- Daily - CERT.at

Tageszusammenfassung - 11.09.2019
by Daily end-of-shift report 11 Sep '19

11 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-09-2019 18:00 − Mittwoch 11-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ OpenDMARC: Aktiv ausgenutzte DMARC-Sicherheitslücke ohne Fix ∗∗∗ --------------------------------------------- Mitarbeiter von Protonmail haben in OpenDMARC eine Sicherheitslücke entdeckt, mit der sich die Signaturprüfung austricksen lässt. Angreifer haben die Lücke bereits für Phishingangriffe gegen Journalisten genutzt. OpenDMARC wird offenbar nicht weiterentwickelt und es gibt kein Update. --------------------------------------------- https://www.golem.de/news/opendmarc-aktiv-ausgenutzte-dmarc-sicherheitsluec… ∗∗∗ Office 365: prone to security breaches? ∗∗∗ --------------------------------------------- Author: Willem Zeeman "Office 365 again?". At the Forensics and Incident Response department of Fox-IT, this is heard often. Office 365 breach investigations are common at our department. You'll find that this blog post actually doesn't make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Office [...] --------------------------------------------- https://blog.fox-it.com/2019/09/11/office-365-prone-to-security-breaches/ ∗∗∗ NetCAT ∗∗∗ --------------------------------------------- NetCAT shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. --------------------------------------------- https://www.vusec.net/projects/netcat/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Angreifer attackieren Windows und machen sich zum Admin ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für Office, Windows & Co. veröffentlicht. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-4519699 ∗∗∗ Patchday: SAP behebt unter anderem kritische Lücke in NetWeaver ∗∗∗ --------------------------------------------- Am September-Patchday hat SAP zahlreiche Lücken geschlossen und überdies einige ältere Security Advisories aktualisiert. --------------------------------------------- https://heise.de/-4519758 ∗∗∗ Delta Electronics TPEditor ∗∗∗ --------------------------------------------- This advisory contains mitigations for stack-based buffer overflow, heap-based buffer overflow, and out-of-bounds write vulnerabilities in Delta Electronics TPEditor, a programming software for Delta text panels. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-253-01 ∗∗∗ OSIsoft PI SQL Client ∗∗∗ --------------------------------------------- This advisory contains mitigations for an integer overflow or wraparound vulnerability in OSIsofts PI SQL Client component interface. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-253-06 ∗∗∗ Intel Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 10, 2019Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit one of these vulnerabilities to gain an escalation of privileges on a previously infected machine. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/10/intel-releases-sec… ∗∗∗ OpenSSL Security Advisory [10 September 2019] ∗∗∗ --------------------------------------------- ECDSA remote timing attack (CVE-2019-1547) Fork Protection (CVE-2019-1549) Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) --------------------------------------------- https://openssl.org/news/secadv/20190910.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python38), openSUSE (nginx, nodejs10, nodejs8, python-Twisted, python-Werkzeug, SDL2_image, SDL_image, and util-linux and shadow), Oracle (firefox and nghttp2), Red Hat (.NET Core, firefox, kernel, libwmf, pki-deps:10.6, and poppler), Scientific Linux (firefox), SUSE (ghostscript, libgcrypt, podman, python-SQLAlchemy, qemu, and webkit2gtk3), and Ubuntu (curl, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, systemd, and tomcat8). --------------------------------------------- https://lwn.net/Articles/798966/ ∗∗∗ Citrix SD-WAN Security Update ∗∗∗ --------------------------------------------- CTX256918 NewApplicable Products : Citrix SD-WANMultiple denial of service vulnerabilities have been identified in the Citrix SD-WAN Appliance and Citrix SD-WAN Center Management Console. --------------------------------------------- https://support.citrix.com/article/CTX256918 ∗∗∗ IBM Security Bulletin: Spectrum Protect Operations Center vulnerable to Logjam (CVE-2015-4000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-spectrum-protect-oper… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.09.2019
by Daily end-of-shift report 10 Sep '19

10 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 09-09-2019 18:00 − Dienstag 10-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ How to Audit & Cleanup WordPress Plugins & Themes ∗∗∗ --------------------------------------------- In an interview with Smashing Magazine our CoFounder (now Head of Security Products at GoDaddy) Tony Perez was asked the following question. What Makes WordPress Vulnerable? "Here's the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS' popularity, with the end user thrown into the mix, make for a vulnerable website." --------------------------------------------- https://blog.sucuri.net/2019/09/wordpress-plugin-audit.html ∗∗∗ IoT Attack Opportunities Seen in the Cybercrime Underground ∗∗∗ --------------------------------------------- We looked into IoT-related discussions from several cybercrime underground communities. We found discussions ranging from tutorials to actual monetization schemes for IoT-related attacks. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/i588EjgxMnI/ ∗∗∗ When corporate communications look like a phish ∗∗∗ --------------------------------------------- Before organizations engage in gnashing of teeth over the "ignorant user" and the cost of training, think about how much email users encounter and whether corporate communications look like phishes themselves. --------------------------------------------- https://blog.malwarebytes.com/business-2/2019/09/when-corporate-communicati… ∗∗∗ Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study ∗∗∗ --------------------------------------------- Executive Summary Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. One of the dominant categories of evasion is anti-sandbox detection, simply because today’s sandboxes are becoming the fastest and easiest way to have an overview of the threat. --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-ma… ∗∗∗ Achung Phishing: betrügerische Raiffeisen E-Mails im Umlauf ∗∗∗ --------------------------------------------- Kriminelle behaupten Ihre Kreditkarte wäre gesperrt: Mit der neuen EU-Richtlinie als Vorwand, erhalten momentan zahlreiche Bank-Kundinnen und Kunden Phishing-Mails. Laut den E-Mails schreibt die Richtlinie angeblich die Bestätigung Ihrer persönlichen Daten vor. Der angeführte Link führt Sie jedoch auf eine gefälschte Login-Seite. Kriminelle erspähen Ihre Daten. --------------------------------------------- https://www.watchlist-internet.at/news/achung-phishing-betruegerische-raiff… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Application Manager (APSB19-45) and Adobe Flash Player (APSB19-46). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided "AS IS" with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1785 ∗∗∗ Multiple Vulnerabilities in Comba and D-Link Routers ∗∗∗ --------------------------------------------- There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-vu… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker.io, icedtea-web, and trafficserver), openSUSE (opera), Red Hat (bind, firefox, go-toolset:rhel8, kernel, nghttp2, and polkit), SUSE (buildah, curl, java-1_7_1-ibm, and skopeo), and Ubuntu (freetype, memcached, python2.7, python3.4, and python2.7, python3.5, python3.6, python3.7). --------------------------------------------- https://lwn.net/Articles/798883/ ∗∗∗ MISP 2.4.115 released (aka CVE-2019-16202 and sync speed improvement) ∗∗∗ --------------------------------------------- A new version of MISP (2.4.115) with a major security fix (CVE-2019-16202) and various small improvements has been released. We strongly recommend all MISP users update to this version. --------------------------------------------- https://www.misp-project.org/2019/09/10/MISP.2.4.115.released.html ∗∗∗ SSA-187667 (Last Update: 2019-09-10): DejaBlue Vulnerabilities - Siemens Healthineers Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-187667.pdf ∗∗∗ SSA-189842 (Last Update: 2019-09-10): TCP URGENT/11 Vulnerabilities in RUGGEDCOM Win ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-189842.pdf ∗∗∗ SSA-191683 (Last Update: 2019-09-10): Cross-Site Scripting Vulnerability in IE/WSN-PA Link WirelessHART Gateway ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-191683.pdf ∗∗∗ SSA-250618 (Last Update: 2019-09-10): Denial-of-Service Vulnerability in SIMATIC TDC CP51M1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-250618.pdf ∗∗∗ SSA-462066 (Last Update: 2019-09-10): Vulnerability known as TCP SACK PANIC in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf ∗∗∗ SSA-834884 (Last Update: 2019-09-10): Vulnerability in SINETPLAN ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-834884.pdf ∗∗∗ SSA-884497 (Last Update: 2019-09-10): Multiple Vulnerabilities in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf ∗∗∗ GnuPG vulnerability CVE-2019-13050 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08654551 ∗∗∗ Wireshark vulnerability CVE-2019-12295 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06725231 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2019
by Daily end-of-shift report 09 Sep '19

09 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-09-2019 18:00 − Montag 09-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 7 most common application backdoors ∗∗∗ --------------------------------------------- The popular adage "we often get in quicker by the back door than the front" has withstood the test of time even in our advanced, modern world. Application backdoors have become rampant in today's business environment, making it mandatory for us to take the same level of precaution we'd do to safeguard the backdoor [...] --------------------------------------------- https://resources.infosecinstitute.com/7-most-common-application-backdoors/ ∗∗∗ 'Purple Fox' Fileless Malware with Rookit Component Delivered by Rig Exploit Kit Now Abuses PowerShell ∗∗∗ --------------------------------------------- This new iteration of Purple Fox that we came across, also being delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component by abusing publicly available code. It now also eschews its use of NSIS in favor of abusing PowerShell, making Purple Fox capable of fileless infection. It also incorporated additional exploits to its infection chain, most likely as a foolproof mechanism to ensure that it can still infect the system. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/rRfjdvF4DOI/ ∗∗∗ Open Sourcing StringSifter ∗∗∗ --------------------------------------------- Malware analysts routinely use the Strings program during static analysis in order to inspect a binarys printable characters. However, identifying relevant strings by hand is time consuming and prone to human error. Larger binaries produce upwards of thousands of strings that can quickly evoke analyst fatigue, relevant strings occur less often than irrelevant ones, and the definition of "relevant" can vary significantly among analysts. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/09/open-sourcing-stringsif… ∗∗∗ BlueKeep Exploit Added to Metasploit ∗∗∗ --------------------------------------------- An initial public exploit targeting the recently addressed BlueKeep vulnerability in Microsoft Windows has been added to Rapid7's Metasploit framework. --------------------------------------------- https://www.securityweek.com/bluekeep-exploit-added-metasploit ∗∗∗ Kriminelle nützen Promis und Medien für Bitcoin-Betrug ∗∗∗ --------------------------------------------- Die Schadensummen reichen von etwa 200 Euro bis weit über 100.000 Euro: KonsumentInnen werden durch erfundene News-Artikel auf gefälschten Nachrichten-Websites zu Investments bei unseriösen Plattformen wie "Bitcoin Code", "Bitcoin Profit" oder "The News Spy" bewegt. Bekannte Persönlichkeiten wie Christoph Waltz oder Bill Gates und einflussreiche Medien wie orf.at oder Der Spiegel werden dabei von Kriminellen missbraucht, um Opfer [...] --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-nuetzen-promis-und-medien… ∗∗∗ Sicherheitsforscher warnen vor GPS-Uhren für Kinder: Sofort wegwerfen ∗∗∗ --------------------------------------------- Smartwatches für Kids mit horrender Sicherheit - Angreifer können mit Leichtigkeit, Heranwachsende und Eltern ausspionieren --------------------------------------------- https://www.derstandard.at/story/2000108423850/sicherheitsforscher-warnen-v… ∗∗∗ Telnet backdoor vulnerabilities impact over a million IoT radio devices ∗∗∗ --------------------------------------------- Devices can be remotely exploited as root without any need for user interaction. --------------------------------------------- https://www.zdnet.com/article/critical-vulnerabilities-impact-over-a-millio… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Denial-of-service vulnerabilities in some NETGEAR routers ∗∗∗ --------------------------------------------- The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely. --------------------------------------------- https://blog.talosintelligence.com/2019/09/vuln-spotlight-Netgear-N300-rout… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, ghostscript, libreoffice, and memcached), Fedora (chromium, grafana, kea, nsd, pdfbox, roundcubemail, and SDL), Gentoo (apache, dbus, exim, libsdl2, pango, perl, vlc, and webkit-gtk), Mageia (dovecot, giflib, golang, icedtea-web, irssi, java-1.8.0-openjdk, libgcrypt, libmspack, mercurial, monit, php, poppler, python-urllib3, rdesktop, SDL12, sdl2, sigil, sqlite3, subversion, tomcat, and zstd), openSUSE (chromium, exim, go1.12, httpie, [...] --------------------------------------------- https://lwn.net/Articles/798826/ ∗∗∗ LibreOffice: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/09/warn… ∗∗∗ Instagram - Open Redirect Vulnerability ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019090061 ∗∗∗ Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9872 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer, Watson Content Analytics and Watson Explorer Content Analytics Studio (CVE-2018-1890, CVE-2019-2426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2019
by Daily end-of-shift report 06 Sep '19

06 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-09-2019 18:00 − Freitag 06-09-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ GootKit Malware Bypasses Windows Defender by Setting Path Exclusions ∗∗∗ --------------------------------------------- As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-win… ∗∗∗ [SANS ISC] PowerShell Script with a builtin DLL ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “PowerShell Script with a builtin DLL“: Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution [...] --------------------------------------------- https://blog.rootshell.be/2019/09/06/sans-isc-powershell-script-with-a-buil… ∗∗∗ Thousands of servers infected with new Lilocked (Lilu) ransomware ∗∗∗ --------------------------------------------- Researchers spot new ransomware targeting Linux-based servers. --------------------------------------------- https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilock… ===================== = Vulnerabilities = ===================== ∗∗∗ Buffer Overflow: Exim-Sicherheitslücke beim Verarbeiten von TLS-Namen ∗∗∗ --------------------------------------------- Im Mailserver Exim wurde eine Sicherheitslücke gefunden, die Angreifern das Ausführen von Code ermöglicht. Ein Update steht bereit. --------------------------------------------- https://www.golem.de/news/buffer-overflow-exim-sicherheitsluecke-beim-verar… ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for a session fixation vulnerability reported in BD’s Pyxis medication management platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-248-01 ∗∗∗ Red Lion Controls Crimson ∗∗∗ --------------------------------------------- This advisory includes mitigations for use after free, improper restriction of operations within the bounds of a memory buffer, pointer issues, and use of hard-coded cryptographic key vulnerabilities in the Red Lion Controls Crimson software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-248-01 ∗∗∗ MS-ISAC Releases Advisory on PHP Vulnerabilities ∗∗∗ --------------------------------------------- Original release date: September 5, 2019The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/05/ms-isac-releases-a… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow). --------------------------------------------- https://lwn.net/Articles/798600/ ∗∗∗ Nagios Enterprises Nagios XI: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0790 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2019
by Daily end-of-shift report 05 Sep '19

05 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-09-2019 18:00 − Donnerstag 05-09-2019 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Android Zero-Day Bug Does Not Make It on Google's Fix List ∗∗∗ --------------------------------------------- Google yesterday rolled out security patches for the Android mobile operating system but did not include the fix for at least one bug that enables increasing permissions to kernel level. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-zero-day-bug-does-no… ∗∗∗ WordPress 5.2.3 Released with Security and Bug Fixes ∗∗∗ --------------------------------------------- WordPress 5.2.3 has been released and includes fixes for six vulnerabilities and 29 bugs or enhancements. As WordPress is a common target for threat actors looking to host their malicious campaigns, it is important that all WordPress users upgrade to the latest release as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-523-released-with-… ∗∗∗ Unifying: Sicherheitsupdate für Logitech-Tastaturen umgangen ∗∗∗ --------------------------------------------- Mit einem einfachen Trick kann ein Sicherheitsupdate von Logitech umgangen werden. Damit lassen sich weiterhin Eingaben von kabellosen Tastaturen abgreifen - oder Schadcode eintippen. Dabei hatte Logitech nicht einmal alle Sicherheitslücken behoben. --------------------------------------------- https://www.golem.de/news/unifying-sicherheitsupdate-fuer-logitech-tastatur… ∗∗∗ Das Smart‑Ding‑Dilemma ∗∗∗ --------------------------------------------- Vom 6.-11. September 2019 öffnet die Internationale Funkausstellung (IFA) in Berlin wieder ihre Pforten. Auch diesjährig wird das Thema "Vollvernetzung" die Messehallen beherrschen. Doch wie steht es nun, ein Jahr weiter, um die Sicherheit? --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/09/05/das-smart-ding-dilemma/ ∗∗∗ henrikson-research.de: Umfrage führt zu Geldwäsche in Ihrem Namen! ∗∗∗ --------------------------------------------- Auf diversen Job-Portalen stoßen Sie momentan auf Ausschreibungen einer HENRIKSON Research GmbH. Schon bei der Registrierung verlangt man Ihre Ausweiskopie sowie Selfies mit Pass oder Personalausweis. Melden Sie sich hier nicht an! Kriminelle stehlen Ihre Daten und tarnen die Eröffnung eines Bankkontos in Ihrem Namen als bezahlte Umfrage. --------------------------------------------- https://www.watchlist-internet.at/news/henrikson-researchde-umfrage-fuehrt-… ∗∗∗ Betrügerische Angebote für Cineplexx-Gutscheine locken in die Abo-Falle ∗∗∗ --------------------------------------------- Mit Facebook-Anzeigen und über Facebook-Messenger werben Kriminelle für ein Gewinnspiel. Angeblich können Cineplexx-Geschenkgutscheine gewonnen werden. Das Gewinnspiel gibt es nicht. Die Kriminellen locken in eine Abofalle und sind auf Kreditkartendaten aus! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-angebote-fuer-cineple… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Cisco sichert macOS- und Windows-Software ab – und noch mehr ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Cisco-Produkte. Angreifer könnten Schadcode auf Systemen ausführen. --------------------------------------------- https://heise.de/-4514009 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (systemd), openSUSE (go1.11, python-Twisted, SDL2_image, SDL_image, and wavpack), Oracle (kdelibs and kde-settings, kernel, and qemu-kvm), Red Hat (chromium-browser and firefox), Slackware (seamonkey), SUSE (java-1_8_0-ibm, kernel, and python-urllib3), and Ubuntu (firefox and npm/fstream). --------------------------------------------- https://lwn.net/Articles/798487/ ∗∗∗ Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-cisc… ∗∗∗ Various 3rd Party Vulnerabilities - PSA-2019-09-04 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2019-09-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2019
by Daily end-of-shift report 04 Sep '19

04 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-09-2019 18:00 − Mittwoch 04-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacked SharePoint Sites Used to Bypass Secure Email Gateways ∗∗∗ --------------------------------------------- Phishers behind a new campaign have switched to using compromised SharePoint sites and OneNote documents to redirect potential victims from the banking sector to their landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-sharepoint-sites-used… ∗∗∗ Half of Android Handsets Susceptible to Clever SMS Phishing Attack ∗∗∗ --------------------------------------------- Researchers say an attacker could send a rogue over-the-air provisioning message to susceptible phones and route all internet traffic through a hacker-controlled proxy. --------------------------------------------- https://threatpost.com/half-of-android-handsets-susceptible-to-clever-sms-p… ∗∗∗ BRATA Android RAT Steals Banking Info in Real Time ∗∗∗ --------------------------------------------- The RAT targets users via fake WhatsApp updates in Google Play. --------------------------------------------- https://threatpost.com/brata-android-rat-steals-banking-info/148003/ ∗∗∗ ENISA: Secure Group Communications for incident response and operational communities ∗∗∗ --------------------------------------------- This document serves as a starting point for incident response communities to conduct their own evaluation and see how the various communication tools can fit their sizes and needs. --------------------------------------------- https://www.enisa.europa.eu/publications/secure-group-communications ∗∗∗ Spam In your Calendar? Here’s What to Do. ∗∗∗ --------------------------------------------- Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Heres a brief primer on what you can do about it. --------------------------------------------- https://krebsonsecurity.com/2019/09/spam-in-your-calendar-heres-what-to-do/ ===================== = Vulnerabilities = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 4, 2019 The Samba Team has released security updates to address a vulnerability in all versions of Samba from 4.9.0 onward. An attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/04/samba-releases-sec… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t. These releases will be made available on 10th September 2019 between approximately 1200-1600 UTC. These are security fix releases. The highest severity security issue fixed by these releases is rated as LOW. --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2019-September/000156.ht… ∗∗∗ Android Security Bulletin - September 2019 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2019-09-01.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (grafana, irssi, and jenkins), Debian (freetype, samba, and varnish), Fedora (community-mysql, kernel, kernel-headers, kernel-tools, and python-mitogen), openSUSE (postgresql10 and python-SQLAlchemy), Oracle (kdelibs and kde-settings and squid:4), Red Hat (kdelibs and kde-settings, kernel, kernel-rt, openstack-nova, qemu-kvm, and redis), Scientific Linux (kdelibs and kde-settings, kernel, and qemu-kvm), SUSE (ansible, java-1_7_1-ibm, libosinfo, [...] --------------------------------------------- https://lwn.net/Articles/798357/ ∗∗∗ Security Advisory - Version Downgrade Vulnerabilities on Smartphones and HiSuite ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190904-… ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4149) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.09.2019
by Daily end-of-shift report 03 Sep '19

03 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 02-09-2019 18:00 − Dienstag 03-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Nemty Ransomware Gets Distribution from RIG Exploit Kit ∗∗∗ --------------------------------------------- The operators of Nemty ransomware appear to have struck a distribution deal to target systems with outdated technology that can still be infected by exploit kits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distri… ∗∗∗ Fake BleachBit Website Built to Distribute AZORult Info Stealer ∗∗∗ --------------------------------------------- Cybercriminals are taking advantage of the popularity of the BleachBit disk cleaning tool to spread Azorult information stealer. For this purpose, they created a static web page that purports to be the official website for the utility. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-bleachbit-website-built… ∗∗∗ Credential Management and Enforcement for ICS/SCADA environments ∗∗∗ --------------------------------------------- In the world of Operational Technology (OT), Industrial Control Systems (ICS) comprise the majority of the segment. Where ICS assets are dispersed and require centralized data acquisition and control, Supervisory Control and Data Acquisition (SCADA) systems are used. --------------------------------------------- https://resources.infosecinstitute.com/credential-management-and-enforcemen… ∗∗∗ Ratgeber vom Hersteller: So erkennt man gehackte Cisco-Geräte ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat vier Guides für verschiedene Software veröffentlicht, die helfen sollen, Hinweise auf mögliche Kompromittierungen zu finden. --------------------------------------------- https://heise.de/-4512704 ∗∗∗ Meet Domen, a New and Sophisticated Social Engineering Toolkit ∗∗∗ --------------------------------------------- A new social engineering toolkit has been discovered. The operational premise has been used many times, but the execution of that premise is new and described by security researchers "a beautiful piece of work". --------------------------------------------- https://www.securityweek.com/meet-domen-new-and-sophisticated-social-engine… https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2019… ∗∗∗ Diese Kleinanzeigen-Betrugsmasche sollten Sie kennen ∗∗∗ --------------------------------------------- BetrügerInnen versuchen auf Online-Marktplätzen wie willhaben, shpock und Co, ohne Bezahlung an Ihre Ware zu kommen. Sie geben sich als vermeintliche Zahlungsdienstleister und Zwischenvermittler aus und senden Ihnen eine gefälschte Zahlungsbestätigung. Das Geld wird angeblich erst für Sie freigegeben, wenn Sie den zu viel überwiesenen Betrag für das Speditionsunternehmen oder eine Versandbestätigung des Paketes übermitteln. --------------------------------------------- https://www.watchlist-internet.at/news/diese-kleinanzeigen-betrugsmasche-so… ===================== = Vulnerabilities = ===================== ∗∗∗ 'USBAnywhere' Bugs Open Supermicro Servers to Remote Attackers ∗∗∗ --------------------------------------------- Trivial-to-exploit authentication flaws can give an unsophisticated remote attacker omnipotent control over a server and its contents. --------------------------------------------- https://threatpost.com/usbanywhere-bugs-supermicro-remote-attack/147899/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Fedora (ansible and wavpack), openSUSE (apache-commons-beanutils, apache2, go1.12, httpie, libreoffice, qemu, and slurm), Oracle (ghostscript), Scientific Linux (ghostscript), SUSE (ardana-ansible, ardana-barbican, ardana-cinder, ardana-cluster, ardana-cobbler, ardana-db, ardana-designate, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-horizon, ardana-input-model, ardana-installer-ui, ardana-ironic, ardana-keystone, ardana-logging, [...] --------------------------------------------- https://lwn.net/Articles/798225/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2019
by Daily end-of-shift report 02 Sep '19

02 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-08-2019 18:00 − Montag 02-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sodinokibi Ransomware Spreads via Fake Forums on Hacked Sites ∗∗∗ --------------------------------------------- A distributor for the Sodinokibi Ransomware is hacking into WordPress sites and injecting JavaScript that displays a fake Q & A forum post over the content of the original site. This fake post contains an "answer" from the sites "admin" that contains a link to the ransomware installer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spread… ∗∗∗ Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps ∗∗∗ --------------------------------------------- Walled-garden Android platform security easily copied Facebook has insisted that losing control of the private key used to sign its Facebook Basics app is no biggie despite totally unrelated apps from other vendors, signed with the same key, popping up in unofficial repositories. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2019/09/02/facebook_ba… ∗∗∗ Analyse: Was bedeutet der iPhone-Massen-Hack? ∗∗∗ --------------------------------------------- Tausende iPhones wurden beim Besuch scheinbar harmloser Web-Sites gehackt. Wer steckt dahinter und wie schütze ich mich? --------------------------------------------- https://heise.de/-4511921 ∗∗∗ TrickBot Tricks U.S. Users into Sharing their PIN Codes ∗∗∗ --------------------------------------------- The threat actor behind the infamous TrickBot botnet has added new functionality to their malware to request PIN codes from mobile users, Secureworks reports. --------------------------------------------- https://www.securityweek.com/trickbot-tricks-us-users-sharing-their-pin-cod… ∗∗∗ WordPress sites under attack as hacker group tries to create rogue admin accounts ∗∗∗ --------------------------------------------- Hackers exploit vulnerabilities in more than ten WordPress plugins to plant backdoor accounts on unpatched sites. --------------------------------------------- https://www.zdnet.com/article/wordpress-sites-under-attack-as-hacker-group-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gosa, libav, libextractor, nghttp2, pump, and python2.7), Fedora (dovecot, mod_http2, and pango), Gentoo (dovecot, gnome-desktop, libofx, and nautilus), Mageia (ansible, ghostscript, graphicsmagick, memcached, mpg123, pango, vlc, wavpack, webmin, wireshark, and wpa_supplicant, hostapd), openSUSE (flatpak, libmirage, podman, slirp4netns and libcontainers-common, python-SQLAlchemy, and qemu), Red Hat (ghostscript, java-1.8.0-ibm, and squid:4), and SUSE [...] --------------------------------------------- https://lwn.net/Articles/798143/ ∗∗∗ Panasonic Video Insight VMS vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN93833849/ ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Local File inclusion ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47340 ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47339 ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47338 ∗∗∗ IBM Security Bulletin: Password vulnerability in IBM® Intelligent Operations Center (CVE-2019-4321) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2019
by Daily end-of-shift report 30 Aug '19

30 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-08-2019 18:00 − Freitag 30-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows 7: Update-Blockade für Symantec-Nutzer aufgehoben ∗∗∗ --------------------------------------------- Microsoft hat Windows-Updates wieder für Nutzer von Symantec Endpoint Protection freigegeben. --------------------------------------------- https://heise.de/-4509981 ∗∗∗ CERT-Bund warnt vor offenen Smarthome-Systemen ∗∗∗ --------------------------------------------- Fast 3000 Homematic-Systeme sind offenbar aus dem Internet erreichbar -- die meisten davon lassen sich beliebig fernsteuern. --------------------------------------------- https://heise.de/-4509977 ∗∗∗ It Saved Our Community: 16 Realistic Ransomware Defenses for Cities ∗∗∗ --------------------------------------------- Practical steps municipal governments can take to better prevent and respond to ransomware infections. --------------------------------------------- https://www.darkreading.com/edge/theedge/it-saved-our-community-16-realisti… ∗∗∗ A very deep dive into iOS Exploit chains found in the wild ∗∗∗ --------------------------------------------- Posted by Ian Beer, Project ZeroProject Zero’s mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere. Earlier this year Googles Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-ex… ∗∗∗ Scalable infrastructure for investigations and incident response ∗∗∗ --------------------------------------------- Traditional computer forensics and cyber investigations are as relevant in the cloud as they are in on-premise environments, but the methods in which to access and perform such investigations differ. This post will describe some of the challenges of bringing on-premises forensics techniques to the cloud and show one solution to overcome these challenges, using [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/08/30/scalable-infrastructure-for-… ∗∗∗ [SANS ISC] Malware Dropping a Local Node.js Instance ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Malware Dropping a Local Node.js Instance“: Yesterday, I wrote a diary about misused Microsoft tools[1]. I just found another interesting piece of code. This time the malware is using Node.js[2]. --------------------------------------------- https://blog.rootshell.be/2019/08/30/sans-isc-malware-dropping-a-local-node… ∗∗∗ Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware ∗∗∗ --------------------------------------------- Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab and answering some of those questions by exploring malware debug information. We find that malware developers give descriptive names to their folders and code projects, often describing the capabilities of the malware in development. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Change Healthcare McKesson and Horizon Cardiology ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect default permissions vulnerability in Change Healthcares cardiology devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-01 ∗∗∗ Philips HDI 4000 Ultrasound ∗∗∗ --------------------------------------------- This advisory contains mitigations for a use of obsolete function vulnerability in Philips HDI 4000 Ultrasound Systems diagnostic tool. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-02 ∗∗∗ Cisco Firepower 4100 and 9300 Security Appliance Local Management Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the process for creating default IP blocks during device initialization for Cisco Firepower 4100 Series and Firepower 9300 Security Appliances running Cisco FXOS Software could allow an unauthenticated, remote attacker to send traffic to the local IP address of the device, bypassing any filters that are configured to deny local IP management traffic. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, gettext, go, go-pie, libnghttp2, and pigeonhole), Debian (djvulibre, dovecot, and subversion), Fedora (sleuthkit and wireshark), openSUSE (containerd, docker, docker-runc, and qbittorrent), Oracle (pango), SUSE (kernel, nodejs10, and python-SQLAlchemy), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/797938/ ∗∗∗ Linux kernel vulnerability CVE-2019-10639 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32804955 ∗∗∗ Avira Optimizer Local Privilege Escalation ∗∗∗ --------------------------------------------- https://posts.specterops.io/avira-optimizer-local-privilege-escalation-af10… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-za ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-z ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-websphere-cast-ir… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2019
by Daily end-of-shift report 29 Aug '19

29 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-08-2019 18:00 − Donnerstag 29-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Samples Compiling Their Next Stage on Premise, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly directly on the victim's computer. At a first point, it seems weird but, after all, its an interesting approach to bypass low-level detection mechanisms that look for PE files. --------------------------------------------- https://isc.sans.edu/diary/rss/25278 ∗∗∗ ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information ∗∗∗ --------------------------------------------- Despite having an apparent lull in the first half of 2019, phishing will remain a staple in a cybercriminal’s arsenal, and theyre not going to stop using it. The latest example is a phishing campaign dubbed Heatstroke, based on a variable found in their phishing kit code. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hQZwZfgZ7U/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Buffer Overflow in Dovecot-Mailserver ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Dovecot-Mailserver könnte es Angreifern erlauben, Code auszuführen. Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-buffer-overflow-in-dovecot-mail… ∗∗∗ Kritische Lücke mit Höchstwertung in Ciscos Betriebssystem ISO EX ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für verschiedene Betriebssystem-Versionen für Netzwerkgeräte von Cisco. --------------------------------------------- https://heise.de/-4509454 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and faad2), openSUSE (schismtracker), Red Hat (ceph and pango), Scientific Linux (pango), SUSE (apache-commons-beanutils, ceph, php7, and qemu), and Ubuntu (ceph, dovecot, and ghostscript). --------------------------------------------- https://lwn.net/Articles/797775/ ∗∗∗ Nextgen Gallery < 3.2.11 - SQL Injection ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9816 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-1543 in OpenSSL affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-master… ∗∗∗ External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/external-dns-requests-in-zyxel-u… ∗∗∗ Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/hardcoded-ftp-credentials-in-zyx… ∗∗∗ A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member webserver (HTTP Desync Attack) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50375550 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0004.html ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0768 ∗∗∗ Kubernetes: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0769 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2019
by Daily end-of-shift report 28 Aug '19

28 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-08-2019 18:00 − Mittwoch 28-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Dangerous Cryptomining Worm Racks Up 850K Infections, Self-Destructs ∗∗∗ --------------------------------------------- Law enforcement takedown causes Retadup malware to eat itself. --------------------------------------------- https://threatpost.com/cryptomining-worm-infections-self-destructs/147767/ ∗∗∗ [Guest Diary] Open Redirect: A Small But Very Common Vulnerability, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- This is a guest diary submitted by Jan Kopriva. Jan is working for Alef Nula (http://www.alef.com) and you can follow him on Twitter at @jk0pr --------------------------------------------- https://isc.sans.edu/diary/rss/25276 ∗∗∗ Extracting Certificates From the Windows Registry ∗∗∗ --------------------------------------------- I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. --------------------------------------------- https://blog.nviso.be/2019/08/28/extracting-certificates-from-the-windows-r… ∗∗∗ RAT Ratatouille: Backdooring PCs with leaked RATs ∗∗∗ --------------------------------------------- Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. --------------------------------------------- https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html ∗∗∗ Identitätsdiebstahl mit gefälschten Airbnb-Mails ∗∗∗ --------------------------------------------- Achtung: Kriminelle versenden erfundene Mails im Namen von Airbnb an zahlreiche Kundinnen und Kunden. Darin behaupten sie, dass das Konto gesperrt wurde und nun Kopien des Personalausweises, Selfies mit dem Ausweis neben dem Gesicht sowie eine handschriftliche Notiz zur Freischaltung notwendig wären. Die Nachricht muss ignoriert werden, andernfalls kommt es zu Identitätsmissbrauch! --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-mit-gefaelschte… ===================== = Vulnerabilities = ===================== ∗∗∗ Delta Controls enteliBUS Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigations for a buffer overflow vulnerability in Delta Controllers enteliBUS Controllers industrial control systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-01 ∗∗∗ Datalogic AV7000 Linear Barcode Scanner ∗∗∗ --------------------------------------------- This advisory contains mitigations for an authentication bypass using an alternate path vulnerability in Datalogics AV7000 Linear Barcode Scanners. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot), Fedora (docker and nghttp2), Oracle (pango), SUSE (apache2, fontforge, ghostscript-library, libreoffice, libvirt, podman, slirp4netns and libcontainers-common, postgresql10, and slurm), and Ubuntu (dovecot). --------------------------------------------- https://lwn.net/Articles/797579/ ∗∗∗ DLL Hijacking Flaw Patched in Check Point Endpoint Security ∗∗∗ --------------------------------------------- Researchers at SafeBreach discovered that Check Point’s Endpoint Security product is affected by a DLL hijacking vulnerability that can be exploited for privilege escalation and other purposes. read more --------------------------------------------- https://www.securityweek.com/dll-hijacking-flaw-patched-check-point-endpoin… ∗∗∗ CVE-2019-13609 - CRLF Vulnerability in Citrix License Server for Windows and VPX ∗∗∗ --------------------------------------------- A Carriage Return Line Feed (CRLF) injection vulnerability has been identified in Citrix License Server for Windows and VPX that could allow an unauthenticated attacker to bypass authentication and allow a malicious website to read or modify license server [...] --------------------------------------------- https://support.citrix.com/article/CTX257644 ∗∗∗ Realtek Managed Switch Controller RTL83xx Stack Overflow ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019080138 ∗∗∗ Security Advisory - Key Negotiation of Bluetooth (KNOB) Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190828-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a insecure Content-Security-Policy header vulnerability CVE-2019-4133 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2019
by Daily end-of-shift report 27 Aug '19

27 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 26-08-2019 18:00 − Dienstag 27-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ macOS: Zurückgelassene Helper-Tools als Sicherheitsproblem ∗∗∗ --------------------------------------------- "Privileged Helper Tools" können es Mac-Malware erlauben, Root-Rechte zu erlangen, warnt ein Entwickler. Nutzer sollten zum Schutz selbst aktiv werden. --------------------------------------------- https://heise.de/-4507656 ∗∗∗ Mobile Menace Monday: Android Trojan raises xHelper ∗∗∗ --------------------------------------------- Since its introduction in May 2019, the xHelper dropper, an Android Trojan, has climbed to our top 10 list of most detected mobile malware. --------------------------------------------- https://blog.malwarebytes.com/android/2019/08/mobile-menace-monday-android-… ∗∗∗ New 4CAN tool helps identify vulnerabilities in on-board car computers ∗∗∗ --------------------------------------------- Modern automobiles contain hundreds of sensors and mechanics that communicate via computers to understand their surrounding environment. Those components provide real-time information to drivers, connect the vehicle to a global network, and in some cases use that telemetry to automatically drive the vehicle. Like any computer, those in vehicles are susceptible to threats, such as vulnerabilities in software ... --------------------------------------------- https://blog.talosintelligence.com/2019/08/new-4can-tool-helps-identify.html ∗∗∗ Free Decryption Tool Released for Syrk Ransomware ∗∗∗ --------------------------------------------- Security researchers have released a decryption tool which victims of Syrk ransomware can use to recover their files for free. Emsisoft found that Syrk arrived with its own decryptor, but the security firm decided to release its own utility for three reasons. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/free-de… ∗∗∗ Lojack’d: Pwning Smart vehicle trackers ∗∗∗ --------------------------------------------- This research is by @evstykas with help from @Yekki_1 and @TheKenMunroShow. Many car insurers insist that smart trackers are fitted to high end vehicles. In the event of theft, the car can be tracked and recovered. Probably the most well-known is LoJack, also known as Tracker in Europe. --------------------------------------------- https://www.pentestpartners.com/security-blog/lojackd-pwning-smart-vehicle-… ∗∗∗ Aufgepasst: Es kursieren gefährliche Raiffeisen-Phishing-Mails ∗∗∗ --------------------------------------------- Aktuell sind wieder Phishing-Mails im Namen der Raiffeisen Bank unterwegs. Angeblich ist eine Nachricht für Sie eingegangen. Um diese zu lesen, werden Sie aufgefordert, einem Link zu folgen. Sie landen auf einem Nachbau der Raiffeisen-Login-Seite. Kriminelle versuchen so, an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/aufgepasst-es-kursieren-gefaehrliche… ===================== = Vulnerabilities = ===================== ∗∗∗ Betriebssystem: Apple patcht WatchOS und iOS ∗∗∗ --------------------------------------------- Nutzer von Apples mobilen Betriebssystemen haben gegebenenfalls eine Update-Benachrichtigung auf ihren Geräten. Apple hat sowohl für die Apple Watch als auch für iPhone, iPod Touch und iPad ein neues Betriebssystem freigegeben. Unter iOS wird dabei auch eine Sicherheitslücke geschlossen. --------------------------------------------- https://www.golem.de/news/betriebssystem-apple-patcht-watchos-und-ios-1908-… ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 76.0.3809.132 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/08/27/google-releases-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and xymon), openSUSE (putty and vlc), Red Hat (kernel and ruby), Scientific Linux (advancecomp, bind, binutils, blktrace, compat-libtiff3, curl, dhcp, elfutils, exempi, exiv2, fence-agents, freerdp and vinagre, ghostscript, glibc, gvfs, http-parser, httpd, kde-workspace, keepalived, kernel, keycloak-httpd-client-install, libarchive, libcgroup, libguestfs-winsupport, libjpeg-turbo, libmspack, libreoffice, libsolv, libssh2, libtiff, libvirt, ... --------------------------------------------- https://lwn.net/Articles/797442/ ∗∗∗ IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to a denial of service (CVE-2019-10072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-tomcat-as-used… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2019
by Daily end-of-shift report 26 Aug '19

26 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-08-2019 18:00 − Montag 26-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing-Mail: Keine 1.957,05 Euro Rückzahlung vom Finanzministerium! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische Phishing-Mails im Namen des Bundesministeriums für Finanzen (BMF), in denen sie Konsument/innen über eine angebliche Rückzahlung über 1957 Euro informieren. Empfänger/innen dürfen den Links in der Nachricht nicht folgen und keine Daten bekanntgeben. Sie landen in den Händen Krimineller und können für weitere Verbrechen missbraucht werden. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-keine-195705-euro-ruec… ∗∗∗ Lenovo Crapware: Vorinstallierte Systemsoftware macht Laptops angreifbar ∗∗∗ --------------------------------------------- Wer noch das Lenovo Solution Center auf seinem System hat, sollte es schnellstmöglich deinstallieren. --------------------------------------------- https://heise.de/-4505088 ∗∗∗ Jetzt patchen! Exploit-Code für Cisco-Switches in Umlauf ∗∗∗ --------------------------------------------- Es könnten Angriffe auf Switches von Cisco bevorstehen. Sicherheitsupdates gibt es bereits seit Anfang August. --------------------------------------------- https://heise.de/-4505182 ∗∗∗ Attackers are targeting vulnerable Fortigate and Pulse Secure SSL VPNs ∗∗∗ --------------------------------------------- Attackers are taking advantage of recently released vulnerability details and PoC exploit code to extract private keys and user passwords from vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations. About the vulnerabilities Attackers have been scanning for and targeting two vulnerabilities: CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal. --------------------------------------------- https://www.helpnetsecurity.com/2019/08/26/vulnerable-fortigate-pulse-secur… ∗∗∗ Malicious WordPress Redirect Campaign Attacking Several Plugins ∗∗∗ --------------------------------------------- Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations. --------------------------------------------- https://www.wordfence.com/blog/2019/08/malicious-wordpress-redirect-campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, libreoffice-still, nginx, nginx-mainline, and subversion), Debian (commons-beanutils, h2o, libapache2-mod-auth-openidc, libmspack, qemu, squid, and tiff), Fedora (kubernetes, libmodbus, nfdump, and nodejs), openSUSE (dkgpg, libTMCG, go1.12, neovim, python, qbittorrent, schismtracker, teeworlds, thunderbird, and zstd), and SUSE (go1.11, go1.12, python-SQLAlchemy, and python-Twisted). --------------------------------------------- https://lwn.net/Articles/797286/ ∗∗∗ IBM Security Bulletin: IBM Db2 Mirror for i is affected by CVE-2019-4536 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-mirror-for-i-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a forbidden resouce redirect for bad API path CVE-2019-4132 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2019
by Daily end-of-shift report 23 Aug '19

23 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-08-2019 18:00 − Freitag 23-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Many Possibilities of CVE-2019-8646 ∗∗∗ --------------------------------------------- CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use this bug. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/the-many-possibilities-of-cv… ∗∗∗ Instagram phishing uses 2FA as a lure ∗∗∗ --------------------------------------------- If the phishing page looks OK, and it has an HTTPS padlock, how are you supposed to spot phishes these days? --------------------------------------------- https://nakedsecurity.sophos.com/2019/08/23/instagram-phishing-uses-2fa-as-… ∗∗∗ Simple Mimikatz & RDPWrapper Dropper, (Thu, Aug 22nd) ∗∗∗ --------------------------------------------- Let's review a malware sample that I spotted a few days ago. I found it interesting because it's not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started to hunt for more Powershell based on encoded directives. The following regular expression matched on the file: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25262 ∗∗∗ Sommerferien vorbei – Emotet ist zurück ∗∗∗ --------------------------------------------- Seit Freitag früh sind die Server der wohl gefährlichsten Cybercrime-Bande wieder aktiv. --------------------------------------------- https://heise.de/-4503467 ∗∗∗ Hackers Target Vulnerabilities in Fortinet, Pulse Secure Products ∗∗∗ --------------------------------------------- Recently disclosed vulnerabilities affecting enterprise virtual private network (VPN) products from Fortinet and Pulse Secure have been exploited in the wild, a researcher reported on Thursday. --------------------------------------------- https://www.securityweek.com/hackers-target-vulnerabilities-fortinet-pulse-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, nginx, and openjdk-7), Fedora (httpd, mod_md, nghttp2, and patch), and SUSE (rubygem-loofah). --------------------------------------------- https://lwn.net/Articles/797049/ ∗∗∗ PrivEsc in Lenovo Solution Centre, 10 minutes later ∗∗∗ --------------------------------------------- CVE-2019-6177 – Lenovo Solution Centre Privilege Escalation. Slow, but sure. TL;DR We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices. Lenovo say LSC has been shipped since 2011, but haven’t been clear about when they stopped shipping it by default with new devices. --------------------------------------------- https://www.pentestpartners.com/security-blog/privesc-in-lenovo-solution-ce… ∗∗∗ IBM Security Bulletin: Remote Execution Vulnerability Affects Red Hat Linux Used By IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter (CVE-2019-12735) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-remote-execution-vuln… ∗∗∗ Spectre SWAPGS gadget vulnerability CVE-2019-1125 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31085564 ∗∗∗ HPESBUX03950 rev.1 - HP-UX Web Server Suite running Apache on HP-UX 11iv3, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2019
by Daily end-of-shift report 22 Aug '19

22 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-08-2019 18:00 − Donnerstag 22-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ICS Protocols ∗∗∗ --------------------------------------------- ICS stands for Industrial Control Systems. ICS is a generic term used to describe various control systems and their instrumentation, used for controlling and monitoring industrial processes. ICS basically integrates hardware, software and their network connectivity for running and supporting critical infrastructure. ICS systems get data from remote sensors and send commands to the [...] --------------------------------------------- https://resources.infosecinstitute.com/ics-protocols/ ∗∗∗ Nach dem Datenleck: Mastercard benachrichtigt Kunden ∗∗∗ --------------------------------------------- Nachdem in den vergangenen Tagen Daten von Mastercard-Kunden im Internet auftauchten, hat das Unternehmen nun weitere Informationen per Mail verschickt. --------------------------------------------- https://heise.de/-4502408 ∗∗∗ KNOB-Attacke: Apple liefert Patch gegen Bluetooth-Schwachstelle ∗∗∗ --------------------------------------------- In der jüngsten Version der Betriebssysteme hat Apple eine grundlegende Schwachstelle ausgeräumt, die ein Knacken der Bluetooth-Verschlüsselung ermöglicht. --------------------------------------------- https://heise.de/-4503139 ∗∗∗ Android‑Spyware im Google Play Store aufgetaucht ∗∗∗ --------------------------------------------- ESET-Forscher entdeckten gleich zweimal Android-Spyware im Google Play Store. Die erste ihrer Art, die auf der Open-Source RAT-Software AhMyth aufbaut. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/08/22/android-spyware-google-pl… ∗∗∗ Hinter modellbau-billiger.de steckt Betrug ∗∗∗ --------------------------------------------- Modellbau-Fans stoßen auf der Suche nach Modelleisenbahnen, ferngesteuerten Autos, Flugzeugen oder Drohnen womöglich auf den Fake-Shop modellbau-billiger.de. Die Kriminellen nutzen dabei die Impressumsdaten eines seriösen Unternehmens, um Vertrauen zu stiften. Hier darf nichts bestellt werden. Die Zahlungen per Vorkasse sind verloren! --------------------------------------------- https://www.watchlist-internet.at/news/hinter-modellbau-billigerde-steckt-b… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt updaten: Cisco schließt 27 Sicherheitslücken in diversen Produkten ∗∗∗ --------------------------------------------- Vor allem Nutzer von Ciscos IMC Supervisor und UCS Director sollten einen Blick auf die aktuellen Sicherheitshinweise werfen. Kritische Lücken wurden gefixt. --------------------------------------------- https://heise.de/-4502617 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (nginx), openSUSE (ImageMagick and putty), Red Hat (Ansible, atomic-openshift-web-console, ceph, and qemu-kvm-rhev), SUSE (kvm, libssh2_org, postgresql96, qemu, and wavpack), and Ubuntu (libzstd and openjpeg2). --------------------------------------------- https://lwn.net/Articles/796949/ ∗∗∗ IBM Security Bulletin: IBM Security Access Manager for Enterprise Single-Sign On is affected by an XML External Entity Injection (XXE) vulnerability (CVE-2019-4513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-access-m… ∗∗∗ IBM Security Bulletin: This Power System update is being released to address CVE-2019-4169 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-this-power-system-upd… ∗∗∗ IBM Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU – Oct 2018 – Includes Oracle Oct.2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletinibm-sdk-java-technolog… ∗∗∗ Multiple Vulnerabilities in OpenPGP.js ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-open… ∗∗∗ HPESBST03951 rev.1 - HPE Command View Advanced EditionCVAE (Virtual Appliance only), Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03952 rev.1 - HPE Command View Advanced Edition (CVAE) Products using JAVA, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03953 rev.1 - HPE Command View Advanced Edition (CVAE), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBUX03950 rev.1 - HP-UX Web Server Suite running Apache on HP-UX 11iv3, Multiple Remote Vulnerabiities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Drupal: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0746 ∗∗∗ Red Hat Ceph Storage: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0751 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2019
by Daily end-of-shift report 21 Aug '19

21 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-08-2019 18:00 − Mittwoch 21-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fortnite Ransomware Masquerades as an Aimbot Game Hack ∗∗∗ --------------------------------------------- Attackers are taking aim at Fortnites global community of 250 million gamers. --------------------------------------------- https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-ha… ∗∗∗ KAPE: Kroll Artifact Parser and Extractor, (Wed, Aug 21st) ∗∗∗ --------------------------------------------- KAPE vs Commando, another Red vs Blue vignette --------------------------------------------- https://isc.sans.edu/diary/rss/25258 ∗∗∗ CERT-Bund warnt vor öffentlich erreichbaren Sphinx-Suchservern ∗∗∗ --------------------------------------------- In der Standardkonfiguration sind Sphinx-Server aus dem Internet erreichbar. Dieses Sicherheitsrisiko sollten Admins eindämmen. --------------------------------------------- https://heise.de/-4501757 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ghostscript, pango, and squirrelmail), openSUSE (libcryptopp, squid, tcpdump, and wireshark), SUSE (flatpak), and Ubuntu (giflib and NLTK). --------------------------------------------- https://lwn.net/Articles/796834/ ∗∗∗ Zebra Industrial Printers ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-232-01 ∗∗∗ ZDI-19-764: (0Day) WECON LeviStudioU ShortMessage_Module SMtext Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-764/ ∗∗∗ IBM Security Bulletin: A vulnerability in Open Source Libvirt affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-op… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Open Source Libreswan affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Netezza Host Management is affected by the vulnerabilities known as Intel Microarchitectural Data Sampling (MDS) and other Kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-netezza-host-mana… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Spring Framework affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-enterprise-content-ma… ∗∗∗ IBM Security Bulletin: A vulnerability in Open Source Bind affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-op… ∗∗∗ IBM Security Bulletin: Privilege escalation in IBM DB2 HPU debug binary via trusted PATH ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-privilege-escalation-… ∗∗∗ Unauthenticated sensitive information leakage in ZOHO ServiceDesk Software ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/unauthenticated-sensitive-inform… ∗∗∗ FreeBSD Project FreeBSD OS: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0743 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2019
by Daily end-of-shift report 20 Aug '19

20 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 19-08-2019 18:00 − Dienstag 20-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kernel: Defekte Dateisysteme bringen Linux zum Stolpern ∗∗∗ --------------------------------------------- In einer Diskussion um die Aufnahme eines neuen Dateisystems in den Linux-Kernel wird klar, dass viele Dateisystemtreiber mit defekten Daten nicht klarkommen. Das kann nicht nur zu Abstürzen führen, sondern auch zu Sicherheitslücken. ... Das Mounten von fremden Dateisystemen ist aber unter den gegebenen Umständen riskant. Wie die Diskussion zeigt, kann man sich nicht darauf verlassen, dass Linux-Dateisystemtreiber mit bösartigen Eingabedaten klarkommen. --------------------------------------------- https://www.golem.de/news/kernel-defekte-dateisysteme-bringen-linux-zum-sto… ∗∗∗ Guildma malware is now accessing Facebook and YouTube to keep up-to-date, (Tue, Aug 20th) ∗∗∗ --------------------------------------------- A new variant of the information stealer Guildma (aka Astaroth) we analyzed last week is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals. --------------------------------------------- https://isc.sans.edu/diary/rss/25222 ∗∗∗ GitHub Token Scanning—one billion tokens identified and five new partners ∗∗∗ --------------------------------------------- If you’ve ever accidentally shared a token or credentials in a GitHub repository, or read about someone who has, you know how damaging it could be if a malicious user finds and exploits it. About a year ago, we introduced token scanning to help scan pushed commits and prevent fraudulent use of any credentials that are shared accidentally. --------------------------------------------- https://github.blog/2019-08-19-github-token-scanning-one-billion-tokens-ide… ∗∗∗ GAME OVER: Detecting and Stopping an APT41 Operation ∗∗∗ --------------------------------------------- In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and… ∗∗∗ Falsche Versionsangaben: Mehrere Security Bulletins zu Apache Struts korrigiert ∗∗∗ --------------------------------------------- Struts-2-Anwender, die sich beim Updaten an offizielle Advisories halten, sollten erneut draufschauen – oder gleich zu Versionen ab 2.3.35 / 2.5.17 wechseln. --------------------------------------------- https://heise.de/-4500834 ∗∗∗ Erpressung mit Pädophilie per E-Mail ignorieren ∗∗∗ --------------------------------------------- Angeblich wurde Ihr Computer gehackt und Sie wurden beim Masturbieren gefilmt. Damit das Video nicht veröffentlicht wird, muss ein Schweigegeld bezahlt werden. Es besteht jedoch kein Grund zur Sorge, es handelt sich um eine Betrugsmasche. Weder wurde Ihre Webcam gehackt, noch wurden intime Videos über Sie angefertigt! Verschieben Sie dieses Mail in den Spam-Ordner. --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-mit-paedophilie-per-e-mai… ===================== = Vulnerabilities = ===================== ∗∗∗ Severe Flaws in Kubernetes Expose All Servers to DoS Attacks ∗∗∗ --------------------------------------------- Two high severity security flaws impacting the Kubernetes open-source system for handling containerized apps can allow an unauthorized attacker to trigger a denial of services state remotely, without user interaction. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-e… ∗∗∗ Remote Code Execution: Doppelte Hintertür in Webmin ∗∗∗ --------------------------------------------- In der Systemkonfigurationssoftware Webmin waren offenbar für über ein Jahr Hintertüren, mit denen sich übers Netz Code ausführen lässt. Den Angreifern gelang es dabei offenbar, die Release-Dateien des Projekts zu manipulieren. --------------------------------------------- https://www.golem.de/news/remote-code-execution-doppelte-hintertuer-in-webm… ∗∗∗ iOS 12.4 jailbreak released after Apple ‘accidentally un-patches’ an old flaw ∗∗∗ --------------------------------------------- A fully functional jailbreak has been released for the latest iOS 12.4 on the Internet, making it the first public jailbreak in a long time—thanks to Apple. Dubbed "unc0ver 3.5.0," the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4. --------------------------------------------- https://thehackernews.com/2019/08/ios-iphone-jailbreak.html ∗∗∗ SphinxSearch 0.0.0.0:9306 (CVE-2019-14511) ∗∗∗ --------------------------------------------- TL;DR: SphinxSearch comes with a insecure default configuration that opens a listener on port 9306. No auth required. Connections using a mysql client are possible. --------------------------------------------- https://blog.wirhabenstil.de/2019/08/19/sphinxsearch-0-0-0-09306-cve-2019-1… ∗∗∗ Security Bulletin VLC 3.0.8 ∗∗∗ --------------------------------------------- If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user. While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed. We have not seen exploits performing code execution through these vulnerabilities --------------------------------------------- https://www.videolan.org/security/sb-vlc308.html ∗∗∗ Ruby rest-client 1.6.13 ∗∗∗ --------------------------------------------- It seems that rest-client 1.6.13 is uploaded to rubygems.org. I did review between 1.6.9 and 1.6.13 and it seems that latest version evaluate remote code from pastebin.com and sends information to mironanoru.zzz.com.ua --------------------------------------------- https://github.com/rest-client/rest-client/issues/713 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Aspose APIs ∗∗∗ --------------------------------------------- Cory Duplantis and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. --------------------------------------------- https://blog.talosintelligence.com/2019/08/aspose-APIs-RCE-vulns-aug-2019.h… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flask), openSUSE (clementine, dkgpg, libTMCG, openexr, and zstd), Oracle (kernel, mysql:8.0, redis:5, and subversion:1.10), SUSE (nodejs6, python-Django, and rubygem-rails-html-sanitizer), and Ubuntu (cups, docker, docker-credential-helpers, kconfig, kde4libs, libreoffice, nova, and openldap). --------------------------------------------- https://lwn.net/Articles/796759/ ∗∗∗ IBM Security Bulletin: IBM MQ is vulnerable to a denial of service attack within the error logging function (CVE-2019-4049) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-is-vulnerable-… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Websphere Application Server affects IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM License Metric Tool v9 (CVE-2019-4046). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM License Key Server Administration & Reporting Tool and Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance affected by an OpenSSH vulnerability (CVE-2019-6110) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-affe… ∗∗∗ IBM Security Bulletin: Information disclosure for IBM Infosphere Global Name Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Information disclosure for IBM Infosphere Identity Insight ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Error Message Vulnerabilities Affect IBM Emptoris Sourcing, IBM Emptoris Contract Management and IBM Emptoris Spend Analysis. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-error-message-vulnera… ∗∗∗ IBM Security Bulletin: Cross-site Scripting Affects IBM Emptoris Spend Analysis (CVE-2019-4482) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… ∗∗∗ IBM Security Bulletin: SQL Injection Affects IBM Emptoris Spend Analysis and IBM Emptoris Contract Management (CVE-2019-4481, CVE-2019-4483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-sql-injection-affects… ∗∗∗ IBM Security Bulletin: Multiple IBM MQ Security Vulnerabilities Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-ibm-mq-secur… ∗∗∗ IBM Security Bulletin: API Connect V2018 (ova) is impacted by vulnerabilities in Ubuntu OS (CVE-2019-4504) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-ova… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by a Kubernetes vulnerability(CVE-2019-11246) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal is impacted by a path traversal vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: IBM i is affected by networking BIND vulnerability CVE-2019-6471. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by a information disclosure vulnerability (CVE-2019-4437) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by Linux Kernel security vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-… ∗∗∗ IBM Security Bulletin: XML External Entity Injection vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4424) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-xml-external-entity-i… ∗∗∗ IBM Security Bulletin: Reverse tabnabbing vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-reverse-tabnabbing-vu… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Docker (CVE-2018-15664) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-privileg… ∗∗∗ IBM Security Bulletin: Vulnerability in NTP affects AIX (CVE-2019-8936) Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ntp-… ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2018 – Includes Oracle Jul 2018 CPU affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo… ∗∗∗ HTTP/2 Empty Frames Flood vulnerability CVE-2019-9518 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46011592 ∗∗∗ HTTP/2 Settings Flood vulnerability CVE-2019-9515 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50233772 ∗∗∗ HTTP/2 Ping Flood vulnerability CVE-2019-9512 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K98053339 ∗∗∗ HTTP/2 Reset Flood vulnerability CVE-2019-9514 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01988340 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2019
by Daily end-of-shift report 19 Aug '19

19 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-08-2019 18:00 − Montag 19-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Router Network Isolation Broken By Covert Data Exfiltration ∗∗∗ --------------------------------------------- Software-based network isolation provided by routers is not as efficient as believed, as hackers can smuggle data between the networks for exfiltration. --------------------------------------------- https://www.bleepingcomputer.com/news/security/router-network-isolation-bro… ∗∗∗ IT threat evolution Q2 2019 ∗∗∗ --------------------------------------------- Targeted attacks, malware campaigns and other security news in Q2 2019. --------------------------------------------- https://securelist.com/it-threat-evolution-q2-2019/91994/ ∗∗∗ The DAA File Format, (Fri, Aug 16th) ∗∗∗ --------------------------------------------- In diary entry "Malicious .DAA Attachments", we extracted a malicious executable from a Direct Access Archive file. --------------------------------------------- https://isc.sans.edu/diary/rss/25246 ∗∗∗ What Hackers Do after Gaining Access to a Website ∗∗∗ --------------------------------------------- A hack or cyber attack is the act of maliciously entering, taking control over, or manipulating by force a web application, server, or file that belongs to someone else. --------------------------------------------- https://blog.sucuri.net/2019/08/what-hackers-do-after-gaining-access-to-a-w… ∗∗∗ Sicherheitspanne: Kernel-Schwachstelle zurück in iOS 12.4, Jailbreak verfügbar ∗∗∗ --------------------------------------------- Zum ersten Mal seit Langem lassen sich Apples Sicherheitsfunktionen in der aktuellen iOS-Version durch einen öffentlich verfügbaren Jailbreak aushebeln. --------------------------------------------- https://heise.de/-4500038 ∗∗∗ QxSearch hijacker fakes failed installs ∗∗∗ --------------------------------------------- QxSearch is a group of search hijackers that try to make the user think the install failed or was incomplete. Is it that they dont want to be found and removed? Or just bad programming? --------------------------------------------- https://blog.malwarebytes.com/pups/2019/08/qxsearch-hijacker-fakes-failed-i… ∗∗∗ Gefälschte "Ihr Jahresabonnemеnt Whatsapp"-Mail im Umlauf ∗∗∗ --------------------------------------------- Konsument/innen erhalten eine angebliche WhatsApp-E-Mail. Darin heißt es, dass sie ihr Abonnement verlängern müssen. Über einen Link in der Nachricht gelangen Nutzer/innen auf eine gefälschte WhatsApp-Website. Darauf sollen sie ihr Jahresabonnement unter Bekanntgabe ihrer Zahlungsdaten verlängern. Kommen Konsument/innen der Aufforderung nach, werden sie Opfer eines Datendiebstahls und verlieren ihr Geld an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-ihr-jahresabonnement-wha… ∗∗∗ Offensive Lateral Movement ∗∗∗ --------------------------------------------- Lateral movement is the process of moving from one compromised host to another. Penetration testers and red teamers alike commonly used to accomplish this by executing powershell.exe to run a base64 encoded command on the remote host, which would return a beacon. The problem with this is that offensive PowerShell is not a new concept anymore and even moderately mature shops will detect on it and shut it down quickly, or any half decent AV product will kill it before a malicious command is ran. --------------------------------------------- https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Drupal ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Daten zu manipulieren oder Sicherheitsmechanismen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K19-0726 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel and openssl), Debian (ffmpeg, golang-1.11, imagemagick, kde4libs, openldap, and python3.4), Fedora (gradle, hostapd, kdelibs3, and mgetty), Gentoo (adobe-flash, hostapd, mariadb, patch, thunderbird, and vlc), Mageia (elfutils, mariadb, mythtv, postgresql, and redis), openSUSE (chromium, kernel, LibreOffice, and zypper, libzypp and libsolv), Oracle (ghostscript), Red Hat (rh-php71-php), SUSE (bzip2, evince, firefox, glib2, glibc, [...] --------------------------------------------- https://lwn.net/Articles/796640/ ∗∗∗ Cisco Firepower Threat Defense Software HTTP Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the HTTP traffic filtering component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper handling of HTTP requests, including those communicated over a secure HTTPS connection, that contain maliciously crafted headers. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software Stream Reassembly Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the stream reassembly component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper reassembly of traffic streams. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software NULL Character Obfuscation Detection Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the normalization functionality of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to insufficient normalization of a text-based payload. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software Nonstandard Protocol Detection Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the protocol detection component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections.The vulnerability is due to improper detection of the initial use of a protocol on a nonstandard port. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Four Remote Code Execution Vulnerabilities in Some Microsoft Windows Systems ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190819-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2019
by Daily end-of-shift report 16 Aug '19

16 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-08-2019 18:00 − Freitag 16-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Warns of Phishing Attacks Using Custom 404 Pages ∗∗∗ --------------------------------------------- Microsoft security researchers discovered an unusual phishing campaign which employs custom 404 error pages to trick potential victims into handing out their Microsoft credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-… ∗∗∗ Energy Sector Phish Swims Past Microsoft Email Security via Google Drive ∗∗∗ --------------------------------------------- The savvy technique of avoiding malicious links in the email allowed the phishing attack to reach its targets. --------------------------------------------- https://threatpost.com/energy-phish-microsoft-security-google-drive/147397/ ∗∗∗ Analysis of a Spearphishing Maldoc, (Thu, Aug 15th) ∗∗∗ --------------------------------------------- A spearphishing attack with a VBA maldoc on US utility companies was mentioned in SANS NewsBites Vol. 21, Num. 61. I always like to take a look at malicious documents mentioned in the news. Luckily for me, Proofpoint's analysis includes the hashes of the maldocs, and one maldoc can be found on VirusTotal. --------------------------------------------- https://isc.sans.edu/diary/rss/25242 ∗∗∗ VoIP-Sicherheitslücken: Viele Büro-Telefonanlagen grundlegend unsicher ∗∗∗ --------------------------------------------- 33 Geräte von 25 Herstellern lassen sich kapern. Angreifer können spionieren, andere Systeme angreifen oder die Organisation durch einen Totalausfall schwächen. --------------------------------------------- https://heise.de/-4499202 ∗∗∗ MITRE ATT&CK July 2019 Update ∗∗∗ --------------------------------------------- On the last day of July, MITRE released its most recent update to the ATT&CK framework. The ATT&CK framework is a curated knowledge base of tactics, techniques, software, that adversarial groups have leveraged when compromising enterprise systems. The July 2019 update is relatively minor compared to the April 2019 update, which saw a new tactic [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/mitre-a… ∗∗∗ Many Apache Struts Security Advisories Updated Following Review ∗∗∗ --------------------------------------------- Two dozen security advisories for the Apache Struts open source development framework have been updated after researchers determined that they contained incorrect information regarding which versions of the software were impacted by a vulnerability. --------------------------------------------- https://www.securityweek.com/many-apache-struts-security-advisories-updated… ===================== = Vulnerabilities = ===================== ∗∗∗ Lenovo Warns of ThinkPad Bugs, One Unpatched ∗∗∗ --------------------------------------------- The notebook maker is warning users of three separate vulnerabilities. --------------------------------------------- https://threatpost.com/lenovo-warns-bugs-thinkpads/147338/ ∗∗∗ Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again ∗∗∗ --------------------------------------------- If you are using LibreOffice, you need to update it once again. LibreOffice has released the latest version 6.2.6/6.3.0 of its open-source office software to address three new vulnerabilities that could allow attackers to bypass patches for two previously addressed vulnerabilities. --------------------------------------------- https://thehackernews.com/2019/08/libreoffice-patch-update.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (irssi, ledger, libheimdal, libmediainfo, libqb, and libsass) and Slackware (mozilla). --------------------------------------------- https://lwn.net/Articles/796311/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freetype, libreoffice, and openjdk-7), Fedora (edk2, mariadb, mariadb-connector-c, mariadb-connector-odbc, python-django, and squirrelmail), Gentoo (chromium, cups, firefox, glibc, kconfig, libarchive, libreoffice, oracle-jdk-bin, polkit, proftpd, sqlite, wget, zeromq, and znc), openSUSE (bzip2, chromium, dosbox, evince, gpg2, icedtea-web, java-11-openjdk, java-1_8_0-openjdk, kconfig, kdelibs4, mariadb, mariadb-connector-c, nodejs8, pdns, polkit, [...] --------------------------------------------- https://lwn.net/Articles/796455/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2019
by Daily end-of-shift report 14 Aug '19

14 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-08-2019 18:00 − Mittwoch 14-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic ∗∗∗ --------------------------------------------- A new Bluetooth vulnerability named "KNOB" has been disclosed that allow attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-bluetooth-knob-flaw-lets… ∗∗∗ Dejablue: Erneut Sicherheitslücken im Windows-Remote-Desktop ∗∗∗ --------------------------------------------- Microsoft warnt vor zwei Remote-Code-Execution-Bugs im Remote Desktop Service. Damit lassen sich Windows-Rechner übers Netz kapern, wenn sie die Remoteadministration aktiviert haben. Alle aktuellen Windows-Versionen sind betroffen. --------------------------------------------- https://www.golem.de/news/dejablue-erneut-sicherheitsluecken-im-windows-rem… ∗∗∗ Project Zero: Windows-Texteingabesystem bietet viele Angriffsmöglichkeiten ∗∗∗ --------------------------------------------- Ein Systemdienst für Texteingabemethoden, das es seit Windows XP gibt, wurde offenbar mit wenig Sicherheitsbewusstsein entwickelt. Tavis Ormandy von Google gelang es damit, als Nutzer Systemrechte zu erlangen. Es gibt ein Update von Microsoft, doch das behebt wohl nicht alle Probleme. --------------------------------------------- https://www.golem.de/news/project-zero-windows-texteingabesystem-bietet-vie… ∗∗∗ Debugging for Malware Analysis ∗∗∗ --------------------------------------------- This article provides an overview of debugging and how to use some of the most commonly used debuggers. We will begin by discussing OllyDbg; using it, we will explore topics such as setting up breakpoints, stepping through the instructions and modifying the flow of execution. We will then discuss WinDbg, which can be used [...] --------------------------------------------- https://resources.infosecinstitute.com/debugging-for-malware-analysis/ ∗∗∗ Nehmen Sie sich vor gefälschten Zahlungsanweisungen in Acht! ∗∗∗ --------------------------------------------- Zahlreiche Unternehmen wenden sich mit erfundenen Überweisungs-Aufforderungen im Namen der Geschäftsführung oder anderer Führungspersonen an uns. Die E-Mails stammen von Kriminellen, die die Mail-Adressen durch „Spoofing“ imitieren und dadurch nichtsahnende Mitarbeiter/innen zu Überweisungen auf fremde Konten bringen wollen. --------------------------------------------- https://www.watchlist-internet.at/news/nehmen-sie-sich-vor-gefaelschten-zah… ∗∗∗ This new cryptojacking malware uses a sneaky trick to remain hidden ∗∗∗ --------------------------------------------- Norman cryptomining malware was found to have infected almost every system in one organisation during an investigation by security researchers. --------------------------------------------- https://www.zdnet.com/article/this-new-cryptojacking-malware-uses-a-sneaky-… ===================== = Vulnerabilities = ===================== ∗∗∗ Intel Releases Security Updates ∗∗∗ --------------------------------------------- Intel has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to gain an escalation of privileges on a previously infected machine.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following Intel advisories and apply the necessary updates: RAID Web Console 2 Advisory INTEL-SA-00246 NUC Advisory INTEL-SA-00272 [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/08/13/intel-releases-sec… ∗∗∗ Trend Micro Password Manager - Privilege Escalation to SYSTEM ∗∗∗ --------------------------------------------- SafeBreach Labs discovered a new vulnerability in Trend Micro Password Manager software. In this post, we will demonstrate how this vulnerability could have been used in order to achieve privilege escalation and persistence by loading an arbitrary unsigned DLL into a service that runs as NT AUTHORITY\SYSTEM. --------------------------------------------- https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalati… ∗∗∗ DoS-Attacken: Viele Web-Server mit HTTP/2 angreifbar ∗∗∗ --------------------------------------------- Forschern zufolge ist ein Großteil von Web-Servern mit HTTP/2 nicht optimal konfiguriert, sodass die Sicherheit gefährdet ist. Patches sind verfügbar. --------------------------------------------- https://heise.de/-4496647 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, linux-4.9, otrs2, and tomcat8), Fedora (igraph and jhead), openSUSE (ansible, GraphicsMagick, kconfig, kdelibs4, live555, mumble, phpMyAdmin, proftpd, python-Django, and znc), Oracle (kernel and openssl), Red Hat (kernel, openssl, and rh-mysql80-mysql), Scientific Linux (kernel and openssl), Slackware (kernel), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork and mariadb-100), and Ubuntu (linux, linux-aws, linux-kvm, [...] --------------------------------------------- https://lwn.net/Articles/796193/ ∗∗∗ SAP Patches Highest Number of Critical Flaws Since 2014 ∗∗∗ --------------------------------------------- SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014. --------------------------------------------- https://www.securityweek.com/sap-patches-highest-number-critical-flaws-2014 ∗∗∗ Mitsubishi Electric smartRTU and INEA ME-RTU ∗∗∗ --------------------------------------------- CISA is aware of a public report of a proof-of-concept (PoC) exploit code vulnerability affecting Mitsubishi Electric smartRTU devices. According to this report, there are multiple vulnerabilities that could result in remote code execution with root privileges. CISA is issuing this alert to provide early notice of the report. --------------------------------------------- https://www.us-cert.gov/ics/alerts/ics-alert-19-255-01 ∗∗∗ Delta Industrial Automation DOPSoft ∗∗∗ --------------------------------------------- This advisory includes mitigations for out-of-bounds read and use after free vulnerabilities reported in Delta Electronics’ Delta Industrial Automation DOPSoft HMI editing software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-225-01 ∗∗∗ OSIsoft PI Web API ∗∗∗ --------------------------------------------- This advisory includes mitigations for inclusion of sensitive information in log files and protection mechanism failure vulnerabilities reported in OSIsoft LLC’s OSIsoft PI Web API. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-225-02 ∗∗∗ Key Negotiation of Bluetooth Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Two Denial of Service Vulnerabilities on Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190814-… ∗∗∗ August 13, 2019 TNS-2019-05 [R1] Nessus 8.6.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2019-05 ∗∗∗ Synology-SA-19:33 HTTP/2 DoS Attacks ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_33 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.08.2019
by Daily end-of-shift report 13 Aug '19

13 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 12-08-2019 18:00 − Dienstag 13-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Steam Security Vulnerability Fixed, Researchers Dont Agree ∗∗∗ --------------------------------------------- Valve has pushed out a fix for a zero-day Steam Client local privilege escalation (LPE) vulnerability, but researchers say there are still other LPE vulnerabilities that are being ignored. --------------------------------------------- https://www.bleepingcomputer.com/news/security/steam-security-vulnerability… ∗∗∗ Troldesh Ransomware Dropper ∗∗∗ --------------------------------------------- Over the past few weeks, we’ve seen an increase in Troldesh ransomware using compromised websites as intermediary malware distributors. The malware often uses a PHP file that acts as a delivery tool for downloading the host malware dropper: hxxp://doolaekhun[.]com/cgi-bin/[redacted].php --------------------------------------------- https://blog.sucuri.net/2019/08/troldesh-ransomware-dropper.html ∗∗∗ Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices ∗∗∗ --------------------------------------------- Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself "Asher" [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/jgzb2S8LB8M/ ∗∗∗ MANRS Observatory: Monitoring the State of Internet Routing Security ∗∗∗ --------------------------------------------- Routing security is vital to the future and stability of the Internet, but it’s under constant threat. Which is why we’ve launched a free online tool so that network operators can see how they’re doing, and what they can improve, while anyone can see the health of the Internet at a glance. --------------------------------------------- https://www.internetsociety.org/blog/2019/08/manrs-observatory-monitoring-t… ∗∗∗ The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End? ∗∗∗ --------------------------------------------- In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled, and some issues that could be raised by [...] --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/the-twin-journe… ∗∗∗ CEO Cyber Quiz: What’s Your IT Security IQ? ∗∗∗ --------------------------------------------- Every business leader understands that, when it comes to cybersecurity, the stakes are extraordinarily high. CEOs tend to take notice when they read headlines about yet another big-name company being victimized by a massive data breach or about industry forecasts suggesting that the annual cost of crime losses and damage will hit $6 trillion by [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-awareness/ceo-cyber-sec… ∗∗∗ Datingfalle.at: Kostenlose Hilfe bei Online-Dating-Fallen! ∗∗∗ --------------------------------------------- Auf www.datingfalle.at bietet der Internet Ombudsmann kostenlose Hilfe bei rechtlichen Problemen mit Online-Dating-Plattformen, Erotik-Portalen und Singlebörsen. Neben Infos und Tipps steht eine außergerichtliche Streitschlichtung zur Verfügung. Hier gibt es Hilfestellung bei Abo-Fallen, automatischer Vertragsverlängerung, Kündigungsschwierigkeiten oder Inkasso-Schreiben. --------------------------------------------- https://www.watchlist-internet.at/news/datingfalleat-kostenlose-hilfe-bei-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe After Effects CC (APSB19-31), Adobe Character Animator CC (APSB19-32), Adobe Premiere Pro CC (APSB19-33), Adobe Prelude CC (APSB19-35), Adobe Creative Cloud Desktop Application (APSB19-39), Adobe Acrobat and Reader (APSB19-41), Adobe Experience Manager (APSB19-42) and Adobe Photoshop CC (APSB19-44). Adobe recommends users update their product installations to the latest versions using the instructions referenced [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1773 ∗∗∗ [20190801] - Core - Hardening com_contact contact form ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 1.6.2 - 3.9.10 Exploit type: Incorrect Access Control Reported Date: 2019-April-09 Fixed Date: 2019-August-13 CVE Number: CVE-2019-XXXXX Description Inadequate checks in com_contact could allowed mail submission in disabled forms. Affected Installs Joomla! CMS versions 1.6.2 - 3.9.10 Solution Upgrade to version 3.9.11 --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/H1jmq28mUAw/789-20190801-c… ∗∗∗ # SSA-671286: Multiple Vulnerabilities in SCALANCE Products ∗∗∗ --------------------------------------------- The latest update for SCALANCE SC-600 fixes multiple vulnerabilities. The most severe could allow authenticated local users with physical access to the device to execute arbitrary commands on the device under certain conditions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-671286.txt ∗∗∗ # SSA-530931: Denial-of-Service in Webserver of Industrial Products ∗∗∗ --------------------------------------------- A vulnerability in the affected products could allow an unauthorized attacker with network access to the webserver of an affected device to perform a denial-of-service attack. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-530931.txt ∗∗∗ # SSA-232418: Vulnerabilities in SIMATIC S7-1200 and SIMATIC S7-1500 CPU families ∗∗∗ --------------------------------------------- Two vulnerabilities have been identified in the SIMATIC S7-1200 and the SIMATIC S7-1500 CPU families. One vulnerability could allow an attacker with network access to affected devices to modify the user program stored on these devices such that the source code differs from the actual running code. The other vulnerability could allow an attacker in a Man-in-the-Middle position to modify network traffic exchanged on port 102/tcp. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-232418.txt ∗∗∗ # SSA-100232: Denial-of-Service vulnerability in SCALANCE X switches ∗∗∗ --------------------------------------------- A vulnerability in the affected devices could allow an unauthenticated attacker with network access to an affected device to perform a denial-of-service. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-100232.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, postgresql, and postgresql-libs), Debian (atril, chromium, evince, ghostscript, jackson-databind, kernel, and php5), Fedora (kf5-kconfig, mingw-sqlite, pam-u2f, and poppler), Mageia (kernel), openSUSE (aubio, chromium, kconfig, kdelibs4, nodejs10, osc, and zstd), Red Hat (ghostscript), and Ubuntu (ghostscript and MariaDB). --------------------------------------------- https://lwn.net/Articles/796075/ ∗∗∗ [remote] Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47230 ∗∗∗ [remote] ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47229 ∗∗∗ [remote] ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47228 ∗∗∗ [remote] ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47227 ∗∗∗ Linux kernel vulnerability CVE-2016-7097 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31603170 ∗∗∗ SAP Patchday August: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0714 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.08.2019
by Daily end-of-shift report 12 Aug '19

12 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-08-2019 18:00 − Montag 12-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Beware of Fake Microsoft Account Unusual Sign-in Activity Emails ∗∗∗ --------------------------------------------- In this article we take a look at a phishing campaign that pretends to be an "Unusual sign-in activity" alertfrom Microsoft that could easily trick someone into clicking on the enclosed link. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beware-of-fake-microsoft-acc… ∗∗∗ Malware Analysis and Reverse Engineering ∗∗∗ --------------------------------------------- Introduction This article provides a high-level overview of malware analysis and reverse engineering. If you are planning to get started with malware analysis and reverse engineering, this article can be a good starting point, as it covers a high-level overview of what you need to know before you download that debugger and get your hands [...] --------------------------------------------- https://resources.infosecinstitute.com/malware-analysis-and-reverse-enginee… ∗∗∗ DEF CON 2019: Delta ICS Flaw Allows Total Industrial Takeover ∗∗∗ --------------------------------------------- The bug exists in a controller that oversees HVAC, lighting, sensor and alarm systems, to name a few. --------------------------------------------- https://threatpost.com/def-con-2019-delta-ics-flaw-allows-total-industrial-… ∗∗∗ Inside the Hidden World of Elevator Phone Phreaking ∗∗∗ --------------------------------------------- Eavesdropping, reprogramming, talking to strangers: Welcome to the harmless and not-so-harmless fun of hacking elevator call boxes. --------------------------------------------- https://www.wired.com/story/elevator-phone-phreaking-defcon ∗∗∗ Amazon Web Services: Tausende virtuelle Festplatten frei zugänglich im Netz ∗∗∗ --------------------------------------------- Ein Forscher fand tausendfach offen zugängliche Elastic Block Store-Volumes mit vertraulichen Daten im Netz, wo sie sich beliebig durchsuchen lassen. --------------------------------------------- https://heise.de/-4493402 ∗∗∗ Windows-Treiber von Intel, AMD, Nvidia und vielen Mainboard-Herstellern unsicher ∗∗∗ --------------------------------------------- Über mehr als 40 weit verbreitete Hardware-Treiber können Angreifer sich Kernel-Rechte auf einem System verschaffen. --------------------------------------------- https://heise.de/-4494929 ∗∗∗ Cruise Releases Automated Firmware Security Analyzer to Open Source ∗∗∗ --------------------------------------------- The growth of IoT devices has highlighted the difficulties in ensuring firmware security -- especially where the device and software are initially sourced from third parties, or developed under time pressures in-house. Now a new firmware analyzer has been released to open source on GitHub. --------------------------------------------- https://www.securityweek.com/gm-cruise-releases-automated-firmware-security… ∗∗∗ Hotellerie-Betriebe: Vorsicht vor kriminellen Buchungs- & Stornierungsversuchen! ∗∗∗ --------------------------------------------- Vermeintliche Interessent/innen kontaktieren gezielt Hotels, Pensionen, Apartments und sonstige Unterkünfte für eine Buchung. Kurz nach einer (ungültigen) Zahlung per Kreditkarte folgen schreckliche Nachrichten: Aufgrund tragischer Ereignisse bei den geplanten Gästen muss die Buchung storniert und das Geld zurücküberwiesen werden. Hotellerie-Betriebe dürfen den Aufforderungen nicht nachkommen! --------------------------------------------- https://www.watchlist-internet.at/news/hotellerie-betriebe-vorsicht-vor-kri… ∗∗∗ Hunting the Public Cloud for Exposed Hosts and Misconfigurations ∗∗∗ --------------------------------------------- This research explores the security landscape of the Internet-facing services hosted in Amazon AWS, Microsoft Azure and Google Cloud Platform. --------------------------------------------- https://unit42.paloaltonetworks.com/hunting-the-public-cloud-for-exposed-ho… ∗∗∗ Clever attack uses SQLite databases to hack other apps, malware servers ∗∗∗ --------------------------------------------- Tainted SQLite database can run malicious code inside other apps, such as web apps or Apples iMessage. --------------------------------------------- https://www.zdnet.com/article/clever-attack-uses-sqlite-databases-to-hack-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fusiondirectory, gosa, kconfig, kernel, pango1.0, and python-django), Fedora (aubio, icedtea-web, java-1.8.0-openjdk, kernel, kernel-headers, kernel-tools, libslirp, openqa, os-autoinst, and upx), Gentoo (JasPer, libvncserver, and redis), Mageia (cyrus-imapd and php), Oracle (kernel), Red Hat (chromium-browser, cockpit-ovirt, Red Hat Virtualization, and rhvm-appliance), SUSE (ImageMagick, libvirt, python, and wireshark), and Ubuntu (poppler). --------------------------------------------- https://lwn.net/Articles/795963/ ∗∗∗ PPOM for WooCommerce <= 18.3 - Authenticated Stored XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9502 ∗∗∗ ZDI-19-701: (0Day) EZAutomation EZPLC EZC File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-701/ ∗∗∗ ZDI-19-700: (0Day) EZAutomation EZTouch Editor EZP File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-700/ ∗∗∗ iControl REST and tmsh vulnerability CVE-2019-6621 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20541896 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2019
by Daily end-of-shift report 09 Aug '19

09 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-08-2019 18:00 − Freitag 09-08-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackerone: Sicherheitslücke in Steam bleibt vorerst ungefixt ∗∗∗ --------------------------------------------- Auf Windows-Systemen, auf denen der Spiele-Launcher Steam installiert ist, können einfache Nutzer Programme mit Systemrechten ausführen. Der Entdecker der Lücke meldete diese über die Plattform Hackerone, dort erklärte man den Bug für ungültig und wollte eine Veröffentlichung verhindern. --------------------------------------------- https://www.golem.de/news/hackerone-sicherheitsluecke-in-steam-bleibt-vorer… ∗∗∗ Protect against BlueKeep ∗∗∗ --------------------------------------------- DART offers steps you can take to protect your network from BlueKeep, the “wormable” vulnerability that can create a large-scale outbreak due to its ability to replicate and propagate. --------------------------------------------- https://www.microsoft.com/security/blog/2019/08/08/protect-against-bluekeep/ ∗∗∗ Hidden Algorithm Flaws Expose Websites to DoS Attacks ∗∗∗ --------------------------------------------- Why throw a bunch of junk traffic at a service, when all it takes to stall it out is just a few bytes? --------------------------------------------- https://www.wired.com/story/algorithm-dos-attack ∗∗∗ How Safecrackers Can Unlock an ATM in Minutes—Without Leaving a Trace ∗∗∗ --------------------------------------------- At Defcon this week, security researcher Mike Davis will show how he can pick the lock of an ATM safe in no time, thanks to its electric leaks. --------------------------------------------- https://www.wired.com/story/atm-lock-hack-electric-leaks ∗∗∗ Saefko: A new multi-layered RAT ∗∗∗ --------------------------------------------- Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, and data stealing and spreading module. --------------------------------------------- https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat ∗∗∗ Are Your Out-of-Office Replies Revealing Too Much? ∗∗∗ --------------------------------------------- Whether you’re traveling for business or pleasure, it’s common practice to create an automatic out-of-office reply for incoming emails. While business continuity is important, it’s critical to remember that some emails that arrive in your inbox will come from people you don’t know - and, in some cases, cybercriminals who wish to do you harm. The details you provide could be used for malicious purposes and expose your organization to attack. --------------------------------------------- https://www.proofpoint.com/us/security-awareness/post/are-your-out-office-r… ∗∗∗ New Windows Process Injection Can Be Useful for Stealthy Malware ∗∗∗ --------------------------------------------- Researchers at SafeBreach, a cybersecurity firm that specializes in breach and attack simulations, have catalogued most known Windows process injection techniques. They also discovered a new method, which they claim is stealthy and can bypass all protections implemented by Microsoft. --------------------------------------------- https://www.securityweek.com/new-windows-process-injection-can-be-useful-st… ∗∗∗ Analyse: Ransomware-Angriffe auf Firmen fast vervierfacht ∗∗∗ --------------------------------------------- Die Zahl der Infektionen mit Ransomware bei Firmen hat im Vergleich zum Vorjahr um 365 Prozent zugenommen. Groß im Geschäft: das Trio Emotet/Trickbot/Ryuk. --------------------------------------------- https://heise.de/-4492497 ∗∗∗ Skype, Slack, VS Code, Atom: Electron-Apps haben eine gefährliche Achilles-Ferse ∗∗∗ --------------------------------------------- Programme, die auf dem Electron Framework basieren, können von lokalen Angreifern trojanisiert und als Angriffsplattform missbraucht werden. --------------------------------------------- https://heise.de/-4493195 ∗∗∗ Hackers Can Use Rogue Engineering Stations to Target Siemens PLCs ∗∗∗ --------------------------------------------- Malicious actors could use rogue engineering workstations to take control of Siemens programmable logic controllers (PLCs), and they can hide the attack from the engineer monitoring the system, researchers from two universities in Israel have demonstrated. --------------------------------------------- https://www.securityweek.com/hackers-can-use-rogue-engineering-stations-tar… ===================== = Vulnerabilities = ===================== ∗∗∗ Schwerwiegende Sicherheitslücke in Big-IP-Produkten von F5 Networks ∗∗∗ --------------------------------------------- Der finnische Sicherheitsspezialist F-Secure warnt vor einer Sicherheitslücke, die möglicherweise zahlreiche Unternehmen zu Zielen für Cyberangriffe macht. Betroffen sind Big-IP-Produkte von F5 Networks. Der Anbieter dementiert. --------------------------------------------- https://www.it-business.de/schwerwiegende-sicherheitsluecke-in-big-ip-produ… ∗∗∗ Avaya Deskphone: Decade-Old Vulnerability Found in Phone’s Firmware ∗∗∗ --------------------------------------------- Avaya is the second largest VOIP solution provider (source) with an install base covering 90% of the Fortune 100 companies (source), with products targeting a wide spectrum of customers, from small business and midmarket, to large corporations. As part of the ongoing McAfee Advanced Threat Research effort into researching critical vulnerabilities in widely deployed software [...] --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/avaya-deskphone… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11, postgresql-9.4, and postgresql-9.6), Fedora (exiv2), openSUSE (python-Django and vlc), Oracle (kernel), Red Hat (qemu-kvm-rhev), SUSE (evince, nodejs10, python, and squid), and Ubuntu (postgresql-10, postgresql-11, postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/795821/ ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0708 ∗∗∗ BlackBerry Powered by Android Security Bulletin - August 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Notice - Statement on Brute Forcing Encrypted Backup Data for Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2019/huawei-sn-20190809-01-… ∗∗∗ BIG-IP DHCPv6 vulnerability CVE-2019-6643 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36228121 ∗∗∗ iControl REST vulnerability CVE-2019-6646 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53990093 ∗∗∗ F5 Container Ingress Service vulnerability CVE-2019-6648 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74327432 ∗∗∗ iRulesLX debug NodeJS vulnerability CVE-2019-6644 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K75532331 ∗∗∗ BIG-IP mcpd vulnerability CVE-2019-6647 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87920510 ∗∗∗ The BIG-IP DNS Configuration utility may erroneously display the TSIG key secret in plain text form ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03332436 ∗∗∗ BIG-IP SSL connection security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41515225 ∗∗∗ BIG-IP FTP profile vulnerability CVE-2019-6645 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15759349 ∗∗∗ F5 Container Ingress Services vulnerability CVE-2019-6648 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74327432 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2019
by Daily end-of-shift report 08 Aug '19

08 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-08-2019 18:00 − Donnerstag 08-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Fully Remote Attack Surface of the iPhone ∗∗∗ --------------------------------------------- While there have been several rumours and reports of fully remote vulnerabilities affecting the iPhone being used by attackers in the last couple of years, limited information is available about the technical details of these vulnerabilities, as well as the underlying attack surface they occur in. I investigated the remote, interaction-less attack surface of the iPhone, and found several serious vulnerabilities. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surf… ∗∗∗ [Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign", (Thu, Aug 8th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/25218 ∗∗∗ Magento Skimmers: From Atob to Alibaba ∗∗∗ --------------------------------------------- Last year we saw a fairly massive Magento malware campaign that injected credit card stealing code similar to this: It uses the JavaScript atob function to decode base64-encoded domain names and URL patterns. In the sample above, it’s hxxps://livegetpay[.]com/pay.js?v=2.2.9 and “onepage”, respectively. The campaign used a variety of different domain names and targeted all sorts of payment processing systems, which is well described in the Group IB’s report. --------------------------------------------- https://blog.sucuri.net/2019/08/magento-skimmers-from-atob-to-alibaba.html ∗∗∗ Reverse RDP Attack Also Enables Guest-to-Host Escape in Microsoft Hyper-V ∗∗∗ --------------------------------------------- Remember the Reverse RDP Attack? Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsofts Windows built-in RDP client that could allow a malicious RDP server to compromise a client computer, reversely. --------------------------------------------- https://thehackernews.com/2019/08/reverse-rdp-windows-hyper-v.html ∗∗∗ ACSC Releases Advisory on Password Spraying Attacks ∗∗∗ --------------------------------------------- Original release date: August 8, 2019The Australian Cyber Security Centre (ACSC) has released an advisory on password spraying attacks. Password spraying is a type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts. The ACSC provides recommendations for organizations to detect and --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/08/08/acsc-releases-advi… ∗∗∗ Erpressungsversuche mit Masturbations-Video! ∗∗∗ --------------------------------------------- Die Wahrscheinlichkeit betrügerische Erpressungs-E-Mails im eigenen Posteingang zu finden, ist momentan äußerst hoch. Kriminelle behaupten, die Systeme ihrer Opfer mit Schadsoftware infiziert, Zugriff auf Webcam und Kontakte erhalten zu haben und nun in Besitz eines Masturbations-Videos zu sein. Betroffene dürfen nichts bezahlen. Die Nachrichten von „Anonymer Hacker“ sind erfunden! --------------------------------------------- https://www.watchlist-internet.at/news/erpressungsversuche-mit-masturbation… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet FortiRecorder 2.7.3 Hardcoded Password ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019080028 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim, python-django, python2-django, and sdl2), Debian (proftpd-dfsg), Fedora (php and sqlite), openSUSE (proftpd), Red Hat (kernel), Slackware (kdelibs), SUSE (nodejs10, squid, and tcpdump), and Ubuntu (php5 and ruby-rack). --------------------------------------------- https://lwn.net/Articles/795725/ ∗∗∗ Synology-SA-19:32 SWAPGS Spectre Side-Channel Attack ∗∗∗ --------------------------------------------- The vulnerability allows local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) running on an Intel CPU or even if in Virtual Machine Manager. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_32 ∗∗∗ Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Server Open Redirection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SPA112 2-Port Phone Adapter Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution Packet Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software VNC Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Web-Based Management Interface Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Cross-site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Arbitrary File Read Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Password Recovery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Web Portal Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise NFV Infrastructure Software Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software Intermediate System–to–Intermediate System Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software Intermediate System–to–Intermediate System Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco HyperFlex Software Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Threat Defense Software File Policy Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IoT Field Network Director TLS Renegotiation Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Firepower Management Center Persistent Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance Header Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Adaptive Security Appliance Software Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2019
by Daily end-of-shift report 07 Aug '19

07 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-08-2019 18:00 − Mittwoch 07-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Smominru Cryptominer Scrapes Credentials for Half-Million Machines ∗∗∗ --------------------------------------------- The adversaries have retooled with EternalBlue and credential theft to add a new "access mining" revenue stream. --------------------------------------------- https://threatpost.com/smominru-cryptominer-scrapes-credentials-half-millio… ∗∗∗ Autoloaded Server-Side Swiper ∗∗∗ --------------------------------------------- Front-end JavaScript-based credit card stealing malware has garnered a lot of attention within the security community. This makes sense, since the “swipers” can be easily detected by simply scanning the web pages of e-commerce sites. However, this isn’t the only way to steal payment details and sensitive user information from compromised sites. Server-side swipers are almost as prevalent as client-side ones, and [...] --------------------------------------------- https://blog.sucuri.net/2019/08/autoloaded-server-side-swiper.html ∗∗∗ Vorsicht bei zu günstigen Angeboten auf Amazon ∗∗∗ --------------------------------------------- Vermehrt erreichen uns Meldungen von Konsument/innen, die auf unseriöse Amazon Marketplace Shops gestoßen sind. Die extrem günstigen Angebote locken zu einem schnellen Kauf. Im späteren Nachrichtenverlauf werden die Opfer über „Fehler 2045“ informiert und aufgefordert, das Geld auf externe Konten zu überweisen. Wer dies tut, verliert den Betrag und erhält keine Waren! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-zu-guenstigen-angeboten… ===================== = Vulnerabilities = ===================== ∗∗∗ SWAPGSAttack: Seitenkanal-Schwachstelle trifft wieder nur Intel ∗∗∗ --------------------------------------------- Mit der Spectre-ähnlichen SWAPGSAttack kann auf eigentlich geschützte Speicherbereiche zugegriffen werden, indem die spekulative Ausführung des Befehls ausgenutzt wird. Betroffen sind alle Intel-CPUs seit Ivy Bridge von 2012, von Microsoft gibt es bereits Patches für Windows 10. --------------------------------------------- https://www.golem.de/news/swapgsattack-seitenkanal-schwachstelle-trifft-wie… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (hostapd), openSUSE (aubio and spamassassin), Oracle (kernel), Red Hat (augeas, kernel-rt, libssh2, perl, procps-ng, redis:5, and systemd), SUSE (bzip2, evince, kernel, linux-azure, nodejs4, nodejs8, osc, python, python-Twisted, and python3), and Ubuntu (BWA and Mercurial). --------------------------------------------- https://lwn.net/Articles/795626/ ∗∗∗ Security Advisory - Double Free Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190807-… ∗∗∗ Security Advisory - Information Leak Vulnerability on Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190807-… ∗∗∗ HPESBST03938 rev.1 - Command View Advanced Edition (CVAE) Products, Local and Remote Access Restriction Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily