Daily

daily@lists.cert.at

1 participants
3150 discussions

Tageszusammenfassung - 06.04.2020
by Daily end-of-shift report 06 Apr '20

06 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-04-2020 18:00 − Montag 06-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Web server security: Command line-fu for web server protection ∗∗∗ --------------------------------------------- Adequate web server security requires proper understanding, implementation and use of a variety of different tools. In this article, we will take a look at some command line tools that can be used to manage the security of web servers. --------------------------------------------- https://resources.infosecinstitute.com/web-server-security-command-line-fu-… ∗∗∗ Analyzing & Decrypting L4NC34’s Simple Ransomware ∗∗∗ --------------------------------------------- We’re constantly seeing news about computers being infected by ransomware, but very little do we hear about it affecting websites. That being said, the impact can be serious if the affected website is the webmaster’s only source of income or a business relies entirely on it’s website and online presence. --------------------------------------------- https://blog.sucuri.net/2020/04/analyzing-decrypting-l4nc34s-simple-ransomw… ∗∗∗ Kinsing Linux Malware Deploys Crypto-Miner in Container Environments ∗∗∗ --------------------------------------------- A campaign that has been ongoing for months is targeting misconfigured open Docker Daemon API ports to install a piece of malware named Kinsing, which in turn deploys a cryptocurrency miner in compromised container environments. --------------------------------------------- https://www.securityweek.com/kinsing-linux-malware-deploys-crypto-miner-con… ∗∗∗ 8,000 Unprotected Redis Instances Accessible From Internet ∗∗∗ --------------------------------------------- Trend Micro’s security researchers discovered roughly 8,000 unsecured Redis instances that were exposed to anyone with an Internet connection. Spread all over the world, the unsecured instances were found to lack Transport Layer Security (TLS) encryption and without any password protection. Some of these instances were even deployed in public clouds. --------------------------------------------- https://www.securityweek.com/8000-unprotected-redis-instances-accessible-in… ∗∗∗ Userdir URLs like https://example.org/~username/ are dangerous ∗∗∗ --------------------------------------------- I would like to point out a security problem with a classic variant of web space hosting. While this issue should be obvious to anyone knowing basic web security, I have never seen it being discussed publicly. Some server operators allow every user on the system to have a personal web space where they can place files in a directory (often ~/public_html) and they will appear on the host under a URL with a tilde and their username (e.g. https://example.org/~username/). --------------------------------------------- https://blog.hboeck.de/archives/899-Userdir-URLs-like-httpsexample.orgusern… ∗∗∗ MISP 2.4.124 released (aka the dashboard, auditing improvements) ∗∗∗ --------------------------------------------- MISP 2.4.124 releasedA new version of MISP (2.4.124) has been released. This version includes various improvements including a new multiline widgets in the dashboard, auditing improvements and many bugs fixed. --------------------------------------------- https://www.misp-project.org/2020/04/06/MISP.2.4.124.released.html ∗∗∗ Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet ∗∗∗ --------------------------------------------- A proof-of-concept for CVE-2020-8515 that was made publicly available in March is found being employed by a new DDoS botnet called hoaxcalls. --------------------------------------------- https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#660597: Periscope BuySpeed is vulnerable to stored cross-site scripting ∗∗∗ --------------------------------------------- Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed version 14.5 is vulnerable to stored cross-site scripting,which could allow a local,authenticated attacker to store arbitrary JavaScript within the application. --------------------------------------------- https://kb.cert.org/vuls/id/660597 ∗∗∗ Gefährliche Sicherheitslücken in HP Support Assistant immer noch offen ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher rügt HP, weil die Entwickler seit Monaten im standardmäßig installierten HP Support Assistant diverse Schwachstellen nicht schließen. --------------------------------------------- https://heise.de/-4697583 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, gnutls28, and libmtp), Fedora (cyrus-sasl, firefox, glibc, squid, and telnet), Gentoo (firefox), Mageia (dcraw, firefox, kernel, kernel-linus, librsvg, and python-nltk), openSUSE (firefox, haproxy, icu, and spamassassin), Red Hat (nodejs:10, openstack-manila, python-django, python-XStatic-jQuery, and telnet), Slackware (firefox), SUSE (bluez, exiv2, and libxslt), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/816886/ ∗∗∗ XSS vulnerability in the Dashboard name parameter of FortiADC. ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-012 ∗∗∗ Improper Authorization vulnerability in FortiADC ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-013 ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Bouncy Castle API affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2019-16782). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-o… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2020
by Daily end-of-shift report 03 Apr '20

03 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-04-2020 18:00 − Freitag 03-04-2020 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln ∗∗∗ --------------------------------------------- I’m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero’s ideas and goals around in-the-wild 0-days in a November blog post. On December’s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-y… ∗∗∗ Progress In 2020 Funding Challenge - Thanks To Fantastic Global Supporters, But More Help Still Needed! ∗∗∗ --------------------------------------------- Our first status update on the critical initial milestone in Shadowservers urgent 2020 funding challenge. Great progress from our awesome community, with particular thanks to philanthropist Craig Newmark, but more help still needed to fully secure our data center operations in 2020. Join with us to continue protecting victims of cybercrime and help protect the Internet. --------------------------------------------- https://www.shadowserver.org/news/progress-in-2020-funding-challenge-thanks… ∗∗∗ Contact Form 7 Datepicker: Gefährliches WordPress-Plugin ohne Support ∗∗∗ --------------------------------------------- Angreifer könnten WordPress-Websites attackieren und Admin-Sessions übernehmen. --------------------------------------------- https://heise.de/-4696045 ∗∗∗ Researchers Discover Hidden Behavior in Thousands of Android Apps ∗∗∗ --------------------------------------------- Thousands of mobile applications for Android contain hidden behavior such as backdoors and blacklists, a group of researchers has discovered. With smartphones being part of our every-day lives, millions of applications are being used for a broad variety of activities, yet many of these engage in behaviors that are never disclosed to their users. --------------------------------------------- https://www.securityweek.com/researchers-discover-hidden-behavior-thousands… ∗∗∗ Mahnungen und Zahlungsaufforderungen von Flirthub.de ungerechtfertigt ∗∗∗ --------------------------------------------- Zahlreiche InternetuserInnen wenden sich momentan an uns, da sie plötzlich Zahlungsaufforderungen von Flirthub.de erhalten. Angeblich hätten sie sich auf der Website der MD Service GmbH angemeldet und eine Testphase sei nun in ein Premium-Abo übergelaufen. Wir haben uns die Websites und Zahlungsaufforderungen genauer angesehen. Unser Urteil: Betroffene müssen die geforderten 265,62 Euro nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/mahnungen-und-zahlungsaufforderungen… ∗∗∗ Vorsicht bei gefälschten Nachrichten von SMSinfo zu Paketlieferungen ∗∗∗ --------------------------------------------- Aufgrund der Corona-Krise müssen Fachgeschäfte in Österreich geschlossen sein. Viele Menschen greifen daher auf Online-Bestellungen zurück und warten auf ihr bestelltes Paket. Das nutzen derzeit vermehrt Kriminelle aus und versenden SMS unter den Namen „SMSinfo“. Der mitgeschickte Link in dieser SMS führt zu einer gefälschten Post-Webseite auf der Sie aufgefordert werden zwei Euro zu zahlen. Geben Sie Ihre Daten hier nicht ein, denn die Nachricht stammt [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-gefaelschten-nachrichte… ∗∗∗ GuLoader: Malspam Campaign Installing NetWire RAT ∗∗∗ --------------------------------------------- NetWire, a publicly-available RAT, was found being distributed through a file downloader called GuLoader. We explain how its infection chain works and how to defend against it. --------------------------------------------- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ ∗∗∗ Microsoft: How one Emotet infection took out this organizations entire network ∗∗∗ --------------------------------------------- An Emotet victims IT disaster shows why organizations should filter internal emails and use two-factor authentication. --------------------------------------------- https://www.zdnet.com/article/microsoft-how-one-emotet-infection-took-out-t… ===================== = Vulnerabilities = ===================== ∗∗∗ B&R Automation Studio ∗∗∗ --------------------------------------------- This advisory contains mitigations for improper privilege management, missing required cryptographic step, and path traversal vulnerabilities in B&R Automation Studio software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-093-01 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and qbittorrent), Gentoo (gnutls), Mageia (bluez, kernel, python-yaml, varnish, and weechat), Oracle (haproxy and nodejs:12), SUSE (exiv2, haproxy, libpng12, mgetty, and python3), and Ubuntu (libgd2). --------------------------------------------- https://lwn.net/Articles/816757/ ∗∗∗ Security Bulletin: IBM Agile Lifecycle Manager is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-agile-lifecycle-manag… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Agile Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged user could execute commands as root ( CVE-2020-4273) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2020
by Daily end-of-shift report 02 Apr '20

02 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-04-2020 18:00 − Donnerstag 02-04-2020 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Office 365 Phishing Uses CSS Tricks to Bypass Email Gateways ∗∗∗ --------------------------------------------- A phishing campaign using Office 365 voicemail lures to trick them into visiting landing pages designed to steal their personal information or infect their computers with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/office-365-phishing-uses-css… ∗∗∗ Pekraut - German RAT starts gnawing ∗∗∗ --------------------------------------------- Feature-rich remote access malware Pekraut emerges. The rodent seems to be of German origin and is ready to be released. We analyzed the malware in-depth. --------------------------------------------- https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-… ∗∗∗ Cyber-Kriminelle nutzen Corona-Krise vermehrt aus ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) beobachtet aktuell eine Zunahme von Cyber-Angriffen mit Bezug zum Corona-Virus auf Unternehmen und Bürger. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/Cyber-Krimi… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache HTTP Server 2.4 vulnerabilities, Fixed in Apache httpd 2.4.42 ∗∗∗ --------------------------------------------- low: mod_proxy_ftp use of uninitialized value (CVE-2020-1934): mod_proxy_ftp use of uninitialized value with maliciosu FTP backend. low: mod_rewrite CWE-601 open redirect (CVE-2020-1927): Some mod_rewrite configurations vulnerable to open redirect. --------------------------------------------- https://httpd.apache.org/security/vulnerabilities_24.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, kernel, linux-hardened, linux-lts, and pam-krb5), Debian (haproxy, libplist, and python-bleach), Fedora (tomcat), Gentoo (ghostscript-gpl, haproxy, ledger, qtwebengine, and virtualbox), Red Hat (haproxy, nodejs:12, qemu-kvm-rhev, and rh-haproxy18-haproxy), SUSE (memcached and qemu), and Ubuntu (apport). --------------------------------------------- https://lwn.net/Articles/816633/ ∗∗∗ 2020-04-02: Vulnerabilities in Telephone Gateway TG/S 3.2 ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A3921&Lan… ∗∗∗ 2020-04-02: SECURITY System 800xA Information Manager - Remote Code Execution ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121232&Language… ∗∗∗ 2020-04-02: SECURITY System 800xA Weak Registry Permissions ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2PAA121221&Language… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.5.0 ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF10 + ICAM 3.0 – 4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2019-2989 vulnerabilitiy in IBM Java Runtime affects IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2989-vulnerabili… ∗∗∗ Security Bulletin: CVE-2019-4732 vulnerabilitiy in IBM Java Runtime affects IBM Integration Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4732-vulnerabili… ∗∗∗ Security Bulletin: IBM Process Federation Server REST API is subject to DoS attacks ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-federation-se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2020
by Daily end-of-shift report 01 Apr '20

01 Apr '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-03-2020 18:00 − Mittwoch 01-04-2020 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zoom Lets Attackers Steal Windows Credentials via UNC Links ∗∗∗ --------------------------------------------- The Zoom Windows client is vulnerable to UNC path injection in the clients chat feature that could allow attackers to steal the Windows credentials of users who click on the link. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-wi… ∗∗∗ WARNING: Hackers Install Secret Backdoor on Thousands of Microsoft SQL Servers ∗∗∗ --------------------------------------------- [...] Named "Vollgar" after the Vollar cryptocurrency it mines and its offensive "vulgar" modus operandi, researchers at Guardicore Labs said the attack employs password brute-force to breach Microsoft SQL servers with weak credentials exposed to the Internet. --------------------------------------------- https://thehackernews.com/2020/04/backdoor-.html ∗∗∗ WordPress-SEO-Plugin Rank Math: Admin-Lücke gefährdet Websites ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke mit Höchstwertung im WordPress-Plugin Rank Math kann Angreifer zu Admins machen. Ein Update ist verfügbar. --------------------------------------------- https://heise.de/-4694641 ∗∗∗ Kleinanzeigenbetrug: So funktioniert der Dreiecksbetrug ∗∗∗ --------------------------------------------- Ebay, Willhaben, Shpock und Co. sind beliebt, um günstige und gebrauchte Ware zu kaufen oder nicht mehr gebrauchte Gegenstände zu verkaufen. Doch auch Kriminelle fühlen sich auf diesen Kleinanzeigenportalen wohl, da sie die Anonymität im Internet gezielt nutzen können. Eine besonders perfide Betrugsfalle in diesem Bereich ist der „Dreiecksbetrug“. Hier werden sowohl KäuferInnen als auch VerkäuferInnen abgezockt. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-so-funktioniert-… ===================== = Vulnerabilities = ===================== ∗∗∗ BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System ∗∗∗ --------------------------------------------- This advisory contains mitigations for a protection mechanism failure vulnerability in BD Pyxis medical devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-20-091-01 ∗∗∗ Hirschmann Automation and Control HiOS and HiSecOS Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for a classic buffer overflow vulnerability in Hirschmann Automation and Control HiOS and HiSecOS software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-091-01 ∗∗∗ Mitsubishi Electric MELSEC ∗∗∗ --------------------------------------------- This advisory contains mitigations for an uncontrolled resource consumption vulnerability in Mitsubishi Electric MELSEC programmable controllers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-091-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, [...] --------------------------------------------- https://lwn.net/Articles/816511/ ∗∗∗ Cisco NX-OS Software Anycast Gateway Invalid ARP Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software NX-API Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200401-… ∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data returning decrypted credentials ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java(CVE-2020-2604) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Possible denial of service vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-possible-denial-of-servic… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Tririga Application Platform (CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-a… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by multiple vulnerabilities in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Vulnerabilities in Java runtime environment that IBM provides affect WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-r… ∗∗∗ Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2020-4303, CVE-2020-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple Db2 vulnerabilities affect the IBM Spectrum Protect Server (CVE-2019-4057, CVE-2019-4101, CVE-2019-4154, CVE-2019-4386, CVE-2019-4322) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-vulnerabilit… ∗∗∗ Security Bulletin: Security vulnerability in IBM Java SDK affect Rational Build Forge (CVE-2020-2654) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ HPESBHF03994 rev.1 - HPE Superdome Flex with iLO4, Remote or Local Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03940 rev.1 - HPE MSA 1040, HPE MSA 2040, HPE MSA 2042, HPE MSA 1050, HPE MSA 2050, and HPE MSA 2052 Multiple Remote Access Restriction Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03993 rev.1 - HPE Superdome X servers with iLO4, Remote Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03995 rev.1 - HPE Superdome X servers with iLO4, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03986 rev.1 - HPE Superdome X servers with iLO4, Remote Code Execution and Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2020
by Daily end-of-shift report 31 Mar '20

31 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 30-03-2020 18:00 − Dienstag 31-03-2020 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Networking Basics for Reverse Engineers ∗∗∗ --------------------------------------------- This article will define network reverse engineering, list tools used by reverse engineers for reverse engineering and then highlight the network basics required by such engineers. The article will illustrate, through the lens of an attacker, how to expose the vulnerability of a network protocol and exploit the vulnerability, and then discuss how to [...] --------------------------------------------- https://resources.infosecinstitute.com/networking-basics-for-reverse-engine… ∗∗∗ OWASP Firmware Security Testing Methodology ∗∗∗ --------------------------------------------- FSTM is composed of nine stages tailored to enable security researchers, software developers, hobbyists, and Information Security professionals with conducting firmware security assessments. --------------------------------------------- https://scriptingxss.gitbook.io/firmware-security-testing-methodology/ ∗∗∗ They told me I could be anything, so I became a Kubernetes node - Using K3s for command and control on compromised Linux hosts ∗∗∗ --------------------------------------------- In their RSA 2020 talk Advanced Persistence Threats: The Future of Kubernetes Attacks, Ian Coldwater and Brad Geesaman demonstrated that K3s, a lightweight version of Kubernetes, can be used to backdoor compromised Kubernetes clusters. This post describes how K3s can also serve as an easy command and control (C2) mechanism to remotely control compromised Linux machines. --------------------------------------------- https://blog.christophetd.fr/using-k3s-for-command-and-control-on-compromis… ∗∗∗ Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit ∗∗∗ --------------------------------------------- While following reports on these infections, we stumbled upon a very poorly maintained server connected to a very loud operation named Inter. Upon reverse engineering this server, we found ourselves in conversation with the hackers themselves who revealed much more information about the Inter toolkit operation. This blog post shares some of the findings and explores how digital skimming is evolving into a service. --------------------------------------------- https://www.perimeterx.com/resources/blog/2020/skimming-as-a-service-anatom… ∗∗∗ Microsoft fixt Windows 10 VPN-Bug mit optionalen Sonderupdates ∗∗∗ --------------------------------------------- Microsoft bringt Windows-10-Updates, die einen Fehler beim Internetzugang beheben sollen, speziell wenn VPN-Software mit Proxy-Konfigurationen verwendet wird. --------------------------------------------- https://heise.de/-4694177 ∗∗∗ Industrial Controllers Still Vulnerable to Stuxnet-Style Attacks ∗∗∗ --------------------------------------------- Researchers demonstrated recently that hackers could launch a Stuxnet-style attack against Schneider Electric’s Modicon programmable logic controllers (PLCs), but it’s believed that products from other vendors could also be vulnerable to the same type of attack. --------------------------------------------- https://www.securityweek.com/industrial-controllers-still-vulnerable-stuxne… ∗∗∗ FBI Warns of Ongoing Kwampirs Attacks Targeting Global Industries ∗∗∗ --------------------------------------------- A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns. --------------------------------------------- https://www.securityweek.com/fbi-warns-ongoing-kwampirs-attacks-targeting-g… ∗∗∗ Vorsicht vor Gewinnspielen, die Kreditkartendaten erfordern ∗∗∗ --------------------------------------------- Kriminelle geben sich als bekannte Unternehmen aus und verbreiten über unterschiedliche Kanäle gefälschte Gewinnspiele. Sie täuschen den TeilnehmerInnen vor, ein iPhone 11 Pro, einen E-Scooter oder Weber Grill gewonnen zu haben. Für den Versand des Gewinnes werden jedoch 1-3 Euro, die per Kreditkarte bezahlt werden müssen, verlangt. Vorsicht: Es handelt sich um eine Abo-Falle. Kriminelle buchen monatlich bis zu 90 Euro ab. Ihren angeblichen Gewinn erhalten Sie [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gewinnspielen-die-kredi… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin ∗∗∗ --------------------------------------------- On March 23, 2020, our Threat Intelligence team discovered 2 vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site. --------------------------------------------- https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-o… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux-raspi2, linux-raspi2-5.3, and Timeshift). --------------------------------------------- https://lwn.net/Articles/816368/ ∗∗∗ VU#962085: Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/962085 ∗∗∗ VU#944837: Vertiv Avocent UMG-4000 vulnerable to command injection and cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/944837 ∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ PEPPERL+FUCHS Kr00k vulnerabilities in Broadcom Wi-Fi chipsets ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-014 ∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4238) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Denial of service vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4236) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in TLS (CVE-2019-6485) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Potential information disclosure vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4239) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-information-dis… ∗∗∗ Security Bulletin: Directory Traversal vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4240, CVE-2020-4209) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-vulne… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Protect Plus (CVE-2019-15606, CVE-2019-15604, CVE-2019-15605, CVE-2019-9511, CVE-2019-9516, CVE-2019-9512, CVE-2019-9517, CVE-2019-9518, CVE-2019-9515, CVE-2019-9513, CVE-2019-9514) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerabi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2020
by Daily end-of-shift report 30 Mar '20

30 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-03-2020 18:00 − Montag 30-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sicherheitsupdates: BIG-IP Appliances von F5 angreifbar ∗∗∗ --------------------------------------------- Die Entwickler von F5 haben mehrere Sicherheitslücken in verschiedenen Produkten geschlossen. --------------------------------------------- https://heise.de/-4693455 ∗∗∗ A mysterious hacker group is eavesdropping on corporate email and FTP traffic ∗∗∗ --------------------------------------------- Hacker group uses zero-day in DrayTek Vigor enterprise routers and VPN gateways to record network traffic. --------------------------------------------- https://www.zdnet.com/article/a-mysterious-hacker-group-is-eavesdropping-on… ∗∗∗ Source code of Dharma ransomware pops up for sale on hacking forums ∗∗∗ --------------------------------------------- The source code of one of todays most profitable and advanced ransomware strains is up for sale on two Russian-language hacking forums. --------------------------------------------- https://www.zdnet.com/article/source-code-of-dharma-ransomware-pops-up-for-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/816267/ ∗∗∗ Synology-SA-20:04 Drupal ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Drupal. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_04_Drupal ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0272 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2020
by Daily end-of-shift report 27 Mar '20

27 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-03-2020 18:00 − Freitag 27-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Bug: Kein durchgängiges VPN unter iOS ∗∗∗ --------------------------------------------- Alte Verbindungen werden unter iOS derzeit am VPN vorbeigeleitet. --------------------------------------------- https://www.golem.de/news/bug-kein-durchgaengiges-vpn-unter-ios-2003-147552… ∗∗∗ Corona-Malware-Kampagne im Namen der WHO über manipulierte Routereinstellungen ∗∗∗ --------------------------------------------- Manipulierte DNS-Settings von D-Link- und Linksys-Routern leiten auf angebliche Warnhinweise der World Health Organization, hinter denen sich Malware verbirgt. --------------------------------------------- https://heise.de/-4692092 ∗∗∗ Micropatching Unknown 0days in Windows Type 1 Font Parsing ∗∗∗ --------------------------------------------- Three days ago, Microsoft published a security advisory alerting about two vulnerabilities in Windows font parsing, which were noticed as being exploited in "limited targeted Windows 7 based attacks." These vulnerabilities currently dont have an official vendor fix. As weve done before in a similar situation, we decided to provide our users with a micropatch to protect [...] --------------------------------------------- https://blog.0patch.com/2020/03/micropatching-unknown-0days-in-windows.html ∗∗∗ Unseriöser Online-Shop: silahmall.com ∗∗∗ --------------------------------------------- Antiquitäten, Kleidung, Schmuck und Uhren, Möbel oder Computer-Zubehör. Der Online-Shop silahmall.com bietet eine breite Produktpalette an und verspricht hochwertige Qualität. Die Seite verlockt zum Einkaufen. Doch seien Sie vorsichtig! Wir raten von einer Bestellung ab, da es kein Impressum auf der Seite gibt und die einzige angegebene Kontaktmöglichkeit unseriös ist. --------------------------------------------- https://www.watchlist-internet.at/news/unserioeser-online-shop-silahmallcom/ ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in Advantechs WebAccess HMI platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-086-01 ∗∗∗ VISAM Automation Base (VBASE) ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in VISAMs VBASE automation platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-084-01 ∗∗∗ Schneider Electric IGSS SCADA Software ∗∗∗ --------------------------------------------- This advisory contains mitigations for path traversal and missing authentication for critical function vulnerabilities in the Schneider Electric ICSS SCADA software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-084-02 ∗∗∗ Critical CODESYS Bug Allows Remote Code Execution ∗∗∗ --------------------------------------------- CVE-2020-10245, a heap-based buffer overflow that rates 10 out of 10 in severity, exists in the CODESYS web server and takes little skill to exploit. --------------------------------------------- https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/ ∗∗∗ [Wikitech-l] MediaWiki Extensions and Skins Security Release Supplement (1.31.7/1.33.3/1.34.1) ∗∗∗ --------------------------------------------- With the security/maintenance release of MediaWiki 1.31.7/1.33.3/1.34.1 [0], we would also like to provide this supplementary announcement of MediaWiki extensions and skins with now-public Phabricator tasks, security patches and backports [1]: [...] --------------------------------------------- https://lists.wikimedia.org/pipermail/wikitech-l/2020-March/093245.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6). --------------------------------------------- https://lwn.net/Articles/816130/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0268 ∗∗∗ MediaWiki: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0271 ∗∗∗ PHOENIX CONTACT Local Privilege Escalation in PC WORX SRT ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-012 ∗∗∗ PHOENIX CONTACT Local Privilege Escalation in Portico Remote desktop control software ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-013 ∗∗∗ Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-liberty-suscept… ∗∗∗ Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct File Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ BIG-IP TMM Ram Cache vulnerability CVE-2020-5861 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22113131 ∗∗∗ BIG-IP HTTP profile vulnerability CVE-2020-5857 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70275209 ∗∗∗ BIG-IP HTTP/3 QUIC vulnerability CVE-2020-5859 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61367237 ∗∗∗ BIG-IP AWS vulnerability CVE-2020-5862 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01054113 ∗∗∗ BIG-IP tmsh vulnerability CVE-2020-5858 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36814487 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2020
by Daily end-of-shift report 26 Mar '20

26 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-03-2020 18:00 − Donnerstag 26-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Angespannter Arbeitsmarkt sorgt für betrügerische Job-Angebote ∗∗∗ --------------------------------------------- Aufgrund der durch das Coronavirus bedingten Arbeitsmarktsituation, suchen viele InternetuserInnen momentan online nach Jobs oder einer zusätzlichen Verdienstmöglichkeit. Dies nützen Kriminelle gezielt aus, indem Sie betrügerische Job-Angebote im Internet inserieren. Die Fake-Berufe können zu Geldwäsche führen, Pyramidensysteme sein oder zu gefährlichen Investments verleiten. --------------------------------------------- https://www.watchlist-internet.at/news/angespannter-arbeitsmarkt-sorgt-fuer… ∗∗∗ WordPress Malware Distributed via Pirated Coronavirus Plugins ∗∗∗ --------------------------------------------- The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a web site. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-malware-distribute… ∗∗∗ Malware spotlight: Nemty ∗∗∗ --------------------------------------------- If the last five years or so have proven anything, it is that ransomware is here to stay as a threat in the cybersecurity wild. This should not be used as rationale to simply ignore the deluge of new types of malware that are discovered weekly, as the recently discovered malware family Nemty has [...] --------------------------------------------- https://resources.infosecinstitute.com/malware-spotlight-nemty/ ∗∗∗ As Zoom Booms Incidents of ‘ZoomBombing’ Become a Growing Nuisance ∗∗∗ --------------------------------------------- Numerous instances of online conferences being disrupted by pornographic images, hate speech or even threats can be mitigated using some platform tools. --------------------------------------------- https://threatpost.com/as-zoom-booms-incidents-of-zoombombing-become-a-grow… ∗∗∗ Alternative ways for security professionals and IT to achieve modern security controls in today’s unique remote work scenarios ∗∗∗ --------------------------------------------- Increased remote work has many organizations rethinking network and security strategies. In this post we share guidance on how to manage security in this changing environment. --------------------------------------------- https://www.microsoft.com/security/blog/2020/03/26/alternative-security-pro… ∗∗∗ Assemble the Cookies ∗∗∗ --------------------------------------------- When we investigate compromised websites, it’s not unusual to find malicious files that have been obfuscated through forms of encoding or encryption — however, these are not the only methods that attackers use to obfuscate code. Obfuscation via Predefined PHP Variables Here’s an example of obfuscation that doesn’t use encoding or encryption in any way: [...] --------------------------------------------- https://blog.sucuri.net/2020/03/assemble-the-cookies.html ∗∗∗ Apple iOS users served mobile malware in Poisoned News campaign ∗∗∗ --------------------------------------------- As we all devour online news sources in the current climate, cyberattackers are waiting to spring. --------------------------------------------- https://www.zdnet.com/article/apple-ios-users-served-mobile-malware-in-oper… ∗∗∗ 4G networks vulnerable to denial of service attacks, subscriber tracking ∗∗∗ --------------------------------------------- Don’t think you’re protected on upcoming 5G networks, either. --------------------------------------------- https://www.zdnet.com/article/100-of-4g-networks-vulnerable-to-denial-of-se… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr). --------------------------------------------- https://lwn.net/Articles/816039/ ∗∗∗ Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-008 ∗∗∗ Security Advisory - Use-after-free Vulnerability in Some Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Vulnerabilities Patched in IMPress for IDX Broker ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-f… ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0264 ∗∗∗ Security Bulletin: Security: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for ACH Services (CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-a-vulnerability-… ∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)(CVE-2019-12418, CVE-2019-17563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4276) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2020
by Daily end-of-shift report 25 Mar '20

25 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-03-2020 18:00 − Mittwoch 25-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ginp Mobile Banker Targets Spain with "Coronavirus Finder" Lure ∗∗∗ --------------------------------------------- In todays deluge of malicious campaigns exploiting the COVID-19 topic, handlers of the Android banking trojan Ginp stand out with operation Coronavirus Finder. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ginp-mobile-banker-targets-s… ∗∗∗ Three More Ransomware Families Create Sites to Leak Stolen Data ∗∗∗ --------------------------------------------- Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims and further illustrates why all ransomware attacks must be considered data breaches. --------------------------------------------- https://www.bleepingcomputer.com/news/security/three-more-ransomware-famili… ∗∗∗ Firmware-Bug zerstört SSDs nach genau 40.000 Stunden ∗∗∗ --------------------------------------------- Hewlett Packard warnt davor, dass alle Daten nach Ablauf der Zeit unwiederbringlich gelöscht werden. --------------------------------------------- https://futurezone.at/produkte/firmware-bug-zerstoert-ssds-nach-genau-40000… ∗∗∗ Traffic to Malicious Websites Spiking as more Employees Take Up Work from Home ∗∗∗ --------------------------------------------- Heimdal™ Security’s Incident Response and Research team has recently uncovered evidence of what a potentially dangerous campaign directed at employees working from home. With many cities under lockdown due to the COVID-19 pandemic, companies were mandated to allow the employees to work from home, in a bid to stop the spread of the virus. Since [...] --------------------------------------------- https://heimdalsecurity.com/blog/malicious-websites-work-from-home/ ∗∗∗ TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services ∗∗∗ --------------------------------------------- The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The Android app, called "TrickMo" by IBM X-Force researchers, is under active development and has exclusively targeted German users [...] --------------------------------------------- https://thehackernews.com/2020/03/trickbot-two-factor-mobile-malware.html ∗∗∗ Microsoft Defender: "Scan-Skip-Bug" mit Update KB4052623 anscheinend beseitigt ∗∗∗ --------------------------------------------- Das von Microsoft für den Windows Defender veröffentlichte Update KB4052623 scheint die Meldung, dass Elemente beim Scan übersprungen wurden, zu eliminieren. --------------------------------------------- https://heise.de/-4690575 ∗∗∗ VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion ∗∗∗ --------------------------------------------- VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch. However, one of the researchers who found it says the patch is "still bad". --------------------------------------------- https://www.securityweek.com/vmware-again-fails-patch-privilege-escalation-… ∗∗∗ Videolabs Patches Code Execution, DoS Vulnerabilities in libmicrodns Library ∗∗∗ --------------------------------------------- Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn. --------------------------------------------- https://www.securityweek.com/videolabs-patches-code-execution-dos-vulnerabi… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Bug Affects Millions of OpenWrt-based Network Devices ∗∗∗ --------------------------------------------- A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic. Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the [...] --------------------------------------------- https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: iTunes 12.10.5 for Windows iOS 13.4 and iPadOS 13.4 Safari 13.1 watchOS 6.2 tvOS 13.4 macOS [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/03/25/apple-releases-sec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived). --------------------------------------------- https://lwn.net/Articles/815937/ ∗∗∗ BlackBerry Powered by Android Security Bulletin – March 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0262 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Security Advisory - Improper Access Control Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200325-… ∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Security vulnerability is identified in Apache POI server where Rational Asset Manager is deployed (CVE-2019-12415) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-is… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: CVE-2019-4732 vulnerabilitiy in IBM Java Runtime affects IBM Process Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4732-vulnerabili… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime 1.8 affect IBM Sterling Secure Proxy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2020
by Daily end-of-shift report 24 Mar '20

24 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 23-03-2020 18:00 − Dienstag 24-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps ∗∗∗ --------------------------------------------- A new cyber attack is hijacking routers DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Vidar information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-t… ∗∗∗ Unknown Hackers Use New Milum RAT in WildPressure Campaign ∗∗∗ --------------------------------------------- A new piece of malware that shows no similarities with samples used in known campaigns is currently used to attack computers in various organizations. Researchers named the threat Milum and dubbed the operation WildPressure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unknown-hackers-use-new-milu… ∗∗∗ Tekya Malware Threatens Millions of Android Users via Google Play ∗∗∗ --------------------------------------------- The ad-fraud malware lurks in dozens of childrens and utilities apps. --------------------------------------------- https://threatpost.com/tekya-malware-android-google-play/154064/ ∗∗∗ Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it ∗∗∗ --------------------------------------------- Yes, you may have detected some sarcasm An annoying security flaw been disclosed and promptly fixed in the fairly popular memcached distributed data-caching software. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/24/memcache… ∗∗∗ Betrügerische Raiffeisen-E-Mails im Umlauf ∗∗∗ --------------------------------------------- Aktuell erhalten Raiffeisen-KundInnen eine Benachrichtigung, dass die smsTAN deaktiviert wird und ELBA-NutzerInnen z. B. auf pushTAN umsteigen können. Für weitere Informationen zur Umstellung werden sie aufgefordert, sich ins Online Banking einzuloggen. Seien Sie bei E-Mails der Raiffeisen Bank zum Thema smsTAN und pushTAN besonders vorsichtig und kontrollieren Sie sorgfältig, ob die Aufforderung tatsächlich von der Raiffeisen Bank stammt. Es sind auch betrügerische [...] --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-raiffeisen-e-mails-im… ===================== = Vulnerabilities = ===================== ∗∗∗ Notfallpatch für Adobe Creative Cloud Application ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke in Creative Cloud Application von Adobe macht Windows-Computer angreifbar. --------------------------------------------- https://heise.de/-4689478 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat8), Fedora (chromium and okular), openSUSE (texlive-filesystem), Oracle (tomcat6), Scientific Linux (libvncserver, thunderbird, and tomcat6), Slackware (gd), SUSE (cloud-init, postgresql10, python36, and strongswan), and Ubuntu (ibus and vim). --------------------------------------------- https://lwn.net/Articles/815882/ ∗∗∗ Kritische Sicherheitslücke in Microsoft Windows (Adobe Type Manager Library) - Workarounds verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des monatlichen Patch-Zyklus ein Security Advisory für eine kritische Sicherheitslücke in der Adobe Type Manager Library veröffentlicht. Laut Microsoft und CERT/CC wird die Schwachstelle bereits aktiv ausgenutzt, [...] --------------------------------------------- https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft… ∗∗∗ systemd-journald vulnerability CVE-2019-3815 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22040951 ∗∗∗ Apache vulnerability CVE-2020-8840 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15320518 ∗∗∗ Paessler PRTG: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0256 ∗∗∗ Kubernetes: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0253 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Arbitrary Script Injection vulnerability (CVE-2019-4681) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to a session management vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: IBM Content Navigator includes the host IP address in an HTTP response. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-inc… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM API Connect is impacted by weak cryptographic algorithms (CVE-2019-4553) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: IBM API Connect is potentially impacted by vulnerabilities in MySQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-potent… ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by a denial of service vulnerability in MySQL (CVE-2019-2805) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: IBM API Connect is impacted by an unspecified vulnerability in Java(CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: A security vulnerability has been disclosed in Expat, which is installed as part of IBM Tivoli Network Manager (CVE-2019-15903). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily