Daily

daily@lists.cert.at

1 participants
3086 discussions

Tageszusammenfassung - 11.08.2020
by Daily end-of-shift report 11 Aug '20

11 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Montag 10-08-2020 18:00 − Dienstag 11-08-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Upgraded Agent Tesla malware steals passwords from browsers, VPNs ∗∗∗ --------------------------------------------- New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients. --------------------------------------------- https://www.bleepingcomputer.com/news/security/upgraded-agent-tesla-malware… ∗∗∗ SBA phishing scams: from malware to advanced social engineering ∗∗∗ --------------------------------------------- SBA loan scams continue to make the rounds targeting small business owners, CEOS, and CFOs. --------------------------------------------- https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware… ∗∗∗ Script-Based Malware: A New Attacker Trend on Internet Explorer ∗∗∗ --------------------------------------------- Script-based malware can be appealing for attackers who want the ability to quickly and easily develop new variants to evade detection. --------------------------------------------- https://unit42.paloaltonetworks.com/script-based-malware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Acrobat and Reader (APSB20-48) and Adobe Lightroom (APSB20-51). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1908 ∗∗∗ vBulletin fixes ridiculously easy to exploit zero-day RCE bug ∗∗∗ --------------------------------------------- A simple one-line exploit has been published for a zero-day pre-authentication remote code execution (RCE) vulnerability in the vBulletin forum software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vbulletin-fixes-ridiculously… ∗∗∗ Kritische Updates für Citrix Endpoint Management ∗∗∗ --------------------------------------------- Insgesamt 5 Lücken schließt Citrix; wer eine eigene Installation betreibt, sollte schnell patchen. --------------------------------------------- https://heise.de/-4867952 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pillow, ruby-kramdown, wpa, and xrdp), Fedora (ark and rpki-client), Gentoo (apache, ark, global, gthumb, and iproute2), openSUSE (chromium, grub2, java-11-openjdk, libX11, and opera), Red Hat (bind, chromium-browser, java-1.7.1-ibm, java-1.8.0-ibm, and libvncserver), SUSE (LibVNCServer, perl-XML-Twig, thunderbird, and xen), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/828476/ ∗∗∗ iCloud for Windows 11.3 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211294 ∗∗∗ iCloud for Windows 7.20 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211295 ∗∗∗ SSA-809841: Buffer Overflow Vulnerability in Third-Party Component pppd ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-809841.txt ∗∗∗ SSA-786743: Code Injection Vulnerability in Advanced Reporting for Desigo CC and ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-786743.txt ∗∗∗ SSA-712518: Information Disclosure Vulnerability (Kr00k) in Industrial Wi-Fi ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-712518.txt ∗∗∗ SSA-388646: Local Privilege Escalation in Automation License Manager ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-388646.txt ∗∗∗ SSA-370042: Cross-Site-Scripting (XSS) in SICAM A8000 RTUs ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-370042.txt ∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Java vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams affected by multiple vulnerabilities in OpenSSL package ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-affecte… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Bind affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM Event Streams is affected by multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: JQuery as used by IBM QRadar Network Packet Capture is vulnerable to Cross Site Scripting (XSS) (CVE-2020-11023, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jquery-as-used-by-ibm-qra… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM Event Streams is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: IBM Event Streams is affected by a Java vulnerability (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affe… ∗∗∗ Security Bulletin: Information disclosure in WebSphere Liberty (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Libreswan affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ SAP Patchday August 2020 ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0800 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2020
by Daily end-of-shift report 10 Aug '20

10 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-08-2020 18:00 − Montag 10-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ DDoS attacks in Q2 2020 ∗∗∗ --------------------------------------------- The second quarter is normally calmer than the first, but this year is an exception. The long-term downward trend in DDoS-attacks has unfortunately been interrupted, and this time we are witnessing an increase. --------------------------------------------- https://securelist.com/ddos-attacks-in-q2-2020/98077/ ∗∗∗ Scanning Activity Include Netcat Listener, (Sat, Aug 8th) ∗∗∗ --------------------------------------------- This activity started on the 5 July 2020 and has been active to this day only scanning against TCP port 81. The GET command is always the same except for the Netcat IP which has changed a few times since it started. If you have a webserver or a honeypot listening on TCP 81, this activity might be contained in your logs. --------------------------------------------- https://isc.sans.edu/diary/rss/26442 ∗∗∗ Scoping web application and web service penetration tests, (Mon, Aug 10th) ∗∗∗ --------------------------------------------- Before starting any penetration test, the most important part is to correctly scope it - this will ensure that both the clients expectations are fulfilled and that enough time is allocated to make sure that the penetration test is correctly performed. --------------------------------------------- https://isc.sans.edu/diary/rss/26448 ∗∗∗ Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts ∗∗∗ --------------------------------------------- A series of ongoing business email compromise (BEC) campaigns that uses spear-phishing schemes on Office 365 accounts has been seen targeting business executives of over 1,000 companies across the world since March 2020. The recent campaigns target senior positions in the United States and Canada. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/water-nue-campa… ∗∗∗ DEF CON 28: Introduction to ACARS ∗∗∗ --------------------------------------------- This post is a companion to the DEF CON 28 video available here: https://www.youtube.com/watch?v=NFS6qNAi0B8 What is ACARS? ACARS (Aircraft Communications Addressing and Reporting System, pronounced ‘ay-cars’) [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/introduction-to-acars/ ∗∗∗ Small and medium‑sized businesses: Big targets for ransomware attacks ∗∗∗ --------------------------------------------- Why are SMBs a target for ransomware-wielding gangs and what can they do to protect themselves against cyber-extortion? --------------------------------------------- https://www.welivesecurity.com/2020/08/07/small-medium-sized-businesses-big… ===================== = Vulnerabilities = ===================== ∗∗∗ Researcher Demonstrates Several Zoom Vulnerabilities at DEF CON 28 ∗∗∗ --------------------------------------------- Popular video conferencing app Zoom has addressed several security vulnerabilities, two of which affect its Linux client that could have allowed an attacker with access to a compromised system to read and exfiltrate Zoom user data—and even run stealthy malware as a sub-process of a trusted application. --------------------------------------------- https://thehackernews.com/2020/08/zoom-software-vulnerabilities.html ∗∗∗ TeamViewer: Fernwartungstool wies gefährliche Schwachstelle auf ∗∗∗ --------------------------------------------- Wer TeamViewer unter Windows länger nicht aktualisiert hat, sollte dies zügig nachholen: Eine Schwachstelle erlaubt(e) unter Umständen unbefugte Fernzugriffe. --------------------------------------------- https://heise.de/-4866337 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, java-1.8.0-openjdk, java-11-openjdk, libvncserver, postgresql-jdbc, and thunderbird), Debian (firejail and gupnp), Fedora (cutter-re, postgresql-jdbc, radare2, and webkit2gtk3), openSUSE (chromium, firefox, kernel, and python-rtslib-fb), Oracle (container-tools:ol8, kernel, and nss and nspr), Scientific Linux (thunderbird), and SUSE (firefox, kernel, postgresql10 and postgresql12, python-ipaddress, and xen). --------------------------------------------- https://lwn.net/Articles/828309/ ∗∗∗ Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2020-4541) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: Financial Transaction Manager for Check Services is affected by a potential information disclosure id 177835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2020 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerability affects the Lifecycle Query Engine that is shipped with Jazz Reporting Service (CVE-2020-4533) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential information disclosure id 177835 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Check Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Security vulnerability affects the Lifecycle Query Engine that is shipped with Jazz Reporting Service (CVE-2020-4539) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-af… ∗∗∗ Security Bulletin: Version 10.19.0 of Node.js included in IBM Netcool Operations Insight 1.6.0.x has several security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-version-10-19-0-of-node-j… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2020
by Daily end-of-shift report 07 Aug '20

07 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-08-2020 18:00 − Freitag 07-08-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücken: Millionen Smartphones mit Snapdragon-Chip verwundbar ∗∗∗ --------------------------------------------- Der DSP-Prozessor in den weit verbreiteten Snapdragon-Chips von Qualcomm enthält hunderte Sicherheitslücken. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-millionen-smartphones-mit-snap… ∗∗∗ Exploiting Android Messengers with WebRTC: Part 3 ∗∗∗ --------------------------------------------- Posted by Natalie Silvanovich, Project ZeroThis is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. CVE-2020-6514 discussed in the blog post was fixed on July 14 with these CLs.This series highlights what can go wrong when applications dont apply WebRTC patches and when the communication and notification of security issues breaks down. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messenger… ∗∗∗ Spam and phishing in Q2 2020 ∗∗∗ --------------------------------------------- In Q2 2020, the largest share of spam (51.45 percent) was recorded in April. The average percentage of spam in global email traffic was 50,18%, down by 4.43 percentage points from the previous reporting period. --------------------------------------------- https://securelist.com/spam-and-phishing-in-q2-2020/97987/ ∗∗∗ TA551 (Shathak) Word docs push IcedID (Bokbot), (Fri, Aug 7th) ∗∗∗ --------------------------------------------- I've been tracking malicious Word documents from the TA551 (Shathak) campaign This year, we've seen a lot of Valak malware from TA551, but in recent weeks this campaign has been pushing IcedID malware tp English-speaking targets. --------------------------------------------- https://isc.sans.edu/diary/rss/26438 ∗∗∗ Making the Most Out of WLAN Event Log Artifacts ∗∗∗ --------------------------------------------- If you have taken FOR500 (Windows Forensic Analysis) or utilize the FOR500 "Evidence of..." poster, you are probably familiar with the WLAN Event Log listed under the Network Activity/Physical Location section of the poster. This Windows event log (Microsoft-Windows-WLAN-AutoConfig/Operational) records wireless networks that a system has associated with as well as captures network characteristics that can be used for geolocation. In recent testing involving this artifact, a discovery was made that may have implications for investigators. I will outline a scenario that illustrates the issue and present artifacts to help solve it. --------------------------------------------- https://www.sans.org/blog/making-the-most-out-of-wlan-event-log-artifacts/ ∗∗∗ Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach ∗∗∗ --------------------------------------------- The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-an… ∗∗∗ Stuxnet 2.0: Forscher erwecken alten Security-Alptraum zu neuem Leben ∗∗∗ --------------------------------------------- Auf der Blackhat USA 2020 wiesen Forscher unter anderem auf eine Zero-Day-Lücke im Windows Druckerspoolerdienst hin. Ein Patch von Microsoft soll bald folgen. --------------------------------------------- https://heise.de/-4865010 ∗∗∗ Inter skimming kit used in homoglyph attacks ∗∗∗ --------------------------------------------- Threat actors load credit card skimmers using a known phishing technique called homoglyph attacks. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/08/inter-skimming-kit-us… ∗∗∗ WordPress Auto-Updates: What do you have to lose? ∗∗∗ --------------------------------------------- A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5, which is scheduled to be released on August 11, 2020. In this core release of the world’s most popular content management system, site owners will have the option to turn auto-updates on for individual plugins and themes directly from the WordPress admin dashboard. --------------------------------------------- https://www.wordfence.com/blog/2020/08/wordpress-auto-updates-what-do-you-h… ∗∗∗ Security Awareness is as valuable today as ever ∗∗∗ --------------------------------------------- A while ago I saw a tweet that initially angered me for many reasons, but then I thought about it and wondered how much effort do companies put in to awareness and training. --------------------------------------------- https://www.pentestpartners.com/security-blog/security-awareness-is-as-valu… ∗∗∗ Zahlreiche Fake-Shops locken mit günstigen Pools, Griller & Terrassenmöbel ∗∗∗ --------------------------------------------- Egal ob im eigenen Pool schwimmen, den Griller anheizen, die Pflanzen pflegen oder einfach auf der Terrasse die Sonne genießen. Sommerzeit ist Gartenzeit. Das sehen auch BetrügerInnen so. Denn derzeit melden LeserInnen der Watchlist Internet zahlreiche Fake-Shops mit Produkten für einen schönen Sommer im Garten. Schauen Sie daher lieber genau auf vermeintliche Online-Shops, die Ihnen günstige Pools, Griller, Terrassenmöbel oder Rasenmäher verkaufen wollen! --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-fake-shops-locken-mit-gue… ∗∗∗ Upgrade unseres Ticketsystems 2020-08-07 ∗∗∗ --------------------------------------------- Viele unserer Prozesse laufen über ein Ticketsystem, in unserem Fall ist das RTIR. Es ist jetzt Zeit geworden, hier eine radikalere Umstellung zu machen: Neue Version (Und natürlich wurde prompt während der Testphase eine radikal neue herausgegeben. Seufz.) --------------------------------------------- https://cert.at/de/blog/2020/8/upgrade-unseres-ticketsystem-20200807 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav and json-c), Fedora (python2, python36, and python37), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (java-11-openjdk, kernel, rubygem-actionview-4_2, wireshark, xen, and xrdp), and Ubuntu (openjdk-8 and ppp). --------------------------------------------- https://lwn.net/Articles/828209/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere MQ Internet Pass-Thru – CVE-2020-2654 (deferred from Oracle Jan 2020 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-internet-pas… ∗∗∗ Security Bulletin: Embedded WebSphere Application Server is vulnerable to a command execution vulnerability affect Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-embedded-websphere-applic… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server is vulnerable to a Information Disclosure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2020
by Daily end-of-shift report 06 Aug '20

06 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-08-2020 18:00 − Donnerstag 06-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB20-48) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB20-48) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, August 11, 2020. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1906 ∗∗∗ Incident Response Analyst Report 2019 ∗∗∗ --------------------------------------------- As an incident response service provider, Kaspersky delivers a global service that results in a global visibility of adversaries’ cyber-incident tactics and techniques on the wild. In this report, we share our teams’ conclusions and analysis based on incident responses and statistics from 2019. --------------------------------------------- https://securelist.com/incident-response-analyst-report-2019/97974/ ∗∗∗ A Fork of the FTCode Powershell Ransomware, (Thu, Aug 6th) ∗∗∗ --------------------------------------------- Yesterday, I found a new malicious Powershell script that deserved to be analyzed due to the way it was dropped on the victims computer. As usual, the malware was delivered through a malicious Word document with a VBA macro. A first observation reveals that its a file less macro. The malicious Base64 code is stored in multiples environment variables that are concatenated then executed through an IEX command... --------------------------------------------- https://isc.sans.edu/diary/rss/26434 ∗∗∗ Ad Hoc Log-Management im Ernstfall (SEC Defence) ∗∗∗ --------------------------------------------- Viele Organisationen, welche kein eigenes Incident Response Team haben, verfügen über keine oder nur sehr mangelhafte Visibility im eigenen Unternehmensnetzwerk. Doch vor Allem für die Aufarbeitung und Behebung des Vorfalls ist es unerlässlich auf allen Systemen angemessene Sichtbarkeit sicherzustellen. --------------------------------------------- https://www.sec-consult.com/./blog/2020/07/ad-hoc-log-management-im-ernstfa… ∗∗∗ PHP Backdoor Obfuscated One Liner ∗∗∗ --------------------------------------------- In the past, I have explained how small one line PHP backdoors use obfuscation and strings of code in HTTP requests to pass attacker’s commands to backdoors. Today, I’ll highlight another similar injection example and describe some of the malicious behavior we’ve seen recently on compromised websites. --------------------------------------------- https://blog.sucuri.net/2020/08/php-backdoor-obfuscated-one-liner.html ∗∗∗ Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack ∗∗∗ --------------------------------------------- A new research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers. Amit Klein, VP of Security Research at SafeBreach who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even after 15 years since they were first documented. --------------------------------------------- https://thehackernews.com/2020/08/http-request-smuggling.html ∗∗∗ Makro-Malware für macOS: Forscher warnt vor unterschätzter Gefahr ∗∗∗ --------------------------------------------- Ein "Office Drama" naht für macOS-User, fürchtet Patrick Wardle. Makro-Malware könnte Schutzmaßnahmen aushebeln, erläuterte der Forscher auf der Black Hat 2020. --------------------------------------------- https://heise.de/-4864148 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- Cisco hat 19 Security Advisories veröffentlicht. Keine der Schwachstellen wird als kritisch eingestuft, vier als "High". --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security Bulletin: IBM MQ could allow an attacker to cause a denial of service due to a memory leak caused by an error creating a dynamic queue. (CVE-2020-4375) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-an-att… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i is affected by CVE-2020-2654 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM MQ is affected by a vulnerability within IBM WebSphere Liberty (CVE-2020-4329) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-v… ∗∗∗ Security Bulletin: CVE-2020-2601 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2601-may-affect-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a buffer overflow vulnerability due to an error within the channel processing code (CVE-2020-4465) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Vulnerability CVE-2019-2949 in IBM Java SDK and IBM Java Runtime affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2019-29… ∗∗∗ Security Bulletin: IBM MQ could allow an attacker to cause a denial of service caused by an error within the pubsub logic. (CVE-2020-4376) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-an-att… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: CVE-2020-2590 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2590-may-affect-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2020
by Daily end-of-shift report 05 Aug '20

05 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-08-2020 18:00 − Mittwoch 05-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MMS Exploit Part 4: MMS Primer, Completing the ASLR Oracle ∗∗∗ --------------------------------------------- Posted by Mateusz Jurczyk, Project Zero. This post is the fourth of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/08/mms-exploit-part-4-completin… ∗∗∗ Richtlinien gegen Sicherheitslücken in Legacy-Programmiersprachen veröffentlicht ∗∗∗ --------------------------------------------- Das Politecnico di Milano und Trend Micro haben einen Leitfaden für das Entwickeln mit Legacy-Programmiersprachen für Betriebstechnik in der Industrie erstellt. --------------------------------------------- https://heise.de/-4863229 ∗∗∗ Sophos: Ransomware WastedLocker trickst Sicherheitsanwendungen aus ∗∗∗ --------------------------------------------- Die Hintermänner haben offenbar sehr gute Kenntnisse über interne Funktionen von Windows. Sie nutzen diese, um Dateien im Windows-Cache statt direkt auf der Festplatte zu verschlüsseln. Damit vereiteln sie eine verhaltensbasierte Analyse ihrer Schadsoftware. --------------------------------------------- https://www.zdnet.de/88382004/sophos-ransomware-wastedlocker-trickst-sicher… ∗∗∗ Unseriöse Angebote werben mit ORF-Promis ∗∗∗ --------------------------------------------- Immer wieder werden Promis dazu genutzt, um unseriöse Angebote zu bewerben. Aktuell werden vor allem Bilder von ORF-Stars und von nachgemachten Nachrichten-Logos verwendet, um Menschen in die Falle zu locken. Die gefälschten Werbungen werden Ihnen dabei beim Handy-Spielen angezeigt und sollen Sie dazu bringen Apps für Spieleautomaten herunterzuladen. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-angebote-werben-mit-orf-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers can abuse Microsoft Teams updater to install malware ∗∗∗ --------------------------------------------- Microsoft Teams can still double as a Living off the Land binary (LoLBin) and help attackers retrieve and execute malware from a remote location. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-… ∗∗∗ The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks ∗∗∗ --------------------------------------------- On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2020/08/the-official-facebook-chat-plugin-cr… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (net-snmp), Fedora (mingw-curl), openSUSE (firefox, ghostscript, and opera), Oracle (libvncserver and postgresql-jdbc), Scientific Linux (postgresql-jdbc), SUSE (firefox, kernel, libX11, xen, and xorg-x11-libX11), and Ubuntu (apport, grub2, grub2-signed, libssh, libvirt, mysql-8.0, ppp, tomcat8, and whoopsie). --------------------------------------------- https://lwn.net/Articles/828114/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - July 2020 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ GRUB2 Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Information Leak Vulnerabilities in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Huawei FusionCompute Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Protection Mechanism Failure Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Elevation of Privilege Vulnerability in Some Microsoft Windows Systems ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Advisory - Remote Code Execution Vulnerability in Microsoft Windows SMBv1 ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200805-… ∗∗∗ Security Bulletin: jackson-databind (Publicly disclosed vulnerability) found in Network Performance Insight (CVE-2019-14892, CVE-2019-14893) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jackson-databind-publicly… ∗∗∗ Security Bulletin: CVE-2014-3577 HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2014-3577-httpcompone… ∗∗∗ Security Bulletin: CVE-2020-4481 HTTP properties vulnerable to an XXE attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4481-http-proper… ∗∗∗ Security Bulletin: vulnerabilities in in IBM® Runtime Environment Java™ Version 8 affect IBM WIoTP MessageGateway (CVE-2020-2805, CVE-2020-2803, CVE-2020-2781, CVE-2020-2755, CVE-2020-2754) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-in-ibm… ∗∗∗ Security Bulletin: CVE-2009-2625 CVE-2012-0881 CVE-2013-4002 CVE-2014-0107 Multiple Xml handling Issues in xerces and xalan ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2009-2625-cve-2012-08… ∗∗∗ Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js http-proxy module denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integra… ∗∗∗ Security Bulletin: CVE-2019-2949 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2949-may-affect-… ∗∗∗ Security Bulletin: CVE-2015-5254 Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2015-5254-apache-acti… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2020-4243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ IBM Spectrum Protect: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0785 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2020
by Daily end-of-shift report 04 Aug '20

04 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Montag 03-08-2020 18:00 − Dienstag 04-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Exploiting Android Messengers with WebRTC: Part 1 ∗∗∗ --------------------------------------------- Posted by Natalie Silvanovich, Project Zero. This is a three-part series on exploiting messenger applications using vulnerabilities in WebRTC. This series highlights what can go wrong when applications dont apply WebRTC patches and when the communication and notification of security issues breaks down. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messenger… ∗∗∗ Network Design: Firewall, IDS/IPS ∗∗∗ --------------------------------------------- There are many different types of devices and mechanisms within the security environment to provide a layered approach of defense. This is so that if an attacker is able to bypass one layer, another layer stands in the way to protect the network. --------------------------------------------- https://resources.infosecinstitute.com/network-design-firewall-idsips/ ∗∗∗ Certificate Transparency: a birds-eye view ∗∗∗ --------------------------------------------- The goal of this post is to build up a high-level description of CT from scratch, explaining why all the pieces are the way they are and how they fit together. --------------------------------------------- https://emilymstark.com/2020/07/20/certificate-transparency-a-birds-eye-vie… ∗∗∗ goldscheideanstalt-solidus24.de & feingold-scheideanstalt.de fälschen Trusted Shops-Zertifikat ∗∗∗ --------------------------------------------- goldscheideanstalt-solidus24.de & feingold-scheideanstalt.de – durchaus ansprechende Webshops für Goldbarren und Goldmünzen. Das vollständige Impressum mit gültigen Angaben, sowie das Trusted Shops-Gütezeichen wirken vertrauensvoll. Doch Vorsicht: Diese Goldhändler sind Fake, Sie erhalten trotz Bezahlung keine Ware! --------------------------------------------- https://www.watchlist-internet.at/news/goldscheideanstalt-solidus24de-feing… ===================== = Vulnerabilities = ===================== ∗∗∗ NodeJS module downloaded 7M times lets hackers inject code ∗∗∗ --------------------------------------------- A Node.js module downloaded millions of times has a security flaw that can enable attackers to perform a denial-of-service (DoS) attack on a server or get full-fledged remote shell access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nodejs-module-downloaded-7m-… ∗∗∗ CVE-2020–9854: "Unauthd" ∗∗∗ --------------------------------------------- Security researcher Ilias Morad, describes an impressive exploit chain, combining three macOS logic bugs he uncovered in macOS. His exploit chain allowed a local user to elevate privileges all the way to ring-0 (kernel)! --------------------------------------------- https://objective-see.com/blog/blog_0x4D.html ∗∗∗ Reminder: Patch Cisco ASA / FTD Devices (CVE-2020-3452). Exploitation Continues , (Tue, Aug 4th) ∗∗∗ --------------------------------------------- Just a quick reminder: We are continuing to see small numbers of exploit attempts against CVE-2020-3452. Cisco patched this directory traversal vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. --------------------------------------------- https://isc.sans.edu/diary/rss/26426 ∗∗∗ Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder ∗∗∗ --------------------------------------------- On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libx11, webkit2gtk, and zabbix), Fedora (webkit2gtk3), openSUSE (claws-mail, ghostscript, and targetcli-fb), Red Hat (dbus, kpatch-patch, postgresql-jdbc, and python-pillow), Scientific Linux (libvncserver and postgresql-jdbc), SUSE (kernel and python-rtslib-fb), and Ubuntu (ghostscript, sqlite3, squid3, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/828015/ ∗∗∗ Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-aff… ∗∗∗ Security Bulletin: Possible denial of service attack affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-possible-denial-of-servic… ∗∗∗ Security Bulletin: Incorrect file permissions allows authenticated users to recover IPMI user passwords ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-file-permission… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a denial of service vulnerability in MySQL (CVE-2020-2752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Vulnerability in GNU gettext affects IBM Spectrum Protect Plus (CVE-2018-18751) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-gnu-gett… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2020-4459) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A vulnerability in IBM® Runtime Environment Java™ Version 8.0 affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ru… ∗∗∗ Security Bulletin: OpenSSH vulnerability affects IBM Spectrum Protect Plus (CVE-2020-15778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssh-vulnerability-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability exists in IBM® Runtime Environment Java™ which affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ August 2020 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2020-08-01 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0781 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2020
by Daily end-of-shift report 03 Aug '20

03 Aug '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-07-2020 18:00 − Montag 03-08-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Warnung vor Sicherheitslücke in Abus-Alarmanlagen ∗∗∗ --------------------------------------------- Aufgrund einer neuen Sicherheitslücke ist es möglich, die Alarmanlage aus der Ferne zu deaktivieren. --------------------------------------------- https://futurezone.at/produkte/abus-alarmanlagen-warnung-vor-sicherheitslue… ∗∗∗ The core of Apple is PPL: Breaking the XNU kernels kernel ∗∗∗ --------------------------------------------- This bypass was reported as Project Zero issue 2035 and fixed in iOS 13.6; you can find a POC that demonstrates how to map arbitrary physical addresses into EL0 there. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/the-core-of-apple-is-ppl-bre… ∗∗∗ Emotet is back… and where are we? ∗∗∗ --------------------------------------------- A couple weeks ago, Emotet sprang back to life. The first new spam messages started flowing after a five month hiatus. --------------------------------------------- https://team-cymru.com/2020/07/31/emotet-is-back-and-where-are-we/ ∗∗∗ TCC-Absicherung in macOS "komplett geknackt" ∗∗∗ --------------------------------------------- Einem Sicherheitsexperten ist es gelungen, Apples eigentlich drakonische "Entitlement Checks" zu umgehen. Das Problem wurde gepatcht. --------------------------------------------- https://heise.de/-4860891 ∗∗∗ Meetup fixes security flaws which could have allowed hackers to take over groups ∗∗∗ --------------------------------------------- Researchers at Checkmarx detail "Holy Grail" of two vulnerabilities, now patched. --------------------------------------------- https://www.zdnet.com/article/meetup-fixes-security-flaws-which-could-have-… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Group - Critical - Information Disclosure - SA-CONTRIB-2020-030 ∗∗∗ --------------------------------------------- Security risk: Critical 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:ALL This vulnerability is mitigated by the fact that the victim must have the GroupNode plugin installed on their website and have no other hook_node_grants() implementations on their website aside from the one that was recently removed by Group. If you do not use the GroupNode plugin or still have hook_node_grants() implementing modules enabled, your site may not be affected. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2020-030 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2 and mercurial), Fedora (chromium, firefox, and freerdp), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox, grub2, and kernel), and SUSE (ghostscript and targetcli-fb). --------------------------------------------- https://lwn.net/Articles/827697/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (ffmpeg, libjcat, mbedtls, tcpreplay, and wireshark-cli), Debian (ark, evolution-data-server, libjpeg-turbo, libopenmpt, libpam-radius-auth, libphp-phpmailer, libssh, ruby-zip, thunderbird, and transmission), Fedora (chromium, clamav, claws-mail, evolution-data-server, freerdp, glibc, java-latest-openjdk, nspr, and nss), Gentoo (libsndfile, pycrypto, python, snmptt, thunderbird, and webkit-gtk), Mageia (botan2, chocolate-doom, cloud-init, dnsmasq, freerdp/remmina, gssdp/gupnp java-1.8.0-openjdk, matio, microcode, nasm, openjpeg2, pcre2, php-phpmailer, redis, roundcubemail, ruby-rack, thunderbird, virtualbox, xerces-c), openSUSE (claws-mail, ldb, libraw), Oracle (firefox), Red Hat (bind, grub2, grub2, grub2, grub2, grub2, kernel-rt, libvncserver, nss, and, nspr, qemu-kvm-rhev), Scientific Linux (firefox), Slackware (thunderbird), SUSE (claws-mail, ldb, libraw, firefox, kernel, kernel, targetcli-fb). --------------------------------------------- https://lwn.net/Articles/827920/ ∗∗∗ Security Bulletin: Financial Transaction Manager for High Value Payments is affected by a potential Cross-Site Scripting (Reflected) vulnerability (CVE-2020-4560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Watson Machine Learning Service is impacted by security vulnerabilities in OpenJDK 11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-s… ∗∗∗ Security Bulletin: IBM i2 Analysts' Notebook and IBM i2 Analysts' Notebook Premium Memory vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: Apr 2020 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apr-2020-multiple-vulnera… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4534) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Financial Transaction Manager for High Value Payments is affected by a potential SQL Injection CVE-2020-4328 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2020
by Daily end-of-shift report 31 Jul '20

31 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-07-2020 18:00 − Freitag 31-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Office 365 phishing abuses Google Ads to bypass email filters ∗∗∗ --------------------------------------------- An Office 365 phishing campaign abused Google Ads to bypass secure email gateways (SEGs), redirecting employees of targeted organizations to phishing landing pages and stealing their Microsoft credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/office-365-phishing-abuses-g… ∗∗∗ One Byte to rule them all ∗∗∗ --------------------------------------------- Posted by Brandon Azad, Project Zero. For the last several years, nearly all iOS kernel exploits have followed the same high-level flow: memory corruption and fake Mach ports are used to gain access to the kernel task port, which provides an ideal kernel read/write primitive to userspace. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/one-byte-to-rule-them-all.ht… ∗∗∗ WastedLocker: technical analysis ∗∗∗ --------------------------------------------- According to currently available information, in the attack on Garmin a targeted build of the Trojan WastedLocker was used. We have performed technical analysis of the Trojan sample. --------------------------------------------- https://securelist.com/wastedlocker-technical-analysis/97944/ ∗∗∗ Obscured by Clouds: Insights into Office 365 Attacks and How MandiantManaged Defense Investigates ∗∗∗ --------------------------------------------- With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/07/insights-into-office-36… ∗∗∗ Malspam campaign caught using GuLoader after service relaunch ∗∗∗ --------------------------------------------- We discovered a spam campaign distributing GuLoader in the aftermath of the services relaunch. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caug… ∗∗∗ New infection chain of njRAT variant ∗∗∗ --------------------------------------------- Recently, 360 Security Center has detected that a variant of the remote access tool njRAT is active. --------------------------------------------- https://blog.360totalsecurity.com/en/new-infection-chain-of-njrat-variant/ ∗∗∗ Umfragen von appdoctor.me führen zu Geldwäsche in Ihrem Namen! ∗∗∗ --------------------------------------------- Es klingt so verlockend: Einfach kurz eine App testen und schon hat man 35 Euro verdient. Doch leider steckt hinter solchen Umfrageplattformen und Jobangeboten oftmals Betrug. So auch auf der Webseite appdoctor.me, auf der App-TesterInnen gesucht werden. Geld wird Ihnen hier jedoch nicht ausbezahlt. Stattdessen eröffnen die Kriminellen ein Konto in Ihrem Namen, um dort Geldwäsche zu betreiben. --------------------------------------------- https://www.watchlist-internet.at/news/umfragen-von-appdoctorme-fuehren-zu-… ===================== = Vulnerabilities = ===================== ∗∗∗ KDE archive tool flaw let hackers take over Linux accounts ∗∗∗ --------------------------------------------- A vulnerability exists in the default KDE extraction utility called ARK that allows attackers to overwrite files or execute code on victims computers simply by tricking them into downloading an archive and extracting it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kde-archive-tool-flaw-let-ha… ∗∗∗ If you own one of these 45 Netgear devices, replace it: Gear maker wont patch vulnerable gear despite live proof-of-concept code ∗∗∗ --------------------------------------------- Thats one way of speeding up the tech refresh cycle. Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2020/07/30/netgear_aban… ∗∗∗ Ripple20 impact onDistribution Automation products ∗∗∗ --------------------------------------------- On the 16th of June 2020, a series of vulnerabilities affecting a TCP/IP library from Treck Inc. were made public by JSOF Tech in Jerusalem, Israel. The products listed in this document have integrated this library and thus are affected by the vulnerabilities listed in this document. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA000473&Language… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg). --------------------------------------------- https://lwn.net/Articles/827572/ ∗∗∗ Forscher legt zwei Zero-Day-Lücken im Tor-Netzwerk und -Browser offen ∗∗∗ --------------------------------------------- Internet Service Provider können unter Umständen alle Verbindungen zum Tor-Netzwerk blockieren. Der Forscher wirft dem Tor Project vor, die von ihm gemeldeten Schwachstellen nicht zu beseitigen. Er kündigt zudem die Offenlegung weiterer Bugs an. --------------------------------------------- https://www.zdnet.de/88381926/forscher-legt-zwei-zero-day-luecken-im-tor-ne… ∗∗∗ iTunes 12.10.8 for Windows ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT211293 ∗∗∗ Security Bulletin: IBM i2 Analysts' Notebook Memory vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Apache CXF, which is shipped with IBM Tivoli Network Manager (CVE-2020-1954). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2020
by Daily end-of-shift report 30 Jul '20

30 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-07-2020 18:00 − Donnerstag 30-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TrickBots new Linux malware covertly infects Windows devices ∗∗∗ --------------------------------------------- TrickBots Anchor malware platform has been ported to infect Linux devices and compromise further high-impact and high-value targets using covert channels. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbots-new-linux-malware-… ∗∗∗ Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 ∗∗∗ --------------------------------------------- Posted by Maddie Stone, Project Zero. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-re… ∗∗∗ Security controls for ICS/SCADA environments ∗∗∗ --------------------------------------------- Supervisory control and data acquisition systems (SCADA) are a subset of ICS. These systems are unique in comparison to traditional IT systems. This makes using standard security controls written with traditional systems in mind somewhat tricky. --------------------------------------------- https://resources.infosecinstitute.com/security-controls-for-ics-scada-envi… ∗∗∗ ESET Threat Report Q2 2020 ∗∗∗ --------------------------------------------- A view of the Q2 2020 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts. --------------------------------------------- https://www.welivesecurity.com/2020/07/29/eset-threat-report-q22020/ ∗∗∗ Researchers exploit HTTP/2, WPA3 protocols to stage highly efficient ‘timeless timing’ attacks ∗∗∗ --------------------------------------------- Presented at this year’s Usenix conference, the technique, named ‘Timeless Timing Attacks’, exploits the way network protocols handle concurrent requests to solve one of the endemic challenges of remote timing side-channel attacks. --------------------------------------------- https://portswigger.net/daily-swig/researchers-exploit-http-2-wpa3-protocol… ∗∗∗ Effective Threat Intelligence Through Vulnerability Analysis ∗∗∗ --------------------------------------------- The vulnerability ecosystem has matured considerably in the last few years. A significant amount of effort has been invested to capture, curate, taxonomize and communicate the vulnerabilities in terms of severity, impact and complexity of the associated exploit or attack. --------------------------------------------- https://www.tripwire.com/state-of-security/vulnerability-management/effecti… ===================== = Vulnerabilities = ===================== ∗∗∗ Grub 2: Boothole ermöglicht Umgehung von Secure Boot ∗∗∗ --------------------------------------------- Der Fehler in dem Bootloader Grub ermöglicht damit ein dauerhaftes Bootkit. Ein komplettes Update wird aber schwierig und dauert. (grub, Linux) --------------------------------------------- https://www.golem.de/news/grub-2-boothole-ermoeglicht-umgehung-von-secure-b… ∗∗∗ CVE-2020–9934: Bypassing TCC for Unauthorized Access ∗∗∗ --------------------------------------------- In this guest blog post, security researcher Matt Shockley describes a lovely security vulnerability he uncovered in macOS. --------------------------------------------- https://objective-see.com/blog/blog_0x4C.html ∗∗∗ Sicherheitsupdates: Gefährliche Lücken in Cisco SD-WAN und Data Center ∗∗∗ --------------------------------------------- Angreifer könnten durch Schwachstellen in Cisco-Software ganze Netzwerke übernehmen. --------------------------------------------- https://heise.de/-4858759 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (October 2019) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities in OpenSSL affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information exposure in HTML comments vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (Apr 2020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2020, Apr 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in Open Source logback used in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-open-sou… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ SDK and IBM® Java™ Runtime that affect IBM® Intelligent Operations Center products (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 68.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-35/ ∗∗∗ Dell OpenManage Server Administrator: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0770 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0768 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2020
by Daily end-of-shift report 29 Jul '20

29 Jul '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-07-2020 18:00 − Mittwoch 29-07-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ VermieterInnen aufgepasst: Besonders in der Urlaubszeit wollen BetrügerInnen an Ihr Geld! ∗∗∗ --------------------------------------------- Betrug im Internet zielt manchmal auf ganz bestimmte Personengruppen ab. Gerade jetzt in der Urlaubszeit sind auch Zimmer- oder Ferienwohnung-VermieterInnen sowie Hoteliers im Visier von BetrügerInnen. Die Kriminellen geben sich dabei als interessierte Gäste aus und versuchen durch Scheckbetrug an das Geld der VermieterInnen zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/vermieterinnen-aufgepasst-besonders-… ∗∗∗ Betrüger-Mails: Emotet klaut Dateianhänge für mehr Authentizität ∗∗∗ --------------------------------------------- Aufgepasst: Emotet hat dazu gelernt und versteckt sich nun in noch glaubhafteren Mails. --------------------------------------------- https://heise.de/-4857724 ∗∗∗ Netwalker malware: What it is, how it works and how to prevent it | Malware spotlight ∗∗∗ --------------------------------------------- Netwalker is a data encryption malware that represents an evolution of the well-known Kokoklock ransomware and has been active since September 2019. This article will detail the specific technical features of the Netwalker ransomware. --------------------------------------------- https://resources.infosecinstitute.com/netwalker-malware-what-it-is-how-it-… ∗∗∗ MMS Exploit Part 3: Constructing the Memory Corruption Primitives ∗∗∗ --------------------------------------------- Posted by Mateusz Jurczyk, Project Zero. This post is the third of a multi-part series capturing my journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-3-construct… ===================== = Vulnerabilities = ===================== ∗∗∗ Magento gets security updates for severe code execution bugs ∗∗∗ --------------------------------------------- Adobe today released security updates to fix two code execution vulnerabilities affecting Magento Commerce and Magento Open Source, rated as important and critical severity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-gets-security-update… ∗∗∗ Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin ∗∗∗ --------------------------------------------- On June 19th, our Threat Intelligence team discovered a vulnerability present in Comments – wpDiscuz, a WordPress plugin installed on over 80,000 sites. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. --------------------------------------------- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulne… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, firefox-esr, luajit, and salt), Fedora (clamav, java-1.8.0-openjdk, and java-11-openjdk), Gentoo (claws-mail, dropbear, ffmpeg, libetpan, mujs, mutt, and rsync), openSUSE (qemu), Red Hat (openstack-tripleo-heat-templates), SUSE (freerdp, ldb, rubygem-puma, samba, and webkit2gtk3), and Ubuntu (mysql-5.7, mysql-8.0 and sympa). --------------------------------------------- https://lwn.net/Articles/827376/ ∗∗∗ Security Bulletin: Legacy Components of IBM Netcool Configuration Manager have been updated. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-legacy-components-of-ibm-… ∗∗∗ Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager (CVE-2020-1954) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-vulnerability-… ∗∗∗ Security Bulletin: IBM Planning Analytics has addressed multiple Security Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Information Disclosure (CVE-2020-4463) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Security Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ IBM Informix: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0764 ∗∗∗ Stored Cross-Site Scripting (XSS) Vulnerability in Namirial SIGNificant SignAnyWhere ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/stored-cross-site-scripting-xs… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily