- Daily - CERT.at

Tageszusammenfassung - 08.05.2019
by Daily end-of-shift report 08 May '19

08 May '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-05-2019 18:00 − Mittwoch 08-05-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacker gesucht: "Auch Zehnjährige verstehen, was ein sicheres Passwort ist" ∗∗∗ --------------------------------------------- Ab sofort werden im Rahmen der Cyber Security Challenge wieder die besten Hacker Österreichs gesucht. --------------------------------------------- https://futurezone.at/digital-life/hacker-gesucht-auch-zehnjaehrige-versteh… ∗∗∗ Biometric Authentication Overview, Advantages & Disadvantages [Updated 2019] ∗∗∗ --------------------------------------------- What is biometric authentication? Biometric authentication is simply the process of verifying your identity using your measurements or other unique characteristics of your body, then logging you in a service, an app, a device and so on. What’s complicated is the technology behind it, so let’s see how it works. --------------------------------------------- https://heimdalsecurity.com/blog/biometric-authentication/ ∗∗∗ Researchers’ Evil Clippy cloaks malicious Office macros ∗∗∗ --------------------------------------------- A team of security researchers has exploited Microsoft’s patchy macro documentation to hide malicious code inside innocent-looking macros. --------------------------------------------- https://nakedsecurity.sophos.com/2019/05/08/researchers-cloak-malicious-off… ∗∗∗ Unternehmen aufgepasst: Bewerbungen mit Schadsoftware in Umlauf ∗∗∗ --------------------------------------------- Generisch gehaltene Mails mit dem Betreff „Bewerbung für Ihre Stellenausschreibung“ werden momentan von Kriminellen verbreitet. Die Nachrichten enthalten ein passwortgeschütztes und somit verschlüsseltes Word-Dokument. Das dazugehörige Passwort ist in der Mail zu finden. Empfänger/innen dürfen den Anhang nicht öffnen. Er enthält Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-aufgepasst-bewerbungen-m… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Elastic Services Controller REST API Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API.The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, kernel, linux-zen, munin, nautilus, perl-email-address, and tcpreplay), Debian (atftp), Fedora (perl-YAML and teeworlds), Mageia (java-1.8.0-openjdk, ldb, libsolv, and putty/filezilla/wxgtk), openSUSE (freeradius-server, libjpeg-turbo, pacemaker, rubygem-actionpack-5_1, wpa_supplicant, and yubico-piv-tool), Red Hat (chromium-browser, container-tools:rhel8, edk2, firefox, flatpak, ghostscript, httpd:2.4, mod_auth_mellon, openwsman, [...] --------------------------------------------- https://lwn.net/Articles/787842/ ∗∗∗ [20190502] - Core - By-passing protection of Phar Stream Wrapper Interceptor ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/vyaXtvewK3I/781-20190502-c… ∗∗∗ [20190501] - Core - XSS in com_users ACL debug views ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/xio2qb8Db2U/780-20190501-c… ∗∗∗ TYPO3-PSA-2019-008: By-passing protection of Phar Stream Wrapper Interceptor ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2019-008/ ∗∗∗ TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2019-007/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Session Management vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-session-management-vu… ∗∗∗ IBM Security Bulletin: Potential CSV injection threat affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4071) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-csv-injecti… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Spring Framework vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: Potential denial of service in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s… ∗∗∗ IBM Security Bulletin: IBM MQ Advanced Cloud Pak is vulnerable to a buffer overflow in the curl command (CVE-2018-16842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-advanced-cloud… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Security vulnerabilities have been identified in IBM Java Runtime and the microcode shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2019
by Daily end-of-shift report 07 May '19

07 May '19

===================== = End-of-Day report = ===================== Timeframe: Montag 06-05-2019 18:00 − Dienstag 07-05-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Confluence Servers Hacked to Install Miners and Rootkits ∗∗∗ --------------------------------------------- After getting pounded with ransomware and malware for deploying distributed denial-of-service (DDoS) attacks, unpatched Confluence servers are now compromised to mine for cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to… ∗∗∗ "7 Tips For Planning ICS Plant Visits" ∗∗∗ --------------------------------------------- As you plan the next visit to your ICS plant(s) with your security team, consider these seven tips. They will maximize time on-site for accurate asset identification, effective cybersecurity awareness that will foster IT and OT relationships for smooth ICS incident response, and highlight new ways to ethically hack your digital and physical security perimeter. --------------------------------------------- http://ics.sans.org/blog/2019/05/06/7-tips-for-planning-ics-plant-visits ∗∗∗ Entschlüsselungstool für Erpressungstrojaner MegaLocker/NamPoHyu verfügbar ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein Gratis-Entschlüsselungstool für eine aktuelle Ransomware veröffentlicht. Der Malware-Entwickler findet das gar nicht witzig. --------------------------------------------- https://heise.de/-4415835 ∗∗∗ Turla LightNeuron: An email too far ∗∗∗ --------------------------------------------- ESET research uncovers Microsoft Exchange malware remotely controlled via steganographic PDF and JPG email attachments --------------------------------------------- https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/ ∗∗∗ WordPress GraphQL plugin exploit ∗∗∗ --------------------------------------------- Third-party plugins are often the security Achilles heel of Content Management Systems (CMS). It seems like not a month goes by without one security researcher or another uncovers a vulnerability in a plugin, undermining the security of the whole platform. --------------------------------------------- https://www.pentestpartners.com/security-blog/wordpress-graphql-plugin-expl… ∗∗∗ Surge of MegaCortex ransomware attacks detected ∗∗∗ --------------------------------------------- New MegaCortex ransomware strain detected targeting the enterprise sector. --------------------------------------------- https://www.zdnet.com/article/sudden-surge-of-megacortex-ransomware-infecti… ∗∗∗ WordPress finally gets the security features a third of the Internet deserves ∗∗∗ --------------------------------------------- WordPress 5.2 released with support for cryptographically-signed updates, a modern cryptographic library. --------------------------------------------- https://www.zdnet.com/article/wordpress-finally-gets-the-security-features-… ===================== = Vulnerabilities = ===================== ∗∗∗ [20190501] - Core - XSS in com_users ACL debug views ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 1.7.0 through 3.9.5 Exploit type: XSS Reported Date: 2019-April-29 Fixed Date: 2019-May-07 CVE Number: CVE-2019-11809 Description The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector. Affected Installs Joomla! CMS versions 1.7.0 through 3.9.5 Solution Upgrade to version 3.9.6 Contact The JSST at the Joomla! Security Centre. Reported By: Jose Antonio --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/xio2qb8Db2U/780-20190501-c… ∗∗∗ Android Security Bulletin - May 2019 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2019-05-01.html ∗∗∗ USN-3969-1: wpa_supplicant and hostapd vulnerability ∗∗∗ --------------------------------------------- wpa vulnerabilityA security issue affects these releases of Ubuntu and its derivatives:Ubuntu 19.04Ubuntu 18.10Ubuntu 18.04 LTSUbuntu 16.04 LTSSummarywpa_supplicant and hostapd could be made to crash if they receivedspecially crafted network traffic. --------------------------------------------- https://usn.ubuntu.com/3969-1/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (389-ds-base, firefox-esr, and symfony), Fedora (poppler), SUSE (audit, ovmf, and webkit2gtk3), and Ubuntu (aria2, FFmpeg, gnome-shell, and sudo). --------------------------------------------- https://lwn.net/Articles/787732/ ∗∗∗ Security Bulletins for TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/typo3-cms/ ∗∗∗ Security Bulletins for TYPO3 Extensions ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/typo3-extensions/ ∗∗∗ Public Services Announcements for TYPO3 ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/public-service-announcements/ ∗∗∗ IBM Security Bulletin: Multiple Java Vulnerabilities Impact IBM Control Center (CVE-2018-3180, CVE-2018-1890) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-java-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2019
by Daily end-of-shift report 06 May '19

06 May '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-05-2019 18:00 − Montag 06-05-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cronjob Backdoors ∗∗∗ --------------------------------------------- Attackers commonly rely on backdoors to easily gain reentry and maintain control over a website. They also use PHP functions to further deepen the level of their backdoors. A good example of this is the shell_exec function which allows plain shell commands to be run directly through the web application, providing attackers with an increased level of control over the environment. --------------------------------------------- https://blog.sucuri.net/2019/05/cronjob-backdoors.html ∗∗∗ WLAN-Presenter-Systeme mit kritischen Sicherheitslücken ∗∗∗ --------------------------------------------- WLAN-Gateways, die in vielen Meeting-Räumen das kabellose Anzeigen von Folien ermöglichen, lassen sich kapern und mit Schadcode verseuchen. --------------------------------------------- https://heise.de/-4413258 ∗∗∗ Erpressungswelle zielt auf öffentliche Git-Repositorys ∗∗∗ --------------------------------------------- Seit einigen Tagen haben Erpresser zahlreiche Repositorys bei GitHub, GitLab und BitBucket gelöscht und fordern Bitcoins für die Wiederherstellung. --------------------------------------------- https://heise.de/-4413576 ∗∗∗ Betrügerische Job-Angebote verführen zur Geldwäsche ∗∗∗ --------------------------------------------- Auf der Suche nach dem neuen Job stoßen Konsument/innen häufig auf betrügerische Angebote, bei denen die Aufgabe aus der Weiterleitung von Geldbeträgen besteht. Nicht immer ist dies bereits in der entsprechenden Jobausschreibung erkennbar. So geschehen auch auf der von Kriminellen übernommenen Website bulldozer-sprachschule.at, wo Bewerber/innen zur Geldwäsche aufgefordert wurden. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-job-angebote-verfuehr… ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity PrinterLogic Flaws Enable Remote Code Execution ∗∗∗ --------------------------------------------- The three flaws enable an unauthenticated attacker to launch remote code execution attacks on printers. --------------------------------------------- https://threatpost.com/printerlogic-remote-code-execution/144383/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jquery, librecad, and phpbb3), Fedora (bubblewrap, java-11-openjdk, libvirt, openssh, and pacemaker), Mageia (virtualbox), openSUSE (chromium, ImageMagick, and java-11-openjdk), and SUSE (openssl-1_1). --------------------------------------------- https://lwn.net/Articles/787599/ ∗∗∗ HPESBHF03769 rev.2 - HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ IBM Security Bulletin: IBM TRIRIGA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data (CVE-2019-4208) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-tririga-is-vulner… ∗∗∗ IBM Security Bulletin: IBM TRIRIGA Application Platform may disclose sensitive information (CVE-2019-4207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-tririga-applicati… ∗∗∗ IBM Security Bulletin: Vulnerability in Pivotal Spring Framework affects IBM TRIRIGA Application Platform (CVE-2018-15786) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-pivo… ∗∗∗ IBM Security Bulletin: IBM TRIRIGA Application Platform could disclose sensitive information (CVE-2018-2008) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-tririga-applicati… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management V2018 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Cúram Social Program Management contains a cross-site request forgery vulnerability in the REST API (CVE-2018-2001) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-curam-social-prog… ∗∗∗ IBM Security Bulletin: Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2018-1890, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-java-vulnerability-af… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Runtime Environment Java™ Version affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities in GNU OpenSSL (1.0.2 series) affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-gn… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2019
by Daily end-of-shift report 03 May '19

03 May '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-05-2019 18:00 − Freitag 03-05-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Decryptor for MegaLocker and NamPoHyu Virus Ransomware Released ∗∗∗ --------------------------------------------- Emsisoft has released a decryptor for the MegaLocker and NamPoHyu Virus ransomware that has been targeting exposed Samba servers. Victims can now use this decryptor to recover their files for free. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/decryptor-for-megalocker-and… ∗∗∗ Informal Expert Group on EU Member States Incident Response Development ∗∗∗ --------------------------------------------- ENISA launches this Call for Participation to invite experts to participate in its expert group. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/informal-e-xpert-group-on-eu-ms… ∗∗∗ 2019: The Return of Retefe ∗∗∗ --------------------------------------------- Retefe is a banking Trojan that historically has routed online banking traffic intended for targeted banks through a proxy instead of the web injects more typical of other bankers. [...] Although Retefe only appeared infrequently in 2018, the banker returned to more regular attacks on Swiss and German victims in April of 2019 with both a Windows and macOS version. Retefes return to the landscape was marked by several noteworthy changes: [...] --------------------------------------------- https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe ∗∗∗ Abus Funkalarmanlage: Sicherheitslücke erlaubt Klonen von RFID-Schlüsseln ∗∗∗ --------------------------------------------- Erst vergangene Woche enthüllten Sicherheitsforscher drei Sicherheitslücken in Abus Secvest Alarmanlagen. Nun folgt eine weitere. --------------------------------------------- https://heise.de/-4412282 ∗∗∗ D-Link schützt DNS-320 und weitere NAS mit Updates gegen Cr1ptTor-Ransomware ∗∗∗ --------------------------------------------- Die Netzwerkspeicher DNS-320L, DNS-325 und DNS-327L waren anfällig für Angriffe durch den Verschlüsselungstrojaner Cr1ptor. Firmware-Updates sollen das ändern. --------------------------------------------- https://heise.de/-4412656 ∗∗∗ Vulnerabilities Found in Over 100 Jenkins Plugins ∗∗∗ --------------------------------------------- A researcher has discovered vulnerabilities in more than 100 plugins designed for the Jenkins open source software development automation server and many of them have yet to be patched. read more --------------------------------------------- https://www.securityweek.com/vulnerabilities-found-over-100-jenkins-plugins ===================== = Vulnerabilities = ===================== ∗∗∗ Orpak SiteOmat ∗∗∗ --------------------------------------------- This advisory includes mitigations for use of hard-coded credentials, cross-site scripting, SQL injection, missing encryption of sensitive data, code injection, and stack-based buffer overflow vulnerabilities reported in Orpak’s SiteOmat, software for fuel station management. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-01 ∗∗∗ GE Communicator ∗∗∗ --------------------------------------------- This advisory includes mitigations for uncontrolled search path, use of hard-coded credentials, and improper access control vulnerabilities reported in GEs Communicator software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 ∗∗∗ Sierra Wireless AirLink ALEOS ∗∗∗ --------------------------------------------- This advisory includes mitigations for OS command injection, use of hard-coded credentials, unrestricted upload of file with dangerous type, cross-site scripting, cross-site request forgery, information exposure, and missing encryption of sensitive data vulnerabilities reported in the Sierra Wireless AirLink ALEOS products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-4.9 and otrs2), Fedora (gradle, java-1.8.0-openjdk, jetty, kernel, ruby, and runc), openSUSE (dovecot23, jasper, libsoup, ntfs-3g_ntfsprogs, and webkit2gtk3), SUSE (openssl), and Ubuntu (python-gnupg). --------------------------------------------- https://lwn.net/Articles/787413/ ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Releases 1801-w and 1801-y ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2019
by Daily end-of-shift report 02 May '19

02 May '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-04-2019 18:00 − Donnerstag 02-05-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing-Mail hat es auf Ihr Willhaben-Konto abgesehen ∗∗∗ --------------------------------------------- Erneut sind Phishing-Mails Krimineller im Umlauf. Die Mails erwecken den Anschein, von der Kleinanzeigenplattform Willhaben zu stammen und informieren über die Veröffentlichung einer Verkaufsanzeige für eine Samsung Waschmaschine. Empfänger/innen dürfen den Links in der Nachricht nicht folgen und keine Daten eingeben, ansonsten verlieren sie ihr Willhaben-Konto. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-hat-es-auf-ihr-willhab… ∗∗∗ JavaScript card sniffing attacks spread to other e-commerce platforms ∗∗∗ --------------------------------------------- OpenCart, OSCommerce, WooCommerce, Shopify are also being targeted. --------------------------------------------- https://www.zdnet.com/article/javascript-card-sniffer-attacks-spread-to-oth… ∗∗∗ 50,000 enterprise firms running SAP software vulnerable to attack ∗∗∗ --------------------------------------------- 9 out of 10 SAP production systems are believed to be vulnerable to new exploits. --------------------------------------------- https://www.zdnet.com/article/50000-enterprise-firms-running-sap-software-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Treiberinstallation auf Dell-Laptops angreifbar ∗∗∗ --------------------------------------------- Eine auf Dell-Laptops vorinstallierte Windows-Software zur Installation von Treibern öffnet einen lokalen HTTP-Server. Ein Netzwerkangreifer kann das missbrauchen, um Schadsoftware zu installieren. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-treiberinstallation-auf-dell-la… ∗∗∗ Rockwell Automation CompactLogix 5370 ∗∗∗ --------------------------------------------- This advisory includes mitigations for uncontrolled resource consumption and stack-based buffer overflow vulnerabilities reported in Rockwell Automation’s CompactLogix 5370 controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-120-01 ∗∗∗ Citrix SD-WAN Security Update ∗∗∗ --------------------------------------------- An information disclosure vulnerability has been identified in the Citrix SD-WAN Appliance. This vulnerability could allow an unauthenticated attacker to perform a man-in-the-middle attack against management traffic. --------------------------------------------- https://support.citrix.com/article/CTX247735 ∗∗∗ Jetzt patchen: Cisco schließt Lücken in zahlreichen Produkten ∗∗∗ --------------------------------------------- Es ist mal wieder so weit: Netzwerkausrüster Cisco hat zahlreiche Aktualisierungen veröffentlicht. Eine der gepatchten Lücken gilt als kritisch. --------------------------------------------- https://heise.de/-4411599 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libmediainfo, php-horde-horde, and php-horde-turba), SUSE (hostinfo, supportutils, libjpeg-turbo, and openssl), and Ubuntu (dovecot, libpng1.6, and memcached). --------------------------------------------- https://lwn.net/Articles/787232/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (proftpd-dfsg and signing-party), Fedora (php-horde-horde and php-horde-turba), and Ubuntu (php5). --------------------------------------------- https://lwn.net/Articles/787299/ ∗∗∗ Many Vulnerabilities Found in Wireless Presentation Devices ∗∗∗ --------------------------------------------- Researchers at Tenable have discovered a total of 15 vulnerabilities across eight wireless presentation systems, including flaws that can be exploited to remotely hack devices. read more --------------------------------------------- https://www.securityweek.com/many-vulnerabilities-found-wireless-presentati… ∗∗∗ Vuln: Microsoft Visual Studio asm Remote Memory Corruption Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/108122 ∗∗∗ Vuln: Apache Archiva CVE-2019-0214 Arbitrary File Write Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/108124 ∗∗∗ IBM Security Advisories ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Appliance mode vulnerability CVE-2019-6614 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46524395 ∗∗∗ CGNAT/PPTP vulnerability CVE-2019-6611 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K47527163 ∗∗∗ DNS vulnerability CVE-2019-6612 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24401914 ∗∗∗ Appliance mode tmsh vulnerability CVE-2019-6615 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87659521 ∗∗∗ Appliance mode tmsh vulnerability CVE-2019-6616 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82814400 ∗∗∗ SNMP vulnerability CVE-2019-6613 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27400151 ∗∗∗ BIG-IP Resource Administrator vulnerability CVE-2019-6618 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K07702240 ∗∗∗ BIG-IP Resource Administrator vulnerability CVE-2019-6617 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K38941195 ∗∗∗ HTTP/2 ALPN vulnerability CVE-2019-6619 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K94563344 ∗∗∗ NodeJS vulnerability CVE-2018-12120 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K37111863 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2019
by Daily end-of-shift report 30 Apr '19

30 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Montag 29-04-2019 18:00 − Dienstag 30-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ APT trends report Q1 2019 ∗∗∗ --------------------------------------------- This is our latest summary of APT activity, based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. It aims to highlight the significant events and findings that we feel people should be aware of. --------------------------------------------- https://securelist.com/apt-trends-report-q1-2019/90643/ ∗∗∗ Vorsicht vor Bestellungen auf cragoo.at und cragoo.de ∗∗∗ --------------------------------------------- Bei cragoo.de bzw. cragoo.at handelt es sich um einen Online-Shop der Firma TA Retail UG mit sehr breitem Sortiment. Es werden unter anderem Haushaltsgeräte, Technik, Autozubehör, Bauutensilien, Fahrräder, Möbel und Spielzeug angeboten. Doch Vorsicht: Uns erreichen laufend Meldungen verärgerter Konsument/innen, die einen Einkauf per Vorkasse bezahlt, aber keine Lieferung erhalten haben. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bestellungen-auf-cragoo… ∗∗∗ Oracle Weblogic 0day ∗∗∗ --------------------------------------------- Several days ago, information about new Oracle Weblogic Server 0day vulnerability was published [... CVE-2019-2725]. ... One of the SISSDEN goals is to track such a vulnerabilities and answer following questions: How big was the volume of scanning/exploitation? Who is responsible for scanning/exploitation? How was the exploitation executed? --------------------------------------------- https://sissden.eu/blog/oracle-weblogic-0day ===================== = Vulnerabilities = ===================== ∗∗∗ Vuln: ImageMagick Multiple Heap Buffer Overflow Vulnerabilities ∗∗∗ --------------------------------------------- ImageMagick is prone to multiple heap-based buffer-overflow vulnerabilities. An attacker can exploit this issue to cause denial-of-service condition and obtain sensitive information. --------------------------------------------- http://www.securityfocus.com/bid/108102 ∗∗∗ Insufficient Privilege Validation in WooCommerce Checkout Manager ∗∗∗ --------------------------------------------- Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately. --------------------------------------------- https://blog.sucuri.net/2019/04/insufficient-privilege-validation-in-woocom… ∗∗∗ Schwachstelle in Revive Adserver kann Schadcode-Auslieferung ermöglichen ∗∗∗ --------------------------------------------- Der Werbeanzeigen-Server Revive Adserver ist über zwei Schwachstellen angreifbar; eine davon gilt als kritisch. Version 4.2.0 ist abgesichert. --------------------------------------------- https://heise.de/-4410423 ∗∗∗ Forscher finden Schwachstellen in E-Mail-Signaturprüfung ∗∗∗ --------------------------------------------- Sicherheitsforscher der Fachhochschule Münster und der Ruhr-Universität Bochum haben Schwachstellen in den Implementierungen der weitverbreiteten E-Mail-Verschlüsselungsstandards S/MIME und OpenPGP gefunden --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Signaturfae… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, openwsman, and ovmf), Debian (gst-plugins-base1.0 and libvirt), Fedora (libX11, poppler, python-urllib3, samba, and wpewebkit), openSUSE (GraphicsMagick), SUSE (atftp, glibc, libssh2_org, and wpa_supplicant), and Ubuntu (wavpack). --------------------------------------------- https://lwn.net/Articles/787158/ ∗∗∗ Foxit Phantom PDF Suite: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen im Foxit Reader und der Foxit Phantom PDF Suite ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen, einen Denial of Service Angriff durchzuführen oder vertrauliche Daten einzusehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0359 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2018-1902) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-transformat… ∗∗∗ IBM Security Bulletin: A vulnerability affects the IBM FlashSystem 840 and 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-affec… ∗∗∗ IBM Security Bulletin: Security vulnerability affects Rational Engineering Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Planning Analytics (CVE-2018-3180, CVE-2013-1624, CVE-2018-1933, CVE-2015-1832, CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ HPESBHF03929 rev.1 - HPE Superdome Flex Server, Local Denial of Service, Disclosure of Information, and Escalation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2019
by Daily end-of-shift report 29 Apr '19

29 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-04-2019 18:00 − Montag 29-04-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GitHub-Hosted Magecart Card Skimmer Found on Hundreds of Stores ∗∗∗ --------------------------------------------- Malicious actors compromised the Magento installations of a few hundred e-commerce websites and injected them with Magecart skimmer scripts hosted on GitHub. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-hosted-magecart-card-… ∗∗∗ Old Vulnerabilities Are Still Good Tricks for Todays Attacks ∗∗∗ --------------------------------------------- The value of a security vulnerability drops significantly the moment it gets patched but the bad guys will keep exploiting it for as long as they can find victims that are worth the effort. --------------------------------------------- https://www.bleepingcomputer.com/news/security/old-vulnerabilities-are-stil… ∗∗∗ Typo 3 Spam Infection ∗∗∗ --------------------------------------------- Here at Sucuri most of the malware that we deal with is on CMS platforms like: WordPress, Joomla, Drupal, Magento, and others. But every now and then we come across something a little different. Blackhat SEO Infection in Typo3 Just recently, I discovered a website using the Typo3 CMS that had been infected with a blackhat SEO spam infection: [...] --------------------------------------------- https://blog.sucuri.net/2019/04/typo-3-spam-infection.html ∗∗∗ Schwachstellen in P2P-Komponente: Zwei Millionen IoT-Geräte angreifbar ∗∗∗ --------------------------------------------- Angreifer könnten sich Fernzugriff auf IP-Kameras, smarte Türklingeln und Co. verschaffen. Ein Forscher rät zum Wegwerfen, nennt aber auch einen Workaround. --------------------------------------------- https://heise.de/-4409298 ∗∗∗ A Crash-Course in Card Shops ∗∗∗ --------------------------------------------- The notorious Joker's Stash is perhaps the best-known of many illicit shops in the deep & dark web (DDW) that specialize in, and serve as a primary means through which cybercriminals obtain, stolen payment card data. Commonly referred to as card shops, these shops can also be invaluable resources for those seeking to better understand and combat fraud and cybercrime. read more --------------------------------------------- https://www.securityweek.com/crash-course-card-shops ∗∗∗ So schützen Sie sich vor Phishing-Versuchen ∗∗∗ --------------------------------------------- Beim Phishing versuchen Kriminelle mittels gefälschter E-Mails, Websites und Chat-Nachrichten, sensible Daten von Internetuser/innen abzugreifen. Durch einfach zu treffende Vorkehrungen und ein wachsames Auge kann vermieden werden, auf derartige Betrugsmaschen hereinzufallen. Dies ist wichtig, denn durch falsches Handeln können mitunter hohe finzielle Verluste entstehen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-phishing-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle patcht kritische Lücke in WebLogic Server außer der Reihe ∗∗∗ --------------------------------------------- Angreifer könnten WebLogic Server mit vergleichsweise wenig Aufwand attackieren und übernehmen. Nun hat Oracle Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-4409153 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, libpng, and openssh), Debian (checkstyle, evolution, gst-plugins-base0.10, gst-plugins-base1.0, imagemagick, libpng1.6, monit, and systemd), Fedora (aria2, php-symfony, php-symfony3, php-symfony4, and python-jinja2), openSUSE (ceph, libssh2_org, libvirt, php7, python3, samba, wget, and xerces-c), Red Hat (rh-python35-python), Slackware (bind), SUSE (libssh2_org), and Ubuntu (evince, gst-plugins-base0.10, gst-plugins-base1.0, and [...] --------------------------------------------- https://lwn.net/Articles/787052/ ∗∗∗ IBM Security Bulletin: IBM StoredIQ is affected by potential Host Header Injection (CVE-2019-4166) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-storediq-is-affec… ∗∗∗ IBM Security Bulletin: Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2018-15756) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-spri… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin : IBM Storwize V7000 Unified is affected by denial of service vulnerability in GPFS (CVE-2018-1783) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-storwize-v7000-un… ∗∗∗ IBM Security Bulletin : IBM Storwize V7000 Unified is affected by arbitry file read vulnerability in GPFS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-storwize-v7000-un… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities in IBM® Java SDK affect Rational Method Composer March 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2019
by Daily end-of-shift report 26 Apr '19

26 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-04-2019 18:00 − Freitag 26-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Getting in the Zone: dumping Active Directory DNS using adidnsdump ∗∗∗ --------------------------------------------- Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about host in the network. What not many people know however is that if Active Directory integrated DNS is used, any [...] --------------------------------------------- https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-direc… ∗∗∗ Service Accounts Redux - Collecting Service Accounts with PowerShell ∗∗∗ --------------------------------------------- Back in 2015 I wrote up a "find the service accounts" story - https://isc.sans.edu/forums/diary/Windows+Service+Accounts+Why+Theyre+Evil+… (yes, it really has been that long). The approach I wrote up then used WMIC. Those scripts saw a lot of use back in the day, but dont reflect the fastest or most efficient way to collect this information - I thought today was a good day to cover how to do this much quicker in PowerShell. --------------------------------------------- https://isc.sans.edu/forums/diary/Service+Accounts+Redux+Collecting+Service… ∗∗∗ Statistik: Deutlich mehr Malware für den Mac ∗∗∗ --------------------------------------------- Laut Angaben des Sicherheitsunternehmens Malwarebytes nehmen die Angriffe auf macOS-User zu. Besonders Adware wird zum Problem. --------------------------------------------- https://heise.de/-4408038 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Sierra Wireless AirLink ES450 ∗∗∗ --------------------------------------------- Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems. These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator's password and expose user credentials, among [...] --------------------------------------------- https://blog.talosintelligence.com/2019/04/vulnerability-sierra-airlink.html ∗∗∗ Vorsicht vor Betrugs-Mails mit vermeintlichen Rechnungen ∗∗∗ --------------------------------------------- Konsument/innen und Unternehmen erhalten E-Mails, die auf Links zu angeblichen Rechnungen verweisen. Die Betroffenen werden beispielsweise aufgefordert die Rechnungen zu bezahlen oder deren Inhalt zu überprüfen. Wer den Links folgt landet auf betrügerischen Websites, die versuchen, Systeme mit Schadsoftware zu infizieren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betrugs-mails-mit-verme… ∗∗∗ An inside look at how credential stuffing operations work ∗∗∗ --------------------------------------------- Data breaches, custom software, proxies, IoT botnets, and hacking forums -- all play a role. --------------------------------------------- https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-ope… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension ∗∗∗ --------------------------------------------- If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store. A WordPress security company - called "Plugin Vulnerabilities" - that recently gone rogue in order to protest against moderators of the WordPress's official support forum has once [...] --------------------------------------------- https://thehackernews.com/2019/04/wordpress-woocommerce-security.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gpac and mercurial), Fedora (kernel-headers and kernel-tools), openSUSE (GraphicsMagick, kauth, lxc, lxcfs, python, qemu, and xmltooling), SUSE (freeradius-server, ImageMagick, libvirt, samba, and wireshark), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/786884/ ∗∗∗ Synology-SA-19:20 ISC BIND ∗∗∗ --------------------------------------------- CVE-2018-5743 allows remote attackers to conduct denial-of-service attacks via a susceptible version of DNS Server.DNS Server is not affected by CVE-2019-6947 and CVE-2019-6948 as these vulnerabilities only affect ISC BIND 9.10.5 and later. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_20 ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190424-… ∗∗∗ IBM Cognos Business Intelligence: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0354 ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2019 – Includes Oracle Jan 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM® Java Runtime and Liberty affect IBM BigFix Remote Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2018-20346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulneraqbility-in-s… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerability GNU C Library (CVE-2018-16429) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Cloud Manager with OpenStack is affected by a OpenSSL vulnerabilities (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-manager-wit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libtirpc (CVE-2018-14622 CVE-2018-14621) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSH ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSL (CVE-2018-0732 CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2019
by Daily end-of-shift report 25 Apr '19

25 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-04-2019 18:00 − Donnerstag 25-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ ExtraPulsar backdoor based on leaked NSA code – what you need to know ∗∗∗ --------------------------------------------- A US security researcher has come up with an open-source Windows backdoor loosely based on NSA attack code that leaked back in 2017. --------------------------------------------- https://nakedsecurity.sophos.com/2019/04/25/extrapulsar-backdoor-based-on-l… ∗∗∗ Android-App "WiFi Finder" leakte private WLAN-Passwörter ∗∗∗ --------------------------------------------- Auf über 100.000 Handys half WiFi Finder beim Verbinden mit öffentlichen Hotspots. In vielen Fällen sammelte die App aber auch private Zugangsdaten. --------------------------------------------- https://heise.de/-4405783 ∗∗∗ Jetzt patchen! Erpressungstrojaner Gandcrab frisst sich durch Confluence-Lücke ∗∗∗ --------------------------------------------- Die Angriffe auf Confluence weiten sich aus. Derzeit versuchen Angreifer verwundbare Systeme mit der Ransomware Gandcrab zu infizieren. --------------------------------------------- https://heise.de/-4407102 ∗∗∗ JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan ∗∗∗ --------------------------------------------- Malware loaders are playing an increasingly important role in malware distribution. They give adversaries the ability to gain an initial foothold on a system and are typically used to deliver various malware payloads following successful compromise. These attacks are popping up more frequently, as we covered in July with Smoke Loader and Brushaloader earlier this year. --------------------------------------------- https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html ∗∗∗ Erpressungs-E-Mail von mir selbst ∗∗∗ --------------------------------------------- Momentan versenden Kriminelle E-Mails, in denen Sie behaupten Ihre Webcam gehackt und Sie beobachtet zu haben. Sie hätten angeblich Videomaterial, das Sie beim Masturbieren zeigt. Ihnen droht eine Veröffentlichung des Films, wenn Sie nicht einen bestimmten Geldbetrag in Form von Bitcoins überweisen. Weiters scheint es so, als hätten die Kriminellen die E-Mail von Ihrem Account aus an Sie selbst versendet. Bleiben Sie ruhig, es handelt sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/news/erpressungs-e-mail-von-mir-selbst/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Vulnerability Alert - WebLogic Zero Day, (Thu, Apr 25th) ∗∗∗ --------------------------------------------- The news today is full of a new deserialization vulnerability in Oracle WebLogic. This affects all current versions of the product (the POC is against 10.3, but 12.x versions are also affected). The vulnerability affects the wls9_async_response package (which is not included by default in all builds), so the workaround is to either ACL the Z/_async/* and /wls-wsat/* paths, or delete wls9_async_response.war. A successful attack gets the attacker remote code exec on the vulnerable server. --------------------------------------------- https://isc.sans.edu/diary/rss/24880 ∗∗∗ Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores ∗∗∗ --------------------------------------------- Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware. On some devices, Qualcomms TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA keys. --------------------------------------------- https://www.nccgroup.trust/us/our-research/private-key-extraction-qualcomm-… ∗∗∗ New security release versions of BIND are available: 9.11.6-P1, 9.12.4-P1, and 9.14.1 ∗∗∗ --------------------------------------------- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective CVE-2019-6467: An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c CVE-2019-6468: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2019-April/001126.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (putty and systemd), Fedora (kernel, kernel-headers, and kernel-tools), Gentoo (ming and qemu), openSUSE (openexr and slurm), SUSE (ImageMagick, jasper, ntfs-3g_ntfsprogs, openssh, and webkit2gtk3), and Ubuntu (php5 and tcpflow). --------------------------------------------- https://lwn.net/Articles/786749/ ∗∗∗ TIBCO Security Advisories ∗∗∗ --------------------------------------------- https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… ∗∗∗ BIND vulnerability CVE-2018-5743 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74009656 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by information disclosure vulnerability (CVE-2019-6157) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-manage… ∗∗∗ IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2019-4047) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2018-2004) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by weak cryptographic algorithms (CVE-2018-2007) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM Security SiteProtector System is affected by Apache HTTP Server vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-siteprot… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in GNU C Library (CVE-2017-15804 CVE-2017-15670 CVE-2015-5180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in xorg-x11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerability in cURL (CVE-2018-14618) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2018-11236) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-manage… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2019
by Daily end-of-shift report 24 Apr '19

24 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-04-2019 18:00 − Mittwoch 24-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Hosted in Google Sites Sends Data to MySQL Server ∗∗∗ --------------------------------------------- Security researchers found malware hosted on the Google Sites platform for building websites. The threat is a dropper for an information stealer that sends data to a MySQL server controlled by the attacker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-hosted-in-google-sit… ∗∗∗ Qbot Malware Dropped via Context-Aware Phishing Campaign ∗∗∗ --------------------------------------------- A phishing campaign dropping the Qbot banking Trojan with the help of delivery emails camouflaging as parts of previous conversations was spotted during late March 2019 by the JASK Special Operations team. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-malware-dropped-via-con… ∗∗∗ Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators ∗∗∗ --------------------------------------------- Ever been in an internal security assessment or penetration test, and need to list all domain admins? First of all, why would you need to do that? All to often, you'll find that way too many people have domain admins - you know, "just in case" --------------------------------------------- https://isc.sans.edu/forums/diary/Where+have+all+the+Domain+Admins+gone+Roo… ∗∗∗ Sighting of Mythical New Shadowserver Website Confirmed! ∗∗∗ --------------------------------------------- After over a decade over operations, the Shadowserver Foundation finally launches a shiny new website. The new site hopefully better explains to the public our values, free services and constituents, and what we continue to do to improve the overall security of the Internet. Our team, focus and mission remain otherwise unchanged. But we may hopefully spare ourselves the occasional embarrassing question! --------------------------------------------- https://www.shadowserver.org/news/sighting-of-mythical-new-shadowserver-web… ∗∗∗ DNSpionage brings out the Karkoff ∗∗∗ --------------------------------------------- Cisco Talos publishes new information about the still ongoing DNSpionage campaign. --------------------------------------------- https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.ht… ∗∗∗ BSI warnt vor gezielten Ransomware-Angriffen auf Unternehmen ∗∗∗ --------------------------------------------- Derzeit registriert das Bundesamt für Sicherheit in der Informationstechnik (BSI) verstärkt Netzwerkkompromittierungen bei Unternehmen, die mit der manuellen und gezielten Ausführung eines Verschlüsselungstrojaners (Ransomware) enden. Dabei verschaffen sich die Angreifer mittels breit angelegter Spam-Kampagnen wie Emotet zunächst Zugang zu einzelnen Unternehmensnetzwerken [...] --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/BSI_warnt_v… ∗∗∗ CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis ∗∗∗ --------------------------------------------- In the previous installment, we wrote about how string hashing was used in CARBANAK to manage Windows API resolution throughout the entire codebase. But the authors used this same string hashing algorithm for another task as well. In this installment, we’ll pick up where we left off and write about CARBANAK’s antivirus (AV) detection, AV evasion, authorship artifacts, exploits, secrets, and network-based indicators. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-… ∗∗∗ Honeypot types deployed in SISSDEN ∗∗∗ --------------------------------------------- The SISSDEN sensor network is composed of VPS provider hosted nodes (procured at a cost from the VPS providers) and nodes donated to the project by third-parties acting as endpoints. These VPS nodes are not the actual honeypots themselves. Instead, they act as transparent layer 2 tunnels to the [...] --------------------------------------------- https://sissden.eu/blog/honeypots-deployed ===================== = Vulnerabilities = ===================== ∗∗∗ Fujifilm FCR Capsula X/Carbon X ∗∗∗ --------------------------------------------- This medical advisory includes mitigations for uncontrolled resource consumption and improper access control vulnerabilities reported in Fujifilm’s FCR Capsula X and Carbon X Computed Radiography cassette readers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-19-113-01 ∗∗∗ Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers ∗∗∗ --------------------------------------------- This advisory includes mitigations for an open redirect vulnerability reported in Rockwell Automation’s MicroLogix 1400 and CompactLogix 5370 controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-113-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, flashplugin, ghostscript, and jenkins), Fedora (glpi, hostapd, python-urllib3, and znc), openSUSE (apache2, audiofile, libqt5-qtvirtualkeyboard, php5, and SDL2), Scientific Linux (kernel), SUSE (curl and dovecot23), and Ubuntu (advancecomp and freeradius). --------------------------------------------- https://lwn.net/Articles/786629/ ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in cURL (CVE-2018-16840 CVE-2018-16842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: API Connect V5 is impacted by vulnerabilities in Bootstrap (CVE-2018-14040 CVE-2018-14041 CVE-2018-14042) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v5-is-imp… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Multiple Websphere Vulnerabilities Impact IBM Control Center (CVE-2018-3169, CVE-2014-7810, CVE-2018-1767) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-websphere-vu… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Data Quality Exception Console is affected by a Reflected XSS (Cross-Site Scripting) vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-data-q… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, and Ruby on Rails affect BigFix Compliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Build Forge (CVE-2018-1890;CVE-2019-2426;CVE-2018-3139;CVE-2018-3180;CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libjpeg ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2019
by Daily end-of-shift report 23 Apr '19

23 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-04-2019 18:00 − Dienstag 23-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Operation ShadowHammer: a high-profile supply chain attack ∗∗∗ --------------------------------------------- In late March 2019, we briefly highlighted our research on ShadowHammer attacks, a sophisticated supply chain attack involving ASUS Live Update Utility. Now it is time to share more details about the research with our readers. --------------------------------------------- https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-a… ∗∗∗ IT Security Guidelines for Transport Layer Security (TLS) ∗∗∗ --------------------------------------------- These guidelines are intended to aid during procurement, set-up and review of configurations of the Transport Layer Security protocol (TLS). TLS is the most popular protocol to secure connections on the Internet. --------------------------------------------- https://www.ncsc.nl/english/current-topics/factsheets/it-security-guideline… ∗∗∗ Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts ∗∗∗ --------------------------------------------- We recently discovered malicious Microsoft Software Installation (MSI) files that download and execute other files, and could bypass traditional security solutions. Malicious actors can abuse custom actions in these files to execute malicious scripts and drop malware that are either capable of initiating a system shutdown or targeting financial systems located in certain locations.The post Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-… ∗∗∗ CARBANAK Week Part One: A Rare Occurrence ∗∗∗ --------------------------------------------- It is very unusual for FLARE to analyze a prolifically-used, privately-developed backdoor only to later have the source code and operator tools fall into our laps. Yet this is the extraordinary circumstance that sets the stage for CARBANAK Week, a four-part blog series that commences with this post. CARBANAK is one of the most full-featured backdoors around. It was used to perpetrate millions of dollars in financial crimes, largely by the group we track as FIN7. In 2017, Tom Bennett and Barry --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-… ∗∗∗ So erkennen Sie Fake-Shops bevor es zu spät ist! ∗∗∗ --------------------------------------------- Auf der Schnäppchenjagd im Internet stoßen Konsument/innen häufig auf Online-Shops, die trotz Bezahlung keine Ware liefern. Kurz gesagt: Fake-Shops. Diese Webseiten werden von Kriminellen betrieben, die es ausschließlich auf das Geld ihrer Opfer abgesehen haben. Bezahlungen erfolgen per Vorkasse und die überwiesenen Beträge sind verloren. Das Erkennen von Fake-Shops ist oft schwierig, mit unseren Tipps aber nicht unmöglich! --------------------------------------------- https://www.watchlist-internet.at/news/so-erkennen-sie-fake-shops-bevor-es-… ∗∗∗ Trojanized TeamViewer used in government, embassy attacks across Europe ∗∗∗ --------------------------------------------- The remote desktop software is being weaponized to gain access to victim systems. --------------------------------------------- https://www.zdnet.com/article/trojanized-teamviewer-used-in-government-poli… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.8.0-openjdk and java-11-openjdk), Debian (clamav, debian-security-support, and drupal7), Fedora (egl-wayland, elementary-camera, elementary-code, elementary-terminal, ephemeral, geocode-glib, gnome-characters, gnome-shell-extension-gsconnect, group-service, libmodulemd, libxmlb, mate-user-admin, mesa, meson, mpris-scrobbler, reportd, switchboard-plug-display, switchboard-plug-pantheon-shell, wingpanel, and wireshark), openSUSE (blueman and glibc), Red Hat (java-1.7.0-openjdk). --------------------------------------------- https://lwn.net/Articles/786458/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.7.0-openjdk), Debian (ghostscript and wget), Gentoo (apache, glib, opendkim, and sqlite), Red Hat (kernel, kernel-alt, kernel-rt, ovmf, polkit, and python27-python), Scientific Linux (java-1.7.0-openjdk), and SUSE (php72). --------------------------------------------- https://lwn.net/Articles/786538/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - April 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Malware-Verteiler werden immer jünger, infizieren sich oft selbst ∗∗∗ --------------------------------------------- https://heise.de/-4403823 ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-v ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-1901) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2017-15804) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-manage… ∗∗∗ IBM Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2014-7810) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integration-bus-i… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211 CVE-2019-0220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Potential vulnerability related to Unsafe Deserialization in Apache Solr shipped with IBM Operations Analytics – Log Analysis (CVE-2019-0192) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-vulnerabili… ∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2019-4146, CVE-2019-4222) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities CVE-2018-5744 CVE-2019-6465 and CVE-2018-5745. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-… ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Content Navigator is affected by an open redirect vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-bulletin-ibm… ∗∗∗ IBM Security Bulletin: Multiple Cross-Site Scripting Vulnerabilities Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-cross-site-s… ∗∗∗ IBM Security Bulletin: Public disclosed vulnerability from SQLite CVE-2018-20346 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-public-disclosed-vuln… ∗∗∗ IBM Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Weak Cryptographic Algorithm Vulnerability Affects IBM Sterling B2B Integrator (CVE-2018-1720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-weak-cryptographic-al… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2019
by Daily end-of-shift report 19 Apr '19

19 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-04-2019 18:00 − Freitag 19-04-2019 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Wipro Intruders Targeted Other Major IT Firms ∗∗∗ --------------------------------------------- The criminals responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, Indias third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant -- two other large technology consulting companies, new evidence suggests. --------------------------------------------- https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it… ∗∗∗ Threat Source (April 18): New attacks distribute Formbook, LokiBot ∗∗∗ --------------------------------------------- Newsletter compiled by Jonathan Munshaw.Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week. --------------------------------------------- https://blog.talosintelligence.com/2019/04/threat-source-april-18-new-attac… ∗∗∗ DNS Hijacking Abuses Trust In Core Internet Service ∗∗∗ --------------------------------------------- Authors: Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres.Update 4/18: A correction has been made to our research based on feedback from Packet Clearing House, we thank them for their assistancePrefaceThis blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the [...] --------------------------------------------- https://blog.talosintelligence.com/2019/04/seaturtle.html ∗∗∗ What did Ransomware do in March? ∗∗∗ --------------------------------------------- According to the monitoring of 360 Brain of Safety, the overall attack trend of Ransomware in March is relatively stable. There is no new large-scale...The post What did Ransomware do in March? appeared first on 360 Total Security Blog. --------------------------------------------- https://blog.360totalsecurity.com/en/what-did-ransomware-do-in-march/ ∗∗∗ Daily Emotet IoCs and Notes for 04/17-18/19 ∗∗∗ --------------------------------------------- Emotet Malware Document links/IOCs for 04/17-18/19 as of 04/19/19 02:00 EDTNotes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.Epoch 1 Document/Downloader links seen for [...] --------------------------------------------- https://paste.cryptolaemus.com/emotet/2019/04/18/18-emotet-malware-IoCs_04-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (atomic-reactor and osbs-client), openSUSE (libqt5-qtbase, lxc, tar, wget, and xmltooling), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (php5), and Ubuntu (znc). --------------------------------------------- https://lwn.net/Articles/786299/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos TM1 (CVE-2018-3180, CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Insight (CVE-2018-3180, CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2019
by Daily end-of-shift report 18 Apr '19

18 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-04-2019 18:00 − Donnerstag 18-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure ∗∗∗ --------------------------------------------- A malicious campaign targeting entities from North America, Europe, Asia, and the Middle East during March used a combination of pages hosted on Bit.ly, BlogSpot, and Pastebin to create a command-and-control (C2) infrastructure designed to avoid getting blocked by security solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revengerat-distributed-via-b… ∗∗∗ Malware Sample Delivered Through UDF Image ∗∗∗ --------------------------------------------- So be careful with .img files! They should also be added to the list of prohibited file extensions in your mail relays or change the file association in your Windows environments to NOT open them Windowd Explorer. --------------------------------------------- https://isc.sans.edu/forums/diary/Malware+Sample+Delivered+Through+UDF+Imag… ∗∗∗ keysmix.com stiehlt Steam-Accounts ∗∗∗ --------------------------------------------- Gamer/innen aufgepasst: Auf Steam kommt es momentan zu Phishing-Versuchen. Accounts aus dem eigenen Freundeskreis versenden Nachrichten, die ein gratis Spiel für Neuanmeldungen versprechen. Die Links führen zu keysmix.com. Wer sich auf der Website mit dem Steam-Login anmeldet, wird Opfer eines Datendiebstahls und verliert den eigenen Steam-Account. --------------------------------------------- https://www.watchlist-internet.at/news/keysmixcom-stiehlt-steam-accounts/ ∗∗∗ media-shopping.org – zu schön, um wahr zu sein ∗∗∗ --------------------------------------------- Im Online-Shop media-shopping.org finden Sie Elektroartikel zu unschlagbaren Preisen. Zusätzlich erhalten Sie auf Ihre Bestellung angeblich einen Rabatt von 30 Euro. Ein Angebot dieser Art ist leider zu schön, um wahr zu sein! media-shopping.org ist ein Fake-Shop, der keine Ware liefert. --------------------------------------------- https://www.watchlist-internet.at/news/media-shoppingorg-zu-schoen-um-wahr-… ===================== = Vulnerabilities = ===================== ∗∗∗ Broadcom WiFi chipset drivers contain multiple vulnerabilities ∗∗∗ --------------------------------------------- The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities --------------------------------------------- https://www.kb.cert.org/vuls/id/166939/ ∗∗∗ OpenSSH 8.0 released ∗∗∗ --------------------------------------------- This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. --------------------------------------------- https://lwn.net/Articles/786236/ ∗∗∗ Sicherheitsupdates: Mehrere Lücken in Drupal geschlossen ∗∗∗ --------------------------------------------- In aktualisierten Versionen haben die Drupal-Entwickler Schwachstellen geschlossen. Der Bedrohungsgrad gilt als "mittelschwer". --------------------------------------------- https://heise.de/-4402364 ∗∗∗ Wichtige Sicherheitsupdates für Cisco Wireless LAN Controller & Co. ∗∗∗ --------------------------------------------- Cisco hat jede Menge Patches für verschiedene Netzwerkgeräte veröffentlicht. Nur eine Schwachstelle gilt als "kritisch". --------------------------------------------- https://heise.de/-4402425 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (polkit), Gentoo (dovecot, libseccomp, and patch), openSUSE (aubio, blktrace, flac, lxc, lxcfs, pspp, SDL, sqlite3, and xen), Red Hat (java-1.8.0-openjdk, java-11-openjdk, and rh-maven35-jackson-databind), Scientific Linux (java-1.8.0-openjdk), Slackware (libpng), SUSE (python, python3, sqlite3, and xerces-c), and Ubuntu (ntfs-3g). --------------------------------------------- https://lwn.net/Articles/786235/ ∗∗∗ BSRT-2019-002 Vulnerability in UEM Core Impacts BlackBerry UEM ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM Java Runtime could affect DB2 Query Management Facility (CVE-2018-12547, CVE-2019-2426, CVE-2018-1890, CVE-2018-12549, CVE-2018-11212) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM Java Runtime which affects DataQuant for z/OS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by vulnerability in OpenSSL (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-nextscale-fan-pow… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for UNIX (CVE-2018-0734 and CVE-2018-5407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSSL (CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-manage… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in GNU glibc (CVE-2018-11236) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Information Exposure (CVE-2018-1729) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Packet Capture is vulnerable to publicly disclosed vulnerabilities from [All] Python (CVE-2018-1060, CVE-2018-1061) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-pa… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Packet Capture is vulnerable to a Publicly disclosed vulnerability from GNU glibc (CVE-2018-11237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-pa… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Packet Capture is vulnerable to publicly disclosed vulnerabilities from OpenSSL (CVE-2018-0739, CVE-2018-0732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-pa… ∗∗∗ BIG-IP URL classification vulnerability CVE-2019-6610 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42465020 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2019
by Daily end-of-shift report 17 Apr '19

17 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-04-2019 18:00 − Mittwoch 17-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Microsoft Edge to Warn Users When in Administrator Mode ∗∗∗ --------------------------------------------- The upcoming Chromium-based Microsoft Edge browser will warn users when they launch the browser with administrative privileges and suggest that they relaunch the browser as a non-administrator. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-microsoft-edge-to-warn-u… ∗∗∗ Subdomain Takeover: Microsoft verliert Kontrolle über Windows-Kacheln ∗∗∗ --------------------------------------------- Mit einem Service von Microsoft konnten Webseiten Neuigkeiten auf Windows-Kacheln als sogenannte Windows Live Tiles darstellen. Den Service gibt es nicht mehr, die zugehörige Subdomain konnten wir übernehmen und eigene Kachelinhalte anzeigen. --------------------------------------------- https://www.golem.de/news/subdomain-takeover-microsoft-verliert-kontrolle-u… ∗∗∗ Angriffe auf Confluence - Patch-Stand checken ∗∗∗ --------------------------------------------- Das DFN-CERT warnt vor verstärkten Angriffen auf den Collaboration-Service Confluence. Die nutzen Lücken aus, für die es bereits Patches gibt --------------------------------------------- https://heise.de/-4401658 ∗∗∗ A third-party patch for Microsoft’s Internet Explorer zero-day vulnerability ∗∗∗ --------------------------------------------- Don’t want to wait for Microsoft to fix the problem in how Internet Explorer handles .MHT files? Other security researchers come to the rescue. --------------------------------------------- https://www.grahamcluley.com/third-party-patch-internet-explorer/ ∗∗∗ Betrügerische Job-Angebote führen zu Identitätsdiebstahl und Geldwäsche! ∗∗∗ --------------------------------------------- Immer wieder stoßen Konsument/innen auf verlockende Job-Angebote bei vermeintlichen Marktforschungsinstituten. Als solches stellte sich auch webspection.de dar. Für die Teilnahme an der ersten Umfrage – ein angeblicher Test des Video-Ident-Verfahrens IDnow – mussten Interessent/innen Ausweise und Dokumente an die kriminellen Betreiber/innen weiterleiten. Die Folge: Betrüger/innen verfügen über ein Konto im Namen der Betroffenen und nutzen dieses zur --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-job-angebote-fuehren-… ===================== = Vulnerabilities = ===================== ∗∗∗ Evernote Fixes Remote Code Execution Vulnerability in macOS App ∗∗∗ --------------------------------------------- A local file path traversal vulnerability which allows attackers to run arbitrary code on their targets Macs remotely was fixed by Evernote after receiving a report from security researcher Dhiraj Mishra. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evernote-fixes-remote-code-e… ∗∗∗ Sicherheitslücke: EA Origin führte Schadcode per Link aus ∗∗∗ --------------------------------------------- Ein Klick auf den falschen Link konnte genügen: Die Spieleplattform EA Origin führte über präparierte Links beliebige Software oder Schadcode aus. Auch die Konten der Spieler konnten auf diese Weise übernommen werden. (Origin, Phishing) --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-ea-origin-fuehrte-schadcode-per… ∗∗∗ Delta Industrial Automation CNCSoft ∗∗∗ --------------------------------------------- This advisory includes mitigations for heap-based buffer overflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities reported in Delta Electronics Delta Industrial Automation CNCSoft ScreenEditor software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-106-01 ∗∗∗ Oracle Critical Patch Update Advisory - April 2019 ∗∗∗ --------------------------------------------- Java, MySQL, Solairs, VirtualBox uvam. --------------------------------------------- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html ∗∗∗ Security Advisory - Information Disclosure Vulnerability on Smartphones ∗∗∗ --------------------------------------------- There is an information disclosure vulnerability on certain Huawei smartphones. An attacker could view the photos after a series of operation without unlock the screen lock. Successful exploit could cause an information disclosure condition. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190417-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (mod_auth_mellon), Debian (ghostscript and ruby2.3), openSUSE (dovecot22, gnuplot, and openwsman), Scientific Linux (mod_auth_mellon), SUSE (krb5, openexr, python3, and wget), and Ubuntu (firefox and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/786157/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2019-1559) Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-open… ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a denial of service attack within the TLS key renegotiation functions (CVE-2019-4055) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in OpenSSL (CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2019
by Daily end-of-shift report 16 Apr '19

16 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Montag 15-04-2019 18:00 − Dienstag 16-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Behavioural aspects of cybersecurity ∗∗∗ --------------------------------------------- Technical cybersecurity measures do not exist in a vacuum and need to operate in harmony with people. Against this backdrop, ENISA publishes a report comprising four evidence-based reviews of human aspects of cybersecurity: two based on the use and effectiveness of models from social science, one on qualitative studies, and one on current practice within organisations. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/behavioural-aspects-of-cybersec… ∗∗∗ The Outlook Winner is Dash ∗∗∗ --------------------------------------------- When trying to abuse the Office groups, I stepped on a single character group Dash “-”. At first, I reserved the group Dash for the mail -(a)example.com as it is somewhat uncommon to see a single “special” character mail address. The next morning (after the creation of this group), I had already received 5 mails. --------------------------------------------- https://blog.ettic.ca/the-outlook-winner-is-dash-ac15dbc4098d ∗∗∗ Adobe Flash security tool Flashmingo debuts in open source community ∗∗∗ --------------------------------------------- In order to maintain adequate levels of security for Flash until its demise, a balance has to be met between spending time and resources auditing the software and the need for analysis. To assist the cause, cybersecurity firm FireEye has released Flashmingo, a framework for the automatic analysis of SWF files. --------------------------------------------- https://www.zdnet.com/article/security-tool-for-flash-flashmingo-released-t… ∗∗∗ Scranos: New Rapidly Evolving Rootkit-Enabled Spyware Discovered ∗∗∗ --------------------------------------------- ... the malware gains persistence on infected machines by installing a digitally-signed rootkit driver. Researchers believe attackers obtained the valid digital code-signing certificate fraudulently, which was originally issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd. and has not been revoked at the time of writing. --------------------------------------------- https://thehackernews.com/2019/04/scranos-rootkit-spyware.html ===================== = Vulnerabilities = ===================== ∗∗∗ New Malicious Medical DICOM Image Files Cause HIPAA Headache ∗∗∗ --------------------------------------------- Malicious DICOM files can be crafted to contain both CT and MRI scan imaging data and potentially dangerous PE executables, a process which can be used by threat actors to hide malware inside seemingly harmless files. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malicious-medical-dicom-… ∗∗∗ Adblock Plus Filters Can Be Exploited to Run Malicious Code ∗∗∗ --------------------------------------------- An exploit has been discovered that could allow ad blocking filter list maintainers for the Adblock Plus, AdBlock, and uBlocker browser extensions to create filters that inject remote scripts into web sites. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/adblock-plus-filters-can-be-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti and libxslt), Fedora (pcsc-lite and samba), Gentoo (gnutls, phpmyadmin, and tiff), openSUSE (apache2, clamav, dovecot23, nodejs10, SDL, and webkit2gtk3), Red Hat (mod_auth_mellon and rh-python36-python), SUSE (firefox, nspr, nss and python), and Ubuntu (libxslt and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/786106/ ∗∗∗ IBM Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: IBM Planning Analytics Local is affected by multiple vulnerabilities (CVE-2018-12116, CVE-2018-12121, CVE-2018-12122, CVE-2018-12123) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-planning-analytic… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in GNU glibc (CVE-2017-15804 CVE-2017-15670 CVE-2015-5180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in PHP (CVE-2018-14851 CVE-2017-9118) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in python (CVE-2018-1061 CVE-2018-1060 CVE-2016-5636) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: Security vulnerability in Apache FOP affects IBM® Rational® Quality Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ glibc vulnerability CVE-2019-9169 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54823184 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2019
by Daily end-of-shift report 15 Apr '19

15 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-04-2019 18:00 − Montag 15-04-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers could read non-corporate Outlook.com, Hotmail for six months ∗∗∗ --------------------------------------------- Hackers and Microsoft seem to disagree on key details of the hack. --------------------------------------------- https://arstechnica.com/?p=1491071 ∗∗∗ Sicherheitslücken und mangelnder Datenschutz: Microsoft patzt bei Office 365 ∗∗∗ --------------------------------------------- Viele Unternehmen sind bereits auf Office 365 umgestiegen. Doch Microsoft schlampt beim Datenschutz und hält sich nicht an Sicherheitsstandards. --------------------------------------------- http://heise.de/-4398584 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Shimo VPNs helper tool ∗∗∗ --------------------------------------------- Discovered by Tyler Bohan of Cisco Talos.OverviewCisco Talos is disclosing a series of vulnerabilities found in the Shimo VPN Helper Tool. Shimo VPN is a popular VPN client for MacOS that can be used to connect multiple VPN accounts to one application. These specific vulnerabilities were found in the "helper tool", a feature that Shimo VPN uses to accomplish some of its privileged work.These vulnerabilities are being released without a patch, per our disclosure policy, after [...] --------------------------------------------- https://blog.talosintelligence.com/2019/04/vulnerability-spotlight-multiple… ∗∗∗ Tic Toc Pwned ∗∗∗ --------------------------------------------- We were recently tipped off that the Australian Tic Toc Track watch was almost undoubtedly just a version of the Gator kids GPS tracking watch. That's the tracker watch which leaked real time kids position data to anyone, it also allowed anyone to silently listen to children through the watch. Creepy! It all started with [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/tic-toc-pwned/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick, jasper, and libssh2), Fedora (kernel, kernel-headers, kernel-tools, nodejs-simple-markdown, and php), openSUSE (netpbm and xen), and SUSE (audiofile, firefox, java-1_7_0-openjdk, libvirt, openssh, and systemd). --------------------------------------------- https://lwn.net/Articles/786031/ ∗∗∗ Security Advisory - Digital Signature Verification Bypass Vulnerability in Some Huawei Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190320-… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-3880 in Samba affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: IBM Algo Credit Manager Is Affected by a Denial of Service Vulnerability in WebSphere Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-algo-credit-manag… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2019
by Daily end-of-shift report 12 Apr '19

12 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-04-2019 18:00 − Freitag 12-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 0day im Internet Explorer: Dateidiebstahl auf Windows-PCs ∗∗∗ --------------------------------------------- Ein Problem im Internet-Explorer gefährdet alle Windows-Nutzer – auch wenn sie den Zombie-Browser nicht nutzen. Microsoft will das jedoch nicht patchen. --------------------------------------------- http://heise.de/-4398797 ∗∗∗ Messenger: Matrix.org-Server gehackt ∗∗∗ --------------------------------------------- Mit Matrix.org ist einer der am meisten genutzten Server des Messengers Matrix gehackt worden. Betroffene sollten umgehend ihr Passwört ändern. Auch der vermeintliche Angreifer gibt Sicherheitstipps auf Github. (Matrix, Instant Messenger) --------------------------------------------- https://www.golem.de/news/messenger-matrix-org-server-gehackt-1904-140655-r… ∗∗∗ Bad news, everyone! New [BGP] hijack attack in the wild ∗∗∗ --------------------------------------------- With this article, we want to show an example of the attack where not only the true attacker was under the question, but the whole list of affected prefixes. Moreover, it again raises concerns about the possible motives for the future attack of this type. --------------------------------------------- https://habr.com/en/company/qrator/blog/447776/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vuln: Multiple VMware Products CVE-2019-5516 Out of Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- VMWare Workstation, VMWare Fusion, VMWare Esxi Multiple VMware products are prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information or cause denial-of-service condition. --------------------------------------------- http://www.securityfocus.com/bid/107878 ∗∗∗ Vuln: Oracle April 2019 Critical Patch Update Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Oracle has released advance notification regarding the April 2019 Critical Patch Update (CPU) to be released on April 16, 2019. The update addresses 296 vulnerabilities --------------------------------------------- http://www.securityfocus.com/bid/107875 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (freerdp, kernel, openssh, and python), Fedora (checkstyle), openSUSE (bluez, file, kernel, and libarchive), SUSE (apache2, curl, ghostscript, libvirt, openssh, and systemd), and Ubuntu (rssh). --------------------------------------------- https://lwn.net/Articles/785841/ ∗∗∗ WAGO Undocumented service access in Series 750-88x and 750-87x devices ∗∗∗ --------------------------------------------- CVE Identifier CVE-2019-10712 Severity 9.8 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-008 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services for Multi-Platform v2.1.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM Algo Credit Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Algo Credit Manager Is Affected by a Pivotal Spring Framework Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-algo-credit-manag… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in cURL (CVE-2018-16840 CVE-2018-16842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in OpenSSH (CVE-2018-15473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and IBM Watson Content Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in python (CVE-2018-14647) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in PHP (CVE-2018-17082) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in X.Org libx11 (CVE-2018-14599 CVE-2018-14598) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ Apache Thrift vulnerability CVE-2018-1320 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36361684 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2019
by Daily end-of-shift report 11 Apr '19

11 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-04-2019 18:00 − Donnerstag 11-04-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Introducing the security configuration framework: A prioritized guide to hardening Windows 10 ∗∗∗ --------------------------------------------- The security configuration framework is designed to help simplify security configuration while still allowing enough flexibility to allow you to balance security, productivity, and user experience. We are defining discrete prescriptive Windows 10 security configurations (levels 5 through 1) to meet many of the common device scenarios we see today in the enterprise. --------------------------------------------- https://www.microsoft.com/security/blog/2019/04/11/introducing-the-security… ∗∗∗ Selfie: reflections on TLS 1.3 with PSK ∗∗∗ --------------------------------------------- TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed Pre Shared Key (PSK). ... We identify a security vulnerability in this TLS 1.3 path, by showing a new reflection attack that we call ``Selfie. The Selfie attack breaks the mutual authentication. It leverages the fact that TLS does not mandate explicit authentication of the server and the client in every message. --------------------------------------------- https://eprint.iacr.org/2019/347 ∗∗∗ Amazon-Phishing-Mail im Umlauf ∗∗∗ --------------------------------------------- Kriminelle geben sich als amazon-Kundenservice aus und versuchen persönliche Daten abzugreifen. Angeblich arbeitet amazon derzeit daran, den Kundendatenschutz zu verbessern und bittet um die Überprüfung der persönlichen Kontodaten. Folgen Nutzer/innen den Anweisungen, übmittlen sie Betrüger/innen sämtliche Daten. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-phishing-mail-im-umlauf/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#192371: Multiple VPN applications insecurely store session cookies ∗∗∗ --------------------------------------------- Virtual Private Networks(VPNs)are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. CWE-311:Missing Encryption of Sensitive Data The following products and versions store the cookie insecurely in log files: - Palo Alto Networks GlobalProtect prior to 4.1.0(CVE-2019-15373)- Pulse Secure Connect Secure prior to 8.1R14,8.2,8.3R6,and 9.0R2 The following products [...] --------------------------------------------- https://kb.cert.org/vuls/id/192371 ∗∗∗ Dragonblood: Angreifer können bei WPA3 unter Umständen WLAN-Passwörter knacken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in der WPA3-Personal-Anmeldung von WLANs erlauben es Angreifern unter bestimmten Umständen, den Traffic von Geräten abzuhören. --------------------------------------------- http://heise.de/-4393108 ∗∗∗ Juniper Networks fixt teils kritische Schwachstellen ∗∗∗ --------------------------------------------- Zahlreiche Netzwerkgeräte von Juniper sind anfällig für Remote-Angriffe. Der Hersteller hat Sicherheitshinweise und Updates veröffentlicht. --------------------------------------------- http://heise.de/-4397797 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, evolution, gnutls, and thunderbird), Debian (wpa), Gentoo (git), Mageia (dovecot, flash-player-plugin, gpac, gpsd, imagemagick, koji, libssh2, libvirt, mariadb, ming, mumble, ntp, python, python3, squirrelmail, and wget), openSUSE (apache2), Red Hat (httpd24-httpd and httpd24-mod_auth_mellon), SUSE (libqt5-qtbase, openldap2, tar, and xmltooling), and Ubuntu (ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 and wpa). --------------------------------------------- https://lwn.net/Articles/785676/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0002.html ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal(V5) is impacted by a critical local file Inclusion vulnerability (CVE-2019-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by a CNI security vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-… ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal(V5) is vulnerable to command injection (CVE-2019-4202) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: Security vulnerability in FlexNet Publisher affects IBM Rational License Key Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services for Multi-Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Check Services for Multi-Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A security vulnerabiltiy has been addressed in IBM Cognos Analytics (CVE-2019-4178) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-is-a… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer used in IBM Business Automation Workflow, IBM Business Process Manager, and IBM WebSphere Lombardi Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ BIG-IP APM URL classification vulnerability CVE-2019-6610 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42465020 ∗∗∗ HPESBHF03912 rev.2 - Certain HPE Servers with a UEFI-based BIOS, Multiple Local Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Apache Tomcat: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0306 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0305 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2019
by Daily end-of-shift report 10 Apr '19

10 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-04-2019 18:00 − Mittwoch 10-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Analysis of a targeted attack exploiting the WinRar CVE-2018-20250 vulnerability ∗∗∗ --------------------------------------------- A complex attack chain incorporating the CVE-2018-20250 exploit and multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines. --------------------------------------------- https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-a… ∗∗∗ Pentesting: Nutzen, Rechtliches und Kosten ∗∗∗ --------------------------------------------- Immer mehr Schwachstellen in Produkten des täglichen Bedarfs wie intelligenten Appliances, Routern und anderen verbundenen Geräten werden publik und Benutzer beginnen die zugrunde liegenden Verfahren (oder deren Fehlen) zu hinterfragen, um ihre privaten Informationen zu schützen. Hier finden Sie eine wichtige und effiziente Methode zur Verbesserung des Sicherheitsniveaus von Netzwerken und diversen Anwendungen. --------------------------------------------- https://sec-consult.com/blog/2019/04/pentesting-nutzen-rechtliches-und-kost… ∗∗∗ A Peek Into the Toolkit of the Dangerous Triton Hackers ∗∗∗ --------------------------------------------- Security firm FireEye is naming a collection of tools it says might help identify more of the digital saboteurs intrusions. --------------------------------------------- https://www.wired.com/story/triton-hacker-toolkit-fireeye ∗∗∗ Umfrage: Unternehmen unterschätzen Gefahr durch Cyber-Sicherheitsvorfälle ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Cyber-Siche… ===================== = Vulnerabilities = ===================== ∗∗∗ Its raining patches, Hallelujah! Microsoft and Adobe put out their latest major fixes ∗∗∗ --------------------------------------------- Hefty patch Tuesday checks in at just under 100 CVEs. For Microsoft, the monthly flaw folder fixes for a total of 74 CVE-listed security bugs in Windows and Office. Of those, 33 are flaws which, if exploited, would allow the attacker to achieve remote code execution. Adobe, meanwhile, has kicked out updates for Acrobat and Reader that address 21 remote code execution flaws in the PDF app. Flash Player also got an update this month. For SAP, the month brings 11 security updates. --------------------------------------------- https://www.theregister.co.uk/2019/04/09/patch_tuesday_april/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (samba and spip), openSUSE (samba), Red Hat (flash-plugin), Scientific Linux (kernel and openssh), SUSE (clamav and xen), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/785466/ ∗∗∗ Vuln: WordPress Wordfence Plugin Unspecified Cross Site Scripting Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/107804 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server in IBM Cloud January 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: BigFix WebUI is affected by vulnerabilities CVE-2019-4013 and CVE-2019-4012 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-bigfix-webui-is-affec… ∗∗∗ IBM Security Bulletin: IBM MQ Console is vulnerable to a man in the middle attack (CVE-2018-1925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-console-is-vul… ∗∗∗ IBM Security Bulletin: BigFix Platform 9.2.x affected by multiple vulnerabilities (CVE-2017-1231, CVE-2018-5407, CVE-2012-5883, CVE-2012-6708, CVE-2015-9251) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-bigfix-platform-9-2-x… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server Liberty affect IBM Spectrum Protect for Workstations Central Administration Console (CVE-2014-7810, CVE-2018-8039, CVE-2018-1901) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2019
by Daily end-of-shift report 09 Apr '19

09 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Montag 08-04-2019 18:00 − Dienstag 09-04-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ShadowHammer-Angriffe zielten auch auf die Gaming-Industrie ∗∗∗ --------------------------------------------- Die Shadowhammer-Attacken 2018 trafen neben ASUS mindestens drei asiatische Spielehersteller. Und damit auch die Rechner von mindestens 96.000 Gamern. --------------------------------------------- http://heise.de/-4367681 ∗∗∗ Duqu Remained Active After Operations Were Exposed in 2011 ∗∗∗ --------------------------------------------- The discovery of Duqu 1.5 shows that the threat actor behind the malware did not go dark — as previously believed — after their operations were exposed by security researchers in 2011. read more --------------------------------------------- https://www.securityweek.com/duqu-remained-active-after-operations-were-exp… ∗∗∗ Probleme bei Buchungen über galahotels.com ∗∗∗ --------------------------------------------- Vorsicht bei Hotelbuchungen über galahotels.com. Uns liegen zahlreiche Berichte zu ausbleibenden Rückzahlungen nach Stornierung und anderen Problemen vor. In den schlimmsten Fällen stehen Betroffene ohne Unterkunft am Zielort da. Da das Unternehmen den Sitz in der Türkei hat, ist eine Rechtsdurchsetzung oft schwierig und der einzige Weg zum eigenen Geld führt häufig über den Kreditkartenanbieter. --------------------------------------------- https://www.watchlist-internet.at/news/probleme-bei-buchungen-ueber-galahot… ∗∗∗ Betrügerische Billa- und Amazon-Umfragen locken in Abo-Falle! ∗∗∗ --------------------------------------------- Vorsicht vor gefälschten E-Mails im Namen von Amazon und Billa, die für die Teilnahme an einer Umfrage Belohnungen versprechen. Konsument/innen, die den Buttons in den Mails folgen, landen auf gefälschten Websites der Unternehmen. Wer die eigenen Daten bekanntgibt, rutscht in eine Abo-Falle und erhält die versprochenen iPhone XS, Samsung Galaxy S10+ oder Gutscheine nie! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-billa-und-amazon-umfr… ∗∗∗ Aktuelle Malspam Kampagne ∗∗∗ --------------------------------------------- CERT.at möchte auf eine aktuelle Malspam-Kampagne hinweisen zu der wir aus ganz Österreich Anfragen erhalten haben. Beschreibung Der Betreff der E-Mails enhält einen Hinweis darauf, dass es sich um eine Rechnung oder einen Scan handelt. Der From-Header ist gefälscht und enthält als angezeigten Namen den lokalen Part der Domäne an die die E-Mail geht. Der Linktext scheint auf ein internes .doc-Dokument zu verweisen, de facto [...] --------------------------------------------- http://www.cert.at/services/blog/20190409151309-2416.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Acrobat and Reader (APSB19-17), Adobe Flash Player (APSB19-19), Adobe Shockwave player (APSB19-20), Adobe Dreamweaver (APSB19-21), Adobe XD (APSB19-22), Adobe InDesign (APSB19-23) ,Adobe Experience Manager Forms (APSB19-24) and Adobe Bridge CC (APSB19-25). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1735 ∗∗∗ DLL injection in Go < 1.12.2 [CVE-2019-9634] ∗∗∗ --------------------------------------------- Golang before 1.12.2 linked against various DLLs that were same-directory injectable and generally its library loading mechanism did not use LoadLibraryEx, allowing the classic DLL injection attacks, especially with regards to executables saved to the Downloads/ folder --------------------------------------------- https://www.openwall.com/lists/oss-security/2019/04/09/1 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler, proftpd-dfsg, suricata, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and wget), Gentoo (clamav, emerge-delta-webrsync, and mailman), openSUSE (bash), Red Hat (kernel and openssh), Scientific Linux (python), SUSE (gnuplot, libtcnative-1-0, and sqlite3), and Ubuntu (clamav, lua5.3, openjdk-7, samba, systemd, and wget). --------------------------------------------- https://lwn.net/Articles/785367/ ∗∗∗ Synology-SA-19:15 Samba ∗∗∗ --------------------------------------------- CVE-2019-3880 allows remote authenticated users to create arbitrary files or obtain sensitive information via a susceptible version of DiskStation Manager (DSM) and Synology Router Manager (SRM).None of Synology products are affected by CVE-2019-3870 as the vulnerability only affect Samba 4.9.0 and later. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_15 ∗∗∗ [20190403] - Core - Object.prototype pollution in JQuery $.extend ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/779-20190403-core-object-proto… ∗∗∗ [20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/778-20190402-core-helpsites-re… ∗∗∗ [20190401] - Core - Directory Traversal in com_media ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/777-20190401-core-directory-tr… ∗∗∗ IBM Security Bulletin: BigFix Platform 9.5.x affected by multiple vulnerabilities (CVE-2019-4013, CVE-2018-5407, CVE-2012-5883, CVE-2012-6708, CVE-2015-9251) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-bigfix-platform-9-5-x… ∗∗∗ SSA-141614 (Last Update: 2019-04-09): Denial-of-Service in SIMOCODE pro V EIP ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-141614.txt ∗∗∗ SSA-307392 (Last Update: 2019-04-09): Denial-of-Service in OPC UA in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-307392.txt ∗∗∗ SSA-324467 (Last Update: 2019-04-09): OS Command Injection in Spectrum Power 4.7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-324467.txt ∗∗∗ SSA-436177 (Last Update: 2019-04-09): Multiple Vulnerabilities in SINEMA Remote Connect ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-436177.txt ∗∗∗ SSA-451142 (Last Update: 2019-04-09): Multiple Vulnerabilities in RUGGEDCOM ROX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-451142.txt ∗∗∗ SSA-480230 (Last Update: 2019-04-09): Denial-of-Service in Webserver of Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-480230.txt ∗∗∗ GnuTLS vulnerability CVE-2015-0294 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54022413 ∗∗∗ GnuTLS vulnerability CVE-2014-8155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53330207 ∗∗∗ SAP Basic Components (BC): Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0279 ∗∗∗ Symantec Endpoint Encryption: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0281 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2019
by Daily end-of-shift report 08 Apr '19

08 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-04-2019 18:00 − Montag 08-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ThinkPHP 5.x - Remote Code Execution Actively Exploited In The Wild ∗∗∗ --------------------------------------------- Earlier this year, we noticed an increase in attacks aiming at ThinkPHP. ThinkPHP is a PHP framework that is very popular in Asia. If you keep track of your site’s activity, the following log may look familiar: ]]> --------------------------------------------- http://labs.sucuri.net/?note=2019-04-08 ===================== = Vulnerabilities = ===================== ∗∗∗ SQL Injection in Duplicate-Page WordPress Plugin ∗∗∗ --------------------------------------------- While investigating the Duplicate Page plugin we have discovered a dangerous SQL Injection vulnerability. It was not being abused externally and impacts over 800,000 sites. It’s urgency is defined by the associated DREAD score that looks at damage, reproducibility, exploitability, affected users, and discoverability. A key contributor to the criticality of this vulnerability is that it’s exploitable by any users with an account on the vulnerable site (regardless of the privileges --------------------------------------------- https://blog.sucuri.net/2019/04/sql-injection-in-duplicate-page-wordpress-p… ∗∗∗ Jetzt patchen: Sicherheitssoftware von Trend Micro birgt kritische Schwachstelle ∗∗∗ --------------------------------------------- Updates für Apex One, OfficeScan und Worry-Free Business Security schützen unter anderem vor Remote-Angriffen. Nutzer sollten die Software zügig aktualisieren. --------------------------------------------- http://heise.de/-4365964 ∗∗∗ Via Dovecot zu Root-Rechten ∗∗∗ --------------------------------------------- Die Entwickler des Linux-Mailservers Dovecot haben einen Fehler gefunden und beseitigt, über den sich ein Angreifer Root-Rechte verschaffen könnte. --------------------------------------------- http://heise.de/-4366806 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (roundup, samba, tryton-server, and wget), Fedora (evolution-data-server, evolution-ews, glpi, ntp, poppler, pspp, and wget), Mageia (advancecomp, cfitsio, firefox, ghostscript, gnutls, libjpeg, libpng, ocaml, python-yaml, ruby-ox, SDL12, and thunderbird), openSUSE (adcli, sssd, go1.11, liblouis, nodejs6, openssl, ovmf, sqlite3, sysstat, thunderbird, tiff, and znc), Red Hat (chromium-browser and python), Slackware (httpd, openjpeg, and wget), SUSE --------------------------------------------- https://lwn.net/Articles/785238/ ∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- CB-K19/0277: Samba: Mehrere Schwachstellen ermöglichen Manipulation von Dateien --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0277 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Metadata Asset Manager is affected by an SQL Injection vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-metada… ∗∗∗ IBM Security Bulletin: IBM Sterling Connect:Direct for UNIX Allows a User with Sudo Access Restricted to Certain Connect:Direct Executable Files to Expand Access Beyond the Restriction (CVE-2018-1903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sterling-connectd… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-1871) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ IBM Security Bulletin: A reflected cross-site scripting (XSS) vulnerability affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-reflected-cross-sit… ∗∗∗ HPESBHF03916 rev.1 - HPE Virtual Connect SE 16Gb Fibre Channel Module for Synergy, Local or Remote Unauthorized Elevation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2019
by Daily end-of-shift report 05 Apr '19

05 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-04-2019 18:00 − Freitag 05-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ This Preinstalled Mobile Security App Delivered Vulnerabilities, Not Protection ∗∗∗ --------------------------------------------- No. 4 global phone maker, Xiaomi, preinstalled a security app called ‘Guard Provider’ that had a major flaw. --------------------------------------------- https://threatpost.com/this-preinstalled-mobile-security-app-delivered-vuln… ∗∗∗ Spammed PNG file hides LokiBot ∗∗∗ --------------------------------------------- Recently we came across a spam message from our traps that looked truly odd when viewed from our Secure Email Gateway console. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png… ∗∗∗ The evolution of phishing kits ∗∗∗ --------------------------------------------- Gone are the days when a phishing page was a single page designed to capture user credentials. Phishing kits have become sophisticated and advanced to evade detection and look more legitimate to the user. In this blog, .. --------------------------------------------- https://www.zscaler.com/blogs/research/evolution-phishing-kits ∗∗∗ Hiding in Plain Sight ∗∗∗ --------------------------------------------- Cisco Talos is continually working to ensure that our threat intelligence not only accounts for the latest threats but also new versions of old threats, such as spam. This often means pursuing cybercriminals wherever they congregate. However, instead of wheeling-and-dealing using hidden servers on .. --------------------------------------------- https://blog.talosintelligence.com/2019/04/hiding-in-plain-sight.html ∗∗∗ Ongoing DNS hijacking campaign targeting consumer routers ∗∗∗ --------------------------------------------- Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect .. --------------------------------------------- https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-ro… ===================== = Vulnerabilities = ===================== ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- This advisory includes mitigations for a use after free vulnerability reported in Omrons CX-Programmer PLC software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01 ∗∗∗ Rockwell Automation Stratix 5400/5410 and ArmorStratix 5700 ∗∗∗ --------------------------------------------- This advisory includes mitigations for an uncontrolled resource consumption vulnerability reported in Rockwell Automations Stratix and ArmorStratix Ethernet switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-094-02 ∗∗∗ Rockwell Automation Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700 ∗∗∗ --------------------------------------------- This advisory includes mitigations for resource management errors and improper input validation vulnerabilities reported in Rockwell Automations Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700 switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-094-03 ∗∗∗ Rockwell Automation Stratix 5950 ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper input validation vulnerability reported in Rockwell Automations Stratix 5950 security appliance products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-094-04 ∗∗∗ ZDI-19-341: (0Day) Hewlett Packard Enterprise Intelligent Management Center navigationTo Expression Language Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-341/ ∗∗∗ ZDI-19-339: (0Day) Hewlett Packard Enterprise Intelligent Management Center faultStatChooseFaultType Expression Language Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-339/ ∗∗∗ ZDI-19-335: (0Day) Hewlett Packard Enterprise Intelligent Management Center perfSelectTask Expression Language Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-335/ ∗∗∗ ZDI-19-334: (0Day) Hewlett Packard Enterprise Intelligent Management Center viewBatchTaskResultDetailFact Expression Language Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-334/ ∗∗∗ HPESBHF03914 rev.1 - Certain HPE Servers with Intel Server Platform Services (SPS) Firmware, Multiple Local Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2019
by Daily end-of-shift report 04 Apr '19

04 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-04-2019 18:00 − Donnerstag 04-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Betrügerische Phishing-Mails sollen Willhaben-Login stehlen ∗∗∗ --------------------------------------------- Kriminelle geben sich als die Kleinanzeigenplattform Willhaben aus und versenden wahllos Phishing-Nachrichten. Willhaben-Nutzer/innen, die die Nachricht in ihrem Posteingang finden, werden über die erfolgreiche Veröffentlichung einer Anzeige für ein Apple Iphone Xs Max informiert. Betroffene dürfen den gefälschten Links in der Nachricht nicht folgen und keine Login-Daten eingeben, ansonsten verlieren sie ihr Willhaben-Konto an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-phishing-mails-sollen… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiGuard/FortiOS: Unprivileged, authenticated user can change the routing settings ∗∗∗ --------------------------------------------- An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing settings of the device via connecting to the ZebOS component. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-18-230 ∗∗∗ HPESBHF03912 rev.1 - Certain HPE Servers with a UEFI-based BIOS, Multiple Local Vulnerabilities ∗∗∗ --------------------------------------------- Security vulnerabilities in UEFI Open Source (EDK2)-based BIOS firmware may allow escalation of privilege, information disclosure or denial of service. Vendors are releasing firmware updates to mitigate these vulnerabilities. --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, golang, and putty), Gentoo (xen), and SUSE (clamav, SM3.1, and SMS3.1). --------------------------------------------- https://lwn.net/Articles/784917/ ∗∗∗ Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV320 and RV325 Routers Weak Credential Encryption Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV320 and RV325 Routers Online Help Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is by Cross Site Scripting(XSS) in Drupal core (CVE-2019-6341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel… ∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is affected by multiple PHP vulnerabilities (CVE-2019-9641 CVE-2019-9637 CVE-2019-9639 CVE-2019-9638) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel… ∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is affected by a cross site scripting vulnerability in Drupal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by vulnerability in the Kubernetes API server (CVE-2019-1002100) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow (CVE-2019-4045) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-spoofing-vulnerabilit… ∗∗∗ IBM Security Bulletin: Cross-site request forgery vulnerability in IBM Business Automation Workflow (CVE-2018-2000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-request-fo… ∗∗∗ IBM Security Bulletin: Information leakage in IBM Business Automation Workflow (CVE-2018-1999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-leakage-i… ∗∗∗ IBM Security Bulletin: Denial of service vulnerability in IBM Business Automation Workflow (CVE-2018-1997) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-denial-of-service-vul… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by sensitive information disclosure (CVE-2019-4051) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: External Service invocation in IBM Business Space affects IBM Business Automation Workflow and IBM Business Process Manager family products (CVE-2018-1885) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-external-service-invo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2019
by Daily end-of-shift report 03 Apr '19

03 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-04-2019 18:00 − Mittwoch 03-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Campaigns Sharing Network Resources: r00ts.ninja ∗∗∗ --------------------------------------------- We recently noticed an interesting example of network infrastructure resources being used over a period of time by more than one large scale malware campaign (e.g redirected traffic, cryptomining). This was discovered when reviewing sources of the various malicious domains used in a recent WordPress plugin exploit wave. --------------------------------------------- https://blog.sucuri.net/2019/04/malware-campaigns-sharing-network-resources… ∗∗∗ Hijacked Email Reply Chains ∗∗∗ --------------------------------------------- Although phishing has been around in various forms since the 1980s, our research shows it continues to evolve—and remains a major threat. These days, phishing tactics have gotten so sophisticated, it can be difficult to spot a scam—particularly in the case of hijacked email reply chains. Let's look at a concrete example. --------------------------------------------- https://www.webroot.com/blog/2019/04/03/hijacked-email-reply-chains/ ∗∗∗ Xwo - A Python-based bot scanner ∗∗∗ --------------------------------------------- Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it "Xwo" - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock. --------------------------------------------- https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scann… ∗∗∗ Vorsicht vor kostenpflichtigen Ping-Anrufen mit der Vorwahl +676! ∗∗∗ --------------------------------------------- Konsument/innen erhalten momentan gehäuft Ping-Anrufe von Nummern mit der Vorwahl +676 oder 00676. Wer verpasste Anrufe derartiger Nummern auf dem Mobiltelefon findet, darf nicht zurückrufen! Es handelt sich um die Ländervorwahl des Inselstaats Tonga und ein Rückruf kann hohe Kosten verursachen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-kostenpflichtigen-ping-… ∗∗∗ T-POT integration to SISSDEN ∗∗∗ --------------------------------------------- The primary data collection mechanism at the heart of the SISSDEN project is a sensor network of honeypots. The sensor network is composed of VPS provider hosted nodes and nodes donated to the project by third-parties acting as endpoints. These VPS nodes/endpoints are not the actual honeypots [...] --------------------------------------------- https://sissden.eu/blog/tpot-integration ∗∗∗ Bashlite IoT malware upgrade lets it target WeMo home automation devices ∗∗∗ --------------------------------------------- New Bashlite version not widely detected, but was spotted infecting devices in the wild. --------------------------------------------- https://www.zdnet.com/article/bashlite-iot-malware-upgrade-lets-it-target-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- This advisory includes mitigations for command injection, stack-based buffer overflow, and improper access control vulnerabilities reported in Advantechs WebAccess SCADA software platform. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2), Fedora (edk2 and tomcat), openSUSE (ansible, ghostscript, lftp, libgxps, libjpeg-turbo, libqt5-qtimageformats, libqt5-qtsvg, libssh2_org, openssl-1_0_0, openwsman, pdns, perl-Email-Address, putty, python-azure-agent, python-cryptography, python-pyOpenSSL, python-Flask, thunderbird, tor, unzip, and wireshark), Scientific Linux (freerdp), Slackware (wget), SUSE (bluez, file, firefox, libsndfile, netpbm, thunderbird, and xen), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/784806/ ∗∗∗ FortiSandbox reflected XSS in the file scan component ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-18-024 ∗∗∗ IBM Security Bulletin: Vulnerabilities affect NVIDIA GPU Display Drivers for Linux and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-affec… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – CVE-2019-4143 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2018-3139, CVE-2018-3180, CVE-2018-12457, CVE-2019-2426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect for Virtual Environments (CVE-2018-3139, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib… ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Backup-Archive Client on Windows and Macintosh (CVE-2018-3139, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib… ∗∗∗ IBM Security Bulletin: Potential Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2018-1901) affects IBM Security AppScan Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-privilege-e… ∗∗∗ IBM Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect for Space Management (CVE-2018-1882) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-v… ∗∗∗ IBM Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2018-1882) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-v… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server OpenID Connect affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2019
by Daily end-of-shift report 02 Apr '19

02 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Montag 01-04-2019 18:00 − Dienstag 02-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ MXSS: Cross-Site-Scripting in der Google-Suche ∗∗∗ --------------------------------------------- Aufgrund subtiler Unterschiede beim Parsen von HTML-Code gelang es einem Sicherheitsforscher, gängige Filtermechanismen zu umgehen. Betroffen waren zwei Javascript-Bibliotheken und die Google-Suche. --------------------------------------------- https://www.golem.de/news/mxss-cross-site-scripting-in-der-google-suche-190… ∗∗∗ Splitting atoms in XNU ∗∗∗ --------------------------------------------- TL;DR A locking bug in the XNU virtual memory subsystem allowed violation of the preconditions required for the correctness of an optimized virtual memory operation. This was abused to create shared memory where it wasnt expected, allowing the creation of a time-of-check-time-of-use bug where one wouldnt usually exist. This was exploited to cause a heap overflow in XPC, which was used to trigger the execution of a jump-oriented payload which chained [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2019/04/splitting-atoms-in-xnu.html ∗∗∗ Information on open source vulnerabilities is as distributed as the community ∗∗∗ --------------------------------------------- [...] a sizable number of the open source vulnerabilities that we see out there are actually being posted and discussed on a wide range of different security advisories and issue trackers. This means that even for relatively popular projects, these red flags may fly beneath the radar. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/information-on-open-so… ∗∗∗ Studie: Angreifer lieben PowerShell ∗∗∗ --------------------------------------------- Microsofts Skript-Sprache ist die am meisten genutzte Angriffstechnik, warnt die Sicherheitsfirma Red Canary. Bei vielen Firmen besteht da noch Nachholbedarf. --------------------------------------------- http://heise.de/-4357396 ∗∗∗ Malware Actors Using New File Hosting Service to Launch Attacks ∗∗∗ --------------------------------------------- Bad actors are leveraging a new file hosting service in order to launch attack campaigns involving FormBook and other malware. Near the end of March, researchers at Deep Instinct observed a new FormBook attack. The infection chain for this campaign began with a phishing email that contains a malicious attachment. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/cyber-s… ∗∗∗ Gefälschte card complete Nachricht zu Kreditkartensperre ∗∗∗ --------------------------------------------- Kriminelle versenden eine erfundene Nachricht im card complete Design. Darin informieren Sie die Empfänger/innen über eine angebliche Sperre des Kreditkartenkontos, die durch Aktualisierung der Daten über einen Link in der E-Mail aufgehoben werden kann. Die Anweisungen dürfen nicht befolgt werden! Andernfalls wird Schadsoftware auf dem Smartphone installiert und die Kreditkartendaten landen bei Verbrecher/innen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-card-complete-nachricht-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Nutzer des Apache-Webservers können Root-Rechte erlangen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Apache-Webserver erlaubt es Nutzern, mit Hilfe von CGI- oder PHP-Skripten Root-Rechte zu erlangen. Ein Update steht bereit. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-nutzer-des-apache-webservers-ko… ∗∗∗ Security Patch: Google beseitigt im April Qualcomm-Sicherheitslücken ∗∗∗ --------------------------------------------- In einer Vorankündigung verweist Google auf ein neues Security Patch Level. Das April-Update schließt viele Lücken und sollte für einige, aber nicht alle aktuellen Android-Geräte erscheinen. Es gibt auch viele Sicherheitslücken, die Qualcomm-basierte Smartphones betreffen. --------------------------------------------- https://www.golem.de/news/security-patch-google-beseitigt-im-april-qualcomm… ∗∗∗ Zero-Day-Lücken in Edge und Internet Explorer – Patches stehen noch aus ∗∗∗ --------------------------------------------- Ein Forscher hat Angriffspunkte für Universal-Cross-Site-Scripting-Attacken in Microsofts Browsern gefunden. Der Konzern scheint desinteressiert. --------------------------------------------- http://heise.de/-4357840 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, libssh2, and thunderbird), Debian (firmware-nonfree, kernel, and libssh2), Fedora (drupal7, flatpak, and mod_auth_mellon), Gentoo (burp, cairo, glusterfs, libical, poppler, subversion, thunderbird, and unbound), openSUSE (yast2-rmt), Red Hat (freerdp), and SUSE (bash, ed, libarchive, ntp, and sqlite3). --------------------------------------------- https://lwn.net/Articles/784665/ ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow which could allow a local malicious user to execute arbitrary code (CVE-2019-4014). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-is-vulnerable… ∗∗∗ IBM Security Bulletin: API Connect is impacted by multiple nodeJS vulnerabilities (CVE-2018-12122 CVE-2018-12121 CVE-2018-12123 CVE-2018-12116) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-is-impact… ∗∗∗ IBM Security Bulletin: IBM API Connect is impacted by multiple open source software vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-im… ∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow which could allow a local malicious user to execute arbitrary code (CVE-2018-1936). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-is-vulnerable… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2018-0735, CVE-2018-0734, CVE-2018-5407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-master… ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot for VMware (CVE-2018-3139, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib… ∗∗∗ IBM Security Bulletin: Vulnerabilities in Rational DOORS Next Generation with potential for cross-site scripting attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ra… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily