=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-11-2020 18:00 − Thursday 12-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Source code of the exploit toolkit Cobalt Strike allegedly leaked ∗∗∗
---------------------------------------------
A repository named CobaltStrike has been on GitHub for almost two weeks. It allegedly contains the code of Cobalt Strike 4.0. The author has also removed the license check, which suggests a cracked version.
---------------------------------------------
https://www.zdnet.de/88389725/angeblich-quellcode-des-exploit-toolkits-coba…
∗∗∗ Hungry for data - ModPipe backdoor threatens POS software in the hospitality industry ∗∗∗
---------------------------------------------
The backdoor's authors apparently have extensive knowledge of the software and decrypt database passwords from Windows registry values.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2020/11/12/hungrig-nach-daten-modpip…
∗∗∗ Extrapolating Adversary Intent Through Infrastructure ∗∗∗
---------------------------------------------
Hear from Senior Security Researcher Joe Slowik to discover the significance behind domain name patterns and learn how defenders can use these thematic insights to further their security operations.
---------------------------------------------
https://www.domaintools.com/resources/blog/extrapolating-adversary-intent-t…
∗∗∗ 2 More Google Chrome Zero-Days Under Active Exploitation ∗∗∗
---------------------------------------------
Browser users are once again being asked to patch severe vulnerabilities that can lead to remote code execution.
---------------------------------------------
https://threatpost.com/2-zero-day-bugs-google-chrome/161160/
∗∗∗ Preventing Exposed Azure Blob Storage, (Thu, Nov 12th) ∗∗∗
---------------------------------------------
In the previous diary, I explained the three public access levels of Azure Blob Storage, and how to investigate the setup for any issues. Until a couple of months ago, there was no reliable way to prevent the problem from occurring in the first place, but thankfully, Microsoft has finally seen the light.
---------------------------------------------
https://isc.sans.edu/diary/rss/26786
∗∗∗ Attacking SCADA Part II: Vulnerabilities in Schneider Electric EcoStruxure Machine Expert and M221 PLC ∗∗∗
---------------------------------------------
We present two vulnerabilities in EcoStruxure Machine Expert v1.0 and Schneider Electric M221 (Firmware 1.10.2.2) Programmable Logic Controller (PLC). All three vulnerabilities were disclosed to Schneider Electric and the details were released on 10 November 2020.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacking-s…
∗∗∗ Exploring the Exploitability of "Bad Neighbor": The Recent ICMPv6 Vulnerability (CVE-2020-16898) ∗∗∗
---------------------------------------------
We wanted to find out whether something else could be done with this vulnerability, aside from triggering the buffer overflow and causing a blue screen (BSOD).
---------------------------------------------
https://blog.zecops.com/vulnerabilities/exploring-the-exploitability-of-bad…
∗∗∗ CRAT wants to plunder your endpoints ∗∗∗
---------------------------------------------
Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT. Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. One of the plugins is a ransomware known as "Hansom."
---------------------------------------------
https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
∗∗∗ Avionics Safety and Secured Connectivity: A Look at DO-326A/ED-202A, DO-355 and DO-356 ∗∗∗
---------------------------------------------
One of the major improvements that the avionics industry is undergoing is an Internet of Things (IoT) upgrade. And this is inevitably affecting how airlines approach aircraft safety. From the beginning, safety has been paramount to the aviation industry. But while it is a welcome innovation, the incorporation of IoT devices in aircraft comes with [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/regulatory-compliance/avionics-s…
∗∗∗ Comodo open-sources its EDR solution ∗∗∗
---------------------------------------------
OpenEDR, announced in September, is available on GitHub starting this week.
---------------------------------------------
https://www.zdnet.com/article/comodo-open-sources-its-edr-solution/
∗∗∗ Why you should keep your Netflix password to yourself ∗∗∗
---------------------------------------------
Sharing is caring - except when it isn't. Here’s why you shouldn't share your password for online media services with other people.
---------------------------------------------
https://www.welivesecurity.com/2020/11/11/why-you-should-keep-netflix-passw…
∗∗∗ Cryptominers Exploiting Weblogic RCE CVE-2020-14882 ∗∗∗
---------------------------------------------
Intro Towards the end of October, we started seeing attackers take advantage of a Weblogic RCE vulnerability (CVE-2020-14882). Recently, SANS ISC talked about this vulnerability being exploited in the wild, [...]
---------------------------------------------
https://thedfirreport.com/2020/11/12/cryptominers-exploiting-weblogic-rce-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (codemirror-js, firefox-esr, and pacemaker), Fedora (firefox, java-latest-openjdk, and xen), openSUSE (sddm), Oracle (bind, curl, fence-agents, kernel, librepo, libvirt, python3, qt and qt5-qtbase, and tomcat), SUSE (firefox), and Ubuntu (intel-microcode, openldap, and raptor2).
---------------------------------------------
https://lwn.net/Articles/836994/
∗∗∗ Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs ∗∗∗
---------------------------------------------
Schneider Electric this week released advisories for vulnerabilities impacting various products, including flaws that can be exploited to take control of Modicon M221 programmable logic controllers (PLCs).
---------------------------------------------
https://www.securityweek.com/encryption-vulnerabilities-allow-hackers-take-…
∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201111…
∗∗∗ Security Bulletin: IBM API Connect V5 is vulnerable to denial of service (CVE-2019-11479) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-is-vul…
∗∗∗ Security Bulletin: Vulnerability in HTTPD affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-httpd-af…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-11-2020 18:00 − Wednesday 11-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Targeted ransomware: it’s not just about encrypting your data! ∗∗∗
---------------------------------------------
When we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data – it’s primarily about data exfiltration.
---------------------------------------------
https://securelist.com/targeted-ransomware-encrypting-data/99255/
∗∗∗ Decrypting OpenSSH sessions for fun and profit ∗∗∗
---------------------------------------------
A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers.
---------------------------------------------
https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-…
∗∗∗ How to buy Christmas presents safely on the Internet! ∗∗∗
---------------------------------------------
So that the anticipation of Christmas is not spoiled by an order from a fake shop, we show you the most important points by which you can recognise dubious online shops.
---------------------------------------------
https://www.watchlist-internet.at/news/so-kaufen-sie-weihnachtsgeschenke-si…
∗∗∗ Play Store identified as main distribution vector for most Android malware ∗∗∗
---------------------------------------------
Mammoth research project using Symantec (now NortonLifeLock) telemetry confirms what everyone suspected.
---------------------------------------------
https://www.zdnet.com/article/play-store-identified-as-main-distribution-ve…
∗∗∗ New Android trojan spies on 153 mobile applications ∗∗∗
---------------------------------------------
Among them are four apps from German banks. Distribution takes place via links in spam e-mails. Using the Android accessibility services, the trojan permanently embeds itself on a device and allows it to be controlled remotely.
---------------------------------------------
https://www.zdnet.de/88389654/neuer-android-trojaner-spioniert-153-mobile-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ NVIDIA fixes severe flaw in GeForce NOW cloud gaming service ∗∗∗
---------------------------------------------
NVIDIA released a security update for the GeForce Now cloud gaming Windows app to address a vulnerability that could allow attackers to execute arbitrary code or escalate privileges on systems running unpatched software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nvidia-fixes-severe-flaw-in-…
∗∗∗ VU#231329: Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks ∗∗∗
---------------------------------------------
The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPMB write command or the content of an RPMB area.
---------------------------------------------
https://kb.cert.org/vuls/id/231329
∗∗∗ VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
---------------------------------------------
https://kb.cert.org/vuls/id/760767
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, gdm, linux-hardened, matrix-synapse, salt, sddm, and wordpress), Debian (firefox-esr, libmaxminddb, and moin), Fedora (cifs-utils, firefox, galera, java-latest-openjdk, mariadb, mariadb-connector-c, and wordpress), Gentoo (blueman, chromium, firefox, mariadb, qemu, salt, tmux, and wireshark), openSUSE (sddm), Oracle (kernel), Red Hat (kernel-alt, microcode_ctl, and rh-nodejs12-nodejs), SUSE (kernel, microcode_ctl, openldap2,
---------------------------------------------
https://lwn.net/Articles/836897/
∗∗∗ Patchday: Microsoft closes kernel vulnerability in Windows ∗∗∗
---------------------------------------------
More than 100 security updates for Microsoft Office, Windows & Co. have been released. One vulnerability is currently being actively exploited by attackers.
---------------------------------------------
https://heise.de/-4954195
∗∗∗ Security Advisory - Command Injection Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201111-…
∗∗∗ XSA-351 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-351.html
∗∗∗ Citrix Systems Virtual Apps and Desktops: Multiple vulnerabilities allow obtaining administrator privileges ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1107
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-11-2020 18:00 − Tuesday 10-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ PLATYPUS - With Great Power comes Great Leakage ∗∗∗
---------------------------------------------
With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processors power consumption to infer data and extract cryptographic keys.
---------------------------------------------
https://platypusattack.com/
∗∗∗ wetransfer.com: How to use the free service securely ∗∗∗
---------------------------------------------
wetransfer.com is a popular service for sharing many files or folders free of charge and without complications. However, we advise caution when receiving an e-mail from wetransfer.com, because criminals send phishing e-mails or dangerous e-mails carrying malware in the design of the file transfer service. So: check first, then click!
---------------------------------------------
https://www.watchlist-internet.at/news/wetransfercom-so-nutzen-sie-den-kost…
∗∗∗ Sudden discontinuation: Avira to end its business security products at the end of 2021 ∗∗∗
---------------------------------------------
Avira is currently informing business customers of the discontinuation of its B2B division: existing licences will accordingly lose their validity on 01.01.22.
---------------------------------------------
https://heise.de/-4952577
∗∗∗ Microsoft Teams Users Under Attack in 'FakeUpdates' Malware Campaign ∗∗∗
---------------------------------------------
Microsoft warns that cybercriminals are using Cobalt Strike to infect entire networks beyond the infection point, according to a report.
---------------------------------------------
https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/
∗∗∗ Code Comments Reveal SCP-173 Malware ∗∗∗
---------------------------------------------
We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code - for example, a short description of a feature or functionality for other developers to reference. Oftentimes, hackers aren’t interested in leaving comments describing how their injected malware works. Instead, they use code comments to add unique identifiers to reference aliases, quotes, threat groups, or sometimes even memes.
---------------------------------------------
https://blog.sucuri.net/2020/11/code-comments-reveal-scp-173-malware.html
∗∗∗ WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques ∗∗∗
---------------------------------------------
Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW (Windows on Windows) system was coined. This layer, which will be referred to as 'WOW64' from here on out, is responsible for translating all Windows API calls from 32-bit userspace to the 64-bit operating system
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-intern…
∗∗∗ Snakes and Ladder Logic ∗∗∗
---------------------------------------------
A click to a reverse shell in OpenPLC and ladder logic OR Why you shouldn’t run everything as root in PLC and RTUs.
---------------------------------------------
https://www.pentestpartners.com/security-blog/snakes-and-ladder-logic/
∗∗∗ Npm package caught stealing sensitive Discord and browser files ∗∗∗
---------------------------------------------
Malicious code was found hidden inside a JavaScript library named Discord.dll.
---------------------------------------------
https://www.zdnet.com/article/npm-package-caught-stealing-sensitive-discord…
∗∗∗ IoT security is a mess. These guidelines could help fix that ∗∗∗
---------------------------------------------
New guidelines from ENISA recommend that all stages of the IoT device lifecycle need to be considered to help ensure devices are secure.
---------------------------------------------
https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Ultimate Member plug-in endangers WordPress sites ∗∗∗
---------------------------------------------
Admin vulnerabilities in the Ultimate Member plug-in threaten more than 100,000 WordPress websites. A patched version is available.
---------------------------------------------
https://heise.de/-4952685
∗∗∗ Remote code execution vulnerability in Firefox, Firefox ESR and Thunderbird ∗∗∗
---------------------------------------------
Mozilla has closed a critical vulnerability in its web browsers and its mail client.
---------------------------------------------
https://heise.de/-4953356
∗∗∗ SAP Patchday November 2020 ∗∗∗
---------------------------------------------
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1090
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Connect (APSB20-69) and Adobe Reader Mobile (APSB20-71). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided "AS IS" with no warranties and confers no rights.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1942
∗∗∗ Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper resource allocation when an affected device processes network traffic in software switching mode (punted).
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ SSA-492828: Denial-of-Service Vulnerability in SIMATIC S7-300 CPUs and SINUMERIK Controller ∗∗∗
---------------------------------------------
A vulnerability in S7-300 might allow an attacker to cause a Denial-of-Service condition on port 102 of the affected devices by sending specially crafted packets. Siemens is preparing updates and recommends specific countermeasures until fixes are available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-492828.txt
∗∗∗ SSA-431802: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
Siemens SCALANCE W1750D is a brand-labeled device. Aruba has released a related security advisory (ARUBA-PSA-2016-004) [0] disclosing vulnerabilities in its Aruba Instant product line. The advisory contains multiple related vulnerabilities that are summarized in CVE-2016-2031.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-431802.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (moin, obfs4proxy, tcpdump, and zeromq3), Fedora (samba), Mageia (lout, openldap, pacemaker, samba, sddm, and spice, spice-gtk), openSUSE (bluez, ImageMagick, java-1_8_0-openj9, otrs, and wireshark), Red Hat (bind, buildah, curl, fence-agents, kernel, kernel-rt, kpatch-patch, librepo, libvirt, podman, python, python3, qt and qt5-qtbase, resource-agents, skopeo, tomcat, and unixODBC), SUSE (gcc10, python3, SDL, and zeromq), and Ubuntu (libexif).
---------------------------------------------
https://lwn.net/Articles/836770/
∗∗∗ IPAS: Security Advisories for November 2020 ∗∗∗
---------------------------------------------
Hello, It’s the second Tuesday in November and today we are releasing 40 security advisories. If this seems like a large number of advisories for Intel to be releasing, you’re right. However, there are two primary reasons for this. First, as I mentioned in August, we are aligning public disclosures, as much as possible, to [...]
---------------------------------------------
https://blogs.intel.com/technology/2020/11/ipas-security-advisories-for-nov…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-11-2020 18:00 − Monday 09-11-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers have repeatedly harvested source code from SonarQube instances ∗∗∗
---------------------------------------------
The FBI already warned in October of an attack on installations belonging to, among others, US government agencies, but also to private companies.
---------------------------------------------
https://heise.de/-4951630
∗∗∗ Let's Encrypt: Old Android devices will have problems with millions of sites ∗∗∗
---------------------------------------------
The certificate change at Let's Encrypt causes problems for a third of all Android devices. The solution is Firefox.
---------------------------------------------
https://www.golem.de/news/let-s-encrypt-alte-android-geraete-bekommen-probl…
∗∗∗ New Pay2Key ransomware encrypts networks within one hour ∗∗∗
---------------------------------------------
A new ransomware called Pay2Key has been targeting organizations from Israel and Brazil, encrypting their networks within an hour in targeted attacks still under investigation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pay2key-ransomware-encry…
∗∗∗ How Ryuk Ransomware operators made $34 million from one victim ∗∗∗
---------------------------------------------
One hacker group that is targeting high-revenue companies with Ryuk ransomware received $34 million from one victim in exchange for the decryption key that unlocked their computers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operator…
∗∗∗ Gitpaste-12 Worm Targets Linux Servers, IoT Devices ∗∗∗
---------------------------------------------
The newly discovered malware uses GitHub and Pastebin to house component code, and harbors 12 different initial attack vectors.
---------------------------------------------
https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/
∗∗∗ Adventures in Anti-Gravity ∗∗∗
---------------------------------------------
Here we deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces).
---------------------------------------------
https://objective-see.com/blog/blog_0x5B.html
∗∗∗ Cryptojacking Targeting WebLogic TCP/7001, (Sat, Nov 7th) ∗∗∗
---------------------------------------------
This past week I got some interesting logs targeting TCP/7001 (WebLogic CVE-2020-14882 - see previous diary[1][2]) looking to download and launch a shell script to install various cryptominers on the target. The shell script targets SELinux-compatible hosts, likely CentOS/RedHat, Ubuntu, etc., to install various cryptominer applications.
---------------------------------------------
https://isc.sans.edu/diary/rss/26768
∗∗∗ How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th) ∗∗∗
---------------------------------------------
On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very short period of time. All the submitted files were OLE2 files containing a malicious macro. All of them had a low VT score, so it deserved some investigation. I downloaded the samples and had a look at them.
---------------------------------------------
https://isc.sans.edu/diary/rss/26770
∗∗∗ When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777 ∗∗∗
---------------------------------------------
Vatet, PyXie and Defray777 are all associated with a financially motivated threat group. We aim to get these malware families on the radar.
---------------------------------------------
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
∗∗∗ xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control ∗∗∗
---------------------------------------------
We observed evidence that the xHunt campaign used two backdoors on a compromised Microsoft Exchange Server at an organization in Kuwait.
---------------------------------------------
https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco patches serious vulnerability in Webex Meetings for Windows ∗∗∗
---------------------------------------------
The vulnerability came to light during internal testing. A local attacker can execute malicious code. Further vulnerabilities are in the Web Network Recording Player and Webex Player.
---------------------------------------------
https://www.zdnet.de/88389577/cisco-stopft-schwerwiegende-luecke-in-webex-m…
∗∗∗ WordPress Sites Open to Code Injection Attacks via Welcart e-Commerce Bug ∗∗∗
---------------------------------------------
The shopping cart application contains a PHP object-injection bug.
---------------------------------------------
https://threatpost.com/wordpress_open_to_attacks_welcart_bug/161037/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, kernel, libX11, qemu-kvm, thunderbird, and xorg-x11-server), Debian (guacamole-server, krb5, libexif, poppler, raptor2, and sympa), Fedora (blueman, chromium, freetype, galera, krb5, libtpms, mariadb, mariadb-connector-c, pngcheck, and salt), Mageia (blueman, docker, fontforge, junit, libproxy, libuv, mariadb, suricata, and webmin), openSUSE (apache-commons-httpclient, bluez, gnome-settings-daemon, gnome-shell, [...]
---------------------------------------------
https://lwn.net/Articles/836676/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-11-2020 18:00 − Friday 06-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Reverse shell botnet Gitpaste-12 spreads via GitHub and Pastebin ∗∗∗
---------------------------------------------
A newly discovered worm and botnet named Gitpaste-12 lives on GitHub and also uses Pastebin to host malicious code. The advanced malware comes equipped with reverse shell and crypto mining capabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/reverse-shell-botnet-gitpast…
∗∗∗ Security vulnerability: admin password for emergency services system unprotected on the net ∗∗∗
---------------------------------------------
Emergency patients are registered at hospitals via the Ivena software. An admin password has now been publicly visible on the manufacturer's website.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-admin-passwort-fuer-rettungsdie…
∗∗∗ RansomEXX Trojan attacks Linux systems ∗∗∗
---------------------------------------------
We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.
---------------------------------------------
https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/
∗∗∗ ALFA TEaM Shell ~ v4.1-Tesla: A Feature Update Analysis ∗∗∗
---------------------------------------------
We’ve seen a wider variety of PHP web shells being used by attackers this year — including a number of shells that have been significantly updated in an attempt to “improve” them. Depending on the scope of changes and feature enhancements that are added to an existing web shell’s source code, these updates can be tedious and time consuming for bad actors. For this reason, it’s common to see code for web shells reused among different, unaffiliated attackers.
---------------------------------------------
https://blog.sucuri.net/2020/11/alfa-team-shell-v4-1-tesla-a-feature-update…
∗∗∗ Rediscovering Limitations of Stateful Firewalls: "NAT Slipstreaming" - Implications, Detections and Mitigations ∗∗∗
---------------------------------------------
A recent {rediscovered} technique (NAT Slipstreaming) that allows an attacker to remotely access any TCP/UDP service bound to a victim's machine, thus bypassing the victim's Network Address Translation (NAT)/firewall implementation, was detailed by Samy Kamkar [1]. Samy had also shared a similar technique termed "NAT Pinning" back in 2010 [2]. The similarity in both techniques was convincing victims to access a specially crafted site implementing said techniques, resulting in [...]
---------------------------------------------
https://isc.sans.edu/forums/diary/Rediscovering+Limitations+of+Stateful+Fir…
∗∗∗ Business VOIP phone systems are being hacked for profit worldwide. Is yours secure? ∗∗∗
---------------------------------------------
Security researchers have uncovered an organised gang of cybercriminals who are compromising the VOIP phone systems of over 1000 organisations worldwide. Check Point has identified a malicious campaign that has targeted a critical vulnerability in the Sangoma PBX open-source GUI, used to manage installations of Asterisk - the world's most popular VOIP phone system for businesses.
---------------------------------------------
https://businessinsights.bitdefender.com/business-voip-phone-systems-are-be…
∗∗∗ IntelMQ offers tutorial lessons and a new documentation page ∗∗∗
---------------------------------------------
The IntelMQ tutorial guiding through various features and tools of IntelMQ is available in the IntelMQ Tutorial GitHub repository. Lesson one introduces the architecture, concepts and terminology of the project. Lessons two and three delve hands-on into working with IntelMQ. Starting with installation and basic usage & configuration they go on to tackle progressively more advanced topics like using advanced features or changing the message queue software to be used.
---------------------------------------------
https://cert.at/en/blog/2020/11/intelmq-tutorial-and-new-documentation-page
∗∗∗ Ryuk Speed Run, 2 Hours to Ransom ∗∗∗
---------------------------------------------
Since the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, [...]
---------------------------------------------
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities in iOS are being actively exploited – no update for iOS 13 ∗∗∗
---------------------------------------------
Apple users should update their operating system promptly; critical vulnerabilities are apparently being used in attacks. Not all system versions receive updates.
---------------------------------------------
https://heise.de/-4950496
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sddm and wordpress), Fedora (blueman, chromium, pngcheck, and salt), openSUSE (chromium, salt, tiff, tigervnc, tmux, tomcat, transfig, and xen), Oracle (freetype, kernel, libX11, thunderbird, and xorg-x11-server), SUSE (bluez, ImageMagick, java-1_8_0-openjdk, rmt-server, salt, and u-boot), and Ubuntu (dom4j, firefox, netqmail, phpldapadmin, and tmux).
---------------------------------------------
https://lwn.net/Articles/836467/
∗∗∗ Security Advisory - Netlogon Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201105…
∗∗∗ Digium Certified Asterisk: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1084
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-11-2020 18:00 − Thursday 05-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Exploit for Cisco VPN AnyConnect in circulation - security update still pending ∗∗∗
---------------------------------------------
Attacks on Cisco's VPN solution AnyConnect could be imminent. So far there are only patches for other vulnerabilities in IOS XR, Webex & Co.
---------------------------------------------
https://heise.de/-4948798
∗∗∗ Attacks on industrial enterprises using RMS and TeamViewer: new data ∗∗∗
---------------------------------------------
In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.
---------------------------------------------
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-team…
∗∗∗ Did You Spot "Invoke-Expression"?, (Thu, Nov 5th) ∗∗∗
---------------------------------------------
When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet[1]. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string.
---------------------------------------------
https://isc.sans.edu/diary/rss/26762
∗∗∗ Legacy Mauthtoken Malware Continues to Redirect Mobile Users ∗∗∗
---------------------------------------------
During malware analysis, we regularly find variations of this injected script on various compromised websites: [...] The variable "_0x446d" assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we'll end up with the following code: [...]
---------------------------------------------
https://blog.sucuri.net/2020/11/legacy-mauthtoken-malware-continues-to-redi…
∗∗∗ BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers ∗∗∗
---------------------------------------------
A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations.
---------------------------------------------
https://www.securityweek.com/bec-scammers-exploit-flaw-spoof-domains-racksp…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: BIG-IP appliances and the admin trap ∗∗∗
---------------------------------------------
Network equipment vendor F5 has released important patches to secure various appliances.
---------------------------------------------
https://heise.de/-4949448
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bouncycastle, gdm3, and libonig), Fedora (arpwatch, thunderbird, and trousers), openSUSE (chromium, gn), Red Hat (freetype, libX11, thunderbird, and xorg-x11-server), and SUSE (ImageMagick, java-11-openjdk, salt, and wireshark).
---------------------------------------------
https://lwn.net/Articles/836238/
∗∗∗ In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover - CVE-2020-14871 ∗∗∗
---------------------------------------------
FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer’s system and analyzed it to see how it was attacking their Solaris environment. The FLARE team’s Offensive Task Force analyzed the exploit to determine how it worked, reproduced the vulnerability on different versions of Solaris, and then reported it to Oracle. In this blog post we present a description of the [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overfl…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-11-2020 18:00 − Wednesday 04-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Won 49,500 euros? Beware, scammers are posing as EuroMillionen on the phone! ∗∗∗
---------------------------------------------
"Congratulations. You have won 49,500 euros." Scammers call in the name of EuroMillionen and deliver this good news to their victims. In reality, however, this is advance-fee fraud: before the amount can be transferred, the supposed winners must pay 1,500 euros for insurance. The prize is still not transferred, so the 1,500 euros are lost.
---------------------------------------------
https://www.watchlist-internet.at/news/49500-euro-gewonnen-vorsicht-betrueg…
∗∗∗ Exchange vulnerability: Many servers still exposed ∗∗∗
---------------------------------------------
One month after heise Security reported the dramatic number of vulnerable systems, the situation has improved but has not eased.
---------------------------------------------
https://heise.de/-4947221
∗∗∗ Google: Android vulnerability can "permanently" disable devices ∗∗∗
---------------------------------------------
With the November update for Android, Google closes several critical security vulnerabilities. Devices can be disabled or even taken over.
---------------------------------------------
https://www.golem.de/news/google-android-luecke-kann-geraete-dauerhaft-lahm…
∗∗∗ New RegretLocker ransomware targets Windows virtual machines ∗∗∗
---------------------------------------------
A new ransomware called RegretLocker uses a variety of advanced features that allows it to encrypt virtual hard drives and close open files for encryption.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-…
∗∗∗ Sneaky Office 365 phishing inverts images to evade detection ∗∗∗
---------------------------------------------
A creative Office 365 phishing campaign has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by crawlers designed to spot phishing sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sneaky-office-365-phishing-i…
∗∗∗ Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike, (Tue, Nov 3rd) ∗∗∗
---------------------------------------------
Starting late last week, we observed a large number of scans against our WebLogic honeypots to detect if they are vulnerable to CVE-2020-14882. CVE-2020-14882 was patched about two weeks ago as part of Oracle's quarterly critical patch update. In addition to scans simply enumerating vulnerable servers, we saw a small number of scans starting on Friday (Oct. 30th) attempting to install crypto-mining tools [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/26752
=====================
= Vulnerabilities =
=====================
∗∗∗ SaltStack: Security packages fix three vulnerabilities, some of them critical ∗∗∗
---------------------------------------------
Updates are available for many SaltStack versions; given the risk posed by the three vulnerabilities, the developers advise updating promptly.
---------------------------------------------
https://heise.de/-4947393
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and firefox), Fedora (nss), openSUSE (pacemaker), Red Hat (bind, binutils, bluez, cloud-init, container-tools:rhel8, cryptsetup, cups, curl, cyrus-imapd, cyrus-sasl, dovecot, dpdk, edk2, evolution, expat, file-roller, fontforge, freeradius:3.0, freerdp and vinagre, freetype, frr, gd, glibc, GNOME, gnome-software and fwupd, gnupg2, grafana, httpd:2.4, idm:DL1 and idm:client, kernel, kernel-rt, libarchive, libexif, libgcrypt, libldb, [...]
---------------------------------------------
https://lwn.net/Articles/836137/
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has published a total of 35 security advisories for several products with the following security impact ratings:
High: 12
Medium: 23
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ Patch for Critical VMware ESXi Vulnerability Incomplete ∗∗∗
---------------------------------------------
VMware on Wednesday informed customers that it has released new patches for ESXi after learning that a fix made available last month for a critical vulnerability was incomplete.
---------------------------------------------
https://www.securityweek.com/patch-critical-vmware-esxi-vulnerability-incom…
∗∗∗ Joomla Publisher V 3.0.19 Stored XSS ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020110017
∗∗∗ Joomla JomSocial 4.7.6 Stored XSS ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020110016
∗∗∗ Security Advisory - Insecure Encryption Algorithm Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20201104…
∗∗∗ Vulnerabilities in Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/vulnerabilities-in-trend-micro…
∗∗∗ Red Hat Enterprise Linux: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1076
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-11-2020 18:00 − Tuesday 03-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Emotet -> Qakbot -> more Emotet, (Tue, Nov 3rd) ∗∗∗
---------------------------------------------
On Friday 2020-10-30, I generated an Emotet infection in my lab and saw Qakbot as the follow-up malware. I let the activity run for a while, then another Emotet infection appeared on the same host after Qakbot started.
---------------------------------------------
https://isc.sans.edu/diary/rss/26750
∗∗∗ Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945 ∗∗∗
---------------------------------------------
Through Mandiant investigation of intrusions between February 2018 and September 2020, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise telecommunications companies and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party networks (see this blog post for an in-depth description of “UNC” groups). UNC1945 targeted Oracle Solaris operating systems, utilized several [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-o…
∗∗∗ JavaScript package manager: Twilio brandjacking package opens a backdoor ∗∗∗
---------------------------------------------
Last weekend, attackers published a package named twilio-npm that starts a reverse shell on the developer's system.
---------------------------------------------
https://heise.de/-4945861
∗∗∗ Pigeonholes for vulnerabilities: An overview of the CVE system ∗∗∗
---------------------------------------------
MITRE's Common Vulnerabilities and Exposures (CVE) system is the established standard for managing vulnerabilities. We explain what it is all about.
---------------------------------------------
https://heise.de/-4940478
∗∗∗ Buying puppies on the internet? - Better not! ∗∗∗
---------------------------------------------
When searching for breeders on the internet, you may come across websites selling beautiful purebred puppies - usually at a very low price. Animal lovers are lured, above all with loving photos and descriptions, into contacting the supposed breeder. But beware: selling dogs and cats over the internet is prohibited in Austria.
---------------------------------------------
https://www.watchlist-internet.at/news/hundewelpen-im-internet-kaufen-liebe…
∗∗∗ These software bugs are years old. But businesses still aren't patching them ∗∗∗
---------------------------------------------
Many organisations still haven't applied security patches issued years ago, putting them at risk from common cyber attacks.
---------------------------------------------
https://www.zdnet.com/article/these-software-bugs-are-years-old-but-busines…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Alert CVE-2020-14750 Released ∗∗∗
---------------------------------------------
Oracle has just released Security Alert CVE-2020-14750. This vulnerability affects a number of versions of Oracle WebLogic Server and has a CVSS Base Score of 9.8. WebLogic Server customers should refer to the Security Alert Advisory for information on affected versions and how to obtain the required patches. This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update. Vulnerability CVE-2020-14750 is remotely exploitable without authentication, [...]
---------------------------------------------
https://blogs.oracle.com/security/security-alert-cve-2020-14750-released
∗∗∗ Security Updates Available for Adobe Acrobat and Reader (APSB20-67) ∗∗∗
---------------------------------------------
Adobe has published a security bulletin for Adobe Acrobat and Reader (APSB20-67). The updates referenced in the bulletin address critical, important and moderate vulnerabilities and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1939
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (blueman and wordpress), Fedora (fastd, kernel, and samba), Gentoo (bluez, fossil, kpmcore, libssh, and opendmarc), openSUSE (claws-mail and icinga2), and Ubuntu (blueman).
---------------------------------------------
https://lwn.net/Articles/835952/
∗∗∗ Google's Project Zero uncovers security vulnerability in GitHub ∗∗∗
---------------------------------------------
The security team has rated the risk of the discovered vulnerability to developers as high. There is no quick fix for the problem so far.
---------------------------------------------
https://heise.de/-4946535
∗∗∗ Android Security Bulletin - November 2020 ∗∗∗
---------------------------------------------
[...] The most severe of these issues is a critical security vulnerability in the System component that could enable a proximal attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
---------------------------------------------
https://source.android.com/security/bulletin/2020-11-01
∗∗∗ Google Patches Actively Exploited Chrome Vulnerabilities ∗∗∗
---------------------------------------------
Google has released updates to address multiple vulnerabilities in the Chrome browser, including two that are actively exploited in attacks. Chrome 86.0.4240.183 for Windows, macOS, and Linux was pushed to the stable channel with patches for a total of seven vulnerabilities, all of which feature a severity rating of high.
---------------------------------------------
https://www.securityweek.com/google-patches-actively-exploited-chrome-vulne…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-10-2020 18:00 − Monday 02-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security vulnerability: Zero-day in the Windows kernel published ∗∗∗
---------------------------------------------
Google published the vulnerability after only 7 days because it was already being actively exploited. There are no patches.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-zero-day-im-windows-kernel-vero…
∗∗∗ More File Selection Gaffes, (Sat, Oct 31st) ∗∗∗
---------------------------------------------
A reader submitted a file, that turned out to be a mass mailer project file used by malicious actors.
---------------------------------------------
https://isc.sans.edu/diary/rss/26722
∗∗∗ CSS-JS Steganography in Fake Flash Player Update Malware ∗∗∗
---------------------------------------------
This summer, MalwareBytes researcher Jérôme Segura wrote an article about how criminals use image files (.ico) to hide JavaScript credit card stealers on compromised e-commerce sites. In a tweet, Affable Kraut also reported another similar obfuscation technique using .ico files to conceal JavaScript skimmers. Just something I’ve noticed more recently with digital skimmers/#magecart.
---------------------------------------------
https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-u…
∗∗∗ How to Protect Yourself From Pwned and Password Reuse Attacks ∗∗∗
---------------------------------------------
Many businesses are currently looking at how to bolster security across their organization as the pandemic and remote work situation continues to progress towards the end of the year. As organizations continue to implement security measures to protect business-critical data, there is an extremely important area of security that often gets overlooked - passwords.
---------------------------------------------
https://thehackernews.com/2020/11/how-to-protect-yourself-from-pwned-and.ht…
∗∗∗ NAT Slipstreaming ∗∗∗
---------------------------------------------
NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.
---------------------------------------------
https://samy.pl/slipstream/
∗∗∗ Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment ∗∗∗
---------------------------------------------
UPDATE (Oct. 30, 2020): We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in combating ransomware. While the full scope of recommendations included within the initial report remain unchanged, the following strategies have been added into the report: [...]
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2019/09/ransomware-protection-…
∗∗∗ Cisco Talos Advisory on Adversaries Targeting the Healthcare and Public Health Sector ∗∗∗
---------------------------------------------
Cisco Talos has become aware that an adversary is leveraging Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encrypt systems at “potentially hundreds” of medical centers and hospitals, based on a tip from a researcher who had been monitoring communications for the threat actor.
---------------------------------------------
https://blog.talosintelligence.com/2020/10/healthcare-advisory.html
∗∗∗ RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware ∗∗∗
---------------------------------------------
Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable. However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/ryuk-ransoware-indic…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cimg, junit4, kernel, openldap, qtsvg-opensource-src, spice, spice-gtk, tzdata, and wireshark), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, and thunderbird), openSUSE (apache2, binutils, libvirt, lout, pacemaker, pagure, phpMyAdmin, samba, sane-backends, singularity, spice, spice-gtk, thunderbird, nspr, tomcat, virt-bootstrap, and xen), SUSE (graphviz, liblouis, and samba), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/835838/
∗∗∗ Oracle Security Alert for CVE-2020-14750 - 01 November 2020 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
∗∗∗ Hormann BiSecur Gateway and Home Server multiple vulnerabilities ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/hormann-bisecur-gateway-and-ho…
∗∗∗ WordPress: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1058
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-10-2020 18:00 − Friday 30-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ "2nd lockdown! Crisis! What now?" – SMS advertises fraudulent investment platform ∗∗∗
---------------------------------------------
A tightening of the Corona measures means less income for many people. Scammers know this too, and they deliberately exploit this predicament. A fraudulent SMS is currently circulating that offers a seemingly simple solution: investing in Bitcoins – but on a dubious platform. The resulting losses range from 200 euros to well over 100,000 euros. So delete the SMS!
---------------------------------------------
https://www.watchlist-internet.at/news/2-lockdown-krise-was-jetzt-sms-bewir…
∗∗∗ [SANS ISC] Quick Status of the CAA DNS Record Adoption ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: "Quick Status of the CAA DNS Record Adoption": In 2017, we already published a guest diary about "CAA" or "Certification Authority Authorization". I was curious about the status of this technique and the adoption level in 2020. Has it been adopted massively since
---------------------------------------------
https://blog.rootshell.be/2020/10/30/sans-isc-quick-status-of-the-caa-dns-r…
∗∗∗ BEC Attacks Targeting Energy and Infrastructure Rise by 93% ∗∗∗
---------------------------------------------
Business email compromise attacks (BEC) have continued to grow in Q3 of 2020, rising by 15% overall compared to Q2, according to Abnormal Security’s Quarterly BEC Report. The average weekly volume of BEC attacks increased quarter-by-quarter in six out of eight industries, with the biggest rise observed in the energy/infrastructure sector, at 93%.
---------------------------------------------
https://www.infosecurity-magazine.com/news/bec-attacks-energy-infrastructur…
∗∗∗ Pktvisor: Open source tool for network visibility ∗∗∗
---------------------------------------------
NS1 announced that pktvisor, a lightweight, open source tool for real-time network visibility, is available on GitHub. The importance of applications and digital services has skyrocketed in 2020. Connectivity and resilience are imperative to keeping people connected and business moving forward. Visibility into network traffic, especially in distributed edge environments and with malicious attacks on the rise, is a critical part of ensuring uptime and performance.
---------------------------------------------
https://www.helpnetsecurity.com/2020/10/30/pktvisor-open-source-tool/
∗∗∗ Oh ... Ransomware has encrypted my backups too ... What now? ∗∗∗
---------------------------------------------
Ransomware has been plaguing companies worldwide for one to two decades now [1]. There is no sign of a trend that this will change soon; unfortunately, the opposite must be assumed. The number of incidents has risen, especially in recent years [2]. Attackers now rely not only on encryption, but also threaten to publish company data that was exfiltrated before it was rendered unusable, in order to [...]
---------------------------------------------
https://cert.at/de/blog/2020/10/oh-ransomware-hat-auch-meine-backups-versch…
=====================
= Vulnerabilities =
=====================
∗∗∗ Attacks exploiting Netlogon vulnerability (CVE-2020-1472) ∗∗∗
---------------------------------------------
Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be [...]
---------------------------------------------
https://msrc-blog.microsoft.com:443/2020/10/29/attacks-exploiting-netlogon-…
∗∗∗ Security vulnerabilities: Nvidia releases BMC firmware updates for DGX servers ∗∗∗
---------------------------------------------
Nine security vulnerabilities, one of which is considered critical, have been removed from the AMI BMC firmware for Nvidia's deep-learning servers DGX-1, DGX-2 and DGX A100.
---------------------------------------------
https://heise.de/-4943948
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Synology SRM (Synology Router Manager) ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple remote vulnerabilities in software that helps power Synology routers. The bugs exist in Synology Router Manager (SRM) - a Linux-based operating system for Synology routers - and QuickConnect, a feature inside SRM that allows users to remotely connect to their routers. An adversary could use these vulnerabilities to carry out a range of [...]
---------------------------------------------
https://blog.talosintelligence.com/2020/10/vulnerability-spotlight-multiple…
∗∗∗ October 29, 2020 TNS-2020-07 [R1] Nessus Agent 8.2.0 Fixes One Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2020-07
∗∗∗ October 29, 2020 TNS-2020-08 [R1] Nessus 8.12.1 Fixes One Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2020-08
∗∗∗ Wireshark: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-1054