- Daily - CERT.at

Tageszusammenfassung - 20.04.2020
by Daily end-of-shift report 20 Apr '20

20 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-04-2020 18:00 − Montag 20-04-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft helped stop a botnet controlled via an LED light console ∗∗∗ --------------------------------------------- Microsoft says that its Digital Crimes Unit (DCU) discovered and helped take down a botnet of 400,000 compromised devices controlled with the help of an LED light control console. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-helped-stop-a-botn… ∗∗∗ KPOT Analysis: Obtaining the Decrypted KPOT EXE, (Sun, Apr 19th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/26014 ∗∗∗ KPOT AutoIt Script: Analysis, (Mon, Apr 20th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/26012 ∗∗∗ Finding Zoom Meeting Details in the Wild ∗∗∗ --------------------------------------------- The popular web conference platform Zoom has been in the storm for a few weeks. With the COVID19 pandemic, more and more people are working from home and the demand for web conference tools has been growing. --------------------------------------------- https://blog.rootshell.be/2020/04/18/finding-zoom-meeting-details-in-the-wi… ∗∗∗ Clipboard hijacking malware found in 725 Ruby libraries ∗∗∗ --------------------------------------------- Security researchers from ReversingLabs say theyve discovered 725 Ruby libraries uploaded on the official RubyGems repository that contained malware meant to hijack users clipboards. The malicious packages were uploaded on RubyGems between February 16 and 25 by two accounts [...] --------------------------------------------- https://www.zdnet.com/article/clipboard-hijacking-malware-found-in-725-ruby… ∗∗∗ PayPal über Google Pay: Lücke von Februar anscheinend klammheimlich behoben ∗∗∗ --------------------------------------------- Die Lücke, die unautorisierte PayPal-Abbuchungen via Google Pay erlaubte, wurde anscheinend – erst kürzlich – von PayPal gefixt. --------------------------------------------- https://heise.de/-4704339 ∗∗∗ Warten auf Patches: Schwachstellen in Nagios XI gefährden Netzwerke ∗∗∗ --------------------------------------------- Die Monitoring-Software für komplexe IT-Infrastrukturen Nagios XI ist verwundbar. Abhilfe gibt es noch nicht. --------------------------------------------- https://heise.de/-4704444 ∗∗∗ Several Botnets Using Zero-Day Vulnerability to Target Fiber Routers ∗∗∗ --------------------------------------------- Multiple botnets are targeting a zero-day vulnerability in fiber routers in an attempt to ensnare them and leverage their power for malicious purposes, security researchers warn. --------------------------------------------- https://www.securityweek.com/several-botnets-using-zero-day-vulnerability-t… ∗∗∗ In eigener Sache: CERT.at/nic.at sucht Verstärkung (Research Engineer Internet, Vollzeit) ∗∗∗ --------------------------------------------- Unser Research- & Developmentteam sucht für ein Projekt mit CERT.at und Security-Bezug eine/n Research Engineer (m/w, Vollzeit mit 38,5 Stunden) zum ehestmöglichen Einstieg. Dienstort ist Wien. Details finden sich auf der nic.at Jobs-Seite. --------------------------------------------- https://cert.at/de/blog/2020/4/in-eigener-sache-certatnicat-sucht-verstarku… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2019-9506 Encryption Key Negotiation of Bluetooth Vulnerability ∗∗∗ --------------------------------------------- The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-224 ∗∗∗ Kritische Sicherheitslücke in mehreren Xilinx-FPGAs ∗∗∗ --------------------------------------------- Bei Xilinx-FPGAs der Serie 7 (Spartan-7, Artix-7, Kintex-7, Virtex-7) und Virtex-6 lässt sich die Verschlüsselung der Bitstream-Konfigurationsdaten aushebeln. --------------------------------------------- https://heise.de/-4706002 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (openvpn), Debian (awl, file-roller, jackson-databind, and shiro), Fedora (chromium, git, and libssh), Mageia (php, python-bleach, and webkit2), openSUSE (chromium, gstreamer-rtsp-server, and mp3gain), Oracle (thunderbird and tigervnc), SUSE (thunderbird), and Ubuntu (file-roller and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/817987/ ∗∗∗ Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020040108 ∗∗∗ Toshiba Electronic Devices & Storage software registers unquoted service paths ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN13467854/ ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server shipped with Jazz for Service Management (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Nimbus-JOSE-JWT affect IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0347 ∗∗∗ Citrix Hypervisor Multiple Security Updates ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX270837 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2020
by Daily end-of-shift report 17 Apr '20

17 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-04-2020 18:00 − Freitag 17-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fehlerhaftes Update legt Virenschutz in Windows 10 lahm ∗∗∗ --------------------------------------------- Die MS-Virenwächter fielen nach einem Update aus. Die betroffenen Programme können manuell aktualisiert werden. --------------------------------------------- https://futurezone.at/produkte/fehlerhaftes-update-legt-virenschutz-in-wind… ∗∗∗ Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th) ∗∗∗ --------------------------------------------- STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run. --------------------------------------------- https://isc.sans.edu/diary/rss/26032 ∗∗∗ Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th) ∗∗∗ --------------------------------------------- Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur in those days, it is related to the COVID19 pandemic. Its purpose of simple: It checks if Outlook is used by the victim and, if it's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it. --------------------------------------------- https://isc.sans.edu/diary/rss/26030 ∗∗∗ Excel Malspam: Password Protected ... Not! ∗∗∗ --------------------------------------------- Early March of this year, we blogged about multiple malspam campaigns utilizing Excel 4.0 Macros in .xls 97-2003 binary format. In this blog, we will present one more Excel 4.0 Macro spam campaign in the same format crafted with another old MS Excel feature to evade detection. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/excel-malsp… ∗∗∗ Web Skimmer with a Domain Name Generator ∗∗∗ --------------------------------------------- Our security analyst Moe Obaid recently found yet another variation of a web skimmer script injected into a Magento database. The malicious script loads the credit card stealing code from qr201346[.]pw and sends the stolen details to hxxps://gooogletagmanager[.]online/get.php. This approach is pretty typical for skimmers. However, we noticed one interesting feature of the script — instead of using one predefined domain, it generates domain names based on the current date. --------------------------------------------- https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.ht… ∗∗∗ Continued Threat Actor Exploitation Post Pulse Secure VPN Patching ∗∗∗ --------------------------------------------- [...] This Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/aa20-107a ∗∗∗ Sophos zieht problematisches Firmware-Update 9.703 für UTM zurück ∗∗∗ --------------------------------------------- Achtung, nicht installieren: Das Firmware-Update 9.703 für Sophos UTM-Appliances wurde vom Hersteller wegen gravierender Probleme wieder zurückgezogen. --------------------------------------------- https://heise.de/-4704634 ∗∗∗ New AgentTesla variant steals WiFi credentials ∗∗∗ --------------------------------------------- The popular infostealer AgentTesla recently added a new feature that can steal WiFi usernames and passwords, which can potentially be used to spread the malware. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-varian… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Update for Xcode ∗∗∗ --------------------------------------------- Apple has released a security update to address vulnerabilities in Xcode. A remote attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for Xcode 11.4.1 and apply the necessary update. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/04/17/apple-releases-sec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache and chromium), Debian (webkit2gtk), Fedora (firefox, nss, and thunderbird), Mageia (chromium-browser-stable and git), openSUSE (gnuhealth), Oracle (thunderbird), Red Hat (kernel-alt, thunderbird, and tigervnc), Scientific Linux (thunderbird), Slackware (openvpn), and SUSE (freeradius-server and libqt4). --------------------------------------------- https://lwn.net/Articles/817720/ ∗∗∗ Foxit Reader und Foxit Phantom PDF Suite: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0344 ∗∗∗ Security Bulletin: IBM TRIRIGA Application Platform discloses error messages that could aid an attacker formulate future attacks (CVE-2020-4277) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-application-p… ∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-j… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server and Liberty affects IBM Cloud App Management (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Insecure Permissions (CVE-2019-4446) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct FTP+ ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-j… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4749) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4644) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2020
by Daily end-of-shift report 16 Apr '20

16 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-04-2020 18:00 − Donnerstag 16-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Polizei warnt vor Fake-Mail von Gesundheitsministerium ∗∗∗ --------------------------------------------- Das gefälschte E-Mail enthält einen Trojaner, der die Daten am Computer verschlüsselt und Lösegeld fordert. --------------------------------------------- https://futurezone.at/digital-life/polizei-warnt-vor-fake-mail-von-gesundhe… ∗∗∗ Sicherheitsupdates: Root-Lücken gefährden IP-Telefone von Cisco ∗∗∗ --------------------------------------------- Verschiedene Produkte des Netzwerkausrüsters Cisco sind verwundbar. Mehrere Lücken gelten als "kritisch". --------------------------------------------- https://heise.de/-4703471 ===================== = Vulnerabilities = ===================== ∗∗∗ JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010 ∗∗∗ --------------------------------------------- Project: JSON:API Version: 8.x-1.26 Date: 2020-April-15 Security risk: Critical 15∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All Vulnerability: Unsupported Description: This module provides a JSON API standards-compliant API for accessing andmanipulating Drupal content and configuration entities. The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are strongly encouraged to upgrade [...] --------------------------------------------- https://www.drupal.org/sa-contrib-2020-010 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (git), Fedora (cacti, cacti-spine, chromium, golang-github-buger-jsonparser, kernel, kernel-headers, and kernel-tools), openSUSE (ansible, git, and mp3gain), Oracle (container-tools:ol8, nodejs:10, and virt:ol), Red Hat (chromium-browser, ipmitool, and thunderbird), Slackware (bind), SUSE (quartz), and Ubuntu (php5, php7.0, php7.2, php7.3). --------------------------------------------- https://lwn.net/Articles/817649/ ∗∗∗ CA API Developer Portal 4.2.x / 4.3.1 Access Bypass / Privilege Escalation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020040090 ∗∗∗ Cisco IP Phones Web Application Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wireless LAN Controller 802.11 Generic Advertisement Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wireless LAN Controller CAPWAP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Mobility Express Software Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Aironet Series Access Points Client Packet Processing Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack due to an error in the Channel processing function. (CVE-2019-4762) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server may be vulnerable to attacks based on privilege escalation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM MQ and IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2020-4338) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-ibm-mq-applian… ∗∗∗ Security Bulletin: CVE-2020-4260 Secure properties can be revealed using a generic process ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4260-secure-prop… ∗∗∗ Security Bulletin: OpenSSL Vulnerability Affects IBM Sterling Connect:Express for UNIX (CVE-2019-1551) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-aff… ∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability within cURL libcurl (CVE-2019-15601) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v… ∗∗∗ Security Bulletin: Multiple Apache CXF vulnerabilities identified in IBM Tivoli Application Dependency Discovery Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-apache-cxf-vulne… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2020
by Daily end-of-shift report 15 Apr '20

15 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-04-2020 18:00 − Mittwoch 15-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Microsoft schließt über 100 Lücken, drei Windows-Lücken unter Beschuss ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schützen Windows & Co. 17 Schwachstellen sind mit dem Angriffsrisiko "kritisch" eingestuft. --------------------------------------------- https://heise.de/-4702540 ∗∗∗ Sicherheitswarnungen für Git und GitHub ∗∗∗ --------------------------------------------- Eine Schwachstelle in Git ermöglicht das Umleiten von Credentials, und GitHub warnt vor einer Welle von Phishing-Mails. --------------------------------------------- https://heise.de/-4702519 ∗∗∗ Medikamente sicher und legal online kaufen ∗∗∗ --------------------------------------------- Apotheken sind in Österreich trotz Corona-Krise geöffnet. Dennoch wollen Menschen die Ansteckungsgefahr in den Apotheken vermeiden und kaufen rezeptfreie Medikamente online. Es gibt jedoch zahlreiche Fake-Apotheken im Internet, die mit scheinbar rezeptfreien Medikamenten werben. Mit dem EU-Sicherheitslogo erkennen Sie legale Apotheken und können Medikamente ohne Risiko legal online kaufen. --------------------------------------------- https://www.watchlist-internet.at/news/medikamente-sicher-und-legal-online-… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Office April security updates fix critical RCE bugs ∗∗∗ --------------------------------------------- Microsoft released the April 2020 Office security updates on April 14, 2020, with a total of 55 security updates and 5 cumulative updates for 7 different products, and patching 5 critical bugs allowing attackers to run scripts as the current user and remotely execute arbitrary code on unpatched systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-office-april-secur… ∗∗∗ Eaton HMiSoft VU3 ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow and out-of-bounds read vulnerabilities in Eatons HMiSoft VU3 human-machine interface (HMI). --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-105-01 ∗∗∗ Triangle MicroWorks DNP3 Outstation Libraries ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in Triangle MicroWorks DNP3 components and source code libraries. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-105-02 ∗∗∗ Triangle MicroWorks SCADA Data Gateway ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow, out-of-bounds read, and type confusion vulnerabilities in the Triangle MicroWorks SCADA Data Gateway. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-105-03 ∗∗∗ VMSA-2020-0007 ∗∗∗ --------------------------------------------- VMware vRealize Log Insight addresses Cross Site Scripting (XSS) and Open Redirect vulnerabilities (CVE-2020-3953, CVE-2020-3954) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0007.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git, graphicsmagick, php-horde-data, and php-horde-trean), Mageia (apache, gnutls, golang, krb5-appl, libssh, libvncserver, mediawiki, thunderbird, tor, and wireshark), openSUSE (chromium, nagios, and thunderbird), Oracle (kernel and krb5-appl), Red Hat (elfutils, kernel, nss-softokn, ntp, procps-ng, and python), Scientific Linux (firefox), Slackware (git), SUSE (git and ruby2.5), and Ubuntu (git). --------------------------------------------- https://lwn.net/Articles/817565/ ∗∗∗ IPAS: Security Advisories for April 2020 ∗∗∗ --------------------------------------------- Hello, Today, in addition to the 6 security advisories we are releasing, we want to call your attention to a new whitepaper we have just published addressing CVE-2019-0090, a vulnerability in the Intel® Converged Security Management Engine (CSME) that we first disclosed in May of last year. You can read the whitepaper HERE. --------------------------------------------- https://blogs.intel.com/technology/2020/04/ipas-security-advisories-for-apr… ∗∗∗ BSRT-2020-001 Local File Inclusion Vulnerability in Apache Tomcat Impacts BlackBerry Workspaces Server and BlackBerry Good Control ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Advisory - Denial of Service Vulnerability on Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-… ∗∗∗ Security Advisory - Out of Bounds Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2020-4270) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Websphere Application Server affects the IBM Performance Management product (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability in jQuery affects the IBM Performance Management product (CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jquery… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to PHP object injection (CVE-2020-4271) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure (CVE-2019-4593) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to instantiation of arbitrary objects (CVE-2020-4272) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Server-Side Request Forgery (SSRF) (CVE-2020-4294) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Überschreiben von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0325 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2020
by Daily end-of-shift report 14 Apr '20

14 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-04-2020 18:00 − Dienstag 14-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Think Fast: Time Between Disclosure, Patch Release and VulnerabilityExploitation — Intelligence for Vulnerability Management, Part Two ∗∗∗ --------------------------------------------- One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/04/time-between-disclosure… ∗∗∗ WhatsApp-Nachricht: Billa verlost keinen 250 € Gutschein ∗∗∗ --------------------------------------------- Sie haben von einem WhatsApp-Kontakt einen Link zu einem Billa-Gutschein erhalten und fragen sich was dahintersteckt? Die Watchlist Internet hat sich diesen sogenannten Kettenbrief näher angesehen! Unser Fazit: Sie erhalten weder einen Gutschein, noch stammt diese Verlosung von Billa. --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-nachricht-billa-verlost-kei… ∗∗∗ APT41 Using New Speculoos Backdoor to Target Organizations Globally ∗∗∗ --------------------------------------------- Unit 42 identifies new payload, named Speculoos, exploiting CVE-2019-19781 to target organizations around the world, including state government in the United States. --------------------------------------------- https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-t… ∗∗∗ Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns ∗∗∗ --------------------------------------------- New research shows COVID-19 themed phishing campaigns are targeting healthcare organizations and medical research facilities around the world. --------------------------------------------- https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-go… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe ColdFusion (APSB20-18), Adobe After Effects (APSB20-21) and Adobe Digital Editions (APSB20-23). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1859 ∗∗∗ Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update ∗∗∗ --------------------------------------------- Oracle will detail 405 new security vulnerabilities Tuesday, part of its quarterly Critical Patch Update Advisory. --------------------------------------------- https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-up… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (haproxy), Gentoo (chromium and libssh), openSUSE (ansible, chromium, gmp, gnutls, libnettle, libssh, mgetty, nagios, permissions, and python-PyYAML), and Oracle (firefox, kernel, qemu-kvm, and telnet). --------------------------------------------- https://lwn.net/Articles/817399/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (thunderbird), Debian (thunderbird), Fedora (drupal7-ckeditor, nrpe, and php-robrichards-xmlseclibs1), Red Hat (firefox and kernel), SUSE (quartz), and Ubuntu (thunderbird). --------------------------------------------- https://lwn.net/Articles/817471/ ∗∗∗ SSA-102233: SegmentSmack in VxWorks-based Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-102233.txt ∗∗∗ SSA-162506: DHCP Client Vulnerability in SIMOTICS CONNECT 400, Desigo PXC/PXM, APOGEE MEC/MBC/PXC, APOGEE PXC Series, and TALON TC Series ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-162506.txt ∗∗∗ SSA-359303: Debug Port in TIM 3V-IE and 4R-IE Family Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-359303.txt ∗∗∗ SSA-377115: SegmentSmack in Linux IP-Stack based Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-377115.txt ∗∗∗ SSA-593272: SegmentSmack in Interniche IP-Stack based Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-593272.txt ∗∗∗ SSA-886514: Persistent XSS Vulnerabilities in the Web Interface of Climatix POL908 and POL909 Modules ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-886514.txt ∗∗∗ Security Bulletin: A vulnerability in IBM Java affect IBM Decision Optimization Center (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Services v2.1.1 (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10209, 10211, 10210, 10208) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie… ∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10164) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie… ∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie… ∗∗∗ XSA-318 - Bad continuation handling in GNTTABOP_copy ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-318.html ∗∗∗ XSA-316 - Bad error path in GNTTABOP_map_grant ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-316.html ∗∗∗ XSA-314 - Missing memory barriers in read-write unlock paths ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-314.html ∗∗∗ XSA-313 - multiple xenoprof issues ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-313.html ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0303 ∗∗∗ SAP Patchday April 2020 ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0300 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2020
by Daily end-of-shift report 10 Apr '20

10 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-04-2020 18:00 − Freitag 10-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ DNS: Gehackte Router zeigen Coronavirus-Warnung mit Schadsoftware ∗∗∗ --------------------------------------------- Gehackte Router leiten bekannte Domains auf eine gefälschte Warnung der WHO um und versuchen, ihren Opfern eine Schadsoftware unterzujubeln. --------------------------------------------- https://www.golem.de/news/dns-gehackte-router-zeigen-coronavirus-warnung-mi… ∗∗∗ Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th) ∗∗∗ --------------------------------------------- How can you know which operating system is running on a specific remote host? The technique to answer this question corresponds to the fingerprinting of the operating system and is executed by sending a specific set of packages to the remote host and see how it behaves. Each operating system responds differently, which allows it to be identified. --------------------------------------------- https://isc.sans.edu/diary/rss/25960 ∗∗∗ PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th) ∗∗∗ --------------------------------------------- Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of Powershell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified. --------------------------------------------- https://isc.sans.edu/diary/rss/26004 ∗∗∗ Analysis of a WordPress Credit Card Swiper ∗∗∗ --------------------------------------------- While working on a recent case, I found something on a WordPress website that is not as common as on Magento environments: A credit card swiper injection. Typically this type of malware targets dedicated ecommerce platforms such as Magento and Prestashop (due to their focus in handling payment information, which we have documented extensively in the past). With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing [...] --------------------------------------------- https://blog.sucuri.net/2020/04/analysis-of-a-wordpress-credit-card-swiper.… ∗∗∗ Sophos Releases Sandboxie in Open Source ∗∗∗ --------------------------------------------- Sophos this week announced that the source code of isolation tool Sandboxie is now publicly available. --------------------------------------------- https://www.securityweek.com/sophos-releases-sandboxie-open-source ∗∗∗ Gefälschte Mails von Sebastian Kurz im Umlauf ∗∗∗ --------------------------------------------- Viele Menschen benötigen derzeit aufgrund geschlossener Betriebe oder fehlender Aufträge finanzielle Unterstützung. Kriminelle nützen diese Ausnahmesituation aus und verschicken E-Mails im Namen von Sebastian Kurz, in denen sie rasche Soforthilfe anbieten. Der Link in diesen E-Mails führt jedoch zu einer unseriösen Trading-Plattform, bei der den Internet-NutzerInnen durch das Investment in Bitcoins schnelles Geld versprochen wird. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-mails-von-sebastian-kurz… ∗∗∗ CVE-2020-0688: Verwundbare Microsoft Exchange Server in Österreich ∗∗∗ --------------------------------------------- Mit CVE-2020-0688 wurde im Februar eine Lücke in Microsoft Exchange Servern gepatched, die AngreiferInnen ermöglicht, beliebigen Code über das Netzwerk auszuführen -- und das mit NT Authority\SYSTEM also der Windows-Entsprechung von root. Für eine erfolgreiche Attacke werden zwar gültige Zugangsdaten für einen Mailaccount benötigt, da es bei CVE-2020-0688 aber auch zu einer Privilegieneskaltion kommt, können diese auch unpriviligiert sein. --------------------------------------------- https://cert.at/de/blog/2020/4/cve-2020-0688-verwundbare-microsoft-exchange… ===================== = Vulnerabilities = ===================== ∗∗∗ Rockwell Automation RSLinx Classic ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in the Rockwell Automation RSLinx Classic PLC communications software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-100-01 ∗∗∗ VMSA-2020-0006 ∗∗∗ --------------------------------------------- VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0006.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, haproxy, libssh, and wireshark-cli), Fedora (firefox, glibc, nss, and rubygem-puma), openSUSE (ceph, exim, firefox, and gnuhealth), Oracle (firefox, kernel, and qemu-kvm), and SUSE (djvulibre and firefox). --------------------------------------------- https://lwn.net/Articles/817233/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Possible remote code execution vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-possible-remote-code-exec… ∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2020
by Daily end-of-shift report 09 Apr '20

09 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-04-2020 18:00 − Donnerstag 09-04-2020 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Visa urges merchants to migrate e-commerce sites to Magento 2.x ∗∗∗ --------------------------------------------- Payments processor Visa is urging merchants to migrate their online stores to Magento 2.x before the Magento 1.x e-commerce platform reaches end-of-life (EoL) in June 2020 to avoid exposing their stores to Magecart attacks and to remain PCI compliant. --------------------------------------------- https://www.bleepingcomputer.com/news/security/visa-urges-merchants-to-migr… ∗∗∗ Data Center Migration Deadline Extended Due To COVID-19 ∗∗∗ --------------------------------------------- The original deadline for Shadowserver to move our data center has been extended from May 26th to August 31st 2020, due to the worsening COVID-19 pandemic and Silicon Valley Shelter in Place lockdowns. This extension provides us with some much needed additional time to continue raising funding for our 2020 operations, such as the recently received donation from cryptocurrency exchange BitMEX. --------------------------------------------- https://www.shadowserver.org/news/data-center-migration-deadline-extended-d… ∗∗∗ BGP Hijacking and BGP Security ∗∗∗ --------------------------------------------- BGP Hijacking is a long-standing problem and is a constant possibility in today’s BGP environment. These news stories will continue for some time to come, but there are things the community can do to limit the impact of these events. --------------------------------------------- https://blog.team-cymru.com/2020/04/08/bgp-hijacking-and-bgp-security/ ∗∗∗ Viele Meldungen zu mimty.de und evenlife.de ∗∗∗ --------------------------------------------- Egal ob Atemschutzmasken, Desinfektionsmittel oder Schutzausrüstung - auf mimty.de und evenlife.de finden Sie Produkte, die momentan äußerst schwer zu bekommen sind. Zahlreiche InternetuserInnen melden diese Online-Shops jedoch an die Watchlist Internet und klagen über ausbleibende Lieferungen. Auch auf Bewertungsportalen wird den beiden Shops kein gutes Zeugnis ausgestellt. --------------------------------------------- https://www.watchlist-internet.at/news/viele-meldungen-zu-mimtyde-und-evenl… ∗∗∗ Jahresbericht 2019 von CERT.at und GovCERT Austria veröffentlicht ∗∗∗ --------------------------------------------- Das Mandat als nationales Computer-Notfallteam nach NISG, Emotet, Ransomware, Sextortion, ein Projektabschluss und CyberExchanges – das Jahr 2019 war für CERT.at und GovCERT Austria ein ereignisreiches, das wir in Form unseres Jahresberichts Revue passieren lassen. --------------------------------------------- https://cert.at/de/blog/2020/4/jahresbericht-2019-von-certat-und-govcert-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper Networks Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: April 9, 2020 Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Security Advisories webpage and apply the necessary updates or workarounds. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/04/09/juniper-networks-r… ∗∗∗ Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009 ∗∗∗ --------------------------------------------- Project: Spamicide Date: 2020-April-08 Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Access bypass Description: The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots. The module doesnt require appropriate permissions for administrative pages leading to an Access Bypass. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2020-009 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, ipmitool, krb5-appl, and telnet), Debian (ceph and firefox-esr), Mageia (firefox), openSUSE (bluez and exiv2), Red Hat (firefox), SUSE (ceph, libssh, mgetty, permissions, python-PyYAML, rubygem-actionview-4_2, and vino), and Ubuntu (libiberty and libssh). --------------------------------------------- https://lwn.net/Articles/817128/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… ∗∗∗ Security Bulletin: IBM Resilient OnPrem does not properly limit the number or frequency of pssword reset interactions ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-onprem-does… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability in IBM® Runtime Environment Java™ Version 8 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp… ∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) ( CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… ∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2020
by Daily end-of-shift report 08 Apr '20

08 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-04-2020 18:00 − Mittwoch 08-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Web server security: Infrastructure components ∗∗∗ --------------------------------------------- Cybercriminals understand that your website is not only the face of your organization, but often also its weakest link. With just one misconfigured port, malicious spearphishing email or unpatched vulnerability, an attacker can deploy a range of techniques and tools to enter and then move undetected throughout a network to find a valuable target. --------------------------------------------- https://resources.infosecinstitute.com/web-server-security-infrastructure-c… ∗∗∗ FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks ∗∗∗ --------------------------------------------- FIN6 fingerprints were spotted in recent cyberattacks that initially infected victims with the TrickBot trojan, and then eventually downloaded the Anchor backdoor malware. --------------------------------------------- https://threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/1… ∗∗∗ Microsoft shares new threat intelligence, security guidance during global crisis ∗∗∗ --------------------------------------------- Our threat intelligence shows that COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to the pandemic. We’re seeing a changing of lures, not a surge in attacks. These attacks are settling into the normal ebb and flow of the threat environment. --------------------------------------------- https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-thr… ∗∗∗ DDG botnet, round X, is there an ending? ∗∗∗ --------------------------------------------- DDG is a mining botnet that we first blogged about in Jan 2018, we reported back then that it had made a profit somewhere between 5.8million and 9.8million RMB(about 820,000 to 1.4Million US dollar ), [...] --------------------------------------------- https://blog.netlab.360.com/an-update-on-the-ddg-botnet/ ∗∗∗ COVID-19 Exploited by Malicious Cyber Actors ∗∗∗ --------------------------------------------- This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC). This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/aa20-099a ∗∗∗ New dark_nexus IoT Botnet Puts Others to Shame ∗∗∗ --------------------------------------------- Bitdefender researchers have recently found a new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen. --------------------------------------------- https://labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-… ∗∗∗ Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation ∗∗∗ --------------------------------------------- This blog post continues the FLARE script series with a discussion of patching IDA Pro database files (IDBs) to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in IDB mode to sidestep tedious debugging scenarios and get quick results. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack… ∗∗∗ These hackers have been quietly targeting Linux servers for years ∗∗∗ --------------------------------------------- Researchers at Blackberry detail a newly uncovered hacking campaign that has been operating successfully against unpatched open-source servers for the best part of a decade. --------------------------------------------- https://www.zdnet.com/article/these-hackers-have-been-quietly-targeting-lin… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess/NMS ∗∗∗ --------------------------------------------- This advisory contains mitigations for multiple vulnerabilities in Advantechs WebAccess/NMS network management system. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-01 ∗∗∗ GE Digital CIMPLICITY ∗∗∗ --------------------------------------------- This advisory contains mitigations for a privilege escalation vulnerability in GE Digital CIMPLICITY HMI/SCADA products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-02 ∗∗∗ HMS Networks eWON Flexy and Cosy ∗∗∗ --------------------------------------------- This advisory contains mitigations for a cross-site scripting vulnerability in HMS Networks eWON Flexy and Cosy Industrial VPN routers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-03 ∗∗∗ Fuji Electric V-Server Lite ∗∗∗ --------------------------------------------- This advisory contains mitigations for a heap-based buffer overflow vulnerability in Fuji Electrics V-Server Lite data collection and management service. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-04 ∗∗∗ KUKA.Sim Pro ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-098-05 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox), Debian (chromium and firefox-esr), Oracle (ipmitool and telnet), Red Hat (firefox and qemu-kvm), Scientific Linux (firefox, krb5-appl, and qemu-kvm), Slackware (firefox), SUSE (gmp, gnutls, libnettle and runc), and Ubuntu (firefox, gnutls28, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and linux-azure, linux-gcp, linux-gke-5.0, linux-oem-osp1, [...] --------------------------------------------- https://lwn.net/Articles/817059/ ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0294 ∗∗∗ Security Advisory - Information Disclosure Vulnerability about SWAPGS Instruction ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200408-… ∗∗∗ Security Bulletin: IBM Security Information Queue could reveal sensitive data in application error messages (CVE-2020-4164) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… ∗∗∗ Security Bulletin: Insufficient command validation in IBM Security Information Queue (CVE-2020-4282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-command-vali… ∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities affect IBM DOORS Next Generation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip… ∗∗∗ Security Bulletin: IBM Security Information Queue has insufficient session expiration (CVE-2020-4284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: IBM Security Information Queue uses components with known vulnerabilities (CVE-2019-8331, CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: IBM Security Information Queue does not prevent a product's owner from being modified (CVE-2020-4290) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Quality Manager (RQM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2019-19925, CVE-2019-19645, CVE-2019-19924, CVE-2019-19923, CVE-2019-19880, CVE-2019-19646, CVE-2019-19926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-sqlite… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2020
by Daily end-of-shift report 07 Apr '20

07 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Montag 06-04-2020 18:00 − Dienstag 07-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ corp.com: Microsoft kauft gefährliche Domain ∗∗∗ --------------------------------------------- Alte, fehlerhaft konfigurierte Windowsversionen verbinden sich häufig zur Domain corp.com und geben Daten preis. --------------------------------------------- https://www.golem.de/news/corp-com-microsoft-kauft-gefaehrliche-domain-2004… ∗∗∗ Web server protection: Web application firewalls for web server protection ∗∗∗ --------------------------------------------- Firewalls are an integral part of the tools necessary in securing web servers. In this article, we will discuss all relevant aspects of web application firewalls. We’ll explore a few concepts that touch on these firewalls, both from a compliance and technical point of view, as well as examine a few examples of how [...] --------------------------------------------- https://resources.infosecinstitute.com/web-server-protection-web-applicatio… ∗∗∗ Unkillable xHelper and a Trojan matryoshka ∗∗∗ --------------------------------------------- It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever. --------------------------------------------- https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/ ∗∗∗ ENISA publishes a Tool for the Mapping of Dependencies to International Standards ∗∗∗ --------------------------------------------- The web tool presents the mapping of the indicators demonstrated in the report Good practices on interdependencies between OES and DSPs to international information security standards. This report analysed the dependencies and interdependencies between Operators of Essential Services (OES) and Digital Service Providers (DSPs) and identified a number of indicators to assess them. These indicators are mapped to international standards and frameworks, namely ISO IEC 27002, COBIT5, the NIS [...] --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-a-tool-for-the-… ∗∗∗ Jetzt patchen! Über 350.000 Microsoft Exchange Server immer noch attackierbar ∗∗∗ --------------------------------------------- Auch wenn Angreifer schon seit Ende Februar Ausschau nach verwundbaren Exchange Servern halten, haben viele Admins offensichtlich noch nicht gepatcht. --------------------------------------------- https://heise.de/-4698421 ∗∗∗ Google Patches Critical RCE Vulnerabilities in Androids System Component ∗∗∗ --------------------------------------------- Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component. --------------------------------------------- https://www.securityweek.com/google-patches-critical-rce-vulnerabilities-an… ∗∗∗ Vorsicht Phishing: Amazon führt keine 3-Stufen-Authentifizierung ein ∗∗∗ --------------------------------------------- Kriminelle geben sich als Amazon aus und behaupten, eine „neue 3-Stufen-Authentifizierung für alle Kunden verbindlich einzuführen“. Angeblich in Zusammenarbeit mit Ihrer Bank und Ihrem E-Mail-Provider. Klicken Sie keinesfalls auf den Link in der E-Mail. Sie gelangen auf eine gefälschte Amazon Login-Seite. Kriminelle stehlen Ihre Zugangsdaten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-phishing-amazon-fuehrt-kein… ∗∗∗ More Medical Record Security Flaws ∗∗∗ --------------------------------------------- Tenable Research recently disclosed a number of security-related bugs in a popular open-source medical records application - OpenMRS. This blog details our findings. --------------------------------------------- https://medium.com/tenable-techblog/more-medical-record-security-flaws-8175… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin ∗∗∗ --------------------------------------------- On March 3, 2020, our Threat intelligence team discovered a number of vulnerabilities in WP Lead Plus X, a WordPress plugin with over 70,000 installations designed to allow site owners to create landing and squeeze pages on their sites. These vulnerabilities allowed an authenticated attacker with minimal permissions, such as a subscriber, to create or [...] --------------------------------------------- https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-l… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, kernel-headers, and kernel-tools), openSUSE (glibc and qemu), Red Hat (chromium-browser, container-tools:1.0, container-tools:rhel8, firefox, ipmitool, kernel, kernel-rt, krb5-appl, ksh, nodejs:10, nss-softokn, python, qemu-kvm, qemu-kvm-ma, telnet, and virt:rhel), Scientific Linux (ipmitool and telnet), SUSE (ceph and firefox), and Ubuntu (haproxy, linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, [...] --------------------------------------------- https://lwn.net/Articles/817003/ ∗∗∗ Joomla! plugin "AcyMailing" vulnerable to arbitrary file uploads ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN56890693/ ∗∗∗ Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Security vulnerabilities in Dojo and jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Log Analysis is vulnerable to Injection Attacks ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log-analysis-is-vulnerabl… ∗∗∗ Multiple XSS vulnerabilities in TAO Open Source Assessment Platform ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/multiple-xss-vulnerabilities-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2020
by Daily end-of-shift report 06 Apr '20

06 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-04-2020 18:00 − Montag 06-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Web server security: Command line-fu for web server protection ∗∗∗ --------------------------------------------- Adequate web server security requires proper understanding, implementation and use of a variety of different tools. In this article, we will take a look at some command line tools that can be used to manage the security of web servers. --------------------------------------------- https://resources.infosecinstitute.com/web-server-security-command-line-fu-… ∗∗∗ Analyzing & Decrypting L4NC34’s Simple Ransomware ∗∗∗ --------------------------------------------- We’re constantly seeing news about computers being infected by ransomware, but very little do we hear about it affecting websites. That being said, the impact can be serious if the affected website is the webmaster’s only source of income or a business relies entirely on it’s website and online presence. --------------------------------------------- https://blog.sucuri.net/2020/04/analyzing-decrypting-l4nc34s-simple-ransomw… ∗∗∗ Kinsing Linux Malware Deploys Crypto-Miner in Container Environments ∗∗∗ --------------------------------------------- A campaign that has been ongoing for months is targeting misconfigured open Docker Daemon API ports to install a piece of malware named Kinsing, which in turn deploys a cryptocurrency miner in compromised container environments. --------------------------------------------- https://www.securityweek.com/kinsing-linux-malware-deploys-crypto-miner-con… ∗∗∗ 8,000 Unprotected Redis Instances Accessible From Internet ∗∗∗ --------------------------------------------- Trend Micro’s security researchers discovered roughly 8,000 unsecured Redis instances that were exposed to anyone with an Internet connection. Spread all over the world, the unsecured instances were found to lack Transport Layer Security (TLS) encryption and without any password protection. Some of these instances were even deployed in public clouds. --------------------------------------------- https://www.securityweek.com/8000-unprotected-redis-instances-accessible-in… ∗∗∗ Userdir URLs like https://example.org/~username/ are dangerous ∗∗∗ --------------------------------------------- I would like to point out a security problem with a classic variant of web space hosting. While this issue should be obvious to anyone knowing basic web security, I have never seen it being discussed publicly. Some server operators allow every user on the system to have a personal web space where they can place files in a directory (often ~/public_html) and they will appear on the host under a URL with a tilde and their username (e.g. https://example.org/~username/). --------------------------------------------- https://blog.hboeck.de/archives/899-Userdir-URLs-like-httpsexample.orgusern… ∗∗∗ MISP 2.4.124 released (aka the dashboard, auditing improvements) ∗∗∗ --------------------------------------------- MISP 2.4.124 releasedA new version of MISP (2.4.124) has been released. This version includes various improvements including a new multiline widgets in the dashboard, auditing improvements and many bugs fixed. --------------------------------------------- https://www.misp-project.org/2020/04/06/MISP.2.4.124.released.html ∗∗∗ Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet ∗∗∗ --------------------------------------------- A proof-of-concept for CVE-2020-8515 that was made publicly available in March is found being employed by a new DDoS botnet called hoaxcalls. --------------------------------------------- https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#660597: Periscope BuySpeed is vulnerable to stored cross-site scripting ∗∗∗ --------------------------------------------- Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed version 14.5 is vulnerable to stored cross-site scripting,which could allow a local,authenticated attacker to store arbitrary JavaScript within the application. --------------------------------------------- https://kb.cert.org/vuls/id/660597 ∗∗∗ Gefährliche Sicherheitslücken in HP Support Assistant immer noch offen ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher rügt HP, weil die Entwickler seit Monaten im standardmäßig installierten HP Support Assistant diverse Schwachstellen nicht schließen. --------------------------------------------- https://heise.de/-4697583 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, gnutls28, and libmtp), Fedora (cyrus-sasl, firefox, glibc, squid, and telnet), Gentoo (firefox), Mageia (dcraw, firefox, kernel, kernel-linus, librsvg, and python-nltk), openSUSE (firefox, haproxy, icu, and spamassassin), Red Hat (nodejs:10, openstack-manila, python-django, python-XStatic-jQuery, and telnet), Slackware (firefox), SUSE (bluez, exiv2, and libxslt), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/816886/ ∗∗∗ XSS vulnerability in the Dashboard name parameter of FortiADC. ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-012 ∗∗∗ Improper Authorization vulnerability in FortiADC ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-013 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Bouncy Castle API affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2019-16782). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2020
by Daily end-of-shift report 03 Apr '20

03 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-04-2020 18:00 − Freitag 03-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln ∗∗∗ --------------------------------------------- I’m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero’s ideas and goals around in-the-wild 0-days in a November blog post. On December’s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-y… ∗∗∗ Progress In 2020 Funding Challenge - Thanks To Fantastic Global Supporters, But More Help Still Needed! ∗∗∗ --------------------------------------------- Our first status update on the critical initial milestone in Shadowservers urgent 2020 funding challenge. Great progress from our awesome community, with particular thanks to philanthropist Craig Newmark, but more help still needed to fully secure our data center operations in 2020. Join with us to continue protecting victims of cybercrime and help protect the Internet. --------------------------------------------- https://www.shadowserver.org/news/progress-in-2020-funding-challenge-thanks… ∗∗∗ Contact Form 7 Datepicker: Gefährliches WordPress-Plugin ohne Support ∗∗∗ --------------------------------------------- Angreifer könnten WordPress-Websites attackieren und Admin-Sessions übernehmen. --------------------------------------------- https://heise.de/-4696045 ∗∗∗ Researchers Discover Hidden Behavior in Thousands of Android Apps ∗∗∗ --------------------------------------------- Thousands of mobile applications for Android contain hidden behavior such as backdoors and blacklists, a group of researchers has discovered. With smartphones being part of our every-day lives, millions of applications are being used for a broad variety of activities, yet many of these engage in behaviors that are never disclosed to their users. --------------------------------------------- https://www.securityweek.com/researchers-discover-hidden-behavior-thousands… ∗∗∗ Mahnungen und Zahlungsaufforderungen von Flirthub.de ungerechtfertigt ∗∗∗ --------------------------------------------- Zahlreiche InternetuserInnen wenden sich momentan an uns, da sie plötzlich Zahlungsaufforderungen von Flirthub.de erhalten. Angeblich hätten sie sich auf der Website der MD Service GmbH angemeldet und eine Testphase sei nun in ein Premium-Abo übergelaufen. Wir haben uns die Websites und Zahlungsaufforderungen genauer angesehen. Unser Urteil: Betroffene müssen die geforderten 265,62 Euro nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/mahnungen-und-zahlungsaufforderungen… ∗∗∗ Vorsicht bei gefälschten Nachrichten von SMSinfo zu Paketlieferungen ∗∗∗ --------------------------------------------- Aufgrund der Corona-Krise müssen Fachgeschäfte in Österreich geschlossen sein. Viele Menschen greifen daher auf Online-Bestellungen zurück und warten auf ihr bestelltes Paket. Das nutzen derzeit vermehrt Kriminelle aus und versenden SMS unter den Namen „SMSinfo“. Der mitgeschickte Link in dieser SMS führt zu einer gefälschten Post-Webseite auf der Sie aufgefordert werden zwei Euro zu zahlen. Geben Sie Ihre Daten hier nicht ein, denn die Nachricht stammt [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-gefaelschten-nachrichte… ∗∗∗ GuLoader: Malspam Campaign Installing NetWire RAT ∗∗∗ --------------------------------------------- NetWire, a publicly-available RAT, was found being distributed through a file downloader called GuLoader. We explain how its infection chain works and how to defend against it. --------------------------------------------- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ ∗∗∗ Microsoft: How one Emotet infection took out this organizations entire network ∗∗∗ --------------------------------------------- An Emotet victims IT disaster shows why organizations should filter internal emails and use two-factor authentication. --------------------------------------------- https://www.zdnet.com/article/microsoft-how-one-emotet-infection-took-out-t… ===================== = Vulnerabilities = ===================== ∗∗∗ B&R Automation Studio ∗∗∗ --------------------------------------------- This advisory contains mitigations for improper privilege management, missing required cryptographic step, and path traversal vulnerabilities in B&R Automation Studio software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-093-01 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and qbittorrent), Gentoo (gnutls), Mageia (bluez, kernel, python-yaml, varnish, and weechat), Oracle (haproxy and nodejs:12), SUSE (exiv2, haproxy, libpng12, mgetty, and python3), and Ubuntu (libgd2). --------------------------------------------- https://lwn.net/Articles/816757/ ∗∗∗ Security Bulletin: IBM Agile Lifecycle Manager is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-agile-lifecycle-manag… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Agile Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged user could execute commands as root ( CVE-2020-4273) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2020
by Daily end-of-shift report 02 Apr '20

02 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-04-2020 18:00 − Donnerstag 02-04-2020 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Office 365 Phishing Uses CSS Tricks to Bypass Email Gateways ∗∗∗ --------------------------------------------- A phishing campaign using Office 365 voicemail lures to trick them into visiting landing pages designed to steal their personal information or infect their computers with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/office-365-phishing-uses-css… ∗∗∗ Pekraut - German RAT starts gnawing ∗∗∗ --------------------------------------------- Feature-rich remote access malware Pekraut emerges. The rodent seems to be of German origin and is ready to be released. We analyzed the malware in-depth. --------------------------------------------- https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-… ∗∗∗ Cyber-Kriminelle nutzen Corona-Krise vermehrt aus ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) beobachtet aktuell eine Zunahme von Cyber-Angriffen mit Bezug zum Corona-Virus auf Unternehmen und Bürger. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/Cyber-Krimi… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache HTTP Server 2.4 vulnerabilities, Fixed in Apache httpd 2.4.42 ∗∗∗ --------------------------------------------- low: mod_proxy_ftp use of uninitialized value (CVE-2020-1934): mod_proxy_ftp use of uninitialized value with maliciosu FTP backend. low: mod_rewrite CWE-601 open redirect (CVE-2020-1927): Some mod_rewrite configurations vulnerable to open redirect. --------------------------------------------- https://httpd.apache.org/security/vulnerabilities_24.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, kernel, linux-hardened, linux-lts, and pam-krb5), Debian (haproxy, libplist, and python-bleach), Fedora (tomcat), Gentoo (ghostscript-gpl, haproxy, ledger, qtwebengine, and virtualbox), Red Hat (haproxy, nodejs:12, qemu-kvm-rhev, and rh-haproxy18-haproxy), SUSE (memcached and qemu), and Ubuntu (apport). --------------------------------------------- https://lwn.net/Articles/816633/ ∗∗∗ 2020-04-02: Vulnerabilities in Telephone Gateway TG/S 3.2 ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A3921&Lan… ∗∗∗ 2020-04-02: SECURITY System 800xA Information Manager - Remote Code Execution ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232&Language… ∗∗∗ 2020-04-02: SECURITY System 800xA Weak Registry Permissions ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121221&Language… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.5.0 ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF10 + ICAM 3.0 – 4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2019-2989 vulnerabilitiy in IBM Java Runtime affects IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2989-vulnerabili… ∗∗∗ Security Bulletin: CVE-2019-4732 vulnerabilitiy in IBM Java Runtime affects IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4732-vulnerabili… ∗∗∗ Security Bulletin: IBM Process Federation Server REST API is subject to DoS attacks ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-federation-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2020
by Daily end-of-shift report 01 Apr '20

01 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-03-2020 18:00 − Mittwoch 01-04-2020 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zoom Lets Attackers Steal Windows Credentials via UNC Links ∗∗∗ --------------------------------------------- The Zoom Windows client is vulnerable to UNC path injection in the clients chat feature that could allow attackers to steal the Windows credentials of users who click on the link. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-wi… ∗∗∗ WARNING: Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers ∗∗∗ --------------------------------------------- [...] Named "Vollgar" after the Vollar cryptocurrency it mines and its offensive "vulgar" modus operandi, researchers at Guardicore Labs said the attack employs password brute-force to breach Microsoft SQL servers with weak credentials exposed to the Internet. --------------------------------------------- https://thehackernews.com/2020/04/backdoor-.html ∗∗∗ WordPress-SEO-Plugin Rank Math: Admin-Lücke gefährdet Websites ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke mit Höchstwertung im WordPress-Plugin Rank Math kann Angreifer zu Admins machen. Ein Update ist verfügbar. --------------------------------------------- https://heise.de/-4694641 ∗∗∗ Kleinanzeigenbetrug: So funktioniert der Dreiecksbetrug ∗∗∗ --------------------------------------------- Ebay, Willhaben, Shpock und Co. sind beliebt, um günstige und gebrauchte Ware zu kaufen oder nicht mehr gebrauchte Gegenstände zu verkaufen. Doch auch Kriminelle fühlen sich auf diesen Kleinanzeigenportalen wohl, da sie die Anonymität im Internet gezielt nutzen können. Eine besonders perfide Betrugsfalle in diesem Bereich ist der „Dreiecksbetrug“. Hier werden sowohl KäuferInnen als auch VerkäuferInnen abgezockt. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-so-funktioniert-… ===================== = Vulnerabilities = ===================== ∗∗∗ BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System ∗∗∗ --------------------------------------------- This advisory contains mitigations for a protection mechanism failure vulnerability in BD Pyxis medical devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-20-091-01 ∗∗∗ Hirschmann Automation and Control HiOS and HiSecOS Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for a classic buffer overflow vulnerability in Hirschmann Automation and Control HiOS and HiSecOS software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-091-01 ∗∗∗ Mitsubishi Electric MELSEC ∗∗∗ --------------------------------------------- This advisory contains mitigations for an uncontrolled resource consumption vulnerability in Mitsubishi Electric MELSEC programmable controllers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-091-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, [...] --------------------------------------------- https://lwn.net/Articles/816511/ ∗∗∗ Cisco NX-OS Software Anycast Gateway Invalid ARP Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software NX-API Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200401-… ∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data returning decrypted credentials ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java(CVE-2020-2604) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Possible denial of service vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-possible-denial-of-servic… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Tririga Application Platform (CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-a… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by multiple vulnerabilities in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Vulnerabilities in Java runtime environment that IBM provides affect WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-r… ∗∗∗ Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2020-4303, CVE-2020-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple Db2 vulnerabilities affect the IBM Spectrum Protect Server (CVE-2019-4057, CVE-2019-4101, CVE-2019-4154, CVE-2019-4386, CVE-2019-4322) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-vulnerabilit… ∗∗∗ Security Bulletin: Security vulnerability in IBM Java SDK affect Rational Build Forge (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ HPESBHF03994 rev.1 - HPE Superdome Flex with iLO4, Remote or Local Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03940 rev.1 - HPE MSA 1040, HPE MSA 2040, HPE MSA 2042, HPE MSA 1050, HPE MSA 2050, and HPE MSA 2052 Multiple Remote Access Restriction Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03993 rev.1 - HPE Superdome X servers with iLO4, Remote Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03995 rev.1 - HPE Superdome X servers with iLO4, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03986 rev.1 - HPE Superdome X servers with iLO4, Remote Code Execution and Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2020
by Daily end-of-shift report 31 Mar '20

31 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 30-03-2020 18:00 − Dienstag 31-03-2020 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Networking Basics for Reverse Engineers ∗∗∗ --------------------------------------------- This article will define network reverse engineering, list tools used by reverse engineers for reverse engineering and then highlight the network basics required by such engineers. The article will illustrate, through the lens of an attacker, how to expose the vulnerability of a network protocol and exploit the vulnerability, and then discuss how to [...] --------------------------------------------- https://resources.infosecinstitute.com/networking-basics-for-reverse-engine… ∗∗∗ OWASP Firmware Security Testing Methodology ∗∗∗ --------------------------------------------- FSTM is composed of nine stages tailored to enable security researchers, software developers, hobbyists, and Information Security professionals with conducting firmware security assessments. --------------------------------------------- https://scriptingxss.gitbook.io/firmware-security-testing-methodology/ ∗∗∗ They told me I could be anything, so I became a Kubernetes node - Using K3s for command and control on compromised Linux hosts ∗∗∗ --------------------------------------------- In their RSA 2020 talk Advanced Persistence Threats: The Future of Kubernetes Attacks, Ian Coldwater and Brad Geesaman demonstrated that K3s, a lightweight version of Kubernetes, can be used to backdoor compromised Kubernetes clusters. This post describes how K3s can also serve as an easy command and control (C2) mechanism to remotely control compromised Linux machines. --------------------------------------------- https://blog.christophetd.fr/using-k3s-for-command-and-control-on-compromis… ∗∗∗ Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit ∗∗∗ --------------------------------------------- While following reports on these infections, we stumbled upon a very poorly maintained server connected to a very loud operation named Inter. Upon reverse engineering this server, we found ourselves in conversation with the hackers themselves who revealed much more information about the Inter toolkit operation. This blog post shares some of the findings and explores how digital skimming is evolving into a service. --------------------------------------------- https://www.perimeterx.com/resources/blog/2020/skimming-as-a-service-anatom… ∗∗∗ Microsoft fixt Windows 10 VPN-Bug mit optionalen Sonderupdates ∗∗∗ --------------------------------------------- Microsoft bringt Windows-10-Updates, die einen Fehler beim Internetzugang beheben sollen, speziell wenn VPN-Software mit Proxy-Konfigurationen verwendet wird. --------------------------------------------- https://heise.de/-4694177 ∗∗∗ Industrial Controllers Still Vulnerable to Stuxnet-Style Attacks ∗∗∗ --------------------------------------------- Researchers demonstrated recently that hackers could launch a Stuxnet-style attack against Schneider Electric’s Modicon programmable logic controllers (PLCs), but it’s believed that products from other vendors could also be vulnerable to the same type of attack. --------------------------------------------- https://www.securityweek.com/industrial-controllers-still-vulnerable-stuxne… ∗∗∗ FBI Warns of Ongoing Kwampirs Attacks Targeting Global Industries ∗∗∗ --------------------------------------------- A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns. --------------------------------------------- https://www.securityweek.com/fbi-warns-ongoing-kwampirs-attacks-targeting-g… ∗∗∗ Vorsicht vor Gewinnspielen, die Kreditkartendaten erfordern ∗∗∗ --------------------------------------------- Kriminelle geben sich als bekannte Unternehmen aus und verbreiten über unterschiedliche Kanäle gefälschte Gewinnspiele. Sie täuschen den TeilnehmerInnen vor, ein iPhone 11 Pro, einen E-Scooter oder Weber Grill gewonnen zu haben. Für den Versand des Gewinnes werden jedoch 1-3 Euro, die per Kreditkarte bezahlt werden müssen, verlangt. Vorsicht: Es handelt sich um eine Abo-Falle. Kriminelle buchen monatlich bis zu 90 Euro ab. Ihren angeblichen Gewinn erhalten Sie [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gewinnspielen-die-kredi… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin ∗∗∗ --------------------------------------------- On March 23, 2020, our Threat Intelligence team discovered 2 vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site. --------------------------------------------- https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-o… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux-raspi2, linux-raspi2-5.3, and Timeshift). --------------------------------------------- https://lwn.net/Articles/816368/ ∗∗∗ VU#962085: Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/962085 ∗∗∗ VU#944837: Vertiv Avocent UMG-4000 vulnerable to command injection and cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/944837 ∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ PEPPERL+FUCHS Kr00k vulnerabilities in Broadcom Wi-Fi chipsets ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-014 ∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4238) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Denial of service vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4236) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in TLS (CVE-2019-6485) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Potential information disclosure vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4239) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-information-dis… ∗∗∗ Security Bulletin: Directory Traversal vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4240, CVE-2020-4209) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-vulne… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Protect Plus (CVE-2019-15606, CVE-2019-15604, CVE-2019-15605, CVE-2019-9511, CVE-2019-9516, CVE-2019-9512, CVE-2019-9517, CVE-2019-9518, CVE-2019-9515, CVE-2019-9513, CVE-2019-9514) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2020
by Daily end-of-shift report 30 Mar '20

30 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-03-2020 18:00 − Montag 30-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sicherheitsupdates: BIG-IP Appliances von F5 angreifbar ∗∗∗ --------------------------------------------- Die Entwickler von F5 haben mehrere Sicherheitslücken in verschiedenen Produkten geschlossen. --------------------------------------------- https://heise.de/-4693455 ∗∗∗ A mysterious hacker group is eavesdropping on corporate email and FTP traffic ∗∗∗ --------------------------------------------- Hacker group uses zero-day in DrayTek Vigor enterprise routers and VPN gateways to record network traffic. --------------------------------------------- https://www.zdnet.com/article/a-mysterious-hacker-group-is-eavesdropping-on… ∗∗∗ Source code of Dharma ransomware pops up for sale on hacking forums ∗∗∗ --------------------------------------------- The source code of one of todays most profitable and advanced ransomware strains is up for sale on two Russian-language hacking forums. --------------------------------------------- https://www.zdnet.com/article/source-code-of-dharma-ransomware-pops-up-for-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/816267/ ∗∗∗ Synology-SA-20:04 Drupal ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Drupal. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_04_Drupal ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0272 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2020
by Daily end-of-shift report 27 Mar '20

27 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-03-2020 18:00 − Freitag 27-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Bug: Kein durchgängiges VPN unter iOS ∗∗∗ --------------------------------------------- Alte Verbindungen werden unter iOS derzeit am VPN vorbeigeleitet. --------------------------------------------- https://www.golem.de/news/bug-kein-durchgaengiges-vpn-unter-ios-2003-147552… ∗∗∗ Corona-Malware-Kampagne im Namen der WHO über manipulierte Routereinstellungen ∗∗∗ --------------------------------------------- Manipulierte DNS-Settings von D-Link- und Linksys-Routern leiten auf angebliche Warnhinweise der World Health Organization, hinter denen sich Malware verbirgt. --------------------------------------------- https://heise.de/-4692092 ∗∗∗ Micropatching Unknown 0days in Windows Type 1 Font Parsing ∗∗∗ --------------------------------------------- Three days ago, Microsoft published a security advisory alerting about two vulnerabilities in Windows font parsing, which were noticed as being exploited in "limited targeted Windows 7 based attacks." These vulnerabilities currently dont have an official vendor fix. As weve done before in a similar situation, we decided to provide our users with a micropatch to protect [...] --------------------------------------------- https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html ∗∗∗ Unseriöser Online-Shop: silahmall.com ∗∗∗ --------------------------------------------- Antiquitäten, Kleidung, Schmuck und Uhren, Möbel oder Computer-Zubehör. Der Online-Shop silahmall.com bietet eine breite Produktpalette an und verspricht hochwertige Qualität. Die Seite verlockt zum Einkaufen. Doch seien Sie vorsichtig! Wir raten von einer Bestellung ab, da es kein Impressum auf der Seite gibt und die einzige angegebene Kontaktmöglichkeit unseriös ist. --------------------------------------------- https://www.watchlist-internet.at/news/unserioeser-online-shop-silahmallcom/ ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in Advantechs WebAccess HMI platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-086-01 ∗∗∗ VISAM Automation Base (VBASE) ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in VISAMs VBASE automation platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-084-01 ∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for path traversal and missing authentication for critical function vulnerabilities in the Schneider Electric ICSS SCADA software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-084-02 ∗∗∗ Critical CODESYS Bug Allows Remote Code Execution ∗∗∗ --------------------------------------------- CVE-2020-10245, a heap-based buffer overflow that rates 10 out of 10 in severity, exists in the CODESYS web server and takes little skill to exploit. --------------------------------------------- https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/ ∗∗∗ [Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.7/1.33.3/1.34.1) ∗∗∗ --------------------------------------------- With the security/maintenance release of MediaWiki 1.31.7/1.33.3/1.34.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: [...] --------------------------------------------- https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093245.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6). --------------------------------------------- https://lwn.net/Articles/816130/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0268 ∗∗∗ MediaWiki: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0271 ∗∗∗ PHOENIX CONTACT Local Privilege Escalation in PC WORX SRT ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-012 ∗∗∗ PHOENIX CONTACT Local Privilege Escalation in Portico Remote desktop control software ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-013 ∗∗∗ Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-liberty-suscept… ∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct File Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ BIG-IP TMM Ram Cache vulnerability CVE-2020-5861 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22113131 ∗∗∗ BIG-IP HTTP profile vulnerability CVE-2020-5857 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70275209 ∗∗∗ BIG-IP HTTP/3 QUIC vulnerability CVE-2020-5859 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61367237 ∗∗∗ BIG-IP AWS vulnerability CVE-2020-5862 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01054113 ∗∗∗ BIG-IP tmsh vulnerability CVE-2020-5858 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36814487 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2020
by Daily end-of-shift report 26 Mar '20

26 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-03-2020 18:00 − Donnerstag 26-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Angespannter Arbeitsmarkt sorgt für betrügerische Job-Angebote ∗∗∗ --------------------------------------------- Aufgrund der durch das Coronavirus bedingten Arbeitsmarktsituation, suchen viele InternetuserInnen momentan online nach Jobs oder einer zusätzlichen Verdienstmöglichkeit. Dies nützen Kriminelle gezielt aus, indem Sie betrügerische Job-Angebote im Internet inserieren. Die Fake-Berufe können zu Geldwäsche führen, Pyramidensysteme sein oder zu gefährlichen Investments verleiten. --------------------------------------------- https://www.watchlist-internet.at/news/angespannter-arbeitsmarkt-sorgt-fuer… ∗∗∗ WordPress Malware Distributed via Pirated Coronavirus Plugins ∗∗∗ --------------------------------------------- The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a web site. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-malware-distribute… ∗∗∗ Malware spotlight: Nemty ∗∗∗ --------------------------------------------- If the last five years or so have proven anything, it is that ransomware is here to stay as a threat in the cybersecurity wild. This should not be used as rationale to simply ignore the deluge of new types of malware that are discovered weekly, as the recently discovered malware family Nemty has [...] --------------------------------------------- https://resources.infosecinstitute.com/malware-spotlight-nemty/ ∗∗∗ As Zoom Booms Incidents of ‘ZoomBombing’ Become a Growing Nuisance ∗∗∗ --------------------------------------------- Numerous instances of online conferences being disrupted by pornographic images, hate speech or even threats can be mitigated using some platform tools. --------------------------------------------- https://threatpost.com/as-zoom-booms-incidents-of-zoombombing-become-a-grow… ∗∗∗ Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios ∗∗∗ --------------------------------------------- Increased remote work has many organizations rethinking network and security strategies. In this post we share guidance on how to manage security in this changing environment. --------------------------------------------- https://www.microsoft.com/security/blog/2020/03/26/alternative-security-pro… ∗∗∗ Assemble the Cookies ∗∗∗ --------------------------------------------- When we investigate compromised websites, it’s not unusual to find malicious files that have been obfuscated through forms of encoding or encryption — however, these are not the only methods that attackers use to obfuscate code. Obfuscation via Predefined PHP Variables Here’s an example of obfuscation that doesn’t use encoding or encryption in any way: [...] --------------------------------------------- https://blog.sucuri.net/2020/03/assemble-the-cookies.html ∗∗∗ Apple iOS users served mobile malware in Poisoned News campaign ∗∗∗ --------------------------------------------- As we all devour online news sources in the current climate, cyberattackers are waiting to spring. --------------------------------------------- https://www.zdnet.com/article/apple-ios-users-served-mobile-malware-in-oper… ∗∗∗ 4G networks vulnerable to denial of service attacks, subscriber tracking ∗∗∗ --------------------------------------------- Don’t think you’re protected on upcoming 5G networks, either. --------------------------------------------- https://www.zdnet.com/article/100-of-4g-networks-vulnerable-to-denial-of-se… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr). --------------------------------------------- https://lwn.net/Articles/816039/ ∗∗∗ Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-008 ∗∗∗ Security Advisory - Use-after-free Vulnerability in Some Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Vulnerabilities Patched in IMPress for IDX Broker ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-f… ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0264 ∗∗∗ Security Bulletin: Security: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for ACH Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-a-vulnerability-… ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)(CVE-2019-12418, CVE-2019-17563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4276) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2020
by Daily end-of-shift report 25 Mar '20

25 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-03-2020 18:00 − Mittwoch 25-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ginp Mobile Banker Targets Spain with "Coronavirus Finder" Lure ∗∗∗ --------------------------------------------- In todays deluge of malicious campaigns exploiting the COVID-19 topic, handlers of the Android banking trojan Ginp stand out with operation Coronavirus Finder. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ginp-mobile-banker-targets-s… ∗∗∗ Three More Ransomware Families Create Sites to Leak Stolen Data ∗∗∗ --------------------------------------------- Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims and further illustrates why all ransomware attacks must be considered data breaches. --------------------------------------------- https://www.bleepingcomputer.com/news/security/three-more-ransomware-famili… ∗∗∗ Firmware-Bug zerstört SSDs nach genau 40.000 Stunden ∗∗∗ --------------------------------------------- Hewlett Packard warnt davor, dass alle Daten nach Ablauf der Zeit unwiederbringlich gelöscht werden. --------------------------------------------- https://futurezone.at/produkte/firmware-bug-zerstoert-ssds-nach-genau-40000… ∗∗∗ Traffic to Malicious Websites Spiking as more Employees Take Up Work from Home ∗∗∗ --------------------------------------------- Heimdal™ Security’s Incident Response and Research team has recently uncovered evidence of what a potentially dangerous campaign directed at employees working from home. With many cities under lockdown due to the COVID-19 pandemic, companies were mandated to allow the employees to work from home, in a bid to stop the spread of the virus. Since [...] --------------------------------------------- https://heimdalsecurity.com/blog/malicious-websites-work-from-home/ ∗∗∗ TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services ∗∗∗ --------------------------------------------- The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The Android app, called "TrickMo" by IBM X-Force researchers, is under active development and has exclusively targeted German users [...] --------------------------------------------- https://thehackernews.com/2020/03/trickbot-two-factor-mobile-malware.html ∗∗∗ Microsoft Defender: "Scan-Skip-Bug" mit Update KB4052623 anscheinend beseitigt ∗∗∗ --------------------------------------------- Das von Microsoft für den Windows Defender veröffentlichte Update KB4052623 scheint die Meldung, dass Elemente beim Scan übersprungen wurden, zu eliminieren. --------------------------------------------- https://heise.de/-4690575 ∗∗∗ VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion ∗∗∗ --------------------------------------------- VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch. However, one of the researchers who found it says the patch is "still bad". --------------------------------------------- https://www.securityweek.com/vmware-again-fails-patch-privilege-escalation-… ∗∗∗ Videolabs Patches Code Execution, DoS Vulnerabilities in libmicrodns Library ∗∗∗ --------------------------------------------- Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn. --------------------------------------------- https://www.securityweek.com/videolabs-patches-code-execution-dos-vulnerabi… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Bug Affects Millions of OpenWrt-based Network Devices ∗∗∗ --------------------------------------------- A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic. Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the [...] --------------------------------------------- https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: iTunes 12.10.5 for Windows iOS 13.4 and iPadOS 13.4 Safari 13.1 watchOS 6.2 tvOS 13.4 macOS [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/03/25/apple-releases-sec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived). --------------------------------------------- https://lwn.net/Articles/815937/ ∗∗∗ BlackBerry Powered by Android Security Bulletin – March 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0262 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Security Advisory - Improper Access Control Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Security vulnerability is identified in Apache POI server where Rational Asset Manager is deployed (CVE-2019-12415) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-is… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: CVE-2019-4732 vulnerabilitiy in IBM Java Runtime affects IBM Process Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4732-vulnerabili… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2020
by Daily end-of-shift report 24 Mar '20

24 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 23-03-2020 18:00 − Dienstag 24-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps ∗∗∗ --------------------------------------------- A new cyber attack is hijacking routers DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Vidar information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-t… ∗∗∗ Unknown Hackers Use New Milum RAT in WildPressure Campaign ∗∗∗ --------------------------------------------- A new piece of malware that shows no similarities with samples used in known campaigns is currently used to attack computers in various organizations. Researchers named the threat Milum and dubbed the operation WildPressure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unknown-hackers-use-new-milu… ∗∗∗ Tekya Malware Threatens Millions of Android Users via Google Play ∗∗∗ --------------------------------------------- The ad-fraud malware lurks in dozens of childrens and utilities apps. --------------------------------------------- https://threatpost.com/tekya-malware-android-google-play/154064/ ∗∗∗ Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it ∗∗∗ --------------------------------------------- Yes, you may have detected some sarcasm An annoying security flaw been disclosed and promptly fixed in the fairly popular memcached distributed data-caching software. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/24/memcache… ∗∗∗ Betrügerische Raiffeisen-E-Mails im Umlauf ∗∗∗ --------------------------------------------- Aktuell erhalten Raiffeisen-KundInnen eine Benachrichtigung, dass die smsTAN deaktiviert wird und ELBA-NutzerInnen z. B. auf pushTAN umsteigen können. Für weitere Informationen zur Umstellung werden sie aufgefordert, sich ins Online Banking einzuloggen. Seien Sie bei E-Mails der Raiffeisen Bank zum Thema smsTAN und pushTAN besonders vorsichtig und kontrollieren Sie sorgfältig, ob die Aufforderung tatsächlich von der Raiffeisen Bank stammt. Es sind auch betrügerische [...] --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-raiffeisen-e-mails-im… ===================== = Vulnerabilities = ===================== ∗∗∗ Notfallpatch für Adobe Creative Cloud Application ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke in Creative Cloud Application von Adobe macht Windows-Computer angreifbar. --------------------------------------------- https://heise.de/-4689478 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat8), Fedora (chromium and okular), openSUSE (texlive-filesystem), Oracle (tomcat6), Scientific Linux (libvncserver, thunderbird, and tomcat6), Slackware (gd), SUSE (cloud-init, postgresql10, python36, and strongswan), and Ubuntu (ibus and vim). --------------------------------------------- https://lwn.net/Articles/815882/ ∗∗∗ Kritische Sicherheitslücke in Microsoft Windows (Adobe Type Manager Library) - Workarounds verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des monatlichen Patch-Zyklus ein Security Advisory für eine kritische Sicherheitslücke in der Adobe Type Manager Library veröffentlicht. Laut Microsoft und CERT/CC wird die Schwachstelle bereits aktiv ausgenutzt, [...] --------------------------------------------- https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft… ∗∗∗ systemd-journald vulnerability CVE-2019-3815 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22040951 ∗∗∗ Apache vulnerability CVE-2020-8840 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15320518 ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0256 ∗∗∗ Kubernetes: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0253 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Arbitrary Script Injection vulnerability (CVE-2019-4681) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to a session management vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: IBM Content Navigator includes the host IP address in an HTTP response. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-inc… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM API Connect is impacted by weak cryptographic algorithms (CVE-2019-4553) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM API Connect is potentially impacted by vulnerabilities in MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-potent… ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by a denial of service vulnerability in MySQL (CVE-2019-2805) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java(CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: A security vulnerability has been disclosed in Expat, which is installed as part of IBM Tivoli Network Manager (CVE-2019-15903). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2020
by Daily end-of-shift report 23 Mar '20

23 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-03-2020 18:00 − Montag 23-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware ∗∗∗ --------------------------------------------- PwndLocker has rebranded as the ProLock Ransomware after fixing a crypto bug that allowed a free decryptor to be created. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-… ∗∗∗ Netwalker Ransomware Infecting Users via Coronavirus Phishing ∗∗∗ --------------------------------------------- As if people did not have enough to worry about, attackers are now targeting them with Coronavirus (COVID-19) phishing emails that install ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecti… ∗∗∗ Latest Astaroth living-off-the-land attacks are even more invisible but not less observable ∗∗∗ --------------------------------------------- Astaroth is back sporting significant changes. The updated attack chain maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion. --------------------------------------------- https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-o… ∗∗∗ Zero-Day Vulnerabilities in LILIN DVRs Exploited by Several Botnets ∗∗∗ --------------------------------------------- Cybercrime groups have been exploiting vulnerabilities in digital video recorders (DVRs) made by Taiwan-based surveillance solutions provider LILIN to increase the size of their botnets. --------------------------------------------- https://www.securityweek.com/zero-day-vulnerabilities-lilin-dvrs-exploited-… ∗∗∗ Achtung bei Einkäufen auf mimty.de und evenlife.de ∗∗∗ --------------------------------------------- Unzählige InternetuserInnen melden die Online-Shops mimty.de und evenlife.de momentan an die Watchlist Internet. Die Webseiten sind exakt gleich aufgebaut und bieten Atemschutzmasken, Desinfektionssprays und ähnliches an. Die Shopiago GmbH, die hinter den Shops steckt, gibt einen Sitz in Deutschland an, der Versand erfolgt aber stark verzögert aus dem weit entfernten Ausland oder bleibt längerfristig aus. Die Watchlist Internet rät zur Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-bei-einkaeufen-auf-mimtyde-u… ∗∗∗ How to prevent your Zoom meetings being Zoom-bombed (gate-crashed) by trolls ∗∗∗ --------------------------------------------- The coronavirus outbreak has seen an unprecedented number of people working and learning from home, and one of the tools that is making that possible is Zoom. But if you dont take care, you could find your meetings being gate-crashed or Zoom-bombed, potentially causing havoc and mayhem. --------------------------------------------- https://www.zdnet.com/article/how-to-prevent-your-zoom-meetings-being-zoom-… ===================== = Vulnerabilities = ===================== ∗∗∗ Insulet Omnipod ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper access control vulnerability in Insulets Omnipod insulin management system. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-20-079-01 ∗∗∗ Systech NDS-5000 Terminal Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a cross-site scripting vulnerability in Systechs NDS-5000 network server. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-079-01 ∗∗∗ FIBARO System Home Center v5.021 Remote File Include XSS ∗∗∗ --------------------------------------------- The smart home solution is vulnerable to a remote Cross-Site Scripting triggered via a Remote File Inclusion issue by including arbitrary client-side dynamic scripts (JavaScript, VBScript) due to the undocumented proxy API and its url GET parameter. This allows hijacking the current session of the user or changing the look of the page by changing the HTML. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php ∗∗∗ PMASA-2020-4 ∗∗∗ --------------------------------------------- SQL injection relating to data displayAffected VersionsphpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected. We believe the flaw was introduced with phpMyAdmin 3.4.CVE IDCVE-2020-10803 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2020-4/ ∗∗∗ PMASA-2020-3 ∗∗∗ --------------------------------------------- SQL injection relating to searchingAffected VersionsphpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected.CVE IDCVE-2020-10802 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2020-3/ ∗∗∗ PMASA-2020-2 ∗∗∗ --------------------------------------------- SQL injection with processing usernameAffected VersionsphpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected.CVE IDCVE-2020-10804 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2020-2/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, chromium, graphicsmagick, jackson-databind, phpmyadmin, python-bleach, and tor), Gentoo (exim and nodejs), openSUSE (chromium and thunderbird), Oracle (tomcat), Red Hat (devtoolset-8-gcc, libvncserver, runc, samba, thunderbird, and tomcat6), and SUSE (ruby2.5). --------------------------------------------- https://lwn.net/Articles/815798/ ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0250 ∗∗∗ Security Bulletin: Jan 2020 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jan-2020-multiple-vulnera… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI ( CVE-2019-4717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Swagger UI affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Few vulnerabilities affecting IBM Cloud Object Storage Systems (March 2020v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-few-vulnerabilities-affec… ∗∗∗ Security Bulletin: Vulnerabilities affecting IBM Cloud Object Storage Systems (March 2020v2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affecting… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2020
by Daily end-of-shift report 20 Mar '20

20 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-03-2020 18:00 − Freitag 20-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ WHO Chief Impersonated in Phishing to Deliver HawkEye Malware ∗∗∗ --------------------------------------------- An ongoing phishing campaign delivering emails posing as official messages from the Director-General of the World Health Organization (WHO) is actively spreading HawkEye malware payloads onto the devices of unsuspecting victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/who-chief-impersonated-in-ph… ∗∗∗ Firefox Reenables Insecure TLS to Improve Access to COVID19 Info ∗∗∗ --------------------------------------------- Mozilla says that the support for the insecure TLS 1.0 and TLS 1.1 will be reenabled in the latest version of Firefox to maintain access to government sites with COVID19 information that havent yet upgraded to TLS 1.2 or TLS 1.3. --------------------------------------------- https://www.bleepingcomputer.com/news/security/firefox-reenables-insecure-t… ∗∗∗ PrivEsc in Lenovo Vantage. Two minutes later ∗∗∗ --------------------------------------------- TL;DR The latest and greatest Lenovo Vantage software which ships with the most recent Lenovo devices is affected by a privilege escalation vulnerability. --------------------------------------------- https://www.pentestpartners.com/security-blog/privesc-in-lenovo-vantage-two… ∗∗∗ New Mirai Variant Targets Zyxel Network-Attached Storage Devices ∗∗∗ --------------------------------------------- Unit 42 researchers discovered a new Mirai variant, dubbed Mukashi, exploiting CVE-2020-9054 to infect vulnerable versions of Zyxel network-attached storage (NAS) devices. --------------------------------------------- https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/ ∗∗∗ Security flaws found in popular password managers ∗∗∗ --------------------------------------------- Not all they’re cracked up to be? Several password vaults have been found to contain vulnerabilities, both new and previously disclosed but never patched, a study says --------------------------------------------- https://www.welivesecurity.com/2020/03/19/security-flaws-found-in-popular-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bluez and chromium), Debian (icu, rails, thunderbird, and twisted), Fedora (chromium and webkit2gtk3), Gentoo (bsdiff, cacti, clamav, fribidi, libgit2, pecl-imagick, phpmyadmin, pyyaml, and tomcat), openSUSE (wireshark), Oracle (firefox, icu, python-imaging, thunderbird, and zsh), Scientific Linux (thunderbird), SUSE (firefox, nghttp2, thunderbird, and tomcat), and Ubuntu (twisted). --------------------------------------------- https://lwn.net/Articles/815591/ ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0246 ∗∗∗ Symantec Veritas NetBackup: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0244 ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by vulnerabilities in WebSphere Application Server Liberty (CVE-2019-9515, CVE-2019-9518, CVE-2019-9517, CVE-2019-9512, CVE-2019-9514, CVE-2019-9513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4663) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-17573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2014-3603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Information Disclosure in Cognos Business Intelligence (Cognos BI) shipped with Tivoli Common Reporting (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2020
by Daily end-of-shift report 19 Mar '20

19 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-03-2020 18:00 − Donnerstag 19-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Shadowserver Foundation: Gemeinnütziges IT-Security-Team benötigt Spenden ∗∗∗ --------------------------------------------- Das Shadowserver-Team unterstützt Strafverfolgungsbehörden dabei, Cybergangstern das Handwerk zu legen. Jetzt braucht es selbst zeitnah (finanzielle) Hilfe. --------------------------------------------- https://heise.de/-4686211 ∗∗∗ RedLine Info-Stealing Malware Spread by Folding@home Phishing ∗∗∗ --------------------------------------------- A new phishing email is trying to take advantage of the Coronavirus pandemic and the race to develop medications by promoting a fake Folding@home app that installs an information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/redline-info-stealing-malwar… ∗∗∗ InfoSec Conferences Canceled? We’ve Hours Of Recordings! ∗∗∗ --------------------------------------------- If you planned to attend some security conferences in the coming weeks, there are risks to have them canceled… Normally, I should be now in Germany to attend TROOPERS… Canceled! SAS2020 (“Security Analyst Summit”)… Canceled! FIRST TC Amsterdam… Canceled! And more will probably be added to the long list. --------------------------------------------- https://blog.rootshell.be/2020/03/19/infosec-conferences-canceled-weve-hour… ∗∗∗ Achtung vor dem Fake-Shop hausmasters.net ∗∗∗ --------------------------------------------- Hausmasters.net bietet unzählige Haushaltswaren zu Bestpreisen mit kostenlosem Versand nach Österreich, Deutschland und in die Schweiz an. Das breite Sortiment bestehend aus Kühlschränken, Staubsaugern, Waschmaschinen und der moderne Webauftritt laden zu einem schnellen Kauf ein. Doch Vorsicht: Hier zahlen Sie per Vorkasse, erhalten dafür aber nie eine Lieferung. Es handelt sich um einen Fake-Shop. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-dem-fake-shop-hausmaster… ∗∗∗ France warns of new ransomware gang targeting local governments ∗∗∗ --------------------------------------------- CERT France says some local governments have been infected with a new version of the Pysa (Mespinoza) ransomware. --------------------------------------------- https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting… ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe: Weitere teils kritische Updates unter anderem für Photoshop und Bridge ∗∗∗ --------------------------------------------- Nicht nur bei Acrobat und Reader hat Adobe nachgebessert, sondern auch bei Bridge, ColdFusion, Experience Manager, Photoshop und Genuine Integrity Service. --------------------------------------------- https://heise.de/-4686418 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdal), Fedora (nethack), Mageia (okular, sleuthkit, and webkit2), openSUSE (salt), Oracle (icu, kernel, python-pip, python-virtualenv, and zsh), Red Hat (icu, python-imaging, thunderbird, and zsh), Scientific Linux (icu, python-imaging, and zsh), SUSE (postgresql10), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/815442/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Check Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Java Runtime Vulnerabilities affect the IBM Spectrum Protect Backup-Archive Client and web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2019-4732, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerab… ∗∗∗ Security Bulletin: IBM DataPower Gateway is potentially vulnerable to a DoS issue when processing regular expressions (CVE-2017-16231) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-is-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Snapshot for VMware (CVE-2019-4304, CVE-2019-4305, CVE-2019-4441, CVE-2014-3603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563, CVE-2019-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: Potential exposure of sensitive data in IBM DataPower Gateway (CVE-2020-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-exposure-of-sen… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect OS Images for Red Hat Linux Systems (Oct2019 updates) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0241 ∗∗∗ Drupal: Mehrere Schwachstelle ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0240 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2020
by Daily end-of-shift report 18 Mar '20

18 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-03-2020 18:00 − Mittwoch 18-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ TrickBot Now Exploits Infected PCs to Launch RDP Brute Force Attacks ∗∗∗ --------------------------------------------- A new module for TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet. --------------------------------------------- https://thehackernews.com/2020/03/trickbot-malware-rdp-bruteforce.html ∗∗∗ Home-Office? – Aber sicher! ∗∗∗ --------------------------------------------- Eine empfohlene Maßnahme im Kontext der Corona-Prävention ist die intensivere Nutzung von Home-Office und mobilem Arbeiten. Dafür gilt es, pragmatische Lösungen zu finden, die einerseits die Arbeitsfähigkeit einer Organisation erhalten, gleichzeitig jedoch Vertraulichkeit, Verfügbarkeit und Integrität gewährleisten. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/Empfehlungen_mobi… ∗∗∗ Sicher arbeiten im Homeoffice! ∗∗∗ --------------------------------------------- Unzählige Unternehmen haben ihren Betrieb als Reaktion auf das Coronavirus und entsprechende Regierungsvorgaben mittlerweile auf Arbeit im Homeoffice umgestellt. Da dies einige Änderungen in alltäglichen Arbeitsprozessen bedeutet, gibt es Empfehlungen für Unternehmen und deren MitarbeiterInnen, die Schäden durch Kriminelle in der momentanen Ausnahmesituation vermeiden können. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-arbeiten-im-homeoffice/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Genuine Integrity Service (APSB20-12), Adobe Acrobat and Reader (APSB20-13), Adobe Photoshop (APSB20-14), Adobe Experience Manager (APSB20-15), Adobe ColdFusion (APSB20-16) and Adobe Bridge (APSB20-17). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1847 ∗∗∗ Severe Flaws Patched in Responsive Ready Sites Importer Plugin ∗∗∗ --------------------------------------------- On March 2nd, our Threat Intelligence team discovered several vulnerable endpoints in Responsive Ready Sites Importer, a WordPress plugin installed on over 40,000 sites. These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX actions that could reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files, and activate plugins, among many other actions. ... We highly recommend updating to the latest version available, 2.2.7, immediately. --------------------------------------------- https://www.wordfence.com/blog/2020/03/severe-flaws-patched-in-responsive-r… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libvncserver and twisted), Fedora (libxslt), Red Hat (kernel, kernel-rt, python-flask, python-pip, python-virtualenv, slirp4netns, tomcat, and zsh), Scientific Linux (kernel, python-pip, python-virtualenv, tomcat, and zsh), SUSE (apache2-mod_auth_openidc and skopeo), and Ubuntu (apport and dino-im). --------------------------------------------- https://lwn.net/Articles/815309/ ∗∗∗ FreeRADIUS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- FreeRADIUS ist ein Open Source Server zur Authentisierung entfernter Benutzer auf Basis des RADIUS-Protokolls (Remote Access Dial-In User Service). Ein entfernter, anonymer Angreifer kann eine Schwachstelle in FreeRADIUS ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0235 ∗∗∗ Delta Electronics Industrial Automation CNCSoft ScreenEditor ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-077-01 ∗∗∗ Cisco SD-WAN Solution vManage SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution vManage Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Advisory - Logic Error Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Advisory - Double Free Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud January 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A Vulnerability in Apache Log4j affects IBM LKS ART & Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache Commons vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Cross-Site Request Forgery (CSRF) vulnerabilities were identified on Tivoli Netcool/OMNIbus WebGUI Relationship admin page (CVE-2020-4199) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to a denial of service (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects Liberty for Java for IBM Cloud(CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2020
by Daily end-of-shift report 17 Mar '20

17 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 16-03-2020 18:00 − Dienstag 17-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht vor Phishing-Mails zum Thema Corona ∗∗∗ --------------------------------------------- Kriminelle nutzen das Corona-Virus für ihre Betrugsmaschen und versenden Phishings-Mails im Namen von Unternehmen. Aktuell sind uns gefälschte E-Mails, die angeblich von A1 und DHL stammen, bekannt. Seien Sie also bei E-Mails zum Thema Corona sehr vorsichtig und klicken keinesfalls auf einen Link oder loggen sich über einen Button am Ende der E-Mail in Ihr Kundenkonto ein. Laden Sie auch keine Anhänge herunter, es könnte sich um Schadsoftware handeln. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-zum-them… ∗∗∗ Die Shadowserver Foundation braucht dringend finanzielle Hilfe ∗∗∗ --------------------------------------------- Die Shadowserver Foundation ist nicht nur weltweit die größte Quelle von Threat Intelligence, sie ist auch bei weitem die wichtigste Informationsquelle für CERT.at zu Themen wie Malwareinfektionen, verwundbaren Systeme, etc. in Österreich (siehe die Liste der Feeds, die wir von Shadowserver erhalten). Insgesamt versorgt die Shadowserver Foundation 107 nationale CERTs/CSIRTs in 136 Ländern mit wertvollen Informationen über Probleme in ihrem jeweiligen [...] --------------------------------------------- https://cert.at/de/blog/2020/3/die-shadowserver-foundation-braucht-dringend… ∗∗∗ Slack fixes account-stealing bug ∗∗∗ --------------------------------------------- Slack has fixed a bug that allowed attackers to hijack user accounts by tampering with their HTTP sessions. --------------------------------------------- https://nakedsecurity.sophos.com/2020/03/17/slack-fixes-account-stealing-bu… ∗∗∗ A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th) ∗∗∗ --------------------------------------------- DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It also has become easier (but not trivial) to defend against these attacks. But in the end, you still have to "buy your way out" of a denial of service attacks. --------------------------------------------- https://isc.sans.edu/diary/rss/25916 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (okular, thunderbird, and webkit2gtk), Debian (webkit2gtk), Fedora (php-horde-Horde-Form), Gentoo (libvorbis, nss, and proftpd), Oracle (firefox and kernel), Red Hat (kernel), Scientific Linux (firefox), SUSE (cni, cni-plugins, conmon, fuse-overlayfs, podman, librsvg, and ovmf), and Ubuntu (ceph, icu, linux, linux-aws, linux-kvm, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, [...] --------------------------------------------- https://lwn.net/Articles/815202/ ∗∗∗ Intel CPUs vulnerable to new Snoop attack ∗∗∗ --------------------------------------------- Applying the the patches for the Foreshadow (L1TF) attack disclosed in 2018 also blocks Snoop attacks. --------------------------------------------- https://www.zdnet.com/article/intel-cpus-vulnerable-to-new-snoop-attack/ ∗∗∗ Trend Micro Produkte: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0230 ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Liberty affects IBM Operations Analytics Predictive Insights (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the WebSphere Message Broker V8. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker V8. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2020
by Daily end-of-shift report 16 Mar '20

16 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-03-2020 18:00 − Montag 16-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kritische Lücke: Angreifer könnten aus VMware Fusion und Workstation ausbrechen ∗∗∗ --------------------------------------------- Wer virtuelle Maschinen mit Fusion, Horizon, Remote Console (VMRC) und Workstation betreibt, sollte sich aus Sicherheitsgründen die aktualisierten Versionen herunterladen und installieren. Andernfalls könnten Angreifer im schlimmsten Fall aus einer VM ausbrechen und Schadcode im Host-System ausführen. --------------------------------------------- https://www.heise.de/security/meldung/Kritische-Luecke-Angreifer-koennten-a… ∗∗∗ Saving Shadowserver and Securing the Internet — Why You Should Care & How You Can Help ∗∗∗ --------------------------------------------- Shadowserver has unexpectedly lost the financial support of our largest sponsor. We need to transition the impacted operations staff and move our data center by May 26th 2020. This is an extremely aggressive timeline. We urgently appeal to our constituents and the community to rally together, help save Shadowserver and help secure the Internet. This is the initial announcement and the index page to more detailed supporting content. --------------------------------------------- https://www.shadowserver.org/news/saving-shadowserver-and-securing-the-inte… ∗∗∗ BlackWater Malware Abuses Cloudflare Workers for C2 Communication ∗∗∗ --------------------------------------------- A new backdoor malware called BlackWater pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malwares command and control (C2) server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cl… ∗∗∗ MonitorMinor: vicious stalkerware ∗∗∗ --------------------------------------------- The other day, our Android traps ensnared an interesting specimen of stalkerware. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. --------------------------------------------- https://securelist.com/monitorminor-vicious-stalkerware/95575/?utm_source=r… ∗∗∗ Phishing PDF With Incremental Updates., (Sat, Mar 14th) ∗∗∗ --------------------------------------------- Someone asked me for help with this phishing PDF. --------------------------------------------- https://isc.sans.edu/diary/rss/25904 ∗∗∗ Desktop.ini as a post-exploitation tool, (Mon, Mar 16th) ∗∗∗ --------------------------------------------- Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however. --------------------------------------------- https://isc.sans.edu/diary/rss/25912 ∗∗∗ Open MQTT Report - Expanding the Hunt for Vulnerable IoT devices ∗∗∗ --------------------------------------------- New MQTT IPv4 scans are now carried out daily as part of our efforts to expand our capability to enable the mapping of exposed IoT devices on the Internet. A new report - Open MQTT - is now shared in our free daily victim remediation reports to 107 National CSIRTs and 4600+ network owners. In particular, the report identifies accessible MQTT broker service that enable anonymous access. The work is being carried out as part of the EU CEF VARIoT (Vulnerability and Attack Repository for IoT) --------------------------------------------- https://www.shadowserver.org/news/open-mqtt-report-expanding-the-hunt-for-v… ∗∗∗ Has The Sun Set On The Necurs Botnet? ∗∗∗ --------------------------------------------- Private sector partners Microsoft and Bitsight announced their disruption of the Necurs botnet on March 10th 2020. Shadowserver supported the operation, through the use of our Registrar of Last Resort (RoLR) for helping to deal with the millions of potential DGA C2 domains involved, and by making available our victim remediation reporting channels. In this blog post we provide our take on some of the more interesting aspects of this operation, analyze the sinkholed Necurs victim populations and [...] --------------------------------------------- https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/ ∗∗∗ COVID-19 Themed Phishing Campaigns Continue ∗∗∗ --------------------------------------------- Another COVID-19 (Coronavirus) phishing campaign has been discovered -- this one apparently operated by the Pakistan-based APT36, which is thought to be nation-backed. --------------------------------------------- https://www.securityweek.com/covid-19-themed-phishing-campaigns-continue ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick, qemu, and slurm-llnl), Fedora (ansible, couchdb, mediawiki, and python3-typed_ast), Gentoo (atftp, curl, file, gdb, git, gst-plugins-base, icu, libarchive, libgcrypt, libjpeg-turbo, libssh, libvirt, musl, nfdump, ppp, python, ruby-openid, runc, sqlite, squid, sudo, SVG Salamander, systemd, thunderbird, tiff, and webkit-gtk), Mageia (firefox, kernel, and thunderbird), openSUSE (firefox, librsvg, php7, and tomcat), Red Hat (firefox), [...] --------------------------------------------- https://lwn.net/Articles/815097/ ∗∗∗ Security Bulletin: IBM MQ and IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2019-4719) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-ibm-mq-applian… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing error messages. (CVE-2019-4656) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM Cloud Automation Manager Session Fixation Vulnerability (CVE-2019-4617) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-automation-mana… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services v2.1.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM MQ could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. (CVE-2019-4619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-a-loca… ∗∗∗ Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Beanutils (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-wireline-is-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily