- Daily - CERT.at

Tageszusammenfassung - 11.09.2020
by Daily end-of-shift report 11 Sep '20

11 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-09-2020 18:00 − Freitag 11-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zoom adds two-factor authentication (2FA) support to all accounts ∗∗∗ --------------------------------------------- Zoom has announced that starting today it has added two-factor authentication (2FA) support to all user accounts to make it simpler to secure them against security breaches and identity theft. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zoom-adds-two-factor-authent… ∗∗∗ Whats in Your Clipboard? Pillaging and Protecting the Clipboard, (Fri, Sep 11th) ∗∗∗ --------------------------------------------- Recently I happened to notice that the Cisco AnyConnect VPN client clears the clipboard if you paste a password into it. (Note - if you know and can type any of your passwords in 2020, you should at least partially examine your life choices). Several password managers also do this "right thing" - retaining passwords in the clipboard is a great way for folks to accidentally paste that information into the worst [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26556 ∗∗∗ WordPress Malware Disables Security Plugins to Avoid Detection ∗∗∗ --------------------------------------------- An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable it? --------------------------------------------- https://blog.sucuri.net/2020/09/wordpress-malware-disables-security-to-avoi… ∗∗∗ Bluetooth anfällig für Angriffe auf Schlüssel – irgendwie ∗∗∗ --------------------------------------------- Das CERT/CC und die Bluetooth-Standardisierer warnen vor Blurtooth – knausern aber mit Informationen zur entdeckten Schwachstelle. --------------------------------------------- https://heise.de/-4891764 ∗∗∗ Sichere Passwörter schützen vor Verlust und Missbrauch ∗∗∗ --------------------------------------------- Sichere Passwörter schützen nicht nur private Informationen vor Fremden. Sie schützen vor allem vor finanziellem Schaden und Identitätsmissbrauch. Daher ist auf die Passwort-Sicherheit besonderen Wert zu legen. --------------------------------------------- https://www.watchlist-internet.at/news/sichere-passwoerter-schuetzen-vor-ve… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-pip), Fedora (kernel, libX11, and xen), openSUSE (go1.14), Oracle (libcroco, php:7.3, and postgresql:10), Red Hat (chromium-browser and httpd:2.4), and SUSE (gimp, golang-github-prometheus-prometheus, kernel, libxml2, pdsh, slurm_20_02, slurm, slurm_18_08, and tomcat). --------------------------------------------- https://lwn.net/Articles/831283/ ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: A vulnerability may affect IBM® SDK, Java™ Technology Edition used in Liberty for Java for IBM Cloud (CVE-2020-2590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-may-affec… ∗∗∗ Security Bulletin: IBM® Db2® on AIX and Linux Affected by a Vulnerability in IBM® Spectrum Scale (CVE-2020-4411) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-on-aix-and-linux-… ∗∗∗ Security Bulletin: IBM® SDK, Java™ Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability affects Liberty for Java for IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM® Db2® on AIX and Linux Affected by a Vulnerability in IBM® Spectrum Scale (CVE-2020-4412) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-on-aix-and-linux-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime related to the Kerberos component affect IBM® Db2®. (CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability may affect IBM® SDK, Java™ Technology Edition used in Liberty for Java for IBM Cloud (CVE-2020-2601) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-may-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.09.2020
by Daily end-of-shift report 10 Sep '20

10 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-09-2020 18:00 − Donnerstag 10-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ProLock ransomware increases payment demand and victim count ∗∗∗ --------------------------------------------- Using standard tactics, the operators of ProLock ransomware were able to deploy a large number of attacks over the past six months, averaging close to one target every day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/prolock-ransomware-increases… ∗∗∗ An overview of targeted attacks and APTs on Linux ∗∗∗ --------------------------------------------- Perhaps unsurprisingly, a lot has been written about targeted attacks on Windows systems. Windows is, due to its popularity, the platform for which we discover most APT attack tools. At the same time, there’s a widely held opinion that Linux [...] --------------------------------------------- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98… ∗∗∗ Zeppelin Ransomware Returns with New Trojan on Board ∗∗∗ --------------------------------------------- The malware has popped up in a targeted campaign and a new infection routine. --------------------------------------------- https://threatpost.com/zeppelin-ransomware-returns-trojan/159092/ ∗∗∗ O365 Phishing Attack Used Real-Time Validation against Active Directory ∗∗∗ --------------------------------------------- A phishing attack used real-time validation against an organization’s Active Directory in order to steal users’ Office 365 credentials. According to Armorblox, the phishing attack targeted an executive working at an American brand that was named one of the world’s Top 50 most innovative companies for 2019 on a Friday evening. The email used spoofing [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/o365-ph… ∗∗∗ BLURtooth Vulnerability Can Allow Bluetooth MITM Attacks ∗∗∗ --------------------------------------------- A security vulnerability in the Cross-Transport Key Derivation (CTKD) of devices supporting both Bluetooth BR/EDR and LE could allow an attacker to overwrite encryption keys, researchers have discovered. --------------------------------------------- https://www.securityweek.com/blurtooth-vulnerability-can-allow-bluetooth-mi… ∗∗∗ Fake Gewinnspiel mit Cineplexx-Gutschein lockt in Abo-Falle ∗∗∗ --------------------------------------------- Auf Facebook wird über Anzeigen und den Facebook-Messenger ein Gewinnspiel beworben. Sie wurden angeblich, ausgewählt Gutscheine für Cineplexx-Kinos zu erhalten. Dafür sollen Sie 2 Euro für die Versandkosten mit Ihrer Kreditkarte bezahlen. Achtung: Das Gewinnspiel ist fake, die Gutscheine gibt es nicht und Sie landen in einer Abo-Falle! Cineplexx selbst hat nichts mit diesen Gewinnspielen zu tun. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-mit-cineplexx-gutsc… ∗∗∗ New CDRThief malware targets VoIP softswitches to steal call detail records ∗∗∗ --------------------------------------------- Malware targets only two very specific softswitches (software switches): Linknat VOS2009 and VOS3000. --------------------------------------------- https://www.zdnet.com/article/new-cdrthief-malware-targets-voip-softswitche… ∗∗∗ Ransomware-Attacken vervielfacht ∗∗∗ --------------------------------------------- Die Zahl der Ransomware-Angriffe ist im ersten Halbjahr im Vergleich zum Vorjahr um 715% gestiegen. Die Lösegelderpresser werden immer gefährlicher und sorgen für hohe Schäden. --------------------------------------------- https://www.zdnet.de/88382645/ransomware-attacken-vervielfacht/ ∗∗∗ Recent Dridex activity, (Thu, Sep 10th) ∗∗∗ --------------------------------------------- For the past month or so, I hadn't had any luck finding active malspam campaigns pushing Dridex malware. That changed starting this week, and I've since found several examples. Today's diary reviews an infection from Wednesday September 9th, 2020. --------------------------------------------- https://isc.sans.edu/diary/rss/26550 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ark, gnupg, go, opendmarc, and python-django), Debian (libxml2), Gentoo (chromium), Oracle (librepo and thunderbird), Red Hat (dovecot and httpd:2.4), SUSE (avahi, kernel, and openldap2), and Ubuntu (xorg-server). --------------------------------------------- https://lwn.net/Articles/831178/ ∗∗∗ Palo Alto Networks Patches Serious DoS, Code Execution Flaws in PAN-OS ∗∗∗ --------------------------------------------- Palo Alto Networks this week announced that it has patched critical and high-severity denial-of-service (DoS) and arbitrary code execution vulnerabilities in its PAN-OS firewall software. read more --------------------------------------------- https://www.securityweek.com/palo-alto-networks-patches-serious-dos-code-ex… ∗∗∗ PEPPERL+FUCHS/VMT Bildverarbeitungssysteme GmbH: VMT MSS and VMT IS - Several vulnerabilities in products utilizing WIBU SYSTEMS CodeMeter components ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-034 ∗∗∗ PILZ: Multiple products prone to WIBU CodeMeter vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-033 ∗∗∗ avahi: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0892 ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0891 ∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200909-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind shipped with IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ Security Bulletin: WebSphere Application Server Admin Console is vulnerable to cross-site scripting (CVE-2020-4578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Vulnerabilities in IBM HTTP Server affects IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ht… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM Cloud Orchestrator (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2020
by Daily end-of-shift report 09 Sep '20

09 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-09-2020 18:00 − Mittwoch 09-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers use legit tool to take over Docker, Kubernetes platforms ∗∗∗ --------------------------------------------- In a recent attack, cybercrime group TeamTNT relied on a legitimate tool to avoid deploying malicious code on compromised cloud infrastructure and still have a good grip on it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-legit-tool-to-ta… ∗∗∗ Diffie-Hellman-Seitenkanal: Raccoon-Angriff auf TLS betrifft nur Wenige ∗∗∗ --------------------------------------------- Forscher zeigen eine bislang unbekannte Schwäche im TLS-Protokoll, die praktischen Risiken sind aber sehr gering. --------------------------------------------- https://www.golem.de/news/diffie-hellman-seitenkanal-raccoon-angriff-auf-tl… ∗∗∗ Attacking the Qualcomm Adreno GPU ∗∗∗ --------------------------------------------- When writing an Android exploit, breaking out of the application sandbox is often a key step. There are a wide range of remote attacks that give you code execution with the privileges of an application (like the browser or a messaging application), but a sandbox escape is still required to gain full system access. This blog post focuses on an interesting attack surface that is accessible from the Android application sandbox: the graphics processing unit (GPU) --------------------------------------------- https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gp… ∗∗∗ Adobe behebt Schwachstellen ∗∗∗ --------------------------------------------- Adobes neueste Runde von Sicherheitsupdates behebt schwerwiegende Fehler in Experience Manager, InDesign und Framemaker. Der Grafikspezialist verabschiedet sich zudem von Flash. --------------------------------------------- https://www.zdnet.de/88382613/adobe-behebt-schwachstellen/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Von Angreifern präparierte Websites könnten Windows gefährlich werden ∗∗∗ --------------------------------------------- Microsoft hat Sicherheitsupdates für mehrere Produkte veröffentlicht und über 120 Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-4888876 ∗∗∗ IPAS: Security Advisories for September 2020 ∗∗∗ --------------------------------------------- Hi everyone, Today we are releasing four security advisories addressing 9 vulnerabilities that were all internally found by Intel except for INTEL-SA-00405 which was reported through our bug bounty program. --------------------------------------------- https://blogs.intel.com/technology/2020/09/intel-september-2020-security-ad… ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um Schadcode auszuführen, um seine Privilegien zu erhöhen, um Informationen auszuspähen und um Sicherheitsmechanismen zu umgehen. Letztlich kann der Angreifer so die Kontrolle über das Gerät übernehmen. Zur Ausnutzung genügt es, eine bösartige App zu installieren bzw. zu nutzen. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/09/warn… ∗∗∗ Reflected XSS in WordPress Plugin Admin Pages ∗∗∗ --------------------------------------------- The administrative dashboard in WordPress is a pretty safe place: Only elevated users can access it. Exploiting a plugin’s admin panel would serve very little purpose here — an administrator already has the required permissions to do all of the actions a vulnerability could cause. While this is usually true, there are a number of techniques bad actors are using to trick an administrator into performing actions they would not expect, such as Cross Site Request Forgery (CSRF) or [...] --------------------------------------------- https://blog.sucuri.net/2020/09/reflected-xss-in-wordpress-plugin-admin-pag… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grunt), Fedora (ansible and geary), openSUSE (firefox, gettext-runtime, python-Flask-Cors, and thunderbird), Oracle (firefox and thunderbird), Red Hat (.NET Core 3.1), SUSE (kernel and libjpeg-turbo), and Ubuntu (gnutls28 and libx11). --------------------------------------------- https://lwn.net/Articles/831069/ ∗∗∗ PHOENIX CONTACT: Products utilizing WIBU SYSTEMS CodeMeter components ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in WIBU SYSTEMS CodeMeter Runtime. --------------------------------------------- https://cert.vde.com/de-de/advisories/copy_of_vde-2020-030 ∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT ∗∗∗ --------------------------------------------- Multiple vulnerabilties were reported in WIBU-SYSTEMS Codemeter. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-032 ∗∗∗ Security Advisory - Privilege Elevation Vulnerability in Microsoft Windows Kerberos Key Distribution Center ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20200909-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability on Several Mobile Broadband Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200909-… ∗∗∗ Security Advisory - MITM Vulnerability on Huawei Share ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200909-… ∗∗∗ Security Bulletin: IBM InfoSphere Metadata Asset Manager is vulnerable to stored cross-site scripting and server-side request forgery. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-a… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Improper DLL loading vulnerability affecting Aspera Connect 3.9.9 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-improper-dll-loading-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2020
by Daily end-of-shift report 08 Sep '20

08 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Montag 07-09-2020 18:00 − Dienstag 08-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows 10 themes can be abused to steal Windows accounts ∗∗∗ --------------------------------------------- Specially crafted Windows 10 themes and theme packs can be used in Pass-the-Hash attacks to steal Windows account credentials from unsuspecting users. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-themes-can-be-ab… ∗∗∗ Office: About OLE and ZIP Files, (Mon, Sep 7th) ∗∗∗ --------------------------------------------- A reader asked if a particular Emotet sample was a malformed ZIP file. It is not, and I will explain why you might think it is in this diary entry. --------------------------------------------- https://isc.sans.edu/diary/rss/26540 ∗∗∗ Japan, France, New Zealand Warn of Sudden Uptick in Emotet Trojan Attacks ∗∗∗ --------------------------------------------- Cybersecurity agencies across Asia and Europe have issued multiple security alerts regarding the resurgence of email-based Emotet malware attacks targeting businesses in France, Japan, and New Zealand. --------------------------------------------- https://thehackernews.com/2020/09/emotet-malware-attack.html ∗∗∗ Was sind Tech-Support Scams? Und: Wie Sie sich davor schützen! ∗∗∗ --------------------------------------------- Ein Tech-Support Scam ist eine Betrugsmasche, wo sich Kriminelle als Service-MitarbeiterInnen von Microsoft oder Apple ausgeben und ein Computerproblem vortäuschen. Die Kontaktaufnahme erfolgt entweder durch die Kriminellen per Telefon oder die Opfer rufen aufgrund eines Pop-Ups selbst bei einer vermeintlichen Service-Stelle an. In beiden Fällen wird eine Fernwartungssoftware installiert, um Zugangsdaten zu erspähen, Schadsoftware zu installieren oder Daten zu löschen oder [...] --------------------------------------------- https://www.watchlist-internet.at/news/was-sind-tech-support-scams-und-wie-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe InDesign (APSB20-52), Adobe Framemaker (APSB20-54) and Adobe Experience Manager (APSB20-56). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1916 ∗∗∗ Windows 10 Sandbox activation enables zero-day vulnerability ∗∗∗ --------------------------------------------- A reverse engineer discovered a new zero-day vulnerability in most Windows 10 editions that allows creating files in restricted areas of the operating system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-sandbox-activatio… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick, lemonldap-ng, and zeromq3), Fedora (ark, cryptsetup, gnutls, kernel, kernel-headers, and kernel-tools), openSUSE (firefox, kernel, and thunderbird), Red Hat (cloud-init, go-toolset:rhel8, libcroco, librepo, php:7.3, postgresql:10, and thunderbird), SUSE (firefox and go1.14), and Ubuntu (linux, linux-aws, linux-aws-5.3, linux-aws-5.4, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, [...] --------------------------------------------- https://lwn.net/Articles/830941/ ∗∗∗ SAP Patchday September 2020 ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in SAP Produkten und Anwendungskomponenten ausnutzen, um die Vertraulichkeit, Verfügbarkeit und die Integrität der Anwendungen zu gefährden. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0870 ∗∗∗ Citrix StoreFront Security Update ∗∗∗ --------------------------------------------- An issue has been discovered in Citrix StoreFront that, if exploited, would allow an attacker who is authenticated on the same Microsoft Active Directory domain as a Citrix StoreFront server to read arbitrary files from that server. --------------------------------------------- https://support.citrix.com/article/CTX277455 ∗∗∗ SSA-770698: User Information Disclosure Vulnerability in Siveillance Video Client ∗∗∗ --------------------------------------------- The Siveillance Video Client contains an information disclosure vulnerability that could allow an attacker to obtain valid adminstrator login names and use this information to launch further attacks. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-770698.txt ∗∗∗ SSA-709003: Privilege Escalation Vulnerability in License Management Utility (LMU) ∗∗∗ --------------------------------------------- The latest update for the License Management Utility (LMU), which is used by multiple Siemens building technology products, fixes a vulnerability that could allow local users to escalate privileges and execute code as local SYSTEM user. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-709003.txt ∗∗∗ SSA-568969: Insecure Storage of Sensitive Information in Spectrum Power™ 4 ∗∗∗ --------------------------------------------- Vulnerabilities in Spectrum Power™ 4 could allow an unauthorized attacker to retrieve a list of software users, or in certain cases to list the contents of a directory. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-568969.txt ∗∗∗ SSA-542525: Authentication Vulnerabilities in SIMATIC HMI Products ∗∗∗ --------------------------------------------- SIMATIC HMI Products are affected by two vulnerabilities that could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-542525.txt ∗∗∗ SSA-534763: Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products ∗∗∗ --------------------------------------------- Security researchers published information on a vulnerability known as Crosstalk (INTEL-SA-00320). This vulnerability affects modern Intel processors to a varying degree. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-534763.txt ∗∗∗ SSA-455843: WIBU Systems CodeMeter Runtime Vulnerabilities in Siemens and Siemens Energy Products ∗∗∗ --------------------------------------------- CISA and WIBU Systems disclosed six vulnerabilities in different versions of CodeMeter Runtime, a product provided by WIBU Systems and used in several Siemens and Siemens Energy products for license management. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-455843.txt ∗∗∗ SSA-436520: XSS and CSRF Vulnerabilities in Polarion Subversion Webclient ∗∗∗ --------------------------------------------- Multiple cross-site scripting (XSS) vulnerabilities were found in the subversion webclient of Polarion. In addition, the webclient doesnt have any cross-site request forgery (CSRF) protection. An attacker could inject client side script to induce the victim to issue an HTTP request that would lead to a state changing operation. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-436520.txt ∗∗∗ SSA-381684: Improper Password Protection during Authentication in SIMATIC S7-300 and S7-400 CPUs ∗∗∗ --------------------------------------------- A vulnerability has been identified in SIMATIC S7-300 and S7-400 CPU families, which could result in credential disclosure. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-381684.txt ∗∗∗ SSA-251935: Multiple Privilege Escalation Vulnerabilities in SIMATIC RTLS Locating Manager ∗∗∗ --------------------------------------------- The latest update for SIMATIC RTLS Locating Manager fixes various vulnerabilities that could allow a low-privileged local user to escalate privileges. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-251935.txt ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0871 ∗∗∗ Security Bulletin: Novalink is impacted by denial of service high vulnerability in WebSphere Application Server Liberty CVE-2019-4720 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-d… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – July 2020 – Includes Oracle July 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Security Bulletin: Novalink is impacted by Publicly disclosed vulnerability in IBM Java SDK/JRE (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-novalin… ∗∗∗ Security Bulletin: Novalink is impacted Apache CXF affects middle vulnerability in WebSphere Application Server Liberty (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-apac… ∗∗∗ Security Bulletin: Novalink is impacted by Apache CXF affects WebSphere Liberty JAX-WS middle vulnerability in WebSphere Application Server Liberty (CVE-2019-17573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-novalink-is-impacted-by-a… ∗∗∗ Security Bulletin: Vulnerability in Apache Ant affects IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2020
by Daily end-of-shift report 07 Sep '20

07 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-09-2020 18:00 − Montag 07-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Visa warns of new Baka credit card JavaScript skimmer ∗∗∗ --------------------------------------------- Visa issued a warning regarding a new JavaScript e-commerce skimmer known as Baka that will remove itself from memory after exfiltrating stolen data and analysis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/visa-warns-of-new-baka-credi… ∗∗∗ Threema E2EE chat app to go fully open source within months ∗∗∗ --------------------------------------------- Threema follows in the footsteps of Signal and Wickr and opens its apps codebase. --------------------------------------------- https://www.zdnet.com/article/threema-e2ee-chat-app-to-go-fully-open-source… ∗∗∗ Manipulierte Excel-Dateien in Phishing-Mails ∗∗∗ --------------------------------------------- Eine neu entdeckte Malware-Bande benutzt einen cleveren Trick, um bösartige Excel-Dateien zu erstellen, die eine höhere Chance haben, Sicherheitssysteme zu umgehen. --------------------------------------------- https://www.zdnet.de/88382491/manipulierte-excel-dateien-in-phishing-mails/ ∗∗∗ Angriffe auf WordPress-Plugin ∗∗∗ --------------------------------------------- Millionen von WordPress-Sites wurden diese Woche angegriffen, weil Hacker eine Zero-Day-Schwachstelle in "File Manager", einem beliebten WordPress-Plugin, ausnutzen. --------------------------------------------- https://www.zdnet.de/88382493/angriffe-auf-wordpress-plug-in/ ===================== = Vulnerabilities = ===================== ∗∗∗ Linux: Keine Eile beim Schließen einer Kernel-Sicherheitslücke ∗∗∗ --------------------------------------------- Mit einem Buffer Overflow im Linux-Kernel lässt sich ein System durch lokale Nutzer zum Absturz bringen, eine Rechteausweitung ist wohl möglich. --------------------------------------------- https://www.golem.de/news/linux-keine-eile-beim-schliessen-einer-kernel-sic… ∗∗∗ Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster ∗∗∗ --------------------------------------------- During a routine research audit for our Sucuri Firewall, we discovered a post deletion, arbitrary posting in social networks, and arbitrary plugin settings update affecting over 100,000 users of the WordPress plugin. --------------------------------------------- https://blog.sucuri.net/2020/09/insufficient-privilege-validation-in-nextsc… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ark, netty, netty-3.9, qemu, squid3, and xorg-server), Fedora (chromium), Gentoo (dovecot and gnutls), Mageia (ansible, postgresql, and python-rsa), openSUSE (curl, freerdp, libX11, php7, squid, and xorg-x11-server), Oracle (kernel), Red Hat (thunderbird), Slackware (gnutls), and SUSE (firefox, kernel, and thunderbird). --------------------------------------------- https://lwn.net/Articles/830856/ ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4698 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects IMS™ Enterprise Suite: Explorer for Development (CVE-2020-14577) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4516 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Aspera Shares 1.9.14 Patch Level 1 and earlier are vulnerable to DOM XSS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-shares-1-9-14-… ∗∗∗ Security Bulletin: Java Quarterly CPU affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-quarterly-cpu-affect… ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0868 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2020
by Daily end-of-shift report 04 Sep '20

04 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-09-2020 18:00 − Freitag 04-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI: Thousands of orgs targeted by RDoS extortion campaign ∗∗∗ --------------------------------------------- The FBI warns US companies that thousands of organizations around the world, from various industry sectors, have been threatened with DDoS attacks within six days unless they pay a Bitcoin ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-thousands-of-orgs-target… ∗∗∗ Phishing adds overlay on official company page to steal logins ∗∗∗ --------------------------------------------- A phishing campaign deployed recently at various businesses uses the companys home page to disguise the attack and trick potential victims into providing login credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-adds-overlay-on-off… ∗∗∗ A blast from the past - XXEncoded VB6.0 Trojan, (Fri, Sep 4th) ∗∗∗ --------------------------------------------- While going over what my e-mail malware quarantine caught during this week, I found a message which made me feel rather nostalgic. Among the usual maldocs, ZIPs and ACEs, there was also an e mail carrying an XXE file in its attachment. --------------------------------------------- https://isc.sans.edu/diary/rss/26538 ∗∗∗ Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496 ∗∗∗ --------------------------------------------- We provide an analysis of CVE-2020-17496, proof of concept code to demonstrate the vulnerability and information on attacks we have observed. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2020-17496/ ∗∗∗ Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa ∗∗∗ --------------------------------------------- We observed a variant of the Thanos ransomware that attempted to overwrite the master boot record, a more destructive approach than previous versions. --------------------------------------------- https://unit42.paloaltonetworks.com/thanos-ransomware/ ∗∗∗ Firefox will add a new drive-by-download protection ∗∗∗ --------------------------------------------- Firefox will block automatic downloads initiated from sandboxed iframes -- the technology usually used for web embeds. --------------------------------------------- https://www.zdnet.com/article/firefox-will-add-a-new-drive-by-download-prot… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, dovecot, geary, httpd, lua, mysql-connector-java, and squid), Mageia (lua and lua5.3, sane, and squid), Oracle (dovecot), Scientific Linux (dovecot), SUSE (java-1_7_1-ibm, kernel, php5, and xorg-x11-server), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/830632/ ∗∗∗ Security Bulletin: IBM InfoSphere Metadata Asset Manager is vulnerable to stored cross-site scripting and server-side request forgery. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-metadata-a… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Apr 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2019 CPU (CVE-2019-2964, CVE-2019-2989 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Netcool Agile Service Manager (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Improper DLL loading vulnerability affecting Aspera Connect 3.9.9 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-improper-dll-loading-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.09.2020
by Daily end-of-shift report 03 Sep '20

03 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-09-2020 18:00 − Donnerstag 03-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Defender can ironically be used to download malware ∗∗∗ --------------------------------------------- A recent update to Windows 10s Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-iron… ∗∗∗ Sandbox Evasion Using NTP, (Thu, Sep 3rd) ∗∗∗ --------------------------------------------- I'm still hunting for interesting (read: "malicious") Python samples. By reading my previous diaries, you know that I like to find how attackers implement obfuscation and evasion techniques. Like yesterday, I found a Python sample that creates a thread to run a malicious shellcode[1]. But before processing the shellcode, it performs suspicious network traffic: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26534 ∗∗∗ Salfram: Robbing the place without removing your name tag ∗∗∗ --------------------------------------------- By Holger Unterbrink and Edmund Brumaghin. Threat summary Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware.The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter. --------------------------------------------- https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-re… ∗∗∗ Inter: The Magecart Skimming Tool Now on More than 1,500 Sites ∗∗∗ --------------------------------------------- Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes. However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of todays most common and widely used digital skimming solutions globally. --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/inter-skimmer/ ∗∗∗ New Python-scripted trojan malware targets fintech companies ∗∗∗ --------------------------------------------- PyVil RAT is capable of keylogging, taking screenshots and more - and the those behind it have gone to great lengths to keep it as under the radar as possible. --------------------------------------------- https://www.zdnet.com/article/new-python-scripted-trojan-malware-targets-fi… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Sicherheitsupdates: Jabber + präparierte Nachricht = Schadcode ∗∗∗ --------------------------------------------- Cisco hat Sicherheitsupdates für unter anderem Jabber, IOS XR und Webex Meetings veröffentlicht. --------------------------------------------- https://heise.de/-4884609 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asyncpg and uwsgi), Mageia (cairo), openSUSE (chromium, kernel, and postgresql10), Red Hat (dovecot and squid:4), SUSE (curl, java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libX11, php7, squid, and xorg-x11-server), and Ubuntu (apport, libx11, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04). --------------------------------------------- https://lwn.net/Articles/830496/ ∗∗∗ Backdoors left unpatched in MoFi routers ∗∗∗ --------------------------------------------- MoFi Network patched only six of ten reported vulnerabilities, leaving three hard-coded undocumented backdoor systems in place. --------------------------------------------- https://www.zdnet.com/article/backdoors-left-unpatched-in-mofi-routers/ ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in MySQL. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information exposure in HTML comments vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is vulnerable to social engineering attacks (CVE-2020-4337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Hard-coded passwords vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Insufficiently Random Value vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2020
by Daily end-of-shift report 02 Sep '20

02 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-09-2020 18:00 − Mittwoch 02-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Attackers abuse Google DNS over HTTPS to download malware ∗∗∗ --------------------------------------------- More details have emerged on a malware sample that uses Google DNS over HTTPS to retrieve the stage 2 malicious payload. --------------------------------------------- https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-o… ∗∗∗ Exposed Windows Domain Controllers Used in CLDAP DDoS Attacks, (Tue, Sep 1st) ∗∗∗ --------------------------------------------- LDAP, like many UDP based protocols, has the ability to send responses that are larger than the request. With UDP not requiring any handshake before data is sent, these protocols make ideal amplifiers for reflective distributed denial of service attacks. Most commonly, these attacks abuse DNS and we have talked about this in the past. But LDAP is another protocol that is often abused. --------------------------------------------- https://isc.sans.edu/diary/rss/26526 ∗∗∗ Using assert() to Execute Malware in PHP 7 Environments ∗∗∗ --------------------------------------------- Initially released December 2015, PHP 7 introduced a multitude of performance and security improvements. Approximately 43.7% of websites across the web currently use PHP 7.x, making it an incredibly popular scripting language — which is likely why attackers are creating malware to target environments which leverage it. During a recent investigation, our team stumbled across some malicious code which is used to inject a .user.ini file into a PHP 7 environment and add zend.assertions = 1. --------------------------------------------- https://blog.sucuri.net/2020/09/using-assert-to-execute-malware-php-7.html ∗∗∗ Cloud firewall management API SNAFU put 500k SonicWall customers at risk ∗∗∗ --------------------------------------------- TL;DR I found an IDOR in SonicWall’s cloud management platform API Any user could add themselves to any account at any organisation using it Anyone could create a user account [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/cloud-firewall-management-api… ∗∗∗ Erpressungs-Mail mit Bombendrohung massenhaft versendet ∗∗∗ --------------------------------------------- Vorsicht vor einer betrügerischen Erpressungs-E-Mail: Kriminelle versenden Nachrichten, in denen sie behaupten, dass eine Bombe im Geschäftsgebäude der EmpfängerInnen platziert wurde. Sollten die Unternehmen, die die Nachrichten erhalten haben, nicht binnen 80 Stunden 20.000 Dollar in Bitcoin bezahlen, soll diese explodieren. Die E-Mail ist frei erfunden und es muss nichts bezahlt werden! --------------------------------------------- https://www.watchlist-internet.at/news/erpressungs-mail-mit-bombendrohung-m… ===================== = Vulnerabilities = ===================== ∗∗∗ New Intel microcode updates for Windows 10 fix CPU hardware bugs ∗∗∗ --------------------------------------------- Microsoft has released a new batch of Intel microcode updates for Windows 10 2004, 1909, 1903, and older versions to fix hardware bugs in Intel CPUs. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/new-intel-microcode-updates… ∗∗∗ Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws ∗∗∗ --------------------------------------------- Two flaws - one of them yet to be fixed - are afflicting a third-party plugin used by Magento e-commerce websites. --------------------------------------------- https://threatpost.com/magento-sites-vulnerable-to-rce-stemming-from-magmi-… ∗∗∗ Verschlüsselung: TLS-1.3-Fauxpas gefährdet Embedded-Systeme mit wolfSSL ∗∗∗ --------------------------------------------- Aus Sicherheitsgründen sollten Admins die TLS-Programmbibliothek wolfSSL auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-4883741 ∗∗∗ TYPO3-EXT-SA-2020-017: Multiple vulnerabilities in extension "Event management and registration" (sf_event_mgt) ∗∗∗ --------------------------------------------- It has been discovered that the extension "Event management and registration" (sf_event_mgt) is susceptible to Information Disclosure and Broken Access Control. --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2020-017 ∗∗∗ TYPO3-EXT-SA-2020-016: Information Disclosure in extension "Localization Manager" (l10nmgr) ∗∗∗ --------------------------------------------- It has been discovered that the extension "Localization Manager" (l10nmgr) is susceptible to Information Disclosure. --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2020-016 ∗∗∗ 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin ∗∗∗ --------------------------------------------- This morning, on September 1, 2020, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site. A patch was released this morning [...] --------------------------------------------- https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-z… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox), Mageia (mutt and putty), openSUSE (ldb, samba, libqt5-qtbase, opera, and postgresql10), Red Hat (bash, kernel, and libvncserver), SUSE (apache2, curl, and squid), and Ubuntu (ark, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, [...] --------------------------------------------- https://lwn.net/Articles/830392/ ∗∗∗ Multiple Vulnerabilities in Red Lion N-Tron 702-W, Red Lion N-Tron 702M12-W ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-re… ∗∗∗ Security Advisory - Command Injection Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-… ∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-… ∗∗∗ Security Advisory - Information Disclosure Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-… ∗∗∗ Security Advisory - Remote Code Execution vulnerability in Apache Struts 2 ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.9.0 ESR) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.2.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Spectrum Scale Transparent Cloud Tiering (177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Code injection vulnerability in IBM Spectrum Protect Operations Center (CVE-2020-4693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-code-injection-vulnerabil… ∗∗∗ Security Bulletin: Information Disclosure vulnerability in IBM Spectrum Protect Server (CVE-2020-4591) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Use of Hard-Coded Credentials vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a Java vulnerability (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2020
by Daily end-of-shift report 01 Sep '20

01 Sep '20

===================== = End-of-Day report = ===================== Timeframe: Montag 31-08-2020 18:00 − Dienstag 01-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers are backdooring QNAP NAS devices with 3-year old RCE bug ∗∗∗ --------------------------------------------- Hackers are scanning for vulnerable network-attached storage (NAS) devices running multiple QNAP firmware versions, trying to exploit a remote code execution (RCE) vulnerability addressed by QNAP in a previous release. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-backdooring-qnap… ∗∗∗ DLL Fixer leads to Cyrat Ransomware ∗∗∗ --------------------------------------------- A new ransomware uses an unusual symmetric encryption method named "Fernet". It is Python based and appends .CYRAT to encrypted files. --------------------------------------------- https://feeds.feedblitz.com/~/634890360/0/gdatasecurityblog-en~DLL-Fixer-le… ∗∗∗ Notarisierte Mac-Malware: Apple beglaubigte offenbar mehrfach Trojaner ∗∗∗ --------------------------------------------- Apples Notarisierungsdienst soll Mac-Nutzer vor Malware schützen. Nun beglaubigte der Hersteller auch den notorischen Schädling "Shlayer". --------------------------------------------- https://heise.de/-4882770 ∗∗∗ New web skimmer steals credit card data, sends to crooks via Telegram ∗∗∗ --------------------------------------------- Criminals steal payment data from online shoppers by abusing the Telegram instant messaging API, inserting credit card skimming code. --------------------------------------------- https://blog.malwarebytes.com/web-threats/2020/09/web-skimmer-steals-credit… ∗∗∗ Quarterly Report: Incident Response trends in Summer 2020 ∗∗∗ --------------------------------------------- By David Liebenberg and Caitlin Huey. For the fifth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. Infections involved a wide variety of malware families including Ryuk, Maze, LockBit, and Netwalker, among others. In a continuation of trends observed in last quarter’s report, these ransomware attacks have relied much less on commodity trojans such as Emotet and Trickbot. --------------------------------------------- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.ht… ∗∗∗ Gratis iPhone 11 oder Samsung Galaxy S20 durch Hofer-Umfrage? ∗∗∗ --------------------------------------------- Kriminelle geben sich als Hofer aus und versenden wahllos E-Mails, in denen behauptet wird, Ihre E-Mail- bzw. IP-Adresse sei ausgewählt worden. Sie sollen daher an einer kurzen Umfrage teilnehmen und dadurch ein kostenloses iPhone 11 oder Samsung Galaxy S20 erhalten. Vorsicht: Die E-Mail stammt nicht von Hofer, Sie erhalten kein Smartphone geschenkt und Sie landen in einer teuren Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/gratis-iphone-11-oder-samsung-galaxy… ∗∗∗ Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers ∗∗∗ --------------------------------------------- Our researchers analyzed data on cybersquatting to learn which domains attackers most often mimic and other key details of the practice. --------------------------------------------- https://unit42.paloaltonetworks.com/cybersquatting/ ∗∗∗ "Accessible Ubiquiti Service Discovery": Erster Datenfeed in der Taxonomie "Intrusions" ∗∗∗ --------------------------------------------- Ubiquiti Geräte benutzen ein Discovery Protokoll, um sich gegenseitig automatisch zu erkennen. Während das innerhalb des eigenen Netzwerks nützlich sein kann, machen fehlerhaft konfigurierte Geräte eine Vielzahl an Daten über sich öffentlich abrufbar. Als wäre dieses Problem nicht genug, gab es in älteren Firmware-Versionen eine Schwachstelle, die eine automatisierte Übernahme der betroffenen Systeme ermöglicht(e). --------------------------------------------- https://cert.at/de/blog/2020/9/accessible-ubiquiti-service-discovery-erster… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Schutzsoftware von Trend Micro kann PCs gefährden ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitspatches für Trend Micro Apex One und OfficeScan XG. --------------------------------------------- https://heise.de/-4883268 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and libx11), Fedora (batik, ecj, eclipse, eclipse-cdt, eclipse-ecf, eclipse-emf, eclipse-gef, eclipse-m2e-core, eclipse-mpc, eclipse-mylyn, eclipse-remote, eclipse-webtools, firefox, httpd, jetty, lucene, selinux-policy, and univocity-parsers), Mageia (hylafax+), openSUSE (ark and chromium), Red Hat (virt:8.2 and virt-devel:8.2), SUSE (freeradius-server, freerdp, php7, php72, php74, and xorg-x11-server), and Ubuntu (freerdp2, keystone, [...] --------------------------------------------- https://lwn.net/Articles/830278/ ∗∗∗ QNAP NAS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0857 ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM Cloud Manager with OpenStack (CVE-2019-2949) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affects IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-faster… ∗∗∗ Security Bulletin: Vulnerabilities in Faster-XML jackson-databind affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-faster… ∗∗∗ Security Bulletin: IBM® Java™ SDK Technology Edition, Oct 2019, affects IBM Security Identity Manager Virtual Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-technology-e… ∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-… ∗∗∗ Security Bulletin: Vulnerabilities in Faster-XML jackson affect IBM Operations Analytics Predictive Insights (CVE-2019-14060, CVE-2019-14661, CVE-2019-14662) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-faster… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-aff… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Apache Thrift (CVE-2019-0205) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server(Liberty profile) affects IBM Operations Analytics Predictive Insights (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2020
by Daily end-of-shift report 31 Aug '20

31 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-08-2020 18:00 − Montag 31-08-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Emotet malwares new Red Dawn attachment is just as dangerous ∗∗∗ --------------------------------------------- The Emotet botnet has begun to use a new template for their malicious attachments, and it is just as dangerous as ever. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn… ∗∗∗ Finding The Original Maldoc, (Sun, Aug 30th) ∗∗∗ --------------------------------------------- Xavier wrote about a "Malicious Excel Sheet with a NULL VT Score" and I showed how to extract the VBA code from the maldoc cleaned by AV. --------------------------------------------- https://isc.sans.edu/diary/rss/26520 ∗∗∗ Persistent WordPress User Injection ∗∗∗ --------------------------------------------- Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress. The following code was detected at the bottom of the theme’s functions.php. It uses internal WordPress functions like wp_create_user() and add_role() to create a new user and elevate its role to “administrator:” --------------------------------------------- https://blog.sucuri.net/2020/08/persistent-wordpress-user-injection.html ∗∗∗ Its Not Just an Unusual Login: Why Pay Attention to Threats Facing SaaS and Cloud? ∗∗∗ --------------------------------------------- There is a whole category of cyber-attacks largely untouched by the media. With breaking threat discoveries usually focused on targeted spear-phishing campaigns or widespread ransomware, cyber-attacks targeting cloud and SaaS are often overlooked. --------------------------------------------- https://www.securityweek.com/its-not-just-unusual-login-why-pay-attention-t… ∗∗∗ Cisco warns of actively exploited IOS XR zero-day ∗∗∗ --------------------------------------------- Cisco said it discovered the attacks last week during a support case the companys support team was called in to investigate. --------------------------------------------- https://www.zdnet.com/article/cisco-warns-of-actively-exploited-ios-xr-zero… ∗∗∗ Malware in Spiele-API ∗∗∗ --------------------------------------------- Eine Javascript-Malware auf dem npm-Portal, einem Teil von Github, täuschte vor, eine Schnittstelle zum Partyspiel "Fallguys: Ultimate Knockout" zu sein. --------------------------------------------- https://www.zdnet.de/88382359/malware-in-spiele-api/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Slack Bug Allows Access to Private Channels, Conversations ∗∗∗ --------------------------------------------- The RCE bug affects versions below 4.4 of the Slack desktop app. --------------------------------------------- https://threatpost.com/critical-slack-bug-access-private-channels-conversat… ∗∗∗ Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- released on 2020-08-28 and 2020-08-29 --------------------------------------------- https://www.ibm.com/blogs/psirt/2020/08/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and squid), Fedora (libX11 and wireshark), Gentoo (libX11 and redis), Mageia (firefox, libx11, qt4 and qt5base, and x11-server), openSUSE (gettext-runtime, inn, and webkit2gtk3), Oracle (firefox), SUSE (libqt5-qtbase, openvpn, openvpn-openssl1, postgresql10, and targetcli-fb), and Ubuntu (chrony, nss, and squid). --------------------------------------------- https://lwn.net/Articles/829847/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bacula, bind9, freerdp, libvncserver, lilypond, mupdf, ndpi, openexr, php-horde, php-horde-core, php-horde-gollem, php-horde-kronolith, ros-actionlib, thunderbird, and xorg-server), Fedora (golang-github-ulikunitz-xz and qt), Gentoo (bind, chrony, ghostscript-gpl, kleopatra, openjdk, and targetcli-fb), Mageia (ark, evolution-data-server, fossil, kernel, kernel-linus, and thunderbird), openSUSE (apache2, graphviz, grub2, inn, librepo, and [...] --------------------------------------------- https://lwn.net/Articles/830137/ ∗∗∗ Trend Micro Apex One: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0854 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2020
by Daily end-of-shift report 28 Aug '20

28 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-08-2020 18:00 − Freitag 28-08-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zahlen ohne PIN – Forscher knacken Visas NFC-Bezahlfunktion ∗∗∗ --------------------------------------------- Kontaktlos und ohne PIN bezahlten Forscher mit einer Visa-Karte quasi beliebig teure Produkte. --------------------------------------------- https://heise.de/-4881555 ∗∗∗ Achtung vor betrügerischen Werbeanzeigen auf Facebook, Instagram und Google! ∗∗∗ --------------------------------------------- Überall lauert Werbung, die uns dazu bringen will, ein bestimmtes Produkt zu kaufen oder eine Dienstleistung in Anspruch zu nehmen. Doch nicht jede Werbung ist seriös. Unter den vielen legitimen Werbetreibenden finden sich auch immer wieder Kriminelle. Das gilt für Soziale Medien genauso wie für Anzeigen, die bei einer Google-Suche ganz oben auftauchen. Wir zeigen Ihnen auf was Sie achten müssen, um unseriöse Werbeanzeigen zu entlarven! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-betruegerischen-werbeanz… ∗∗∗ Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning ∗∗∗ --------------------------------------------- Microsoft Defender ATP leverages AMSI’s visibility into scripts and harnesses the power of machine learning to detect and stop post-exploitation activities that largely rely on scripts. --------------------------------------------- https://www.microsoft.com/security/blog/2020/08/27/stopping-active-director… ∗∗∗ Exploring the Ubiquiti UniFi Cloud Key Gen2 Plus ∗∗∗ --------------------------------------------- Scoping attack surface, setting up debugging for UniFi Protect and UniFi Management Portal APIs, and finding unauthenticated API vulnerabilities --------------------------------------------- https://medium.com/tenable-techblog/exploring-the-ubiquiti-unifi-cloud-key-… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple NETGEAR switching hubs vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- GS716Tv2 and GS724Tv3 provided by NETGEAR contain a cross-site request forgery vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN29903998/ ∗∗∗ Cisco NX-OS Software Call Home Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Call Home feature of Cisco NX-OS Software could allow an authenticated, remote attacker to inject arbitrary commands that could be executed with root privileges on the underlying operating system (OS). The vulnerability is due to insufficient input validation of specific Call Home configuration parameters when the software is configured for transport method HTTP. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ [webapps] Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/48770 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Resilient users may experience a denial of service of the SOAR Platform due to a insufficient input validation (CVE-2019-4579) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-users-may-e… ∗∗∗ Security Bulletin: Information Disclosure vulnerability in IBM Spectrum Protect Server (CVE-2020-4591) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition for Content Collecor for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-… ∗∗∗ Security Bulletin: IBM Resilient users may experience a denial of service of the SOAR Platform due to a insufficient input validation (CVE-2019-4533) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-users-may-e… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server – Liberty affects IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Vulnerability exposure ( deferred from Oracle Jan 2020 Java CPU ) in IBM Java SDK affects IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-exposure-de… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2020 – Includes Oracle Jul 2020 CPU plus one additional vulnerability affects Content Collecor for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Denial of Service vulnerability in IBM Spectrum Protect Server (CVE-2020-4559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2020
by Daily end-of-shift report 27 Aug '20

27 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-08-2020 18:00 − Donnerstag 27-08-2020 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Revamped Qbot Trojan Packs New Punch: Hijacks Email Threads ∗∗∗ --------------------------------------------- New version of trojan is spreading fast and already has claimed 100,000 victims globally, Check Point has discovered. --------------------------------------------- https://threatpost.com/revamped-qbot-trojan-packs-new-punch-hijacks-email-t… ∗∗∗ Security.txt - one small file for an admin, one giant help to a security researcher, (Thu, Aug 27th) ∗∗∗ --------------------------------------------- The draft standard "A File Format to Aid in Security Vulnerability Disclosure" covers the creation of a file called "security.txt" in the /.well-known/ path on a web server, or in its root, which contains information relevant to the security of the server. --------------------------------------------- https://isc.sans.edu/diary/rss/26510 ∗∗∗ Cybercrime: Trickbot droht nun ebenfalls mit Veröffentlichung ∗∗∗ --------------------------------------------- Die mit Emotet verbundene Trickbot-Bande setzt eine neue Ransomware ein und betreibt jetzt auch eine eigene Leak-Plattform. --------------------------------------------- https://heise.de/-4879948 ∗∗∗ Mysteriöse Popup-Meldungen verunsichern Android-Nutzer ∗∗∗ --------------------------------------------- "Test" – das ist der lapidare Inhalt von Push-Nachrichten, die derzeit offenbar in großem Umfang auf Android-Handys auf-poppen. --------------------------------------------- https://heise.de/-4880604 ∗∗∗ Microsoft Warns of New Anubis Info-Stealer Distributed in the Wild ∗∗∗ --------------------------------------------- Microsoft warned on Thursday that a recently uncovered piece of malware designed to help cybercriminals steal information from infected systems is now actively distributed in the wild. --------------------------------------------- https://www.securityweek.com/microsoft-warns-new-anubis-info-stealer-distri… ∗∗∗ Cetus: Cryptojacking Worm Targeting Docker Daemons ∗∗∗ --------------------------------------------- Cetus is a new and improved Docker cryptojacking worm mining for Monero, discovered in a Docker daemon honeypot. --------------------------------------------- https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/ ===================== = Vulnerabilities = ===================== ∗∗∗ Foxit Studio Photo für Windows: Neue Version gegen Schwachstellen abgesichert ∗∗∗ --------------------------------------------- Version 3.6.6.928 der Bildbearbeitungssoftware Foxit Studio Photo schließt zwei Schwachstellen, deren Ausnutzung eine Nutzerinteraktion erfordert hätte. --------------------------------------------- https://heise.de/-4879609 ∗∗∗ Angreifer könnten F5 BIG-IP Application Security Manager lahmlegen ∗∗∗ --------------------------------------------- F5 hat wichtige Sicherheitsupdates für verschiedene BIG-IP Appliances veröffentlicht. --------------------------------------------- https://heise.de/-4880348 ∗∗∗ Sicherheitsupdates: Cisco sichert Netzwerksoftware NX-OS gegen DoS-Attacken ab ∗∗∗ --------------------------------------------- Aufgrund von mehreren Sicherheitslücken könnten Angreifer verschiedene Switch-Modelle von Cisco attackieren. --------------------------------------------- https://heise.de/-4880654 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and nginx), Fedora (firefox, firejail, and lua), Gentoo (chromium, docker, firefox and thunderbird, net-snmp, postgresql, and wireshark), openSUSE (chromium, claws-mail, dovecot23, libreoffice, and python3), Oracle (kernel), Scientific Linux (firefox), SUSE (apache2, graphviz, and libxslt), and Ubuntu (firefox, libmysofa, and squid3). --------------------------------------------- https://lwn.net/Articles/829690/ ∗∗∗ Vulnerabilities Expose Popular DVB-T2 Set-Top Boxes to Botnets: Researchers ∗∗∗ --------------------------------------------- Avast security researchers have identified vulnerabilities in DVB-T2 devices that could allow attackers to ensnare them in botnets. --------------------------------------------- https://www.securityweek.com/vulnerabilities-expose-popular-dvb-t2-set-top-… ∗∗∗ Mozilla Thunderbird: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/08/warn… ∗∗∗ Security Bulletin: Vulnerability in Netty 4.1.x before 4.1.46 affects IBM Operations Analytics Predictive Insights (CVE-2020-11612) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-4-… ∗∗∗ Security Bulletin: CVE-2020-2654 in IBM® Runtime Environment Java™ affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-in-ibm-runt… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by IBM SDK, Java Technology Edition Quarterly CPU – Apr 2020 vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere Application Server ND is vulnerable to cross-site scripting (CVE-2020-4575) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Openstack Keystone vulnerabilities affects IBM Spectrum Scale (CVE-2020-12689) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openstack-keystone-vulner… ∗∗∗ Security Bulletin: A vulnerability in IBM® Java™ Runtime Environment affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2020
by Daily end-of-shift report 26 Aug '20

26 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-08-2020 18:00 − Mittwoch 26-08-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New SunCrypt Ransomware sheds light on Mazes ransomware cartel ∗∗∗ --------------------------------------------- A new ransomware named SunCrypt has joined the Maze cartel, and with their membership, we get insight into how these groups are working together. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-suncrypt-ransomware-shed… ∗∗∗ Reverse Engineering and observing an IoT botnet ∗∗∗ --------------------------------------------- IoT devices are everywhere around us and some of them are not up to date with todays security standard. A single light bulb exposed to the internet can offer an attacker a variety of possibilities to attack companies or households. The possibilities are endless. --------------------------------------------- https://www.gdatasoftware.com/blog/2020/08/36243-reverse-engineering-and-ob… ∗∗∗ [SANS ISC] Malicious Excel Sheet with a NULL VT Score ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: "Malicious Excel Sheet with a NULL VT Score": Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT. --------------------------------------------- https://blog.rootshell.be/2020/08/26/sans-isc-malicious-excel-sheet-with-a-… ∗∗∗ Emulation of Malicious Shellcode With Speakeasy ∗∗∗ --------------------------------------------- In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom plugins to triage difficult malware families. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/08/emulation-of-malicious-… ∗∗∗ Most organizations have no Active Directory cyber disaster recovery plan ∗∗∗ --------------------------------------------- Although 97% of organizations said that Active Directory (AD) is mission-critical, more than half never actually tested their AD cyber disaster recovery process or do not have a plan in place at all, a Semperis survey of over 350 identity-centric security leaders reveals. "The expanded work-from-home environment makes organizational identity a priority and also increases the attack surface relative to Active Directory," said Charles Kolodgy, Principal at Security Mindsets. --------------------------------------------- https://www.helpnetsecurity.com/2020/08/26/active-directory-cyber-disaster-… ∗∗∗ Vorsicht beim privaten Autokauf: Spedition alo-car.com ist Fake! ∗∗∗ --------------------------------------------- Bei der Suche nach günstigen Gebrauchtautos, Wohnmobilen oder Motorrädern, sind Kleinanzeigenplattformen oftmals die beste Option. Doch seien Sie vorsichtig, wenn Ihr Gegenüber sich angeblich im Ausland befindet und den Kauf über eine Spedition abwickeln will. In vielen Fällen handelt es sich dabei um erfundene Speditionen und um Kriminelle, die nur an Ihr Geld wollen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-privaten-autokauf-sped… ∗∗∗ Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites ∗∗∗ --------------------------------------------- More and more ransomware gangs are now operating sites where they leak sensitive data from victims who refuse to pay the ransom demand. --------------------------------------------- https://www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gang… ∗∗∗ Söldner starten APT-Attacken ∗∗∗ --------------------------------------------- Eine Hackergruppe, die sich als Söldner für verschiedene Auftraggeber verdingt, hat laut Erkenntnissen von Bitdefender Cyber-Spionageangriffe per Advanced-Persistent-Threat-(APT) mit Zero-Day-Attacken auf Autodesk 3ds Max genutzt, um geistiges Eigentum zu stehlen. --------------------------------------------- https://www.zdnet.de/88382317/soeldner-starten-apt-attacken/ ===================== = Vulnerabilities = ===================== ∗∗∗ Magento Multiversion (1.x/2.x) Backdoor ∗∗∗ --------------------------------------------- The Magento 1 EOL date has already passed, however it’s evident that a large number of websites will continue to use it for the foreseeable future. Unfortunately, attackers are also aware that many websites are straggling with their Magento migrations and post compromise tools have been created to support deployment for both Magento 1.x and 2.x versions, making it easier for them to exploit a larger number of sites. --------------------------------------------- https://blog.sucuri.net/2020/08/magento-multiversion-1-x-2-x-backdoor.html ∗∗∗ Extensive file permissions on service executable in Eikon Thomson Reuters (CVE-2019-10679) ∗∗∗ --------------------------------------------- SEC Consult found a vulnerability that allows unprivileged users to escalate their privileges to SYSTEM in Eikon of Thomson Reuters. This is possible due to extensive file permissions that allow standard users to modify executable files. --------------------------------------------- https://sec-consult.com/en/blog/advisories/extensive-file-permissions-on-se… ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- Huawei has published 20 new or updated Security Advisories. --------------------------------------------- https://www.huawei.com/en/psirt/all-bulletins ∗∗∗ WordPress: Sicherheitslücken in millionenfach installiertem Plugin Autoptimize ∗∗∗ --------------------------------------------- Nutzer des Plugins Autoptimize sollten dieses zügig auf 2.7.7 updaten. Für eine von zwei geschlossenen Lücken soll demnächst Demo-Code veröffentlicht werden. --------------------------------------------- https://heise.de/-4879463 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, ghostscript, php7.0, and proftpd-dfsg), Fedora (mod_http2 and thunderbird), Red Hat (chromium-browser and firefox), and SUSE (apache2, grub2, samba, and xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/829609/ ∗∗∗ F5 BIG-IP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0843 ∗∗∗ Security Bulletin: August 2020 : CVE-2020-2654 in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-august-2020-cve-2020-2654… ∗∗∗ Security Bulletin: Kerberos vulnerability in IBM Java Runtime affects Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-kerberos-vulnerability-in… ∗∗∗ Security Bulletin: BEAST security vulnerability in IBM Tivoli Netcool Performance Manager for Wireline( CVE-2011-3389) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-beast-security-vulnerabil… ∗∗∗ Security Bulletin: Vulnerability in Apache Batik affects WebSphere Application Server (CVE-2019-17566) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-b… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2020
by Daily end-of-shift report 25 Aug '20

25 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Montag 24-08-2020 18:00 − Dienstag 25-08-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iOS & MacOS: Apple will Sicherheitslücke erst nach einem Jahr schließen ∗∗∗ --------------------------------------------- Eine Lücke im Safari Browser ermöglicht das ungewollte Teilen lokaler Dateien. Apple will die nun veröffentlichte Lücke erst im Frühjahr 2021 schließen. --------------------------------------------- https://www.golem.de/news/ios-macos-apple-will-sicherheitsluecke-erst-nach-… ∗∗∗ Patch Management Policy: A Practical Guide ∗∗∗ --------------------------------------------- Patching – this highly necessary, yet sometimes neglected practice of resolving security issues related to vulnerabilities – can be a burden for organizations of all sizes. You probably already know that a regular and well-defined patch management routine proactively ensures your systems function as they are supposed to. However, it can seem like an overwhelming [...] --------------------------------------------- https://heimdalsecurity.com/blog/patch-management-policy/ ∗∗∗ RATs and Spam: The Node.JS QRAT ∗∗∗ --------------------------------------------- The Qua or Quaverse Remote Access Trojan (QRAT) is a Java-based RAT that can be used to gain complete control over a system. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-sp… ∗∗∗ [SANS ISC] Keep An Eye on LOLBins ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Keep An Eye on LOLBins“: Don’t misread, I won’t talk about “lolcats” today but “LOLBins” or “Living Off The Land Binaries”. All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications, [...] --------------------------------------------- https://blog.rootshell.be/2020/08/25/sans-isc-keep-an-eye-on-lolbins/ ∗∗∗ Sicherheitsforscher fürchten infiltrierte App-Store-Anwendungen ∗∗∗ --------------------------------------------- Die XCSSET-Malware kommt über Xcode-Projekte auf den Mac. Das könnte Auswirkungen auf Apples Sicherheitskonzept haben. --------------------------------------------- https://heise.de/-4877855 ∗∗∗ Gerade auf Wohnungssuche? Dann sollten Sie sich vor gefälschten Inseraten in Acht nehmen! ∗∗∗ --------------------------------------------- Sie haben endlich Ihre Traumwohnung zu einem unglaublich günstigen Preis gefunden? Es gibt jedoch einen Haken: Der Vermieter ist gerade im Ausland und möchte, dass Sie bereits vor der Besichtigung die Kaution bezahlen? Dann sind Sie auf ein betrügerisches Wohnungsinserat gestoßen! Diese Wohnung existiert in Wahrheit nicht, Kriminelle versuchen mit einem verlockenden Angebot an Ihr Geld und Ihre Ausweiskopien zu kommen! --------------------------------------------- https://www.watchlist-internet.at/news/gerade-auf-wohnungssuche-dann-sollte… ∗∗∗ Browser-based cryptojacking sees sudden spike in activity in Q2 2020 ∗∗∗ --------------------------------------------- However, theres nothing to worry about. Browser-based cryptojacking is not making a comeback. --------------------------------------------- https://www.zdnet.com/article/browser-based-cryptojacking-sees-sudden-spike… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress: Wichtige Sicherheitsupdates für mehrere Plugins verfügbar ∗∗∗ --------------------------------------------- Updates für "Advanced Access Manager", "Discount Rules for WooCommerce" und "Quiz and Survey Master" schließen Lücken mit hoher bis kritischer Einstufung. --------------------------------------------- https://heise.de/-4878220 ∗∗∗ [20200802] - Core - Open redirect in com_content vote feature ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Low Versions: 3.0.0-3.9.20 Exploit type: Open Redirect Reported Date: 2020-July-05 Fixed Date: 2020-August-25 CVE Number: CVE-2020-24598 Description Lack of input validation in com_content leads to an open redirect. Affected Installs Joomla! CMS versions 3.0.0 - 3.9.20 Solution Upgrade to version 3.9.21 Contact The JSST at the Joomla! Security Centre. Reported By: Ahmad Kamaran Jamil --------------------------------------------- https://developer.joomla.org:443/security-centre/825-20200802-core-open-red… ∗∗∗ [20200803] - Core - Directory traversal in com_media ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Low Versions: 2.5.0-3.9.20 Exploit type: Directory Traversal Reported Date: 2020-February-02 Fixed Date: 2020-August-25 CVE Number: CVE-2020-24597 Description Lack of input validation allows com_media root paths outside of the webroot. Affected Installs Joomla! CMS versions 2.5.0 - 3.9.20 Solution Upgrade to version 3.9.21 Contact The JSST at the Joomla! Security Centre. Reported By: Hoang Kien from VSEC --------------------------------------------- https://developer.joomla.org:443/security-centre/827-20200803-core-director… ∗∗∗ [20200801] - Core - XSS in mod_latestactions ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 3.9.0-3.9.20 Exploit type: XSS Reported Date: 2020-August-21 Fixed Date: 2020-August-25 CVE Number: CVE-2020-24599 Description Lack of escaping in mod_latestactions allows XSS attacks. Affected Installs Joomla! CMS versions 3.9.0 - 3.9.20 Solution Upgrade to version 3.9.21 Contact The JSST at the Joomla! Security Centre. Reported By: Peter Martin --------------------------------------------- https://developer.joomla.org:443/security-centre/824-20200801-core-xss-in-m… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (icingaweb2 and mongodb), Fedora (nss), Gentoo (chromium and shadow), Mageia (ghostscript, kdepim-runtime, kmail-account-wizard, luajit, mysql-connector-python, and python-ipaddress), openSUSE (python, python3, and webkit2gtk3), Red Hat (kernel and kernel-alt), Slackware (firefox), SUSE (squid3), and Ubuntu (bind9, ghostscript, net-snmp, postgresql-10, postgresql-12, postgresql-9.5, and sane-backends). --------------------------------------------- https://lwn.net/Articles/829548/ ∗∗∗ Microsoft Patches Code Execution, Privilege Escalation Flaws in Azure Sphere ∗∗∗ --------------------------------------------- Recently addressed Microsoft Azure Sphere vulnerabilities could lead to the execution of arbitrary code or to elevation of privileges, Cisco Talos’ researchers warn. read more --------------------------------------------- https://www.securityweek.com/microsoft-patches-code-execution-privilege-esc… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by weak crypto algorithm (CVE-2020-4349) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste… ∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition for Content Collecor for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-… ∗∗∗ Security Bulletin: IBM Elastic Storage Server GUI is affected by cross-site scripting (CVE-2020-4358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-serve… ∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by cross-site scripting (CVE-2020-4358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable for information disclosure that affect IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 GUI is affected by verbose error message (CVE-2020-4357) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste… ∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 GUI is affected by weak crypto algorithm (CVE-2020-4379) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2020
by Daily end-of-shift report 24 Aug '20

24 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-08-2020 18:00 − Montag 24-08-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware attackiert VPN und RDP ∗∗∗ --------------------------------------------- Ransomware wird immer gefährlicher. Hacker nutzen vor allem das Remote Desktop Protocol (RDP), und Virtual Private Networks (VPN) als Einfallstore. E-Mail-Phishing verliert dagegen an Bedeutung. --------------------------------------------- https://www.zdnet.de/88382240/ransomware-attackiert-vpn-und-rdp/ ∗∗∗ DarkSide: New targeted ransomware demands million dollar ransoms ∗∗∗ --------------------------------------------- A new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransom… ∗∗∗ Lifting the veil on DeathStalker, a mercenary triumvirate ∗∗∗ --------------------------------------------- DeathStalker is a unique threat group that appears to target law firms and companies in the financial sector. They don’t deploy ransomware or steal payment information to resell it, their interest in gathering sensitive business information [...] --------------------------------------------- https://securelist.com/deathstalker-mercenary-triumvirate/98177/ ∗∗∗ Hunting for Risky Rules in Office 365 ∗∗∗ --------------------------------------------- When an attacker compromises an Office 365 mailbox, one of the most common activities that we see is new inbox rules being created - therefore finding these rules is a good way to identify compromised accounts and mailboxes. --------------------------------------------- https://blog.rothe.uk/risky-rules-in-office365/ ∗∗∗ Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach ∗∗∗ --------------------------------------------- The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis. --------------------------------------------- https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-a… ∗∗∗ Protect your organization in the age of Magecart ∗∗∗ --------------------------------------------- The continuing wave of attacks by cybercriminal groups known under the umbrella term Magecart perfectly illustrates just how unprepared many e-commerce operations are from a security point of view. It all really boils down to timing. If the e-commerce world was able to detect such Magecart attacks in a matter of seconds (rather than weeks or months), then we could see an end to Magecart stealing all of the cybercrime headlines. --------------------------------------------- https://www.helpnetsecurity.com/2020/08/24/protect-your-organization-in-the… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress WooCommerce stores under attack, patch now ∗∗∗ --------------------------------------------- Hackers are actively targeting and trying to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin with more than 30,000 installations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-woocommerce-stores… ∗∗∗ Xen Security Advisory CVE-2020-14364 / XSA-335 ∗∗∗ --------------------------------------------- An out-of-bounds read/write access issue was found in the USB emulator of the QEMU. It occurs while processing USB packets from a guest, when USBDevice->setup_len exceeds the USBDevice->data_buf[4096], in do_token_{in,out} routines. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-335.html ∗∗∗ Sicherheitsupdate: VMware App Volumes abgesichert ∗∗∗ --------------------------------------------- Angreifer könnten die Anwendungsmanagement-Software App Volumes von VMware attackieren. --------------------------------------------- https://heise.de/-4876962 ∗∗∗ VMSA-2020-0018 ∗∗∗ --------------------------------------------- VMware ESXi, vCenter Server, and Cloud Foundation updates address a partial denial of service vulnerability (CVE-2020-3976) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0018.html ∗∗∗ Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome WebGL could lead to code execution ∗∗∗ --------------------------------------------- The Google Chrome web browser contains a use-after-free vulnerability in its WebGL component that could allow a user to execute arbitrary code in the context of the browser process. --------------------------------------------- https://blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-a… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firejail, icingaweb2, inetutils, libjackson-json-java, proftpd-dfsg, python2.7, software-properties, and sqlite3), Fedora (chrony), Mageia (chrony), openSUSE (dovecot23, postgresql12, and python), Slackware (bind), SUSE (gettext-runtime and SUSE Manager Server 3.2), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/829486/ ∗∗∗ Synology-SA-20:19 ISC BIND ∗∗∗ --------------------------------------------- CVE-2020-8622 allows remote authenticated users to conduct denial-of-service attacks via a susceptible version of DNS Server. None of Synologys products are affected by CVE-2020-8620, CVE-2020-8621, CVE-2020-8623, or CVE-2020-8624 as these vulnerabilities only affect ISC BIND 9.9.12 and later. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_19 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- Two issues have been identified in Citrix Hypervisor that may, in certain configurations, allow privileged code in an HVM guest VM to execute code in the control domain, potentially compromising the host. --------------------------------------------- https://support.citrix.com/article/CTX280451 ∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0838 ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – CVE-2020-2601 affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020 – Includes Oracle Jan 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storager Server where an attacker can cause a denial of service (CVE-2020-4383) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a ClickJacking vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a Components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by a components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by an Open Redirect vulnerabilitiy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-aff… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to multiple node.js vulnerabilities (CVE-2020-11080, CVE-2020-10531, CVE-2020-8172, CVE-2020-8174) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Multiple Java vulnerabilities affect IBM Spectrum Protect Plus (CVE-2020-2805, CVE-2020-2803, CVE-2020-2830, CVE-2020-2781, CVE-2020-2800. CVE-2020-2757, CVE-2020-2756, CVE-2020-2755, CVE-2020-2754) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabili… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2020
by Daily end-of-shift report 21 Aug '20

21 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-08-2020 18:00 − Freitag 21-08-2020 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Malware can no longer disable Microsoft Defender via the Registry ∗∗∗ --------------------------------------------- Microsoft has removed the ability to disable Microsoft Defender and third-party security software via the Registry to prevent malware from tampering with protection settings. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/malware-can-no-longer-disab… ∗∗∗ Emotet Malware Over the Years: The History of an Active Cyber-Threat ∗∗∗ --------------------------------------------- Malware strains come and go while Internet users become more and more accustomed to online threats being dealt with swiftly by the competent authorities. But what happens when a Trojan constantly eludes everyone’s best efforts to stop it in its tracks? --------------------------------------------- https://heimdalsecurity.com/blog/emotet-malware-history/ ∗∗∗ From SSRF to Compromise: Case Study ∗∗∗ --------------------------------------------- SSRF is a neat bug because it jumps trust boundaries. You go from being the user of a web application to someone on the inside, someone who can reach out and touch things on behalf of the vulnerable server. Exploiting SSRF beyond a proof-of-concept callback is often tricky because the impact is largely dependent on the environment you’re making that internal request in. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-ssrf-t… ∗∗∗ MISP 2.4.130 released (Various fixes, performance improvements and new features) ∗∗∗ --------------------------------------------- MISP 2.4.130 releasedA new version of MISP (2.4.130) has been released with performance improvements, multiple bugs fixed and new features. --------------------------------------------- https://www.misp-project.org/2020/08/21/MISP.2.4.130.released.html ∗∗∗ Aggressive DDoS-Erpresser von Fancy Bear sind wieder aktiv ∗∗∗ --------------------------------------------- Vor erneuten DDoS-Erpressungen im Namen von Fancy Bear, die von großvolumigen DDoS-Attacken begleitet werden, hat jetzt das Link11 Security Operation Center gewarnt. Laut des IT-Sicherheitsanbieters Link11 zählen zu den angegriffenen Unternehmen auch KRITIS-Betreiber. --------------------------------------------- https://www.zdnet.de/88382211/aggressive-ddos-erpresser-von-fancy-bear-sind… ===================== = Vulnerabilities = ===================== *** BIND Security Advisories *** --------------------------------------------- CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c CVE-2020-8621: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c CVE-2020-8622: A truncated TSIG response can lead to an assertion failure CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly --------------------------------------------- https://kb.isc.org/docs/cve-2020-8620 https://kb.isc.org/docs/cve-2020-8621 https://kb.isc.org/docs/cve-2020-8622 https://kb.isc.org/docs/cve-2020-8623 https://kb.isc.org/docs/cve-2020-8624 ∗∗∗ Sicherheitsupdates: Wieder eine "vergessene" Hintertür in Cisco-Produkten ∗∗∗ --------------------------------------------- Angreifer könnten unter anderem Cisco vWAAS, Smart Software Manager und Video Surveillance 8000 Series attackieren. --------------------------------------------- https://heise.de/-4875646 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript), Fedora (curl and mod_http2), Mageia (ngircd), openSUSE (kernel), SUSE (libreoffice), and Ubuntu (curl). --------------------------------------------- https://lwn.net/Articles/829280/ ∗∗∗ CERT/CC Warns of Vulnerabilities in Diebold Nixdorf, NCR ATMs ∗∗∗ --------------------------------------------- The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has published alerts on several vulnerabilities that impact Diebold Nixdorf ProCash and NCR SelfServ automated teller machines (ATMs). --------------------------------------------- https://www.securityweek.com/certcc-warns-vulnerabilities-diebold-nixdorf-n… ∗∗∗ Security Bulletin: Vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Control (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher… ∗∗∗ Security Bulletin: Golang Vulnerabilities in IBM Cloud CLI 1.1.0 or earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-golang-vulnerabilities-in… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by vulnerability CVE-2020-4465 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Control (CVE-2020-8172, CVE-2020-8174, CVE-2020-11080) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure and denial of service (CVE-2020-4414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Spectrum Control (CVE-2020-2654, CVE-2020-2781, CVE-2020-2800) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by vulnerability CVE-2020-4375 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ August 20, 2020 TNS-2020-06 [R1] Nessus 8.11.1 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2020-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2020
by Daily end-of-shift report 20 Aug '20

20 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-08-2020 18:00 − Donnerstag 20-08-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Lucifer cryptomining DDoS malware now targets Linux systems ∗∗∗ --------------------------------------------- A hybrid DDoS botnet known for turning vulnerable Windows devices into Monero cryptomining bots is now also scanning for and infecting Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lucifer-cryptomining-ddos-ma… ∗∗∗ Transparent Tribe: Evolution analysis,part 1 ∗∗∗ --------------------------------------------- Transparent Tribe, also known as PROJECTM and MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013. Proofpoint published a very good article about them in 2016, and since that day, we have kept an eye on the group. [...] The USBWorm component is real, and it has been detected on hundreds of systems. This is malware whose existence was already speculated about years ago, but as far as we know, it has never been publicly described. --------------------------------------------- https://securelist.com/transparent-tribe-part-1/98127/ ∗∗∗ Office 365 Mail Forwarding Rules (and other Mail Rules too), (Thu, Aug 20th) ∗∗∗ --------------------------------------------- If you haven't heard, SANS suffered a "Data Incident" this summer, the disclosure was released on August 11. Details can be found in several locations: [...] So that being said, how can we look for these things if you have hundreds, thousands or tens-of-thousands of mailboxes to consider? In an Office 365 shop, and especially if I wrote the code, the answer is most likely going to be PowerShell! --------------------------------------------- https://isc.sans.edu/diary/rss/26484 ∗∗∗ IBM Db2 Shared Memory Vulnerability (CVE-2020-4414) ∗∗∗ --------------------------------------------- I’ve recently blogged about a shared memory vulnerability in Cisco WebEx Meetings Client on Windows where any user can read memory dedicated to trace data. It turns out that this is a common problem. IBM Db2 is affected by the exact same type of problem. Developers forgot to put explicit memory protections around the shared memory used by the Db2 trace facility. This allows any local users read and write access to that memory area. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ibm-db2-sha… ∗∗∗ Kriminelle versuchen Zugangsdaten zum Online-Banking zu klauen! ∗∗∗ --------------------------------------------- Haben Sie in den letzten Tagen auch eine E-Mail der „BawagPSK“ erhalten? Wenn ja, seien Sie vorsichtig! Es sind derzeit wieder vermehrt betrügerische Nachrichten unterwegs, in denen die Kriminellen Ihnen vorgaukeln, dass Sie die neue Sicherheits-App installieren müssen, damit Ihr Online-Banking funktioniert. Tatsächlich geht es aber nur darum, an Ihre Zugangsdaten zu kommen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versuchen-zugangsdaten-zu… ∗∗∗ Google fixes major Gmail bug seven hours after exploit details go public ∗∗∗ --------------------------------------------- Attackers could have sent spoofed emails mimicking any Gmail or G Suite customer. --------------------------------------------- https://www.zdnet.com/article/google-fixes-major-gmail-bug-seven-hours-afte… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2020-08-19 ∗∗∗ --------------------------------------------- Cisco hat 24 Security-Advisories veröffentlicht, davon wurden 1 als Kritisch und 2 als Hoch eingestuft. --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Wichtige Sicherheitsupdates für Windows 8.1/Server 2012 R2 veröffentlicht ∗∗∗ --------------------------------------------- Microsoft sichert Windows 8.1 und Windows Server 2012 R2 außer der Reihe ab. --------------------------------------------- https://heise.de/-4874571 ∗∗∗ High-Severity Vulnerability Patched in Advanced Access Manager ∗∗∗ --------------------------------------------- On August 13, 2020, the Wordfence Threat Intelligence team finished investigating two vulnerabilities in Advanced Access Manager, a WordPress plugin with over 100,000 installations, including a high-severity Authorization Bypass vulnerability that could lead to privilege escalation and site takeover. --------------------------------------------- https://www.wordfence.com/blog/2020/08/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible, libmetalink, roundcubemail, rubygem-kramdown, sqlite, and swtpm), Slackware (curl), SUSE (python and python3), and Ubuntu (qemu). --------------------------------------------- https://lwn.net/Articles/829181/ ∗∗∗ Security Advisory - Integer Overflow Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-… ∗∗∗ Security Advisory - Out Of Bound Read Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-… ∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-… ∗∗∗ Security Bulletin: IBM Content Navigator is susceptible to a sensitive data exposure. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-aff… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to buffer overflow leading to a privileged escalation (CVE-2020-4363) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Content Manager is affected by a potential information disclosure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-is-af… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to an Elliptic Curve Key Disclosure. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: Autocomplete not disabled for password field in IBM Content Navigator. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-autocomplete-not-disabled… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to improper input validation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: vulnerability in snakeyaml might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2017-18640 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-snakeyam… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2020
by Daily end-of-shift report 19 Aug '20

19 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-08-2020 18:00 − Mittwoch 19-08-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FritzFrog malware attacks Linux servers over SSH to mine Monero ∗∗∗ --------------------------------------------- A sophisticated botnet campaign named FritzFrog has been discovered breaching SSH servers around the world, since at least January 2020. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fritzfrog-malware-attacks-li… ∗∗∗ Example of Word Document Delivering Qakbot, (Wed, Aug 19th) ∗∗∗ --------------------------------------------- Qakbot is back on stage at the moment! Many security companies already reported some peaks of activity around this malware. On my side, I also spotted several samples. The one that I'll cover today has been reported by one of our readers (thanks to him) and deserves a quick analysis of the obfuscation used by the attackers. It is not available on VT at this time (SHA256:507312fe58352d75db057aee454dafcdce2cdac59c0317255e30a43bfa5dffbc) --------------------------------------------- https://isc.sans.edu/diary/rss/26482 ∗∗∗ CDN-Filestore Credit Card Stealer for Magento ∗∗∗ --------------------------------------------- During a website remediation, we recently discovered a new version of a Magento credit card stealer which sends all compromised data to the malicious domain cdn-filestore[dot]com. My colleague Luke Leal originally wrote about this malware in a blog post earlier this year. Malware Evolution & Evasive Techniques One primary difference between this new version and theone Luke wrote about in April is that it was not packed. This detail suggests that the attackers updated the malware in an [...] --------------------------------------------- https://blog.sucuri.net/2020/08/cdn-filestore-credit-card-stealer-for-magen… ∗∗∗ Voice Phishers Targeting Corporate VPNs ∗∗∗ --------------------------------------------- The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees. --------------------------------------------- https://krebsonsecurity.com/2020/08/voice-phishers-targeting-corporate-vpns/ ∗∗∗ Angriff der Insta‑Klone ∗∗∗ --------------------------------------------- Unser Autor macht den Test: Mit einem geklonten Social-Media-Account und psychologischem Geschick lassen sich seine Kontakte ausnutzen und Betrügen. Vorsicht ist angesagt. --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/08/18/angriff-der-insta-klone/ ∗∗∗ 10 WordPress Security Mistakes You Might Be Making ∗∗∗ --------------------------------------------- Yesterday, August 18, 2020, the Wordfence Live team covered 10 WordPress Security Mistakes You Might be Making. This companion blog post reviews the recommendations we provided to avoid these mistakes and better secure your WordPress environment. --------------------------------------------- https://www.wordfence.com/blog/2020/08/10-wordpress-security-mistakes-you-m… ∗∗∗ Ongoing Campaign Uses HTML Smuggling for Malware Delivery ∗∗∗ --------------------------------------------- An ongoing cybercrime campaign is employing a technique known as HTML smuggling to deliver malware onto the victim’s machine, Menlo Security reports. Referred to as Duri, the campaign started in early July and continues to date, attempting to evade network security solutions, including proxies and sandboxes, to deliver malicious code. --------------------------------------------- https://www.securityweek.com/ongoing-campaign-uses-html-smuggling-malware-d… ∗∗∗ Zahlreiche Meldungen zu hilufon.de, applefy.de und coyshop.de ∗∗∗ --------------------------------------------- Auf den unterschiedlichen Websites der appl handels ug werden und wurden diverse iPhone Modelle angeboten. Es handelt sich dabei um gebrauchte Geräte. Zahlreiche InternetuserInnen wenden sich jedoch an die Watchlist Internet und klagen über ausbleibende oder stark verspätete Lieferungen und andere Probleme mit dem Anbieter. Auch auf Bewertungsportalen zeigt sich ein ähnliches Bild. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-meldungen-zu-hilufonde-ap… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick and ruby-websocket-extensions), Fedora (libetpan, LibRaw, and php), Gentoo (nss), Mageia (apache, ark, clamav, claws-mail, dovecot, firefox, firejail, freerdp, golang, jasper, kernel, libssh, libx11, postgresql-jdbc, python-rstlib, radare2, roundcubemail, squid, targetcli, thunderbird, tomcat, and x11-server), Red Hat (rh-mysql80-mysql), SUSE (dovecot22, freerdp, libvirt, and postgresql12), and Ubuntu (curl and linux-hwe, linux-azure-5.3, [...] --------------------------------------------- https://lwn.net/Articles/829102/ ∗∗∗ Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks ∗∗∗ --------------------------------------------- Security researchers at IBM have discovered a potentially serious vulnerability in a communications module made by Thales for IoT devices. Millions of devices could be impacted, but the vendor released a patch six months ago. --------------------------------------------- https://www.securityweek.com/vulnerability-thales-product-could-expose-mill… ∗∗∗ Security Advisory - Denial of Service Vulnerability in SmartPhone Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200819-… ∗∗∗ Security Bulletin: Vulnerability identified in docker for Red Hat Enterprise Linux ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-identified-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to IBM WebSphere Application Server Liberty vulnerabilities (CVE-2020-4303, CVE-2020-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storager Server GUI where authorised user can execute unauthorized function (CVE-2020-4378) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – OpenSSL (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-2019-11254) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Vulnerability in GNU gettext affects IBM Spectrum Protect Plus (CVE-2018-18751) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gnu-gett… ∗∗∗ Security Bulletin: IBM Elastic Storage Server GUI is affected by cross-site scripting (CVE-2020-4358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-serve… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-17573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cloud Private ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2020
by Daily end-of-shift report 18 Aug '20

18 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Montag 17-08-2020 18:00 − Dienstag 18-08-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cryptojacking worm steals AWS credentials from Docker systems ∗∗∗ --------------------------------------------- According to researchers at Cado Security this is the first-ever worm that comes with AWS credential theft functionality on top of run-of-the-mill cryptomining modules. This botnet uses already infected servers to execute an open-source masscan IP port scanner instance that scans for exposed Docker APIs (and Kubernetes systems as later discovered), installing itself in new containers on any misconfigured servers it finds. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cryptojacking-worm-steals-aw… ∗∗∗ E-Mail: Gefährliche Mailto-Links können Daten stehlen ∗∗∗ --------------------------------------------- Dieses Feature für Dateianhänge ist nicht Teil der Standardspezifikation für Mailto-Links. Es handelt sich um eine inoffizielle Erweiterung, die von einigen Mailprogrammen genutzt wird. Laut der Veröffentlichung wird das Feature in Kmail und Evolution unterstützt, die Standardmailprogramme der Linux-Desktopumgebungen KDE und Gnome. Auch IBM Notes unterstützen das Feature. Thunderbird ist zwar selbst nicht betroffen, kann aber verwundbar sein, wenn die Verarbeitung der Mailto-Links über das Tool xdg-open erfolgt. --------------------------------------------- https://www.golem.de/news/e-mail-gefaehrliche-mailto-links-koennen-daten-st… ∗∗∗ Pre-announcement of five BIND security issues scheduled for disclosure 20 August 2020 ∗∗∗ --------------------------------------------- We therefore are writing to inform you that the August BIND maintenance releases that will be released on Thursday, 20 August, contain patches for five separate vulnerabilities. Further details about the vulnerabilities will be publicly disclosed at the time the releases are published on Thursday. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2020-August/001161.html ∗∗∗ Online- Anlagen- und Investitionsbetrug floriert ∗∗∗ --------------------------------------------- Laufend treten von Investitionsbetrug betroffene Konsumentinnen und Konsumenten an die Watchlist Internet heran. Die Methoden der Kriminellen sind dabei fast immer die gleichen. Erfundene Werbeschaltungen, hohe Gewinnversprechen und persönliche Betreuung verleiten die Opfer zu großen Investitionen. Im Endergebnis führt dies zu mitunter existenzbedrohenden Schadenssummen. --------------------------------------------- https://www.watchlist-internet.at/news/online-anlagen-und-investitionsbetru… ===================== = Vulnerabilities = ===================== ∗∗∗ Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926 ∗∗∗ --------------------------------------------- A malicious user can send a specially crafted message either to a channel or in a direct message to another user which will result in executing JavaScript in the victim's browser or inside the desktop client when the victim will use the 'Reply in Thread' functionality. In the case of desktop clients cross-site scripting (XSS) vulnerability leads to a remote code execution (RCE) --------------------------------------------- https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sane-backends), Fedora (kernel, LibRaw, and wob), openSUSE (balsa, hylafax+, postgresql, postgresql96, postgresql10, postgresql12, and postgresql96, postgresql10 and postgresql12), Oracle (.NET Core 3.1), Red Hat (bash and bind), SUSE (dovecot23, firefox, fwupd, postgresql10, postgresql12, python-azure-agent, and zabbix), and Ubuntu (ark, gnome-shell, libonig, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, linux-gke-5.0, linux-oem-osp1 and software-properties). --------------------------------------------- https://lwn.net/Articles/829030/ ∗∗∗ Vulnerability Allowing Full Server Takeover Found in Concrete5 CMS ∗∗∗ --------------------------------------------- The issue was identified in Concrete5 version 8.5.2, which essentially allowed an attacker to modify site configuration and upload a PHP file onto the server, thus gaining arbitrary command execution capabilities. --------------------------------------------- https://www.securityweek.com/vulnerability-allowing-full-server-takeover-fo… ∗∗∗ Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in a number of security issues  --------------------------------------------- https://support.citrix.com/article/CTX276688 ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM Elastic Storage Server is affected by a vulnerability where an unprivileged user could execute commands as root ( CVE-2020-4273) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-serve… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Elastic Storage Server GUI is affected by verbose error messages being displayed. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-serve… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Incorrect permissions on IBM Spectrum Protect Plus agent files (CVE-2020-4631) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-… ∗∗∗ Security Bulletin: A vulnerability in an older version of a Batik plugin that is included in IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-an-old… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Elastic Storage Server GUI where an unauthorised user can execute commands (CVE-2020-4348) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2020
by Daily end-of-shift report 17 Aug '20

17 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-08-2020 18:00 − Montag 17-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft fixes actively exploited Windows bug reported 2 years ago ∗∗∗ --------------------------------------------- Microsoft fixed a Windows security vulnerability two years after it was reported. This articles provides greater detail about the bug and how it works.(CVE-2020-1464) --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-fixes-actively-exp… ∗∗∗ Potential Apache Struts 2 RCE flaw fixed, PoCs released ∗∗∗ --------------------------------------------- Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability (CVE-2019-0230) and PoC exploits for it have been published. --------------------------------------------- https://www.helpnetsecurity.com/2020/08/17/cve-2019-0230/ ∗∗∗ RevoLTE: Telefonanrufe ließen sich trotz Verschlüsselung abhören ∗∗∗ --------------------------------------------- Sicherheitsforscher zeigen grundlegendes Defizit auf – Mobilfunker haben angeblich bereits nachgebessert --------------------------------------------- https://www.derstandard.at/story/2000119401327/revolte-telefonanrufe-liesse… ∗∗∗ Goodbye EmoCrash - Schwachstelle in Emotet gefixed ∗∗∗ --------------------------------------------- Eine Schwachstelle im Code von Emotet ("EmoCrash" genannt) wurde seit geraumer Zeit in der Security Community als Präventionsmaßnahme gegenEmotet Infektionen verteilt. Die bisher einer breiten Öffentlichkeit nicht bekannte Schwachstelle in der Installationsroutine von Emotet konnte wirksamen Schutz vor einer Infektion bieten, in dem ein Buffer Overflow im Code dieser Routine ausgenutzt wurde um Emotet abstürzen zu lassen. --------------------------------------------- https://cert.at/de/aktuelles/2020/8/godbye-emocrash-schwachstelle-in-emotet… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squid3), Fedora (lilypond and python3), openSUSE (xen), SUSE (libreoffice, libvirt, webkit2gtk3, xen, and xerces-c), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/828811/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot, htmlunit, jruby, libetpan, lucene-solr, net-snmp, and posgresql-9.6), Fedora (firefox, nss, qt, and thunderbird), Mageia (glib-networking, mumble, webkit2, and znc), openSUSE (balsa, chromium, firejail, hylafax+, libreoffice, libX11, perl-XML-Twig, thunderbird, wireshark, and xrdp), Red Hat (libvncserver), SUSE (libvirt and perl-PlRPC), and Ubuntu (dovecot and salt). --------------------------------------------- https://lwn.net/Articles/828945/ ∗∗∗ Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential information disclosure id 177835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: LDAP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ldap-vulnerability-affect… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2020
by Daily end-of-shift report 14 Aug '20

14 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-08-2020 18:00 − Freitag 14-08-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Definition of overkill - using 130 MB executable to hide 24 kB malware, (Fri, Aug 14th) ∗∗∗ --------------------------------------------- One of our readers, Lukas, shared an unusual malicious executable with us earlier this week - one that was 130 MB in size. Making executables extremely large is not an uncommon technique among malware authors[1], as it allows them to easily avoid detection by most AV solutions, since the size of files which AVs will check is usually fairly low (tens of megabytes at most). --------------------------------------------- https://isc.sans.edu/diary/rss/26464 ∗∗∗ XCSSET: Mac-Malware infiziert Xcode-Projekte ∗∗∗ --------------------------------------------- Der Schädling setzt auf 0-day-Exploits, um Nutzerdaten zu klauen. Manipulierte Xcode-Projekte finden über Github Verbreitung, warnt eine Sicherheitsfirma. --------------------------------------------- https://heise.de/-4870987 ∗∗∗ Chrome extensions that lie about their permissions ∗∗∗ --------------------------------------------- Users have learned to review the list of permissions Chrome extensions require before installing them from the webstore. But whats the use if they lie to you? --------------------------------------------- https://blog.malwarebytes.com/puppum/2020/08/chrome-extensions-that-lie-abo… ∗∗∗ Vorsicht vor Handwerks-Notdiensten mit der Telefonnummer 06608643901! ∗∗∗ --------------------------------------------- Bei einem Wasserrohrbruch, einem Gasgebrechen oder bei einem Stromausfall, muss meist schnell eine Expertin oder ein Experte her. Für die Überprüfung eines Installations- oder Elektrik-Notdienstes bleibt da oft keine Zeit mehr. Das nützen unseriöse Unternehmen aus: Sie bieten online einen Notdienst an, kommen auch tatsächlich, aber stellen im Nachhinein viel zu überhöhte Kosten in Rechnung. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-handwerks-notdiensten-m… ∗∗∗ Mekotio: These aren’t the security updates you’re looking for… ∗∗∗ --------------------------------------------- Another in our occasional series demystifying Latin American banking trojans The post Mekotio: These aren’t the security updates you’re looking for… appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Microsofts Multi-Faktor-Authentifizierung umgangen ∗∗∗ --------------------------------------------- Eigentlich sollten Microsofts Onlinedienste mit Fido-Stick und PIN geschützt sein - doch zwei Entwickler konnten die PIN-Abfrage umgehen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-microsofts-multi-faktor-authent… ∗∗∗ Critical Vulnerabilities Patched in Quiz and Survey Master Plugin ∗∗∗ --------------------------------------------- On July 17, 2020, our Threat Intelligence team discovered two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin installed on over 30,000 sites. These flaws made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution, as well as delete arbitrary files like a site’s wp-config.php file [...] --------------------------------------------- https://www.wordfence.com/blog/2020/08/critical-vulnerabilities-patched-in-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime may affect Tivoli Netcool Performance Manager for Wireless,Oracle January 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: jackson-databind (Publicly disclosed vulnerability) found in Network Performance Insight (CVE-2020-8840) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jackson-databind-publicly… ∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by a International Components for Unicode (ICU) for C/C++ vulnerability (CVE-2020-10531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio July 2020 CPU plus deferred CVE-2019-2590 and CVE-2020-2601 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability exists in the Event Streams 10.0.0 schema registry that allows unauthorised access to create, edit and delete schemas (CVE-2020-4662) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4589) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Apache Struts: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0824 ∗∗∗ PostgreSQL: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0825 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.08.2020
by Daily end-of-shift report 13 Aug '20

13 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-08-2020 18:00 − Donnerstag 13-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Avaddon: The Latest RaaS (Ransomware-as-a-Service) to Jump on the Extortion Bandwagon ∗∗∗ --------------------------------------------- As of August 8th, Avaddon ransomware authors launched an extortion site in an effort to further incentivize victims to pay the ransom. Tarik Saleh dissects this ransomware, analyzes victimology, and provides more details on the extortion site. --------------------------------------------- https://www.domaintools.com/resources/blog/avaddon-the-latest-raas-to-jump-… ∗∗∗ MMS Exploit Part 5: Defeating Android ASLR, Getting RCE ∗∗∗ --------------------------------------------- Posted by Mateusz Jurczyk, Project Zero. This post is the fifth and final of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/08/mms-exploit-part-5-defeating… ∗∗∗ To the Brim at the Gates of Mordor Pt. 1, (Wed, Aug 12th) ∗∗∗ --------------------------------------------- Search & Analyze Mordor APT29 PCAPs with Brim --------------------------------------------- https://isc.sans.edu/diary/rss/26456 ∗∗∗ Color by numbers: inside a Dharma ransomware-as-a-service attack ∗∗∗ --------------------------------------------- Dharma, a family of ransomware first spotted in 2016, continues to be a threat to many organizations—especially small and medium-sized businesses. Part of the reason for its longevity is that its variants have become the basis for ransomware-as-a-service (RaaS) operations. --------------------------------------------- https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-r… ∗∗∗ Attribution: A Puzzle ∗∗∗ --------------------------------------------- The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Rarely does the evidence available to researchers reach a level of proof that would be acceptable in a court of law. Nevertheless, the private sector rises to the challenge to attempt to associate cyber attacks to threat actors using the intelligence available to them. --------------------------------------------- https://blog.talosintelligence.com/2020/08/attribution-puzzle.html ∗∗∗ Kriminelle versuchen durch seriöse Programme Schadsoftware zu verbreiten! ∗∗∗ --------------------------------------------- Die meisten Menschen vertrauen bekannten Softwareherstellerinnen und -herstellern, wenn diese eine App, ein Programm oder ein anderes Produkt aktualisieren oder ein neues Produkt auf den Markt bringen. Doch genau dieses Vertrauen nutzen Kriminelle bei sogenannten „Supply-Chain-Angriffen“ aus. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versuchen-durch-serioese-… ===================== = Vulnerabilities = ===================== ∗∗∗ Amazon: Sicherheitslücke konnte Alexa-Sprachbefehle verraten ∗∗∗ --------------------------------------------- Mit einem präparierten Link konnte eine Sicherheitslücke in Amazons Infrastruktur ausgenutzt und auf fremde Alexa-Daten zugegriffen werden. --------------------------------------------- https://www.golem.de/news/amazon-sicherheitsluecke-konnte-alexa-sprachbefeh… ∗∗∗ Cybercriminals Are Infiltrating Netgear Routers with Ancient Attack Methods ∗∗∗ --------------------------------------------- It would be heartening to think that cybersecurity has advanced since the 1990s, but some things never change. Vulnerabilities that some of us first saw in 1996 are still with us. --------------------------------------------- https://www.tripwire.com/state-of-security/featured/cybercriminals-infiltra… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot and roundcube), Fedora (python36), Gentoo (chromium), openSUSE (ark, firefox, go1.13, java-11-openjdk, libX11, wireshark, and xen), Red Hat (bind and kernel), SUSE (libreoffice and python36), and Ubuntu (dovecot and software-properties). --------------------------------------------- https://lwn.net/Articles/828683/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-4.19, linux-latest-4.19, and openjdk-8) and Fedora (ark and hylafax+). --------------------------------------------- https://lwn.net/Articles/828744/ ∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-… ∗∗∗ Security Advisory - Code Execution Vulnerability in Fastjson Affect Several Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-… ∗∗∗ Security Bulletin: Db2 vulnerabilities affect IBM Spectrum Protect Server (CVE-2020-4230, CVE-2020-4135, CVE-2020-4204, CVE-2020-4200) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-db2-vulnerabilities-affec… ∗∗∗ Security Bulletin: Security vulnerability has been identified in BigFix Platform shipped with IBM License Metric Tool. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2020-9327) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2020-11655, CVE-2020-11656) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: Apache-Log4j (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-publicly-dis… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Server (CVE-2020-2593, CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to path traversal (CVE-2019-4582) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center and Client Management Service (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Faster-XML jackson databind affects IBM Operations Analytics Predictive Insights (CVE-2019-144892, CVE-2019-144893) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-faster… ∗∗∗ Sophos XG Firewall: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0823 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.08.2020
by Daily end-of-shift report 12 Aug '20

12 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-08-2020 18:00 − Mittwoch 12-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ CEO Fraud via WhatsApp und Sprachnachrichten ∗∗∗ --------------------------------------------- CEO Fraud läuft in den meisten bekannten Fällen via E-Mail ab: Kriminelle geben sich gegenüber MitarbeiterInnen mit Überweisungsrecht als CEO/CFO/etc. aus und verlangen, dass unverzüglich und ohne Rücksprache mit anderen eine hohe Summe auf ein Bankkonto (vorzugsweise im Ausland) transferiert werden muss, um einen extrem wichtigen Deal zu fixieren. --------------------------------------------- https://cert.at/de/aktuelles/2020/8/ceo-fraud-via-whatsapp-und-sprachnachri… ∗∗∗ Mobilfunk: LTE-Anrufe ließen sich trotz Verschlüsselung abhören ∗∗∗ --------------------------------------------- Je länger das Opfer in der Leitung bleibt, desto mehr lässt sich von vorherigen Gesprächen rekonstruieren. --------------------------------------------- https://www.golem.de/news/mobilfunk-lte-anrufe-liessen-sich-trotz-verschlue… ∗∗∗ Code Injection Schwachstelle in SAP Application Server ABAP – Solution Tools Plugin ST-PI ∗∗∗ --------------------------------------------- SAP ist einer der größten Anbieter für Unternehmenssoftware weltweit. Schwere Sicherheitslücken in SAP Produkten könnten sich gravierend auf die Sicherheit von Unternehmens-IT-Infrastrukturen auswirken. --------------------------------------------- https://sec-consult.com/blog/2020/08/code-injection-schwachstelle-in-sap-ap… ∗∗∗ FIDO2 for Microsoft Online Accounts / Azure AD ∗∗∗ --------------------------------------------- Nowadays a secure password doesnt necessarily mean your account is safe. --------------------------------------------- https://sec-consult.com/en/blog/2020/08/fido2-for-microsoft-online-accounts… ∗∗∗ Hunting for SQL injections (SQLis) and Cross-Site Request Forgeries (CSRFs) in WordPress Plugins ∗∗∗ --------------------------------------------- This is a detailed overview of the bugs found while reviewing the source code of WordPress plugins. I cover 3 reported vulnerabilities (CVE-2020–5766, CVE-2020–5767 and CVE-2020–5768) which can be exploited for information disclosure and sending forged emails. --------------------------------------------- https://medium.com/tenable-techblog/hunting-for-sql-injections-sqlis-and-cr… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Microsoft schließt aktiv ausgenutzte Windows- und Browser-Lücken ∗∗∗ --------------------------------------------- Zum Patch Tuesday hat Microsoft unter anderem zwei kritische Sicherheitslücken geschlossen, die bereits für Angriffe missbraucht wurden. --------------------------------------------- https://heise.de/-4868224 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firmware-nonfree, golang-github-seccomp-libseccomp-golang, and ruby-kramdown), Fedora (kernel, libmetalink, and nodejs), openSUSE (go1.13, perl-XML-Twig, and thunderbird), Oracle (kernel, libvncserver, and thunderbird), Red Hat (kernel-rt and python-paunch and openstack-tripleo-heat-templates), SUSE (dpdk, google-compute-engine, libX11, webkit2gtk3, xen, and xorg-x11-libX11), and Ubuntu (nss and samba). --------------------------------------------- https://lwn.net/Articles/828554/ ∗∗∗ QNX-2020-001 Vulnerability in slinger web server Impacts BlackBerry QNX Software Development Platform ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-… ∗∗∗ Security Advisory - Improper Interface Design Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-… ∗∗∗ Security Advisory - Command Injection Vulnerability in FusionCompute ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200812-… ∗∗∗ Security Bulletin: Java vulnerabilities affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerabilities-affe… ∗∗∗ Security Bulletin: A vulnerability in jQuery affects IBM WIoTP MessageGateway (CVE-2020-7656) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jquery… ∗∗∗ Security Bulletin: IBM i2 Analysts' Notebook and IBM i2 Analysts' Notebook Premium Memory vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: OpenSLP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openslp-vulnerability-aff… ∗∗∗ Security Bulletin: Incorrect permissions on IBM Spectrum Protect Plus agent files (CVE-2020-4631) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Camel's JMX, Apache Camel RabbitMQ and Apache Camel Netty affects IBM Operations Analytics Predictive Insights (CVE-2020-11971, CVE-2020-11972, CVE-2020-11973) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in jQuery affect IBM WIoTP MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Network Security (NSS) vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-network-security-nss-vuln… ∗∗∗ Security Bulletin: Vulnerabilities in Netty affect IBM Netcool Agile Service Manager (CVE-2020-7238) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-netty-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in jQuery affect IBM WIoTP MessageGateway (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ IPAS: Security Advisories for August 2020 ∗∗∗ --------------------------------------------- https://blogs.intel.com/technology/2020/08/ipas-security-advisories-for-aug… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2020
by Daily end-of-shift report 11 Aug '20

11 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Montag 10-08-2020 18:00 − Dienstag 11-08-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Upgraded Agent Tesla malware steals passwords from browsers, VPNs ∗∗∗ --------------------------------------------- New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. --------------------------------------------- https://www.bleepingcomputer.com/news/security/upgraded-agent-tesla-malware… ∗∗∗ SBA phishing scams: from malware to advanced social engineering ∗∗∗ --------------------------------------------- SBA loan scams continue to make the rounds targeting small business owners, CEOS, and CFOs. --------------------------------------------- https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware… ∗∗∗ Script-Based Malware: A New Attacker Trend on Internet Explorer ∗∗∗ --------------------------------------------- Script-based malware can be appealing for attackers who want the ability to quickly and easily develop new variants to evade detection. --------------------------------------------- https://unit42.paloaltonetworks.com/script-based-malware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Acrobat and Reader (APSB20-48) and Adobe Lightroom (APSB20-51). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1908 ∗∗∗ vBulletin fixes ridiculously easy to exploit zero-day RCE bug ∗∗∗ --------------------------------------------- A simple one-line exploit has been published for a zero-day pre-authentication remote code execution (RCE) vulnerability in the vBulletin forum software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vbulletin-fixes-ridiculously… ∗∗∗ Kritische Updates für Citrix Endpoint Management ∗∗∗ --------------------------------------------- Insgesamt 5 Lücken schließt Citrix; wer eine eigene Installation betreibt, sollte schnell patchen. --------------------------------------------- https://heise.de/-4867952 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pillow, ruby-kramdown, wpa, and xrdp), Fedora (ark and rpki-client), Gentoo (apache, ark, global, gthumb, and iproute2), openSUSE (chromium, grub2, java-11-openjdk, libX11, and opera), Red Hat (bind, chromium-browser, java-1.7.1-ibm, java-1.8.0-ibm, and libvncserver), SUSE (LibVNCServer, perl-XML-Twig, thunderbird, and xen), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/828476/ ∗∗∗ iCloud for Windows 11.3 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211294 ∗∗∗ iCloud for Windows 7.20 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211295 ∗∗∗ SSA-809841: Buffer Overflow Vulnerability in Third-Party Component pppd ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-809841.txt ∗∗∗ SSA-786743: Code Injection Vulnerability in Advanced Reporting for Desigo CC and ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-786743.txt ∗∗∗ SSA-712518: Information Disclosure Vulnerability (Kr00k) in Industrial Wi-Fi ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-712518.txt ∗∗∗ SSA-388646: Local Privilege Escalation in Automation License Manager ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-388646.txt ∗∗∗ SSA-370042: Cross-Site-Scripting (XSS) in SICAM A8000 RTUs ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-370042.txt ∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Java vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in OpenSSL package ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Bind affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: JQuery as used by IBM QRadar Network Packet Capture is vulnerable to Cross Site Scripting (XSS) (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jquery-as-used-by-ibm-qra… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM Event Streams is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by a Java vulnerability (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: Information disclosure in WebSphere Liberty (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Libreswan affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ SAP Patchday August 2020 ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0800 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2020
by Daily end-of-shift report 10 Aug '20

10 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-08-2020 18:00 − Montag 10-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ DDoS attacks in Q2 2020 ∗∗∗ --------------------------------------------- The second quarter is normally calmer than the first, but this year is an exception. The long-term downward trend in DDoS-attacks has unfortunately been interrupted, and this time we are witnessing an increase. --------------------------------------------- https://securelist.com/ddos-attacks-in-q2-2020/98077/ ∗∗∗ Scanning Activity Include Netcat Listener, (Sat, Aug 8th) ∗∗∗ --------------------------------------------- This activity started on the 5 July 2020 and has been active to this day only scanning against TCP port 81. The GET command is always the same except for the Netcat IP which has changed a few times since it started. If you have a webserver or a honeypot listening on TCP 81, this activity might be contained in your logs. --------------------------------------------- https://isc.sans.edu/diary/rss/26442 ∗∗∗ Scoping web application and web service penetration tests, (Mon, Aug 10th) ∗∗∗ --------------------------------------------- Before starting any penetration test, the most important part is to correctly scope it - this will ensure that both the clients expectations are fulfilled and that enough time is allocated to make sure that the penetration test is correctly performed. --------------------------------------------- https://isc.sans.edu/diary/rss/26448 ∗∗∗ Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts ∗∗∗ --------------------------------------------- A series of ongoing business email compromise (BEC) campaigns that uses spear-phishing schemes on Office 365 accounts has been seen targeting business executives of over 1,000 companies across the world since March 2020. The recent campaigns target senior positions in the United States and Canada. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campa… ∗∗∗ DEF CON 28: Introduction to ACARS ∗∗∗ --------------------------------------------- This post is a companion to the DEF CON 28 video available here: https://www.youtube.com/watch?v=NFS6qNAi0B8 What is ACARS? ACARS (Aircraft Communications Addressing and Reporting System, pronounced ‘ay-cars’) [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/introduction-to-acars/ ∗∗∗ Small and medium‑sized businesses: Big targets for ransomware attacks ∗∗∗ --------------------------------------------- Why are SMBs a target for ransomware-wielding gangs and what can they do to protect themselves against cyber-extortion? --------------------------------------------- https://www.welivesecurity.com/2020/08/07/small-medium-sized-businesses-big… ===================== = Vulnerabilities = ===================== ∗∗∗ Researcher Demonstrates Several Zoom Vulnerabilities at DEF CON 28 ∗∗∗ --------------------------------------------- Popular video conferencing app Zoom has addressed several security vulnerabilities, two of which affect its Linux client that could have allowed an attacker with access to a compromised system to read and exfiltrate Zoom user data—and even run stealthy malware as a sub-process of a trusted application. --------------------------------------------- https://thehackernews.com/2020/08/zoom-software-vulnerabilities.html ∗∗∗ TeamViewer: Fernwartungstool wies gefährliche Schwachstelle auf ∗∗∗ --------------------------------------------- Wer TeamViewer unter Windows länger nicht aktualisiert hat, sollte dies zügig nachholen: Eine Schwachstelle erlaubt(e) unter Umständen unbefugte Fernzugriffe. --------------------------------------------- https://heise.de/-4866337 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, java-1.8.0-openjdk, java-11-openjdk, libvncserver, postgresql-jdbc, and thunderbird), Debian (firejail and gupnp), Fedora (cutter-re, postgresql-jdbc, radare2, and webkit2gtk3), openSUSE (chromium, firefox, kernel, and python-rtslib-fb), Oracle (container-tools:ol8, kernel, and nss and nspr), Scientific Linux (thunderbird), and SUSE (firefox, kernel, postgresql10 and postgresql12, python-ipaddress, and xen). --------------------------------------------- https://lwn.net/Articles/828309/ ∗∗∗ Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2020-4541) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: Financial Transaction Manager for Check Services is affected by a potential information disclosure id 177835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2020 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerability affects the Lifecycle Query Engine that is shipped with Jazz Reporting Service (CVE-2020-4533) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential information disclosure id 177835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Check Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Security vulnerability affects the Lifecycle Query Engine that is shipped with Jazz Reporting Service (CVE-2020-4539) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: Version 10.19.0 of Node.js included in IBM Netcool Operations Insight 1.6.0.x has several security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-version-10-19-0-of-node-j… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily