Daily

daily@lists.cert.at

1 participants
3292 discussions

Tageszusammenfassung - 28.10.2020
by Daily end-of-shift report 28 Oct '20

28 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-10-2020 18:00 − Mittwoch 28-10-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ So schützen Sie sich im Webbrowser vor Phishing-Attacken ∗∗∗ --------------------------------------------- Derzeit werden der Watchlist Internet sehr viele Phishing-Versuche gemeldet. Die BetrügerInnen werden dabei immer raffinierter. Damit Sie sich besser vor den betrügerischen Phishing-Seiten schützen können, zeigen wir Ihnen Schritt für Schritt wie Sie Phishing-Warnungen in Google Chrome und Firefox einschalten können. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-im-webbrowser-… ∗∗∗ LokiBot Malware: What it is and how to respond to it ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security recently announced that activity in LokiBot, a form of aggressive malware, has increased dramatically over the last two months. The activity increase was discovered by an automated intrusion detection system referred to as EINSTEIN, which the Department of Homeland Security uses for collecting and analyzing security information across numerous [...] --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/lokibot-malware-wha… ∗∗∗ Microsoft Defender ATP scars admins with false Cobalt Strike alerts ∗∗∗ --------------------------------------------- Administrators woke up to a scary surprise today after false positives in Microsoft Defender ATP showed network devices infected with Cobalt Strike. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scar… ∗∗∗ Facebook "copyright violation" tries to get past 2FA - don’t fall for it! ∗∗∗ --------------------------------------------- Watch out for "Facebook copyright violation" emails - even if they link straight back to Facebook.com --------------------------------------------- https://nakedsecurity.sophos.com/2020/10/27/facebook-copyright-violation-tr… ∗∗∗ SMBGhost - the critical vulnerability many seem to have forgotten to patch, (Wed, Oct 28th) ∗∗∗ --------------------------------------------- You probably remember that back in March, Microsoft released a patch for a vulnerability in SMBv3 dubbed SMBGhost (CVE-2020-0796), since at that time, it received as much media attention as was reasonable for a critical (CVSS 10.0) vulnerability in Windows, which might lead to remote code execution[1]. --------------------------------------------- https://isc.sans.edu/diary/rss/26732 ∗∗∗ Hörmann - Tag der offenen Tür für alle... ∗∗∗ --------------------------------------------- Die Erkennung potenzieller Schwachstellen durch SEC Consult erwies sich als hilfreich, um das gesamte BiSecur-System zu verbessern. --------------------------------------------- https://www.sec-consult.com/./blog/2020/10/hoermann-tag-der-offenen-tuer-fu… ∗∗∗ TrickBot Linux Variants Active in the Wild Despite Recent Takedown ∗∗∗ --------------------------------------------- Efforts to disrupt TrickBot may have shut down most of its critical infrastructure, but the operators behind the notorious malware arent sitting idle. According to new findings shared by cybersecurity firm Netscout, TrickBots authors have moved portions of their code to Linux in an attempt to widen the scope of victims that could be targeted. --------------------------------------------- https://thehackernews.com/2020/10/trickbot-linux-variants-active-in-wild.ht… ∗∗∗ Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine ∗∗∗ --------------------------------------------- Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new detection mechanisms and response processes. Access to the appropriate tooling and resources is critical to discover these threats within a timely and accurate manner. Therefore, we are actively compiling the most essential software packages into a Windows-based distribution: ThreatPursuit VM. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/10/threatpursuit-vm-threat… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blueman), Fedora (nodejs), Gentoo (firefox), openSUSE (kleopatra), Oracle (java-1.8.0-openjdk), SUSE (apache2, binutils, firefox, pacemaker, sane-backends, spice, spice-gtk, tomcat, virt-bootstrap, xen, and zeromq), and Ubuntu (ca-certificates, mariadb-10.1, mariadb-10.3, netty, openjdk-8, openjdk-lts, perl, and tomcat6). --------------------------------------------- https://lwn.net/Articles/835497/ ∗∗∗ Sicherheitsupdate: Angreifer könnten eigene Befehle auf Qnap NAS ausführen ∗∗∗ --------------------------------------------- Netzwerkspeicher von Qnap sind über zwei Lücken attackierbar. Ein Patch schafft Abhilfe. --------------------------------------------- https://heise.de/-4941315 ∗∗∗ MediaWiki: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1048 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1049 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jul 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jul 2020 (CVE-2020-2590) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA (July 2020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js serialize-javascript affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Security vulnerability in Java SE affects Rational Build Forge (CVE-2020-2601) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ Security Bulletin: Vulnerability in Network Time Protocol (NTP) affects IBM Virtualization Engine TS7700 (CVE-2020-11868) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-network-… ∗∗∗ Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js jison affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-cast-iron-s… ∗∗∗ Security Bulletin: A Remote Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2020-4767) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-vulnerability-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2020
by Daily end-of-shift report 27 Oct '20

27 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-10-2020 18:00 − Dienstag 27-10-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht: Betrügerisches FinanzOnline-E-Mail im Umlauf ∗∗∗ --------------------------------------------- Aktuell sind gefälschte E-Mails im Namen des Finanzamtes unterwegs. In der E-Mail werden Sie über Ihre Steuerrückerstattung informiert und aufgefordert, die Transaktion zu genehmigen. Klicken Sie aber keinesfalls auf den Link, Sie landen auf einer gefälschten FinanzOnline-Website, die es Kriminellen ermöglicht, persönliche Daten sowie Kreditkartendaten abzugreifen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-betruegerisches-finanzonlin… ∗∗∗ Industrieanlagen mit OPC UA systematisch schlecht konfiguriert ∗∗∗ --------------------------------------------- Forscher des Fraunhofer FKIE und der RWTH Aachen haben das Internet nach Steuerungen auf Basis des Standards OPC UA durchsucht. 92% waren unsicher eingerichtet. --------------------------------------------- https://heise.de/-4939199 ∗∗∗ Sicherheitsupdate: Angreifer attackieren Microsofts Webbrowser Edge ∗∗∗ --------------------------------------------- Die Entwickler von Microsoft haben im Webbrowser Edge mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-4940091 ∗∗∗ Malware Emotet versteckt sich hinter gefälschtem Upgrade für Microsoft Word ∗∗∗ --------------------------------------------- Eine neue Kampagne gaukelt Opfern vor, sie benötigen ein Upgrade mit neuen Funktionen für Microsoft Word. Tatsächlich sollen sie die Sicherheitsvorkehrungen zum Schutz vor gefährlichen Makros deaktivieren. Die schädlichen Dokumente verteilen die Hintermänner weiterhin per E-Mail. --------------------------------------------- https://www.zdnet.de/88389137/malware-emotet-versteckt-sich-hinter-gefaelsc… ∗∗∗ KashmirBlack: Botnet attackiert WordPress, Joomla und Drupal ∗∗∗ --------------------------------------------- Die Hintermänner nutzen bekannte Schwachstellen in CMS-Plattformen und Plug-ins. Darüber schleusen sie einen Cryptominer ein. Laut Imperva verfügt das Botnet inzwischen über eine "massive Infrastruktur". --------------------------------------------- https://www.zdnet.de/88389169/kashmirblack-botnet-attackiert-wordpress-joom… ∗∗∗ New RAT malware gets commands via Discord, has ransomware feature ∗∗∗ --------------------------------------------- The new Abaddon remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-command… ∗∗∗ Massive Nitro data breach impacts Microsoft, Google, Apple, more ∗∗∗ --------------------------------------------- A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-nitro-data-breach-im… ∗∗∗ Study of the ShadowPad APT backdoor and its relation to PlugX ∗∗∗ --------------------------------------------- In July 2020, we released a study of targeted attacks on state institutions in Kazakhstan and Kyrgyzstan with a detailed analysis of malware found in compromised networks. During the investigation, Doctor Web specialists analyzed and described several groups of trojan programs, including new samples of trojan families already encountered by our virus analysts, as well as previously unknown trojans. --------------------------------------------- https://news.drweb.com/show/?i=14048&lng=en&c=9 ∗∗∗ Majority of Microsoft 365 Admins Don’t Enable MFA ∗∗∗ --------------------------------------------- Beyond admins, researchers say that 97 percent of all total Microsoft 365 users do not use multi-factor authentication. --------------------------------------------- https://threatpost.com/microsoft-365-admins-mfa/160592/ ∗∗∗ LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes ∗∗∗ --------------------------------------------- Popular chat apps, including LINE, Slack, Twitter DMs and others, can also leak location data and share private info with third-party servers. --------------------------------------------- https://threatpost.com/linkedin-instagram-preview-link-rce-security/160600/ ∗∗∗ Excel 4 Macros: "Abnormal Sheet Visibility", (Mon, Oct 26th) ∗∗∗ --------------------------------------------- Excel 4 macros are composed of formulas (commands) and values stored inside a sheet. --------------------------------------------- https://isc.sans.edu/diary/rss/26726 ∗∗∗ Password Security & Password Managers ∗∗∗ --------------------------------------------- In the spirit of National Cyber Security Awareness Month (NCSAM), let’s talk about a security basic that many people overlook: passwords. These are one of the most fundamental aspects of website security, yet we too often see webmasters taking a lax approach to secure passwords. In fact, the online security provider TeamPassword found that last year the most commonly leaked password was 123456. That edges out some real gems including qwerty and the always-popular password. --------------------------------------------- https://blog.sucuri.net/2020/10/password-security-password-managers.html ∗∗∗ P.A.S. Fork v. 1.0 — A Web Shell Revival ∗∗∗ --------------------------------------------- A PHP shell containing multiple functions can easily consist of thousands of lines of code, so it’s no surprise that attackers often reuse the code from some of the most popular PHP web shells, like WSO or b374k. After all, if these popular (and readily available) PHP web shells do the job, there’s no need to code an entirely new tool. --------------------------------------------- https://blog.sucuri.net/2020/10/p-a-s-fork-v-1-0-a-web-shell-revival.html ===================== = Vulnerabilities = ===================== ∗∗∗ VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- Overview Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files. Description CVE-2020-10143 Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:\openssl\. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create [...] --------------------------------------------- https://kb.cert.org/vuls/id/760767 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (createrepo_c, dnf-plugins-core, dnf-plugins-extras, librepo, livecd-tools, and pdns-recursor), openSUSE (firefox and mailman), Oracle (firefox), Red Hat (chromium-browser, java-1.8.0-openjdk, and Satellite 6.8), Scientific Linux (java-1.8.0-openjdk), SUSE (libvirt), and Ubuntu (blueman, firefox, mysql-5.7, mysql-8.0, php7.4, and ruby-kramdown). --------------------------------------------- https://lwn.net/Articles/835401 ∗∗∗ HPE/Aruba: Kritische Lücken in SSMC, AirWave Glass und weiteren Produkten ∗∗∗ --------------------------------------------- Jetzt updaten: Unter anderem kann eine Lücke mit Höchstwertung in der StoreServ Management Console Angreifern unbefugte Remote-Zugriffe leicht machen. --------------------------------------------- https://heise.de/-4938532 ∗∗∗ NVIDIA Patches Code Execution Flaws in GeForce Experience ∗∗∗ --------------------------------------------- Patches released by NVIDIA last week for the GeForce Experience software address two arbitrary code execution bugs assessed with a severity rating of high. --------------------------------------------- https://www.securityweek.com/nvidia-patches-code-execution-flaws-geforce-ex… ∗∗∗ Trend Micro AntiVirus for Mac: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1047 ∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-1045 ∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is vulnerable to social engineering attacks (CVE-2020-4337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-develope… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8169, CVE-2020-8177) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a… ∗∗∗ Security Bulletin: Vulnerabilities in NTPv4 affect AIX (CVE-2020-11868, CVE-2020-13817, and CVE-2020-15025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ntpv4-… ∗∗∗ Security Bulletin: CVE-2020-15190 for Tensorflow in Watson Machine Learning Community Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-15190-for-tensor… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2020
by Daily end-of-shift report 23 Oct '20

23 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-10-2020 18:00 − Freitag 23-10-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ R_Evil WordPress Hacktool & Malicious JavaScript Injections ∗∗∗ --------------------------------------------- We often see hackers reusing the same malware, with only a few new adjustments to obfuscate the code so that it is more difficult for scanning tools to detect. However, sometimes entirely new attack tools are created and deployed by threat actors who don’t want to rely on obfuscating existing malware. --------------------------------------------- https://blog.sucuri.net/2020/10/r_evil-wordpress-hacktool-malicious-javascr… ∗∗∗ Zahlreiche neue Fake-Shops locken mit günstigen Angeboten und gutem Kundendienst ∗∗∗ --------------------------------------------- Derzeit melden uns LeserInnen der Watchlist Internet zahlreiche neu registrierte Fake-Shops, die alle ähnlich aufgebaut sind und die gleichen Texte verwenden. Versprochen werden hochwertige Produkte, ein starkes Kundendienstteam und einfache Rückgabemöglichkeiten. Doch tatsächlich stecken hinter diesen vermeintlichen Online-Shops, Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-neue-fake-shops-locken-mi… ∗∗∗ Securing medical devices: Can a hacker break your heart? ∗∗∗ --------------------------------------------- Why are connected medical devices vulnerable to attack and how likely are they to get hacked? Here are five digital chinks in the armor. --------------------------------------------- https://www.welivesecurity.com/2020/10/23/securing-medical-devices-hack-hea… ∗∗∗ Practical example of fuzzing OPC UA applications ∗∗∗ --------------------------------------------- We continue to describe our approaches to searching for vulnerabilities in industrial systems based on the OPC UA protocol. In this article, we examine new techniques that can be used to search for memory corruption vulnerabilities if the source code is available. We also discuss an example of fuzzing using libfuzzer. --------------------------------------------- https://ics-cert.kaspersky.com/reports/2020/10/19/practical-example-of-fuzz… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware Horizon Server and VMware Horizon Client updates address multiple security vulnerabilities (CVE-2020-3997, CVE-2020-3998) ∗∗∗ --------------------------------------------- VMware Horizon Server does not correctly validate user input. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.1. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0024.html ∗∗∗ Sicherheitsupdate: Nvidia Geforce Experience macht PCs vielfältig angreifbar ∗∗∗ --------------------------------------------- Nvidias Entwickler haben drei Sicherheitslücken im Grafikkarten-Tool Geforce Experience geschlossen. --------------------------------------------- https://heise.de/-4937481 ∗∗∗ Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jul 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jul 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Multiple Vulnerabilities in PubliXone ∗∗∗ --------------------------------------------- https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-pu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2020
by Daily end-of-shift report 22 Oct '20

22 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-10-2020 18:00 − Donnerstag 22-10-2020 18:00 Handler: Dimitri Robl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Das sind die Gewinner von Österreichs größtem Hacker-Wettbewerb ∗∗∗ --------------------------------------------- Das Finale der Austria Cyber Security Challenge 2020 wurde virtuell ausgetragen. Die Sieger stehen fest. --------------------------------------------- https://futurezone.at/digital-life/das-sind-die-gewinner-von-oesterreichs-g… ∗∗∗ BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon, (Thu, Oct 22nd) ∗∗∗ --------------------------------------------- Phishing messages distributing BazarLoader have come to be commonplace in the past six months, but in the last couple of weeks Ive been seeing more and more e-mails spreading this malware caught in my quarantine. Although contents of these messages differ, their appearance is usually similar [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26710 ∗∗∗ XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability ∗∗∗ --------------------------------------------- This tech support scam is being spread via Facebook links and uses several redirection mechanisms to avoid detection. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2020/10/xss-to-tss-tech-support-sc… ∗∗∗ Abusing RDP’s Remote Credential Guard with Rubeus PTT ∗∗∗ --------------------------------------------- TL;DR Microsoft’s Remote Credential Guard (RCG) for RDP protects creds if an RDP server is compromised. It leaves little scope for password or NTLM credential dumping when a user connects [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/abusing-rdps-remote-credentia… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#208577: Chocolatey Boxstarter vulnerable to privilege escalation due to weak ACLs ∗∗∗ --------------------------------------------- Chocolatey Boxstarter fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/208577 ∗∗∗ Gefährliche Lücken in Cisco-Software für Netzwerkschutz und -Management ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für verschiedene Netzwerk-Software veröffentlicht. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-4936512 ∗∗∗ Vulnerability Spotlight: A deep dive into WAGO’s cloud connectivity and the vulnerabilities that arise ∗∗∗ --------------------------------------------- WAGO makes several programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. Cisco Talos discovered 41 vulnerabilities in their PFC200 and PFC100 controllers. --------------------------------------------- https://blog.talosintelligence.com/2020/10/vulnerability-spotlight-deep-div… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js lodash module affects IBM Cloud Pak for Multicloud Management Infrastructure Management. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2020
by Daily end-of-shift report 22 Oct '20

22 Oct '20

-- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2020
by Daily end-of-shift report 21 Oct '20

21 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-10-2020 18:00 − Mittwoch 21-10-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TrickBot malware under siege from all sides, and its working ∗∗∗ --------------------------------------------- The Trickbot malware operation is on the brink of going down completely following efforts from an alliance of cybersecurity and hosting providers targeting the botnets command and control servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbot-malware-under-siege… ∗∗∗ LockBit ransomware moves quietly on the network, strikes fast ∗∗∗ --------------------------------------------- LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-moves-qui… ∗∗∗ Shipping dangerous goods, (Wed, Oct 21st) ∗∗∗ --------------------------------------------- For the past several months, I've been tracking a campaign that sends rather odd-looking emails like this. --------------------------------------------- https://isc.sans.edu/diary/rss/26702 ∗∗∗ Securing Your Online Store for the Holidays ∗∗∗ --------------------------------------------- Shopping season is here, and so is the opportunity for ecommerce site owners to grow their business and generate revenue. In lieu of the changing global ecommerce climate that this pandemic has produced, comes the importance of securing your website to protect your users — and your revenue streams. --------------------------------------------- https://blog.sucuri.net/2020/10/securing-your-online-store-for-the-holidays… ∗∗∗ Studie: Mehr als die Häfte aller Windows-Server ist Security-Schrott ∗∗∗ --------------------------------------------- Rund 58 Prozent aller Windows Server im Internet werden nicht mehr regelmäßig mit Sicherheits-Updates versorgt und sind damit tickende Zeitbomben. --------------------------------------------- https://heise.de/-4933295 ∗∗∗ How safe is your USB drive? ∗∗∗ --------------------------------------------- What are some of the key security risks to be aware of when using USB flash drives and how can you mitigate the threats? --------------------------------------------- https://www.welivesecurity.com/2020/10/20/how-safe-is-your-usb-drive/ ∗∗∗ Video: So entlarven Sie betrügerische Werbung im Internet ∗∗∗ --------------------------------------------- Ob auf Google, in Sozialen Medien oder in Apps – überall lauert Werbung, die uns dazu bringen will, ein bestimmtes Produkt zu kaufen oder eine Dienstleistung in Anspruch zu nehmen. Doch nicht jede Werbung ist seriös. --------------------------------------------- https://www.watchlist-internet.at/news/video-so-entlarven-sie-betruegerisch… ∗∗∗ IP Spoofing inbound verhindern ∗∗∗ --------------------------------------------- Die Brigham Young University schickt gerade Empfehlungsschreiben an Internet Provider aus, in denen darauf hingewiesen wird, dass es beidiesen möglich ist, eingehende IP Pakete mit Source-Adressen aus dem Netz des Internet Providers zu empfangen. --------------------------------------------- https://cert.at/de/blog/2020/10/ip-spoofing-inbound-verhindern ===================== = Vulnerabilities = ===================== ∗∗∗ Big Blue Button: Das große blaue Sicherheitsrisiko ∗∗∗ --------------------------------------------- Kritische Sicherheitslücken, die Golem.de dem Entwickler der Videochat-Software Big Blue Button meldete, sind erst nach Monaten geschlossen worden. --------------------------------------------- https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisik… ∗∗∗ Chrome zero-day in the wild – patch now! ∗∗∗ --------------------------------------------- https://nakedsecurity.sophos.com/2020/10/21/chrome-zero-day-in-the-wild-pat… ∗∗∗ Oracle Critical Patch Update Advisory - October 2020 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2020.html ∗∗∗ Security Bulletin: A security vulnerability in angular.js affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged local user may cause a denial of service ( CVE-2020-4411) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js acorn and bootstrap-select affects IBM Cloud Pak for Multicloud Management Infrastructure Management and Managed Service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Pak for Multicloud Management Managed Service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: BIND for IBM i is affected by CVE-2020-8622 and CVE-2020-8624 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bind-for-ibm-i-is-affecte… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale packaged in IBM Elastic Storage System could cause a denial of service (CVE-2020-4756) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: IBM MQ could allow leak sensitive information due to an error within the pre-v7 pubsub logic (CVE-2020-4319) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-leak-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software clients. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2020
by Daily end-of-shift report 20 Oct '20

20 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Montag 19-10-2020 18:00 − Dienstag 20-10-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack ∗∗∗ --------------------------------------------- Researchers said the group was able to move from initial phish to full domain-wide encryption in just five hours. --------------------------------------------- https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/1602… ∗∗∗ Mirai-alike Python Scanner, (Tue, Oct 20th) ∗∗∗ --------------------------------------------- Last week, I found an interesting Python script that behaves like a Mirai bot. It scans for vulnerable devices exposing their telnet (TCP/23) interface in the wild, then tries to connect using a dictionary of credentials. --------------------------------------------- https://isc.sans.edu/diary/rss/26698 ∗∗∗ Advanced Ransomware Attacks ∗∗∗ --------------------------------------------- SI-CERT, the national CSIRT of Slovenia has been handling reports of ransomware attacks on a regular basis since April 2012. Until 2019, attack victims were selected randomly as part of a mass-volume campaign aiming to spread the virus. However, since 2019 the attacks have been more targeted. --------------------------------------------- https://connect.geant.org/2020/10/19/advanced-ransomware-attacks ∗∗∗ Beim Kauf auf Kleinanzeigen-Plattformen: Zahlung nicht via PayPal-Funktion „Geld an Freunde oder Familie senden“ durchführen ∗∗∗ --------------------------------------------- Auf den beliebten Kleinanzeigen-Plattformen wie willhaben, shpock oder ebay Kleinanzeigen treiben auch Kriminelle ihr Unwesen. Neben Vorkasse- und Treuhand-Betrug ist auch der PayPal-Trick eine beliebte Masche, um KäuferInnen abzuzocken. --------------------------------------------- https://www.watchlist-internet.at/news/beim-kauf-auf-kleinanzeigen-plattfor… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Illustrator (APSB20-53), Adobe Dreamweaver (APSB20-55), Marketo(APSB20-60), Adobe Animate (APSB20-61), Adobe After Effects (APSB20-62), Adobe Photoshop (APSB20-63), Adobe Premiere Pro (APSB20-64), Adobe Media Encoder (APSB20-65), Adobe InDesign (APSB20-66) and Adobe Creative Cloud Desktop Application (APSB20-68). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1930 ∗∗∗ QNAP: Sicherheitsupdates für QTS wehren "Zerologon"-Angriffe auf NAS ab ∗∗∗ --------------------------------------------- Je nach Konfiguration können Netzwerkspeicher von QNAP über die Sicherheitslücke "Zerologon" aus der Ferne angreifbar sein. Updates für QTS stehen bereit. --------------------------------------------- https://heise.de/-4932748 ∗∗∗ Seven mobile browsers vulnerable to address bar spoofing attacks ∗∗∗ --------------------------------------------- Vulnerabilities allow attackers to trick users into accessing malicious sites while showing the incorrect URL in the address bar. --------------------------------------------- https://www.zdnet.com/article/seven-mobile-browsers-vulnerable-to-address-b… ∗∗∗ Security Bulletin: Cross-Site Scripting Security Vulnerability Affects IBM Sterling B2B Integrator Standard Edition ( CVE-2020-4564) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-secu… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unprivileged local user may cause a denial of service ( CVE-2020-4411) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by weak cryptographic algorithm (CVE-2020-4350) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste… ∗∗∗ Security Bulletin: SQL Injection Vulnerability Affects the Graphic Process Modeler in IBM Sterling B2B Integrator (CVE-2019-4680) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: A vulnerability in IBM Spectrum Scale packaged in IBM Elastic Storage System could cause a denial of service (CVE-2020-4756) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sp… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects IBM Sterling File Gateway (CVE-2020-4564) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ XSA-347 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-347.html ∗∗∗ XSA-346 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-346.html ∗∗∗ XSA-345 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-345.html ∗∗∗ XSA-332 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-332.html ∗∗∗ XSA-331 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-331.html ∗∗∗ XSA-286 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-286.html ∗∗∗ Security Vulnerabilities fixed in Firefox 82 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-45/ ∗∗∗ Synology-SA-20:24 Media Server ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_24 ∗∗∗ Synology-SA-20:23 Download Station ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_23 ∗∗∗ VMware ESXi: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-1003 ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-1005 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2020
by Daily end-of-shift report 19 Oct '20

19 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-10-2020 18:00 − Montag 19-10-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers now abuse BaseCamp for free malware hosting ∗∗∗ --------------------------------------------- Phishing campaigns have started to use Basecamp as part of malicious phishing campaigns that distribute malware or steal your login credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-now-abuse-basecamp-f… ∗∗∗ Enumerate AWS API Permissions Without Logging to CloudTrail ∗∗∗ --------------------------------------------- The following is a technical writeup for a bug I found in the AWS API that allows you to enumerate certain permissions for a role without logging to CloudTrail. It affects 645 different API actions across 40 different AWS services. This would be beneficial for a Penetration Tester or a Red Teamer to enumerate what permissions the role or user they’ve compromised has access to without alerting the blue team as no logs are generated in CloudTrail. --------------------------------------------- https://frichetten.com/blog/aws-api-enum-vuln/ ∗∗∗ Secret fragments: Remote code execution on Symfony based websites ∗∗∗ --------------------------------------------- This configuration value, secret, is also used, for instance, to build CSRF tokens and remember-me tokens. Given its importance, this value must obviously be very random. Unfortunately, we discovered that oftentimes, the secret either has a default value, or there exist ways to obtain the value, bruteforce it offline, or to purely and simply bypass the security check that it is involved with. It most notably affects Bolt, eZPlatform, and eZPublish. --------------------------------------------- https://www.ambionics.io/blog/symfony-secret-fragment ===================== = Vulnerabilities = ===================== ∗∗∗ Magento, Visual Studio Code users: You need to patch! ∗∗∗ --------------------------------------------- * Microsoft has fixed CVE-2020-17023, a remote code execution vulnerability in Visual Studio Code, its free and extremely popular source-code editor that’s available for Windows, macOS and Linux. * Microsoft has also fixed a RCE (CVE-2020-17022) in the way that Microsoft Windows Codecs Library handles objects in memory, which could be triggered by a program processing a specially crafted image file. It only affects Windows 10 users, and only if they installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store. * After fixing just one Adobe Flash Player flaw on October 2020 Patch Tuesday, Adobe has followed up with security updates for several Magento Commerce and Magento Open Source versions. --------------------------------------------- https://www.helpnetsecurity.com/2020/10/19/magento-visual-studio-code-users… ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen (CVE-2020-14185) ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in der Atlassian Jira Software ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-1002 ∗∗∗ Discord desktop app vulnerability chain triggered remote code execution attacks ∗∗∗ --------------------------------------------- Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks. --------------------------------------------- https://www.zdnet.com/article/discord-desktop-app-vulnerable-to-remote-code… ∗∗∗ FRITZ!Box DNS Rebinding Protection Bypass ∗∗∗ --------------------------------------------- RedTeam Pentesting discovered a vulnerability in FRITZ!Box router devices which allows to resolve DNS answers that point to IP addresses in the private local network, despite the DNS rebinding protection mechanism. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-003/ ∗∗∗ ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5602.php ∗∗∗ ReQuest Serious Play F3 Media Server 7.0.3 Remote Denial of Service ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php ∗∗∗ ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5600.php ∗∗∗ ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Mgmt ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products Q3 2020 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: Multiple Oracle Database Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-oracle-database-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a DB2 jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2020
by Daily end-of-shift report 16 Oct '20

16 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-10-2020 18:00 − Freitag 16-10-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NPM nukes NodeJS malware opening Windows, Linux reverse shells ∗∗∗ --------------------------------------------- NPM has removed multiple packages hosted on its repository this week that established connection to remote servers and exfiltrated user data. These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-nukes-nodejs-malware-ope… ∗∗∗ CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability, (Thu, Oct 15th) ∗∗∗ --------------------------------------------- Highlights - Do not disable IPv6 entirely unless you want to break Windows in interesting ways. - This can only be exploited from the local subnet. - But it may lead to remote code execution / BSOD - PoC exploit is easy, but actual RCE is hard. - Patch For more details, see also the YouTube video I just published: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/26684 ∗∗∗ Traffic Analysis Quiz: Ugly-Wolf.net, (Fri, Oct 16th) ∗∗∗ --------------------------------------------- It's that time of the month again... Time for another traffic analysis quiz! This one is from a Windows 10 client logged into an Active Directory (AD) environment. --------------------------------------------- https://isc.sans.edu/diary/rss/26688 ∗∗∗ CVE-2020-15157 "ContainerDrip" Write-up ∗∗∗ --------------------------------------------- CVE-2020-15157: If an attacker publishes a public image with a crafted manifest that directs one of the image layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used by ctr/containerd to access that registry. In some cases, this may be the user’s username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other [...] --------------------------------------------- https://darkbit.io/blog/cve-2020-15157-containerdrip ∗∗∗ CMS Drupal: OAuth Server-Modul anfällig für SQL-Injection-Angriffe ∗∗∗ --------------------------------------------- Das OAuth Server-Modul für Drupal 8 benötigt ein Update auf 8.x-1.1. Die neue Version schließt eine "moderat kritische" Lücke. --------------------------------------------- https://heise.de/-4930778 ===================== = Vulnerabilities = ===================== ∗∗∗ VMware Horizon Client update addresses a denial-of-service vulnerability (CVE-2020-3991) ∗∗∗ --------------------------------------------- VMware Horizon Client for Windows contains a denial-of-service vulnerability due to a file system access control issue during install time. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0022.html ∗∗∗ Kritische Lücke in SonicWall Firewall für Denial-of-Service-Angriffe ausnutzbar ∗∗∗ --------------------------------------------- Es stehen Updates für mehrere Versionen von SonicOS bereit, die eine kritische sowie zehn weitere Sicherheitslücken von "Medium" bis "High" beseitigen. --------------------------------------------- https://heise.de/-4930351 ∗∗∗ CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code. --------------------------------------------- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020… ∗∗∗ Adobe patches Magento bugs that lead to code execution, customer list tampering ∗∗∗ --------------------------------------------- The out-of-band security update tackles eight critical and important vulnerabilities. --------------------------------------------- https://www.zdnet.com/article/adobe-patches-magento-bugs-that-lead-to-code-… ∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2020 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Jackson Core affect IBM Maximo Asset Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a 3RD PARTY Cryptographc vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-big… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Authentication Bypass (CVE-2020-4493) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerabilities in Apache ActiveMQ affect IBM Operations Analytics Predictive Insights (CVE-2020-11998, CVE-2020-13920) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: IBM Resilient SOAR could allow a privileged user to inject malicious commands through Python3 scripting (CVE-2020-4636). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-could-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2020
by Daily end-of-shift report 15 Oct '20

15 Oct '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-10-2020 18:00 − Donnerstag 15-10-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Bleedingtooth: Google und Intel warnen vor neuen Bluetooth-Lücken ∗∗∗ --------------------------------------------- Laut Google lässt sich über die Sicherheitslücken Code aus der Ferne ausführen. Intel hat sie veröffentlicht, bevor Patches ausgeliefert wurden. --------------------------------------------- https://www.golem.de/news/bleedingtooth-google-und-intel-warnen-vor-neuen-b… ∗∗∗ Security Analysis of CHERI ISA ∗∗∗ --------------------------------------------- Is it possible to get to a state where memory safety issues would be deterministically mitigated? Our quest to mitigate memory corruption vulnerabilities led us to examine CHERI (Capability Hardware Enhanced RISC Instructions), which provides memory protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits. --------------------------------------------- https://msrc-blog.microsoft.com:443/2020/10/14/security-analysis-of-cheri-i… ∗∗∗ Magento Phishing Leverages JavaScript For Exfiltration ∗∗∗ --------------------------------------------- During a recent investigation, a Magento admin login phishing page was found on a compromised website using the file name wp-order.php. This is an odd file name choice for a Magento phishing page, but nevertheless it successfully loads a legitimate looking Magento 1.x login page. --------------------------------------------- https://blog.sucuri.net/2020/10/magento-phishing-leverages-javascript-for-e… ∗∗∗ [SANS ISC] Nicely Obfuscated Python RAT ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Nicely Obfuscated Python RAT“: While hunting, I found an interesting Python script. It matched one of my YARA rules due to the interesting list of imports but the content itself was nicely obfuscated. --------------------------------------------- https://blog.rootshell.be/2020/10/15/sans-isc-nicely-obfuscated-python-rat/ ∗∗∗ Dockerfile Security Best Practices ∗∗∗ --------------------------------------------- Container security is a broad problem space and there are many low hanging fruits one can harvest to mitigate risks. A good starting point is to follow some rules when writing Dockerfiles. --------------------------------------------- https://cloudberry.engineering/article/dockerfile-security-best-practices/ ∗∗∗ QR code scams are making a comeback ∗∗∗ --------------------------------------------- With QR codes being used more as a means to help create a COVID-19 proof environment, were also seeing a comeback of QR codes scams. --------------------------------------------- https://blog.malwarebytes.com/scams/2020/10/qr-code-scams-are-making-a-come… ∗∗∗ This major criminal hacking group just switched to ransomware attacks ∗∗∗ --------------------------------------------- A newly detailed financial cybercrime group has been conducting attacks around the world since 2016 - but now theyve switched to ransomware because its the biggest and easiest pay day. --------------------------------------------- https://www.zdnet.com/article/this-major-criminal-hacking-group-just-switch… ∗∗∗ New Emotet attacks use fake Windows Update lures ∗∗∗ --------------------------------------------- Emotet diversifies arsenal with new lures to trick users into infecting themselves. --------------------------------------------- https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lu… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034 ∗∗∗ --------------------------------------------- Project: Drupal OAuth Server ( OAuth Provider) - Single Sign On ( SSO ) Date: 2020-October-14 Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default Vulnerability: SQL Injection Description: This module enables you login into any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection. Solution: Install the latest version: If you use the Drupal OAuth Server module for Drupal 8.x, upgrade to 8.x-1.1 --------------------------------------------- https://www.drupal.org/sa-contrib-2020-034 ∗∗∗ Juniper Security Bulletins 2020-10 ∗∗∗ --------------------------------------------- JSA11045 - 2020-10 Security Bulletin: JSA Series: Intel CPUs could allow a local authenticated attacker to obtain sensitive information (CVE-2019-11135) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11045 JSA11046 - 2020-10 Security Bulletin: Junos OS: FreeBSD-SA-20:03.thrmisc: kernel stack data disclosure (CVE-2019-15875) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11046 JSA11047 - 2020-10 Security Bulletin: FreeBSD-SA-19:20.bsnmp : Insufficient message length validation in bsnmp library (CVE-2019-5610) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11047 JSA11048 - 2020-10 Security Bulletin: Junos Space and Junos Space Security Director: Zombie POODLE and GOLDENDOODLE resolved in 20.2R1 release https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11048 JSA11049 - 2020-10 Security Bulletin: Junos OS: When a DHCPv6 Relay-Agent is configured upon receipt of a specific DHCPv6 client message, Remote Code Execution may occur. (CVE-2020-1656) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11049 JSA11050 - 2020-10 Security Bulletin: Junos OS: SRX Series: An attacker sending spoofed packets to IPSec peers may cause a Denial of Service. (CVE-2020-1657) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11050 JSA11053 - 2020-10 Security Bulletin: Junos OS: NFX Series: Multiple vulnerabilities resolved in 20.2R1 release https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11053 JSA11054 - 2020-10 Security Bulletin: Junos OS: MX Series: Receipt of specific packets can cause services card to restart when DNS filtering is configured. (CVE-2020-1660) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11054 JSA11055 - 2020-10 Security Bulletin: Junos OS: Multiple SQLite vulnerabilities resolved. https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11055 JSA11056 - 2020-10 Security Bulletin: Junos OS: jdhcpd process crash when forwarding a malformed DHCP packet. (CVE-2020-1661) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11056 JSA11062 - 2020-10 Security Bulletin: Junos OS: MX series/EX9200 Series: IPv6 DDoS protection does not work as expected. (CVE-2020-1665) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11062 JSA11076 - 2020-10 Security Bulletin: Junos OS: PTX/QFX Series: Kernel Routing Table (KRT) queue stuck after packet sampling a malformed packet when the tunnel-observation mpls-over-udp configuration is enabled. (CVE-2020-1679) https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11076 JSA11079 - 2020-10 Security Bulletin: Junos OS: SRX1500, vSRX, SRX4K, NFX150: Denial of service vulnerability executing local CLI command (CVE-2020-1682) --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11079 ∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K20-0992 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Hibernate Validator affects WebSphere Application Server Liberty (CVE-2020-10693) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernat… ∗∗∗ Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14195 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Vulnerabilities in IBM WebSphere Liberty fixed in IBM Security Access Manager Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Netcool Operations Insight component IBM Network Performance Insight 1.3.1 affected by CVE-2020-14062 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Security Vulnerabilities have been identified in IBM Java Runtime as shipped with Tivoli Federated Identity Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Commons Codec vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Security vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily