- Daily - CERT.at

Tageszusammenfassung - 01.10.2019
by Daily end-of-shift report 01 Oct '19

01 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 30-09-2019 18:00 − Dienstag 01-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Free Ouroboros Ransomware (Zeropadypt NextGen) Decryption Available ∗∗∗ --------------------------------------------- Victims of the Ouroboros Ransomware, otherwise known as Zeropadypt NextGen, can get their files decrypted for free with the help of a security researcher and a decryptor that has been made for different variants. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-ouroboros-ransomware-ze… ∗∗∗ Beyond the SISSDEN event horizon ∗∗∗ --------------------------------------------- Between May 2016 and April 2019, The Shadowserver Foundation participated in the SISSDEN EU Horizon 2020 project. The main goal of the project was to improve the cybersecurity posture of EU entities and end users through the development of situational awareness and sharing of actionable information. It exceeded KPIs, with 257 sensors in 59 countries, using 974 IP addresses across 119 ASNs and 383 unique /24 (Class C) networks, and collected 31TB of threat data. --------------------------------------------- https://www.shadowserver.org/news/beyond-the-sissden-event-horizon/ ∗∗∗ Decades-Old Code Is Putting Millions of Critical Devices at Risk ∗∗∗ --------------------------------------------- Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light. --------------------------------------------- https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices ∗∗∗ Vorsicht bei zu günstigen Technik-Angeboten ∗∗∗ --------------------------------------------- sgt-sonic.store, alpha-tech.store, omega-tech.store, grand-elec.store und beta-elec.store bieten ein breites Technik-Sortiment mit unschlagbaren Angeboten. Sehen Sie jedoch von einer Bestellung ab, denn es handelt sich um Fake-Shops. Die Ware wird trotz Vorab-Zahlung nie geliefert. Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-technik-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Noch ein Update für iOS, iPadOS und watchOS ∗∗∗ --------------------------------------------- Bei Apple kommen die Aktualisierungen Schlag auf Schlag. iOS 13.1.2, iPadOS 13.1.2 und watchOS 6.0.1 beheben erneut Fehler. --------------------------------------------- https://heise.de/-4543459 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, linux-4.9, netty, phpbb3, and poppler), openSUSE (chromium, djvulibre, ghostscript, python-numpy, SDL2, and varnish), Oracle (nodejs:10), Red Hat (httpd24-httpd and httpd24-nghttp2, kpatch-patch, and rh-nodejs10-nodejs), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and SDL 2.0). --------------------------------------------- https://lwn.net/Articles/801010/ ∗∗∗ Red Hat Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0860 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0862 ∗∗∗ Theme Editor <= 2.1 - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9894 ∗∗∗ Cisco Webex Meetings Enumeration Attack ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities have been addressed in IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 & GCM32 and LCM8 & LCM16 KVM Switch Firmware (CVE-2018-0732 CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-op… ∗∗∗ HPESBHF03955 rev.1 - HPE Simplivity Omnistack, Local and Remote File Modification and Deletion ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03956 rev.1 - HPE Simplivity Omnistack, Local and Remote Arbitrary Command Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03954 rev.1 - HPE UioT, Remote Unauthorized Access and Access to sensitive Data ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2019
by Daily end-of-shift report 30 Sep '19

30 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-09-2019 18:00 − Montag 30-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Angreifer können verschlüsselte PDF-Daten leaken ∗∗∗ --------------------------------------------- Passwortgeschützte PDF-Dateien bieten wenig Sicherheit. Ein Angreifer, der die Dateien manipulieren kann, kann dafür sorgen, dass deren Inhalt geleakt wird. Abhilfe gibt es nicht, dafür müsste das Dateiformat geändert werden. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-angreifer-koennen-verschluessel… ∗∗∗ Kriminelle nützen Thomas Cook Insolvenz für Phishing-Attacken ∗∗∗ --------------------------------------------- Die Insolvenz von Thomas Cook und Neckermann Reisen ist momentan in aller Munde. Betroffene KonsumentInnen gelangten nun ins Visier Krimineller. In betrügerischen Phishing-Mails werden sie aufgefordert, Kreditkartendaten und Ausweise zu übermitteln, um ihr Geld zurückzuerhalten. Die E-Mails stammen nicht von Thomas Cook und müssen ignoriert werden! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-nuetzen-thomas-cook-insol… ∗∗∗ Masad Spyware Uses Telegram Bots for Command-and-Control ∗∗∗ --------------------------------------------- The malware harvests data, steals cryptocurrency and drops additional malware, while masquerading as a Fortnite aimbot and more. --------------------------------------------- https://threatpost.com/masad-spyware-telegram-bots/148759/ ∗∗∗ European Cybersecurity Month 2019 is launched ∗∗∗ --------------------------------------------- October marks the kick-off of the European Cybersecurity Month (ECSM), coordinated by the European Union Agency for Cybersecurity (ENISA), the European Commission and supported by the Member States. This campaign will focus on expanding awareness about cybersecurity to citizens across Europe. --------------------------------------------- https://www.enisa.europa.eu/news/european-cybersecurity-month-2019-is-launc… ∗∗∗ Malvertiser eGobbler Exploits Chrome & WebKit Bugs, Infects Over 1 Billion Ads ∗∗∗ --------------------------------------------- We have written about the threat actor eGobbler extensively on our blog over the last year as they’ve continued to emerge as a prolific source of malvertising. [...] Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections. --------------------------------------------- https://blog.confiant.com/malvertiser-egobbler-exploits-chrome-webkit-bugs-… ∗∗∗ Cisco führt halbjährlichen Patchday ein ∗∗∗ --------------------------------------------- Ab sofort will Cisco alle sechs Monate gesammelte Sicherheitsupdates für sein Netzwerkbetriebssysteme IOS und IOS XE veröffentlichen. --------------------------------------------- https://heise.de/-4542793 ===================== = Vulnerabilities = ===================== ∗∗∗ MS-ISAC Releases Advisory on PHP Vulnerability ∗∗∗ --------------------------------------------- Original release date: September 27, 2019The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Hypertext Preprocessor (PHP). An attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/27/ms-isac-releases-a… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dovecot, kernel, and qemu-kvm), Debian (cimg, cups, e2fsprogs, exim4, file-roller, golang-1.11, httpie, and wpa), Fedora (curl, ghostscript, ibus, krb5, mod_md, and nbdkit), Mageia (chromium-browser-stable, libheif, and nghttp2), openSUSE (djvulibre, expat, libopenmpt, mosquitto, phpMyAdmin, and webkit2gtk3), Red Hat (nodejs:10), SUSE (gpg2), and Ubuntu (e2fsprogs and exim4). --------------------------------------------- https://lwn.net/Articles/800915/ ∗∗∗ Exim 4.92.3 security release ∗∗∗ --------------------------------------------- Exim 4.92.3 has been released with a fix for CVE-2019-16928, a heap-basedbuffer overflow in string_vformat that could lead to remote codeexecution. "The currently known exploit uses a extraordinary longEHLO string to crash the Exim process that is receiving the message. Whileat this mode of operation Exim already dropped its privileges, other paths toreach the vulnerable code may exist." --------------------------------------------- https://lwn.net/Articles/800917/ ∗∗∗ xpdf: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0857 ∗∗∗ LibreOffice: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0856 ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190930-… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service (CVE-2019-4494, CVE-2019-4495, CVE-2019-4497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Vulnerabilities in kernel affect Power Hardware Management Console (CVE-2019-11479,CVE-2019-11477 and CVE-2019-11478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ke… ∗∗∗ IBM Security Bulletin: Potential denial of service vulnerability in WebSphere Application Server can affect IBM SPSS Analytic Server (CVE-2019-4046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect Rational Build Forge (CVE-2019-9517, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Build Forge (CVE-2019-4473; CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Daeja ViewONE Virtual may expose internal IP addresses (CVE-2019-4246) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-daeja-viewone-virtual… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2019
by Daily end-of-shift report 27 Sep '19

27 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-09-2019 18:00 − Freitag 27-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Adobe and Google Open Redirects Abused by Phishing Campaigns ∗∗∗ --------------------------------------------- Google and Adobe open redirects are being used by phishing campaigns in order to add legitimacy to the URLs used in the spam emails. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-and-google-open-redire… ∗∗∗ Digital Canaries in a Coal Mine: Detecting Enumeration with DNS and AD ∗∗∗ --------------------------------------------- A fundamental part of any network is the Domain Name Service (DNS). Adversaries will likely want to enumerate computers in Active Directory and connect to them, and at some point, they will likely interact with DNS doing so. A simple example is attempting to access a remote share and the resulting DNS query. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/digital-can… ∗∗∗ Researchers Disclose Another SIM Card Attack Possibly Impacting Millions ∗∗∗ --------------------------------------------- A new variant of a recently disclosed SIM card attack method could expose millions of mobile phones to remote hacking, researchers have warned. --------------------------------------------- https://www.securityweek.com/researchers-disclose-another-sim-card-attack-p… ∗∗∗ So schützen Sie sich effektiv vor Schadsoftware! ∗∗∗ --------------------------------------------- Auf dubiosen Websites, in betrügerischen E-Mails oder in scheinbar harmlosen Chat-Nachrichten kann sich Schadsoftware verstecken. Diese verseuchten Dateien dürfen nicht ausgeführt werden, da sie ansonsten das Smartphone, den Computer oder das Netzwerk infizieren. Kriminelle können so beispielsweise sensible Daten auslesen und stehlen, Rechenleistung abzweigen oder ganze Systeme lahmlegen bis eine Kaution bezahlt wird. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-effektiv-vor-s… ∗∗∗ Microsoft: New Nodersok malware has infected thousands of PCs ∗∗∗ --------------------------------------------- New Nodersok malware installs Node.js to turn systems into proxies, perform click-fraud. --------------------------------------------- https://www.zdnet.com/article/microsoft-new-nodersok-malware-has-infected-t… ∗∗∗ Hit by ransomware? Victims of these four types of file-encrypting malware can now retrieve their files for free ∗∗∗ --------------------------------------------- Cybersecurity researchers crack the codes of FortuneCrypt, Yatron, WannaCryFake and Avest ransomware, allowing victims to get their files back without paying cyber criminals. --------------------------------------------- https://www.zdnet.com/article/hit-by-ransomware-victims-of-these-four-types… ∗∗∗ New WhiteShadow downloader uses Microsoft SQL to retrieve malware ∗∗∗ --------------------------------------------- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloade… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 27, 2019Apple has released security updates to address a vulnerability in multiple products. A remote attacker could exploit this vulnerability to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: macOS Mojave 10.14.6 Supplemental Update 2, Security Update 2019-005 High Sierra, and [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/27/apple-releases-sec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dcmtk), openSUSE (rust), Red Hat (redhat-virtualization-host), and SUSE (ghostscript, nghttp2, and u-boot). --------------------------------------------- https://lwn.net/Articles/800699/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling File Gateway (CVE-2019-4423, CVE-2019-4280) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling File Gateway (CVE-2019-4423, CVE-2019-4280) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 & GCM32 KVM Switch Firmware (CVE-2018-0734, CVE-2018-0737, CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-op… ∗∗∗ HPESBGN03957 rev.1 - HPE Oneview for VMware vCenter, Remote Cross-Site Scripting ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2019
by Daily end-of-shift report 26 Sep '19

26 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-09-2019 18:00 − Donnerstag 26-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forensoftware vBulletin: Patch schließt kritische Zero-Day-Lücke ∗∗∗ --------------------------------------------- Die Entwickler von vBulletin haben Patches bereitgestellt, die eine als kritisch eingestufte Sicherheitslücke schließen. Forenbetreiber sollten jetzt handeln. --------------------------------------------- https://heise.de/-4539833 ∗∗∗ BSI stellt Service-Paket "IT-Notfall" für kleine und mittlere Unternehmen vor ∗∗∗ --------------------------------------------- Eine Notfallkarte zum Aushängen und ein neuer Maßnahmenkatalog für Sicherheitsverantwortliche sollen KMU helfen, mit Cyber-Bedrohungen besser umzugehen. --------------------------------------------- https://heise.de/-4540075 ∗∗∗ Hackers Replace Windows Narrator to Get SYSTEM Level Access ∗∗∗ --------------------------------------------- Chinese hackers are replacing the legitimate Narrator app on targeted Windows systems with a trojanized version that gives them remote access with privileges of the most powerful account on the operating system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-replace-windows-narr… ∗∗∗ Ransomware Decryptors Released for Yatron, WannaCryFake, & FortuneCrypt ∗∗∗ --------------------------------------------- Security vendors released decryptors for three ransomware infections today that allow victims to recover their files for free. These decryptors are for the WannaCryFake, Yatron, and FortuneCrypt Ransomware infections. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-decryptors-releas… ∗∗∗ Windows‌ ‌Exploitation‌ ‌Tricks:‌ ‌Spoofing‌ ‌Named‌ ‌Pipe‌ ‌Client‌ ‌PID‌ ∗∗∗ --------------------------------------------- Posted by James Forshaw, Project ZeroWhile researching the Access Mode Mismatch in IO Manager bug class I came across an interesting feature in named pipes which allows a server to query the connected clients PID. This feature was introduced in Vista and is exposed to servers through the GetNamedPipeClientProcessId API, pass the API a handle to the pipe server and you’ll get back the PID of the connected client. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/09/windows-exploitation-tricks-… ∗∗∗ Joomla! Security Best Practices: 12 Ways to Keep Joomla! Secure ∗∗∗ --------------------------------------------- At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, most advice can often be too broad; different content management systems (CMS) exist in this ecosystem, and each requires a unique security configuration. --------------------------------------------- https://blog.sucuri.net/2019/09/joomla-security-best-practices.html ∗∗∗ Hackers looking into injecting card stealing code on routers, rather than websites ∗∗∗ --------------------------------------------- Magecart (web skimming) attacks are evolving into a direction where theyre gonna be harder and harder to detect. --------------------------------------------- https://www.zdnet.com/article/hackers-looking-into-injecting-card-stealing-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Releases Security Advisories ∗∗∗ --------------------------------------------- Original release date: September 26, 2019Cisco has released security updates to address vulnerabilities affecting multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisories page and apply the necessary updates. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/26/cisco-releases-sec… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dovecot), Debian (lemonldap-ng, openssl, and ruby-nokogiri), openSUSE (fish3, ibus, nmap, and openssl-1_1), Slackware (mozilla), SUSE (mariadb, python-numpy, and SDL2), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/800647/ ∗∗∗ Multiple Vulnerabilities in Citrix License Server for Windows and VPX ∗∗∗ --------------------------------------------- CTX261963 NewApplicable Products : LicensingMultiple Denial-of-Service vulnerabilities have been identified in Citrix License Server for Windows and VPX that, when exploited, could result in an attacker being able to force the vendor service to shutdown. --------------------------------------------- https://support.citrix.com/article/CTX261963 ∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-069 ∗∗∗ Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-068 ∗∗∗ IBM Security Bulletin: Linux kernel as used by IBM QRadar SIEM is vulnerable to privilege escalation(Publicly disclosed vulnerability) (CVE-2019-3896) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-… ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a denial of service attack caused by a memory leak in the clustering code. (CVE-2019-4141) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app… ∗∗∗ IBM Security Bulletin: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. These issues were disclosed as part of the IBM Java SDK updates in October 2018 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-there-are-multiple-vu… ∗∗∗ Multiple SQL Injection Vulnerabilities in eBrigade ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-sql-injection-vulnerabi… ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0840 ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0838 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2019
by Daily end-of-shift report 25 Sep '19

25 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-09-2019 18:00 − Mittwoch 25-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ vBulletin Zero-Day Exploited for Years, Gets Unofficial Patch ∗∗∗ --------------------------------------------- A zero-day exploit for the vBulletin forum platform was publicly disclosed and quickly used to attack affected versions of the forum software. It turns out, though, that this exploit has been known, utilized, and sold by researchers and attackers for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vbulletin-zero-day-exploited… ∗∗∗ Free Decryptors Released for Two Ransomware Families ∗∗∗ --------------------------------------------- Security researchers have released decryption tools which victims of two different ransomware families can use to recover their files for free. On 25 September, Kaspersky Lab unveiled decryptors for both the Yatron and FortuneCrypt crypto-ransomware families. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/free-de… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 25, 2019Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit one of these vulnerabilities to obtain access to sensitive information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/25/apple-releases-sec… ∗∗∗ Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2019-0015 ∗∗∗ --------------------------------------------- VMware Cloud Foundation and VMware Harbor Container Registry for PCF address remote escalation of privilege vulnerability (CVE-2019-16097) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0015.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libgcrypt20, and spip), Fedora (compat-openssl10, expat, ghostscript, ibus, java-1.8.0-openjdk-aarch32, and SDL2_image), openSUSE (bird, chromium, kernel, libreoffice, links, and varnish), Oracle (httpd:2.4 and qemu-kvm), Red Hat (kernel), Scientific Linux (qemu-kvm), SUSE (djvulibre, dovecot22, ghostscript, kernel, libxml2, and python-Twisted), and Ubuntu (file-roller and libreoffice). --------------------------------------------- https://lwn.net/Articles/800553/ ∗∗∗ [20190901] - Core - XSS in logo parameter of default templates ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/PO-TPPu7rQ0/791-20190901-c… ∗∗∗ SBA-ADV-20190911-01: Easy FancyBox Wordpress Plugin Stored Cross-site Scripting (XSS) ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/9000d9bfd120a1b8f5f1643e5f… ∗∗∗ Security Advisory - Two Integer overflow Vulnerabilities in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Gauss100 OLTP Database of Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Improper Validation Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Linux Kernel as used in IBM QRadar Network Packet Capture is vulnerable to denial of service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-… ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance command server is vulnerable to a denial of service attack caused by specially crafted PCF messages (CVE-2019-4378) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app… ∗∗∗ IBM Security Bulletin: Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2019-10241, CVE-2019-10246 & CVE-2019-10247) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-java-vulnerability-af… ∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty Admin Center in IBM Cloud (CVE-2019-4285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Server Side Request Forgery (CVE-2019-4262) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… ∗∗∗ IBM Security Bulletin:IBM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletinibm-security-identity-… ∗∗∗ BIG-IQ services for stats vulnerability CVE-2019-6652 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23101430 ∗∗∗ BIG-IP APM Edge Client logging vulnerability CVE-2019-6656 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23876153 ∗∗∗ BIG-IP Analytics vulnerability CVE-2019-6655 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31152411 ∗∗∗ Martian address filtering vulnerability CVE-2019-6654 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45644893 ∗∗∗ BIG-IQ vulnerability CVE-2019-6653 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71712132 ∗∗∗ REST Framework vulnerability CVE-2019-6651 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K89509323 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2019
by Daily end-of-shift report 24 Sep '19

24 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 23-09-2019 18:00 − Dienstag 24-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MITRE ATT&CK vulnerability spotlight: Access token manipulation ∗∗∗ --------------------------------------------- MITRE is a U.S. government federally-funded research and development center (FFRDC) which performs a large amount of research and assessment as a trusted third party for the government. One of their research areas is cybersecurity, and they have developed the MITRE ATT&CK matrix to help with research and education about cybersecurity threats. --------------------------------------------- https://resources.infosecinstitute.com/mitre-attck-access-token-manipulatio… ∗∗∗ Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs ∗∗∗ --------------------------------------------- Im keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain remotewebaccess.com. --------------------------------------------- https://isc.sans.edu/forums/diary/Huge+Amount+of+remotewebaccesscom+Sites+F… ∗∗∗ E-Mail der Chaos-Hacking-Gruppe ignorieren ∗∗∗ --------------------------------------------- Angeblich hat sich die Chaos-Hacking-Gruppe in Ihr E-Mail-Konto und Betriebssystem gehackt und Ihr Surfverhalten drei Monate lang beobachtet. Die Kriminellen behaupten, Sie beim Surfen auf Porno-Seiten erwischt und bei intimen Handlungen gefilmt zu haben. Damit das Video über Sie nicht an all Ihre Kontakte gesendet wird, fordern die Hacker eine Überweisung von 2.000 Euro in Form von Bitcoins. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-der-chaos-hacking-gruppe-igno… ∗∗∗ No summer vacations for Zebrocy ∗∗∗ --------------------------------------------- ESET researchers describe the latest components used in a recent Sednit campaign The post No summer vacations for Zebrocy appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates Available for ColdFusion (APSB19-47) ∗∗∗ --------------------------------------------- Adobe has published a Security Bulletin (APSB19-47) for ColdFusion versions 2018 and 2016. These updates resolve two critical and one moderate vulnerability that could lead to arbitrary code execution and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1789 ∗∗∗ Notfallpatch: Attacken gegen Internet Explorer ∗∗∗ --------------------------------------------- Ein Update schließt eine kritische Lücke im Internet Explorer – es ist aber noch nicht über Windows Update verfügbar. Auch Windows Defender bekommt einen Patch. --------------------------------------------- https://heise.de/-4537525 ∗∗∗ Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild ∗∗∗ --------------------------------------------- Description: XSS Via Unauthenticated Plugin Options Update Affected Plugin: Rich Reviews Affected Versions: [...] --------------------------------------------- https://www.wordfence.com/blog/2019/09/rich-reviews-plugin-vulnerability-ex… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php5), Fedora (blis, kernel, and kernel-headers), openSUSE (bird, curl, fish3, ghostscript, ibus, kernel, libgcrypt, openldap2, openssl-1_1, skopeo, and util-linux and shadow), Oracle (dovecot and kernel), Red Hat (dovecot, httpd:2.4, qemu-kvm, and redhat-virtualization-host), Scientific Linux (dovecot), SUSE (djvulibre, expat, firefox, libopenmpt, and rust), and Ubuntu (ibus and Mosquitto). --------------------------------------------- https://lwn.net/Articles/800448/ ∗∗∗ IBM Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator… ∗∗∗ IBM Security Bulletin: IBM Cloud Private for Data is affected by a vulnerability in Go Language (CVE-2019-6486) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-for… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2019
by Daily end-of-shift report 23 Sep '19

23 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-09-2019 18:00 − Montag 23-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zunahme von erfolgreichen Cyber-Angriffen mit Emotet – BSI rät zu Schutzmaßnahmen ∗∗∗ --------------------------------------------- Cyber-Angriffe mit der Schadsoftware Emotet haben in den vergangenen Tagen erhebliche Schäden in der deutschen Wirtschaft, aber auch bei Behörden und Organisationen verursacht. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt daher erneut eindringlich vor dieser Schadsoftware und gibt ausführliche Hinweise zum Schutz vor Emotet. Auch Privatanwender stehen im Fokus der Angreifer. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Emotet-Warn… ∗∗∗ Meet Stop Ransomware: The Most Active Ransomware Nobody Talks About ∗∗∗ --------------------------------------------- Have you ever heard of the STOP Ransomware? Probably not, as few write about it, most researchers dont cover it, and for the most part it targets consumers through cracked software, adware bundles, and shady sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-mos… ∗∗∗ What you should know about Ryuk ransomware ∗∗∗ --------------------------------------------- The ransomware called Ryuk has established ransomware as a lucrative enterprise product. This sentence may sound provocative, as it is treating cybercriminals like businesspeople, but this is what Ryuk is about - making money. This strain of ransomware is estimated by Crowdstrike to have made the gang behind it over $3.7 million USD since [...] --------------------------------------------- https://resources.infosecinstitute.com/what-you-should-know-about-ryuk-rans… ∗∗∗ Hello! My name is Dtrack ∗∗∗ --------------------------------------------- When we first discovered ATMDtrack, we thought we were just looking at another ATM malware family. Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. --------------------------------------------- https://securelist.com/my-name-is-dtrack/93338/ ∗∗∗ YARA XOR Strings: an Update, (Sun, Sep 22nd) ∗∗∗ --------------------------------------------- Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key. --------------------------------------------- https://isc.sans.edu/diary/rss/25346 ∗∗∗ Bereit für NISG & NISV? – Anforderungen an den Umgang mit Sicherheitsvorfällen ∗∗∗ --------------------------------------------- Es ist so weit - Österreich hat mit dem Beschluss der Netz- und Informationssystemsicherheitsverordnung (NISV) nun konkrete Netzwerk- und Informationssicherheitsanforderungen für Anbietern wesentlicher Dienste i.S.d. Netz- und Informationssystemsicherheitsgesetz (NISG) festgelegt. --------------------------------------------- https://www.sec-consult.com/blog/2019/09/bereit-fuer-nisg-nisv-anforderunge… ∗∗∗ Dear network operators, please use the existing tools to fix security ∗∗∗ --------------------------------------------- The internets security and stability would be significantly improved if network operators implemented protocols that were already written into technical standards and if vendors provided better tools for fixing security. --------------------------------------------- https://www.zdnet.com/article/dear-network-operators-please-use-the-existin… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Jira Server und Data Center vor Schadcode-Attacken gefährdet ∗∗∗ --------------------------------------------- Verschiedene Software von Jira ist über kritische Sicherheitslücken attackierbar. Angreifer könnten die Kontrolle über Server übernehmen. --------------------------------------------- https://heise.de/-4536050 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, php-pecl-http, and php7.0), Fedora (ImageMagick, jackson-annotations, jackson-bom, jackson-core, jackson-databind, and rubygem-rmagick), Mageia (chromium-browser-stable, ibus, kernel, samba, and thunderbird), openSUSE (chromium), Oracle (dovecot and kernel), Red Hat (dbus, kernel, kernel-alt, and kpatch-patch), Scientific Linux (dovecot and kernel), and SUSE (expat, ibus, kernel, kernel-source-rt, nmap, openssl, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/800377/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190921-… ∗∗∗ Security Advisory - Race Condition Vulnerability on Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190911-… ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager stores password in clear text (CVE-2019-4566) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: Apache Commons Compress vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-commons-compre… ∗∗∗ IBM Security Bulletin: Node.js vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-vulnerabiliti… ∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-2684, CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2019
by Daily end-of-shift report 20 Sep '19

20 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-09-2019 18:00 − Freitag 20-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forcepoint Fixes Privilege Escalation Bug in Windows VPN Client ∗∗∗ --------------------------------------------- A vulnerability affecting all versions of Forcepoint VPN Client for Windows, save the latest release, can be used to achieve persistence and evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/forcepoint-fixes-privilege-e… ∗∗∗ Fake SSO Used In Multi-Email Provider Phishing ∗∗∗ --------------------------------------------- Single sign-on (SSO) allows users to sign into a single account (e.g Google) and access other services like YouTube or Gmail without authenticating with a separate username and password. This feature also extends to third party services such as the popular Dropbox file sharing application, which offers users the option to access their account using Google’s authentication from their sign in page. Malicious Pages Mimic Popular Login Workflows [...] --------------------------------------------- https://blog.sucuri.net/2019/09/fake-sso-used-in-multi-email-provider-phish… ∗∗∗ Blacklisting or Whitelisting in the Right Way ∗∗∗ --------------------------------------------- Its Friday today, Id like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" bsides the automated processing of data. The approach to implement them is quite different: --------------------------------------------- https://isc.sans.edu/forums/diary/Blacklisting+or+Whitelisting+in+the+Right… ∗∗∗ Wenn Instagram- und Facebook-Freunde nach der Handynummer fragen ∗∗∗ --------------------------------------------- Zahlreiche NutzerInnen berichten derzeit, dass sie von FreundInnen über den Instagram-Chat oder den Facebook-Messenger nach ihrer Handynummer gefragt werden. Anschließend wird noch nach einem 4-stelligen PIN Code gefragt. Achtung! Hier schreiben nicht die FreundInnen. Deren Zugang wurde gehackt. Kriminelle versuchen so, ein kostenpflichtiges Abo abzuschließen. --------------------------------------------- https://www.watchlist-internet.at/news/wenn-instagram-und-facebook-freunde-… ===================== = Vulnerabilities = ===================== ∗∗∗ Tridium Niagara ∗∗∗ --------------------------------------------- This advisory contains mitigations for information exposure and improper authorization vulnerabilities in Tridiums Niagara business application framework software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-262-01 ∗∗∗ WECON LeviStudioU (Update A) ∗∗∗ --------------------------------------------- WECON has produced Version 1.8.69 to fix the reported vulnerabilities in Version 1.8.56; however, exploits are still successful against this updated version. --------------------------------------------- https://www.us-cert.gov/ics/advisories/ICSA-19-036-03 ∗∗∗ VMSA-2019-0014 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0014.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bird, opendmarc, php7.3, and qemu), Fedora (bird, dino, nbdkit, and openconnect), Oracle (nginx:1.14, patch, and thunderbird), Red Hat (dovecot, kernel, kernel-alt, and kernel-rt), Scientific Linux (thunderbird), and SUSE (kernel, openssl, openssl-1_1, python-SQLAlchemy, and python-Werkzeug). --------------------------------------------- https://lwn.net/Articles/800149/ ∗∗∗ Western Digital My Book World II NAS 1.02.12 Hardcoded Credential ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019090130 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by Cross-Site Request Forgery (CVE-2019-4515 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Synthetic Playback Agent 8.1.4 is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-synthetic-playback-ag… ∗∗∗ IBM Security Bulletin: Synthetic Playback Agent 8.1.4.x is affected by multiple vulnerabilities of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-synthetic-playback-ag… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2019
by Daily end-of-shift report 19 Sep '19

19 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-09-2019 18:00 − Donnerstag 19-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake Human Verification Spam ∗∗∗ --------------------------------------------- We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019. One of these newly targeted plugins was Advanced Booking Calendar — and it didn’t take long before we were receiving clean up requests for websites that had already been exploited through this plugin. --------------------------------------------- https://blog.sucuri.net/2019/09/fake-human-verification-spam.html ∗∗∗ Agent Tesla Trojan Abusing Corporate Email Accounts ∗∗∗ --------------------------------------------- The trojan Agent Tesla is not brand new, discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1]. --------------------------------------------- https://isc.sans.edu/forums/diary/Agent+Tesla+Trojan+Abusing+Corporate+Emai… ∗∗∗ Shhmon — Silencing Sysmon via Driver Unload ∗∗∗ --------------------------------------------- https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Lücke erlaubt Root-Zugriff auf D-Link-NAS DNS-320 ∗∗∗ --------------------------------------------- Ein Update schließt eine Schwachstelle mit Höchstwertung im Netzwerkspeicher DNS-320 von D-Link. --------------------------------------------- https://heise.de/-4533707 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, [...] --------------------------------------------- https://lwn.net/Articles/799971/ ∗∗∗ Critical Vulnerability in Harbor Enables Privilege Escalation from Zero to Admin (CVE-2019-16097) ∗∗∗ --------------------------------------------- Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The maintainers of Harbor released a patch that closes this critical security hole. --------------------------------------------- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enable… ∗∗∗ TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-067 ∗∗∗ Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-066 ∗∗∗ Kubernetes: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0826 ∗∗∗ Cisco HyperFlex Software Counter Value Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco HyperFlex Software Cross-Frame Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei CloudEngine Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190918-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Security QRadar Packet Capture is vulnerable to Denial of Service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-3896) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-qradar-p… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct File Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system and Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs CVE-2019-4473 and CVE-2019-11771 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-eclipse-openj9-could-… ∗∗∗ IBM Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE’s (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-as-used-in-ib… ∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2019
by Daily end-of-shift report 18 Sep '19

18 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-09-2019 18:00 − Mittwoch 18-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Warning: Researcher Drops phpMyAdmin Zero-Day Affecting All Versions ∗∗∗ --------------------------------------------- A cybersecurity researcher recently published details and proof-of-concept for an unpatched zero-day vulnerability in phpMyAdmin—one of the most popular applications for managing the MySQL and MariaDB databases. --------------------------------------------- https://thehackernews.com/2019/09/phpmyadmin-csrf-exploit.html ∗∗∗ Clever New DDoS Attack Gets a Lot of Bang for a Hackers Buck ∗∗∗ --------------------------------------------- By exploiting the WS-Discovery protocol, a new breed of DDoS attack can get a huge rate of return. --------------------------------------------- https://www.wired.com/story/ddos-attack-ws-discovery ∗∗∗ FAQ: Emotet (bei Heise) ∗∗∗ --------------------------------------------- Seit die Heise Gruppe von einer Emotet-Infektion betroffen war, erreichen uns immer wieder Rückfragen. Hier die Antworten auf die häufigsten davon. --------------------------------------------- https://heise.de/-4517354 ∗∗∗ SMS von "PostInfo" führt in Abo-Falle ∗∗∗ --------------------------------------------- Zahlreiche HandynutzerInnen erhalten momentan eine SMS von PostInfo. Sie haben angeblich etwas bei einer Verlosung gewonnen. Um den Gewinn einzulösen, müssen sie einem Link folgen. Dieser führt zu einer Umfrage auf einer gefälschten Post-Seite. Achtung: dieses SMS stammt nicht von der Post, sondern von Kriminellen. Sie werden in eine Abo-Falle gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-postinfo-fuehrt-in-abo-falle/ ∗∗∗ Daily Emotet IoCs and Notes for 09/16/19 ∗∗∗ --------------------------------------------- Emotet Malware Document links/IOCs for 09/16/19 as of 09/17/19 02:30 EDTNotes and Credits at the bottom Follow us on twitter @cryptolaemus1 for more updates. --------------------------------------------- https://paste.cryptolaemus.com/emotet/2019/09/16/emotet-malware-IoCs_09-16-… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for code injection, command injection, stack-based buffer overflow, and improper authorization vulnerabilities in Advantechs WebAccess HMI platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-260-01 ∗∗∗ Honeywell Performance IP Cameras and Performance NVRs ∗∗∗ --------------------------------------------- This advisory includes mitigations for an information exposure vulnerability in the Honeywell Performance IP Cameras and Performance NVRs product. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-260-03 ∗∗∗ HPESBHF03844 rev.3 - HPE Integrated Lights-Out 4, 5 (iLO 4, 5) iLO Moonshot and Moonshot iLO Chassis Manager, Remote or Local Code Execution ∗∗∗ --------------------------------------------- Version:3 (rev.3) - 17 September 2019 added iLO Moonshot and Moonshot iLO Chassis Manager --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03866 rev.3 - HPE Integrated Lights-Out 3,4,5 iLO Moonshot and Moonshot iLO Chassis Manager, using SSH, Remote Execution of Arbitrary Code, Local Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- Version:3 (rev.3) - 17 September 2019 added iLO Moonshot and Moonshot iLO Chassis Manager --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Security update available in Foxit Studio Photo 3.6.6.913 ∗∗∗ --------------------------------------------- Foxit has released Foxit Studio Photo 3.6.6.913, which addresses potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php ∗∗∗ Kritisches Update für AMD-Grafikkarten löst spezielles Sicherheitsproblem ∗∗∗ --------------------------------------------- Die Kombination von VMware Workstation Pro und AMD-GPUs könnte die Computersicherheit gefährden. --------------------------------------------- https://heise.de/-4533148 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa). --------------------------------------------- https://lwn.net/Articles/799765/ ∗∗∗ WAGO Series PFC100/PCF200 Information Disclosure ∗∗∗ --------------------------------------------- The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-017 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager uses Weak password policy (CVE-2019-4565) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2019 – Includes Oracle Jul 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo… ∗∗∗ IBM Security Bulletin: Vulnerability in Eclipse Jetty affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ecli… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities have been identified in bundled libraries of IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2019-12086, CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects… ∗∗∗ Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-x… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2019
by Daily end-of-shift report 17 Sep '19

17 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 16-09-2019 18:00 − Dienstag 17-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet Revived with Large Spam Campaigns Around the World ∗∗∗ --------------------------------------------- Less than a month after reactivating its command and control (C2) servers, the Emotet botnet has come to like by spewing spam messages to countries around the globe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-revived-with-large-sp… ∗∗∗ Misuse of WordPress update_option() function Leads to Website Infections ∗∗∗ --------------------------------------------- In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission flow correctly, attackers can gain admin access or inject arbitrary data into any website. Note: The WordPress update_option() function cannot be used maliciously if the developer correctly implements it in their code. --------------------------------------------- https://blog.sucuri.net/2019/09/misuse-of-wordpress-update_option-function-… ∗∗∗ Explaining Server Side Template Injections ∗∗∗ --------------------------------------------- [...] Exploiting SSTI in strange cases will be the next post I make. Any and all feedback is appreciated --------------------------------------------- https://0x00sec.org/t/explaining-server-side-template-injections/16297 ∗∗∗ 2019 CWE Top 25 Most Dangerous Software Errors ∗∗∗ --------------------------------------------- The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. --------------------------------------------- https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html ∗∗∗ Investigating Gaps in your Windows Event Logs ∗∗∗ --------------------------------------------- I recently TAd the SANS SEC 504 class (Hacker Tools, Techniques, Exploits, and Incident Handling) , and one of the topics we covered was attackers "editing" windows event logs to cover their tracks, especially the Windows Security Event Log. --------------------------------------------- https://isc.sans.edu/forums/diary/Investigating+Gaps+in+your+Windows+Event+… ∗∗∗ Phishing: BAWAG PSK fordert keine Datenbestätigung per E-Mail ∗∗∗ --------------------------------------------- Kriminelle geben sich als BAWAG PSK Bank aus und behaupten, dass Online-Banking-NutzerInnen aufgrund der EU-Zahlungsrichtlinie ihre Daten bestätigen müssen. Angeblich sei auch das Konto gesperrt. Es handelt sich jedoch um einen Vorwand, um an Zugangsdaten zu kommen. Klicken Sie keinesfalls auf den Button, Sie gelangen zu einer gefälschten Login-Seite! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-bawag-psk-fordert-keine-dat… ∗∗∗ MISP 2.4.116 released (aka the new decaying feature) ∗∗∗ --------------------------------------------- A new version of MISP (2.4.116) has been release, including a long awaited major new feature that deals with decaying indicators in addition to a new ATT&CK sightings export and a new sync priority capability. --------------------------------------------- https://www.misp-project.org/2019/09/17/MISP.2.4.116.released.html ∗∗∗ Gootkit malware crew left their database exposed online without a password ∗∗∗ --------------------------------------------- Even cyber-criminal gangs cant secure their MongoDB servers properly. --------------------------------------------- https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-expo… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira ∗∗∗ --------------------------------------------- Ben Taylor of Cisco ASIG discovered these vulnerabilities.Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and [...] --------------------------------------------- https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/799509/ ∗∗∗ SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices ∗∗∗ --------------------------------------------- Researchers have discovered many vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices as part of a project dubbed SOHOpelessly Broken 2.0. --------------------------------------------- https://www.securityweek.com/sohopelessly-broken-20-125-vulnerabilities-fou… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Apache HTTPD vulnerability CVE-2019-10098 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K25126370 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2019
by Daily end-of-shift report 16 Sep '19

16 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-09-2019 18:00 − Montag 16-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gefährliche Sicherheitslücken in Überwachungskameras von Dahua ∗∗∗ --------------------------------------------- Angreifer könnten einige Dahua-Überwachungskameras attackieren und in ein Botnetz zwingen. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-4523355 ∗∗∗ Fake-Bewerbung von "Eva Richter" hat Erpressungstrojaner Ordinypt im Gepäck ∗∗∗ --------------------------------------------- Vorsicht: Derzeit sind wieder gefälschte Bewerbungen mit gefährlichem Dateianhang in Umlauf. Wer darauf reinfällt, steht vor einem digitalen Scherbenhaufen. --------------------------------------------- https://heise.de/-4523365 ∗∗∗ How to Enable Ransomware Protection in Windows 10 ∗∗∗ --------------------------------------------- Windows Defender includes a security feature called "Ransomware Protection" that allows you to enable various protections against ransomware infections. This feature is disabled by default in Windows 10, but with ransomware running rampant, it is important to enable this feature in order to get the most protection on your computer. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/how-to-enable-ransomware-pr… ∗∗∗ iPhone: PIN-Sperre in iOS 13 umgangen ∗∗∗ --------------------------------------------- Der Sperrbildschirm in iOS 13 kann mit einem einfachen Trick umgangen werden. So kann auf das Adressbuch des Besitzers zugegriffen werden. iOS 13 soll am 19. September veröffentlicht werden - die Lücke will Apple bis dahin nicht schließen. --------------------------------------------- https://www.golem.de/news/iphone-pin-sperre-in-ios-13-umgangen-1909-143860-… ∗∗∗ WordPress XSS Bug Allows Drive-By Code Execution ∗∗∗ --------------------------------------------- Sites that use the Gutenberg (found in WordPress 5.0 to 5.2.2) are open to complete takeover. --------------------------------------------- https://threatpost.com/wordpress-xss-drive-by-code-execution/148324/ ∗∗∗ Dissecting the WordPress 5.2.3 Update ∗∗∗ --------------------------------------------- Last week, WordPress released version 5.2.3 which was a security and maintenance update, and as such, contained many security fixes. Part of our day to day work is to analyse these security releases, discover what security issue it is fixing and come up with a Proof of Concept for further internal testing. --------------------------------------------- https://blog.sucuri.net/2019/09/dissecting-the-wordpress-5-2-3-update.html ∗∗∗ Smishing Explained: What It Is and How to Prevent It ∗∗∗ --------------------------------------------- Do you remember the last time you’ve interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently as of late? It’s no accident. Whereas marketers and communications professionals can’t count on email opens or users accepting push notifications from apps, they’re well aware that around [...] --------------------------------------------- https://www.webroot.com/blog/2019/09/16/smishing-explained-what-it-is-and-h… ∗∗∗ You Can Run, But You Can't Hide - Detecting Process Reimaging Behavior ∗∗∗ --------------------------------------------- Around 3 months ago, a new attack technique was introduced to the InfoSec community known as "Process Reimaging." This technique was released by the McAfee Security team in a blog titled — "In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass." A few days after this attack technique was released, a co-worker and friend of mine - Dwight Hohnstein - came out with proof of concept code demonstrating this technique, [...] --------------------------------------------- https://posts.specterops.io/you-can-run-but-you-cant-hide-detecting-process… ∗∗∗ Open source breach and attack simulation tool Infection Monkey gets new features ∗∗∗ --------------------------------------------- Guardicore, a leader in internal data center and cloud security, unveiled new capabilities for its Infection Monkey that make it the industry’s first Zero Trust assessment tool. Added features extend the functionality of the already successful Infection Monkey, a free, open source breach and attack simulation tool used by thousands to demonstrate and analyze their environments against lateral movement and attacks. --------------------------------------------- https://www.helpnetsecurity.com/2019/09/16/infection-monkey-tool/ ∗∗∗ LastPass Patches Bug Leaking Last-Used Credentials ∗∗∗ --------------------------------------------- A vulnerability recently addressed in LastPass could be abused by attackers to expose the last site credentials filled by LastPass. A freemium password manager, LastPass stores encrypted passwords online and provides users with a web interface to access them, as well as with plugins for web browsers and apps for smartphones. --------------------------------------------- https://www.securityweek.com/lastpass-patches-bug-leaking-last-used-credent… ∗∗∗ Sophos open-sources Sandboxie, a utility for sandboxing any application ∗∗∗ --------------------------------------------- Sandboxie is now a free download. Source code to be open-sourced at a later date. --------------------------------------------- https://www.zdnet.com/article/sophos-open-sources-sandboxie-a-utility-for-s… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2019-0013 ∗∗∗ --------------------------------------------- VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities. (CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0013.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, faad2, linux-4.9, and thunderbird), Fedora (jbig2dec, libextractor, sphinx, and thunderbird), Mageia (expat, kconfig, mediawiki, nodejs, openldap, poppler, thunderbird, webkit2, and wireguard), openSUSE (buildah, ghostscript, go1.12, libmirage, python-urllib3, rdesktop, and skopeo), SUSE (python-Django), and Ubuntu (exim4, ibus, and Wireshark). --------------------------------------------- https://lwn.net/Articles/799324/ ∗∗∗ [remote] Inteno IOPSYS Gateway - Improper Access Restrictions ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47390 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2019
by Daily end-of-shift report 13 Sep '19

13 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-09-2019 18:00 − Freitag 13-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Rig Exploit Kit Delivering VBScript, (Thu, Sep 12th) ∗∗∗ --------------------------------------------- I detected the following suspicious traffic on a corporate network. It was based on multiples infection stages and looked interesting enough to publish a diary about it. This is also a good reminder that, just by surfing the web, you can spot malicious scripts that will try to infect your computer (Exploit Kits). --------------------------------------------- https://isc.sans.edu/diary/rss/25318 ∗∗∗ Hacking LED Wristbands: A ‘Lightning’ Recap of RF Security Basics ∗∗∗ --------------------------------------------- We’re always eager for new research and learning opportunities, but this time, serendipitously, the opportunity found us. At the closing party of the Hack In The Box Amsterdam conference — where we presented our industrial radio research and ran a CTS contest — we were given LED wristbands to wear. They’re flashing wristbands meant to enhance the experience of an event, party, or show. At the beginning, we were not interested in the security impact; we just wanted to [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/MzmWyorokxA/ ∗∗∗ InnfiRAT: A new RAT aiming for your cryptocurrency and more ∗∗∗ --------------------------------------------- Recently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine. This blog provides an analysis of this new RAT, including the way it communicates, all the tasks it performs, and the information it steals. --------------------------------------------- https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptoc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, dnsmasq, and golang-go.crypto), Mageia (docker, firefox, flash-player-plugin, ghostscript, links, squid, sympa, tcpflow, thunderbird, and znc), openSUSE (srt), Oracle (.NET Core, kernel, libwmf, and poppler), Scientific Linux (firefox), SUSE (cri-o, curl, java-1_8_0-ibm, python-SQLAlchemy, and python-urllib3), and Ubuntu (curl and expat). --------------------------------------------- https://lwn.net/Articles/799127/ ∗∗∗ Philips IntelliVue WLAN ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for use of hard-coded password, and download of code without integrity check vulnerabilities in Philips IntelliVue WLAN firmware. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-255-01 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Web Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for path traversal and stack-based buffer overflow vulnerabilities in 3S-Smart Software Solutions CODESYS V3 runtime systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-01 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Library Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for a cross-site scripting vulnerability in 3S-Smart Software Solutions CODESYS V3 library manager software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-02 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS Control V3 Online User Management ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in 3S-Smart Software Solutions CODESYS Control V3 online user management software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-03 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS Control V3 OPC UA Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a NULL pointer dereference vulnerability in 3S-Smart Software Solutions CODESYS Control V3 OPC UA Server. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-04 ∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper input validation vulnerability in 3S-Smart Software Solutions CODESYS V3 runtime systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-255-05 ∗∗∗ Multiple buffer overflow vulnerabilities in multiple Ricoh printers and Multifunction Printers (MFPs) ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN11708203/ ∗∗∗ libssh2 vulnerability CVE-2019-13115 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13322484 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2019
by Daily end-of-shift report 12 Sep '19

12 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-09-2019 18:00 − Donnerstag 12-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 1B Mobile Users Vulnerable to Ongoing 'SimJacker' Surveillance Attack ∗∗∗ --------------------------------------------- More than one billion mobile users are at risk from a SIM card flaw being currently exploited by threat actors, researchers warn. --------------------------------------------- https://threatpost.com/1b-mobile-users-vulnerable-to-ongoing-simjacker-surv… ∗∗∗ Attacking the VM Worker Process ∗∗∗ --------------------------------------------- In the past year we invested a lot of time making Hyper-V research more accessible to everyone. Our first blog post, “First Steps in Hyper-V Research”, describes the tools and setup for debugging the hypervisor and examines the interesting attack surfaces of the virtualization stack components. --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/09/11/attacking-the-vm-worker-proc… ∗∗∗ From BinDiff to Zero-Day: A Proof of Concept Exploiting CVE-2019-1208 in Internet Explorer ∗∗∗ --------------------------------------------- Last June, I disclosed a use-after-free (UAF) vulnerability in Internet Explorer (IE) to Microsoft. It was rated as critical, designated as CVE-2019-1208, and then addressed in Microsoft’s September Patch Tuesday. I discovered this flaw through BinDiff (a binary code analysis tool) and wrote a proof of concept (PoC) showing how it can be fully and consistently exploited in Windows 10 RS5.A more in-depth analysis of this vulnerability is in this technical brief. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/NkmJvxTNnHM/ ∗∗∗ Phishing & Co: Betrüger nutzen Start der PSD2-Richtlinie aus ∗∗∗ --------------------------------------------- Die neue Zahlungsdienste-Richtlinie der EU steht vor der Umsetzung. Das sorgt für Verwirrung, die Betrüger schamlos ausnutzen. --------------------------------------------- https://heise.de/-4522179 ∗∗∗ Five years later, Heartbleed vulnerability still unpatched ∗∗∗ --------------------------------------------- The Heartbleed vulnerability was discovered and fixed in 2014, yet today—five years later—there are still unpatched systems. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2019/09/everything-you-need… ∗∗∗ Sind meine persönlichen Daten im Internet bekannt? ∗∗∗ --------------------------------------------- Wenn es Kriminellen gelingt, in Datenbanken von Unternehmen zu gelangen, können sie KundInnendaten stehlen. Mit den erbeuteten Informationen ist es ihnen möglich, dass sie Verbrechen unter fremden Namen begehen. KonsumentInnen sollten deshalb regelmäßig überprüfen, ob sie von einem Datendiebstahl betroffen sind, um geeignete Gegenmaßnahmen ergreifen zu können. --------------------------------------------- https://www.watchlist-internet.at/news/sind-meine-persoenlichen-daten-im-in… ∗∗∗ Warnung vor Ron Inkasso-Mahnungen ∗∗∗ --------------------------------------------- KonsumentInnen erhalten eine Mahnung, die angeblich von der Ron Adams Ltd stammt. Darin heißt es, dass sie sich auf grindplay.com registriert haben. Sie sollen dem Anbieter für ein Premium–Jahresabo 395,88 Euro zuzüglich Mahnspesen und Verzugszinsen gesamt 516,24 Euro bezahlen. KonsumentInnen müssen den Betrag nicht an ron-inkasso.eu bezahlen, denn das Schreiben ist betrügerisch. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-ron-inkasso-mahnungen/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim, firefox, and webkit2gtk), Debian (libonig and opensc), Fedora (cobbler), Oracle (firefox and kernel), Red Hat (flash-plugin, kernel, kernel-rt, rh-maven35-jackson-databind, rh-nginx110-nginx, and rh-nginx112-nginx), Scientific Linux (kernel), Slackware (curl, mozilla, and openssl), SUSE (ceph, libvirt, and python-Werkzeug), and Ubuntu (vlc and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/799052/ ∗∗∗ Cisco Enterprise Network Functions Virtualization Infrastructure Software File Enumeration Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Linux Kernel vulnerabilities affect IBM Spectrum Protect Plus CVE-2019-10140, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-13233, CVE-2019-13272, CVE-2019-14283, CVE-2019-14284, CVE-2019-15090, CVE-2019-15807, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-vulnerab… ∗∗∗ IBM Security Bulletin: SQL Injection Vulnerability Affects IBM Sterling File Gateway (CVE-2019-4147) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-sql-injection-vulnera… ∗∗∗ Stored and reflected XSS vulnerabilities in LimeSurvey (CVE-2019-16172, CVE-2019-16173) ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/stored-and-reflected-xss-vulnera… ∗∗∗ Wireshark: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0813 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2019
by Daily end-of-shift report 11 Sep '19

11 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-09-2019 18:00 − Mittwoch 11-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ OpenDMARC: Aktiv ausgenutzte DMARC-Sicherheitslücke ohne Fix ∗∗∗ --------------------------------------------- Mitarbeiter von Protonmail haben in OpenDMARC eine Sicherheitslücke entdeckt, mit der sich die Signaturprüfung austricksen lässt. Angreifer haben die Lücke bereits für Phishingangriffe gegen Journalisten genutzt. OpenDMARC wird offenbar nicht weiterentwickelt und es gibt kein Update. --------------------------------------------- https://www.golem.de/news/opendmarc-aktiv-ausgenutzte-dmarc-sicherheitsluec… ∗∗∗ Office 365: prone to security breaches? ∗∗∗ --------------------------------------------- Author: Willem Zeeman "Office 365 again?". At the Forensics and Incident Response department of Fox-IT, this is heard often. Office 365 breach investigations are common at our department. You'll find that this blog post actually doesn't make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Office [...] --------------------------------------------- https://blog.fox-it.com/2019/09/11/office-365-prone-to-security-breaches/ ∗∗∗ NetCAT ∗∗∗ --------------------------------------------- NetCAT shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. --------------------------------------------- https://www.vusec.net/projects/netcat/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Angreifer attackieren Windows und machen sich zum Admin ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für Office, Windows & Co. veröffentlicht. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-4519699 ∗∗∗ Patchday: SAP behebt unter anderem kritische Lücke in NetWeaver ∗∗∗ --------------------------------------------- Am September-Patchday hat SAP zahlreiche Lücken geschlossen und überdies einige ältere Security Advisories aktualisiert. --------------------------------------------- https://heise.de/-4519758 ∗∗∗ Delta Electronics TPEditor ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow, heap-based buffer overflow, and out-of-bounds write vulnerabilities in Delta Electronics TPEditor, a programming software for Delta text panels. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-253-01 ∗∗∗ OSIsoft PI SQL Client ∗∗∗ --------------------------------------------- This advisory contains mitigations for an integer overflow or wraparound vulnerability in OSIsofts PI SQL Client component interface. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-253-06 ∗∗∗ Intel Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 10, 2019Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit one of these vulnerabilities to gain an escalation of privileges on a previously infected machine. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/10/intel-releases-sec… ∗∗∗ OpenSSL Security Advisory [10 September 2019] ∗∗∗ --------------------------------------------- ECDSA remote timing attack (CVE-2019-1547) Fork Protection (CVE-2019-1549) Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) --------------------------------------------- https://openssl.org/news/secadv/20190910.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python38), openSUSE (nginx, nodejs10, nodejs8, python-Twisted, python-Werkzeug, SDL2_image, SDL_image, and util-linux and shadow), Oracle (firefox and nghttp2), Red Hat (.NET Core, firefox, kernel, libwmf, pki-deps:10.6, and poppler), Scientific Linux (firefox), SUSE (ghostscript, libgcrypt, podman, python-SQLAlchemy, qemu, and webkit2gtk3), and Ubuntu (curl, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, systemd, and tomcat8). --------------------------------------------- https://lwn.net/Articles/798966/ ∗∗∗ Citrix SD-WAN Security Update ∗∗∗ --------------------------------------------- CTX256918 NewApplicable Products : Citrix SD-WANMultiple denial of service vulnerabilities have been identified in the Citrix SD-WAN Appliance and Citrix SD-WAN Center Management Console. --------------------------------------------- https://support.citrix.com/article/CTX256918 ∗∗∗ IBM Security Bulletin: Spectrum Protect Operations Center vulnerable to Logjam (CVE-2015-4000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-spectrum-protect-oper… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.09.2019
by Daily end-of-shift report 10 Sep '19

10 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 09-09-2019 18:00 − Dienstag 10-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ How to Audit & Cleanup WordPress Plugins & Themes ∗∗∗ --------------------------------------------- In an interview with Smashing Magazine our CoFounder (now Head of Security Products at GoDaddy) Tony Perez was asked the following question. What Makes WordPress Vulnerable? "Here's the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS' popularity, with the end user thrown into the mix, make for a vulnerable website." --------------------------------------------- https://blog.sucuri.net/2019/09/wordpress-plugin-audit.html ∗∗∗ IoT Attack Opportunities Seen in the Cybercrime Underground ∗∗∗ --------------------------------------------- We looked into IoT-related discussions from several cybercrime underground communities. We found discussions ranging from tutorials to actual monetization schemes for IoT-related attacks. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/i588EjgxMnI/ ∗∗∗ When corporate communications look like a phish ∗∗∗ --------------------------------------------- Before organizations engage in gnashing of teeth over the "ignorant user" and the cost of training, think about how much email users encounter and whether corporate communications look like phishes themselves. --------------------------------------------- https://blog.malwarebytes.com/business-2/2019/09/when-corporate-communicati… ∗∗∗ Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study ∗∗∗ --------------------------------------------- Executive Summary Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. One of the dominant categories of evasion is anti-sandbox detection, simply because today’s sandboxes are becoming the fastest and easiest way to have an overview of the threat. --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-ma… ∗∗∗ Achung Phishing: betrügerische Raiffeisen E-Mails im Umlauf ∗∗∗ --------------------------------------------- Kriminelle behaupten Ihre Kreditkarte wäre gesperrt: Mit der neuen EU-Richtlinie als Vorwand, erhalten momentan zahlreiche Bank-Kundinnen und Kunden Phishing-Mails. Laut den E-Mails schreibt die Richtlinie angeblich die Bestätigung Ihrer persönlichen Daten vor. Der angeführte Link führt Sie jedoch auf eine gefälschte Login-Seite. Kriminelle erspähen Ihre Daten. --------------------------------------------- https://www.watchlist-internet.at/news/achung-phishing-betruegerische-raiff… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Application Manager (APSB19-45) and Adobe Flash Player (APSB19-46). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided "AS IS" with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1785 ∗∗∗ Multiple Vulnerabilities in Comba and D-Link Routers ∗∗∗ --------------------------------------------- There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-vu… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker.io, icedtea-web, and trafficserver), openSUSE (opera), Red Hat (bind, firefox, go-toolset:rhel8, kernel, nghttp2, and polkit), SUSE (buildah, curl, java-1_7_1-ibm, and skopeo), and Ubuntu (freetype, memcached, python2.7, python3.4, and python2.7, python3.5, python3.6, python3.7). --------------------------------------------- https://lwn.net/Articles/798883/ ∗∗∗ MISP 2.4.115 released (aka CVE-2019-16202 and sync speed improvement) ∗∗∗ --------------------------------------------- A new version of MISP (2.4.115) with a major security fix (CVE-2019-16202) and various small improvements has been released. We strongly recommend all MISP users update to this version. --------------------------------------------- https://www.misp-project.org/2019/09/10/MISP.2.4.115.released.html ∗∗∗ SSA-187667 (Last Update: 2019-09-10): DejaBlue Vulnerabilities - Siemens Healthineers Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-187667.pdf ∗∗∗ SSA-189842 (Last Update: 2019-09-10): TCP URGENT/11 Vulnerabilities in RUGGEDCOM Win ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf ∗∗∗ SSA-191683 (Last Update: 2019-09-10): Cross-Site Scripting Vulnerability in IE/WSN-PA Link WirelessHART Gateway ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-191683.pdf ∗∗∗ SSA-250618 (Last Update: 2019-09-10): Denial-of-Service Vulnerability in SIMATIC TDC CP51M1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-250618.pdf ∗∗∗ SSA-462066 (Last Update: 2019-09-10): Vulnerability known as TCP SACK PANIC in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf ∗∗∗ SSA-834884 (Last Update: 2019-09-10): Vulnerability in SINETPLAN ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf ∗∗∗ SSA-884497 (Last Update: 2019-09-10): Multiple Vulnerabilities in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf ∗∗∗ GnuPG vulnerability CVE-2019-13050 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08654551 ∗∗∗ Wireshark vulnerability CVE-2019-12295 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06725231 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2019
by Daily end-of-shift report 09 Sep '19

09 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-09-2019 18:00 − Montag 09-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 7 most common application backdoors ∗∗∗ --------------------------------------------- The popular adage "we often get in quicker by the back door than the front" has withstood the test of time even in our advanced, modern world. Application backdoors have become rampant in today's business environment, making it mandatory for us to take the same level of precaution we'd do to safeguard the backdoor [...] --------------------------------------------- https://resources.infosecinstitute.com/7-most-common-application-backdoors/ ∗∗∗ 'Purple Fox' Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell ∗∗∗ --------------------------------------------- This new iteration of Purple Fox that we came across, also being delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component by abusing publicly available code. It now also eschews its use of NSIS in favor of abusing PowerShell, making Purple Fox capable of fileless infection. It also incorporated additional exploits to its infection chain, most likely as a foolproof mechanism to ensure that it can still infect the system. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rRfjdvF4DOI/ ∗∗∗ Open Sourcing StringSifter ∗∗∗ --------------------------------------------- Malware analysts routinely use the Strings program during static analysis in order to inspect a binarys printable characters. However, identifying relevant strings by hand is time consuming and prone to human error. Larger binaries produce upwards of thousands of strings that can quickly evoke analyst fatigue, relevant strings occur less often than irrelevant ones, and the definition of "relevant" can vary significantly among analysts. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/09/open-sourcing-stringsif… ∗∗∗ BlueKeep Exploit Added to Metasploit ∗∗∗ --------------------------------------------- An initial public exploit targeting the recently addressed BlueKeep vulnerability in Microsoft Windows has been added to Rapid7's Metasploit framework. --------------------------------------------- https://www.securityweek.com/bluekeep-exploit-added-metasploit ∗∗∗ Kriminelle nützen Promis und Medien für Bitcoin-Betrug ∗∗∗ --------------------------------------------- Die Schadensummen reichen von etwa 200 Euro bis weit über 100.000 Euro: KonsumentInnen werden durch erfundene News-Artikel auf gefälschten Nachrichten-Websites zu Investments bei unseriösen Plattformen wie "Bitcoin Code", "Bitcoin Profit" oder "The News Spy" bewegt. Bekannte Persönlichkeiten wie Christoph Waltz oder Bill Gates und einflussreiche Medien wie orf.at oder Der Spiegel werden dabei von Kriminellen missbraucht, um Opfer [...] --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-nuetzen-promis-und-medien… ∗∗∗ Sicherheitsforscher warnen vor GPS-Uhren für Kinder: Sofort wegwerfen ∗∗∗ --------------------------------------------- Smartwatches für Kids mit horrender Sicherheit - Angreifer können mit Leichtigkeit, Heranwachsende und Eltern ausspionieren --------------------------------------------- https://www.derstandard.at/story/2000108423850/sicherheitsforscher-warnen-v… ∗∗∗ Telnet backdoor vulnerabilities impact over a million IoT radio devices ∗∗∗ --------------------------------------------- Devices can be remotely exploited as root without any need for user interaction. --------------------------------------------- https://www.zdnet.com/article/critical-vulnerabilities-impact-over-a-millio… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Denial-of-service vulnerabilities in some NETGEAR routers ∗∗∗ --------------------------------------------- The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely. --------------------------------------------- https://blog.talosintelligence.com/2019/09/vuln-spotlight-Netgear-N300-rout… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, ghostscript, libreoffice, and memcached), Fedora (chromium, grafana, kea, nsd, pdfbox, roundcubemail, and SDL), Gentoo (apache, dbus, exim, libsdl2, pango, perl, vlc, and webkit-gtk), Mageia (dovecot, giflib, golang, icedtea-web, irssi, java-1.8.0-openjdk, libgcrypt, libmspack, mercurial, monit, php, poppler, python-urllib3, rdesktop, SDL12, sdl2, sigil, sqlite3, subversion, tomcat, and zstd), openSUSE (chromium, exim, go1.12, httpie, [...] --------------------------------------------- https://lwn.net/Articles/798826/ ∗∗∗ LibreOffice: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/09/warn… ∗∗∗ Instagram - Open Redirect Vulnerability ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019090061 ∗∗∗ Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9872 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer, Watson Content Analytics and Watson Explorer Content Analytics Studio (CVE-2018-1890, CVE-2019-2426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2019
by Daily end-of-shift report 06 Sep '19

06 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-09-2019 18:00 − Freitag 06-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ GootKit Malware Bypasses Windows Defender by Setting Path Exclusions ∗∗∗ --------------------------------------------- As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-win… ∗∗∗ [SANS ISC] PowerShell Script with a builtin DLL ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “PowerShell Script with a builtin DLL“: Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution [...] --------------------------------------------- https://blog.rootshell.be/2019/09/06/sans-isc-powershell-script-with-a-buil… ∗∗∗ Thousands of servers infected with new Lilocked (Lilu) ransomware ∗∗∗ --------------------------------------------- Researchers spot new ransomware targeting Linux-based servers. --------------------------------------------- https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilock… ===================== = Vulnerabilities = ===================== ∗∗∗ Buffer Overflow: Exim-Sicherheitslücke beim Verarbeiten von TLS-Namen ∗∗∗ --------------------------------------------- Im Mailserver Exim wurde eine Sicherheitslücke gefunden, die Angreifern das Ausführen von Code ermöglicht. Ein Update steht bereit. --------------------------------------------- https://www.golem.de/news/buffer-overflow-exim-sicherheitsluecke-beim-verar… ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for a session fixation vulnerability reported in BD’s Pyxis medication management platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-248-01 ∗∗∗ Red Lion Controls Crimson ∗∗∗ --------------------------------------------- This advisory includes mitigations for use after free, improper restriction of operations within the bounds of a memory buffer, pointer issues, and use of hard-coded cryptographic key vulnerabilities in the Red Lion Controls Crimson software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-248-01 ∗∗∗ MS-ISAC Releases Advisory on PHP Vulnerabilities ∗∗∗ --------------------------------------------- Original release date: September 5, 2019The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/05/ms-isac-releases-a… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow). --------------------------------------------- https://lwn.net/Articles/798600/ ∗∗∗ Nagios Enterprises Nagios XI: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0790 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2019
by Daily end-of-shift report 05 Sep '19

05 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-09-2019 18:00 − Donnerstag 05-09-2019 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Android Zero-Day Bug Does Not Make It on Google's Fix List ∗∗∗ --------------------------------------------- Google yesterday rolled out security patches for the Android mobile operating system but did not include the fix for at least one bug that enables increasing permissions to kernel level. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-zero-day-bug-does-no… ∗∗∗ WordPress 5.2.3 Released with Security and Bug Fixes ∗∗∗ --------------------------------------------- WordPress 5.2.3 has been released and includes fixes for six vulnerabilities and 29 bugs or enhancements. As WordPress is a common target for threat actors looking to host their malicious campaigns, it is important that all WordPress users upgrade to the latest release as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-523-released-with-… ∗∗∗ Unifying: Sicherheitsupdate für Logitech-Tastaturen umgangen ∗∗∗ --------------------------------------------- Mit einem einfachen Trick kann ein Sicherheitsupdate von Logitech umgangen werden. Damit lassen sich weiterhin Eingaben von kabellosen Tastaturen abgreifen - oder Schadcode eintippen. Dabei hatte Logitech nicht einmal alle Sicherheitslücken behoben. --------------------------------------------- https://www.golem.de/news/unifying-sicherheitsupdate-fuer-logitech-tastatur… ∗∗∗ Das Smart‑Ding‑Dilemma ∗∗∗ --------------------------------------------- Vom 6.-11. September 2019 öffnet die Internationale Funkausstellung (IFA) in Berlin wieder ihre Pforten. Auch diesjährig wird das Thema "Vollvernetzung" die Messehallen beherrschen. Doch wie steht es nun, ein Jahr weiter, um die Sicherheit? --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/09/05/das-smart-ding-dilemma/ ∗∗∗ henrikson-research.de: Umfrage führt zu Geldwäsche in Ihrem Namen! ∗∗∗ --------------------------------------------- Auf diversen Job-Portalen stoßen Sie momentan auf Ausschreibungen einer HENRIKSON Research GmbH. Schon bei der Registrierung verlangt man Ihre Ausweiskopie sowie Selfies mit Pass oder Personalausweis. Melden Sie sich hier nicht an! Kriminelle stehlen Ihre Daten und tarnen die Eröffnung eines Bankkontos in Ihrem Namen als bezahlte Umfrage. --------------------------------------------- https://www.watchlist-internet.at/news/henrikson-researchde-umfrage-fuehrt-… ∗∗∗ Betrügerische Angebote für Cineplexx-Gutscheine locken in die Abo-Falle ∗∗∗ --------------------------------------------- Mit Facebook-Anzeigen und über Facebook-Messenger werben Kriminelle für ein Gewinnspiel. Angeblich können Cineplexx-Geschenkgutscheine gewonnen werden. Das Gewinnspiel gibt es nicht. Die Kriminellen locken in eine Abofalle und sind auf Kreditkartendaten aus! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-angebote-fuer-cineple… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Cisco sichert macOS- und Windows-Software ab – und noch mehr ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Cisco-Produkte. Angreifer könnten Schadcode auf Systemen ausführen. --------------------------------------------- https://heise.de/-4514009 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (systemd), openSUSE (go1.11, python-Twisted, SDL2_image, SDL_image, and wavpack), Oracle (kdelibs and kde-settings, kernel, and qemu-kvm), Red Hat (chromium-browser and firefox), Slackware (seamonkey), SUSE (java-1_8_0-ibm, kernel, and python-urllib3), and Ubuntu (firefox and npm/fstream). --------------------------------------------- https://lwn.net/Articles/798487/ ∗∗∗ Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-cisc… ∗∗∗ Various 3rd Party Vulnerabilities - PSA-2019-09-04 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2019-09-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2019
by Daily end-of-shift report 04 Sep '19

04 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-09-2019 18:00 − Mittwoch 04-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacked SharePoint Sites Used to Bypass Secure Email Gateways ∗∗∗ --------------------------------------------- Phishers behind a new campaign have switched to using compromised SharePoint sites and OneNote documents to redirect potential victims from the banking sector to their landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-sharepoint-sites-used… ∗∗∗ Half of Android Handsets Susceptible to Clever SMS Phishing Attack ∗∗∗ --------------------------------------------- Researchers say an attacker could send a rogue over-the-air provisioning message to susceptible phones and route all internet traffic through a hacker-controlled proxy. --------------------------------------------- https://threatpost.com/half-of-android-handsets-susceptible-to-clever-sms-p… ∗∗∗ BRATA Android RAT Steals Banking Info in Real Time ∗∗∗ --------------------------------------------- The RAT targets users via fake WhatsApp updates in Google Play. --------------------------------------------- https://threatpost.com/brata-android-rat-steals-banking-info/148003/ ∗∗∗ ENISA: Secure Group Communications for incident response and operational communities ∗∗∗ --------------------------------------------- This document serves as a starting point for incident response communities to conduct their own evaluation and see how the various communication tools can fit their sizes and needs. --------------------------------------------- https://www.enisa.europa.eu/publications/secure-group-communications ∗∗∗ Spam In your Calendar? Here’s What to Do. ∗∗∗ --------------------------------------------- Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Heres a brief primer on what you can do about it. --------------------------------------------- https://krebsonsecurity.com/2019/09/spam-in-your-calendar-heres-what-to-do/ ===================== = Vulnerabilities = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 4, 2019 The Samba Team has released security updates to address a vulnerability in all versions of Samba from 4.9.0 onward. An attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/04/samba-releases-sec… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t. These releases will be made available on 10th September 2019 between approximately 1200-1600 UTC. These are security fix releases. The highest severity security issue fixed by these releases is rated as LOW. --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2019-September/000156.ht… ∗∗∗ Android Security Bulletin - September 2019 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2019-09-01.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (grafana, irssi, and jenkins), Debian (freetype, samba, and varnish), Fedora (community-mysql, kernel, kernel-headers, kernel-tools, and python-mitogen), openSUSE (postgresql10 and python-SQLAlchemy), Oracle (kdelibs and kde-settings and squid:4), Red Hat (kdelibs and kde-settings, kernel, kernel-rt, openstack-nova, qemu-kvm, and redis), Scientific Linux (kdelibs and kde-settings, kernel, and qemu-kvm), SUSE (ansible, java-1_7_1-ibm, libosinfo, [...] --------------------------------------------- https://lwn.net/Articles/798357/ ∗∗∗ Security Advisory - Version Downgrade Vulnerabilities on Smartphones and HiSuite ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190904-… ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4149) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.09.2019
by Daily end-of-shift report 03 Sep '19

03 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 02-09-2019 18:00 − Dienstag 03-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Nemty Ransomware Gets Distribution from RIG Exploit Kit ∗∗∗ --------------------------------------------- The operators of Nemty ransomware appear to have struck a distribution deal to target systems with outdated technology that can still be infected by exploit kits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distri… ∗∗∗ Fake BleachBit Website Built to Distribute AZORult Info Stealer ∗∗∗ --------------------------------------------- Cybercriminals are taking advantage of the popularity of the BleachBit disk cleaning tool to spread Azorult information stealer. For this purpose, they created a static web page that purports to be the official website for the utility. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-bleachbit-website-built… ∗∗∗ Credential Management and Enforcement for ICS/SCADA environments ∗∗∗ --------------------------------------------- In the world of Operational Technology (OT), Industrial Control Systems (ICS) comprise the majority of the segment. Where ICS assets are dispersed and require centralized data acquisition and control, Supervisory Control and Data Acquisition (SCADA) systems are used. --------------------------------------------- https://resources.infosecinstitute.com/credential-management-and-enforcemen… ∗∗∗ Ratgeber vom Hersteller: So erkennt man gehackte Cisco-Geräte ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat vier Guides für verschiedene Software veröffentlicht, die helfen sollen, Hinweise auf mögliche Kompromittierungen zu finden. --------------------------------------------- https://heise.de/-4512704 ∗∗∗ Meet Domen, a New and Sophisticated Social Engineering Toolkit ∗∗∗ --------------------------------------------- A new social engineering toolkit has been discovered. The operational premise has been used many times, but the execution of that premise is new and described by security researchers "a beautiful piece of work". --------------------------------------------- https://www.securityweek.com/meet-domen-new-and-sophisticated-social-engine… https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2019… ∗∗∗ Diese Kleinanzeigen-Betrugsmasche sollten Sie kennen ∗∗∗ --------------------------------------------- BetrügerInnen versuchen auf Online-Marktplätzen wie willhaben, shpock und Co, ohne Bezahlung an Ihre Ware zu kommen. Sie geben sich als vermeintliche Zahlungsdienstleister und Zwischenvermittler aus und senden Ihnen eine gefälschte Zahlungsbestätigung. Das Geld wird angeblich erst für Sie freigegeben, wenn Sie den zu viel überwiesenen Betrag für das Speditionsunternehmen oder eine Versandbestätigung des Paketes übermitteln. --------------------------------------------- https://www.watchlist-internet.at/news/diese-kleinanzeigen-betrugsmasche-so… ===================== = Vulnerabilities = ===================== ∗∗∗ 'USBAnywhere' Bugs Open Supermicro Servers to Remote Attackers ∗∗∗ --------------------------------------------- Trivial-to-exploit authentication flaws can give an unsophisticated remote attacker omnipotent control over a server and its contents. --------------------------------------------- https://threatpost.com/usbanywhere-bugs-supermicro-remote-attack/147899/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Fedora (ansible and wavpack), openSUSE (apache-commons-beanutils, apache2, go1.12, httpie, libreoffice, qemu, and slurm), Oracle (ghostscript), Scientific Linux (ghostscript), SUSE (ardana-ansible, ardana-barbican, ardana-cinder, ardana-cluster, ardana-cobbler, ardana-db, ardana-designate, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-horizon, ardana-input-model, ardana-installer-ui, ardana-ironic, ardana-keystone, ardana-logging, [...] --------------------------------------------- https://lwn.net/Articles/798225/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2019
by Daily end-of-shift report 02 Sep '19

02 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-08-2019 18:00 − Montag 02-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sodinokibi Ransomware Spreads via Fake Forums on Hacked Sites ∗∗∗ --------------------------------------------- A distributor for the Sodinokibi Ransomware is hacking into WordPress sites and injecting JavaScript that displays a fake Q & A forum post over the content of the original site. This fake post contains an "answer" from the sites "admin" that contains a link to the ransomware installer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spread… ∗∗∗ Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps ∗∗∗ --------------------------------------------- Walled-garden Android platform security easily copied Facebook has insisted that losing control of the private key used to sign its Facebook Basics app is no biggie despite totally unrelated apps from other vendors, signed with the same key, popping up in unofficial repositories. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2019/09/02/facebook_ba… ∗∗∗ Analyse: Was bedeutet der iPhone-Massen-Hack? ∗∗∗ --------------------------------------------- Tausende iPhones wurden beim Besuch scheinbar harmloser Web-Sites gehackt. Wer steckt dahinter und wie schütze ich mich? --------------------------------------------- https://heise.de/-4511921 ∗∗∗ TrickBot Tricks U.S. Users into Sharing their PIN Codes ∗∗∗ --------------------------------------------- The threat actor behind the infamous TrickBot botnet has added new functionality to their malware to request PIN codes from mobile users, Secureworks reports. --------------------------------------------- https://www.securityweek.com/trickbot-tricks-us-users-sharing-their-pin-cod… ∗∗∗ WordPress sites under attack as hacker group tries to create rogue admin accounts ∗∗∗ --------------------------------------------- Hackers exploit vulnerabilities in more than ten WordPress plugins to plant backdoor accounts on unpatched sites. --------------------------------------------- https://www.zdnet.com/article/wordpress-sites-under-attack-as-hacker-group-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gosa, libav, libextractor, nghttp2, pump, and python2.7), Fedora (dovecot, mod_http2, and pango), Gentoo (dovecot, gnome-desktop, libofx, and nautilus), Mageia (ansible, ghostscript, graphicsmagick, memcached, mpg123, pango, vlc, wavpack, webmin, wireshark, and wpa_supplicant, hostapd), openSUSE (flatpak, libmirage, podman, slirp4netns and libcontainers-common, python-SQLAlchemy, and qemu), Red Hat (ghostscript, java-1.8.0-ibm, and squid:4), and SUSE [...] --------------------------------------------- https://lwn.net/Articles/798143/ ∗∗∗ Panasonic Video Insight VMS vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN93833849/ ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Local File inclusion ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47340 ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47339 ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47338 ∗∗∗ IBM Security Bulletin: Password vulnerability in IBM® Intelligent Operations Center (CVE-2019-4321) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2019
by Daily end-of-shift report 30 Aug '19

30 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-08-2019 18:00 − Freitag 30-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows 7: Update-Blockade für Symantec-Nutzer aufgehoben ∗∗∗ --------------------------------------------- Microsoft hat Windows-Updates wieder für Nutzer von Symantec Endpoint Protection freigegeben. --------------------------------------------- https://heise.de/-4509981 ∗∗∗ CERT-Bund warnt vor offenen Smarthome-Systemen ∗∗∗ --------------------------------------------- Fast 3000 Homematic-Systeme sind offenbar aus dem Internet erreichbar -- die meisten davon lassen sich beliebig fernsteuern. --------------------------------------------- https://heise.de/-4509977 ∗∗∗ It Saved Our Community: 16 Realistic Ransomware Defenses for Cities ∗∗∗ --------------------------------------------- Practical steps municipal governments can take to better prevent and respond to ransomware infections. --------------------------------------------- https://www.darkreading.com/edge/theedge/it-saved-our-community-16-realisti… ∗∗∗ A very deep dive into iOS Exploit chains found in the wild ∗∗∗ --------------------------------------------- Posted by Ian Beer, Project ZeroProject Zero’s mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere. Earlier this year Googles Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-ex… ∗∗∗ Scalable infrastructure for investigations and incident response ∗∗∗ --------------------------------------------- Traditional computer forensics and cyber investigations are as relevant in the cloud as they are in on-premise environments, but the methods in which to access and perform such investigations differ. This post will describe some of the challenges of bringing on-premises forensics techniques to the cloud and show one solution to overcome these challenges, using [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/08/30/scalable-infrastructure-for-… ∗∗∗ [SANS ISC] Malware Dropping a Local Node.js Instance ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Malware Dropping a Local Node.js Instance“: Yesterday, I wrote a diary about misused Microsoft tools[1]. I just found another interesting piece of code. This time the malware is using Node.js[2]. --------------------------------------------- https://blog.rootshell.be/2019/08/30/sans-isc-malware-dropping-a-local-node… ∗∗∗ Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware ∗∗∗ --------------------------------------------- Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab and answering some of those questions by exploring malware debug information. We find that malware developers give descriptive names to their folders and code projects, often describing the capabilities of the malware in development. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Change Healthcare McKesson and Horizon Cardiology ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect default permissions vulnerability in Change Healthcares cardiology devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-01 ∗∗∗ Philips HDI 4000 Ultrasound ∗∗∗ --------------------------------------------- This advisory contains mitigations for a use of obsolete function vulnerability in Philips HDI 4000 Ultrasound Systems diagnostic tool. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-02 ∗∗∗ Cisco Firepower 4100 and 9300 Security Appliance Local Management Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the process for creating default IP blocks during device initialization for Cisco Firepower 4100 Series and Firepower 9300 Security Appliances running Cisco FXOS Software could allow an unauthenticated, remote attacker to send traffic to the local IP address of the device, bypassing any filters that are configured to deny local IP management traffic. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, gettext, go, go-pie, libnghttp2, and pigeonhole), Debian (djvulibre, dovecot, and subversion), Fedora (sleuthkit and wireshark), openSUSE (containerd, docker, docker-runc, and qbittorrent), Oracle (pango), SUSE (kernel, nodejs10, and python-SQLAlchemy), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/797938/ ∗∗∗ Linux kernel vulnerability CVE-2019-10639 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32804955 ∗∗∗ Avira Optimizer Local Privilege Escalation ∗∗∗ --------------------------------------------- https://posts.specterops.io/avira-optimizer-local-privilege-escalation-af10… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-za ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-z ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-websphere-cast-ir… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2019
by Daily end-of-shift report 29 Aug '19

29 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-08-2019 18:00 − Donnerstag 29-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Samples Compiling Their Next Stage on Premise, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly directly on the victim's computer. At a first point, it seems weird but, after all, its an interesting approach to bypass low-level detection mechanisms that look for PE files. --------------------------------------------- https://isc.sans.edu/diary/rss/25278 ∗∗∗ ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information ∗∗∗ --------------------------------------------- Despite having an apparent lull in the first half of 2019, phishing will remain a staple in a cybercriminal’s arsenal, and theyre not going to stop using it. The latest example is a phishing campaign dubbed Heatstroke, based on a variable found in their phishing kit code. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hQZwZfgZ7U/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Buffer Overflow in Dovecot-Mailserver ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Dovecot-Mailserver könnte es Angreifern erlauben, Code auszuführen. Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-buffer-overflow-in-dovecot-mail… ∗∗∗ Kritische Lücke mit Höchstwertung in Ciscos Betriebssystem ISO EX ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für verschiedene Betriebssystem-Versionen für Netzwerkgeräte von Cisco. --------------------------------------------- https://heise.de/-4509454 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and faad2), openSUSE (schismtracker), Red Hat (ceph and pango), Scientific Linux (pango), SUSE (apache-commons-beanutils, ceph, php7, and qemu), and Ubuntu (ceph, dovecot, and ghostscript). --------------------------------------------- https://lwn.net/Articles/797775/ ∗∗∗ Nextgen Gallery < 3.2.11 - SQL Injection ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9816 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-1543 in OpenSSL affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-master… ∗∗∗ External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/external-dns-requests-in-zyxel-u… ∗∗∗ Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/hardcoded-ftp-credentials-in-zyx… ∗∗∗ A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member webserver (HTTP Desync Attack) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50375550 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0004.html ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0768 ∗∗∗ Kubernetes: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0769 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2019
by Daily end-of-shift report 28 Aug '19

28 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-08-2019 18:00 − Mittwoch 28-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Dangerous Cryptomining Worm Racks Up 850K Infections, Self-Destructs ∗∗∗ --------------------------------------------- Law enforcement takedown causes Retadup malware to eat itself. --------------------------------------------- https://threatpost.com/cryptomining-worm-infections-self-destructs/147767/ ∗∗∗ [Guest Diary] Open Redirect: A Small But Very Common Vulnerability, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- This is a guest diary submitted by Jan Kopriva. Jan is working for Alef Nula (http://www.alef.com) and you can follow him on Twitter at @jk0pr --------------------------------------------- https://isc.sans.edu/diary/rss/25276 ∗∗∗ Extracting Certificates From the Windows Registry ∗∗∗ --------------------------------------------- I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. --------------------------------------------- https://blog.nviso.be/2019/08/28/extracting-certificates-from-the-windows-r… ∗∗∗ RAT Ratatouille: Backdooring PCs with leaked RATs ∗∗∗ --------------------------------------------- Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. --------------------------------------------- https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html ∗∗∗ Identitätsdiebstahl mit gefälschten Airbnb-Mails ∗∗∗ --------------------------------------------- Achtung: Kriminelle versenden erfundene Mails im Namen von Airbnb an zahlreiche Kundinnen und Kunden. Darin behaupten sie, dass das Konto gesperrt wurde und nun Kopien des Personalausweises, Selfies mit dem Ausweis neben dem Gesicht sowie eine handschriftliche Notiz zur Freischaltung notwendig wären. Die Nachricht muss ignoriert werden, andernfalls kommt es zu Identitätsmissbrauch! --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-mit-gefaelschte… ===================== = Vulnerabilities = ===================== ∗∗∗ Delta Controls enteliBUS Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigations for a buffer overflow vulnerability in Delta Controllers enteliBUS Controllers industrial control systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-01 ∗∗∗ Datalogic AV7000 Linear Barcode Scanner ∗∗∗ --------------------------------------------- This advisory contains mitigations for an authentication bypass using an alternate path vulnerability in Datalogics AV7000 Linear Barcode Scanners. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot), Fedora (docker and nghttp2), Oracle (pango), SUSE (apache2, fontforge, ghostscript-library, libreoffice, libvirt, podman, slirp4netns and libcontainers-common, postgresql10, and slurm), and Ubuntu (dovecot). --------------------------------------------- https://lwn.net/Articles/797579/ ∗∗∗ DLL Hijacking Flaw Patched in Check Point Endpoint Security ∗∗∗ --------------------------------------------- Researchers at SafeBreach discovered that Check Point’s Endpoint Security product is affected by a DLL hijacking vulnerability that can be exploited for privilege escalation and other purposes. read more --------------------------------------------- https://www.securityweek.com/dll-hijacking-flaw-patched-check-point-endpoin… ∗∗∗ CVE-2019-13609 - CRLF Vulnerability in Citrix License Server for Windows and VPX ∗∗∗ --------------------------------------------- A Carriage Return Line Feed (CRLF) injection vulnerability has been identified in Citrix License Server for Windows and VPX that could allow an unauthenticated attacker to bypass authentication and allow a malicious website to read or modify license server [...] --------------------------------------------- https://support.citrix.com/article/CTX257644 ∗∗∗ Realtek Managed Switch Controller RTL83xx Stack Overflow ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019080138 ∗∗∗ Security Advisory - Key Negotiation of Bluetooth (KNOB) Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190828-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a insecure Content-Security-Policy header vulnerability CVE-2019-4133 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily