatsApp verspricht, wenn sie 20 mal geteilt wird. Die Nachricht ist fake und führt zu weiteren unseriösen Angeboten. --------------------------------------------- https://www.watchlist-internet.at/news/keine-whatsapp-nachrichten-fuer-emoj… ∗∗∗ Phishing mit Captchas ∗∗∗ --------------------------------------------- Eine Flut von Phishing-E-Mails mit dem Ziel Microsoft Office 365 setzt Captchas ein, um die Opfer in ein Gefühl der Sicherheit zu wiegen. --------------------------------------------- https://www.zdnet.de/88383103/phishing-mit-captchas/ ∗∗∗ IOCs turning into IOOIs, (Thu, Oct 1st) ∗∗∗ --------------------------------------------- Remember, back in the days, when the anti-virus vendors looked with derision at some of their competition, exclaiming "But they are using just SIGNATURES. Our tool detects BEHAVIOURS". That was like 15 years ago. Fast forward to today, with many of the same vendors now selling "threat intelligence feeds" for good money, and the most frequent attributes pushed over these feeds are MD5/SHA1 hashes and IP addresses. The main thing that changed is that we now call these items [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26624 ∗∗∗ Network Detection for ZeroLogon (CVE-2020-1472) ∗∗∗ --------------------------------------------- ZeroLogon has quickly become popular and well known because of multiple proofs of concept and exploits implemented in Python, .NET, Powershell, and Mimikatz implemented a module for it. So if you are an attacker or need to test your environment then you have plenty of options. As defenders, we also have options for detection on the network. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/network-det… ∗∗∗ Evasive URLs in Spam: Part 2 ∗∗∗ --------------------------------------------- A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-url… ∗∗∗ Detecting Microsoft 365 and Azure Active Directory Backdoors ∗∗∗ --------------------------------------------- Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of password spraying, password stuffing, or simple brute force attempts against M365 tenants. In almost all of these incidents, the user or account was not protected by multi-factor authentication (MFA). --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365… ∗∗∗ Three immediate steps to take to protect your APIs from security risks ∗∗∗ --------------------------------------------- In one form or another, APIs have been around for years, bringing the benefits of ease of use, efficiency and flexibility to the developer community. The advantage of using APIs for mobile and web apps is that developers can build and deploy functionality and data integrations quickly. API security posture But there is a huge downside to this approach. --------------------------------------------- https://www.helpnetsecurity.com/2020/10/01/api-security-posture/ ∗∗∗ A complete stranger controlled this woman’s home security system, but they’re not the one she’s angry with ∗∗∗ --------------------------------------------- Imagine being contacted by a complete stranger via Facebook, and them telling you that they have complete control over the security system in your new home. --------------------------------------------- https://www.bitdefender.com/box/blog/iot-news/complete-stranger-controlled-… ∗∗∗ IPStorm botnet expands from Windows to Android, Mac, and Linux ∗∗∗ --------------------------------------------- IPStorm botnet quadruples in size to reach 13,500 infected systems. --------------------------------------------- https://www.zdnet.com/article/ipstorm-botnet-expands-from-windows-to-androi… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Flaws Discovered in Popular Industrial Remote Access Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have found critical security flaws in two popular industrial remote access systems that can be exploited to ban access to industrial production floors, hack into company networks, tamper with data, and even steal sensitive business secrets. The flaws, discovered by Tel Aviv-based OTORIO, were identified in B&R Automations SiteManager and GateManager, and MB Connect [...] --------------------------------------------- https://thehackernews.com/2020/10/industrial-remote-access.html ∗∗∗ Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow ∗∗∗ --------------------------------------------- The vulnerability is caused due to a boundary error in the processing of received FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited to cause a stack-based buffer overflow when a user issues a POST request to connect to a malicious FTP server. Successful exploitation could allow execution of arbitrary code on the affected device or cause denial of service scenario. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php ∗∗∗ Vulnerability Spotlight: Remote code execution bugs in NVIDIA D3D10 driver ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple remote code execution vulnerabilities in the NVIDIA D3D10 driver. This driver supports multiple GPUs that NVIDIA produces. An adversary could exploit these vulnerabilities by supplying the user with a malformed shader, eventually allowing them to execute code on the victim machine. These bugs could also allow the attacker to perform a guest-to-host escape through Hyper-V [...] --------------------------------------------- https://blog.talosintelligence.com/2020/09/vuln-spotlight-nvidia-d3d10-.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-json-jwt and ruby-rack-cors), Fedora (xen), SUSE (aspell and tar), and Ubuntu (ruby-gon, ruby-kramdown, and ruby-rack). --------------------------------------------- https://lwn.net/Articles/833191/ ∗∗∗ Broken access control in Platinum Mobile ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/broken-access-control-in-plati… ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0946 ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2020-13935) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: IBM Cloud Pak System is affected by a vulnerability in VMware component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-a… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is affected by multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: A vulnerability in Netty affects IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec Affects IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2020
by Daily end-of-shift report 30 Sep '20

30 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-09-2020 18:00 − Mittwoch 30-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake software crack sites used to push Exorcist 2.0 Ransomware ∗∗∗ --------------------------------------------- The threat actors behind the Exorcist 2.0 ransomware are using malicious advertising to redirect victims to fake software crack sites that distribute their malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-software-crack-sites-us… ∗∗∗ Over 247K Exchange servers unpatched for actively exploited flaw ∗∗∗ --------------------------------------------- More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-247k-exchange-servers-u… ∗∗∗ Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise ∗∗∗ --------------------------------------------- A new report from Microsoft shows it is clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to identify. --------------------------------------------- https://www.microsoft.com/security/blog/2020/09/29/microsoft-digital-defens… ∗∗∗ Its 2020 so not only is your mouse config tool a Node.JS Electron app, its also pwnable by an evil webpage ∗∗∗ --------------------------------------------- Malicious JavaScript can inject commands to execute Earlier this year, peripheral maker Kensington patched its desktop software to close a vulnerability that could have been exploited by malicious websites to quietly hijack victims computers. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2020/09/30/kensingtonwo… ∗∗∗ LodaRAT Update: Alive and Well ∗∗∗ --------------------------------------------- By Chris Neal. During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality. Multiple new versions of LodaRAT have been spotted being used in the wild. These new versions of LodaRAT abandoned their previous obfuscation techniques. Direct interaction with the threat actor was observed during analysis, indicating the actor is actively monitoring infected hosts. --------------------------------------------- https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.ht… ∗∗∗ Achtung! Vermeintliche Gutschein-Codes führen in Abo-Falle ∗∗∗ --------------------------------------------- Derzeit tauchen vermehrt gefälschte Gutschein-Codes für verschiedene Anbieter wie Netflix, Steam, Playstation, Google Play oder Amazon auf. Zu finden sind diese Codes in Kommentaren unter verschiedensten YouTube-Videos. Doch anstatt den versprochenen 50 Euro, tappen die Opfer in die Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vermeintliche-gutschein-code… ∗∗∗ This worm phishing campaign is a game-changer in password theft, account takeovers ∗∗∗ --------------------------------------------- The security incident highlights the need for multi-factor authentication in the enterprise. --------------------------------------------- https://www.zdnet.com/article/this-worm-phishing-campaign-is-a-game-changer… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Cisco liefert Sicherheitsupdates für Router nach ∗∗∗ --------------------------------------------- Admins sollten professionelle Router von Cisco aus Sicherheitsgründe auf den aktuellen Stand bringen. Angreifer nutzen die Lücken derzeit aus. --------------------------------------------- https://heise.de/-4916417 ∗∗∗ FYI: If youre running HP Device Manager, anyone on your network can get admin on your server via backdoor ∗∗∗ --------------------------------------------- Hidden database account discovered, patches finally available as well as mitigations HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2020/09/30/hp_device_ma… ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- Huawei hat 16 Security Advisories für verschiedene Produkte veröffentlicht. --------------------------------------------- https://www.huawei.com/en/psirt/all-bulletins ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, libvirt, and podman), Debian (firefox-esr and nss), Gentoo (bitcoind, chromium, cifs-utils, gpsd, libuv, and xen), Mageia (firefox, gnutls, mediawiki, samba, and Thunderbird), openSUSE (brotli and cifs-utils), Red Hat (audiofile, bluez, cloud-init, cpio, cups, curl, dbus, dnsmasq, e2fsprogs, evince and poppler, exiv2, expat, firefox, fontforge, freeradius, freerdp, glib2 and ibus, glibc, httpd, hunspell, ipa, kernel, kernel-rt, [...] --------------------------------------------- https://lwn.net/Articles/833120/ ∗∗∗ Vulnerabilities in Bosch PRAESIDEO and PRAESENSA ∗∗∗ --------------------------------------------- BOSCH-SA-538331-BT: Two security vulnerabilities have been uncovered in the web based management interface of the PRAESIDEO Network Controller and the PRAESENSA System Controller. The vulnerabilities will allow a Cross-Site Request Forgery (CSRF) attack and a Cross-site Scripting (XSS) attack. For PRAESIDEO a third vulnerability will allow a replay attack with which authentication can be bypassed. This last vulnerability is present in the web server of the PRAESIDEO Network Controller. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-538331-bt.html ∗∗∗ Advisory: Multiple Vulnerabilities in SiteManager and GateManager ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16000031… ∗∗∗ Advisory: Multiple Vulnerabilities in GateManager ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16000031… ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0939 ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0940 ∗∗∗ Red Hat Enterprise Linux/FreeRDP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0941 ∗∗∗ Red Hat Enterprise Linux/WebKitGTK: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0942 ∗∗∗ Security Bulletin: Security vulnerability in WebSphere Liberty Server shipped with IBM Global Mailbox (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ Security Bulletin: Version 5.0.5 of Redis included in IBM Netcool Operations Insight 1.6.1.x has a security vulnerability (CVE-2020-14147) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-version-5-0-5-of-redis-in… ∗∗∗ Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4629) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Version 4.17.15 of Node.js module lodash included in IBM Netcool Operations Insight 1.6.1.x has a security vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-version-4-17-15-of-node-j… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Commons Codec vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: IBM Cloud Manager with OpenStack is affected by a OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-manager-with-op… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2020
by Daily end-of-shift report 29 Sep '20

29 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Montag 28-09-2020 18:00 − Dienstag 29-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 ∗∗∗ --------------------------------------------- The Netlogon Remote Protocol (also called MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel. These updates enforce the specified Netlogon client behavior to use secure RPC with Netlogon secure channel between member computers and Active Directory (AD) domain controllers (DC). This security update addresses the vulnerability by enforcing secure RPC when using the [...] --------------------------------------------- https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-… ∗∗∗ Windows 10 is offering a confusing mess of Intel driver updates ∗∗∗ --------------------------------------------- Windows 10 2004 is offering optional updates for Intel drivers that are a confusing mess for users who attempt to install them. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-is-offering-a-co… ∗∗∗ Backdoor Obfuscation: tempnam & URL Encoding ∗∗∗ --------------------------------------------- In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code. During a recent investigation, we came across an interesting backdoor that was leveraging encoding along with common PHP functions to conceal its operations from any active security systems on the host. This PHP web shell uses the following obfuscation method, where the web shell code is stored in URL encoded format and assigned to the variable $i: [...] --------------------------------------------- https://blog.sucuri.net/2020/09/backdoor-obfuscation-tempnam-url-encoding.h… ∗∗∗ [SANS ISC] Managing Remote Access for Partners & Contractors ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: "Managing Remote Access for Partners & Contractors": Yesterday, I wrote a quick diary about a potential security issue that some Tyler customers faced. Some people reacted to my diary with interesting comments in our forums. Two of them were interesting and deserve some [...] --------------------------------------------- https://blog.rootshell.be/2020/09/29/sans-isc-managing-remote-access-for-pa… ∗∗∗ Cloud-y, with a chance of hacking all the wireless things ∗∗∗ --------------------------------------------- Grandstream are a provider of IP video and voice services, as well as Wi-Fi and other related services and equipment. Their products are sold in over 150 countries and they [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/cloudy-with-a-chance-of-hacki… ∗∗∗ Playstation 5 nicht bei biogaming.de vorbestellen ∗∗∗ --------------------------------------------- Viele warten schon sehnsüchtig auf die neue Playstation 5. Um zum Verkaufsstart im November auch mit Sicherheit ein Modell zu ergattern, suchen KonsumentInnen nach Onlineshops, die noch eine Vorbestellung annehmen. Vorsicht ist jedoch geboten: Auch Fake-Shop bieten die Playstation 5 an! Wer beispielsweise bei biogaming.de bestellt, erhält trotz Bezahlung keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/playstation-5-nicht-bei-biogamingde-… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Information Disclosure on WP Courses plugin exposes private course videos and materials ∗∗∗ --------------------------------------------- Today weve got an interesting story to share. A vulnerability in WP Courses caused our Java course to be publicly disclosed via the WordPress REST API. Let’s dive into the details and see what happened. --------------------------------------------- https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plug… ∗∗∗ Security-Updates für Windows-Versionen von Foxit Reader und PhantomPDF verfügbar ∗∗∗ --------------------------------------------- Das Foxit-Team hat Sicherheitslücken mit überwiegend hoher Risikoeinstufung aus Reader und PhantomPDF für Windows sowie aus dem 3D Plugin (Beta) beseitigt. --------------------------------------------- https://heise.de/-4915016 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and mediawiki), openSUSE (firefox, libqt5-qtbase, and rubygem-actionpack-5_1), Red Hat (qemu-kvm, qemu-kvm-ma, and virt:rhel), SUSE (dpdk, firefox, and go1.15), and Ubuntu (dpdk, imagemagick, italc, libpgf, libuv1, pam-python, squid3, ssvnc, and teeworlds). --------------------------------------------- https://lwn.net/Articles/832958/ ∗∗∗ Trend Micro Security Produkte: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0938 ∗∗∗ Security Bulletin: IBM Security Verify Privilege Vault Remote is vulnerable to local user security bypass (CVE-2020-4607) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-privi… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to (CVE-2020-8244) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to an infinite read loop (CVE-2020-16845) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Kubernetes vulnerabilities (CVE-2020-8557, CVE-2020-8559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is vulnerable to a regular expression infinite loop (NODE-SECURITY-1488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-ce… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i is affected by CVE-2020-2590 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: Aspera on Cloud CVE-2020-8184 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-on-cloud-cve-2020-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-2020-8553) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i is affected by CVE-2020-2601 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2020
by Daily end-of-shift report 28 Sep '20

28 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-09-2020 18:00 − Montag 28-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client, (Mon, Sep 28th) ∗∗∗ --------------------------------------------- One of our readers, a Tyler Technologies's customer, reported to us that he found this morning the Bomgar client[1] (BeyondTrust) installed on one of his servers. There is an ongoing discussion on Reddit with the same kind of reports[2]. --------------------------------------------- https://isc.sans.edu/diary/rss/26610 ∗∗∗ Magento Credit Card Stealing Malware: gstaticapi ∗∗∗ --------------------------------------------- Our team recently came across a malicious script used on a Magento website titled gstaticapi, which targeted checkout processes to capture and exfiltrate stolen information. To obtain sensitive details, the malware loads external javascript whenever the URL contains “checkout” ⁠— this location typically belongs to the step in Magento’s checkout process where users enter their sensitive credit card information and shipping details. --------------------------------------------- https://blog.sucuri.net/2020/09/magento-credit-card-stealing-malware-gstati… ∗∗∗ Kostenloses Entschlüsselungstool für Erpressungstrojaner ThunderX ist da ∗∗∗ --------------------------------------------- Sicherheitsforscher haben einen Fehler in der Verschlüsselung durch die Ransomware ThunderX entdeckt und bieten nun Hilfe an. --------------------------------------------- https://heise.de/-4913470 ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! AgeLocker Ransomware hat es auf Qnap NAS abgesehen ∗∗∗ --------------------------------------------- Besitzer von Netzwerkspeichern (NAS) der Firma Qnap, sollten ihr Gerät aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-4913513 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, libdbi-perl, linux-4.19, lua5.3, mediawiki, nfdump, openssl1.0, qt4-x11, qtbase-opensource-src, ruby-gon, and yaws), Fedora (f2fs-tools, grub2, libxml2, perl-DBI, singularity, xawtv, and xen), Mageia (cifs-utils, kio-extras, libproxy, mbedtls, nodejs, novnc, and pdns), openSUSE (bcm43xx-firmware, chromium, conmon, fuse-overlayfs, libcontainers-common, podman, firefox, libqt4, libqt5-qtbase, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and [...] --------------------------------------------- https://lwn.net/Articles/832831/ ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen, einen Cross-Site Scripting Angriff durchzuführen, Daten zu manipulieren oder weitere Angriffe mit nicht spezifizierten Auswirkungen durchzuführen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0923 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen oder Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0934 ∗∗∗ Trend Micro Apex One: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Trend Micro Apex One ausnutzen, um seine Privilegien zu erhöhen, Code zur Ausführung zu bringen und Informationen offenzulegen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0925 ∗∗∗ F5 BIG-IP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in F5 BIG-IP ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0927 ∗∗∗ Security Advisory - Buffer Overflow Vulnerability BootHole in GRUB2 Secure Boot ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200923-… ∗∗∗ Security Bulletin: Insecure Use of InnerHTML or OuterHTML in IBM Enterprise Records ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-insecure-use-of-innerhtml… ∗∗∗ Security Bulletin: Dynamically constructed href attribute in IBM Enterprise Records ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dynamically-constructed-h… ∗∗∗ Security Bulletin: Apache Commons Codec Vulnerability Affects IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-codec-vuln… ∗∗∗ Security Bulletin: Multiple Java Vulnerabilities Impact IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabili… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Node.js lodash vulnerability (CVEID: 183560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – OpenSSL (CVE-2019-1563, CVE-2019-1549, CVE-2019-1547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Event Streams is affected by a Node.js http-proxy and lodash module vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by a vulnerability in the Go runtime (CVE-2020-16845) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by a Redis vulnerability (CVE-2020-14147) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an Elasticsearch vulnerability (CVE-2019-7614) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from OpenSSH affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Netty vulnerability (CVE-2020-11612) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Logstash (CVE-2019-7620) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR + CVE-2020-15664) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR + CVE-2020-15659) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to Kibana vulnerabilities (CVE-2020-7015, CVE-2020-7013, CVE-2020-7012) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVEID: 182747) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – Node.js (CVE-2019-15605, CVE-2019-15606) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2020
by Daily end-of-shift report 25 Sep '20

25 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-09-2020 18:00 − Freitag 25-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Datenleck: Airbnb gibt Gastgebern Zugriff auf fremde Postfächer ∗∗∗ --------------------------------------------- Hosts berichten, dass ihnen die Nachrichten anderer Airbnb-Hosts angezeigt werden - bis hin zur PIN, mit der sich die Tür öffnen lässt. --------------------------------------------- https://www.golem.de/news/datenleck-airbnb-gibt-gastgebern-zugriff-auf-frem… ∗∗∗ Sodinokibi Ransomware 101: Origin, Victims, Prevention Strategies ∗∗∗ --------------------------------------------- Cyberattacks have become a part of our reality, but have you ever wondered what might happen if your company gets targeted? You probably imagine that you would lose some money and a great deal of time, maybe fire an employee or too, lose a few clients and have your reputation tainted or eventually even deal [...] --------------------------------------------- https://heimdalsecurity.com/blog/sodinokibi-ransomware-101/ ∗∗∗ Ghost in action: the Specter botnet ∗∗∗ --------------------------------------------- On August 20, 2020, 360Netlab Threat Detect System captured a suspicious ELF file (22523419f0404d628d02876e69458fbe.css) with 0 VT detection. When we took a close look, we see a new botnet that targets AVTECH IP Camera / NVR / DVR devices, and it has flexible configuration, highly modular / plugin, and uses TLS, [...] --------------------------------------------- https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ ∗∗∗ Securing Exchange Online [Guest Diary], (Fri, Sep 25th) ∗∗∗ --------------------------------------------- [...] The base configuration of Exchange Online is set to allow quick onboarding of customers with minimal barriers to the smooth migration of email into the service. The configuration does require tweaks to in order to make it more secure. I aim to cover some of the more effective tweaks in this document and point the reader to the right documentation to secure their Exchange tenant. --------------------------------------------- https://isc.sans.edu/diary/rss/26600 ∗∗∗ Fortinet VPN with Default Settings Leave 200,000 Businesses Open to Hackers ∗∗∗ --------------------------------------------- As the pandemic continues to accelerate the shift towards working from home, a slew of digital threats have capitalized on the health concern to exploit weaknesses in the remote work infrastructure and carry out malicious attacks. Now according to network security platform provider SAM Seamless Network, over 200,000 businesses that have deployed the Fortigate VPN solution to enable employees to [...] --------------------------------------------- https://thehackernews.com/2020/09/fortigate-vpn-security.html ∗∗∗ Studie: Angreifer wollen ins Homeoffice – millionenfach über RDP-Verbindungen ∗∗∗ --------------------------------------------- In Corona-Zeiten haben Forscher einen signifikanten Anstieg von Attacken auf Remote-Verbindungen registriert. Mit den richtigen Tipps schützt man sich. --------------------------------------------- https://heise.de/-4912452 ∗∗∗ Security-Updatepaket für Ciscos Netzwerkbetriebssysteme IOS und IOS XE ∗∗∗ --------------------------------------------- Admins aufgepasst: Vor dem Start ins Wochenende warten noch Updates für IOS und IOS XE, die insgesamt 34 Schwachstellen mit hoher Risikoeinstufung schließen. --------------------------------------------- https://heise.de/-4912352 ∗∗∗ Handling Incidents in ICS – Getting to the Root of the Problem ∗∗∗ --------------------------------------------- For most organizations, having an incident response plan is a regulatory or even legal requirement these days. Unfortunately just having [...] --------------------------------------------- https://www.dragos.com/blog/industry-news/handling-incidents-in-ics-getting… ===================== = Vulnerabilities = ===================== ∗∗∗ macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave ∗∗∗ --------------------------------------------- This document describes the security content of macOS Catalina 10.15.7, Security Update 2020-005 High Sierra, Security Update 2020-005 Mojave. --------------------------------------------- https://support.apple.com/kb/HT211849 ∗∗∗ iCloud for Windows 11.4 ∗∗∗ --------------------------------------------- This document describes the security content of iCloud for Windows 11.4. --------------------------------------------- https://support.apple.com/kb/HT211846 ∗∗∗ iCloud for Windows 7.21 ∗∗∗ --------------------------------------------- This document describes the security content of iCloud for Windows 7.21. --------------------------------------------- https://support.apple.com/kb/HT211847 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 42 Security Advisories mit folgenden "Security Impact Ratings" veröffentlicht: High: 29 Medium: 13 --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rails), openSUSE (chromium, jasper, ovmf, roundcubemail, samba, and singularity), Oracle (firefox), SUSE (bcm43xx-firmware, firefox, libqt5-qtbase, qemu, and tiff), and Ubuntu (aptdaemon, atftp, awl, packagekit, and spip). --------------------------------------------- https://lwn.net/Articles/832509/ ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-frame scripting ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM® Java SDK July 2020 CPU plus CVE-2020-2590 and CVE-2020-2601 affect multiple IBM Continuous Engineering products based on IBM Jazz Technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4531 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2020
by Daily end-of-shift report 24 Sep '20

24 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-09-2020 18:00 − Donnerstag 24-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Security-Checkliste Passwörter & Accounts ∗∗∗ --------------------------------------------- Passwörter sind ein notwendiges Übel. Mit den folgenden Tipps haben Sie so wenig Passwortstress wie nötig, ohne an der Sicherheit zu sparen. --------------------------------------------- https://heise.de/-4886755 ∗∗∗ Vorsicht vor Raiffeisen Phishing SMS ∗∗∗ --------------------------------------------- Momentan werden massenhaft betrügerische Phishing SMS im Namen der Raiffeisen Bank verschickt. Angeblich sollte eine PushTAN Registrierung abgeschlossen werden. Die verlinkte Website sieht der echten dabei zum Verwechseln ähnlich. Achtung: Hier dürfen keinesfalls die eigenen Online Banking Daten eingegeben werden. Diese landen direkt in den Händen Krimineller. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-raiffeisen-phishing-sms/ ∗∗∗ Android-Malware Alien stiehlt Geld ∗∗∗ --------------------------------------------- Ein Android-Trojaner namens Alien ist seit Anfang des Jahres aktiv und wird als Malware-as-a-Service (MaaS) in unterirdischen Hackerforen angeboten. Ziel sind Banking- und Finanz-Apps auch in Deutschland --------------------------------------------- https://www.zdnet.de/88382932/android-malware-alien-stiehlt-geld/ ∗∗∗ Supply Chain bietet Angriffspunkte ∗∗∗ --------------------------------------------- Hacker nutzen zunehmend die Lieferketten im Ökosystem von Unternehmen, um ihre Angriffe vorzutragen. Kleinere Lieferanten mit schwachen Sicherheitsstrukturen bieten Einstiegspunkte für Attacken. --------------------------------------------- https://www.zdnet.de/88382938/supply-chain-bietet-angriffspunkte/ ∗∗∗ Protecting Against PowerShell Attacks: 5 Key Steps ∗∗∗ --------------------------------------------- Admins are already busy maintaining all systems running onsite and remotely, so the extra demand to protect against fileless threats can be overwhelming for manual security operations and inexperienced IT professionals. There are, however, five basic steps you can take to help mitigate the threat --------------------------------------------- https://www.beyondtrust.com/blog/entry/protecting-against-powershell-attack… ∗∗∗ AgeLocker ransomware targets QNAP NAS devices, steals data ∗∗∗ --------------------------------------------- QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the devices data, and in some cases, steal files from the victim. --------------------------------------------- https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets… ∗∗∗ Malicious One-Liner Using Hastebin ∗∗∗ --------------------------------------------- Short scripts that deliver malware to a website are nothing new, but during a recent investigation we found a script using hastebin[.]com, which is a domain we see used infrequently. The script was found writing malicious contents into an image directory on a compromised website, allowing an attacker to execute other malicious commands. --------------------------------------------- https://blog.sucuri.net/2020/09/malicious-one-liner-using-hastebin.html ∗∗∗ [SANS ISC] Party in Ibiza with PowerShell ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: "Party in Ibiza with PowerShell": Today, I would like to talk about PowerShell ISE or "Integration Scripting Environment". This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key feature: [...] --------------------------------------------- https://blog.rootshell.be/2020/09/24/sans-isc-party-in-ibiza-with-powershel… ∗∗∗ Fuzzing Image Parsing in Windows, Part One: Color Profiles ∗∗∗ --------------------------------------------- Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2020/09/fuzzing-image-parsing-… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf Zerologon-Lücke in Windows Server ∗∗∗ --------------------------------------------- Microsoft warnt vor Attacken auf eine kritische Sicherheitslücke in verschiedenen Windows-Server-Versionen. Auch Samba ist betroffen. --------------------------------------------- https://heise.de/-4910854 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, libproxy, mbedtls, samba, and zeromq), openSUSE (chromium and virtualbox), Red Hat (firefox and kernel), SUSE (cifs-utils, conmon, fuse-overlayfs, libcontainers-common, podman, libcdio, python-pip, samba, and wavpack), and Ubuntu (rdflib). --------------------------------------------- https://lwn.net/Articles/832405/ ∗∗∗ Synology-SA-20:22 SRM ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to bypass security constraints via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_22 ∗∗∗ Wireshark: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0922 ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Struts affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Manager previously known as IBM Security Privilege Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Verify Privilege Vault previously known as IBM Security Secret Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2020
by Daily end-of-shift report 23 Sep '20

23 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-09-2020 18:00 − Mittwoch 23-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Security-Checkliste Webbrowser ∗∗∗ --------------------------------------------- Ihr Browser kommt, auch ohne Surfen auf zwielichtigen Websites, sehr häufig mit Schadcode in Kontakt. Umso wichtiger ist es, ihn maximal sicher einzustellen. --------------------------------------------- https://heise.de/-4886750 ∗∗∗ Aufgepasst: Emotet versteckt sich nun in passwortgeschützten Archiven ∗∗∗ --------------------------------------------- Die Drahtzieher hinter Emotet haben eine neue Kampagne gestartet, um die Malware zu verbreiten. Dieses Mal haben Sie aber bei einer Sache gepennt. --------------------------------------------- https://heise.de/-4909712 ∗∗∗ Betrügerische Kredite von Continental Bank und Eran Finance! ∗∗∗ --------------------------------------------- Durch die Auswirkungen der Corona-Krise sind immer mehr Menschen von Finanzhilfen abhängig. Kein Wunder, dass Kredite und Darlehen beliebter werden und dass auch Cyberkriminelle betrügerischen Kredite anbieten. So zum Beispiel der Kreditvermittler royal-eranfinance.com und die Bank continental-groupe.com. Die beiden vermeintlichen Unternehmen arbeiten zusammen. Doch statt Kredite auszuzahlen, stehlen die Unternehmen die Identität der Opfer und verlangen Vorschusszahlungen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-kredite-von-continent… ∗∗∗ Case Study: Emotet Thread Hijacking, an Email Attack Technique ∗∗∗ --------------------------------------------- Thread hijacking, recently used to distribute Emotet, uses stolen copies of messages collected from infected users' email clients to attack others. --------------------------------------------- https://unit42.paloaltonetworks.com/emotet-thread-hijacking/ ∗∗∗ Linux vulnerabilities: How unpatched servers lead to persistent backdoors ∗∗∗ --------------------------------------------- Vulnerability management is a challenge Humans make mistakes, software has bugs and some of these bugs are exploitable vulnerabilities. The existence of vulnerabilities in software is not a new problem, but as the volume of software in existence grows, so does the number of exploitable vulnerabilities. --------------------------------------------- https://resources.infosecinstitute.com/linux-vulnerabilities-how-unpatched-… ∗∗∗ Looking for sophisticated malware in IoT devices ∗∗∗ --------------------------------------------- Let's talk about the structure of the firmware of an IoT device in order to get a better understanding of the different components. --------------------------------------------- https://securelist.com/looking-for-sophisticated-malware-in-iot-devices/985… ∗∗∗ [SANS ISC] Malicious Word Document with Dynamic Content ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: "Malicious Word Document with Dynamic Content": Here is another malicious Word document that I spotted while hunting. "Another one?" may ask some of our readers. Indeed but malicious documents remain a very common infection vector and you learn a lot when you analyze [...] --------------------------------------------- https://blog.rootshell.be/2020/09/23/sans-isc-malicious-word-document-with-… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin ∗∗∗ --------------------------------------------- On August 14, our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on [...] --------------------------------------------- https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (libetpan, libqt4, lilypond, otrs, and perl-DBI), Red Hat (kernel-rt), Slackware (seamonkey), SUSE (grafana, libmspack, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and samba), and Ubuntu (debian-lan-config, ldm, libdbi-perl, and netty-3.9). --------------------------------------------- https://lwn.net/Articles/832276/ ∗∗∗ Samba Issues Patches for Zerologon Vulnerability ∗∗∗ --------------------------------------------- The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). --------------------------------------------- https://www.securityweek.com/samba-issues-patches-zerologon-vulnerability ∗∗∗ CVE-2020-1472/Zerologon. As an IT manager should I worry? ∗∗∗ --------------------------------------------- TL;DR Yes, apply the update from Microsoft. --------------------------------------------- https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an… ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- Several security issues have been identified in Citrix Hypervisor (formerly Citrix XenServer) that may allow privileged code in a guest VM to cause the host to crash or become unresponsive. In addition, unprivileged code in a PV guest VM may be able to [...] --------------------------------------------- https://support.citrix.com/article/CTX282314 ∗∗∗ Security Advisory - Buffer Overflow Vulnerability BootHole in GRUB2 Secure Boot ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200923-… ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200923-… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4698 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to path traversal (CVE-2019-4582) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2020-15358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0920 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0921 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2020
by Daily end-of-shift report 22 Sep '20

22 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Montag 21-09-2020 18:00 − Dienstag 22-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Cloud Buckets Exposed in Rampant Misconfiguration ∗∗∗ --------------------------------------------- A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis shows. --------------------------------------------- https://threatpost.com/google-cloud-buckets-exposed-misconfiguration/159429/ ∗∗∗ New and improved Security Update Guide! ∗∗∗ --------------------------------------------- We're excited to announce a significant update to the Security Update Guide, our one-stop site for information about all security updates provided by Microsoft. This new version will provide a more intuitive user experience to help protect our customers regardless of what Microsoft products or services they use in their environment. --------------------------------------------- https://msrc-blog.microsoft.com:443/2020/09/21/new-and-improved-security-up… ∗∗∗ Cyberbedrohungen: Kostenlose "Adversary Emulation Plans" für Firmen verfügbar ∗∗∗ --------------------------------------------- Ein neues MITRE-Projekt stellt Informationen bereit, die Red Teams Schritt für Schritt beim Nachstellen realitätsnaher Angriffsszenarien unterstützen sollen. --------------------------------------------- https://heise.de/-4907083 ∗∗∗ instructionsweb.com führt in Abo-Falle ∗∗∗ --------------------------------------------- Die Suche nach einer Gebrauchsanleitung für ein elektronisches Gerät führte Sie zu instructionsweb.com? Sie haben dort schnell und unkompliziert die benötigte Anleitung gefunden? Auch der Preis von 95 Cent ist erschwinglich. Vorsicht: Mit Eingabe Ihrer Kreditkartendaten tappen Sie in eine Abo-Falle, die Sie monatlich € 11,95 kostet! Und: Anleitung gibt's trotz Bezahlung keine! --------------------------------------------- https://www.watchlist-internet.at/news/instructionswebcom-fuehrt-in-abo-fal… ∗∗∗ Does your business have a Well-Known URL for changing passwords? It should! ∗∗∗ --------------------------------------------- If you're a business which has a website that customers access via a password, spend a few minutes create your own .well-known/change-password which points users to the correct place. --------------------------------------------- https://businessinsights.bitdefender.com/business-url-changing-password ∗∗∗ Optimizing Away JavaScript Obfuscation. (arXiv:2009.09170v1 [cs.CR]) ∗∗∗ --------------------------------------------- JavaScript is a popular attack vector for releasing malicious payloads on unsuspecting Internet users. Authors of this malicious JavaScript often employ numerous obfuscation techniques in order to prevent the automatic detection by antivirus and hinder manual analysis by professional malware analysts. Consequently, this paper presents SAFE-Deobs, a JavaScript deobfuscation tool that we have built. --------------------------------------------- https://arxiv.org/abs/2009.09170 ∗∗∗ Microsoft sichert ungeschützten Backend-Server seiner Suchmaschine Bing ∗∗∗ --------------------------------------------- Er gibt 6,5 TByte Daten preis. Es handelt sich ausschließlich um Log-Dateien ohne persönliche Informationen. Microsoft spricht von einer Fehlkonfiguration – dem fraglichen Server fehlte ein Passwort. --------------------------------------------- https://www.zdnet.de/88382854/microsoft-sichert-ungeschuetzten-backend-serv… ===================== = Vulnerabilities = ===================== ∗∗∗ Firefox: Neue Desktop-Versionen beseitigen mögliche Einfallstore für Angreifer ∗∗∗ --------------------------------------------- Mit den Versionen 81 und ESR 78.3 des Webbrowsers Firefox liefert das Mozilla-Team auch diverse Lücken-Fixes aus. --------------------------------------------- https://heise.de/-4909119 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (mysql-connector-java), openSUSE (chromium, curl, libqt4, and singularity), Red Hat (bash and kernel), SUSE (python-pip and python3), and Ubuntu (busybox, ceph, freeimage, libofx, libpam-tacplus, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-azure, linux-gcp, linux-oracle, novnc, and tnef). --------------------------------------------- https://lwn.net/Articles/832164/ ∗∗∗ VMware Horizon DaaS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in VMware Horizon DaaS ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0916 ∗∗∗ Xen Security Advisories ∗∗∗ --------------------------------------------- The Xen Project has released 10 Security Advisories on 2020-09-22. --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Security Bulletin: CVE-2020-2590 (deferred from Oracle Jan 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2590-deferred-fr… ∗∗∗ Security Bulletin: CVE-2020-2601 (deferred from Oracle Jan 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2601-deferred-fr… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: CVE-2020-2601 (deferred from Oracle Jan 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2601-deferred-fr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache ZooKeeper as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-zookeeper-as-used-… ∗∗∗ Security Bulletin: CVE-2020-2590 (deferred from Oracle Jan 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2590-deferred-fr… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2020
by Daily end-of-shift report 21 Sep '20

21 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-09-2020 18:00 − Montag 21-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google App Engine: Redirect-Feature begünstigt Phishing und Malware-Verbreitung ∗∗∗ --------------------------------------------- Googles Cloud-Anwendungsplattform App Engine bietet Kriminellen beim Generieren schädlicher Links viel Freiraum, den diese im Zuge aktiver Angriffe auskosten. --------------------------------------------- https://heise.de/-4906593 ∗∗∗ iOS 14: Private WLAN-Adressen können für Probleme sorgen ∗∗∗ --------------------------------------------- iOS 14 sattelt iPhones automatisch auf zufällige MAC-Adressen um. Das führt in Heim- und Firmennetzen unter Umständen zu Verbindungsstörungen. --------------------------------------------- https://heise.de/-4907542 ∗∗∗ uMatrix wird nicht weiterentwickelt: Repository steht auf "archived" ∗∗∗ --------------------------------------------- Die Browser-Erweiterung uMatrix ist auf GitHub als archiviert markiert worden. Damit endet die Weiterentwicklung der Firewall. --------------------------------------------- https://heise.de/-4906711 ∗∗∗ Windows 10 Health Report: September 2020 issues, Defender fiasco, & more ∗∗∗ --------------------------------------------- This Windows 10 Health Report provides an overview of the problems people are encountering in September 2020 due to new cumulative updates or changes made in the operating system. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-health-report-se… ∗∗∗ Slightly broken overlay phishing, (Mon, Sep 21st) ∗∗∗ --------------------------------------------- At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes - sometimes the phishing authors "cut out the middleman" and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt. --------------------------------------------- https://isc.sans.edu/diary/rss/26586 ∗∗∗ The Hidden PHP Malware that Reinfects Cleaned Files ∗∗∗ --------------------------------------------- Website reinfections are a serious problem for website owners, and it can often be difficult to determine the cause behind the reinfection — especially if you lack access to necessary logs, which is usually the case for shared hosting services. Some of the more common causes of reinfections are issues like cross- site contamination or unpatched website software security vulnerabilities that get re-exploited. --------------------------------------------- https://blog.sucuri.net/2020/09/the-hidden-php-malware-that-reinfects-clean… ∗∗∗ One Part Steganography, Four Redirectors, and a Splash of C2! ∗∗∗ --------------------------------------------- What do you get when you combine Google Images, QR Codes, and Remote Command Execution? This silly project of mine Id like to share with you all, of course! Building off of my security research from my last couple of blogs, I decided to use my research using dynamic web content to proxy traffic over third party image providers, and try to find a valid bi-directional method for sending data between a NATd client and a public server. --------------------------------------------- https://medium.com/@curtbraz/one-part-steganography-four-redirectors-and-a-… ∗∗∗ Is domain name abuse something companies should worry about? ∗∗∗ --------------------------------------------- Should you worry about domain name abuse? For the most part it depends on what kind of company you are and what you expect to encounter. --------------------------------------------- https://blog.malwarebytes.com/business-2/2020/09/is-domain-name-abuse-somet… ∗∗∗ The Return of Raining SYSTEM Shells with Citrix Workspace app ∗∗∗ --------------------------------------------- TL;DR Back in July I documented a new Citrix Workspace vulnerability that allowed attackers to remotely execute arbitrary commands under the SYSTEM account. Well after some further investigation on the [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/the-return-of-raining-system-… ∗∗∗ Code execution, defense evasion are top tactics used in critical attacks against corporate endpoints ∗∗∗ --------------------------------------------- Cisco examines MITRE ATT&CK data to suggest the threat vectors enterprise security staff should focus their efforts on. --------------------------------------------- https://www.zdnet.com/article/defense-evasion-code-execution-are-the-top-at… ∗∗∗ Rückblick auf das zweite Drittel 2020 ∗∗∗ --------------------------------------------- Anders als das erste Jahresdrittel, begann das zweite wesentlich weniger dramatisch, was IT-Sicherheit angeht. Neben Citrix, dem auch im 2. Jahresdrittel unsere erste anlassbezogene Aussendung zu verdanken war, kam auch eine andere alte Schwachstelle zu neuem "Ruhm". --------------------------------------------- https://cert.at/de/blog/2020/9/ruckblick-auf-das-zweite-drittel-2020 ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Mobiler Firefox-Browser führte Befehle aus dem WLAN aus ∗∗∗ --------------------------------------------- Im gleichen WLAN konnten Angreifer den mobilen Firefox-Browser unter Android beliebige Webseiten oder andere Apps öffnen lassen - ohne Nutzerinteraktion. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-mobiler-firefox-browser-fuehrte… ∗∗∗ Micropatch for Zerologon, the "perfect" Windows vulnerability (CVE-2020-1472) ∗∗∗ --------------------------------------------- The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders. --------------------------------------------- https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (inspircd and modsecurity), Fedora (chromium, cryptsetup, gnutls, mingw-libxml2, and seamonkey), openSUSE (ark, chromium, claws-mail, docker-distribution, fossil, hylafax+, inn, knot, libetpan, libjpeg-turbo, libqt4, librepo, libvirt, libxml2, lilypond, mumble, openldap2, otrs, pdns-recursor, perl-DBI, python-Flask-Cors, singularity, slurm_18_08, and virtualbox), SUSE (jasper, less, ovmf, and rubygem-actionview-4_2), and Ubuntu (sa-exim). --------------------------------------------- https://lwn.net/Articles/832080/ ∗∗∗ MISP 2.4.132 released (security fix CVE-2020-25766 and bugs fixed) ∗∗∗ --------------------------------------------- A new version of MISP (2.4.132) has been released with several bugs fixed including an important security fix CVE-2020-25766. --------------------------------------------- https://www.misp-project.org/2020/09/21/MISP.2.4.132.released.html ∗∗∗ B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php ∗∗∗ B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php ∗∗∗ B-swiss 3 Digital Signage System 3.6.5 Database Disclosure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5588.php ∗∗∗ Security Bulletin: Denial of Service with HTTP/2 in IBM DataPower Gateway (CVE-2020-4579) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-with-ht… ∗∗∗ Security Bulletin: IBM Business Automation Content Analyzer is affected by Insecure Cookie vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-business-automation-c… ∗∗∗ Security Bulletin: Denial of Service with HTTP/2 in IBM DataPower Gateway (CVE-2020-4581) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-with-ht… ∗∗∗ Security Bulletin: Denial of Service in IBM DataPower Gateway (CVE-2020-4580) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2020-8616 and CVE-2020-8617). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Vulnerability in ntp (CVE-2020-11868 and CVE-2020-13817). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ntp-cve-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2020
by Daily end-of-shift report 18 Sep '20

18 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-09-2020 18:00 − Freitag 18-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Maze ransomware now encrypts via virtual machines to evade detection ∗∗∗ --------------------------------------------- The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang; to encrypt a computer from within a virtual machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts… ∗∗∗ Microsoft removes Windows Defender ability after security concerns ∗∗∗ --------------------------------------------- Microsoft has removed the ability to download files using Windows Defender after it was demonstrated how it could be used by attackers to download malware onto a computer. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-removes-windows-d… ∗∗∗ Mozi Botnet Accounts for Majority of IoT Traffic ∗∗∗ --------------------------------------------- Mozi’s spike comes amid a huge increase in overall IoT botnet activity. --------------------------------------------- https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/ ∗∗∗ Ransomware-Angriffe als Folge von Shitrix ∗∗∗ --------------------------------------------- Monate nach dem Auftauchen der kritischen Sicherheitslücke im Citrix Application Delivery Controller (ADC) und NetScaler Gateway (CVE-2019-19781, auch als “Shitrix“ bekannt) werden nun immer mehr Fälle bekannt, in denen die Lücke sehr früh ausgenutzt, jedoch erst sehr viel später lukrativ verwendet wurde bzw. aktuell wird. --------------------------------------------- https://www.hisolutions.com/detail/ransomware-angriffe-als-folge-von-shitrix ∗∗∗ Identitätsdiebstahl: Das sind die gängigsten Betrugsmaschen ∗∗∗ --------------------------------------------- Ausweiskopien und fremde Identitäten sind im Bereich der Internetkriminalität ein begehrtes Gut. Denn so können Kriminelle unter falschem Namen Straftaten begehen und bleiben selbst unentdeckt. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-das-sind-die-ga… ===================== = Vulnerabilities = ===================== ∗∗∗ Backdoors in Video-Encodern auf Huawei-Chips entdeckt - Ursprung unbekannt ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher ist auf mehrere kritische Sicherheitslücken gestoßen, die Hardware-Video-Encoder angreifbar machen. --------------------------------------------- https://heise.de/-4905641 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium and netbeans), Oracle (mysql:8.0 and thunderbird), SUSE (rubygem-rack and samba), and Ubuntu (apng2gif, gnupg2, libemail-address-list-perl, libproxy, pulseaudio, pure-ftpd, samba, and xawtv). --------------------------------------------- https://lwn.net/Articles/831853/ ∗∗∗ Cisco Content Security Management Appliance and Cisco Email Security Appliance Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed a Cross-Site Scripting (XSS) vulnerability (CVE-2020-4443) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Digital Payments (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4643) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed a reverse tabnabbing vulnerability (CVE-2020-4440) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Pivotal spring-boot: Schwachstelle ermöglicht Umgehung von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0911 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0910 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2020
by Daily end-of-shift report 17 Sep '20

17 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-09-2020 18:00 − Donnerstag 17-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cyber-Angriff auf Uniklinik Düsseldorf: BSI warnt vor akuter Ausnutzung bekannter Schwachstelle ∗∗∗ --------------------------------------------- Am 10. September 2020 kam es zu einem IT-Sicherheitsvorfall im Universitätsklinikum Düsseldorf (UKD). Gemäß BSI-Gesetz hat das UKD das Bundesamt für Sicherheit in der Informationstechnik (BSI) über diesen Vorfall informiert. [...] In diesem Zusammenhang weist das BSI mit Nachdruck darauf hin, dass derzeit eine seit Januar 2020 bekannte Schwachstelle (CVE-2019-19781) in VPN-Produkten der Firma Citrix für Cyber-Angriffe ausgenutzt wird. Dem BSI werden zunehmend Vorfälle bekannt, bei denen Citrix-Systeme bereits vor der Installation der im Januar 2020 bereitgestellten Sicherheitsupdates kompromittiert wurden. Dadurch haben Angreifer auch nach Schließung der Sicherheitslücke weiterhin Zugriff auf das System und dahinterliegende Netzwerke. Diese Möglichkeit wird aktuell vermehrt ausgenutzt, um Angriffe auf betroffene Organisationen durchzuführen. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/UKDuesseldo… ∗∗∗ Evasive URLs in Spam ∗∗∗ --------------------------------------------- Cybercriminals are continuously evolving their tools, tactics, and techniques to evade spam detection systems. We recently observed some spam campaigns that heavily relied on URL obfuscation in email messages. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-url… ∗∗∗ phpbash – A Terminal Emulator Web Shell ∗∗∗ --------------------------------------------- It’s common for hackers to utilize post-compromise tools that contain a graphical user interface (GUI) that can be loaded in the web browser. A GUI generally makes the tool easier to use — and certainly more visually appealing than just raw text. One example of web malware that uses GUIs are PHP webshells like r57. --------------------------------------------- https://blog.sucuri.net/2020/09/phpbash-terminal-editor-web-shell.html ∗∗∗ GuLoaders VM-Exit Instruction Hammering explained ∗∗∗ --------------------------------------------- In Joe Sandbox Cloud Basic, our community version of Joe Sandbox, we often get very interesting and recent malware samples. On the September 16th, 2020 we came across a new GuLoader variant (MD5: 01a54f73856cfb74a3bbba47bcec227b). GuLoader is a malware loader well known for its anti-evasion techniques. --------------------------------------------- http://blog.joesecurity.org/2020/09/guloaders-vm-exit-instruction-hammering… ===================== = Vulnerabilities = ===================== ∗∗∗ Schadcode per Word-Datei: Microsoft flickt Office für Mac ∗∗∗ --------------------------------------------- Microsoft hat die macOS-Version seiner Office-Suite aktualisiert. Die Updates schließen Schwachstellen, die das Ausführen von Schadcode ermöglichen. --------------------------------------------- https://heise.de/-4904475 ∗∗∗ Apple iOS & iPadOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apple iOS und Apple iPadOS ausnutzen, um beliebigen Programmcode auszuführen, einen Denial of Service Zustand herbeizuführen, Informationen offenzulegen, einen Cross-Site Scripting Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder sonstige Auswirkungen zu verursachen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0907 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen und Informationen offenzulegen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0906 ∗∗∗ Vulnerability Spotlight: Remote code execution vulnerability Apple Safari ∗∗∗ --------------------------------------------- The Apple Safari web browser contains a remote code execution vulnerability in its Webkit feature. Specifically, an attacker could trigger a use-after-free condition in WebCore, the DOM-rendering system for Webkit used in Safari. This could give the attacker the ability to execute remote code on the victim machine. --------------------------------------------- https://blog.talosintelligence.com/2020/09/vuln-spotlight-apple-safari-sept… ∗∗∗ High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce ∗∗∗ --------------------------------------------- On August 20, 2020, the Wordfence Threat Intelligence team was made aware of several vulnerabilities that had been patched in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2020/09/high-severity-vulnerabilities-patche… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dotnet3.1, kernel, mbedtls, and python35), Mageia (libraw), openSUSE (mumble), SUSE (libsolv, libzypp, and perl-DBI), and Ubuntu (libdbi-perl, libphp-phpmailer, mcabber, ncmpc, openssl, openssl1.0, qemu, samba, storebackup, and util-linux). --------------------------------------------- https://lwn.net/Articles/831720/ ∗∗∗ Synology-SA-20:21 Zerologon ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_21 ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. --------------------------------------------- https://support.citrix.com/article/CTX281474 ∗∗∗ Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph… ∗∗∗ Security Bulletin: IBM Aspera Shares 1.9.14 Patch Level 1 and earlier are vulnerable to DOM XSS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-shares-1-9-14-… ∗∗∗ Security Bulletin: Denial of service vulnerability in WebSphere Application Server Liberty (CVE-2020-4590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2020
by Daily end-of-shift report 16 Sep '20

16 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-09-2020 18:00 − Mittwoch 16-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware greift Microsoft Datenbanken an ∗∗∗ --------------------------------------------- Eine neue Malware-Gang hat sich in den letzten Monaten einen Namen gemacht, indem sie sich in die Datenbank Microsoft SQL Server (MSSQL) gehackt und einen Crypto-Miner installiert hat. --------------------------------------------- https://www.zdnet.de/88382758/malware-greift-microsoft-datenbanken-an/ ∗∗∗ Netflix-KundInnen aufgepasst: Betrügerische E-Mails im Umlauf! ∗∗∗ --------------------------------------------- Derzeit häufen sich Meldungen über betrügerische E-Mails, die angeblich von Netflix stammen. In diesen E-Mails werden die Opfer darum gebeten, ihre Zahlungsinformationen zu aktualisieren, da es Probleme mit der Rechnung gäbe. Die Mails stammen jedoch nicht von Netflix, sondern von Kriminellen, die versuchen an die Kreditkartendaten der EmpfängerInnen zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/netflix-kundinnen-aufgepasst-betrueg… ∗∗∗ This security awareness training email is actually a phishing scam ∗∗∗ --------------------------------------------- A creative phishing campaign uses an email template that pretends to be a reminder to complete security awareness training from a well-known security company. --------------------------------------------- https://www.bleepingcomputer.com/news/security/this-security-awareness-trai… ∗∗∗ DNS security best practices: Preventing DNS hijacking, poisoning and redirection ∗∗∗ --------------------------------------------- The importance of DNS The Domain Name System (DNS) is one of the fundamental protocols of the Internet. It provides a lookup service that converts domain names (like google.com) into IP addresses (like 192.168.0.0). While DNS has always been an important protocol, the growing use of cloud-based services has made it even more so. --------------------------------------------- https://resources.infosecinstitute.com/dns-security-best-practices-preventi… ∗∗∗ Do Vulnerabilities Ever Get Old? Recent "Mirai" Variant Scanning for 20 Year Old Amanda Version?, (Wed, Sep 16th) ∗∗∗ --------------------------------------------- We always say how network security is changing every day. Take a long lunch, and you may miss a critical exploit. But sometimes, time appears to stand still. We just passed 1.6 Billion seconds in the Unix Epoch. Back when the Unix timestamp still had 9 digits, in the late 90s also known as "pre Y2K", one of the servers you may have used for backups was Amanda (Advanced Maryland Automatic Network Disk Archiver). Still active and alive today, back then Amanda V 2.3 was current. --------------------------------------------- https://isc.sans.edu/diary/rss/26572 ∗∗∗ The Hacker Motive: What Attackers Are Doing with Your Hacked Site ∗∗∗ --------------------------------------------- Yesterday, September 15, 2020, the Wordfence Live team covered The Hacker Motive: What Attackers Are Doing with Your Hacked Site. This companion blog post reviews the motives we discussed live during Wordfence Live and dives deeper into the minds of attackers. --------------------------------------------- https://www.wordfence.com/blog/2020/09/the-hacker-motive-what-attackers-are… ∗∗∗ Billions of devices vulnerable to new BLESA Bluetooth security flaw ∗∗∗ --------------------------------------------- New BLESA attack goes after the often ignored Bluetooth reconnection process, unlike previous vulnerabilities, most found in the pairing operation. --------------------------------------------- https://www.zdnet.com/article/billions-of-devices-vulnerable-to-new-blesa-b… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco AsyncOS software for Cisco Content Security Management Appliance (SMA) and Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to access sensitive information on an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Schadcode-Lücken in Nitro Pro PDF geschlossen ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für die PDF-Anwendung Nitro Pro erschienen. --------------------------------------------- https://heise.de/-4902752 ∗∗∗ IBM: Sicherheitsupdates für zahlreiche Produkte verfügbar ∗∗∗ --------------------------------------------- Seit Anfang voriger Woche hat IBM eine ganze Reihe von Lücken aus seinem Produktportfolio beseitigt – darunter einige mit hohem bis kritischem Schweregrad. --------------------------------------------- https://heise.de/-4902825 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libssh, python35, and xen), Oracle (kernel), Red Hat (librepo and mysql:8.0), SUSE (perl-DBI), and Ubuntu (Apache Log4j, Apache XML-RPC, bsdiff, libdbi-perl, luajit, milkytracker, OpenJPEG, ruby-loofah, and ruby-websocket-extensions). --------------------------------------------- https://lwn.net/Articles/831654/ ∗∗∗ Flaws in Philips Patient Monitoring Products Can Lead to Patient Data Exposure ∗∗∗ --------------------------------------------- Multiple vulnerabilities identified in Philips patient monitoring solutions could provide attackers with unauthorized access to patient data. read more --------------------------------------------- https://www.securityweek.com/flaws-philips-patient-monitoring-products-can-… ∗∗∗ Security Advisory - Use-after-free Vulnerability in Some Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200916-… ∗∗∗ Trend Micro ServerProtect for Linux: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0905 ∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0904 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2020
by Daily end-of-shift report 15 Sep '20

15 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Montag 14-09-2020 18:00 − Dienstag 15-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows 10 'Finger' command can be abused to download or steal files ∗∗∗ --------------------------------------------- The list of native executables in Windows that can download or run malicious code keeps growing as another one has been reported recently. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-finger-command-ca… ∗∗∗ Sicherheitslücke: Mit acht Nullen zum Active-Directory-Admin ∗∗∗ --------------------------------------------- Die Sicherheitslücke Zerologon nutzt einen Fehler in Netlogon aus und involviert die Zahl Null auf kreative Weise - um Passwörter zu ändern. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-mit-acht-nullen-zum-active-dire… ∗∗∗ Erfolgreiche Angriffskampagne trifft Online-Shops auf Basis von Magento 1 ∗∗∗ --------------------------------------------- Der Support für Version 1.x der Onlineshop-Software Magento endete im Juni 2020. Eine aktuelle "Magecart"-Angriffskampagne zielt nun auf veraltete Shops. --------------------------------------------- https://heise.de/-4894269 ∗∗∗ Shitrix-Nachwehen: Citrix-Systeme mit unbemerkten Backdoors ∗∗∗ --------------------------------------------- Auf Citrix ADC und Netscaler Gateways sind offenbar über die Shitrix-Lücke Anfang des Jahres Backdoors installiert worden, durch die Ransomware gelangen kann. --------------------------------------------- https://heise.de/-4901590 ∗∗∗ Erpressungs-E-Mails: Kriminelle hätten Beweise, dass Sie fremdgehen ∗∗∗ --------------------------------------------- Werden Sie per E-Mail erpresst? Behauptet der Erpresser, einen Virus auf Ihrem Smartphone installiert zu haben, der Ihre Aktivitäten überwacht? Hat er angeblich Beweismaterial, dass Sie beim Fremdgehen zeigt? Fordert man für Stillschweigen die Überweisung von Bitcoins? Dann: Machen Sie sich keine Sorgen! Es handelt sich um ein betrügerisches E-Mail, das aktuell massenhaft versendet wird! --------------------------------------------- https://www.watchlist-internet.at/news/erpressungs-e-mails-kriminelle-haett… ∗∗∗ Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits ∗∗∗ --------------------------------------------- We captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends. --------------------------------------------- https://unit42.paloaltonetworks.com/network-attack-trends/ ∗∗∗ MITRE releases emulation plan for FIN6 hacking group, more to follow ∗∗∗ --------------------------------------------- New MITRE project to provide free emulation plans that mimic major threat actors in order to train and help defenders. --------------------------------------------- https://www.zdnet.com/article/mitre-releases-emulation-plan-for-fin6-hackin… ∗∗∗ Hackers are getting more hands-on with their attacks. Thats not a good sign ∗∗∗ --------------------------------------------- Both nation-state backed hackers and cyber criminals asking trying to take advantage of the rise in remote working, and getting more sophisticated in their approach. --------------------------------------------- https://www.zdnet.com/article/hackers-are-getting-more-hands-on-with-their-… ===================== = Vulnerabilities = ===================== ∗∗∗ MFA Bypass Bugs Opened Microsoft 365 to Attack ∗∗∗ --------------------------------------------- Vulnerabilities 'that have existed for years' in WS-Trust could be exploited to attack other services such as Azure and Visual Studio. --------------------------------------------- https://threatpost.com/flaws-in-microsoft-365s-mfa-access-cloud-apps/159240/ ∗∗∗ VMware VMSA-2020-0020 (Sep 14) ∗∗∗ --------------------------------------------- VMware Workstation, Fusion and Horizon Client updates address multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0020.html ∗∗∗ Notfallpatch für Adobe Media Encoder verfügbar ∗∗∗ --------------------------------------------- Angreifer könnten Media Encoder von Adobe attackieren und Informationen leaken. --------------------------------------------- https://heise.de/-4901833 ∗∗∗ Vulnerability Spotlight: Memory corruption in Google PDFium ∗∗∗ --------------------------------------------- Google Chromes PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. Chrome is a popular, free web browser available on all operating systems. PDFium allows users to open PDFs inside Chrome. We recently discovered a bug that would allow an adversary to send a malicious web page to a user, and then cause out-of-bounds memory access. --------------------------------------------- https://blog.talosintelligence.com/2020/09/vuln-spotlight-google-pdfium-sep… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dovecot), Debian (gnome-shell and teeworlds), Mageia (libetpan and zeromq), openSUSE (libxml2), Red Hat (chromium-browser and librepo), SUSE (compat-openssl098, firefox, kernel, openssl, and shim), and Ubuntu (gupnp). --------------------------------------------- https://lwn.net/Articles/831592/ ∗∗∗ Synology-SA-20:20 Photo Station ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Photo Station. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_20 ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Java Deserialization (CVE-2020-4521) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL Injection (CVE-2019-4671) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Docker vulnerability affects IBM Spectrum Protect Plus (CVE-2020-13401) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-docker-vulnerability-affe… ∗∗∗ Security Bulletin: Linux Kernel vulnerability affects IBM Spectrum Protect Plus (187206) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site request forgery (CVE-2020-4526) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Directory Traversal and Execution of Arbitrary Code vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4711, CVE-2020-4703) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-and-e… ∗∗∗ Security Bulletin: Cacheable HTTPS Response vulnerability in IBM Tivoli Business Service Manager (CVE-2020-4344) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cacheable-https-response-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Improper DLL loading vulnerability affecting Aspera Connect 3.9.9 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-improper-dll-loading-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2020
by Daily end-of-shift report 14 Sep '20

14 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-09-2020 18:00 − Montag 14-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zerologon übernimmt Domain-Controller ∗∗∗ --------------------------------------------- Unbemerkt von vielen hat Microsoft im August letzten Monats einen der schwerwiegendsten Fehler behoben, der dem Unternehmen jemals gemeldet wurde. Dieses Problem könnte dazu missbraucht werden, Windows-Server, die als Domänencontroller in Unternehmensnetzwerken laufen, einfach zu übernehmen. --------------------------------------------- https://www.zdnet.de/88382688/zerologon-uebernimmt-domain-controller/ ∗∗∗ Magento stores hit by largest automated hacking attack since 2015 ∗∗∗ --------------------------------------------- In the largest automated hacking campaign against Magento sites, attackers compromised almost 2,000 online stores this weekend to steal credit cards. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-stores-hit-by-larges… ∗∗∗ Creating patched binaries for pentesting purposes, (Sun, Sep 13th) ∗∗∗ --------------------------------------------- When doing pentestings, the establishment of backdoors is vital to be able to carry out lateral movements in the network or to reach the stage of action on objectives. This is usually accomplished by inviting someone to click on a commonly used executable on the computer using social engineering techniques. --------------------------------------------- https://isc.sans.edu/diary/rss/26560 ∗∗∗ ModSecurity, Regular Expressions and Disputed CVE-2020-15598 ∗∗∗ --------------------------------------------- This blog post will discuss that tradeoff in the context of regular expressions in ModSecurity. It will cover an issue raised by a member of the community as a security issue (assigned CVE-2020-15598), which we disputed, and some tips for how to avoid the more problematic aspects of regular expressions in ModSecurity. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity… ∗∗∗ New BlindSide attack uses speculative execution to bypass ASLR ∗∗∗ --------------------------------------------- New BlindSide technique abuses the CPUs internal performance-boosting feature to bypass OS security protection. --------------------------------------------- https://www.zdnet.com/article/new-blindside-attack-uses-speculative-executi… ===================== = Vulnerabilities = ===================== ∗∗∗ Hyland OnBase Arbitrary File Upload ∗∗∗ --------------------------------------------- Hyland OnBase allows malicious attackers to directly upload arbitrary files to the OnBase server using file upload methods. The client-side sometimes restricts file types, but the server-side does not allowing attackers with direct server access to upload files of any type including malicious files designed to compromise clients that view the data. OnBase also appears to lack the proper mechanisms to verify that files are of the type claimed and instead relies on file extensions, allowing attackers to upload malicious files whose extensions do not match the actual file type. This allows a second vector for malicious file upload and attacking clients. --------------------------------------------- https://cxsecurity.com/issue/WLB-2020090071 ∗∗∗ WordPress Plugin Flaw Allows Attackers to Forge Emails ∗∗∗ --------------------------------------------- The high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram affects more than 100,000 WordPress websites. --------------------------------------------- https://threatpost.com/wordpress-plugin-flaw/159172/ ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht Firewalls von Palo Alto ∗∗∗ --------------------------------------------- Eine kritische Lücke im Betriebssystem PAN-OS gefährdet Firewalls aus dem Hause Palo Alto. --------------------------------------------- https://heise.de/-4892796 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (thunderbird), Debian (libproxy, qemu, and wordpress), Fedora (ansible, chromium, community-mysql, dotnet-build-reference-packages, dotnet3.1, drupal7, grub2, java-1.8.0-openjdk-aarch32, kernel, kernel-headers, kernel-tools, mingw-gnutls, php-symfony4, python-django, and selinux-policy), Gentoo (DBI, file-roller, gnome-shell, gst-rtsp-server, nextcloud-client, php, proftpd, qtgui, and zeromq), openSUSE (gimp, libjpeg-turbo, openldap2, [...] --------------------------------------------- https://lwn.net/Articles/831524/ ∗∗∗ Vulnerabilities Expose Thousands of MobileIron Servers to Remote Attacks ∗∗∗ --------------------------------------------- Researchers have disclosed the details of several potentially serious vulnerabilities affecting MobileIron’s mobile device management (MDM) solutions, including a flaw that can be exploited by an unauthenticated attacker for remote code execution on affected servers. --------------------------------------------- https://www.securityweek.com/vulnerabilities-expose-thousands-mobileiron-se… ∗∗∗ Multiple vulnerabilities in Buffalo AirStation WHR-G54S ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN09166495/ ∗∗∗ Security Bulletin: IBM Cloud Pak System is affected by a vulnerability in VMware component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-a… ∗∗∗ Security Bulletin: A vulnerability in Apache AvtiveMQ affects IBM Operations Analytics Predictive Insights (CVE-2020-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in libcurl affects the OS image for RedHat Enterprise Linux for IBM Cloud Pak System (CVE-2019-5436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL library affects OS Pattern Kit used in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Kenexa LMS On Premise -IBM SDK, Java Technology Edition Quarterly CPU -Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – [All] jQuery (Publicly disclosed vulnerability) CVEID: 180875 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: Vulnerability in side channel in Intel CPUs affect IBM Cloud Pak System (CVE-2019-11135) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-side-cha… ∗∗∗ Security Bulletin: IBM Kenexa LCMS Premier On Premise – [All] jQuery (Publicly disclosed vulnerability) CVE-2020-11023, CVE-2020-11022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lcms-premier-o… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK addressed in IBM Cloud Pak System (April 2020 updates) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily