=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-05-2020 18:00 − Tuesday 12-05-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Astaroth’s New Evasion Tactics Make It ‘Painful to Analyze’ ∗∗∗
---------------------------------------------
The infostealer has gone above and beyond in its new anti-analysis and obfuscation tactics.
---------------------------------------------
https://threatpost.com/astaroths-evasion-tactics-painful-analyze/155633/
∗∗∗ Anubis Malware Upgrade Logs When Victims Look at Their Screens ∗∗∗
---------------------------------------------
Threat actors are cooking up new features for the sophisticated banking trojan that targets Google Android apps and devices.
---------------------------------------------
https://threatpost.com/anubis-malware-upgrade-victims-screens/155644/
∗∗∗ Analyzing Dark Crystal RAT, a C# backdoor ∗∗∗
---------------------------------------------
[...] The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently, FLARE worked on a new C# variant of Dark Crystal RAT (DCRat) that the threat intel team passed to us. We reviewed open source intelligence and prior work, performed sandbox testing, and reverse engineered the Dark Crystal RAT to review its capabilities [...]
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-…
∗∗∗ Detecting profile visits on Facebook – is that possible? ∗∗∗
---------------------------------------------
A link is currently circulating on Facebook that supposedly makes it possible to display who has visited your profile. That naturally makes people curious. But beware: you end up on a phishing page! Criminals harvest your Facebook login data and post fraudulent content in your name. And: Facebook offers no tool that shows you who has visited your profile.
---------------------------------------------
https://www.watchlist-internet.at/news/profilbesuche-auf-facebook-erkennen-…
∗∗∗ Review of the first third of 2020 ∗∗∗
---------------------------------------------
January: BMEIA, Shitrix, BlueGate – a contemplative start to the year
February: The (almost) last moments of TLS
March and April: COVID-19 or "Nothing new in cyber"
---------------------------------------------
https://cert.at/de/blog/2020/5/ruckblick-auf-das-erste-drittel-2020
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe fixes critical vulnerabilities in Acrobat, Reader, and DNG SDK ∗∗∗
---------------------------------------------
Adobe has released security updates for Adobe Acrobat, Reader, and Adobe DNG Software Development Kit that resolve a combined total of thirty-six security vulnerabilities in the three products.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnera…
∗∗∗ Siemens SSA-352504: Urgent/11 TCP/IP Stack Vulnerabilities in Siemens Power Meters ∗∗∗
---------------------------------------------
Siemens low & high voltage power meters are affected by multiple security vulnerabilities due to the underlying Wind River VxWorks network stack. This stack is affected by eleven vulnerabilities known as the "URGENT/11".
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-352504.txt
∗∗∗ TYPO3 Core version 10.4.2 fixes multiple vulnerabilities ∗∗∗
---------------------------------------------
TYPO3-CORE-SA-2020-001: Information Disclosure in Password Reset
TYPO3-CORE-SA-2020-002: Cross-Site Scripting in Form Engine
TYPO3-CORE-SA-2020-003: Cross-Site Scripting in Link Handling
TYPO3-CORE-SA-2020-004: Class destructors causing side-effects when being unserialized
TYPO3-CORE-SA-2020-005: Insecure Deserialization in Backend User Settings
TYPO3-CORE-SA-2020-006: Same-Site Request Forgery to Backend User Interface
---------------------------------------------
https://typo3.org/help/security-advisories/typo3-cms
∗∗∗ TYPO3 - vulnerabilities in multiple extensions - 2020-05-12 ∗∗∗
---------------------------------------------
TYPO3-EXT-SA-2020-004: SQL Injection in extension "phpMyAdmin" (phpmyadmin)
TYPO3-EXT-SA-2020-005: Multiple vulnerabilities in extension "Direct Mail" (direct_mail)
TYPO3-EXT-SA-2020-006: Broken Access Control in extension "gForum" (g_forum)
TYPO3-EXT-SA-2020-007: Sensitive Data Exposure in extension "Job Fair" (jobfair)
TYPO3-EXT-SA-2020-008: Cross-Site Scripting in "SVG Sanitizer" (svg_sanitizer)
---------------------------------------------
https://typo3.org/help/security-advisories/typo3-extensions
∗∗∗ Security patches: online forums attackable via vBulletin vulnerability ∗∗∗
---------------------------------------------
Several patched versions of the vBulletin forum software have been released.
---------------------------------------------
https://heise.de/-4719217
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (a2ps and qutebrowser), openSUSE (cacti, cacti-spine, ghostscript, and python-markdown2), Oracle (kernel), Red Hat (chromium-browser, libreswan, and qemu-kvm-ma), Scientific Linux (thunderbird), and SUSE (kernel and libvirt).
---------------------------------------------
https://lwn.net/Articles/820307/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/2020/05/
∗∗∗ Bitdefender Antivirus: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0441
∗∗∗ Exim: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0444
∗∗∗ Symantec Endpoint Protection: Multiple vulnerabilities allow disclosure of information ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0443
∗∗∗ SAP Patch Day May 2020 ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0442
∗∗∗ Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0449
∗∗∗ Red Hat OpenShift: Vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0448
∗∗∗ F5 BIG-IP: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0445
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-05-2020 18:00 − Monday 11-05-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Sodinokibi ransomware can now encrypt open and locked files ∗∗∗
---------------------------------------------
The Sodinokibi (REvil) ransomware has added a new feature that makes it easier to encrypt all files, even those that are opened and locked by another process.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-can-no…
∗∗∗ Thunderspy: Unpatchable security vulnerabilities in Thunderbolt ∗∗∗
---------------------------------------------
With a screwdriver and an SPI programmer, central security functions of Thunderbolt can be disabled.
---------------------------------------------
https://www.golem.de/news/thunderspy-nicht-patchbare-sicherheitsluecken-in-…
∗∗∗ Sphinx Malware Returns to Riddle U.S. Targets ∗∗∗
---------------------------------------------
The banking trojan has upgraded and is seeing a resurgence on the back of coronavirus stimulus payment themes.
---------------------------------------------
https://threatpost.com/sphinx-riddle-us-targets-modifications/155621/
∗∗∗ Delivery times & payment in online shopping: These are your rights ∗∗∗
---------------------------------------------
Watchlist Internet has recently received an increasing number of reports about online shops that are not necessarily fake shops, but that fail to comply with applicable law because of delayed delivery times. But what rights do you actually have as a consumer? What can you do if an online shop does not keep to the agreed delivery time? When do you have to pay for orders? How can you assert your rights?
---------------------------------------------
https://www.watchlist-internet.at/news/lieferzeiten-zahlung-beim-online-sho…
∗∗∗ Intel and Microsoft develop deep-learning technique for malware analysis ∗∗∗
---------------------------------------------
The project, called Stamina, converts files into grayscale images. Microsoft analyses the images for texture and structure patterns. In tests the system achieves an accuracy of more than 99 percent.
---------------------------------------------
https://www.zdnet.de/88379578/intel-und-microsoft-entwickeln-deep-learning-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities Patched in Page Builder by SiteOrigin Affects Over 1 Million Sites ∗∗∗
---------------------------------------------
On Monday, May 4, 2020, the Wordfence Threat Intelligence team discovered two vulnerabilities present in Page Builder by SiteOrigin, a WordPress plugin actively installed on over 1,000,000 sites. Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser.
---------------------------------------------
https://www.wordfence.com/blog/2020/05/vulnerabilities-patched-in-page-buil…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and firefox), Debian (libntlm, squid, thunderbird, and wordpress), Fedora (chromium, community-mysql, crawl, roundcubemail, and xen), Mageia (chromium-browser-stable), openSUSE (chromium, firefox, LibVNCServer, openldap2, opera, ovmf, php7, python-PyYAML, rpmlint, rubygem-actionview-5_1, slirp4netns, sqliteodbc, squid, thunderbird, and webkit2gtk3), Oracle (firefox, git, gnutls, kernel, libvirt, squid, and targetcli), Red Hat [...]
---------------------------------------------
https://lwn.net/Articles/820196/
∗∗∗ VMware to Patch Recent Salt Vulnerabilities in vROps ∗∗∗
---------------------------------------------
VMware is working on patches for its vRealize Operations Manager (vROps) product to fix two recently disclosed Salt vulnerabilities that have already been exploited to hack organizations.
---------------------------------------------
https://www.securityweek.com/vmware-patch-recent-salt-vulnerabilities-vrops
∗∗∗ Data leak, phishing security flaws disclosed in Oracle iPlanet Web Server ∗∗∗
---------------------------------------------
Security patches will not be issued to fix the problems.
---------------------------------------------
https://www.zdnet.com/article/data-leak-phishing-security-flaws-exposed-in-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200506-…
∗∗∗ Security Bulletin: CVE-2019-4667 Lack of Built in HSTS option ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4667-lack-of-bui…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-12406) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: A Security Vulnerability in IBM Java Runtime affects IBM Cloud Private (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – Node.js (CVE-2019-15605, CVE-2019-15606) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-cast-iron-s…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-17495) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cloud Private ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-05-2020 18:00 − Friday 08-05-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Blue Mockingbird Monero-Mining Campaign Exploits Web Apps ∗∗∗
---------------------------------------------
The cybercriminals are using a deserialization vulnerability, CVE-2019-18935, to achieve remote code execution before moving laterally through the enterprise.
---------------------------------------------
https://threatpost.com/blue-mockingbird-monero-mining/155581/
∗∗∗ Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents ∗∗∗
---------------------------------------------
Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-proc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, salt, and webkit2gtk), Fedora (firefox, mingw-gnutls, nss, and teeworlds), Mageia (firefox, libvncserver, matio, qt4, roundcubemail, samba, thunderbird, and vlc), Oracle (firefox and squid), SUSE (firefox, ghostscript, openldap2, rmt-server, syslog-ng, and webkit2gtk3), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/819969/
∗∗∗ Ruby on Rails: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0436
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities exist in IBM Data Risk Manager (CVE-2020-4427, CVE-2020-4428, CVE-2020-4429, and CVE-2020-4430) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-…
∗∗∗ Security Bulletin: Security vulnerabilities in Dojo and jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Swagger UI affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2020 CPU plus deferred CVE-2019-2949 and CVE-2020-2654 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in dependent libraries affect IBM® Db2® leading to denial of service or privilege escalation. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-05-2020 18:00 − Thursday 07-05-2020 18:00
Handler: n/a
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Dangerous malware email in the name of A1 ∗∗∗
---------------------------------------------
Beware of a fake A1 email with the subject *Wichtige Mitteilung* ("Important notice"). It is a message sent by criminals who want to install malware on your smartphone. If you follow its instructions, the criminals can steal sensitive data from your mobile phone.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaehrliche-schadsoftware-mail-im-n…
∗∗∗ Large scale Snake Ransomware campaign targets healthcare, more ∗∗∗
---------------------------------------------
The operators of the Snake Ransomware have launched a worldwide campaign of cyberattacks that have infected numerous businesses and at least one health care organization over the last few days.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/large-scale-snake-ransomware…
∗∗∗ Cisco Webex phishing uses fake cert errors to steal credentials ∗∗∗
---------------------------------------------
A highly convincing series of phishing attacks is using fake certificate error warnings with graphics and formatting lifted from Cisco Webex emails to steal users' account credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-webex-phishing-uses-fa…
∗∗∗ Keep your IR on the Ball ∗∗∗
---------------------------------------------
Even with the myriad of security tools we have at our disposal today, cybercriminals are still able to penetrate our networks. Is it really necessary to have a Cyber Incident Response Plan in place?
---------------------------------------------
https://www.domaintools.com/resources/blog/keep-your-ir-on-the-ball
∗∗∗ How a favicon delivered a web credit card skimmer to victims ∗∗∗
---------------------------------------------
Cyber crooks deploying web credit card skimmers on compromised Magento websites have a new trick up their sleeve: favicons that “turn” malicious when victims visit a checkout page.
---------------------------------------------
https://www.helpnetsecurity.com/2020/05/07/favicons-card-skimmers/
∗∗∗ Combined Attack on Elementor Pro and Ultimate Addons for Elementor Puts 1 Million Sites at Risk ∗∗∗
---------------------------------------------
On May 6, 2020, our Threat Intelligence team received reports of active exploitation of vulnerabilities in two related plugins, Elementor Pro and Ultimate Addons for Elementor. We have reviewed the log files of compromised sites to confirm this activity. As this is an active attack, we wanted to alert you so that you can take [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and…
=====================
= Vulnerabilities =
=====================
∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB20-24) ∗∗∗
---------------------------------------------
A prenotification security advisory (APSB20-24) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, May 12, 2020. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well as the Adobe PSIRT Blog.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1869
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has released 34 Security Advisories for multiple products on 2020-05-06.
12 rated "High"
22 rated "Medium"
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, keystone, mailman, and tomcat9), Fedora (ceph, firefox, java-1.8.0-openjdk, libldb, nss, samba, seamonkey, and suricata), Oracle (kernel), Scientific Linux (firefox and squid), SUSE (libvirt, php7, slirp4netns, and webkit2gtk3), and Ubuntu (linux-firmware and openldap).
---------------------------------------------
https://lwn.net/Articles/819761/
∗∗∗ For six years Samsung smartphone users have been at risk from critical security bug. Patch now ∗∗∗
---------------------------------------------
Samsung has released a security update for its popular Android smartphones which includes a critical fix for a vulnerability that affects all devices sold by the manufacturer since 2014.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/six-yea…
∗∗∗ Joomla: Vulnerability allows SQL injection ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0425
∗∗∗ Drupal: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0424
∗∗∗ [webapps] Draytek VigorAP 1000C - Persistent Cross-Site Scripting ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/48436
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics Subscription ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affects IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability CVE-2020-8492 in Python affects IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2020-84…
∗∗∗ Security Bulletin: Vulnerability CVE-2019-18348 in Python affects IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2019-18…
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: CVE-2019-2949 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2949-may-affect-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics Subscription ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-…
∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2019-1551 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-05-2020 18:00 − Wednesday 06-05-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Caution: Fraudulent FinanzOnline emails in circulation ∗∗∗
---------------------------------------------
"Your tax refund of 1,850 EUR has been refunded," says an email purportedly from the tax office. But beware: this email does not come from the tax office but from criminals. Do not click the link under any circumstances; you will end up on a fake FinanzOnline page. Criminals use this cloned FinanzOnline website to steal sensitive data!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-betruegerische-finanzonline…
∗∗∗ Least Privilege: The Most Effective Approach to Endpoint Security ∗∗∗
---------------------------------------------
I always try to remind people that the principle of least privilege is not just about security, but about productivity as well. I have multiple customers who have decreased the number of tickets to their service desk by a whopping 75% by getting rid of end-user admin rights.
---------------------------------------------
https://www.beyondtrust.com/blog/entry/least-privilege-the-most-effective-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (libmicrodns and salt), Debian (graphicsmagick, salt, sqlite3, and wordpress), Fedora (java-11-openjdk), openSUSE (chromium and sqliteodbc), Red Hat (firefox, squid, and squid:4), Slackware (firefox and thunderbird), SUSE (ardana-ansible, ardana-barbican, ardana-cluster, ardana-db, ardana-designate, ardana-input-model, ardana-logging, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, [...]
---------------------------------------------
https://lwn.net/Articles/819600/
∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Go (CVE-2019-16276) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Maximo Anywhere does not have device jailbreak detection. (CVE-2019-4266) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-does-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Information disclosure vulnerability affecting IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-4446 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: Potential spoofing attack in WebSphere Application Server (CVE-2020-4421) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-spoofing-attack…
∗∗∗ Security Bulletin: IBM InfoSphere QualityStage is affected by a Cross-site scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-qualitysta…
∗∗∗ HPESBHF03966 rev.1 - HPE Servers with certain Intel Core and Xeon Processors System Memory Management (SMM), Local Disclosure of Privileged Information ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBHF03934 rev.1 - HPE CloudLine servers using AMI BMC Remote Unauthorized Disclosure of Information, Unauthorized Modification and Denial of Service ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBHF03961 rev.1 - Certain HPE Servers with 6th Generation Intel Core Processors and greater supporting SGX and TXT, Local Disclosure of Privileged Information ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-05-2020 18:00 − Tuesday 05-05-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Another zero-day vulnerability in iOS: Apps can break out of the sandbox ∗∗∗
---------------------------------------------
Using manipulated XML comments, apps on iPhone and iPad are apparently able to grant themselves arbitrary permissions unhindered.
---------------------------------------------
https://heise.de/-4714373
∗∗∗ Dell OS Recovery: Vulnerability in older recovery images for Windows 10 ∗∗∗
---------------------------------------------
Dell client systems on which Windows 10 was restored using an older recovery image need a security update.
---------------------------------------------
https://heise.de/-4714810
∗∗∗ New VCrypt Ransomware locks files in password-protected 7ZIPs ∗∗∗
---------------------------------------------
A new ransomware called VCrypt is targeting French victims by utilizing the legitimate 7zip command-line program to create password-protected archives of data folders.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-vcrypt-ransomware-locks-…
∗∗∗ LockBit ransomware self-spreads to quickly encrypt 225 systems ∗∗∗
---------------------------------------------
A feature of the LockBit ransomware allows threat actors to breach a corporate network and deploy their ransomware to encrypt hundreds of devices in just a few hours.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-self-spre…
∗∗∗ Airplane Hack Exposes Weaknesses of Alert and Avoidance Systems ∗∗∗
---------------------------------------------
Researchers warn commercial airplane systems can be spoofed impacting flight safety of nearby aircraft.
---------------------------------------------
https://threatpost.com/airplane-hack-exposes-weaknesses-of-alert-and-avoida…
∗∗∗ New Kaiji Botnet Targets IoT, Linux Devices ∗∗∗
---------------------------------------------
The botnet uses SSH brute-force attacks to infect devices and uses a custom implant written in the Go Language.
---------------------------------------------
https://threatpost.com/kaiji-botnet-iot-linux-devices/155463/
∗∗∗ Nearly a Million WP Sites Targeted in Large-Scale Attacks ∗∗∗
---------------------------------------------
Our Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting (XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data. The majority of these attacks appear to be caused by a single threat [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-i…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: Google makes various Android versions more secure ∗∗∗
---------------------------------------------
Important security updates are available for Android. Two vulnerabilities are rated critical.
---------------------------------------------
https://heise.de/-4714596
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, ntp, and roundcube), Fedora (libldb and samba), Mageia (chromium-browser-stable, crawl, dolphin-emu, exiv2, fortune-mod, gnuchess, kernel, libsndfile, openexr, openldap, openvpn, qtbase5, ruby-json, squid, teeworlds, and webkit2), Red Hat (sqlite), and SUSE (icu, mailman, nginx, rmt-server, rpmlint, and rubygem-actionview-5_1).
---------------------------------------------
https://lwn.net/Articles/819517/
∗∗∗ Citrix ShareFile storage zones Controller multiple security updates ∗∗∗
---------------------------------------------
Security issues have been identified in customer-managed Citrix ShareFile storage zone controllers. These vulnerabilities, if exploited, would allow an unauthenticated attacker to compromise the storage zones controller potentially giving an attacker the ability to access ShareFile users’ documents and folders.
---------------------------------------------
https://support.citrix.com/article/CTX269106
∗∗∗ Security Bulletin: Java Vulnerability Impacts IBM Control Center (CVE-2019-4723) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerability-impact…
∗∗∗ Security Bulletin: Vulnerability in Ubuntu affects IBM Workload Scheduler 9.5 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ubuntu-a…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Ubuntu affect IBM Workload Scheduler 9.5 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-muluple-vulnerabilities-i…
∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Automation Manager – Go (CVE-2019-17596) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Websphere denial-of-service vulnerability affects IBM Control Center (CVE-2019-12406) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-denial-of-servi…
∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Automation Manager – Node.js (CVE-2019-10747) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Websphere denial-of-service vulnerability affects IBM Control Center (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-denial-of-servi…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Ubuntu affect IBM Workload Scheduler 9.5 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects Financial Transaction Manager for Digital Payments (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 30-04-2020 18:00 − Monday 04-05-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New phishing campaign packs an info-stealer, ransomware punch ∗∗∗
---------------------------------------------
A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-phishing-campaign-packs-…
∗∗∗ Patch now! Attackers are targeting Oracle WebLogic Server ∗∗∗
---------------------------------------------
Attackers are currently targeting, among other things, a critical security vulnerability in Oracle WebLogic Server.
---------------------------------------------
https://heise.de/-4713619
∗∗∗ Power Supply Can Turn Into Speaker for Data Exfiltration Over Air Gap ∗∗∗
---------------------------------------------
A researcher has demonstrated that threat actors could exfiltrate data from an air-gapped device over an acoustic channel even if the targeted machine does not have any speakers, by abusing the power supply.
---------------------------------------------
https://www.securityweek.com/power-supply-can-turn-speaker-data-exfiltratio…
∗∗∗ Beware of dangerous VPN services ∗∗∗
---------------------------------------------
VPN services are in greater demand than ever before. "Virtual private networks" are gaining users, especially because of the increase in working from home. They make it possible, for example, to access company networks securely from home. But beware: criminals are exploiting the high demand. They copy the websites of genuine VPN services and load dangerous malware onto their victims' systems!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaehrlichen-vpn-diens…
∗∗∗ CursedChrome turns your browser into a hackers proxy ∗∗∗
---------------------------------------------
CursedChrome shows how hackers can take full control over your Chrome browser using just one extension.
---------------------------------------------
https://www.zdnet.com/article/cursedchrome-turns-your-browser-into-a-hacker…
∗∗∗ Attacks on Salt, LineageOS, Ghost and Digicert ∗∗∗
---------------------------------------------
Hackers are exploiting vulnerabilities to attack systems. Currently in the spotlight are SaltStack, the mobile operating system LineageOS, the blogging platform Ghost and the certificate authority Digicert.
---------------------------------------------
https://www.zdnet.de/88379335/angriffe-auf-salt-lineageos-ghost-und-digicer…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (git, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, python-twisted-web, and thunderbird), Debian (dom4j, miniupnpc, otrs2, pound, ruby2.1, vlc, w3m, and yodl), Fedora (git, java-latest-openjdk, mingw-libxml2, php-horde-horde, pxz, sqliteodbc, and xen), Gentoo (cacti, django, fontforge, and libu2f-host), openSUSE (cacti, cacti-spine, chromium, python-typed-ast, and salt), Red Hat (gnutls and kernel), SUSE (kernel), and Ubuntu (edk2).
---------------------------------------------
https://lwn.net/Articles/819200/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mailman, openldap, pound, tomcat8, and trafficserver), Fedora (chromium, java-11-openjdk, kernel, openvpn, pxz, and rubygem-json), openSUSE (apache2, bouncycastle, chromium, git, python-typed-ast, resource-agents, ruby2.5, samba, squid, webkit2gtk3, and xen), Slackware (seamonkey), SUSE (LibVNCServer and permissions), and Ubuntu (mysql-5.7, mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/819394/
∗∗∗ TP-Link Patches Multiple Vulnerabilities in NC Cloud Cameras ∗∗∗
---------------------------------------------
TP-Link has released firmware updates to address several vulnerabilities in its NC series cloud cameras, including bugs that could lead to the remote execution of arbitrary commands.
---------------------------------------------
https://www.securityweek.com/tp-link-patches-multiple-vulnerabilities-nc-cl…
∗∗∗ Synology-SA-20:11 SRM ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of SRM.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_11
∗∗∗ Synology-SA-20:10 WordPress ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a susceptible version of WordPress.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_10
∗∗∗ Security Bulletin: Vulnerability in Xerces-C (CVE-2018-1311) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-xerces-c…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: OpenSSL disclosed vulnerability affects MessageGateway (CVE-2020-1967) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-disclosed-vulnera…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Windows DLL injection vulnerability in IBM Java Runtime affects Collaboration and Deployment Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul…
∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2019-1551 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser…
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Scale (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Red Hat OpenShift Container Platform: vulnerability enables denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0409
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 29-04-2020 18:00 − Thursday 30-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft Sway abused in PerSwaysion spear-phishing operation ∗∗∗
---------------------------------------------
Multiple threat actors running phishing attacks on corporate targets have been counting on Microsoft Sway service to trick victims into giving their Office 365 login credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-sway-abused-in-per…
∗∗∗ "Sarah" sends out fake HOFER survey ∗∗∗
---------------------------------------------
Under the name "Sarah", criminals are currently sending out random SMS messages with a link that leads to a fake HOFER loyalty program. Exclusive prizes are promised in return for taking part in a customer satisfaction survey. We took a closer look at the supposed loyalty program. Our conclusion: you will not receive the promised prizes. Instead, the scammers are hoping that you will sign up for a subscription. This would [...]
---------------------------------------------
https://www.watchlist-internet.at/news/sarah-verschickt-gefaelschte-hofer-u…
∗∗∗ Cybercriminals are using Google reCAPTCHA to hide their phishing attacks ∗∗∗
---------------------------------------------
Security researchers say that they are seeing cybercriminals deploying Google’s reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns.
---------------------------------------------
https://hotforsecurity.bitdefender.com/blog/cybercriminal-are-using-google-…
∗∗∗ Cybereason warns of new mobile banking trojan ∗∗∗
---------------------------------------------
EventBot has only been in circulation since March 2020. The malware steals data from financial apps and bypasses two-factor authentication. This allows the operators to hijack business and private financial transactions.
---------------------------------------------
https://www.zdnet.de/88379272/cybereason-warnt-vor-neuem-mobilen-banking-tr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now ∗∗∗
---------------------------------------------
The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. A patch for the issues was released last night, but systems that are not set to auto-update may still be vulnerable.
---------------------------------------------
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/30/salt_aut…
∗∗∗ WordPress Releases Security Update ∗∗∗
---------------------------------------------
WordPress 5.4 and prior versions are affected by multiple vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected website. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 5.4.1.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/04/30/wordpress-releases…
∗∗∗ macOS: sandbox escape via text editor ∗∗∗
---------------------------------------------
TextEdit contains a bug that allows malicious apps to execute commands that are normally forbidden.
---------------------------------------------
https://heise.de/-4712045
∗∗∗ High Severity Vulnerability Patched in Ninja Forms ∗∗∗
---------------------------------------------
On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version.
---------------------------------------------
https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, git, and webkit2gtk), Debian (nodejs and tiff), Fedora (libxml2, php-horde-horde, pxz, and sqliteodbc), Oracle (python-twisted-web), Red Hat (chromium-browser, git, and rh-git218-git), Scientific Linux (python-twisted-web), SUSE (ceph, kernel, munge, openldap2, salt, squid, and xen), and Ubuntu (mailman, python3.8, samba, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/819064/
∗∗∗ Synology-SA-20:08 Cloud Station Backup ∗∗∗
---------------------------------------------
A vulnerability allows local users to execute arbitrary code via a susceptible version of Cloud Station Backup.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_08_Cloud…
∗∗∗ Synology-SA-20:07 Synology Calendar ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote authenticated users to download arbitrary files or hijack the authentication of administrators via a susceptible version of Synology Calendar.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_07_Synol…
∗∗∗ Synology-SA-20:06 DSM ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote authenticated users to conduct denial-of-service attacks or obtain user credentials via a susceptible version of DSM.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_06_DSM
∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
An issue has been discovered in Citrix Hypervisor that, if exploited, could potentially allow an attacker on the management network to enumerate valid administrative account usernames. Note that this attack does not disclose the corresponding passwords [...]
---------------------------------------------
https://support.citrix.com/article/CTX272237
∗∗∗ Security Advisory - Invalid Pointer Access Vulnerability in Huawei OceanStor Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200429-…
∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2020-1938) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat…
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability found by vFinder in IBM eDiscovery Analyzer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ F5 BIG-IP: multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0402
∗∗∗ The BIG-IP AFM ACL and IPI features may not function as designed ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K72423000
∗∗∗ Intel QAT cryptography driver vulnerability CVE-2020-5882 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K43815022
∗∗∗ The BIG-IP ASM system may fail to mask a configured sensitive parameter in the Referer header value ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K33572148
∗∗∗ BIG-IP APM logs may contain random data after the APM session ID ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K43404365
∗∗∗ BIG-IP SSL connection Alert Timeout security exposure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K25165813
∗∗∗ BIG-IP may not detect invalid Transfer-Encoding headers ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10701310
∗∗∗ HPESBMU03997 rev.1 - HPE Smart Update Manager (SUM), Remote Unauthorized Access ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ OpenLDAP: vulnerability enables denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0405
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 28-04-2020 18:00 − Wednesday 29-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Would You Have Fallen for This Phone Scam? ∗∗∗
---------------------------------------------
You may have heard that today's phone fraudsters like to use caller ID spoofing services to make their scam calls seem more believable. But you probably didn't know that your bank may be making it super easy for thieves to impersonate the bank, by giving away information about recent transactions on your account via automated, phone-based customer support systems.
---------------------------------------------
https://krebsonsecurity.com/2020/04/would-you-have-fallen-for-this-phone-sc…
∗∗∗ Cloud Under Pressure: Keeping AWS Projects Secure ∗∗∗
---------------------------------------------
Amazon Web Services (AWS) allow organizations to take advantage of numerous services and capabilities. As the number of available options under the cloud infrastructure of the company grows, so too do the security risks and the possible weaknesses.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/cloud/c…
∗∗∗ Google Researchers Find Multiple Vulnerabilities in Apple's ImageIO Framework ∗∗∗
---------------------------------------------
Google Project Zero security researchers have discovered multiple vulnerabilities in ImageIO, the image parsing API used by Apple’s iOS and macOS operating systems.
---------------------------------------------
https://www.securityweek.com/google-researchers-find-multiple-vulnerabiliti…
∗∗∗ Emotet C2 and RSA Key Update - 04/28/2020 23:59 ∗∗∗
---------------------------------------------
Emotet C2 and RSA Key - Update 04/28/2020 at 23:59 UTC
News: Still no Emotet back this week for spamming but once again more shenanigans with Trickbot installs doing option 42 to drop Emotet E2 as shown by Fate112 in his post here: https://twitter.com/tosscoinwitcher/status/1255259004164542464
Watch for the falling C2 combos… seems like they are doing a lot of spring cleaning as counts plummet as of late. Key and current C2 list below for each Epoch [...]
---------------------------------------------
https://paste.cryptolaemus.com/emotet/2020/04/28/emotet-c2-rsa-update-04-28…
∗∗∗ Check Point: Android ransomware allegedly encrypts files in the name of the FBI ∗∗∗
---------------------------------------------
The ransomware demands a ransom of 500 dollars in the name of the US federal police. It can also take complete control of a smartphone and install further malicious apps. Check Point suspects the operators are based in Russia.
---------------------------------------------
https://www.zdnet.de/88379222/check-point-android-ransomware-verschluesselt…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IOS XE SD-WAN Software Command Injection Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Updates Available for Magento | APSB20-22 ∗∗∗
---------------------------------------------
Magento has released updates for Magento Commerce and Open Source editions. These updates resolve vulnerabilities rated Critical, Important and Moderate (severity ratings). Successful exploitation could lead to arbitrary code execution.
---------------------------------------------
https://helpx.adobe.com/security/products/magento/apsb20-22.html
∗∗∗ VMSA-2020-0008 ∗∗∗
---------------------------------------------
VMware ESXi patches address Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3955)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0008.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, openjdk-7, openjdk-8, and openldap), Fedora (openvpn), openSUSE (teeworlds and vlc), Red Hat (bind, binutils, bluez, container-tools:1.0, container-tools:2.0, container-tools:rhel8, cups, curl, dnsmasq, dpdk, e2fsprogs, edk2, evolution, exiv2, fontforge, freeradius:3.0, gcc, gdb, glibc, GNOME, grafana, GStreamer, libmad, and SDL, haproxy, ibus and glib2, irssi, kernel, kernel-rt, liblouis, libmspack, libreoffice, libsndfile, libtiff, libxml2, [...]
---------------------------------------------
https://lwn.net/Articles/818950/
∗∗∗ Advisory: Sophos XG Firewall: Asnarok Vulnerability - Actions required for SFM/CFM managed devices ∗∗∗
---------------------------------------------
This article outlines the remediation steps for XG Firewalls with severed connections to SFM and CFM central management product.
---------------------------------------------
https://community.sophos.com/kb/en-US/135429
∗∗∗ Advisory - Sophos XG Firewall v18: Upgrade from v17.5.x to v18 Build_354 will take longer than previous upgrades ∗∗∗
---------------------------------------------
https://community.sophos.com/kb/en-US/135437
∗∗∗ April 28, 2020 TNS-2020-03 [R1] Nessus Agent 7.6.3 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2020-03
∗∗∗ Red Hat Security Advisories ∗∗∗
---------------------------------------------
https://access.redhat.com/errata/#/?q=&p=1&sort=portal_publication_date%20d…
∗∗∗ Security Bulletin: Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-webspher…
∗∗∗ Security Bulletin: Vulnerabilities exist in Watson Explorer (CVE-2019-4720, CVE-2019-12406) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-…
∗∗∗ Security Bulletin: Vulnerabilities in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2020 CPU (CVE-2020-2583, CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM® Runtime Environment Java™ Version affects IBM WIoTP MessageGateway (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-in-ibm…
∗∗∗ Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2019-1551) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-wat…
∗∗∗ Security Bulletin: Sensitive Information Disclosed in Logs (CVE-2019-4286) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-dis…
∗∗∗ Security Bulletin: Vulnerability in nss, nss-softokn, nss-util vulnerability (CVE-2019-11729 and CVE-2019-11745) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nss-nss-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 27-04-2020 18:00 − Tuesday 28-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malware warning: Bundeskriminalamt warns of fake police e-mail ∗∗∗
---------------------------------------------
An e-mail with the subject "Letzte Einladung der Polizei" ("Final invitation from the police") is currently circulating. It asks recipients to contact the police and to open the attachments. These are very likely malware.
---------------------------------------------
http://www.bmi.gv.at/news.aspx?id=414F7246445856707A58773D
∗∗∗ Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th) ∗∗∗
---------------------------------------------
While going over malicious e-mails caught by our company gateway in March, I noticed that several of those that carried ACE file attachments appeared to be from the same sender. That would not be that unusual, but after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019.
---------------------------------------------
https://isc.sans.edu/diary/rss/26062
∗∗∗ Cybercrime: patiently spying on executives and then fleecing them ∗∗∗
---------------------------------------------
Using man-in-the-middle attacks, the "Florentiner Bankengruppe" specifically targets decision-makers: a successful long game.
---------------------------------------------
https://heise.de/-4710607
∗∗∗ New Version of Infection Monkey Maps to MITRE ATT&CK Framework ∗∗∗
---------------------------------------------
Guardicore's open source breach and attack simulation platform Infection Monkey now maps its attack results to the MITRE ATT&CK framework, allowing users to quickly discover internal vulnerabilities and rapidly fix them.
---------------------------------------------
https://www.securityweek.com/new-version-infection-monkey-maps-mitre-attck-…
∗∗∗ Website operators beware: extortion e-mails in circulation ∗∗∗
---------------------------------------------
Numerous website operators are currently receiving fraudulent extortion e-mails. Criminals claim, in English, that they have hacked your website and now have access to all of its data records. They threaten to publish these and to inform your customers about the alleged data leak. To prevent this, they demand 2000 USD in bitcoin. Do not respond; it is a fraudulent spam e-mail!
---------------------------------------------
https://www.watchlist-internet.at/news/website-betreiberinnen-aufgepasst-er…
∗∗∗ Anatomy of Formjacking Attacks ∗∗∗
---------------------------------------------
A detailed look at the fast-growing crime of formjacking, where cybercriminals hack a website to collect sensitive user information and steal credit card numbers.
---------------------------------------------
https://unit42.paloaltonetworks.com/anatomy-of-formjacking-attacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Bridge (APSB20-19) and Adobe Illustrator (APSB20-20). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1864
∗∗∗ High-Severity Vulnerabilities Patched in LearnPress ∗∗∗
---------------------------------------------
On March 16, 2020, LearnPress – WordPress LMS Plugin, a WordPress plugin with over 80,000 installations, patched a high-severity vulnerability that allowed subscriber-level users to elevate their permissions to those of an “LP Instructor”, a custom role with capabilities similar to the WordPress “author” role, including the ability to upload files and create posts containing [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patche…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, qemu-kvm, and thunderbird), Debian (qemu and ruby-json), Fedora (chromium, haproxy, and libssh), openSUSE (cacti, cacti-spine and teeworlds), Oracle (kernel), SUSE (apache2, git, kernel, ovmf, and xen), and Ubuntu (cups, file-roller, and re2c).
---------------------------------------------
https://lwn.net/Articles/818821/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0005 ∗∗∗
---------------------------------------------
Date Reported: April 27, 2020. Advisory ID: WSA-2020-0005. CVE identifiers: CVE-2020-3885, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2020-3885: Versions affected: WebKitGTK before 2.28.0 and WPE WebKit before 2.28.0. Credit to Ryan Pickren (ryanpickren.com). Impact: A file URL may be incorrectly processed. Description: A logic issue was addressed with improved [...]
---------------------------------------------
https://webkitgtk.org/security/WSA-2020-0005.html
∗∗∗ IntelMQ Manager release 2.1.1 fixes critical security issue ∗∗∗
---------------------------------------------
The IntelMQ Manager version 2.1.1 released yesterday fixes a Remote Code Execution flaw (CWE-78: OS Command Injection). The documentation for version 2.1.1 and installation instructions can be found on our GitHub repository. Always run IntelMQ Manager instances in private networks with proper authentication & TLS. Further, restrict access to the tool to web-browsers which can only access internal web-sites, as workaround for existing CSRF issues. See also our security considerations with [...]
---------------------------------------------
https://cert.at/en/blog/2020/4/intelmq-manager-release-211-fixes-critical-s…
∗∗∗ Security Bulletin: CVE-2019-1552 vulnerability in OpenSSL affects IBM Workload Scheduler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-1552-vulnerabili…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a denial of service that affect TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in…
∗∗∗ Security Bulletin: NVIDIA Windows and Linux GPU Display drivers have resolved several security vulnerabilities as described below. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-nvidia-windows-and-linux-…
∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)(CVE-2019-12418, CVE-2019-17563) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a denial of service that affect IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows(IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2020 CPU (CVE-2020-2583, CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ HPESBHF03970 rev.1 - HPE Products with Intel Ethernet 700 Series Processors, Local Escalation of Privilege, Local Denial of Service ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Samba: Multiple vulnerabilities enable denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0377
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 24-04-2020 18:00 − Monday 27-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ BazarBackdoor: TrickBot gang’s new stealthy network-hacking malware ∗∗∗
---------------------------------------------
A new phishing campaign is delivering a new stealthy backdoor from the developers of TrickBot that is used to compromise and gain full access to corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-…
∗∗∗ Asnarök malware exploits firewall zero-day to steal credentials ∗∗∗
---------------------------------------------
Some Sophos firewall products were attacked with a new Trojan malware, dubbed Asnarök by researchers at cyber-security firm Sophos, to steal usernames and hashed passwords starting on April 22 according to an official timeline.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/asnar-k-malware-exploits-fir…
∗∗∗ Shade Ransomware shuts down, releases 750K decryption keys ∗∗∗
---------------------------------------------
The operators behind the Shade Ransomware (Troldesh) have shut down their operations, released over 750,000 decryption keys, and apologized for the harm they caused their victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/shade-ransomware-shuts-down-…
∗∗∗ Eight Common OT / Industrial Firewall Mistakes ∗∗∗
---------------------------------------------
Firewalls are easy to misconfigure. While the security consequences of such errors may be acceptable for some firewalls, the accumulated risks of misconfigured firewalls in a defense-in-depth OT network architecture are generally unacceptable.
---------------------------------------------
https://threatpost.com/waterfall-eight-common-ot-industrial-firewall-mistak…
∗∗∗ Understanding the basics of API security ∗∗∗
---------------------------------------------
This is the first of a series of articles that introduces and explains application programming interfaces (API) security threats, challenges, and solutions for participants in software development, operations, and protection.
---------------------------------------------
https://www.helpnetsecurity.com/2020/04/27/basics-api-security/
∗∗∗ GDPR.EU has er… a data leakage issue ∗∗∗
---------------------------------------------
The web site GDPR.EU is an advice site ‘operated by Proton Technologies AG, co-funded by … the EU Horizon Framework’. It’s full of useful advice for organisations that need to [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/gdpr-eu-has-er-a-data-leakage…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers exploit zero-day vulnerability in Sophos firewall ∗∗∗
---------------------------------------------
Unknown attackers are stealing files containing the credentials of firewall administrators and local users. Sophos has found no evidence that this data has been misused. An emergency update for the vulnerability is now available.
---------------------------------------------
https://www.zdnet.de/88379086/hacker-nutzen-zero-day-luecke-in-sophos-firew…
∗∗∗ Duplicated Vulnerabilities in WordPress Plugins ∗∗∗
---------------------------------------------
During a recent plugin audit, we noticed a weird pattern among many plugins responsible for performing a specific task: Duplicating a page or a post. With a bit of research, we came to the following conclusion: Many of these plugins came from the same source — and contained the same vulnerabilities.
---------------------------------------------
https://blog.sucuri.net/2020/04/duplicated-vulnerabilities-in-wordpress-plu…
∗∗∗ Authentication bypass in FortiMail and FortiVoiceEntreprise ∗∗∗
---------------------------------------------
An improper authentication vulnerability in FortiMail and FortiVoiceEntreprise may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface.
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-20-045
∗∗∗ High Severity Vulnerability Patched in Real-Time Find and Replace Plugin ∗∗∗
---------------------------------------------
On April 22, 2020, our Threat Intelligence team discovered a vulnerability in Real-Time Find and Replace, a WordPress plugin installed on over 100,000 sites. This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium), Debian (eog, jsch, libgsf, mailman, ncmpc, openjdk-11, php5, python-reportlab, radicale, and rzip), Fedora (ansible, dolphin-emu, git, gnuchess, liblas, openvpn, php, qt5-qtbase, rubygem-rake, snakeyaml, webkit2gtk3, and wireshark), Mageia (chromium-browser-stable, git, java-1.8.0-openjdk, kernel, kernel-linus, mp3gain, and virtualbox), openSUSE (crawl, cups, freeradius-server, kubernetes, and otrs), SUSE (apache2, kernel, pam_radius, [...]
---------------------------------------------
https://lwn.net/Articles/818763/
∗∗∗ JSA11021 - 2020-04 Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021&actp=RSS
∗∗∗ HPESBHF03945 rev.1 - HPE Servers using Supplemental Update / Online ROM Flash Component for Linux, Local Execution of Arbitrary Code. ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ OTRS: Vulnerability enables information disclosure ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0372
∗∗∗ ILIAS: Multiple vulnerabilities enable unspecified attacks ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0370
∗∗∗ Postfix: Vulnerability enables bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0376
∗∗∗ Security Bulletin: IBM Integration Bus affected by multiple Apache Tomcat (core only) vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-affec…
∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Websphere Message Broker V8. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2019 CPU (CVE-2019-2964, CVE-2019-2989 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 23-04-2020 18:00 − Friday 24-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Protecting your organization against password spray attacks ∗∗∗
---------------------------------------------
If your users sign in with guessable passwords, you may be at risk of a password spray attack.
---------------------------------------------
https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-…
∗∗∗ Malicious Excel With a Strong Obfuscation and Sandbox Evasion, (Fri, Apr 24th) ∗∗∗
---------------------------------------------
For a few weeks, we have seen a bunch of Excel documents spread in the wild with Macro V4[1]. But VBA macros remain a classic way to drop the next stage of the attack on the victim's computer. The attacker has many ways to fetch the next stage. He can download it from a compromised server or a public service like pastebin.com, dropbox.com, or any other service that allows sharing content. The problem is, in this case, that it generates more noise via new network flows and the attack [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26048
∗∗∗ Dangers from web shells: NSA names popular entry points for server attacks ∗∗∗
---------------------------------------------
US and Australian authorities give tips on detecting web shells and name several vulnerabilities that are in some cases quite old but still popular with attackers.
---------------------------------------------
https://heise.de/-4709470
∗∗∗ When in Doubt: Hang Up, Look Up, & Call Back ∗∗∗
---------------------------------------------
Many security-conscious people probably think they'd never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here's how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.
---------------------------------------------
https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/
=====================
= Vulnerabilities =
=====================
∗∗∗ Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution ∗∗∗
---------------------------------------------
The FTTH provisioning solution suffers from an unauthenticated remote code execution vulnerability due to an unsafe deserialization of Java objects (ViewState) triggered via the javax.faces.ViewState HTTP POST parameter. The deserialization can cause the vulnerable JSF web application to execute arbitrary Java functions, malicious Java bytecode, and system shell commands with root privileges.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (lib32-openssl), Debian (git), Gentoo (chromium, firefox, git, and openssl), Oracle (kernel and python-twisted-web), Red Hat (python-twisted-web), Scientific Linux (python-twisted-web), and SUSE (file-roller, kernel, and resource-agents).
---------------------------------------------
https://lwn.net/Articles/818565/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud App Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service attack caused by an authenticated user crafting a malicious message (CVE-2019-4656) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne…
∗∗∗ Security Bulletin: IBM MQ Appliance could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. (CVE-2019-4619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al…
∗∗∗ Security Bulletin: IBM Cloud App Management is vulnerable to cross-site request forgery (CVE-2019-4750) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-app-management-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Cloud App Management (CVE-2020-2593) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a tcpdump vulnerability (CVE-2018-19519) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service attack due to an error in the Channel processing function. (CVE-2019-4762) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2020-4267) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud App Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2019-4719) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al…
∗∗∗ BIG-IQ HA vulnerability CVE-2020-5870 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K69422435
∗∗∗ BIG-IQ HA vulnerability CVE-2020-5869 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28855111
∗∗∗ BIG-IQ Grafana vulnerability CVE-2020-5868 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37130415
∗∗∗ HPESBHF03947 rev.1 - HPE UIoT, Remote Unauthorized Access and Access to Sensitive Data ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities enable bypassing of security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0362
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 22-04-2020 18:00 − Thursday 23-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iPhones vulnerable through zero-day flaws in Apple Mail ∗∗∗
---------------------------------------------
iOS users should temporarily stop using the Mail app, security researchers warn. The vulnerabilities allow unnoticed code injection.
---------------------------------------------
https://heise.de/-4707901
∗∗∗ New Data Center Requirements - Can You Help Host Shadowserver? ∗∗∗
---------------------------------------------
Shadowserver urgently needs to move our current data center by August 2020. We are blogging our data center requirements for hosting and colocation providers, or other companies who might be able to help provide a new home for our public benefit services for the global Internet. Please reach out and get in touch if you can help.
---------------------------------------------
https://www.shadowserver.org/news/new-data-center-requirements-can-you-help…
∗∗∗ Maze Ransomware – What You Need to Know ∗∗∗
---------------------------------------------
What’s this Maze thing I keep hearing about? Maze is a particularly sophisticated strain of Windows ransomware that has hit companies and organizations around the world and demanded that a cryptocurrency payment be made in exchange for the safe recovery of encrypted data. There’s been plenty of ransomware before. What makes Maze so special?
---------------------------------------------
https://www.tripwire.com/state-of-security/featured/maze-ransomware-what-yo…
∗∗∗ Researchers Turn Antivirus Software Into Destructive Tools ∗∗∗
---------------------------------------------
A vulnerability impacting nearly all antivirus products out there could have been exploited to disable anti-malware protection or render the operating system unusable, RACK911 Labs security researchers reveal.
---------------------------------------------
https://www.securityweek.com/researchers-turn-antivirus-software-destructiv…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (openssl), openSUSE (freeradius-server, kernel, thunderbird, and vlc), Oracle (git, java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), SUSE (ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, [...]
---------------------------------------------
https://lwn.net/Articles/818481/
∗∗∗ Security Advisory - Three Out of Bounds Vulnerabilities in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Huawei OSD Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an SQLite vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by vulnerabilities in OpenSSL (CVE-2019-1547 and CVE-2019-1563) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-nextscale-fan-power-c…
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage System 3000(CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Liberty Profile affects IBM Spectrum Symphony and IBM Platform Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs…
∗∗∗ Security Bulletin: IBM Tivoli Monitoring insufficient default file/folder permissions on windows. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-ins…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Elastic Storage System (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to side channel attack with Intel CPUs (CVE-2019-11135) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ NGINX Controller sensitive command-line arguments vulnerability CVE-2020-5866 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11922628
∗∗∗ NGINX Controller vulnerability CVE-2020-5864 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K27205552
∗∗∗ NGINX Controller insecure database transport vulnerability CVE-2020-5865 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K21009022
∗∗∗ NGINX Controller vulnerability CVE-2020-5867 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00958787
∗∗∗ HPESBHF03988 rev.1 - HPE Onboard Administrator, Remote Reflected Cross Site Scripting ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBNS03996 rev.1 - HPE NonStop Blade Maintenance Entity, Integrated Maintenance Entity and Maintenance Entity, Multiple Remote Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Squid: Vulnerability enables execution of arbitrary code ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0360
∗∗∗ Red Hat JBoss A-MQ: Vulnerability enables denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0361
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 21-04-2020 18:00 − Wednesday 22-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ You Won't Believe what this One Line Change Did to the Chrome Sandbox ∗∗∗
---------------------------------------------
The Chromium sandbox on Windows has stood the test of time. It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the Windows OS.
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-o…
∗∗∗ New iPhone Zero-Day Discovered ∗∗∗
---------------------------------------------
Last year, ZecOps discovered two iPhone zero-day exploits. They will be patched in the next iOS release: Avraham declined to disclose many details about who the targets were, and did not say whether they lost any data as a result of the attacks, but said "we were a bit surprised about who was targeted."
---------------------------------------------
https://www.schneier.com/blog/archives/2020/04/new_iphone_zero.html
∗∗∗ NSA, ASD Release Guidance for Mitigating Web Shell Malware ∗∗∗
---------------------------------------------
The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have jointly released a Cybersecurity Information Sheet (CSI) on mitigating web shell malware. Malicious cyber actors are increasingly deploying web shell malware on victim web servers to execute arbitrary system commands. By deploying web shell malware, cyber attackers can gain persistent access to compromised networks.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/04/22/nsa-asd-release-gu…
∗∗∗ Beware of shops using service6(a)vinayotap.com e-mail addresses ∗∗∗
---------------------------------------------
Readers of Watchlist Internet are currently reporting a growing number of new fake shops that above all have one thing in common: they all refer to the e-mail address
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-shops-mit-service6vinayo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D ∗∗∗
---------------------------------------------
The flaws exist in Autodesk's FBX library, integrated in Microsoft's Office, Office 365 ProPlus and Paint 3D applications.
---------------------------------------------
https://threatpost.com/microsoft-issues-out-of-band-security-update-for-off…
∗∗∗ Zero-day vulnerabilities in IBM Data Risk Manager - researchers' report ignored ∗∗∗
---------------------------------------------
Security researchers have discovered four vulnerabilities in the monitoring tool IBM Data Risk Manager - three are rated critical. First patches are already available.
---------------------------------------------
https://heise.de/-4707165
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (java-1.7.0-openjdk and java-1.8.0-openjdk), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, and kernel), Scientific Linux (kernel), Slackware (git), SUSE (openssl-1_1 and puppet), and Ubuntu (binutils and thunderbird).
---------------------------------------------
https://lwn.net/Articles/818359/
∗∗∗ 2020-04-21: Multiple vulnerabilities in B&R Automation Studio ∗∗∗
---------------------------------------------
https://www.br-automation.com/en/downloads/032020-multiple-vulnerabilities-…
∗∗∗ 2020-04-21: TPM-Fail vulnerability in several B&R products ∗∗∗
---------------------------------------------
https://www.br-automation.com/en/downloads/022020-tpm-fail/
∗∗∗ 2020-04-22: UPS Adapter CS141 – Path traversal vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A4579&Lan…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Huawei PCManager Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Bulletin: CVE-2020-4202 IBM UrbanCode Deploy (UCD) could allow an authenticated user to impersonate another user if the server is configured to enable Distributed Front End (DFE). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4202ibm-urbancod…
∗∗∗ Security Bulletin: Windows DLL injection vulnerability in IBM Java Runtime affects Collaboration and Deployment Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul…
∗∗∗ Security Bulletin: Ansible vulnerability affects IBM Elastic Storage System 3000 (CVE-2020-1734) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ansible-vulnerability-aff…
∗∗∗ Security Bulletin: CVE-2019-4668 Pattern integration passwords stored in db without current encryption ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4668-pattern-int…
∗∗∗ Security Bulletin: CVE-2014-3524 CSV Injection in reports ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2014-3524-csv-injecti…
∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerability in IBM Spectrum Protect Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl…
∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by a vulnerability where an unprivileged user could execute commands as root (CVE-2020-4273) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste…
∗∗∗ Atlassian Confluence: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0355
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0351
∗∗∗ OpenSSL: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0357
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 20-04-2020 18:00 − Tuesday 21-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 10 SMBGhost RCE exploit demoed by researchers ∗∗∗
---------------------------------------------
A proof-of-concept remote code execution (RCE) exploit for the Windows 10 CVE-2020-0796 wormable pre-auth remote code execution vulnerability was developed and demoed today by researchers at Ricerca Security.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-expl…
∗∗∗ SpectX: Log Parser for DFIR, (Tue, Apr 21st) ∗∗∗
---------------------------------------------
I hope this finds you all safe, healthy, and sheltered to the best of your ability. In February I received a DM via Twitter from Liisa at SpectX regarding my interest in checking out SpectX. Never one to shy away from a tool review offer, I accepted. SpectX, available in a free, community desktop version, is a log parser and query engine that enables you to investigate incidents via log files from multiple sources such as log servers, AWS, Azure, Google Storage, Hadoop, ELK and SQL-databases.
---------------------------------------------
https://isc.sans.edu/diary/rss/26040
∗∗∗ Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining ∗∗∗
---------------------------------------------
Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this article, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/l3TOyRDK1yA/
∗∗∗ Grouping Linux IoT Malware Samples With Trend Micro ELF Hash ∗∗∗
---------------------------------------------
We created Trend Micro ELF Hash (telfhash), an open-source clustering algorithm that effectively clusters Linux IoT malware created using ELF files.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tFHtqxisecc/
∗∗∗ Kerberos Tickets on Linux Red Teams ∗∗∗
---------------------------------------------
At FireEye Mandiant, we conduct numerous red team engagements within Windows Active Directory environments. Consequently, we frequently encounter Linux systems integrated within Active Directory environments. Compromising an individual domain-joined Linux system can provide useful data on its own, but the best value is obtaining data, such as Kerberos tickets, that will facilitate lateral movement techniques.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-lin…
∗∗∗ Insecure deserialization endangers Steam games ∗∗∗
---------------------------------------------
Many video games that use .Net or Unity are vulnerable and execute malicious code. Steam offers the possibility of a worm-like infection.
---------------------------------------------
https://heise.de/-4706122
∗∗∗ 46% of SMBs have been targeted by ransomware, 73% have paid the ransom ∗∗∗
---------------------------------------------
Ransomware attacks are not at all unusual in the SMB community, as 46% of these businesses have been victims. And 73% of those SMBs that have been the targets of ransomware attacks actually have paid a ransom, Infrascale reveals. Yet, more than a quarter of the total SMB survey group said they lack a plan to mitigate a ransomware attack.
---------------------------------------------
https://www.helpnetsecurity.com/2020/04/21/paying-ransom/
∗∗∗ BSI updates the TLS minimum standard ∗∗∗
---------------------------------------------
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) updated its "Mindeststandard zur Verwendung von Transport Layer Security (TLS)" (minimum standard for the use of TLS) as of 9 April 2020.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/AktualisierterMST…
∗∗∗ Microsoft Will Not Patch Security Bypass Flaw Abusing MSTSC ∗∗∗
---------------------------------------------
A DLL side-loading vulnerability related to the Microsoft Terminal Services Client (MSTSC) can be exploited to bypass security controls, but Microsoft says it will not be releasing a patch due to exploitation requiring elevated privileges.
---------------------------------------------
https://www.securityweek.com/microsoft-will-not-patch-security-bypass-flaw-…
∗∗∗ Payment demands from supposed streaming services are fake ∗∗∗
---------------------------------------------
bodaflix.de, ebaflix.de, teraflix.de, nodaflix.de – supposedly free streaming services. After registering, however, you receive a payment demand for 395.88 euros. If this is ignored, further payment demands and reminders from supposed debt collection agencies usually follow. Do not transfer any money and do not reply! The letter is fraudulent.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlungsaufforderungen-von-angeblich…
∗∗∗ Hey there! Are you using WhatsApp? Your account may be hackable ∗∗∗
---------------------------------------------
Can someone take control of your WhatsApp account by just knowing your phone number? We ran a small test to find out.
---------------------------------------------
https://www.welivesecurity.com/2020/04/20/hey-there-using-whatsapp-your-acc…
=====================
= Vulnerabilities =
=====================
∗∗∗ P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting ∗∗∗
---------------------------------------------
The controller suffers from CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a [...]
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
∗∗∗ [R2] Tenable.sc 5.14.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Tenable.sc leverages third-party software to help provide underlying functionality. One third-party component (jQuery) was found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2020-02
∗∗∗ Version control: Renewed security warning for Git ∗∗∗
---------------------------------------------
Updates fix a vulnerability in Git that resembles the most recent one and likewise affects the credential helper programs.
---------------------------------------------
https://heise.de/-4706272
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (webkit2gtk), Debian (awl, git, and openssl), Red Hat (chromium-browser, git, http-parser, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, qemu-kvm-ma, rh-git218-git, and rh-maven35-jackson-databind), Scientific Linux (advancecomp, avahi, bash, bind, bluez, cups, curl, dovecot, doxygen, evolution, expat, file, firefox, gettext, git, GNOME, httpd, ImageMagick, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, kernel, lftp, [...]
---------------------------------------------
https://lwn.net/Articles/818223/
∗∗∗ High-Severity Vulnerability in OpenSSL Allows DoS Attacks ∗∗∗
---------------------------------------------
An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks.
---------------------------------------------
https://www.securityweek.com/high-severity-vulnerability-openssl-allows-dos…
∗∗∗ [20200403] - Core - Incorrect access control in com_users access level deletion function ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/811-20200403-core-incorrect-ac…
∗∗∗ [20200402] - Core - Missing checks for the root usergroup in usergroup table ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/810-20200402-core-missing-chec…
∗∗∗ [20200401] - Core - Incorrect access control in com_users access level editing function ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/809-20200401-core-incorrect-ac…
∗∗∗ 2020-04-21: SECURITY ABB Central Licensing System Vulnerabilities, impact on System 800xA, Compact HMI and Control Builder Safe ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&Language…
∗∗∗ 2020-04-21: SECURITY Multiple Vulnerabilities in ABB Central Licensing System ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&Language…
∗∗∗ 2020-04-21: SECURITY Inter process communication vulnerability in System 800xA ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&Language…
∗∗∗ Security Bulletin: A denial of service vulnerability in IBM WebSphere Liberty Profile affects IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-denial-of-service-vulne…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 17-04-2020 18:00 − Monday 20-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft helped stop a botnet controlled via an LED light console ∗∗∗
---------------------------------------------
Microsoft says that its Digital Crimes Unit (DCU) discovered and helped take down a botnet of 400,000 compromised devices controlled with the help of an LED light control console.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-helped-stop-a-botn…
∗∗∗ KPOT Analysis: Obtaining the Decrypted KPOT EXE, (Sun, Apr 19th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/26014
∗∗∗ KPOT AutoIt Script: Analysis, (Mon, Apr 20th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/26012
∗∗∗ Finding Zoom Meeting Details in the Wild ∗∗∗
---------------------------------------------
The popular web conference platform Zoom has been in the storm for a few weeks. With the COVID19 pandemic, more and more people are working from home and the demand for web conference tools has been growing.
---------------------------------------------
https://blog.rootshell.be/2020/04/18/finding-zoom-meeting-details-in-the-wi…
∗∗∗ Clipboard hijacking malware found in 725 Ruby libraries ∗∗∗
---------------------------------------------
Security researchers from ReversingLabs say they've discovered 725 Ruby libraries uploaded on the official RubyGems repository that contained malware meant to hijack users' clipboards. The malicious packages were uploaded on RubyGems between February 16 and 25 by two accounts [...]
---------------------------------------------
https://www.zdnet.com/article/clipboard-hijacking-malware-found-in-725-ruby…
∗∗∗ PayPal via Google Pay: February vulnerability apparently fixed on the quiet ∗∗∗
---------------------------------------------
The vulnerability that allowed unauthorized PayPal debits via Google Pay has apparently been fixed by PayPal – only recently.
---------------------------------------------
https://heise.de/-4704339
∗∗∗ Waiting for patches: Vulnerabilities in Nagios XI endanger networks ∗∗∗
---------------------------------------------
Nagios XI, monitoring software for complex IT infrastructures, is vulnerable. There is no remedy yet.
---------------------------------------------
https://heise.de/-4704444
∗∗∗ Several Botnets Using Zero-Day Vulnerability to Target Fiber Routers ∗∗∗
---------------------------------------------
Multiple botnets are targeting a zero-day vulnerability in fiber routers in an attempt to ensnare them and leverage their power for malicious purposes, security researchers warn.
---------------------------------------------
https://www.securityweek.com/several-botnets-using-zero-day-vulnerability-t…
∗∗∗ On our own behalf: CERT.at/nic.at is looking for reinforcement (Research Engineer Internet, full-time) ∗∗∗
---------------------------------------------
Our Research & Development team is looking for a Research Engineer (m/f, full-time at 38.5 hours) for a security-related project with CERT.at, to start as soon as possible. The place of work is Vienna. Details can be found on the nic.at jobs page.
---------------------------------------------
https://cert.at/de/blog/2020/4/in-eigener-sache-certatnicat-sucht-verstarku…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2019-9506 Encryption Key Negotiation of Bluetooth Vulnerability ∗∗∗
---------------------------------------------
The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-224
∗∗∗ Critical security vulnerability in several Xilinx FPGAs ∗∗∗
---------------------------------------------
On Xilinx 7-series FPGAs (Spartan-7, Artix-7, Kintex-7, Virtex-7) and Virtex-6, the encryption of the bitstream configuration data can be circumvented.
---------------------------------------------
https://heise.de/-4706002
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (openvpn), Debian (awl, file-roller, jackson-databind, and shiro), Fedora (chromium, git, and libssh), Mageia (php, python-bleach, and webkit2), openSUSE (chromium, gstreamer-rtsp-server, and mp3gain), Oracle (thunderbird and tigervnc), SUSE (thunderbird), and Ubuntu (file-roller and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/817987/
∗∗∗ Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020040108
∗∗∗ Toshiba Electronic Devices & Storage software registers unquoted service paths ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN13467854/
∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server shipped with Jazz for Service Management (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Nimbus-JOSE-JWT affect IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Squid: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0347
∗∗∗ Citrix Hypervisor Multiple Security Updates ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX270837
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 16-04-2020 18:00 − Friday 17-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Faulty update cripples virus protection in Windows 10 ∗∗∗
---------------------------------------------
The Microsoft antivirus components failed after an update. The affected programs can be updated manually.
---------------------------------------------
https://futurezone.at/produkte/fehlerhaftes-update-legt-virenschutz-in-wind…
∗∗∗ Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th) ∗∗∗
---------------------------------------------
STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run.
---------------------------------------------
https://isc.sans.edu/diary/rss/26032
∗∗∗ Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th) ∗∗∗
---------------------------------------------
Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur these days, it is related to the COVID19 pandemic. Its purpose is simple: It checks if Outlook is used by the victim and, if it's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it.
---------------------------------------------
https://isc.sans.edu/diary/rss/26030
∗∗∗ Excel Malspam: Password Protected ... Not! ∗∗∗
---------------------------------------------
Early March of this year, we blogged about multiple malspam campaigns utilizing Excel 4.0 Macros in .xls 97-2003 binary format. In this blog, we will present one more Excel 4.0 Macro spam campaign in the same format crafted with another old MS Excel feature to evade detection.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/excel-malsp…
∗∗∗ Web Skimmer with a Domain Name Generator ∗∗∗
---------------------------------------------
Our security analyst Moe Obaid recently found yet another variation of a web skimmer script injected into a Magento database. The malicious script loads the credit card stealing code from qr201346[.]pw and sends the stolen details to hxxps://gooogletagmanager[.]online/get.php. This approach is pretty typical for skimmers. However, we noticed one interesting feature of the script — instead of using one predefined domain, it generates domain names based on the current date.
---------------------------------------------
https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.ht…
∗∗∗ Continued Threat Actor Exploitation Post Pulse Secure VPN Patching ∗∗∗
---------------------------------------------
[...] This Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch [...]
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/aa20-107a
∗∗∗ Sophos withdraws problematic firmware update 9.703 for UTM ∗∗∗
---------------------------------------------
Warning, do not install: The firmware update 9.703 for Sophos UTM appliances has been withdrawn by the manufacturer because of serious problems.
---------------------------------------------
https://heise.de/-4704634
∗∗∗ New AgentTesla variant steals WiFi credentials ∗∗∗
---------------------------------------------
The popular infostealer AgentTesla recently added a new feature that can steal WiFi usernames and passwords, which can potentially be used to spread the malware.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-varian…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple Releases Security Update for Xcode ∗∗∗
---------------------------------------------
Apple has released a security update to address vulnerabilities in Xcode. A remote attacker could exploit these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for Xcode 11.4.1 and apply the necessary update.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/04/17/apple-releases-sec…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (apache and chromium), Debian (webkit2gtk), Fedora (firefox, nss, and thunderbird), Mageia (chromium-browser-stable and git), openSUSE (gnuhealth), Oracle (thunderbird), Red Hat (kernel-alt, thunderbird, and tigervnc), Scientific Linux (thunderbird), Slackware (openvpn), and SUSE (freeradius-server and libqt4).
---------------------------------------------
https://lwn.net/Articles/817720/
∗∗∗ Foxit Reader and Foxit Phantom PDF Suite: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0344
∗∗∗ Security Bulletin: IBM TRIRIGA Application Platform discloses error messages that could aid an attacker formulate future attacks (CVE-2020-4277) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-application-p…
∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-j…
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server and Liberty affects IBM Cloud App Management (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Insecure Permissions (CVE-2019-4446) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct FTP+ ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4749) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4644) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 14-04-2020 18:00 − Wednesday 15-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch day: Microsoft closes over 100 vulnerabilities, three Windows flaws under attack ∗∗∗
---------------------------------------------
Important security updates protect Windows and other Microsoft products. 17 vulnerabilities are rated with the attack risk "critical".
---------------------------------------------
https://heise.de/-4702540
∗∗∗ Security warnings for Git and GitHub ∗∗∗
---------------------------------------------
A vulnerability in Git allows credentials to be redirected, and GitHub warns of a wave of phishing e-mails.
---------------------------------------------
https://heise.de/-4702519
∗∗∗ Buying medicines safely and legally online ∗∗∗
---------------------------------------------
Pharmacies in Austria are open despite the Corona crisis. Nevertheless, people want to avoid the risk of infection in pharmacies and buy over-the-counter medicines online. However, there are numerous fake pharmacies on the Internet that advertise supposedly over-the-counter medicines. The EU safety logo lets you recognize legitimate pharmacies and buy medicines legally online without risk.
---------------------------------------------
https://www.watchlist-internet.at/news/medikamente-sicher-und-legal-online-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Office April security updates fix critical RCE bugs ∗∗∗
---------------------------------------------
Microsoft released the April 2020 Office security updates on April 14, 2020, with a total of 55 security updates and 5 cumulative updates for 7 different products, and patching 5 critical bugs allowing attackers to run scripts as the current user and remotely execute arbitrary code on unpatched systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-office-april-secur…
∗∗∗ Eaton HMiSoft VU3 ∗∗∗
---------------------------------------------
This advisory contains mitigations for stack-based buffer overflow and out-of-bounds read vulnerabilities in Eaton's HMiSoft VU3 human-machine interface (HMI).
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-105-01
∗∗∗ Triangle MicroWorks DNP3 Outstation Libraries ∗∗∗
---------------------------------------------
This advisory contains mitigations for a stack-based buffer overflow vulnerability in Triangle MicroWorks DNP3 components and source code libraries.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-105-02
∗∗∗ Triangle MicroWorks SCADA Data Gateway ∗∗∗
---------------------------------------------
This advisory contains mitigations for stack-based buffer overflow, out-of-bounds read, and type confusion vulnerabilities in the Triangle MicroWorks SCADA Data Gateway.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-105-03
∗∗∗ VMSA-2020-0007 ∗∗∗
---------------------------------------------
VMware vRealize Log Insight addresses Cross Site Scripting (XSS) and Open Redirect vulnerabilities (CVE-2020-3953, CVE-2020-3954)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0007.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (git, graphicsmagick, php-horde-data, and php-horde-trean), Mageia (apache, gnutls, golang, krb5-appl, libssh, libvncserver, mediawiki, thunderbird, tor, and wireshark), openSUSE (chromium, nagios, and thunderbird), Oracle (kernel and krb5-appl), Red Hat (elfutils, kernel, nss-softokn, ntp, procps-ng, and python), Scientific Linux (firefox), Slackware (git), SUSE (git and ruby2.5), and Ubuntu (git).
---------------------------------------------
https://lwn.net/Articles/817565/
∗∗∗ IPAS: Security Advisories for April 2020 ∗∗∗
---------------------------------------------
Hello, Today, in addition to the 6 security advisories we are releasing, we want to call your attention to a new whitepaper we have just published addressing CVE-2019-0090, a vulnerability in the Intel® Converged Security Management Engine (CSME) that we first disclosed in May of last year. You can read the whitepaper HERE.
---------------------------------------------
https://blogs.intel.com/technology/2020/04/ipas-security-advisories-for-apr…
∗∗∗ BSRT-2020-001 Local File Inclusion Vulnerability in Apache Tomcat Impacts BlackBerry Workspaces Server and BlackBerry Good Control ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Advisory - Denial of Service Vulnerability on Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-…
∗∗∗ Security Advisory - Out of Bounds Read Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2020-4270) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Websphere Application Server affects the IBM Performance Management product (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: A vulnerability in jQuery affects the IBM Performance Management product (CVE-2019-11358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jquery…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to PHP object injection (CVE-2020-4271) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure (CVE-2019-4593) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to instantiation of arbitrary objects (CVE-2020-4272) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Server-Side Request Forgery (SSRF) (CVE-2020-4294) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Red Hat OpenShift Container Platform: Vulnerability allows overwriting of files ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0325
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 10-04-2020 18:00 − Tuesday 14-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two ∗∗∗
---------------------------------------------
One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/04/time-between-disclosure…
∗∗∗ WhatsApp message: Billa is not giving away a 250 € voucher ∗∗∗
---------------------------------------------
Have you received a link to a Billa voucher from a WhatsApp contact and are wondering what is behind it? Watchlist Internet has taken a closer look at this so-called chain letter! Our conclusion: you will not receive a voucher, nor does this giveaway come from Billa.
---------------------------------------------
https://www.watchlist-internet.at/news/whatsapp-nachricht-billa-verlost-kei…
∗∗∗ APT41 Using New Speculoos Backdoor to Target Organizations Globally ∗∗∗
---------------------------------------------
Unit 42 identifies new payload, named Speculoos, exploiting CVE-2019-19781 to target organizations around the world, including state government in the United States.
---------------------------------------------
https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-t…
∗∗∗ Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns ∗∗∗
---------------------------------------------
New research shows COVID-19 themed phishing campaigns are targeting healthcare organizations and medical research facilities around the world.
---------------------------------------------
https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-go…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe ColdFusion (APSB20-18), Adobe After Effects (APSB20-21) and Adobe Digital Editions (APSB20-23). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1859
∗∗∗ Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update ∗∗∗
---------------------------------------------
Oracle will detail 405 new security vulnerabilities Tuesday, part of its quarterly Critical Patch Update Advisory.
---------------------------------------------
https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-up…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (haproxy), Gentoo (chromium and libssh), openSUSE (ansible, chromium, gmp, gnutls, libnettle, libssh, mgetty, nagios, permissions, and python-PyYAML), and Oracle (firefox, kernel, qemu-kvm, and telnet).
---------------------------------------------
https://lwn.net/Articles/817399/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (thunderbird), Debian (thunderbird), Fedora (drupal7-ckeditor, nrpe, and php-robrichards-xmlseclibs1), Red Hat (firefox and kernel), SUSE (quartz), and Ubuntu (thunderbird).
---------------------------------------------
https://lwn.net/Articles/817471/
∗∗∗ SSA-102233: SegmentSmack in VxWorks-based Industrial Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-102233.txt
∗∗∗ SSA-162506: DHCP Client Vulnerability in SIMOTICS CONNECT 400, Desigo PXC/PXM, APOGEE MEC/MBC/PXC, APOGEE PXC Series, and TALON TC Series ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-162506.txt
∗∗∗ SSA-359303: Debug Port in TIM 3V-IE and 4R-IE Family Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-359303.txt
∗∗∗ SSA-377115: SegmentSmack in Linux IP-Stack based Industrial Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-377115.txt
∗∗∗ SSA-593272: SegmentSmack in Interniche IP-Stack based Industrial Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-593272.txt
∗∗∗ SSA-886514: Persistent XSS Vulnerabilities in the Web Interface of Climatix POL908 and POL909 Modules ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-886514.txt
∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM Decision Optimization Center (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects Financial Transaction Manager for Corporate Services (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects Financial Transaction Manager for Corporate Services v2.1.1 (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10209, 10211, 10210, 10208) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie…
∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10164) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie…
∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie…
∗∗∗ XSA-318 - Bad continuation handling in GNTTABOP_copy ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-318.html
∗∗∗ XSA-316 - Bad error path in GNTTABOP_map_grant ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-316.html
∗∗∗ XSA-314 - Missing memory barriers in read-write unlock paths ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-314.html
∗∗∗ XSA-313 - multiple xenoprof issues ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-313.html
∗∗∗ Nagios Enterprises Nagios XI: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0303
∗∗∗ SAP Patchday April 2020 ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0300
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 09-04-2020 18:00 − Friday 10-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ DNS: Hacked routers display coronavirus warning with malware ∗∗∗
---------------------------------------------
Hacked routers redirect well-known domains to a fake WHO warning and try to foist malware on their victims.
---------------------------------------------
https://www.golem.de/news/dns-gehackte-router-zeigen-coronavirus-warnung-mi…
∗∗∗ Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th) ∗∗∗
---------------------------------------------
How can you know which operating system is running on a specific remote host? The technique to answer this question corresponds to the fingerprinting of the operating system and is executed by sending a specific set of packages to the remote host and seeing how it behaves. Each operating system responds differently, which allows it to be identified.
---------------------------------------------
https://isc.sans.edu/diary/rss/25960
∗∗∗ PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th) ∗∗∗
---------------------------------------------
Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of PowerShell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified.
---------------------------------------------
https://isc.sans.edu/diary/rss/26004
∗∗∗ Analysis of a WordPress Credit Card Swiper ∗∗∗
---------------------------------------------
While working on a recent case, I found something on a WordPress website that is not as common as on Magento environments: A credit card swiper injection. Typically this type of malware targets dedicated ecommerce platforms such as Magento and Prestashop (due to their focus in handling payment information, which we have documented extensively in the past). With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing [...]
---------------------------------------------
https://blog.sucuri.net/2020/04/analysis-of-a-wordpress-credit-card-swiper.…
∗∗∗ Sophos Releases Sandboxie in Open Source ∗∗∗
---------------------------------------------
Sophos this week announced that the source code of isolation tool Sandboxie is now publicly available.
---------------------------------------------
https://www.securityweek.com/sophos-releases-sandboxie-open-source
∗∗∗ Fake emails from Sebastian Kurz in circulation ∗∗∗
---------------------------------------------
Many people currently need financial support because of closed businesses or a lack of orders. Criminals are exploiting this exceptional situation and sending emails in the name of Sebastian Kurz offering rapid emergency aid. The link in these emails, however, leads to a dubious trading platform that promises internet users quick money by investing in Bitcoin.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-mails-von-sebastian-kurz…
∗∗∗ CVE-2020-0688: Vulnerable Microsoft Exchange servers in Austria ∗∗∗
---------------------------------------------
With CVE-2020-0688, a vulnerability in Microsoft Exchange servers was patched in February that allows attackers to execute arbitrary code over the network, as NT Authority\SYSTEM, the Windows equivalent of root. A successful attack does require valid credentials for a mail account, but since CVE-2020-0688 also involves a privilege escalation, these credentials can be unprivileged.
---------------------------------------------
https://cert.at/de/blog/2020/4/cve-2020-0688-verwundbare-microsoft-exchange…
=====================
= Vulnerabilities =
=====================
∗∗∗ Rockwell Automation RSLinx Classic ∗∗∗
---------------------------------------------
This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in the Rockwell Automation RSLinx Classic PLC communications software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-100-01
∗∗∗ VMSA-2020-0006 ∗∗∗
---------------------------------------------
VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0006.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, haproxy, libssh, and wireshark-cli), Fedora (firefox, glibc, nss, and rubygem-puma), openSUSE (ceph, exim, firefox, and gnuhealth), Oracle (firefox, kernel, and qemu-kvm), and SUSE (djvulibre and firefox).
---------------------------------------------
https://lwn.net/Articles/817233/
∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vuln…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Possible remote code execution vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-possible-remote-code-exec…
∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 08-04-2020 18:00 − Thursday 09-04-2020 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Visa urges merchants to migrate e-commerce sites to Magento 2.x ∗∗∗
---------------------------------------------
Payments processor Visa is urging merchants to migrate their online stores to Magento 2.x before the Magento 1.x e-commerce platform reaches end-of-life (EoL) in June 2020 to avoid exposing their stores to Magecart attacks and to remain PCI compliant.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/visa-urges-merchants-to-migr…
∗∗∗ Data Center Migration Deadline Extended Due To COVID-19 ∗∗∗
---------------------------------------------
The original deadline for Shadowserver to move our data center has been extended from May 26th to August 31st 2020, due to the worsening COVID-19 pandemic and Silicon Valley Shelter in Place lockdowns. This extension provides us with some much needed additional time to continue raising funding for our 2020 operations, such as the recently received donation from cryptocurrency exchange BitMEX.
---------------------------------------------
https://www.shadowserver.org/news/data-center-migration-deadline-extended-d…
∗∗∗ BGP Hijacking and BGP Security ∗∗∗
---------------------------------------------
BGP Hijacking is a long-standing problem and is a constant possibility in today’s BGP environment. These news stories will continue for some time to come, but there are things the community can do to limit the impact of these events.
---------------------------------------------
https://blog.team-cymru.com/2020/04/08/bgp-hijacking-and-bgp-security/
∗∗∗ Many reports about mimty.de and evenlife.de ∗∗∗
---------------------------------------------
Whether face masks, disinfectant or protective equipment: on mimty.de and evenlife.de you will find products that are currently extremely hard to get. However, numerous internet users are reporting these online shops to Watchlist Internet and complaining about deliveries that never arrive. On review portals, too, the two shops receive poor marks.
---------------------------------------------
https://www.watchlist-internet.at/news/viele-meldungen-zu-mimtyde-und-evenl…
∗∗∗ 2019 annual report of CERT.at and GovCERT Austria published ∗∗∗
---------------------------------------------
The mandate as national computer emergency response team under the NISG, Emotet, ransomware, sextortion, the conclusion of a project and CyberExchanges – 2019 was an eventful year for CERT.at and GovCERT Austria, which we review in the form of our annual report.
---------------------------------------------
https://cert.at/de/blog/2020/4/jahresbericht-2019-von-certat-und-govcert-au…
=====================
= Vulnerabilities =
=====================
∗∗∗ Juniper Networks Releases Security Updates ∗∗∗
---------------------------------------------
Original release date: April 9, 2020
Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Security Advisories webpage and apply the necessary updates or workarounds.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/04/09/juniper-networks-r…
∗∗∗ Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009 ∗∗∗
---------------------------------------------
Project: Spamicide
Date: 2020-April-08
Security risk: Critical 18/25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description: The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots. The module doesn't require appropriate permissions for administrative pages, leading to an Access Bypass.
Solution: Install the latest version
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-009
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, ipmitool, krb5-appl, and telnet), Debian (ceph and firefox-esr), Mageia (firefox), openSUSE (bluez and exiv2), Red Hat (firefox), SUSE (ceph, libssh, mgetty, permissions, python-PyYAML, rubygem-actionview-4_2, and vino), and Ubuntu (libiberty and libssh).
---------------------------------------------
https://lwn.net/Articles/817128/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t…
∗∗∗ Security Bulletin: IBM Resilient OnPrem does not properly limit the number or frequency of password reset interactions ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-onprem-does…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability in IBM® Runtime Environment Java™ Version 8 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp…
∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 07-04-2020 18:00 − Wednesday 08-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Web server security: Infrastructure components ∗∗∗
---------------------------------------------
Cybercriminals understand that your website is not only the face of your organization, but often also its weakest link. With just one misconfigured port, malicious spearphishing email or unpatched vulnerability, an attacker can deploy a range of techniques and tools to enter and then move undetected throughout a network to find a valuable target.
---------------------------------------------
https://resources.infosecinstitute.com/web-server-security-infrastructure-c…
∗∗∗ FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks ∗∗∗
---------------------------------------------
FIN6 fingerprints were spotted in recent cyberattacks that initially infected victims with the TrickBot trojan, and then eventually downloaded the Anchor backdoor malware.
---------------------------------------------
https://threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/1…
∗∗∗ Microsoft shares new threat intelligence, security guidance during global crisis ∗∗∗
---------------------------------------------
Our threat intelligence shows that COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to the pandemic. We’re seeing a changing of lures, not a surge in attacks. These attacks are settling into the normal ebb and flow of the threat environment.
---------------------------------------------
https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-thr…
∗∗∗ DDG botnet, round X, is there an ending? ∗∗∗
---------------------------------------------
DDG is a mining botnet that we first blogged about in Jan 2018, we reported back then that it had made a profit somewhere between 5.8million and 9.8million RMB(about 820,000 to 1.4Million US dollar ), [...]
---------------------------------------------
https://blog.netlab.360.com/an-update-on-the-ddg-botnet/
∗∗∗ COVID-19 Exploited by Malicious Cyber Actors ∗∗∗
---------------------------------------------
This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC). This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for [...]
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/aa20-099a
∗∗∗ New dark_nexus IoT Botnet Puts Others to Shame ∗∗∗
---------------------------------------------
Bitdefender researchers have recently found a new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen.
---------------------------------------------
https://labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-…
∗∗∗ Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation ∗∗∗
---------------------------------------------
This blog post continues the FLARE script series with a discussion of patching IDA Pro database files (IDBs) to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in IDB mode to sidestep tedious debugging scenarios and get quick results.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack…
∗∗∗ These hackers have been quietly targeting Linux servers for years ∗∗∗
---------------------------------------------
Researchers at Blackberry detail a newly uncovered hacking campaign that has been operating successfully against unpatched open-source servers for the best part of a decade.
---------------------------------------------
https://www.zdnet.com/article/these-hackers-have-been-quietly-targeting-lin…
=====================
= Vulnerabilities =
=====================
∗∗∗ Advantech WebAccess/NMS ∗∗∗
---------------------------------------------
This advisory contains mitigations for multiple vulnerabilities in Advantech's WebAccess/NMS network management system.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-01
∗∗∗ GE Digital CIMPLICITY ∗∗∗
---------------------------------------------
This advisory contains mitigations for a privilege escalation vulnerability in GE Digital CIMPLICITY HMI/SCADA products.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-02
∗∗∗ HMS Networks eWON Flexy and Cosy ∗∗∗
---------------------------------------------
This advisory contains mitigations for a cross-site scripting vulnerability in HMS Networks eWON Flexy and Cosy Industrial VPN routers.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-03
∗∗∗ Fuji Electric V-Server Lite ∗∗∗
---------------------------------------------
This advisory contains mitigations for a heap-based buffer overflow vulnerability in Fuji Electric's V-Server Lite data collection and management service.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-04
∗∗∗ KUKA.Sim Pro ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-098-05
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (firefox), Debian (chromium and firefox-esr), Oracle (ipmitool and telnet), Red Hat (firefox and qemu-kvm), Scientific Linux (firefox, krb5-appl, and qemu-kvm), Slackware (firefox), SUSE (gmp, gnutls, libnettle and runc), and Ubuntu (firefox, gnutls28, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and linux-azure, linux-gcp, linux-gke-5.0, linux-oem-osp1, [...]
---------------------------------------------
https://lwn.net/Articles/817059/
∗∗∗ Dell integrated Dell Remote Access Controller: vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0294
∗∗∗ Security Advisory - Information Disclosure Vulnerability about SWAPGS Instruction ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200408-…
∗∗∗ Security Bulletin: IBM Security Information Queue could reveal sensitive data in application error messages (CVE-2020-4164) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-…
∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t…
∗∗∗ Security Bulletin: Insufficient command validation in IBM Security Information Queue (CVE-2020-4282) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-command-vali…
∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities affect IBM DOORS Next Generation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip…
∗∗∗ Security Bulletin: IBM Security Information Queue has insufficient session expiration (CVE-2020-4284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-…
∗∗∗ Security Bulletin: IBM Security Information Queue uses components with known vulnerabilities (CVE-2019-8331, CVE-2019-11358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-…
∗∗∗ Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-…
∗∗∗ Security Bulletin: IBM Security Information Queue does not prevent a product's owner from being modified (CVE-2020-4290) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Quality Manager (RQM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2019-19925, CVE-2019-19645, CVE-2019-19924, CVE-2019-19923, CVE-2019-19880, CVE-2019-19646, CVE-2019-19926) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-sqlite…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 06-04-2020 18:00 − Dienstag 07-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ corp.com: Microsoft buys dangerous domain ∗∗∗
---------------------------------------------
Old, misconfigured Windows versions frequently connect to the domain corp.com and leak data.
---------------------------------------------
https://www.golem.de/news/corp-com-microsoft-kauft-gefaehrliche-domain-2004…
∗∗∗ Web server protection: Web application firewalls for web server protection ∗∗∗
---------------------------------------------
Firewalls are an integral part of the tools necessary in securing web servers. In this article, we will discuss all relevant aspects of web application firewalls. We’ll explore a few concepts that touch on these firewalls, both from a compliance and technical point of view, as well as examine a few examples of how [...]
---------------------------------------------
https://resources.infosecinstitute.com/web-server-protection-web-applicatio…
∗∗∗ Unkillable xHelper and a Trojan matryoshka ∗∗∗
---------------------------------------------
It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever.
---------------------------------------------
https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/
∗∗∗ ENISA publishes a Tool for the Mapping of Dependencies to International Standards ∗∗∗
---------------------------------------------
The web tool presents the mapping of the indicators demonstrated in the report Good practices on interdependencies between OES and DSPs to international information security standards. This report analysed the dependencies and interdependencies between Operators of Essential Services (OES) and Digital Service Providers (DSPs) and identified a number of indicators to assess them. These indicators are mapped to international standards and frameworks, namely ISO IEC 27002, COBIT5, the NIS [...]
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-a-tool-for-the-…
∗∗∗ Patch now! Over 350,000 Microsoft Exchange servers still attackable ∗∗∗
---------------------------------------------
Even though attackers have been scanning for vulnerable Exchange servers since the end of February, many admins evidently still have not patched.
---------------------------------------------
https://heise.de/-4698421
∗∗∗ Google Patches Critical RCE Vulnerabilities in Android's System Component ∗∗∗
---------------------------------------------
Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component.
---------------------------------------------
https://www.securityweek.com/google-patches-critical-rce-vulnerabilities-an…
∗∗∗ Beware of phishing: Amazon is not introducing a 3-step authentication ∗∗∗
---------------------------------------------
Criminals are posing as Amazon and claim to be "introducing a new 3-step authentication, mandatory for all customers", allegedly in cooperation with your bank and your e-mail provider. Do not click the link in the e-mail under any circumstances. It leads to a fake Amazon login page, and the criminals steal your credentials!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-phishing-amazon-fuehrt-kein…
∗∗∗ More Medical Record Security Flaws ∗∗∗
---------------------------------------------
Tenable Research recently disclosed a number of security-related bugs in a popular open-source medical records application - OpenMRS. This blog details our findings.
---------------------------------------------
https://medium.com/tenable-techblog/more-medical-record-security-flaws-8175…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin ∗∗∗
---------------------------------------------
On March 3, 2020, our Threat intelligence team discovered a number of vulnerabilities in WP Lead Plus X, a WordPress plugin with over 70,000 installations designed to allow site owners to create landing and squeeze pages on their sites. These vulnerabilities allowed an authenticated attacker with minimal permissions, such as a subscriber, to create or [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-l…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (kernel, kernel-headers, and kernel-tools), openSUSE (glibc and qemu), Red Hat (chromium-browser, container-tools:1.0, container-tools:rhel8, firefox, ipmitool, kernel, kernel-rt, krb5-appl, ksh, nodejs:10, nss-softokn, python, qemu-kvm, qemu-kvm-ma, telnet, and virt:rhel), Scientific Linux (ipmitool and telnet), SUSE (ceph and firefox), and Ubuntu (haproxy, linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, [...]
---------------------------------------------
https://lwn.net/Articles/817003/
∗∗∗ Joomla! plugin "AcyMailing" vulnerable to arbitrary file uploads ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN56890693/
∗∗∗ Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Security vulnerabilities in Dojo and jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Log Analysis is vulnerable to Injection Attacks ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log-analysis-is-vulnerabl…
∗∗∗ Multiple XSS vulnerabilities in TAO Open Source Assessment Platform ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-xss-vulnerabilities-i…
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 03-04-2020 18:00 − Montag 06-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Web server security: Command line-fu for web server protection ∗∗∗
---------------------------------------------
Adequate web server security requires proper understanding, implementation and use of a variety of different tools. In this article, we will take a look at some command line tools that can be used to manage the security of web servers.
---------------------------------------------
https://resources.infosecinstitute.com/web-server-security-command-line-fu-…
∗∗∗ Analyzing & Decrypting L4NC34’s Simple Ransomware ∗∗∗
---------------------------------------------
We’re constantly seeing news about computers being infected by ransomware, but we rarely hear about it affecting websites. That being said, the impact can be serious if the affected website is the webmaster’s only source of income or a business relies entirely on its website and online presence.
---------------------------------------------
https://blog.sucuri.net/2020/04/analyzing-decrypting-l4nc34s-simple-ransomw…
∗∗∗ Kinsing Linux Malware Deploys Crypto-Miner in Container Environments ∗∗∗
---------------------------------------------
A campaign that has been ongoing for months is targeting misconfigured open Docker Daemon API ports to install a piece of malware named Kinsing, which in turn deploys a cryptocurrency miner in compromised container environments.
---------------------------------------------
https://www.securityweek.com/kinsing-linux-malware-deploys-crypto-miner-con…
∗∗∗ 8,000 Unprotected Redis Instances Accessible From Internet ∗∗∗
---------------------------------------------
Trend Micro’s security researchers discovered roughly 8,000 unsecured Redis instances that were exposed to anyone with an Internet connection. Spread all over the world, the unsecured instances were found to lack Transport Layer Security (TLS) encryption and without any password protection. Some of these instances were even deployed in public clouds.
---------------------------------------------
https://www.securityweek.com/8000-unprotected-redis-instances-accessible-in…
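The Kinsing item and the Redis item above come down to the same misconfiguration: a management or data service bound to every interface with no authentication and no TLS. As an added example (not code from either article or from Docker or Redis), the audit below parses a Docker daemon.json and a redis.conf and reports the settings that expose the service. The sample configurations are constructed for the example; file paths and the secret are placeholders.

```python
import json

# Constructed sample configurations (not taken from either article). The first
# pair is the exposed state these campaigns scan for; the second is a hardened form.
DOCKER_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DOCKER_HARDENED = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)
REDIS_EXPOSED = """
bind 0.0.0.0
protected-mode no
port 6379
"""
REDIS_HARDENED = """
bind 127.0.0.1 ::1
protected-mode yes
port 0
tls-port 6379
tls-cert-file /etc/redis/redis.crt
tls-key-file /etc/redis/redis.key
requirepass replace-with-a-long-random-secret
"""


def audit_docker(daemon_json: str) -> list:
    """Findings for a Docker daemon.json; an empty list means nothing is exposed."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    # A TCP listener is only acceptable with client-certificate verification.
    if tcp_hosts and not cfg.get("tlsverify"):
        for host in tcp_hosts:
            addr = host[len("tcp://"):].rsplit(":", 1)[0]
            # 0.0.0.0, [::] or an empty address all mean "listen on every interface"
            where = "all interfaces" if addr in ("0.0.0.0", "[::]", "") else addr
            findings.append(f"docker: unauthenticated TCP API on {where} ({host})")
    return findings


def parse_redis_conf(conf: str) -> dict:
    """Minimal redis.conf parser: one 'directive value...' per line, '#' comments, last wins."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        out[key.lower()] = value.strip()
    return out


def audit_redis(conf: str) -> list:
    """Findings for a redis.conf; an empty list means nothing is exposed."""
    cfg = parse_redis_conf(conf)
    findings = []
    binds = cfg.get("bind", "").split()
    # Redis listens on all interfaces when bind is absent or names a wildcard.
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("redis: bound to all interfaces")
    if cfg.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode disabled")
    if "requirepass" not in cfg:
        findings.append("redis: no requirepass (unauthenticated access)")
    # port 0 plus tls-port makes the instance TLS-only (Redis 6 and later).
    if cfg.get("port", "6379") != "0" and "tls-port" not in cfg:
        findings.append("redis: plaintext port without TLS")
    return findings


if __name__ == "__main__":
    for label, docker, redis in (("exposed", DOCKER_EXPOSED, REDIS_EXPOSED),
                                 ("hardened", DOCKER_HARDENED, REDIS_HARDENED)):
        print(label, audit_docker(docker) + audit_redis(redis) or ["no findings"])
```

The Docker check deliberately does not flag a wildcard bind on its own: with `tlsverify` the daemon refuses connections without a client certificate signed by the configured CA, which is the supported way to expose the API remotely. The Redis check treats a missing `bind` as exposure because that is the daemon's default.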
∗∗∗ Userdir URLs like https://example.org/~username/ are dangerous ∗∗∗
---------------------------------------------
I would like to point out a security problem with a classic variant of web space hosting. While this issue should be obvious to anyone knowing basic web security, I have never seen it being discussed publicly. Some server operators allow every user on the system to have a personal web space where they can place files in a directory (often ~/public_html) and they will appear on the host under a URL with a tilde and their username (e.g. https://example.org/~username/).
---------------------------------------------
https://blog.hboeck.de/archives/899-Userdir-URLs-like-httpsexample.orgusern…
∗∗∗ MISP 2.4.124 released (aka the dashboard, auditing improvements) ∗∗∗
---------------------------------------------
A new version of MISP (2.4.124) has been released. It includes various improvements, including new multiline widgets in the dashboard, auditing improvements and many bug fixes.
---------------------------------------------
https://www.misp-project.org/2020/04/06/MISP.2.4.124.released.html
∗∗∗ Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet ∗∗∗
---------------------------------------------
A proof-of-concept for CVE-2020-8515 that was made publicly available in March is found being employed by a new DDoS botnet called hoaxcalls.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#660597: Periscope BuySpeed is vulnerable to stored cross-site scripting ∗∗∗
---------------------------------------------
Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to store arbitrary JavaScript within the application.
---------------------------------------------
https://kb.cert.org/vuls/id/660597
∗∗∗ Dangerous security holes in HP Support Assistant still open ∗∗∗
---------------------------------------------
A security researcher criticises HP because its developers have for months failed to close several vulnerabilities in the HP Support Assistant, which is installed by default.
---------------------------------------------
https://heise.de/-4697583
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, gnutls28, and libmtp), Fedora (cyrus-sasl, firefox, glibc, squid, and telnet), Gentoo (firefox), Mageia (dcraw, firefox, kernel, kernel-linus, librsvg, and python-nltk), openSUSE (firefox, haproxy, icu, and spamassassin), Red Hat (nodejs:10, openstack-manila, python-django, python-XStatic-jQuery, and telnet), Slackware (firefox), SUSE (bluez, exiv2, and libxslt), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/816886/
∗∗∗ XSS vulnerability in the Dashboard name parameter of FortiADC. ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-20-012
∗∗∗ Improper Authorization vulnerability in FortiADC ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-20-013
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Bouncy Castle API affect IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2019-16782). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 02-04-2020 18:00 − Freitag 03-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln ∗∗∗
---------------------------------------------
I’m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero’s ideas and goals around in-the-wild 0-days in a November blog post. On December’s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-y…
∗∗∗ Progress In 2020 Funding Challenge - Thanks To Fantastic Global Supporters, But More Help Still Needed! ∗∗∗
---------------------------------------------
Our first status update on the critical initial milestone in Shadowserver's urgent 2020 funding challenge. Great progress from our awesome community, with particular thanks to philanthropist Craig Newmark, but more help still needed to fully secure our data center operations in 2020. Join with us to continue protecting victims of cybercrime and help protect the Internet.
---------------------------------------------
https://www.shadowserver.org/news/progress-in-2020-funding-challenge-thanks…
∗∗∗ Contact Form 7 Datepicker: dangerous WordPress plugin without support ∗∗∗
---------------------------------------------
Attackers could attack WordPress websites and take over admin sessions.
---------------------------------------------
https://heise.de/-4696045
∗∗∗ Researchers Discover Hidden Behavior in Thousands of Android Apps ∗∗∗
---------------------------------------------
Thousands of mobile applications for Android contain hidden behavior such as backdoors and blacklists, a group of researchers has discovered. With smartphones being part of our every-day lives, millions of applications are being used for a broad variety of activities, yet many of these engage in behaviors that are never disclosed to their users.
---------------------------------------------
https://www.securityweek.com/researchers-discover-hidden-behavior-thousands…
∗∗∗ Reminders and payment demands from Flirthub.de are unjustified ∗∗∗
---------------------------------------------
Numerous internet users are currently contacting us because they have suddenly received payment demands from Flirthub.de. They allegedly registered on the website of MD Service GmbH, and a trial period has now rolled over into a premium subscription. We took a closer look at the websites and the payment demands. Our verdict: those affected do not have to pay the demanded 265.62 euros!
---------------------------------------------
https://www.watchlist-internet.at/news/mahnungen-und-zahlungsaufforderungen…
∗∗∗ Beware of fake messages from SMSinfo about parcel deliveries ∗∗∗
---------------------------------------------
Because of the Corona crisis, specialist shops in Austria have to remain closed. Many people therefore rely on online orders and are waiting for their parcel. Criminals are increasingly exploiting this and sending SMS messages under the name "SMSinfo". The link in the SMS leads to a fake Post website where you are asked to pay two euros. Do not enter your data there, because the message comes from [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-gefaelschten-nachrichte…
∗∗∗ GuLoader: Malspam Campaign Installing NetWire RAT ∗∗∗
---------------------------------------------
NetWire, a publicly-available RAT, was found being distributed through a file downloader called GuLoader. We explain how its infection chain works and how to defend against it.
---------------------------------------------
https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
∗∗∗ Microsoft: How one Emotet infection took out this organization's entire network ∗∗∗
---------------------------------------------
An Emotet victim's IT disaster shows why organizations should filter internal emails and use two-factor authentication.
---------------------------------------------
https://www.zdnet.com/article/microsoft-how-one-emotet-infection-took-out-t…
=====================
= Vulnerabilities =
=====================
∗∗∗ B&R Automation Studio ∗∗∗
---------------------------------------------
This advisory contains mitigations for improper privilege management, missing required cryptographic step, and path traversal vulnerabilities in B&R Automation Studio software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-093-01
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mediawiki and qbittorrent), Gentoo (gnutls), Mageia (bluez, kernel, python-yaml, varnish, and weechat), Oracle (haproxy and nodejs:12), SUSE (exiv2, haproxy, libpng12, mgetty, and python3), and Ubuntu (libgd2).
---------------------------------------------
https://lwn.net/Articles/816757/
∗∗∗ Security Bulletin: IBM Agile Lifecycle Manager is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-agile-lifecycle-manag…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Agile Lifecycle Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged user could execute commands as root (CVE-2020-4273) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 01-04-2020 18:00 − Donnerstag 02-04-2020 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Office 365 Phishing Uses CSS Tricks to Bypass Email Gateways ∗∗∗
---------------------------------------------
A phishing campaign is using Office 365 voicemail lures to trick recipients into visiting landing pages designed to steal their personal information or infect their computers with malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/office-365-phishing-uses-css…
∗∗∗ Pekraut - German RAT starts gnawing ∗∗∗
---------------------------------------------
Feature-rich remote access malware Pekraut emerges. The rodent seems to be of German origin and is ready to be released. We analyzed the malware in-depth.
---------------------------------------------
https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-…
∗∗∗ Cyber criminals increasingly exploiting the Corona crisis ∗∗∗
---------------------------------------------
The German Federal Office for Information Security (BSI) is currently observing an increase in coronavirus-themed cyber attacks against companies and citizens.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/Cyber-Krimi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apache HTTP Server 2.4 vulnerabilities, Fixed in Apache httpd 2.4.42 ∗∗∗
---------------------------------------------
low: mod_proxy_ftp use of uninitialized value (CVE-2020-1934): mod_proxy_ftp use of uninitialized value with a malicious FTP backend.
low: mod_rewrite CWE-601 open redirect (CVE-2020-1927): Some mod_rewrite configurations are vulnerable to open redirect.
---------------------------------------------
https://httpd.apache.org/security/vulnerabilities_24.html
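The second entry is the CWE-601 class (open redirect): a redirect that was meant to stay on the site can be steered to another host. The fix for httpd itself is the 2.4.42 update; the guard below is an added, general example for application code that computes redirect targets from request input, not the httpd patch and not code from the advisory. It assumes the application knows its own hostname (`own_host`) and that only rooted paths or absolute URLs to that host are legitimate targets; everything else, including percent-encoded control characters such as `%0a`, protocol-relative `//host` forms and backslash tricks, is rejected.

```python
from urllib.parse import unquote, urlsplit

# ASCII control characters (CR, LF, NUL, ...) plus DEL; none belong in a redirect target.
CONTROL = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def is_safe_redirect(target: str, own_host: str) -> bool:
    """CWE-601 guard: True only if `target` keeps the user on `own_host`.

    Accepts a rooted path ("/account") or an absolute http(s) URL whose host is
    own_host. Rejects control characters (raw or percent-encoded), backslashes,
    protocol-relative "//evil" targets, other schemes and other hosts.
    """
    decoded = unquote(target)                 # look through %0a, %2f, ... before checking
    if any(ch in CONTROL for ch in decoded):
        return False                          # encoded newline: header injection / split redirect
    if "\\" in decoded:
        return False                          # browsers treat "/\evil" like "//evil"
    if decoded.startswith("/"):
        return not decoded.startswith("//")   # single leading slash: same-origin path
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False                          # javascript:, data:, scheme-less junk
    if "@" in parts.netloc:
        return False                          # "https://own@evil" would fool a naive prefix check
    return parts.hostname is not None and parts.hostname.lower() == own_host.lower()


if __name__ == "__main__":
    # Constructed test targets for the example
    for t in ("/account", "//evil.example/x", "/login%0d%0aLocation:%20https://evil.example/",
              "https://example.org/x", "https://example.org@evil.example/"):
        print(f"{t!r:60} -> {is_safe_redirect(t, 'example.org')}")
```

Decoding first matters: a target such as `%2F%2Fevil.example` is harmless as a literal string but becomes `//evil.example` once the server or browser decodes it, and a check that only looks at the raw value misses it.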
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, kernel, linux-hardened, linux-lts, and pam-krb5), Debian (haproxy, libplist, and python-bleach), Fedora (tomcat), Gentoo (ghostscript-gpl, haproxy, ledger, qtwebengine, and virtualbox), Red Hat (haproxy, nodejs:12, qemu-kvm-rhev, and rh-haproxy18-haproxy), SUSE (memcached and qemu), and Ubuntu (apport).
---------------------------------------------
https://lwn.net/Articles/816633/
∗∗∗ 2020-04-02: Vulnerabilities in Telephone Gateway TG/S 3.2 ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A3921&Lan…
∗∗∗ 2020-04-02: SECURITY System 800xA Information Manager - Remote Code Execution ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232&Language…
∗∗∗ 2020-04-02: SECURITY System 800xA Weak Registry Permissions ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121221&Language…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.5.0 ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF10 + ICAM 3.0 – 4.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: CVE-2019-2989 vulnerability in IBM Java Runtime affects IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2989-vulnerabili…
∗∗∗ Security Bulletin: CVE-2019-4732 vulnerability in IBM Java Runtime affects IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4732-vulnerabili…
∗∗∗ Security Bulletin: IBM Process Federation Server REST API is subject to DoS attacks ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-federation-se…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 31-03-2020 18:00 − Mittwoch 01-04-2020 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Zoom Lets Attackers Steal Windows Credentials via UNC Links ∗∗∗
---------------------------------------------
The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature, which could allow attackers to steal the Windows credentials of users who click on the link.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-wi…
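The mechanism behind the item above is generic to any chat client that auto-links text: if a message such as `\\203.0.113.9\share` is rendered as a clickable link, a click makes Windows open an SMB connection to that host and offer the user's NTLM credentials. The code below is an added illustration, not Zoom's code: a naive linkifier that turns UNC paths into `file:` links, and a hardened one that links only http and https URLs and leaves everything else as plain text. The chat message is constructed for the example.

```python
import html
import re

# Constructed chat message (not from the article): a UNC path next to a normal URL.
MSG = r"meeting notes: \\203.0.113.9\share\notes.docx and https://example.org/agenda"

# Naive pattern of the kind a chat client might use: anything URL-like, including
# UNC paths (\\host\share\...), becomes a clickable link.
NAIVE_LINK = re.compile(r"https?://\S+|\\\\[^\s\\]+\\\S+")

# Hardened pattern: http/https only, host restricted to a plain DNS name or IPv4.
SAFE_LINK = re.compile(r'https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s<>"]*)?')


def render(message: str, pattern, make_href) -> str:
    """HTML-escape `message`, turning each `pattern` match into an <a> whose href
    comes from make_href(text); a None href renders the match as plain text."""
    out, pos = [], 0
    for m in pattern.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        text = m.group(0)
        href = make_href(text)
        if href is None:
            out.append(html.escape(text))
        else:
            out.append(f'<a href="{html.escape(href)}">{html.escape(text)}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def naive_href(text: str):
    # Vulnerable: \\host\share becomes file://host/share, which Windows resolves over SMB
    if text.startswith("\\\\"):
        return "file:" + text.replace("\\", "/")
    return text


def safe_href(text: str):
    # Second line of defence behind SAFE_LINK: only http(s) targets are ever emitted
    scheme = text.split("://", 1)[0].lower()
    return text if scheme in ("http", "https") else None


def linkify_naive(message: str) -> str:
    return render(message, NAIVE_LINK, naive_href)


def linkify_safe(message: str) -> str:
    return render(message, SAFE_LINK, safe_href)


if __name__ == "__main__":
    print("naive:", linkify_naive(MSG))
    print("safe: ", linkify_safe(MSG))
```

Client-side hardening of this kind only removes the click; the network-side control is to block outbound SMB (TCP 445) at the perimeter so that an accidental click cannot reach an attacker's server anyway.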
∗∗∗ WARNING: Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers ∗∗∗
---------------------------------------------
[...] Named "Vollgar" after the Vollar cryptocurrency it mines and its offensive "vulgar" modus operandi, researchers at Guardicore Labs said the attack employs password brute-force to breach Microsoft SQL servers with weak credentials exposed to the Internet.
---------------------------------------------
https://thehackernews.com/2020/04/backdoor-.html
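Vollgar's initial access is plain password guessing against SQL Server logins reachable from the internet, which is visible in the SQL Server error log as a burst of failed logins (error 18456) from one client, often followed by a success. As an added example (not Guardicore's tooling), the detector below parses log lines in the style of the SQL Server ERRORLOG, applies a sliding window per client address and reports clients that exceed a failure threshold, together with whether a login then succeeded from the same address. The log lines are constructed for the example and only approximate the real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in the style of a SQL Server ERRORLOG (not from the article).
SAMPLE_LOG = """\
2020-04-01 03:12:07.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2020-04-01 03:12:07.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2020-04-01 03:12:07.66 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.50]
2020-04-01 03:12:07.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2020-04-01 03:12:08.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2020-04-01 03:12:08.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2020-04-01 03:12:09.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.50]
2020-04-01 08:45:10.10 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
2020-04-01 09:30:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse(log: str) -> list:
    """Logon events as dicts (ts, outcome, user, client), in log order."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "outcome": m["outcome"], "user": m["user"], "client": m["client"],
            })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)) -> dict:
    """Clients with at least `threshold` failed logins inside any `window`, plus the
    user of a later successful login from that client (a sign the password fell)."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    alerts = {}
    for client, evs in by_client.items():
        fails = [e for e in evs if e["outcome"] == "failed"]
        best, start = 0, 0
        for end in range(len(fails)):          # sliding window over time-ordered failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue                           # slow, occasional failures: not a burst
        last_fail = fails[-1]["ts"]
        success = next((e["user"] for e in evs
                        if e["outcome"] == "succeeded" and e["ts"] >= last_fail), None)
        alerts[client] = {
            "failures": best,
            "users": sorted({f["user"] for f in fails}),
            "success_after": success,
        }
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(client, info)
```

The `success_after` field is what turns a noisy brute-force alert into an incident: a success from the same address right after the burst means the credentials are now in the attacker's hands and the host should be treated as compromised, not merely probed. The real fix is the one the article implies, namely not exposing SQL Server to the internet and not running it with weak or default passwords.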
∗∗∗ WordPress SEO plugin Rank Math: admin vulnerability endangers websites ∗∗∗
---------------------------------------------
A critical vulnerability with the highest severity rating in the WordPress plugin Rank Math can turn attackers into admins. An update is available.
---------------------------------------------
https://heise.de/-4694641
∗∗∗ Classified-ad fraud: how the triangle fraud works ∗∗∗
---------------------------------------------
Ebay, Willhaben, Shpock and co. are popular for buying cheap and second-hand goods or for selling items that are no longer needed. But criminals also feel at home on these classified-ad portals, since they can deliberately exploit the anonymity of the internet. A particularly perfidious fraud trap in this area is the "triangle fraud", in which both buyers and sellers are ripped off.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigenbetrug-so-funktioniert-…
=====================
= Vulnerabilities =
=====================
∗∗∗ BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System ∗∗∗
---------------------------------------------
This advisory contains mitigations for a protection mechanism failure vulnerability in BD Pyxis medical devices.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsma-20-091-01
∗∗∗ Hirschmann Automation and Control HiOS and HiSecOS Products ∗∗∗
---------------------------------------------
This advisory contains mitigations for a classic buffer overflow vulnerability in Hirschmann Automation and Control HiOS and HiSecOS software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-091-01
∗∗∗ Mitsubishi Electric MELSEC ∗∗∗
---------------------------------------------
This advisory contains mitigations for an uncontrolled resource consumption vulnerability in Mitsubishi Electric MELSEC programmable controllers.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-091-02
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, [...]
---------------------------------------------
https://lwn.net/Articles/816511/
∗∗∗ Cisco NX-OS Software Anycast Gateway Invalid ARP Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco NX-OS Software NX-API Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200401-…
∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data returning decrypted credentials ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java(CVE-2020-2604) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: Possible denial of service vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-possible-denial-of-servic…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Tririga Application Platform (CVE-2019-11358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-a…
∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by multiple vulnerabilities in Java ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-…
∗∗∗ Security Bulletin: Vulnerabilities in Java runtime environment that IBM provides affect WebSphere eXtreme Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-r…
∗∗∗ Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2020-4303, CVE-2020-4304) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: Multiple Db2 vulnerabilities affect the IBM Spectrum Protect Server (CVE-2019-4057, CVE-2019-4101, CVE-2019-4154, CVE-2019-4386, CVE-2019-4322) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-vulnerabilit…
∗∗∗ Security Bulletin: Security vulnerability in IBM Java SDK affect Rational Build Forge (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in…
∗∗∗ HPESBHF03994 rev.1 - HPE Superdome Flex with iLO4, Remote or Local Code Execution ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBST03940 rev.1 - HPE MSA 1040, HPE MSA 2040, HPE MSA 2042, HPE MSA 1050, HPE MSA 2050, and HPE MSA 2052 Multiple Remote Access Restriction Bypass ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBHF03993 rev.1 - HPE Superdome X servers with iLO4, Remote Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBHF03995 rev.1 - HPE Superdome X servers with iLO4, Multiple Remote Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBHF03986 rev.1 - HPE Superdome X servers with iLO4, Remote Code Execution and Authentication Bypass ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 30-03-2020 18:00 − Tuesday 31-03-2020 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Networking Basics for Reverse Engineers ∗∗∗
---------------------------------------------
This article will define network reverse engineering, list tools used by reverse engineers for reverse engineering and then highlight the network basics required by such engineers. The article will illustrate, through the lens of an attacker, how to expose the vulnerability of a network protocol and exploit the vulnerability, and then discuss how to [...]
---------------------------------------------
https://resources.infosecinstitute.com/networking-basics-for-reverse-engine…
∗∗∗ OWASP Firmware Security Testing Methodology ∗∗∗
---------------------------------------------
FSTM is composed of nine stages tailored to enable security researchers, software developers, hobbyists, and information security professionals to conduct firmware security assessments.
---------------------------------------------
https://scriptingxss.gitbook.io/firmware-security-testing-methodology/
∗∗∗ They told me I could be anything, so I became a Kubernetes node - Using K3s for command and control on compromised Linux hosts ∗∗∗
---------------------------------------------
In their RSA 2020 talk Advanced Persistence Threats: The Future of Kubernetes Attacks, Ian Coldwater and Brad Geesaman demonstrated that K3s, a lightweight version of Kubernetes, can be used to backdoor compromised Kubernetes clusters. This post describes how K3s can also serve as an easy command and control (C2) mechanism to remotely control compromised Linux machines.
---------------------------------------------
https://blog.christophetd.fr/using-k3s-for-command-and-control-on-compromis…
∗∗∗ Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit ∗∗∗
---------------------------------------------
While following reports on these infections, we stumbled upon a very poorly maintained server connected to a very loud operation named Inter. Upon reverse engineering this server, we found ourselves in conversation with the hackers themselves who revealed much more information about the Inter toolkit operation. This blog post shares some of the findings and explores how digital skimming is evolving into a service.
---------------------------------------------
https://www.perimeterx.com/resources/blog/2020/skimming-as-a-service-anatom…
∗∗∗ Microsoft fixes Windows 10 VPN bug with optional special updates ∗∗∗
---------------------------------------------
Microsoft is releasing Windows 10 updates intended to fix an internet access problem, specifically when VPN software with proxy configurations is used.
---------------------------------------------
https://heise.de/-4694177
∗∗∗ Industrial Controllers Still Vulnerable to Stuxnet-Style Attacks ∗∗∗
---------------------------------------------
Researchers demonstrated recently that hackers could launch a Stuxnet-style attack against Schneider Electric’s Modicon programmable logic controllers (PLCs), but it’s believed that products from other vendors could also be vulnerable to the same type of attack.
---------------------------------------------
https://www.securityweek.com/industrial-controllers-still-vulnerable-stuxne…
∗∗∗ FBI Warns of Ongoing Kwampirs Attacks Targeting Global Industries ∗∗∗
---------------------------------------------
A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns.
---------------------------------------------
https://www.securityweek.com/fbi-warns-ongoing-kwampirs-attacks-targeting-g…
∗∗∗ Beware of prize draws that require credit card details ∗∗∗
---------------------------------------------
Criminals pose as well-known companies and spread fake prize draws through various channels. They lead participants to believe they have won an iPhone 11 Pro, an e-scooter or a Weber grill. For shipping the prize, however, 1-3 euros are demanded, which must be paid by credit card. Caution: this is a subscription trap. Criminals debit up to 90 euros a month. As for your supposed prize, you will [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gewinnspielen-die-kredi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin ∗∗∗
---------------------------------------------
On March 23, 2020, our Threat Intelligence team discovered 2 vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site.
---------------------------------------------
https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-o…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux-raspi2, linux-raspi2-5.3, and Timeshift).
---------------------------------------------
https://lwn.net/Articles/816368/
∗∗∗ VU#962085: Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/962085
∗∗∗ VU#944837: Vertiv Avocent UMG-4000 vulnerable to command injection and cross-site scripting vulnerabilities ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/944837
∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ PEPPERL+FUCHS Kr00k vulnerabilities in Broadcom Wi-Fi chipsets ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-014
∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4238) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger…
∗∗∗ Security Bulletin: Denial of service vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4236) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in TLS (CVE-2019-6485) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Potential information disclosure vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4239) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-information-dis…
∗∗∗ Security Bulletin: Directory Traversal vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4240, CVE-2020-4209) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-vulne…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Protect Plus (CVE-2019-15606, CVE-2019-15604, CVE-2019-15605, CVE-2019-9511, CVE-2019-9516, CVE-2019-9512, CVE-2019-9517, CVE-2019-9518, CVE-2019-9515, CVE-2019-9513, CVE-2019-9514) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 27-03-2020 18:00 − Monday 30-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Security updates: F5 BIG-IP appliances vulnerable ∗∗∗
---------------------------------------------
F5's developers have closed several security vulnerabilities in various products.
---------------------------------------------
https://heise.de/-4693455
∗∗∗ A mysterious hacker group is eavesdropping on corporate email and FTP traffic ∗∗∗
---------------------------------------------
Hacker group uses zero-day in DrayTek Vigor enterprise routers and VPN gateways to record network traffic.
---------------------------------------------
https://www.zdnet.com/article/a-mysterious-hacker-group-is-eavesdropping-on…
∗∗∗ Source code of Dharma ransomware pops up for sale on hacking forums ∗∗∗
---------------------------------------------
The source code of one of today's most profitable and advanced ransomware strains is up for sale on two Russian-language hacking forums.
---------------------------------------------
https://www.zdnet.com/article/source-code-of-dharma-ransomware-pops-up-for-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/816267/
∗∗∗ Synology-SA-20:04 Drupal ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Drupal.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_04_Drupal
∗∗∗ D-LINK Router: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0272
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 26-03-2020 18:00 − Friday 27-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Bug: No continuous VPN on iOS ∗∗∗
---------------------------------------------
Old connections are currently routed past the VPN on iOS.
---------------------------------------------
https://www.golem.de/news/bug-kein-durchgaengiges-vpn-unter-ios-2003-147552…
∗∗∗ Corona malware campaign in the name of the WHO via manipulated router settings ∗∗∗
---------------------------------------------
Manipulated DNS settings on D-Link and Linksys routers redirect to supposed warnings from the World Health Organization, behind which malware is hidden.
---------------------------------------------
https://heise.de/-4692092
∗∗∗ Micropatching Unknown 0days in Windows Type 1 Font Parsing ∗∗∗
---------------------------------------------
Three days ago, Microsoft published a security advisory alerting about two vulnerabilities in Windows font parsing, which were noticed as being exploited in "limited targeted Windows 7 based attacks." These vulnerabilities currently don't have an official vendor fix. As we've done before in a similar situation, we decided to provide our users with a micropatch to protect [...]
---------------------------------------------
https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html
∗∗∗ Dubious online shop: silahmall.com ∗∗∗
---------------------------------------------
Antiques, clothing, jewellery and watches, furniture or computer accessories: the online shop silahmall.com offers a broad product range and promises high quality. The site is tempting to shop at. But be careful! We advise against ordering, as the site has no legal notice (Impressum) and the only contact option given is dubious.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioeser-online-shop-silahmallcom/
=====================
= Vulnerabilities =
=====================
∗∗∗ Advantech WebAccess ∗∗∗
---------------------------------------------
This advisory contains mitigations for a stack-based buffer overflow vulnerability in Advantech's WebAccess HMI platform.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-086-01
∗∗∗ VISAM Automation Base (VBASE) ∗∗∗
---------------------------------------------
This advisory contains mitigations for several vulnerabilities in VISAM's VBASE automation platform.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-084-01
∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗
---------------------------------------------
This advisory contains mitigations for path traversal and missing authentication for critical function vulnerabilities in the Schneider Electric IGSS SCADA software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-084-02
∗∗∗ Critical CODESYS Bug Allows Remote Code Execution ∗∗∗
---------------------------------------------
CVE-2020-10245, a heap-based buffer overflow that rates 10 out of 10 in severity, exists in the CODESYS web server and takes little skill to exploit.
---------------------------------------------
https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/
∗∗∗ [Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.7/1.33.3/1.34.1) ∗∗∗
---------------------------------------------
With the security/maintenance release of MediaWiki 1.31.7/1.33.3/1.34.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: [...]
---------------------------------------------
https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093245.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).
---------------------------------------------
https://lwn.net/Articles/816130/
∗∗∗ OTRS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0268
∗∗∗ MediaWiki: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0271
∗∗∗ PHOENIX CONTACT Local Privilege Escalation in PC WORX SRT ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-012
∗∗∗ PHOENIX CONTACT Local Privilege Escalation in Portico Remote desktop control software ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-013
∗∗∗ Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-liberty-suscept…
∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct File Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ BIG-IP TMM Ram Cache vulnerability CVE-2020-5861 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K22113131
∗∗∗ BIG-IP HTTP profile vulnerability CVE-2020-5857 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K70275209
∗∗∗ BIG-IP HTTP/3 QUIC vulnerability CVE-2020-5859 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61367237
∗∗∗ BIG-IP AWS vulnerability CVE-2020-5862 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01054113
∗∗∗ BIG-IP tmsh vulnerability CVE-2020-5858 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36814487
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 25-03-2020 18:00 − Thursday 26-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Tight labour market leads to fraudulent job offers ∗∗∗
---------------------------------------------
Because of the labour market situation caused by the coronavirus, many internet users are currently looking online for jobs or an additional source of income. Criminals deliberately exploit this by posting fraudulent job offers on the internet. The fake jobs can lead to money laundering, be pyramid schemes or lure people into dangerous investments.
---------------------------------------------
https://www.watchlist-internet.at/news/angespannter-arbeitsmarkt-sorgt-fuer…
∗∗∗ WordPress Malware Distributed via Pirated Coronavirus Plugins ∗∗∗
---------------------------------------------
The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a web site.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-malware-distribute…
∗∗∗ Malware spotlight: Nemty ∗∗∗
---------------------------------------------
If the last five years or so have proven anything, it is that ransomware is here to stay as a threat in the cybersecurity wild. This should not be used as rationale to simply ignore the deluge of new types of malware that are discovered weekly, as the recently discovered malware family Nemty has [...]
---------------------------------------------
https://resources.infosecinstitute.com/malware-spotlight-nemty/
∗∗∗ As Zoom Booms Incidents of ‘ZoomBombing’ Become a Growing Nuisance ∗∗∗
---------------------------------------------
Numerous instances of online conferences being disrupted by pornographic images, hate speech or even threats can be mitigated using some platform tools.
---------------------------------------------
https://threatpost.com/as-zoom-booms-incidents-of-zoombombing-become-a-grow…
∗∗∗ Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios ∗∗∗
---------------------------------------------
Increased remote work has many organizations rethinking network and security strategies. In this post we share guidance on how to manage security in this changing environment.
---------------------------------------------
https://www.microsoft.com/security/blog/2020/03/26/alternative-security-pro…
∗∗∗ Assemble the Cookies ∗∗∗
---------------------------------------------
When we investigate compromised websites, it’s not unusual to find malicious files that have been obfuscated through forms of encoding or encryption — however, these are not the only methods that attackers use to obfuscate code. Obfuscation via Predefined PHP Variables Here’s an example of obfuscation that doesn’t use encoding or encryption in any way: [...]
---------------------------------------------
https://blog.sucuri.net/2020/03/assemble-the-cookies.html
∗∗∗ Apple iOS users served mobile malware in Poisoned News campaign ∗∗∗
---------------------------------------------
As we all devour online news sources in the current climate, cyberattackers are waiting to spring.
---------------------------------------------
https://www.zdnet.com/article/apple-ios-users-served-mobile-malware-in-oper…
∗∗∗ 4G networks vulnerable to denial of service attacks, subscriber tracking ∗∗∗
---------------------------------------------
Don’t think you’re protected on upcoming 5G networks, either.
---------------------------------------------
https://www.zdnet.com/article/100-of-4g-networks-vulnerable-to-denial-of-se…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr).
---------------------------------------------
https://lwn.net/Articles/816039/
∗∗∗ Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-008
∗∗∗ Security Advisory - Use-after-free Vulnerability in Some Huawei Smart Phone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-…
∗∗∗ Vulnerabilities Patched in IMPress for IDX Broker ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-f…
∗∗∗ Red Hat OpenShift: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0264
∗∗∗ Security Bulletin: Security: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for ACH Services (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-a-vulnerability-…
∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)(CVE-2019-12418, CVE-2019-17563) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat…
∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-4304) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4276) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vuln…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 24-03-2020 18:00 − Wednesday 25-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Ginp Mobile Banker Targets Spain with "Coronavirus Finder" Lure ∗∗∗
---------------------------------------------
In today's deluge of malicious campaigns exploiting the COVID-19 topic, handlers of the Android banking trojan Ginp stand out with operation Coronavirus Finder.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ginp-mobile-banker-targets-s…
∗∗∗ Three More Ransomware Families Create Sites to Leak Stolen Data ∗∗∗
---------------------------------------------
Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims, further illustrating why all ransomware attacks must be considered data breaches.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/three-more-ransomware-famili…
∗∗∗ Firmware bug destroys SSDs after exactly 40,000 hours ∗∗∗
---------------------------------------------
Hewlett Packard warns that all data will be irretrievably lost once that time has elapsed.
---------------------------------------------
https://futurezone.at/produkte/firmware-bug-zerstoert-ssds-nach-genau-40000…
∗∗∗ Traffic to Malicious Websites Spiking as more Employees Take Up Work from Home ∗∗∗
---------------------------------------------
Heimdal™ Security's Incident Response and Research team has recently uncovered evidence of a potentially dangerous campaign directed at employees working from home. With many cities under lockdown due to the COVID-19 pandemic, companies were mandated to allow employees to work from home in a bid to stop the spread of the virus. Since [...]
---------------------------------------------
https://heimdalsecurity.com/blog/malicious-websites-work-from-home/
∗∗∗ TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services ∗∗∗
---------------------------------------------
The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The Android app, called "TrickMo" by IBM X-Force researchers, is under active development and has exclusively targeted German users [...]
---------------------------------------------
https://thehackernews.com/2020/03/trickbot-two-factor-mobile-malware.html
∗∗∗ Microsoft Defender: "scan skip bug" apparently fixed with update KB4052623 ∗∗∗
---------------------------------------------
The update KB4052623 that Microsoft released for Windows Defender appears to eliminate the message that items were skipped during the scan.
---------------------------------------------
https://heise.de/-4690575
∗∗∗ VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion ∗∗∗
---------------------------------------------
VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch. However, one of the researchers who found it says the patch is "still bad".
---------------------------------------------
https://www.securityweek.com/vmware-again-fails-patch-privilege-escalation-…
∗∗∗ Videolabs Patches Code Execution, DoS Vulnerabilities in libmicrodns Library ∗∗∗
---------------------------------------------
Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn.
---------------------------------------------
https://www.securityweek.com/videolabs-patches-code-execution-dos-vulnerabi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical RCE Bug Affects Millions of OpenWrt-based Network Devices ∗∗∗
---------------------------------------------
A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic. Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the [...]
---------------------------------------------
https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html
∗∗∗ Apple Releases Security Updates ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: iTunes 12.10.5 for Windows, iOS 13.4 and iPadOS 13.4, Safari 13.1, watchOS 6.2, tvOS 13.4, macOS [...]
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/03/25/apple-releases-sec…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived).
---------------------------------------------
https://lwn.net/Articles/815937/
∗∗∗ BlackBerry Powered by Android Security Bulletin – March 2019 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Red Hat OpenShift Container Platform: vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0262
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-…
∗∗∗ Security Advisory - Improper Access Control Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-…
∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-…
∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2019-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact…
∗∗∗ Security Bulletin: Security vulnerability is identified in Apache POI server where Rational Asset Manager is deployed (CVE-2019-12415) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-is…
∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-4305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: CVE-2019-4732 vulnerability in IBM Java Runtime affects IBM Process Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4732-vulnerabili…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 23-03-2020 18:00 − Tuesday 24-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps ∗∗∗
---------------------------------------------
A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is actually the Vidar information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-t…
∗∗∗ Unknown Hackers Use New Milum RAT in WildPressure Campaign ∗∗∗
---------------------------------------------
A new piece of malware that shows no similarities with samples used in known campaigns is currently used to attack computers in various organizations. Researchers named the threat Milum and dubbed the operation WildPressure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unknown-hackers-use-new-milu…
∗∗∗ Tekya Malware Threatens Millions of Android Users via Google Play ∗∗∗
---------------------------------------------
The ad-fraud malware lurks in dozens of children's and utility apps.
---------------------------------------------
https://threatpost.com/tekya-malware-android-google-play/154064/
∗∗∗ Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it ∗∗∗
---------------------------------------------
Yes, you may have detected some sarcasm. An annoying security flaw has been disclosed and promptly fixed in the fairly popular memcached distributed data-caching software.
---------------------------------------------
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/24/memcache…
∗∗∗ Fraudulent Raiffeisen e-mails in circulation ∗∗∗
---------------------------------------------
Raiffeisen customers are currently receiving a notification that smsTAN is being deactivated and that ELBA users can switch to pushTAN, for example. For further information on the changeover, they are asked to log in to online banking. Be especially careful with e-mails from Raiffeisen Bank on the subject of smsTAN and pushTAN, and check carefully whether the request really comes from Raiffeisen Bank. There are also fraudulent [...]
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-raiffeisen-e-mails-im…
=====================
= Vulnerabilities =
=====================
∗∗∗ Emergency patch for Adobe Creative Cloud Application ∗∗∗
---------------------------------------------
A critical security vulnerability in Adobe's Creative Cloud Application leaves Windows computers open to attack.
---------------------------------------------
https://heise.de/-4689478
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tomcat8), Fedora (chromium and okular), openSUSE (texlive-filesystem), Oracle (tomcat6), Scientific Linux (libvncserver, thunderbird, and tomcat6), Slackware (gd), SUSE (cloud-init, postgresql10, python36, and strongswan), and Ubuntu (ibus and vim).
---------------------------------------------
https://lwn.net/Articles/815882/
∗∗∗ Critical security vulnerability in Microsoft Windows (Adobe Type Manager Library) - workarounds available ∗∗∗
---------------------------------------------
Microsoft has published a security advisory, outside its monthly patch cycle, for a critical security vulnerability in the Adobe Type Manager Library. According to Microsoft and CERT/CC, the vulnerability is already being actively exploited, [...]
---------------------------------------------
https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft…
∗∗∗ systemd-journald vulnerability CVE-2019-3815 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K22040951
∗∗∗ Apache vulnerability CVE-2020-8840 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K15320518
∗∗∗ Paessler PRTG: vulnerability allows unspecified attack ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0256
∗∗∗ Kubernetes: multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0253
∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Arbitrary Script Injection vulnerability (CVE-2019-4681) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to a session management vulnerability. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-…
∗∗∗ Security Bulletin: IBM Content Navigator includes the host IP address in an HTTP response. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-inc…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2019-2989) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM API Connect is impacted by weak cryptographic algorithms (CVE-2019-4553) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: IBM API Connect is potentially impacted by vulnerabilities in MySQL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-potent…
∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by a denial of service vulnerability in MySQL (CVE-2019-2805) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope…
∗∗∗ Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java (CVE-2019-2989) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact…
∗∗∗ Security Bulletin: A security vulnerability has been disclosed in Expat, which is installed as part of IBM Tivoli Network Manager (CVE-2019-15903). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 20-03-2020 18:00 − Monday 23-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware ∗∗∗
---------------------------------------------
PwndLocker has rebranded as the ProLock Ransomware after fixing a crypto bug that allowed a free decryptor to be created.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pwndlocker-fixes-crypto-bug-…
∗∗∗ Netwalker Ransomware Infecting Users via Coronavirus Phishing ∗∗∗
---------------------------------------------
As if people did not have enough to worry about, attackers are now targeting them with Coronavirus (COVID-19) phishing emails that install ransomware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecti…
∗∗∗ Latest Astaroth living-off-the-land attacks are even more invisible but not less observable ∗∗∗
---------------------------------------------
Astaroth is back sporting significant changes. The updated attack chain maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion.
---------------------------------------------
https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-o…
∗∗∗ Zero-Day Vulnerabilities in LILIN DVRs Exploited by Several Botnets ∗∗∗
---------------------------------------------
Cybercrime groups have been exploiting vulnerabilities in digital video recorders (DVRs) made by Taiwan-based surveillance solutions provider LILIN to increase the size of their botnets.
---------------------------------------------
https://www.securityweek.com/zero-day-vulnerabilities-lilin-dvrs-exploited-…
∗∗∗ Caution when shopping on mimty.de and evenlife.de ∗∗∗
---------------------------------------------
Countless internet users are currently reporting the online shops mimty.de and evenlife.de to Watchlist Internet. The websites are built identically and offer respirator masks, disinfectant sprays and similar goods. Shopiago GmbH, the company behind the shops, states a registered office in Germany, but shipping comes from far abroad with long delays or does not happen at all for a long time. Watchlist Internet advises caution!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-bei-einkaeufen-auf-mimtyde-u…
∗∗∗ How to prevent your Zoom meetings being Zoom-bombed (gate-crashed) by trolls ∗∗∗
---------------------------------------------
The coronavirus outbreak has seen an unprecedented number of people working and learning from home, and one of the tools that is making that possible is Zoom. But if you don't take care, you could find your meetings being gate-crashed or Zoom-bombed, potentially causing havoc and mayhem.
---------------------------------------------
https://www.zdnet.com/article/how-to-prevent-your-zoom-meetings-being-zoom-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Insulet Omnipod ∗∗∗
---------------------------------------------
This advisory contains mitigations for an improper access control vulnerability in Insulet's Omnipod insulin management system.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsma-20-079-01
∗∗∗ Systech NDS-5000 Terminal Server ∗∗∗
---------------------------------------------
This advisory contains mitigations for a cross-site scripting vulnerability in Systech's NDS-5000 network server.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-079-01
∗∗∗ FIBARO System Home Center v5.021 Remote File Include XSS ∗∗∗
---------------------------------------------
The smart home solution is vulnerable to a remote Cross-Site Scripting triggered via a Remote File Inclusion issue by including arbitrary client-side dynamic scripts (JavaScript, VBScript) due to the undocumented proxy API and its url GET parameter. This allows hijacking the current session of the user or changing the look of the page by changing the HTML.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php
∗∗∗ PMASA-2020-4 ∗∗∗
---------------------------------------------
SQL injection relating to data display. Affected Versions: phpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected. We believe the flaw was introduced with phpMyAdmin 3.4. CVE ID: CVE-2020-10803
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2020-4/
∗∗∗ PMASA-2020-3 ∗∗∗
---------------------------------------------
SQL injection relating to searching. Affected Versions: phpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected. CVE ID: CVE-2020-10802
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2020-3/
∗∗∗ PMASA-2020-2 ∗∗∗
---------------------------------------------
SQL injection with processing username. Affected Versions: phpMyAdmin 4.9.x releases prior to 4.9.5 and the 5.0.x releases prior to 5.0.2 are affected. CVE ID: CVE-2020-10804
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2020-2/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amd64-microcode, chromium, graphicsmagick, jackson-databind, phpmyadmin, python-bleach, and tor), Gentoo (exim and nodejs), openSUSE (chromium and thunderbird), Oracle (tomcat), Red Hat (devtoolset-8-gcc, libvncserver, runc, samba, thunderbird, and tomcat6), and SUSE (ruby2.5).
---------------------------------------------
https://lwn.net/Articles/815798/
∗∗∗ Red Hat Enterprise Linux: vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0250
∗∗∗ Security Bulletin: Jan 2020: Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jan-2020-multiple-vulnera…
∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI ( CVE-2019-4717) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in Swagger UI affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to open redirection; open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Few vulnerabilities affecting IBM Cloud Object Storage Systems (March 2020v1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-few-vulnerabilities-affec…
∗∗∗ Security Bulletin: Vulnerabilities affecting IBM Cloud Object Storage Systems (March 2020v2) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affecting…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 19-03-2020 18:00 − Friday 20-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ WHO Chief Impersonated in Phishing to Deliver HawkEye Malware ∗∗∗
---------------------------------------------
An ongoing phishing campaign delivering emails posing as official messages from the Director-General of the World Health Organization (WHO) is actively spreading HawkEye malware payloads onto the devices of unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/who-chief-impersonated-in-ph…
∗∗∗ Firefox Reenables Insecure TLS to Improve Access to COVID19 Info ∗∗∗
---------------------------------------------
Mozilla says that support for the insecure TLS 1.0 and TLS 1.1 will be re-enabled in the latest version of Firefox to maintain access to government sites with COVID19 information that haven't yet upgraded to TLS 1.2 or TLS 1.3.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/firefox-reenables-insecure-t…
∗∗∗ PrivEsc in Lenovo Vantage. Two minutes later ∗∗∗
---------------------------------------------
TL;DR The latest and greatest Lenovo Vantage software which ships with the most recent Lenovo devices is affected by a privilege escalation vulnerability.
---------------------------------------------
https://www.pentestpartners.com/security-blog/privesc-in-lenovo-vantage-two…
∗∗∗ New Mirai Variant Targets Zyxel Network-Attached Storage Devices ∗∗∗
---------------------------------------------
Unit 42 researchers discovered a new Mirai variant, dubbed Mukashi, exploiting CVE-2020-9054 to infect vulnerable versions of Zyxel network-attached storage (NAS) devices.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/
∗∗∗ Security flaws found in popular password managers ∗∗∗
---------------------------------------------
Not all they’re cracked up to be? Several password vaults have been found to contain vulnerabilities, both new and previously disclosed but never patched, a study says.
---------------------------------------------
https://www.welivesecurity.com/2020/03/19/security-flaws-found-in-popular-p…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (bluez and chromium), Debian (icu, rails, thunderbird, and twisted), Fedora (chromium and webkit2gtk3), Gentoo (bsdiff, cacti, clamav, fribidi, libgit2, pecl-imagick, phpmyadmin, pyyaml, and tomcat), openSUSE (wireshark), Oracle (firefox, icu, python-imaging, thunderbird, and zsh), Scientific Linux (thunderbird), SUSE (firefox, nghttp2, thunderbird, and tomcat), and Ubuntu (twisted).
---------------------------------------------
https://lwn.net/Articles/815591/
∗∗∗ Ruby on Rails: vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0246
∗∗∗ Symantec Veritas NetBackup: vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0244
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4304) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by vulnerabilities in WebSphere Application Server Liberty (CVE-2019-9515, CVE-2019-9518, CVE-2019-9517, CVE-2019-9512, CVE-2019-9514, CVE-2019-9513) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4663) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-17573) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2014-3603) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: Information Disclosure in Cognos Business Intelligence (Cognos BI) shipped with Tivoli Common Reporting (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 18-03-2020 18:00 − Thursday 19-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Shadowserver Foundation: non-profit IT security team needs donations ∗∗∗
---------------------------------------------
The Shadowserver team helps law enforcement agencies put cybercriminals out of business. Now it urgently needs (financial) help itself.
---------------------------------------------
https://heise.de/-4686211
∗∗∗ RedLine Info-Stealing Malware Spread by Folding@home Phishing ∗∗∗
---------------------------------------------
A new phishing email is trying to take advantage of the Coronavirus pandemic and the race to develop medications by promoting a fake Folding@home app that installs an information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/redline-info-stealing-malwar…
∗∗∗ InfoSec Conferences Canceled? We’ve Hours Of Recordings! ∗∗∗
---------------------------------------------
If you planned to attend some security conferences in the coming weeks, there are risks to have them canceled… Normally, I should be now in Germany to attend TROOPERS… Canceled! SAS2020 (“Security Analyst Summit”)… Canceled! FIRST TC Amsterdam… Canceled! And more will probably be added to the long list.
---------------------------------------------
https://blog.rootshell.be/2020/03/19/infosec-conferences-canceled-weve-hour…
∗∗∗ Beware of the fake shop hausmasters.net ∗∗∗
---------------------------------------------
Hausmasters.net offers countless household goods at bargain prices with free shipping to Austria, Germany and Switzerland. The wide range of products, consisting of refrigerators, vacuum cleaners and washing machines, and the modern website design invite a quick purchase. But beware: here you pay in advance but never receive a delivery. It is a fake shop.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-dem-fake-shop-hausmaster…
∗∗∗ France warns of new ransomware gang targeting local governments ∗∗∗
---------------------------------------------
CERT France says some local governments have been infected with a new version of the Pysa (Mespinoza) ransomware.
---------------------------------------------
https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting…
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe: further, partly critical updates, including for Photoshop and Bridge ∗∗∗
---------------------------------------------
Adobe has not only patched Acrobat and Reader, but also Bridge, ColdFusion, Experience Manager, Photoshop and Genuine Integrity Service.
---------------------------------------------
https://heise.de/-4686418
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gdal), Fedora (nethack), Mageia (okular, sleuthkit, and webkit2), openSUSE (salt), Oracle (icu, kernel, python-pip, python-virtualenv, and zsh), Red Hat (icu, python-imaging, thunderbird, and zsh), Scientific Linux (icu, python-imaging, and zsh), SUSE (postgresql10), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/815442/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects Financial Transaction Manager for Check Services (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Java Runtime Vulnerabilities affect the IBM Spectrum Protect Backup-Archive Client and web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments (CVE-2019-4732, ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerab…
∗∗∗ Security Bulletin: IBM DataPower Gateway is potentially vulnerable to a DoS issue when processing regular expressions (CVE-2017-16231) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-is-…
∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Snapshot for VMware (CVE-2019-4304, CVE-2019-4305, CVE-2019-4441, CVE-2014-3603) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563, CVE-2019-1552) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: Potential exposure of sensitive data in IBM DataPower Gateway (CVE-2020-4203) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-exposure-of-sen…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect OS Images for Red Hat Linux Systems (Oct2019 updates) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Red Hat Enterprise Linux: Vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0241
∗∗∗ Drupal: Multiple vulnerabilities allow cross-site scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0240
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 17-03-2020 18:00 − Wednesday 18-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ TrickBot Now Exploits Infected PCs to Launch RDP Brute Force Attacks ∗∗∗
---------------------------------------------
A new module for TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet.
---------------------------------------------
https://thehackernews.com/2020/03/trickbot-malware-rdp-bruteforce.html
∗∗∗ Home office? Sure, but securely! ∗∗∗
---------------------------------------------
One recommended measure in the context of coronavirus prevention is making greater use of home office and mobile working. This requires pragmatic solutions that preserve an organisation's ability to work while at the same time guaranteeing confidentiality, availability and integrity.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/Empfehlungen_mobi…
∗∗∗ Working securely from home! ∗∗∗
---------------------------------------------
In response to the coronavirus and corresponding government directives, countless companies have by now switched their operations to working from home. Since this means a number of changes to everyday work processes, there are recommendations for companies and their employees that can prevent damage caused by criminals in the current exceptional situation.
---------------------------------------------
https://www.watchlist-internet.at/news/sicher-arbeiten-im-homeoffice/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Genuine Integrity Service (APSB20-12), Adobe Acrobat and Reader (APSB20-13), Adobe Photoshop (APSB20-14), Adobe Experience Manager (APSB20-15), Adobe ColdFusion (APSB20-16) and Adobe Bridge (APSB20-17).
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1847
∗∗∗ Severe Flaws Patched in Responsive Ready Sites Importer Plugin ∗∗∗
---------------------------------------------
On March 2nd, our Threat Intelligence team discovered several vulnerable endpoints in Responsive Ready Sites Importer, a WordPress plugin installed on over 40,000 sites. These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX actions that could reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files, and activate plugins, among many other actions. ... We highly recommend updating to the latest version available, 2.2.7, immediately.
---------------------------------------------
https://www.wordfence.com/blog/2020/03/severe-flaws-patched-in-responsive-r…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libvncserver and twisted), Fedora (libxslt), Red Hat (kernel, kernel-rt, python-flask, python-pip, python-virtualenv, slirp4netns, tomcat, and zsh), Scientific Linux (kernel, python-pip, python-virtualenv, tomcat, and zsh), SUSE (apache2-mod_auth_openidc and skopeo), and Ubuntu (apport and dino-im).
---------------------------------------------
https://lwn.net/Articles/815309/
∗∗∗ FreeRADIUS: Vulnerability allows information disclosure ∗∗∗
---------------------------------------------
FreeRADIUS is an open source server for authenticating remote users based on the RADIUS protocol (Remote Access Dial-In User Service). A remote, anonymous attacker can exploit a vulnerability in FreeRADIUS to disclose information.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0235
∗∗∗ Delta Electronics Industrial Automation CNCSoft ScreenEditor ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-077-01
∗∗∗ Cisco SD-WAN Solution vManage SQL Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco SD-WAN Solution Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco SD-WAN Solution Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco SD-WAN Solution Buffer Overflow Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco SD-WAN Solution vManage Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-…
∗∗∗ Security Advisory - Logic Error Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-…
∗∗∗ Security Advisory - Double Free Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200318-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud January 2020 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A Vulnerability in Apache Log4j affects IBM LKS ART & Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Apache Commons vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Cross-Site Request Forgery (CSRF) vulnerabilities were identified on Tivoli Netcool/OMNIbus WebGUI Relationship admin page (CVE-2020-4199) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to a denial of service (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects Liberty for Java for IBM Cloud(CVE-2019-12406) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 16-03-2020 18:00 − Tuesday 17-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Beware of phishing e-mails on the subject of corona ∗∗∗
---------------------------------------------
Criminals are exploiting the coronavirus for their scams and sending phishing e-mails in the name of companies. We are currently aware of fake e-mails purporting to come from A1 and DHL. So be very careful with e-mails about corona, and under no circumstances click on a link or log in to your customer account via a button at the end of the e-mail. Do not download any attachments either; they could be malware.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-zum-them…
∗∗∗ The Shadowserver Foundation urgently needs financial help ∗∗∗
---------------------------------------------
The Shadowserver Foundation is not only the world's largest source of threat intelligence, it is also by far the most important source of information for CERT.at on topics such as malware infections, vulnerable systems, etc. in Austria (see the list of feeds we receive from Shadowserver). In total, the Shadowserver Foundation supplies 107 national CERTs/CSIRTs in 136 countries with valuable information about problems in their respective [...]
---------------------------------------------
https://cert.at/de/blog/2020/3/die-shadowserver-foundation-braucht-dringend…
∗∗∗ Slack fixes account-stealing bug ∗∗∗
---------------------------------------------
Slack has fixed a bug that allowed attackers to hijack user accounts by tampering with their HTTP sessions.
---------------------------------------------
https://nakedsecurity.sophos.com/2020/03/17/slack-fixes-account-stealing-bu…
∗∗∗ A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th) ∗∗∗
---------------------------------------------
DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It also has become easier (but not trivial) to defend against these attacks. But in the end, you still have to "buy your way out" of denial of service attacks.
---------------------------------------------
https://isc.sans.edu/diary/rss/25916
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (okular, thunderbird, and webkit2gtk), Debian (webkit2gtk), Fedora (php-horde-Horde-Form), Gentoo (libvorbis, nss, and proftpd), Oracle (firefox and kernel), Red Hat (kernel), Scientific Linux (firefox), SUSE (cni, cni-plugins, conmon, fuse-overlayfs, podman, librsvg, and ovmf), and Ubuntu (ceph, icu, linux, linux-aws, linux-kvm, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, [...]
---------------------------------------------
https://lwn.net/Articles/815202/
∗∗∗ Intel CPUs vulnerable to new Snoop attack ∗∗∗
---------------------------------------------
Applying the patches for the Foreshadow (L1TF) attack disclosed in 2018 also blocks Snoop attacks.
---------------------------------------------
https://www.zdnet.com/article/intel-cpus-vulnerable-to-new-snoop-attack/
∗∗∗ Trend Micro products: Multiple vulnerabilities allow execution of arbitrary code with administrator privileges ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0230
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Liberty affects IBM Operations Analytics Predictive Insights (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the WebSphere Message Broker V8. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker V8. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 13-03-2020 18:00 − Monday 16-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Critical flaw: Attackers could break out of VMware Fusion and Workstation ∗∗∗
---------------------------------------------
Anyone running virtual machines with Fusion, Horizon, Remote Console (VMRC) and Workstation should download and install the updated versions for security reasons. Otherwise, in the worst case, attackers could break out of a VM and execute malicious code on the host system.
---------------------------------------------
https://www.heise.de/security/meldung/Kritische-Luecke-Angreifer-koennten-a…
∗∗∗ Saving Shadowserver and Securing the Internet — Why You Should Care & How You Can Help ∗∗∗
---------------------------------------------
Shadowserver has unexpectedly lost the financial support of our largest sponsor. We need to transition the impacted operations staff and move our data center by May 26th 2020. This is an extremely aggressive timeline. We urgently appeal to our constituents and the community to rally together, help save Shadowserver and help secure the Internet. This is the initial announcement and the index page to more detailed supporting content.
---------------------------------------------
https://www.shadowserver.org/news/saving-shadowserver-and-securing-the-inte…
∗∗∗ BlackWater Malware Abuses Cloudflare Workers for C2 Communication ∗∗∗
---------------------------------------------
A new backdoor malware called BlackWater is pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malware's command and control (C2) server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cl…
∗∗∗ MonitorMinor: vicious stalkerware ∗∗∗
---------------------------------------------
The other day, our Android traps ensnared an interesting specimen of stalkerware. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality.
---------------------------------------------
https://securelist.com/monitorminor-vicious-stalkerware/95575/?utm_source=r…
∗∗∗ Phishing PDF With Incremental Updates., (Sat, Mar 14th) ∗∗∗
---------------------------------------------
Someone asked me for help with this phishing PDF.
---------------------------------------------
https://isc.sans.edu/diary/rss/25904
∗∗∗ Desktop.ini as a post-exploitation tool, (Mon, Mar 16th) ∗∗∗
---------------------------------------------
Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however.
---------------------------------------------
https://isc.sans.edu/diary/rss/25912
∗∗∗ Open MQTT Report - Expanding the Hunt for Vulnerable IoT devices ∗∗∗
---------------------------------------------
New MQTT IPv4 scans are now carried out daily as part of our efforts to expand our capability to enable the mapping of exposed IoT devices on the Internet. A new report - Open MQTT - is now shared in our free daily victim remediation reports to 107 National CSIRTs and 4600+ network owners. In particular, the report identifies accessible MQTT broker services that enable anonymous access. The work is being carried out as part of the EU CEF VARIoT (Vulnerability and Attack Repository for IoT)
---------------------------------------------
https://www.shadowserver.org/news/open-mqtt-report-expanding-the-hunt-for-v…
∗∗∗ Has The Sun Set On The Necurs Botnet? ∗∗∗
---------------------------------------------
Private sector partners Microsoft and Bitsight announced their disruption of the Necurs botnet on March 10th 2020. Shadowserver supported the operation, through the use of our Registrar of Last Resort (RoLR) for helping to deal with the millions of potential DGA C2 domains involved, and by making available our victim remediation reporting channels. In this blog post we provide our take on some of the more interesting aspects of this operation, analyze the sinkholed Necurs victim populations and [...]
---------------------------------------------
https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/
∗∗∗ COVID-19 Themed Phishing Campaigns Continue ∗∗∗
---------------------------------------------
Another COVID-19 (Coronavirus) phishing campaign has been discovered -- this one apparently operated by the Pakistan-based APT36, which is thought to be nation-backed.
---------------------------------------------
https://www.securityweek.com/covid-19-themed-phishing-campaigns-continue
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (graphicsmagick, qemu, and slurm-llnl), Fedora (ansible, couchdb, mediawiki, and python3-typed_ast), Gentoo (atftp, curl, file, gdb, git, gst-plugins-base, icu, libarchive, libgcrypt, libjpeg-turbo, libssh, libvirt, musl, nfdump, ppp, python, ruby-openid, runc, sqlite, squid, sudo, SVG Salamander, systemd, thunderbird, tiff, and webkit-gtk), Mageia (firefox, kernel, and thunderbird), openSUSE (firefox, librsvg, php7, and tomcat), Red Hat (firefox), [...]
---------------------------------------------
https://lwn.net/Articles/815097/
∗∗∗ Security Bulletin: IBM MQ and IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2019-4719) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-ibm-mq-applian…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing error messages. (CVE-2019-4656) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: IBM Cloud Automation Manager Session Fixation Vulnerability (CVE-2019-4617) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-automation-mana…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Financial Transaction Manager for Corporate Payment Services v2.1.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM MQ could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. (CVE-2019-4619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-a-loca…
∗∗∗ Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Beanutils (CVE-2019-10086) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-wireline-is-vuln…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 12-03-2020 18:00 − Friday 13-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ CovidLock: Mobile Coronavirus Tracking App Coughs Up Ransomware ∗∗∗
---------------------------------------------
The security research team at DomainTools recently observed an uptick in suspicious Coronavirus and COVID-19 domains, leading them to discover CovidLock, a malicious Android App.
---------------------------------------------
https://www.domaintools.com/resources/blog/covidlock-mobile-coronavirus-tra…
∗∗∗ mTAN intercepted: Fraudsters emptied bank accounts in Austria ∗∗∗
---------------------------------------------
Using SIM swapping, criminals withdrew money from dozens of Austrians. They have now been arrested. (TAN, Malware)
---------------------------------------------
https://www.golem.de/news/mtan-abgefangen-betrueger-raeumten-konten-in-oest…
∗∗∗ Persistent Cross-Site Scripting, the MSSQL Way ∗∗∗
---------------------------------------------
If you save wide Unicode brackets (i.e. ＜＞) into a char or varchar field, MSSQL Server will convert them into HTML brackets (i.e. <>). So, ＜img src=x onerror=alert(pxss)＞ will be converted to <img src=x onerror=alert(pxss)>, compliments of the backend DB. This will likely help you sneak past server-side filters, WAFs, etc. and execute a persistent Cross-Site Scripting (PXSS) attack. As a bonus, .NET request validation will not detect it.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/persistent-…
∗∗∗ Tor team warns of Tor Browser bug that runs JavaScript on sites it shouldn't ∗∗∗
---------------------------------------------
Tor team says it's working on a fix, but has no timeline.
---------------------------------------------
https://www.zdnet.com/article/tor-team-warns-of-tor-browser-bug-that-runs-j…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (firefox, golang-golang-x-crypto, kernel, mbedtls, ppp, and python-django), Debian (slirp and yubikey-val), Fedora (firefox, java-1.8.0-openjdk-aarch32, mbedtls, monit, seamonkey, sympa, and zsh), Gentoo (chromium, e2fsprogs, firefox, groovy, postgresql, rabbitmq-c, ruby, and vim), Mageia (ppp), openSUSE (kernel), and SUSE (glibc, kernel, openstack-manila, php5, and squid).
---------------------------------------------
https://lwn.net/Articles/814817/
∗∗∗ Update - Critical vulnerability in Microsoft SMBv3 - patch and workarounds available ∗∗∗
---------------------------------------------
3 March 2020, updated 13 March 2020. Description: Outside its monthly patch cycle, Microsoft has published a security advisory with workarounds for a critical vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3). CVE numbers: CVE-2020-0796. CVSS Base Score: 10.0 (according to CERT/CC). Update, 13 March 2020: at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020… Microsoft also gives a CVSS Base Score
---------------------------------------------
https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft…
∗∗∗ Security Bulletin: PowerVC is impacted by information leakage from nova APIs during external exception (CVE-2019-14433) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-powervc-is-impacted-by-in…
∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-…
∗∗∗ Security Bulletin: Content Collector for Email is affected by a 3RD PARTY Path Traversal vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema…
∗∗∗ Security Bulletin: Content Collector for Email is affected by a cross-site scripting vulnerability in WebSphere Application Server Admin Console ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot for VMware (CVE-2019-2989) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: A vulnerability in Python affects IBM Operations Analytics Predictive Insights (CVE-2019-18348) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python…
∗∗∗ Security Bulletin: Content Collector for Email is affected by a File traversal vulnerability in WebSphere Application Server Admin Console ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema…
∗∗∗ Security Bulletin: Content Collector for Email is affected by a Information disclosure vulnerability in WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Financial Transaction Manager for ACH Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ VMSA-2020-0004 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0004.html
∗∗∗ Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0228
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-03-2020 18:00 − Thursday 12-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Prenotification Security Advisory for Adobe Acrobat and Reader ∗∗∗
---------------------------------------------
Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and macOS on Tuesday, March 17, 2020.
---------------------------------------------
https://helpx.adobe.com/security/products/acrobat/apsb20-13.html
∗∗∗ Live Coronavirus Map Used to Spread Malware ∗∗∗
---------------------------------------------
Cybercriminals constantly latch on to news items that captivate the public's attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software.
---------------------------------------------
https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-mal…
=====================
= Vulnerabilities =
=====================
∗∗∗ Attention: Security patch for critical SMBv3 flaw now available ∗∗∗
---------------------------------------------
Microsoft has now released a patch for the critical Windows vulnerability CVE-2020-0796. Admins should update their systems immediately if at all possible.
---------------------------------------------
https://heise.de/-4681993
∗∗∗ Flaws Riddle Zyxel’s Network Management Software ∗∗∗
---------------------------------------------
Over 16 security flaws, including multiple backdoors and hardcoded SSH server keys, plague the software.
---------------------------------------------
https://threatpost.com/flaws-zyxels-network-management-software/153554/
∗∗∗ Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites ∗∗∗
---------------------------------------------
On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded.
[...]
We highly recommend updating to the latest version, 3.64.1, immediately.
---------------------------------------------
https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-bui…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel), Debian (dojo, firefox-esr, sleuthkit, and wpa), Fedora (cacti, cacti-spine, and python-psutil), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (ardana-ansible, ardana-cinder, ardana-cobbler, ardana-db, ardana-horizon, ardana-input-model, ardana-monasca, ardana-mq, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, ...), Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/814652/
∗∗∗ ABB eSOMS ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-072-01
∗∗∗ ABB Asset Suite ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-072-02
∗∗∗ Rockwell Automation Allen-Bradley Stratix 5950 ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-072-03
∗∗∗ XSS vulnerability in the FortiManager via the buffer parameter ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-271
∗∗∗ Information disclosure through diagnose debug commands in FortiWeb ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-269
∗∗∗ XSS Vulnerability in Disclaimer Description of a Replacement Message in FortiWeb ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-20-001
∗∗∗ Unquoted Service Path exploit in FortiClient ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-281
∗∗∗ Authorizations Bypass in the FortiPresence portal parameters ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-258
∗∗∗ XSS vulnerability in the URL Description of URL filter ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-270
∗∗∗ XSS vulnerability in the Anomaly Detection Parameter Name ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-265
∗∗∗ FortiSIEM is vulnerable to a CSRF attack ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-240
∗∗∗ Security Advisory - Out of Bounds Read Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-…
∗∗∗ Security Advisory - Improper Integrity Checking Vulnerability on some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-…
∗∗∗ Security Bulletin: Vulnerability from Apache HttpClient affects IBM Cloud Pak System (CVE-2012-5783) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in HTTP/2 implementation used by Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: An information disclosure security vulnerability has been identified with the embedded Content Navigator component shipped with IBM Business Automation Workflow (CVE-2019-4679) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-information-disclosure…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-03-2020 18:00 − Wednesday 11-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ LVI Attacks: New Intel CPUs Vulnerability Puts Data Centers At Risk ∗∗∗
---------------------------------------------
Tracked as CVE-2020-0551, dubbed "Load Value Injection in the Line Fill Buffers" or LVI-LFB for short, the new speculative-execution attack could let a less privileged attacker steal sensitive information—encryption keys or passwords—from the protected memory and subsequently, take significant control over a targeted system.
---------------------------------------------
https://thehackernews.com/2020/03/intel-load-value-injection.html
∗∗∗ Forthcoming OpenSSL release ∗∗∗
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1e. This release will be made available on Tuesday 17th March 2020 between 1300-1700 UTC. This will contain one LOW severity fix for CVE-2019-1551.
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2020-March/000166.html
∗∗∗ A new and advanced Rowhammer-based attack on DDR4 memory ∗∗∗
---------------------------------------------
A new and advanced Rowhammer-based attack on DDR4 memory was announced on March 10, 2020 (CVE-2020-10255). The attack has been shown to cause memory corruption in lab environments.
---------------------------------------------
https://www.ibm.com/blogs/psirt/a-new-and-advanced-rowhammer-based-attack-o…
∗∗∗ Do not click on links and attachments in e-mails! ∗∗∗
---------------------------------------------
"Your PayPal account has been restricted! … Open the attached file to lift your restriction!" This message is currently landing in numerous e-mail inboxes. The attached file contains malware, and the links lead to phishing pages designed to harvest login credentials. The only protection is to click on nothing and instead find out by other means whether the e-mail can be genuine.
---------------------------------------------
https://www.watchlist-internet.at/news/klicken-sie-keine-links-und-anhaenge…
∗∗∗ Microsoft orchestrates coordinated takedown of Necurs botnet ∗∗∗
---------------------------------------------
Microsoft and partners in 35 countries move to bring down Necurs, today's largest malware botnet.
---------------------------------------------
https://www.zdnet.com/article/microsoft-orchestrates-coordinated-takedown-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerability in Microsoft SMBv3 - workarounds available ∗∗∗
---------------------------------------------
Outside its monthly patch cycle, Microsoft has published a security advisory with workarounds for a critical vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3). ... The flaw can be exploited over the network and allows the execution of arbitrary commands with SYSTEM privileges.
---------------------------------------------
https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft…
∗∗∗ IPAS: Security Advisories for March 2020 ∗∗∗
---------------------------------------------
Hi everyone, It’s the second Tuesday in March 2020 and today we released 9 security advisories. For full details on these advisories, please visit the Intel Security Center.
---------------------------------------------
https://blogs.intel.com/technology/2020/03/ipas-security-advisories-for-mar…
∗∗∗ SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006 ∗∗∗
---------------------------------------------
This module enables you to authenticate Drupal users using an external SAML Identity Provider. If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML.
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-006
∗∗∗ Microsoft Patch Tuesday — March 2020: Vulnerability disclosures and Snort coverage ∗∗∗
---------------------------------------------
Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 117 vulnerabilities, 25 of which are considered critical. There is also one moderate vulnerability and 91 that are considered important.
---------------------------------------------
https://blog.talosintelligence.com/2020/03/microsoft-patch-tuesday-march-20…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (qemu-kvm and sudo), Debian (chromium), Mageia (gpac, libseccomp, and tomcat), openSUSE (gd and postgresql10), Oracle (qemu-kvm), Red Hat (chromium-browser), Scientific Linux (qemu-kvm), Slackware (firefox), and SUSE (ipmitool, java-1_7_0-openjdk, librsvg, and tomcat).
---------------------------------------------
https://lwn.net/Articles/814574/
∗∗∗ Synology-SA-20:03 Kr00k ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Synology Router Manager (SRM) that is equipped with Broadcom BCM43460.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_03
∗∗∗ MISP 2.4.123 released (aka the dashboard and security fix release) ∗∗∗
---------------------------------------------
A new version of MISP (2.4.123) has been released. This version includes various security-related fixes and a new Dashboard system.
---------------------------------------------
https://www.misp-project.org/2020/03/10/MISP.2.4.123.released.html
∗∗∗ Credential Disclosure in WatchGuard Fireware AD Helper Component ∗∗∗
---------------------------------------------
RedTeam Pentesting discovered a credential-disclosure vulnerability in the AD Helper component of the WatchGuard Fireware Threat Detection and Response (TDR) service, which allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-001/
∗∗∗ Johnson Controls Kantech EntraPass ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-070-04
∗∗∗ Johnson Controls Metasys ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-070-05
∗∗∗ Rockwell Automation MicroLogix Controllers and RSLogix 500 Software ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-070-06
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-202003116…
∗∗∗ Security Bulletin: IBM InfoSphere Governance Catalog is affected by a cross-site scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-governance…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (August 2019 CPU) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Linux kernel vulnerability CVE-2019-19072 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K42438635
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-03-2020 18:00 − Monday 09-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Data-Stealing FormBook Malware Preys on Coronavirus Fears ∗∗∗
---------------------------------------------
Another email campaign pretending to be Coronavirus (COVID-19) information from the World Health Organization (WHO) is distributing a malware downloader that installs the FormBook information-stealing Trojan.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/data-stealing-formbook-malwa…
∗∗∗ New CPU vulnerability in AMD processors not new at all, according to AMD ∗∗∗
---------------------------------------------
According to their own statements, security researchers have found new vulnerabilities in AMD's processors; among others, Ryzen and Epyc are said to be affected.
---------------------------------------------
https://heise.de/-4678823
∗∗∗ Debt collection letters for 516.24 euros do not have to be paid ∗∗∗
---------------------------------------------
Currently, an increasing number of reminders and payment demands from alleged debt collection agencies for subscriptions to streaming services are being sent out. The good news: do not pay! The bad news: it will not have been the last payment demand.
---------------------------------------------
https://www.watchlist-internet.at/news/inkassoschreiben-ueber-51624-euro-mu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Authenticator: 2FA codes can easily be captured ∗∗∗
---------------------------------------------
Google Authenticator, Microsoft Authenticator and a number of other two-factor authentication apps have no protection against screenshots in place. A piece of malware is reportedly already exploiting this.
---------------------------------------------
https://www.golem.de/news/google-authenticator-2fa-codes-lassen-sich-einfac…
∗∗∗ Talos Vulnerability Spotlight: WAGO products contain remote code execution, other vulnerabilities ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several vulnerabilities in multiple products from the company WAGO. WAGO produces a line of automation software called “e!COCKPIT,” an integrated development environment that aims to speed up automation tasks and machine and system startup.
---------------------------------------------
https://blog.talosintelligence.com/2020/03/wago-vulnerability-spotlight-mar…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (seamonkey), Mageia (apache-mod_auth_openidc, binutils, chromium-browser-stable, dojo, firejail, gcc, glib2.0, glibc, http-parser, ilmbase, libarchive, libgd, libsolv, mbedtls, pcre, pdfresurrect, php, proftpd, pure-ftpd, python-bleach, ruby-rake, transfig, weechat, and xen), openSUSE (chromium, ovmf, python-bleach, and yast2-rmt), Oracle (curl, http-parser, kernel, sudo, and xerces-c), Red Hat (chromium-browser and kernel-alt) [...]
---------------------------------------------
https://lwn.net/Articles/814371/
∗∗∗ Security Bulletin: Stack is displayed in WebSphere Application Server (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stack-is-displayed-in-web…
∗∗∗ Security Bulletin: Vulnerability in Node.js affects IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-…
∗∗∗ Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerability in Apache Commons Beanutils in WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-atlas-ediscovery-process-…
∗∗∗ Security Bulletin: Cookie created without secure flag WAS Liberty (CVE-2019-4305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cookie-created-without-se…
∗∗∗ Security Bulletin: 3RD PARTY Stored Cross-Site Scripting in Tivoli Application Dependency Discovery Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-3rd-party-stored-cross-si…
∗∗∗ Security Bulletin: Bypass security restrictions in WAS Liberty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-bypass-security-restricti…
∗∗∗ Security Bulletin: [All] Python (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-all-python-publicly-discl…
∗∗∗ Security Bulletin: Apache CXF (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-publicly-discl…
∗∗∗ Security Bulletin: Python vulnerability in IBM Tivoli Application Dependency Discovery Manager (CVE-2019-16935) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-python-vulnerability-in-i…
∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.4 ESR) have affected Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF10 + ICAM 3.0 – 4.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an attacker can cause a denial of service (CVE-2020-4217) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-…
∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2019-14907) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-…
∗∗∗ Apache Tomcat vulnerability CVE-2020-1935 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K43709560
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-03-2020 18:00 − Friday 06-03-2020 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ PwndLocker Ransomware Gets Pwned: Decryption Now Available ∗∗∗
---------------------------------------------
Emsisoft has discovered a way to decrypt files encrypted by the new PwndLocker Ransomware so that victims can recover their files without paying a ransom.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-p…
∗∗∗ Emotet Actively Using Upgraded WiFi Spreader to Infect Victims ∗∗∗
---------------------------------------------
Emotet's authors have upgraded the malware's Wi-Fi spreader by making it a fully-fledged module and adding new functionality, as shown by multiple samples that were recently delivered to infected devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-actively-using-upgrad…
∗∗∗ Security: The Intel ME chaos is coming ∗∗∗
---------------------------------------------
It is only a matter of time until chaos, the ME hackers write. Intel is trying to keep this quiet and might just as well drop the security theatre altogether.
---------------------------------------------
https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099-rss…
∗∗∗ Let's Encrypt: OK, maybe nuking three million HTTPS certs at once was a tad ambitious. Let's take time out ∗∗∗
---------------------------------------------
Let's Encrypt has halted its plans to cancel all three million flawed web security certificates – after fearing the super-revocation may effectively break a chunk of the internet for netizens.
---------------------------------------------
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/05/lets_enc…
∗∗∗ NCSC Releases Advisory on Securing Internet-Connected Cameras ∗∗∗
---------------------------------------------
The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an advisory on securing internet-connected cameras such as smart security cameras and baby monitors. An attacker could gain access to unsecured, or poorly secured, internet-connected cameras to obtain live feeds or images. The following steps can help consumers secure their devices.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/03/05/ncsc-releases-advi…
∗∗∗ A Safe Excel Sheet Not So Safe ∗∗∗
---------------------------------------------
I discovered a nice sample yesterday. This excel sheet was found in a mail flagged as “suspicious” by a security appliance. The recipient asked to release the mail from the quarantine because “it was sent from a known contact”. Before releasing such a mail from the quarantine, the process in place is to have a quick look at the file to ensure that it is safe to be released.
---------------------------------------------
https://isc.sans.edu/forums/diary/A+Safe+Excel+Sheet+Not+So+Safe/25868/
=====================
= Vulnerabilities =
=====================
∗∗∗ WAGO I/O-CHECK ∗∗∗
---------------------------------------------
This advisory contains mitigations for information exposure through sent data, buffer access with incorrect length value, missing authentication for critical function, and classic buffer overflow vulnerabilities in the WAGO I/O CHECK software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-065-01
∗∗∗ Critical Zoho Zero-Day Flaw Disclosed ∗∗∗
---------------------------------------------
A Zoho zero day vulnerability and proof of concept (PoC) exploit code was disclosed on Twitter.
---------------------------------------------
https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, opensc, opensmtpd, and weechat), Debian (jackson-databind and pdfresurrect), Fedora (sudo), openSUSE (openfortivpn and squid), Red Hat (virt:8.1 and virt-devel:8.1), Scientific Linux (http-parser and xerces-c), and SUSE (gd, kernel, postgresql10, and tomcat).
---------------------------------------------
https://lwn.net/Articles/814035/
∗∗∗ Synology-SA-20:02 ppp ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_20_02
∗∗∗ Security Bulletin: Rational Integration Tester HTTP/TCP Proxy component in Rational Test Virtualization Server and Rational Test Workbench affected by Netty vulnerabilities (CVE-2020-7238, CVE-2019-16869, CVE-2019-20445, CVE-2019-20444) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-integration-test…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU minus CVE-2019-2949 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: Vulnerability in Curl used in OS image for RedHat Enterprise Linux for Cloud Pak System (CVE-2018-16842) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-curl-use…
∗∗∗ Multiple Vulnerabilities Patched in RegistrationMagic Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2020/03/multiple-vulnerabilities-patched-in-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-03-2020 18:00 − Thursday 05-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ On our own behalf: CERT.at is looking for reinforcement (software developer for open-source project, part-/full-time) ∗∗∗
---------------------------------------------
For our internationally renowned open-source project IntelMQ we are looking for a software developer (part- or full-time, 25-38.5 hours) to start as soon as possible. The place of work is Vienna. As always, details can be found on our jobs page.
---------------------------------------------
https://cert.at/de/blog/2020/3/in-eigener-sache-certat-sucht-verstarkung-so…
∗∗∗ Jackpotting malware ∗∗∗
---------------------------------------------
Jackpotting malware is not well known because it exclusively targets automated teller machines (ATMs). ... In this article, we will examine two of the most widely known types of jackpotting malware, Ploutus and Cutlet Maker. We will also look at the operation of jackpotting malware and provide recommendations on how banks can protect against it.
---------------------------------------------
https://resources.infosecinstitute.com/jackpotting-malware/
∗∗∗ Mokes and Buerak distributed under the guise of security certificates ∗∗∗
---------------------------------------------
We recently discovered a new approach to the well-known distributing malware technique: visitors to infected sites were informed that some kind of security certificate had expired.
---------------------------------------------
https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-secu…
∗∗∗ Guildma – innovative banking trojan from Latin America ∗∗∗
---------------------------------------------
A banking trojan that is widespread in Brazil is up to mischief. We analysed the Guildma malware and came across some interesting facts in the process.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/03/05/guildma-bankentrojaner-la…
∗∗∗ Malicious Chrome extension caught stealing Ledger wallet recovery seeds ∗∗∗
---------------------------------------------
A Chrome extension named Ledger Live was exposed today as malicious. It is currently heavily promoted via Google search ads.
---------------------------------------------
https://www.zdnet.com/article/malicious-chrome-extension-caught-stealing-le…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#782301: pppd vulnerable to buffer overflow due to a flaw in EAP packet processing ∗∗∗
---------------------------------------------
Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system.
---------------------------------------------
https://kb.cert.org/vuls/id/782301
∗∗∗ SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005 ∗∗∗
---------------------------------------------
Project: SVG Formatter
Security risk: Critical
This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab. This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files.
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-005
∗∗∗ Cisco Email Security Appliance Uncontrolled Resource Exhaustion Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the malware detection functionality in Cisco Advanced Malware Protection (AMP) in Cisco AsyncOS Software for Cisco Email Security Appliances (ESAs) could allow an unauthenticated remote attacker to exhaust resources on an affected device. The vulnerability is due to insufficient control over system memory allocation. An attacker could exploit this vulnerability by sending a crafted email through the targeted device.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security vulnerabilities: Attackers could take over Netgear Wi-Fi routers ∗∗∗
---------------------------------------------
Anyone who owns a Netgear Wi-Fi router should update the device promptly. One vulnerability is considered critical.
---------------------------------------------
https://heise.de/-4676824
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (http-parser and xerces-c), Debian (tomcat7), Fedora (opensmtpd), openSUSE (openfortivpn and permissions), Red Hat (http-parser, openstack-octavia, python-waitress, and sudo), Slackware (ppp), and SUSE (kernel).
---------------------------------------------
https://lwn.net/Articles/813888/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: API Connect is impacted by multiple vulnerabilities in Oracle MySQL. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-impacted-b…
∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server affects IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: WAS Liberty vulnerabilities affect IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-was-liberty-vunerabilitie…
∗∗∗ Security Bulletin: API Connect's Developer Portal is impacted by vulnerabilities in PHP ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connects-developer-po…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-03-2020 18:00 − Wednesday 04-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Warning: Let's Encrypt will invalidate 3 million certificates on Wednesday night ∗∗∗
---------------------------------------------
Web admins take note: anyone who does not renew their affected Let's Encrypt certificates now could have worried users at their door on Thursday morning.
---------------------------------------------
https://heise.de/-4676017
∗∗∗ Ransomware Attackers Use Your Cloud Backups Against You ∗∗∗
---------------------------------------------
Backups are one of the most, if not the most, important defense against ransomware, but if they are not configured properly, attackers will use them against you.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-you…
∗∗∗ ACSC Releases Securing Content Management Systems Guide ∗∗∗
---------------------------------------------
The Australian Cyber Security Centre (ACSC) has released a cybersecurity guide outlining strategies for identifying and minimizing risks to web servers from installed content management systems (CMS).
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/03/04/acsc-releases-secu…
∗∗∗ A Zero-Day Homograph Domain Name Attack ∗∗∗
---------------------------------------------
What started as almost casual research in November 2019, and was disclosed to various vendors as a vulnerability in November and December 2019 and January 2020, was abruptly reclassified and treated as a zero-day vulnerability on February 13, 2020.
---------------------------------------------
https://www.securityweek.com/zero-day-homograph-domain-name-attack
∗∗∗ Academics find 30 file upload vulnerabilities in 23 web apps, CMSes, and forums ∗∗∗
---------------------------------------------
Impacted projects include WordPress, Concrete5, Composr, SilverStripe, ZenCart, and others.
---------------------------------------------
https://www.zdnet.com/article/academics-find-30-file-upload-vulnerabilities…
∗∗∗ Voice assistants can be hacked with ultrasonic waves ∗∗∗
---------------------------------------------
With access to text messages and the ability to make fraudulent phone calls, attackers could wreak more damage than you'd think.
---------------------------------------------
https://www.welivesecurity.com/2020/03/04/voice-assistants-hacked-ultrasoni…
=====================
= Vulnerabilities =
=====================
∗∗∗ Emerson ValveLink ∗∗∗
---------------------------------------------
This advisory contains mitigations for an improper access control vulnerability in Emerson's ValveLink digital valve controllers.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-063-01
∗∗∗ PHOENIX CONTACT Emalytics Controller ILC ∗∗∗
---------------------------------------------
This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in Phoenix Contact's Emalytics Controller modular inline devices.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-063-02
∗∗∗ Omron PLC CJ Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an uncontrolled resource consumption vulnerability in Omron's PLC CJ Series programmable logic controllers.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-063-03
∗∗∗ Moxa AWK-3131A Series Industrial AP/Bridge/Client ∗∗∗
---------------------------------------------
This advisory contains mitigations for several vulnerabilities in Moxa's AWK-3131A wireless networking appliance.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-063-04
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libzypp), Fedora (opensmtpd and thunderbird), openSUSE (nodejs8), Red Hat (http-parser, kpatch-patch, and xerces-c), SUSE (cloud-init, compat-openssl098, kernel, postgresql96, python, and yast2-rmt), and Ubuntu (python-django and rake).
---------------------------------------------
https://lwn.net/Articles/813797/
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/publicationListing.x
∗∗∗ Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-liberty-suscept…
∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by a vulnerability in libssh2 (CVE-2016-0787) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (February 2020v3) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Commons Beanutils library affects IBM Cúram Social Program Management (CVE-2019-10086) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c…
∗∗∗ Security Bulletin: A security vulnerability has been addressed in IBM Security Privileged Identity Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSSL (CVE-2012-4929) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management…
∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by a vulnerability with the IPv6 networking support (CVE-2015-2922) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management…
∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a security vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU minus CVE-2019-2949 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ HPESBHF03987 rev.1 - HPE OneView Global Dashboard (OVGD), Remote Information Disclosure ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Red Hat OpenShift Container Platform: Multiple vulnerabilities allow privilege escalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0189
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-03-2020 18:00 − Tuesday 03-03-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New PwndLocker Ransomware Targeting U.S. Cities, Enterprises ∗∗∗
---------------------------------------------
Driven by the temptation of big ransom payments, a new ransomware called PwndLocker has started targeting the networks of businesses and local governments with ransom demands over $650,000.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-ta…
∗∗∗ TLS: Let's Encrypt has to revoke three million certificates ∗∗∗
---------------------------------------------
A bug at Let's Encrypt meant that the check of CAA DNS records was not carried out correctly. The certificate authority is now revoking the affected certificates at short notice, which is likely to cause some problems.
---------------------------------------------
https://www.golem.de/news/tls-let-s-encrypt-muss-drei-millionen-zertifikate…
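For readers of this entry and of the "Let's Encrypt will invalidate 3 million certificates" item above who want to see what a CAA check actually decides, here is an added example of the RFC 8659 issuance rules evaluated against a small in-memory zone. It is not code from Let's Encrypt, Boulder or CERT.at; the ZONE table, the names in it and the CA identifiers are constructed for illustration, and the example does not follow CNAME/DNAME chains or validate DNSSEC. The last function makes the point the incident turns on: every name in a certificate request has to pass the check on its own.

```python
"""CAA issuance check (RFC 8659) against a constructed, in-memory zone.

Added example for this digest entry; it is not code from Let's Encrypt
or from CERT.at. ZONE below is made up for illustration. Simplifications:
no CNAME/DNAME following and no DNSSEC validation.
"""
from __future__ import annotations

CRITICAL = 128                      # CAA "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone: owner name -> CAA RRset as (flags, tag, value) tuples.
# A missing key means "no CAA RRset at this name".
ZONE: dict[str, list[tuple[int, str, str]]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                       # ";" = nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.org": [(0, "issue", ";")],       # no CA may issue at all
    "example.net": [(0, "issue", "otherca.example")],
    "strict.example": [(CRITICAL, "futuretag", "x")],  # unknown tag, critical flag set
}


def relevant_caa(name: str) -> list[tuple[int, str, str]] | None:
    """Walk from `name` towards the root and return the first CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset is not None:
            return rrset
    return None


def issuer_of(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' -> '' (explicit deny)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str) -> bool:
    """True if CA `ca` may issue for `name` (which may start with '*.')."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    if rrset is None:
        return True                  # no CAA anywhere up the tree: unrestricted
    # An unrecognised property with the critical bit set forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcard names use issuewild; if none is present they fall back to issue.
    tags = [r for r in rrset if r[1] == "issuewild"] if wildcard else []
    if not tags:
        tags = [r for r in rrset if r[1] == "issue"]
    if not tags:
        return True                  # only iodef or similar present: not restrictive
    return any(issuer_of(value) == ca.lower() for _, _, value in tags)


def check_all(names: list[str], ca: str) -> dict[str, bool]:
    """Every name in a certificate request must pass on its own."""
    return {n: may_issue(n, ca) for n in names}


if __name__ == "__main__":
    req = ["www.example.com", "*.example.com", "locked.example.org"]
    for n, ok in check_all(req, "letsencrypt.org").items():
        print(f"{n:22} {'allowed' if ok else 'DENIED'}")
```

Run it as a script to see a mixed request: the first name is allowed, the wildcard is denied by the empty issuewild, and the locked name is denied outright. A CA that evaluates only one of these names and reuses the answer for the rest would issue where the zone owner said no.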
∗∗∗ TrickBot Adds ActiveX Control, Hides Dropper in Images ∗∗∗
---------------------------------------------
The tricky trojan has evolved again, to stay a step ahead of defenders.
---------------------------------------------
https://threatpost.com/trickbot-activex-control-dropper/153370/
∗∗∗ 7 Tips for Protecting Your Website ∗∗∗
---------------------------------------------
For many people, website security is an intimidating topic. It seems like there’s an endless list of things necessary for protecting your website. And while resources like our Website Security Guide cut through much of the clutter of the threat landscape, some folks might need it simplified even further. Okay, we hear ya.
---------------------------------------------
https://blog.sucuri.net/2020/03/7-tips-for-protecting-your-website.html
∗∗∗ The Jan/Feb 2020 issue of our SWITCH Security Report is available! ∗∗∗
---------------------------------------------
Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: When backdoors become trapdoors: ‘Crypto Leaks’ hits Switzerland, Crypto Valley – and the entire ecosystem I, Robot, ZigBee and IoT [...]
---------------------------------------------
https://securityblog.switch.ch/2020/03/03/the-jan-feb-2020-issue-of-our-swi…
∗∗∗ Leverage ATT&CK for ICS to Secure Industrial Control Systems ∗∗∗
---------------------------------------------
[...] In security operations centers (SOCs), we have already realized the value that MITRE ATT&CK provides through its encyclopedia of mapped tactics, techniques and procedures (TTPs) based on real-world observations of adversaries. The knowledge base enables security teams to link adversarial TTPs when conducting a gap analysis and threat modeling.
---------------------------------------------
https://securityintelligence.com/posts/leverage-attck-for-ics-to-secure-ind…
∗∗∗ Patch now: critical "Ghostcat" vulnerability in Apache Tomcat versions since 6.0 ∗∗∗
---------------------------------------------
Several proofs of concept are available for a vulnerability that lay hidden in Apache Tomcat for 13 years. Fixed versions close it.
---------------------------------------------
https://heise.de/-4673983
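Ghostcat lies in Tomcat's AJP connector, which older Tomcat releases ship enabled on port 8009 in the default server.xml; besides upgrading, the usual advice is to disable the connector if nothing uses it, or to bind it to a trusted interface and set a shared secret. The following added example (not code from the Apache Tomcat project or from CERT.at) audits a server.xml for active AJP connectors and flags those that are exposed or secret-less. The three server.xml samples are constructed; the attribute names are Tomcat's Connector attributes.

```python
"""Audit Tomcat server.xml for AJP connectors that are enabled and reachable.

Added example; not code from the Apache Tomcat project or from CERT.at.
The server.xml snippets below are constructed. Attribute names follow
Tomcat's Connector configuration (protocol, address, secret).
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_findings(server_xml: str) -> list[dict]:
    """One finding per *active* AJP connector. Commented-out connectors are
    ignored because the XML parser drops comments."""
    root = ET.fromstring(server_xml.strip())
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")   # Tomcat's default is HTTP
        if not protocol.upper().startswith("AJP"):
            continue
        address = conn.get("address")                 # None = bind to all interfaces
        has_secret = bool(conn.get("secret"))
        exposed = address not in LOOPBACK
        findings.append({
            "port": conn.get("port"),
            "address": address or "*",
            "exposed": exposed,
            "has_secret": has_secret,
            # Unused AJP: disable it. Used AJP: loopback/trusted bind AND a secret.
            "action": "disable or harden" if exposed or not has_secret else "ok",
        })
    return findings


# Constructed samples ----------------------------------------------------------
SHIPPED_DEFAULT = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

AJP_DISABLED = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

AJP_HARDENED = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="change-me-to-a-long-random-value" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml in [("shipped default", SHIPPED_DEFAULT),
                       ("AJP commented out", AJP_DISABLED),
                       ("AJP on loopback with secret", AJP_HARDENED)]:
        print(label, "->", ajp_findings(xml) or "no active AJP connector")
```

Point it at a real `conf/server.xml` by reading the file into `ajp_findings`; an unbound AJP connector on a host that is reachable from untrusted networks is the case to fix first, whatever the Tomcat version.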
∗∗∗ The Case for Limiting Your Browser Extensions ∗∗∗
---------------------------------------------
Last week, KrebsOnSecurity reported to health insurance provider Blue Shield of California that its Web site was flagged by multiple security products as serving malicious content. Blue Shield quickly removed the unauthorized code. An investigation determined it was injected by a browser extension installed on the computer of a Blue Shield employee who'd edited the Web site in the past month.
---------------------------------------------
https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-exte…
∗∗∗ Google Launches Free Fuzzer Benchmarking Service ∗∗∗
---------------------------------------------
Google this week announced the launch of FuzzBench, a free and open source service for evaluating fuzzers. The fully automated service was designed to allow for an easy but rigorous evaluation of fuzzing research, in an attempt to boost the adoption of fuzzing research – an important bug finding technique.
---------------------------------------------
https://www.securityweek.com/google-launches-free-fuzzer-benchmarking-servi…
∗∗∗ Coronavirus: Fake shops sell respiratory masks ∗∗∗
---------------------------------------------
Out of fear of the coronavirus, respiratory masks are currently being bought in greater numbers. Organisations are also facing shortages and are therefore looking for B2B online retailers. Criminals are exploiting the public's fear and the rising demand and are offering various medical products in fake shops. So far the fake shops globalmasksuppliers.com, medicalsmilesgmbh.com and pharmacyfirstgmbh.com are known to us.
---------------------------------------------
https://www.watchlist-internet.at/news/corona-virus-fake-shops-verkaufen-at…
∗∗∗ Malware-free attacks now most popular tactic amongst cybercriminals ∗∗∗
---------------------------------------------
Malware-free or fileless techniques accounted for 51% of attacks last year, compared to 40% the year before, as hackers turn to stolen credentials to breach corporate networks, reveals CrowdStrike's latest threat report.
---------------------------------------------
https://www.zdnet.com/article/malware-free-attacks-now-most-popular-tactic-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google March patch: Android security vulnerability has been exploited for a year ∗∗∗
---------------------------------------------
For almost a year, root privileges have been easy to obtain on many mid-range Android smartphones. Malicious apps are already exploiting this, yet hardly any manufacturers are shipping a patch. Now Google wants to distribute it itself.
---------------------------------------------
https://www.golem.de/news/google-maerz-patch-android-sicherheitsluecke-wird…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and webkit2gtk), Debian (collabtive, dojo, firebird2.5, gst-plugins-base0.10, libapache2-mod-auth-openidc, openjdk-7, php5, python-bleach, and rrdtool), Fedora (kernel, kernel-headers, kernel-tools, mingw-openjpeg2, and openjpeg2), Mageia (hiredis, kernel, rsync, wireshark, and zsh), openSUSE (cacti, cacti-spine, libexif, proftpd, python-azure-agent, python3, and webkit2gtk3), Oracle (ppp), SUSE (permissions), and Ubuntu (libarchive).
---------------------------------------------
https://lwn.net/Articles/813684/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-4.9, proftpd-dfsg, rrdtool, and zsh), Fedora (kernel), openSUSE (cacti, cacti-spine, mariadb, and ppp), Red Hat (kernel, qemu-kvm, qemu-kvm-ma, and ruby), Slackware (seamonkey), SUSE (kernel, libpng16, ovmf, python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, and python36), and Ubuntu [...]
---------------------------------------------
https://lwn.net/Articles/813757/
∗∗∗ Security advisory 2020-03-03 ∗∗∗
---------------------------------------------
Insufficient data validation in yubikey-val
---------------------------------------------
https://www.yubico.com/support/security-advisories/ysa-2020-01/
∗∗∗ Security Bulletin: The Relationship admin page in Tivoli Netcool/OMNIbus WebGUI is vulnerable to Cross Site Scripting attack (CVE-2020-4198) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-relationship-admin-pa…
∗∗∗ Security Bulletin: Cacheable HTTPS Responses have been identified on multiple Tivoli Netcool/OMNIbus WebGUI admin pages (CVE-2020-4197) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cacheable-https-responses…
∗∗∗ Security Bulletin: Cross-Site Scripting (XSS) vulnerability has been identified on Tool Prompt Configuration page of Tivoli Netcool/OMNIbus WebGUI (CVE-2020-4196) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-xss-…
∗∗∗ Security Bulletin: IBM MobileFirst Platform Foundation susceptible to privilege escalation on Android ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mobilefirst-platform-…
∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-02-2020 18:00 − Monday 02-03-2020 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New Evasion Encyclopedia Shows How Malware Detects Virtual Machines ∗∗∗
---------------------------------------------
A new Malware Evasion Encyclopedia has been launched that offers insight into the various methods malware uses to detect if it is running under a virtual environment.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-evasion-encyclopedia-sho…
∗∗∗ Secure vs. cleartext protocols - couple of interesting stats, (Mon, Mar 2nd) ∗∗∗
---------------------------------------------
For a very long time, there has been a strong effort aimed toward moving all potentially sensitive network-based communications from unencrypted protocols to secure and encrypted ones. And with the recently released APWG report noting that 74% of phishing sites used HTTPS in the last quarter of 2019[1] and Apple's supposed plan to start supporting only TLS certificates with no more than one year period of validity [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/25854
∗∗∗ What Emotet does – and what lessons the victims draw from it ∗∗∗
---------------------------------------------
In Neustadt in Lower Saxony, the Emotet trojan struck with full force. Now the city administration speaks openly about the disaster – so that others can learn from it.
---------------------------------------------
https://heise.de/-4665958
∗∗∗ Large-scale phishing attack on Western Europe ∗∗∗
---------------------------------------------
Beginning in November 2019, 360 Security Center detected multiple large-scale cyber attack incidents carrying AgentTesla stealing Trojans. This cyber attack mainly targeted countries in Western Europe [...]
---------------------------------------------
https://blog.360totalsecurity.com/en/large-scale-phishing-attack-on-western…
=====================
= Vulnerabilities =
=====================
∗∗∗ NVIDIA closes vulnerabilities in GPU driver and vGPU software ∗∗∗
---------------------------------------------
A total of five vulnerabilities in NVIDIA's GPU display driver for Windows and in the vGPU software pose a partly high security risk. Updates are available.
---------------------------------------------
https://heise.de/-4672318
∗∗∗ Security Bulletin: Multiple vulnerabilities in Mozilla Firefox (earlier than Firefox 68.3 ESR) affect Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF10 + ICAM 3.0 – 4.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Aspera Shares Web Application is affected by NGINX Vulnerabilities (CVE-2019-13067) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-shares-web-app…
∗∗∗ Security Bulletin: IBM Security Information Queue has overly permissive CORS policy (CVE-2020-4292) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-…
∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by the following OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p…
∗∗∗ Security Bulletin: Addressing the Sqlite Vulnerability CVE-2019-16168, CVE-2019-19242 and CVE-2019-19244 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vul…
∗∗∗ Security Bulletin: Aspera Web Shares application is affected by NGINX Vulnerabilities (CVE-2019-12208, CVE-2019-12207) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-shares-applica…
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a denial of service shipped with Jazz for Service Management (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser…
∗∗∗ Security Bulletin: A vulnerability in Python affects IBM Operations Analytics Predictive Insights (CVE-2019-10160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python…
∗∗∗ Security Bulletin: A vulnerability in Python affects IBM Operations Analytics Predictive Insights (CVE-2018-14647) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python…
∗∗∗ Security Bulletin: Vulnerabilities in Python affect IBM Operations Analytics Predictive Insights (CVE-2019-9948, CVE-2019-9947) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-python…
∗∗∗ Security Bulletin: A security vulnerability has been identified in SQLite shipped with PowerAI. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability has been identified in TensorFlow shipped with PowerAI. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…