=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 22-04-2020 18:00 − Donnerstag 23-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iPhones durch Zero-Day-Lücken in Apple Mail angreifbar ∗∗∗
---------------------------------------------
iOS-Nutzer sollten die Mail-App vorübergehend nicht benutzen, warnen Sicherheitsforscher. Schwachstellen erlauben unbemerktes Code-Einschleusen.
---------------------------------------------
https://heise.de/-4707901
∗∗∗ New Data Center Requirements - Can You Help Host Shadowserver? ∗∗∗
---------------------------------------------
Shadowserver urgently needs to move our current data center by August 2020. We are blogging our data center requirements for hosting and colocation providers, or other companies who might be able to help provide a new home for our public benefit services for the global Internet. Please reach out and get in touch if you can help.
---------------------------------------------
https://www.shadowserver.org/news/new-data-center-requirements-can-you-help…
∗∗∗ Maze Ransomware – What You Need to Know ∗∗∗
---------------------------------------------
What’s this Maze thing I keep hearing about? Maze is a particularly sophisticated strain of Windows ransomware that has hit companies and organizations around the world and demanded that a cryptocurrency payment be made in exchange for the safe recovery of encrypted data. There’s been plenty of ransomware before. What makes Maze so special?
---------------------------------------------
https://www.tripwire.com/state-of-security/featured/maze-ransomware-what-yo…
∗∗∗ Researchers Turn Antivirus Software Into Destructive Tools ∗∗∗
---------------------------------------------
A vulnerability impacting nearly all antivirus products out there could have been exploited to disable anti-malware protection or render the operating system unusable, RACK911 Labs security researchers reveal.
---------------------------------------------
https://www.securityweek.com/researchers-turn-antivirus-software-destructiv…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (openssl), openSUSE (freeradius-server, kernel, thunderbird, and vlc), Oracle (git, java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), SUSE (ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, [...]
---------------------------------------------
https://lwn.net/Articles/818481/
∗∗∗ Security Advisory - Three Out of Bounds Vulnerabilities in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Huawei OSD Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an SQLite vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by vulnerabilities in OpenSSL (CVE-2019-1547 and CVE-2019-1563) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-nextscale-fan-power-c…
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage System 3000(CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: Vulnerability in IBM WebSphere Liberty Profile affects IBM Spectrum Symphony and IBM Platform Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs…
∗∗∗ Security Bulletin: IBM Tivoli Monitoring insufficient default file/folder permissions on windows. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-ins…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK affects IBM Elastic Storage System (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to side channel attack with Intel CPUs (CVE-2019-11135) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ NGINX Controller sensitive command-line arguments vulnerability CVE-2020-5866 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11922628
∗∗∗ NGINX Controller vulnerability CVE-2020-5864 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K27205552
∗∗∗ NGINX Controller insecure database transport vulnerability CVE-2020-5865 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K21009022
∗∗∗ NGINX Controller vulnerability CVE-2020-5867 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00958787
∗∗∗ HPESBHF03988 rev.1 - HPE Onboard Administrator, Remote Reflected Cross Site Scripting ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBNS03996 rev.1 - HPE NonStop Blade Maintenance Entity, Integrated Maintenance Entity and Maintenance Entity, Multiple Remote Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Squid: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0360
∗∗∗ Red Hat JBoss A-MQ: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0361
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 21-04-2020 18:00 − Mittwoch 22-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ You Wont Believe what this One Line Change Did to the Chrome Sandbox ∗∗∗
---------------------------------------------
The Chromium sandbox on Windows has stood the test of time. It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the Windows OS.
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-o…
∗∗∗ New iPhone Zero-Day Discovered ∗∗∗
---------------------------------------------
Last year, ZecOps discovered two iPhone zero-day exploits. They will be patched in the next iOS release: Avraham declined to disclose many details about who the targets were, and did not say whether they lost any data as a result of the attacks, but said "we were a bit surprised about who was targeted."
---------------------------------------------
https://www.schneier.com/blog/archives/2020/04/new_iphone_zero.html
∗∗∗ NSA, ASD Release Guidance for Mitigating Web Shell Malware ∗∗∗
---------------------------------------------
The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have jointly released a Cybersecurity Information Sheet (CSI) on mitigating web shell malware. Malicious cyber actors are increasingly deploying web shell malware on victim web servers to execute arbitrary system commands. By deploying web shell malware, cyber attackers can gain persistent access to compromised networks.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/04/22/nsa-asd-release-gu…
∗∗∗ Achtung vor Shops mit service6(a)vinayotap.com E-Mail-Adressen ∗∗∗
---------------------------------------------
Derzeit melden LeserInnen der Watchlist Internet vermehrt neue Fake-Shops, die vor allem eines gemeinsam haben: Sie verweisen alle auf die E-Mail-Adresse
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-shops-mit-service6vinayo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D ∗∗∗
---------------------------------------------
The flaws exist in Autodesks FBX library, integrated in Microsofts Office, Office 365 ProPlus and Paint 3D applications.
---------------------------------------------
https://threatpost.com/microsoft-issues-out-of-band-security-update-for-off…
∗∗∗ Zero-Day-Lücken in IBM Data Risk Manager - Forscher-Report ignoriert ∗∗∗
---------------------------------------------
Sicherheitsforscher haben im Überwachungstool IBM Data Risk Manager vier Lücken entdeckt - drei gelten als kritisch. Erste Patches sind bereits da.
---------------------------------------------
https://heise.de/-4707165
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (java-1.7.0-openjdk and java-1.8.0-openjdk), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, and kernel), Scientific Linux (kernel), Slackware (git), SUSE (openssl-1_1 and puppet), and Ubuntu (binutils and thunderbird).
---------------------------------------------
https://lwn.net/Articles/818359/
∗∗∗ 2020-04-21: Multiple vulnerabilities in B&R Automation Studio ∗∗∗
---------------------------------------------
https://www.br-automation.com/en/downloads/032020-multiple-vulnerabilities-…
∗∗∗ 2020-04-21: TPM-Fail vulnerability in several B&R products ∗∗∗
---------------------------------------------
https://www.br-automation.com/en/downloads/022020-tpm-fail/
∗∗∗ 2020-04-22: UPS Adapter CS141 – Path traversal vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK107680A4579&Lan…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Advisory - Local Privilege Escalation Vulnerability in Huawei PCManager Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200422-…
∗∗∗ Security Bulletin: CVE-2020-4202IBM UrbanCode Deploy (UCD) could allow an authenticated user to impersonate another user if the server is configured to enable Distributed Front End (DFE). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-4202ibm-urbancod…
∗∗∗ Security Bulletin: Windows DLL injection vulnerability in IBM Java Runtime affects Collaboration and Deployment Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul…
∗∗∗ Security Bulletin: Ansible vulnerability affects IBM Elastic Storage System 3000 (CVE-2020-1734) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ansible-vulnerability-aff…
∗∗∗ Security Bulletin: CVE-2019-4668 Pattern integration passwords stored in db without current encryption ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4668-pattern-int…
∗∗∗ Security Bulletin: CVE-2014-3524 CSV Injection in reports ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2014-3524-csv-injecti…
∗∗∗ Security Bulletin: Stack-based Buffer Overflow vulnerability in IBM Spectrum Protect Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-stack-based-buffer-overfl…
∗∗∗ Security Bulletin: IBM Elastic Storage System 3000 is affected by a vulnerability where an unprivileged user could execute commands as root ( CVE-2020-4273) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-elastic-storage-syste…
∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0355
∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0351
∗∗∗ OpenSSL: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0357
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 20-04-2020 18:00 − Dienstag 21-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 10 SMBGhost RCE exploit demoed by researchers ∗∗∗
---------------------------------------------
A proof-of-concept remote code execution (RCE) exploit for the Windows 10 CVE-2020-0796 wormable pre-auth remote code execution vulnerability was developed and demoed today by researchers at Ricerca Security.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-expl…
∗∗∗ SpectX: Log Parser for DFIR, (Tue, Apr 21st) ∗∗∗
---------------------------------------------
I hope this finds you all safe, healthy, and sheltered to the best of your ability. In February I received a DM via Twitter from Liisa at SpectX regarding my interest in checking out SpectX. Never one to shy away from a tool review offer, I accepted. SpectX, available in a free, community desktop version, is a log parser and query engine that enables you to investigate incidents via log files from multiple sources such as log servers, AWS, Azure, Google Storage, Hadoop, ELK and SQL-databases.
---------------------------------------------
https://isc.sans.edu/diary/rss/26040
∗∗∗ Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining ∗∗∗
---------------------------------------------
Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this article, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/l3TOyRDK1yA/
∗∗∗ Grouping Linux IoT Malware Samples With Trend Micro ELF Hash ∗∗∗
---------------------------------------------
We created Trend Micro ELF Hash (telfhash), an open-source clustering algorithm that effectively clusters Linux IoT malware created using ELF files.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tFHtqxisecc/
∗∗∗ Kerberos Tickets on Linux Red Teams ∗∗∗
---------------------------------------------
At FireEye Mandiant, we conduct numerous red team engagements within Windows Active Directory environments. Consequently, we frequently encounter Linux systems integrated within Active Directory environments. Compromising an individual domain-joined Linux system can provide useful data on its own, but the best value is obtaining data, such as Kerberos tickets, that will facilitate lateral movement techniques.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-lin…
∗∗∗ Unsichere Deserialisierung gefährdet Steam-Spiele ∗∗∗
---------------------------------------------
Viele Videospiele, die .Net oder Unity verwenden, sind angreifbar und führen Schadcode aus. Steam bietet die Möglichkeit einer wurmähnlichen Infektion.
---------------------------------------------
https://heise.de/-4706122
∗∗∗ 46% of SMBs have been targeted by ransomware, 73% have paid the ransom ∗∗∗
---------------------------------------------
Ransomware attacks are not at all unusual in the SMB community, as 46% of these businesses have been victims. And 73% of those SMBs that have been the targets of ransomware attacks actually have paid a ransom, Infrascale reveals. Yet, more than a quarter of the total SMB survey group said they lack a plan to mitigate a ransomware attack.
---------------------------------------------
https://www.helpnetsecurity.com/2020/04/21/paying-ransom/
∗∗∗ BSI aktualisiert den Mindeststandard TLS ∗∗∗
---------------------------------------------
Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat zum 9. April 2020 den "Mindeststandard zur Verwendung von Transport Layer Security (TLS)" aktualisiert.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/AktualisierterMST…
∗∗∗ Microsoft Will Not Patch Security Bypass Flaw Abusing MSTSC ∗∗∗
---------------------------------------------
A DLL side-loading vulnerability related to the Microsoft Terminal Services Client (MSTSC) can be exploited to bypass security controls, but Microsoft says it will not be releasing a patch due to exploitation requiring elevated privileges.
---------------------------------------------
https://www.securityweek.com/microsoft-will-not-patch-security-bypass-flaw-…
∗∗∗ Zahlungsaufforderungen von angeblichen Streamingdiensten sind Fake ∗∗∗
---------------------------------------------
bodaflix.de, ebaflix.de, teraflix.de, nodaflix.de – angeblich kostenlose Streamingdienste. Nach einer Registrierung erhalten Sie jedoch eine Zahlungsaufforderung über 395,88 Euro. Wird diese ignoriert, folgen meist weitere Zahlungsaufforderungen und Mahnungen von vermeintlichen Inkassobüros. Überweisen Sie kein Geld und antworten Sie auch nicht! Es handelt sich um ein betrügerisches Schreiben.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlungsaufforderungen-von-angeblich…
∗∗∗ Hey there! Are you using WhatsApp? Your account may be hackable ∗∗∗
---------------------------------------------
Can someone take control of your WhatsApp account by just knowing your phone number? We ran a small test to find out.
---------------------------------------------
https://www.welivesecurity.com/2020/04/20/hey-there-using-whatsapp-your-acc…
=====================
= Vulnerabilities =
=====================
∗∗∗ P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting ∗∗∗
---------------------------------------------
The controller suffers from CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a [...]
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
∗∗∗ [R2] Tenable.sc 5.14.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Tenable.sc leverages third-party software to help provide underlying functionality. One third-party component (jQuery) was found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2020-02
∗∗∗ Versionsverwaltung: Erneute Sicherheitswarnung für Git ∗∗∗
---------------------------------------------
Updates beheben eine Schwachstelle in Git, die der jüngsten ähnelt und ebenfalls die Credential-Helper-Programme betrifft.
---------------------------------------------
https://heise.de/-4706272
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (webkit2gtk), Debian (awl, git, and openssl), Red Hat (chromium-browser, git, http-parser, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, qemu-kvm-ma, rh-git218-git, and rh-maven35-jackson-databind), Scientific Linux (advancecomp, avahi, bash, bind, bluez, cups, curl, dovecot, doxygen, evolution, expat, file, firefox, gettext, git, GNOME, httpd, ImageMagick, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, kernel, lftp, [...]
---------------------------------------------
https://lwn.net/Articles/818223/
∗∗∗ High-Severity Vulnerability in OpenSSL Allows DoS Attacks ∗∗∗
---------------------------------------------
An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks.
---------------------------------------------
https://www.securityweek.com/high-severity-vulnerability-openssl-allows-dos…
∗∗∗ [20200403] - Core - Incorrect access control in com_users access level deletion function ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/811-20200403-core-incorrect-ac…
∗∗∗ [20200402] - Core - Missing checks for the root usergroup in usergroup table ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/810-20200402-core-missing-chec…
∗∗∗ [20200401] - Core - Incorrect access control in com_users access level editing function ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/809-20200401-core-incorrect-ac…
∗∗∗ 2020-04-21: SECURITY ABB Central Licensing System Vulnerabilities, impact on System 800xA, Compact HMI and Control Builder Safe ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&Language…
∗∗∗ 2020-04-21: SECURITY Multiple Vulnerabilities in ABB Central Licensing System ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&Language…
∗∗∗ 2020-04-21: SECURITY Inter process communication vulnerability in System 800xA ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&Language…
∗∗∗ Security Bulletin: A denial of service vulnerability in IBM WebSphere Liberty Profile affects IBM Spectrum Conductor and IBM Spectrum Conductor with Spark ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-denial-of-service-vulne…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 17-04-2020 18:00 − Montag 20-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft helped stop a botnet controlled via an LED light console ∗∗∗
---------------------------------------------
Microsoft says that its Digital Crimes Unit (DCU) discovered and helped take down a botnet of 400,000 compromised devices controlled with the help of an LED light control console.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-helped-stop-a-botn…
∗∗∗ KPOT Analysis: Obtaining the Decrypted KPOT EXE, (Sun, Apr 19th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/26014
∗∗∗ KPOT AutoIt Script: Analysis, (Mon, Apr 20th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/26012
∗∗∗ Finding Zoom Meeting Details in the Wild ∗∗∗
---------------------------------------------
The popular web conference platform Zoom has been in the storm for a few weeks. With the COVID19 pandemic, more and more people are working from home and the demand for web conference tools has been growing.
---------------------------------------------
https://blog.rootshell.be/2020/04/18/finding-zoom-meeting-details-in-the-wi…
∗∗∗ Clipboard hijacking malware found in 725 Ruby libraries ∗∗∗
---------------------------------------------
Security researchers from ReversingLabs say theyve discovered 725 Ruby libraries uploaded on the official RubyGems repository that contained malware meant to hijack users clipboards. The malicious packages were uploaded on RubyGems between February 16 and 25 by two accounts [...]
---------------------------------------------
https://www.zdnet.com/article/clipboard-hijacking-malware-found-in-725-ruby…
∗∗∗ PayPal über Google Pay: Lücke von Februar anscheinend klammheimlich behoben ∗∗∗
---------------------------------------------
Die Lücke, die unautorisierte PayPal-Abbuchungen via Google Pay erlaubte, wurde anscheinend – erst kürzlich – von PayPal gefixt.
---------------------------------------------
https://heise.de/-4704339
∗∗∗ Warten auf Patches: Schwachstellen in Nagios XI gefährden Netzwerke ∗∗∗
---------------------------------------------
Die Monitoring-Software für komplexe IT-Infrastrukturen Nagios XI ist verwundbar. Abhilfe gibt es noch nicht.
---------------------------------------------
https://heise.de/-4704444
∗∗∗ Several Botnets Using Zero-Day Vulnerability to Target Fiber Routers ∗∗∗
---------------------------------------------
Multiple botnets are targeting a zero-day vulnerability in fiber routers in an attempt to ensnare them and leverage their power for malicious purposes, security researchers warn.
---------------------------------------------
https://www.securityweek.com/several-botnets-using-zero-day-vulnerability-t…
∗∗∗ In eigener Sache: CERT.at/nic.at sucht Verstärkung (Research Engineer Internet, Vollzeit) ∗∗∗
---------------------------------------------
Unser Research- & Developmentteam sucht für ein Projekt mit CERT.at und Security-Bezug eine/n Research Engineer (m/w, Vollzeit mit 38,5 Stunden) zum ehestmöglichen Einstieg. Dienstort ist Wien. Details finden sich auf der nic.at Jobs-Seite.
---------------------------------------------
https://cert.at/de/blog/2020/4/in-eigener-sache-certatnicat-sucht-verstarku…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2019-9506 Encryption Key Negotiation of Bluetooth Vulnerability ∗∗∗
---------------------------------------------
The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-19-224
∗∗∗ Kritische Sicherheitslücke in mehreren Xilinx-FPGAs ∗∗∗
---------------------------------------------
Bei Xilinx-FPGAs der Serie 7 (Spartan-7, Artix-7, Kintex-7, Virtex-7) und Virtex-6 lässt sich die Verschlüsselung der Bitstream-Konfigurationsdaten aushebeln.
---------------------------------------------
https://heise.de/-4706002
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (openvpn), Debian (awl, file-roller, jackson-databind, and shiro), Fedora (chromium, git, and libssh), Mageia (php, python-bleach, and webkit2), openSUSE (chromium, gstreamer-rtsp-server, and mp3gain), Oracle (thunderbird and tigervnc), SUSE (thunderbird), and Ubuntu (file-roller and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/817987/
∗∗∗ Prestashop 1.7.6.4 XSS / CSRF / Remote Code Execution ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020040108
∗∗∗ Toshiba Electronic Devices & Storage software registers unquoted service paths ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN13467854/
∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server shipped with Jazz for Service Management (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Nimbus-JOSE-JWT affect IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0347
∗∗∗ Citrix Hypervisor Multiple Security Updates ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX270837
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 16-04-2020 18:00 − Freitag 17-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Fehlerhaftes Update legt Virenschutz in Windows 10 lahm ∗∗∗
---------------------------------------------
Die MS-Virenwächter fielen nach einem Update aus. Die betroffenen Programme können manuell aktualisiert werden.
---------------------------------------------
https://futurezone.at/produkte/fehlerhaftes-update-legt-virenschutz-in-wind…
∗∗∗ Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th) ∗∗∗
---------------------------------------------
STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run.
---------------------------------------------
https://isc.sans.edu/diary/rss/26032
∗∗∗ Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th) ∗∗∗
---------------------------------------------
Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur in those days, it is related to the COVID19 pandemic. Its purpose of simple: It checks if Outlook is used by the victim and, if it's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it.
---------------------------------------------
https://isc.sans.edu/diary/rss/26030
∗∗∗ Excel Malspam: Password Protected ... Not! ∗∗∗
---------------------------------------------
Early March of this year, we blogged about multiple malspam campaigns utilizing Excel 4.0 Macros in .xls 97-2003 binary format. In this blog, we will present one more Excel 4.0 Macro spam campaign in the same format crafted with another old MS Excel feature to evade detection.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/excel-malsp…
∗∗∗ Web Skimmer with a Domain Name Generator ∗∗∗
---------------------------------------------
Our security analyst Moe Obaid recently found yet another variation of a web skimmer script injected into a Magento database. The malicious script loads the credit card stealing code from qr201346[.]pw and sends the stolen details to hxxps://gooogletagmanager[.]online/get.php. This approach is pretty typical for skimmers. However, we noticed one interesting feature of the script — instead of using one predefined domain, it generates domain names based on the current date.
---------------------------------------------
https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.ht…
∗∗∗ Continued Threat Actor Exploitation Post Pulse Secure VPN Patching ∗∗∗
---------------------------------------------
[...] This Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch [...]
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/aa20-107a
∗∗∗ Sophos zieht problematisches Firmware-Update 9.703 für UTM zurück ∗∗∗
---------------------------------------------
Achtung, nicht installieren: Das Firmware-Update 9.703 für Sophos UTM-Appliances wurde vom Hersteller wegen gravierender Probleme wieder zurückgezogen.
---------------------------------------------
https://heise.de/-4704634
∗∗∗ New AgentTesla variant steals WiFi credentials ∗∗∗
---------------------------------------------
The popular infostealer AgentTesla recently added a new feature that can steal WiFi usernames and passwords, which can potentially be used to spread the malware.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-varian…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple Releases Security Update for Xcode ∗∗∗
---------------------------------------------
Apple has released a security update to address vulnerabilities in Xcode. A remote attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for Xcode 11.4.1 and apply the necessary update.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/04/17/apple-releases-sec…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (apache and chromium), Debian (webkit2gtk), Fedora (firefox, nss, and thunderbird), Mageia (chromium-browser-stable and git), openSUSE (gnuhealth), Oracle (thunderbird), Red Hat (kernel-alt, thunderbird, and tigervnc), Scientific Linux (thunderbird), Slackware (openvpn), and SUSE (freeradius-server and libqt4).
---------------------------------------------
https://lwn.net/Articles/817720/
∗∗∗ Foxit Reader und Foxit Phantom PDF Suite: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0344
∗∗∗ Security Bulletin: IBM TRIRIGA Application Platform discloses error messages that could aid an attacker formulate future attacks (CVE-2020-4277) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-application-p…
∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-j…
∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server and Liberty affects IBM Cloud App Management (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Insecure Permissions (CVE-2019-4446) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct FTP+ ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-j…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4749) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4644) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 14-04-2020 18:00 − Mittwoch 15-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patchday: Microsoft schließt über 100 Lücken, drei Windows-Lücken unter Beschuss ∗∗∗
---------------------------------------------
Wichtige Sicherheitsupdates schützen Windows & Co. 17 Schwachstellen sind mit dem Angriffsrisiko "kritisch" eingestuft.
---------------------------------------------
https://heise.de/-4702540
∗∗∗ Sicherheitswarnungen für Git und GitHub ∗∗∗
---------------------------------------------
Eine Schwachstelle in Git ermöglicht das Umleiten von Credentials, und GitHub warnt vor einer Welle von Phishing-Mails.
---------------------------------------------
https://heise.de/-4702519
∗∗∗ Medikamente sicher und legal online kaufen ∗∗∗
---------------------------------------------
Apotheken sind in Österreich trotz Corona-Krise geöffnet. Dennoch wollen Menschen die Ansteckungsgefahr in den Apotheken vermeiden und kaufen rezeptfreie Medikamente online. Es gibt jedoch zahlreiche Fake-Apotheken im Internet, die mit scheinbar rezeptfreien Medikamenten werben. Mit dem EU-Sicherheitslogo erkennen Sie legale Apotheken und können Medikamente ohne Risiko legal online kaufen.
---------------------------------------------
https://www.watchlist-internet.at/news/medikamente-sicher-und-legal-online-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Office April security updates fix critical RCE bugs ∗∗∗
---------------------------------------------
Microsoft released the April 2020 Office security updates on April 14, 2020, with a total of 55 security updates and 5 cumulative updates for 7 different products, and patching 5 critical bugs allowing attackers to run scripts as the current user and remotely execute arbitrary code on unpatched systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-office-april-secur…
∗∗∗ Eaton HMiSoft VU3 ∗∗∗
---------------------------------------------
This advisory contains mitigations for stack-based buffer overflow and out-of-bounds read vulnerabilities in Eatons HMiSoft VU3 human-machine interface (HMI).
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-105-01
∗∗∗ Triangle MicroWorks DNP3 Outstation Libraries ∗∗∗
---------------------------------------------
This advisory contains mitigations for a stack-based buffer overflow vulnerability in Triangle MicroWorks DNP3 components and source code libraries.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-105-02
∗∗∗ Triangle MicroWorks SCADA Data Gateway ∗∗∗
---------------------------------------------
This advisory contains mitigations for stack-based buffer overflow, out-of-bounds read, and type confusion vulnerabilities in the Triangle MicroWorks SCADA Data Gateway.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-105-03
∗∗∗ VMSA-2020-0007 ∗∗∗
---------------------------------------------
VMware vRealize Log Insight addresses Cross Site Scripting (XSS) and Open Redirect vulnerabilities (CVE-2020-3953, CVE-2020-3954)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0007.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (git, graphicsmagick, php-horde-data, and php-horde-trean), Mageia (apache, gnutls, golang, krb5-appl, libssh, libvncserver, mediawiki, thunderbird, tor, and wireshark), openSUSE (chromium, nagios, and thunderbird), Oracle (kernel and krb5-appl), Red Hat (elfutils, kernel, nss-softokn, ntp, procps-ng, and python), Scientific Linux (firefox), Slackware (git), SUSE (git and ruby2.5), and Ubuntu (git).
---------------------------------------------
https://lwn.net/Articles/817565/
∗∗∗ IPAS: Security Advisories for April 2020 ∗∗∗
---------------------------------------------
Hello, Today, in addition to the 6 security advisories we are releasing, we want to call your attention to a new whitepaper we have just published addressing CVE-2019-0090, a vulnerability in the Intel® Converged Security Management Engine (CSME) that we first disclosed in May of last year. You can read the whitepaper HERE.
---------------------------------------------
https://blogs.intel.com/technology/2020/04/ipas-security-advisories-for-apr…
∗∗∗ BSRT-2020-001 Local File Inclusion Vulnerability in Apache Tomcat Impacts BlackBerry Workspaces Server and BlackBerry Good Control ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Security Advisory - Denial of Service Vulnerability on Huawei Smartphone ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-…
∗∗∗ Security Advisory - Out of Bounds Read Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200415-…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2020-4270) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Websphere Application Server affects the IBM Performance Management product (CVE-2019-4720) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we…
∗∗∗ Security Bulletin: A vulnerability in jQuery affects the IBM Performance Management product (CVE-2019-11358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-jquery…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to PHP object injection (CVE-2020-4271) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure (CVE-2019-4593) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to instantiation of arbitrary objects (CVE-2020-4272) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nx-os-fi…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Server-Side Request Forgery (SSRF) (CVE-2020-4294) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Überschreiben von Dateien ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0325
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 10-04-2020 18:00 − Dienstag 14-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Think Fast: Time Between Disclosure, Patch Release and VulnerabilityExploitation — Intelligence for Vulnerability Management, Part Two ∗∗∗
---------------------------------------------
One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization’s data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/04/time-between-disclosure…
∗∗∗ WhatsApp-Nachricht: Billa verlost keinen 250 € Gutschein ∗∗∗
---------------------------------------------
Sie haben von einem WhatsApp-Kontakt einen Link zu einem Billa-Gutschein erhalten und fragen sich was dahintersteckt? Die Watchlist Internet hat sich diesen sogenannten Kettenbrief näher angesehen! Unser Fazit: Sie erhalten weder einen Gutschein, noch stammt diese Verlosung von Billa.
---------------------------------------------
https://www.watchlist-internet.at/news/whatsapp-nachricht-billa-verlost-kei…
∗∗∗ APT41 Using New Speculoos Backdoor to Target Organizations Globally ∗∗∗
---------------------------------------------
Unit 42 identifies new payload, named Speculoos, exploiting CVE-2019-19781 to target organizations around the world, including state government in the United States.
---------------------------------------------
https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-t…
∗∗∗ Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns ∗∗∗
---------------------------------------------
New research shows COVID-19 themed phishing campaigns are targeting healthcare organizations and medical research facilities around the world.
---------------------------------------------
https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-go…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe ColdFusion (APSB20-18), Adobe After Effects (APSB20-21) and Adobe Digital Editions (APSB20-23). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1859
∗∗∗ Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update ∗∗∗
---------------------------------------------
Oracle will detail 405 new security vulnerabilities Tuesday, part of its quarterly Critical Patch Update Advisory.
---------------------------------------------
https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-up…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (haproxy), Gentoo (chromium and libssh), openSUSE (ansible, chromium, gmp, gnutls, libnettle, libssh, mgetty, nagios, permissions, and python-PyYAML), and Oracle (firefox, kernel, qemu-kvm, and telnet).
---------------------------------------------
https://lwn.net/Articles/817399/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (thunderbird), Debian (thunderbird), Fedora (drupal7-ckeditor, nrpe, and php-robrichards-xmlseclibs1), Red Hat (firefox and kernel), SUSE (quartz), and Ubuntu (thunderbird).
---------------------------------------------
https://lwn.net/Articles/817471/
∗∗∗ SSA-102233: SegmentSmack in VxWorks-based Industrial Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-102233.txt
∗∗∗ SSA-162506: DHCP Client Vulnerability in SIMOTICS CONNECT 400, Desigo PXC/PXM, APOGEE MEC/MBC/PXC, APOGEE PXC Series, and TALON TC Series ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-162506.txt
∗∗∗ SSA-359303: Debug Port in TIM 3V-IE and 4R-IE Family Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-359303.txt
∗∗∗ SSA-377115: SegmentSmack in Linux IP-Stack based Industrial Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-377115.txt
∗∗∗ SSA-593272: SegmentSmack in Interniche IP-Stack based Industrial Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-593272.txt
∗∗∗ SSA-886514: Persistent XSS Vulnerabilities in the Web Interface of Climatix POL908 and POL909 Modules ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-886514.txt
∗∗∗ Security Bulletin: A vulnerability in IBM Java affect IBM Decision Optimization Center (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A vulnerability in IBM Java affects IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server (CVE-2020-2654) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Services (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Services v2.1.1 (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jackson-databind vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10209, 10211, 10210, 10208) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie…
∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10164) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie…
∗∗∗ Security Bulletin: PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerabilitie…
∗∗∗ XSA-318 - Bad continuation handling in GNTTABOP_copy ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-318.html
∗∗∗ XSA-316 - Bad error path in GNTTABOP_map_grant ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-316.html
∗∗∗ XSA-314 - Missing memory barriers in read-write unlock paths ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-314.html
∗∗∗ XSA-313 - multiple xenoprof issues ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-313.html
∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0303
∗∗∗ SAP Patchday April 2020 ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0300
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 09-04-2020 18:00 − Freitag 10-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ DNS: Gehackte Router zeigen Coronavirus-Warnung mit Schadsoftware ∗∗∗
---------------------------------------------
Gehackte Router leiten bekannte Domains auf eine gefälschte Warnung der WHO um und versuchen, ihren Opfern eine Schadsoftware unterzujubeln.
---------------------------------------------
https://www.golem.de/news/dns-gehackte-router-zeigen-coronavirus-warnung-mi…
∗∗∗ Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th) ∗∗∗
---------------------------------------------
How can you know which operating system is running on a specific remote host? The technique to answer this question corresponds to the fingerprinting of the operating system and is executed by sending a specific set of packages to the remote host and see how it behaves. Each operating system responds differently, which allows it to be identified.
---------------------------------------------
https://isc.sans.edu/diary/rss/25960
∗∗∗ PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th) ∗∗∗
---------------------------------------------
Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of Powershell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified.
---------------------------------------------
https://isc.sans.edu/diary/rss/26004
∗∗∗ Analysis of a WordPress Credit Card Swiper ∗∗∗
---------------------------------------------
While working on a recent case, I found something on a WordPress website that is not as common as on Magento environments: A credit card swiper injection. Typically this type of malware targets dedicated ecommerce platforms such as Magento and Prestashop (due to their focus in handling payment information, which we have documented extensively in the past). With WooCommerce recently overtaking all other ecommerce platforms in popularity it was only a matter of time before we started seeing [...]
---------------------------------------------
https://blog.sucuri.net/2020/04/analysis-of-a-wordpress-credit-card-swiper.…
∗∗∗ Sophos Releases Sandboxie in Open Source ∗∗∗
---------------------------------------------
Sophos this week announced that the source code of isolation tool Sandboxie is now publicly available.
---------------------------------------------
https://www.securityweek.com/sophos-releases-sandboxie-open-source
∗∗∗ Gefälschte Mails von Sebastian Kurz im Umlauf ∗∗∗
---------------------------------------------
Viele Menschen benötigen derzeit aufgrund geschlossener Betriebe oder fehlender Aufträge finanzielle Unterstützung. Kriminelle nützen diese Ausnahmesituation aus und verschicken E-Mails im Namen von Sebastian Kurz, in denen sie rasche Soforthilfe anbieten. Der Link in diesen E-Mails führt jedoch zu einer unseriösen Trading-Plattform, bei der den Internet-NutzerInnen durch das Investment in Bitcoins schnelles Geld versprochen wird.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-mails-von-sebastian-kurz…
∗∗∗ CVE-2020-0688: Verwundbare Microsoft Exchange Server in Österreich ∗∗∗
---------------------------------------------
Mit CVE-2020-0688 wurde im Februar eine Lücke in Microsoft Exchange Servern gepatched, die AngreiferInnen ermöglicht, beliebigen Code über das Netzwerk auszuführen -- und das mit NT Authority\SYSTEM also der Windows-Entsprechung von root. Für eine erfolgreiche Attacke werden zwar gültige Zugangsdaten für einen Mailaccount benötigt, da es bei CVE-2020-0688 aber auch zu einer Privilegieneskaltion kommt, können diese auch unpriviligiert sein.
---------------------------------------------
https://cert.at/de/blog/2020/4/cve-2020-0688-verwundbare-microsoft-exchange…
=====================
= Vulnerabilities =
=====================
∗∗∗ Rockwell Automation RSLinx Classic ∗∗∗
---------------------------------------------
This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in the Rockwell Automation RSLinx Classic PLC communications software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-20-100-01
∗∗∗ VMSA-2020-0006 ∗∗∗
---------------------------------------------
VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0006.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, haproxy, libssh, and wireshark-cli), Fedora (firefox, glibc, nss, and rubygem-puma), openSUSE (ceph, exim, firefox, and gnuhealth), Oracle (firefox, kernel, and qemu-kvm), and SUSE (djvulibre and firefox).
---------------------------------------------
https://lwn.net/Articles/817233/
∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vuln…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Possible remote code execution vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-possible-remote-code-exec…
∗∗∗ Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vul…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 08-04-2020 18:00 − Donnerstag 09-04-2020 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Visa urges merchants to migrate e-commerce sites to Magento 2.x ∗∗∗
---------------------------------------------
Payments processor Visa is urging merchants to migrate their online stores to Magento 2.x before the Magento 1.x e-commerce platform reaches end-of-life (EoL) in June 2020 to avoid exposing their stores to Magecart attacks and to remain PCI compliant.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/visa-urges-merchants-to-migr…
∗∗∗ Data Center Migration Deadline Extended Due To COVID-19 ∗∗∗
---------------------------------------------
The original deadline for Shadowserver to move our data center has been extended from May 26th to August 31st 2020, due to the worsening COVID-19 pandemic and Silicon Valley Shelter in Place lockdowns. This extension provides us with some much needed additional time to continue raising funding for our 2020 operations, such as the recently received donation from cryptocurrency exchange BitMEX.
---------------------------------------------
https://www.shadowserver.org/news/data-center-migration-deadline-extended-d…
∗∗∗ BGP Hijacking and BGP Security ∗∗∗
---------------------------------------------
BGP Hijacking is a long-standing problem and is a constant possibility in today’s BGP environment. These news stories will continue for some time to come, but there are things the community can do to limit the impact of these events.
---------------------------------------------
https://blog.team-cymru.com/2020/04/08/bgp-hijacking-and-bgp-security/
∗∗∗ Viele Meldungen zu mimty.de und evenlife.de ∗∗∗
---------------------------------------------
Egal ob Atemschutzmasken, Desinfektionsmittel oder Schutzausrüstung - auf mimty.de und evenlife.de finden Sie Produkte, die momentan äußerst schwer zu bekommen sind. Zahlreiche InternetuserInnen melden diese Online-Shops jedoch an die Watchlist Internet und klagen über ausbleibende Lieferungen. Auch auf Bewertungsportalen wird den beiden Shops kein gutes Zeugnis ausgestellt.
---------------------------------------------
https://www.watchlist-internet.at/news/viele-meldungen-zu-mimtyde-und-evenl…
∗∗∗ Jahresbericht 2019 von CERT.at und GovCERT Austria veröffentlicht ∗∗∗
---------------------------------------------
Das Mandat als nationales Computer-Notfallteam nach NISG, Emotet, Ransomware, Sextortion, ein Projektabschluss und CyberExchanges – das Jahr 2019 war für CERT.at und GovCERT Austria ein ereignisreiches, das wir in Form unseres Jahresberichts Revue passieren lassen.
---------------------------------------------
https://cert.at/de/blog/2020/4/jahresbericht-2019-von-certat-und-govcert-au…
=====================
= Vulnerabilities =
=====================
∗∗∗ Juniper Networks Releases Security Updates ∗∗∗
---------------------------------------------
Original release date: April 9, 2020
Juniper Networks has released security updates to address multiple vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Security Advisories webpage and apply the necessary updates or workarounds.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/04/09/juniper-networks-r…
∗∗∗ Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009 ∗∗∗
---------------------------------------------
Project: Spamicide
Date: 2020-April-08
Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Description: The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots. The module doesnt require appropriate permissions for administrative pages leading to an Access Bypass.
Solution: Install the latest version
---------------------------------------------
https://www.drupal.org/sa-contrib-2020-009
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, ipmitool, krb5-appl, and telnet), Debian (ceph and firefox-esr), Mageia (firefox), openSUSE (bluez and exiv2), Red Hat (firefox), SUSE (ceph, libssh, mgetty, permissions, python-PyYAML, rubygem-actionview-4_2, and vino), and Ubuntu (libiberty and libssh).
---------------------------------------------
https://lwn.net/Articles/817128/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t…
∗∗∗ Security Bulletin: IBM Resilient OnPrem does not properly limit the number or frequency of pssword reset interactions ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-onprem-does…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability in IBM® Runtime Environment Java™ Version 8 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transp…
∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) ( CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t…
∗∗∗ Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily