Daily

daily@lists.cert.at

1 participants
3205 discussions

Tageszusammenfassung - 05.09.2019
by Daily end-of-shift report 05 Sep '19

05 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-09-2019 18:00 − Donnerstag 05-09-2019 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Android Zero-Day Bug Does Not Make It on Google's Fix List ∗∗∗ --------------------------------------------- Google yesterday rolled out security patches for the Android mobile operating system but did not include the fix for at least one bug that enables increasing permissions to kernel level. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-zero-day-bug-does-no… ∗∗∗ WordPress 5.2.3 Released with Security and Bug Fixes ∗∗∗ --------------------------------------------- WordPress 5.2.3 has been released and includes fixes for six vulnerabilities and 29 bugs or enhancements. As WordPress is a common target for threat actors looking to host their malicious campaigns, it is important that all WordPress users upgrade to the latest release as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-523-released-with-… ∗∗∗ Unifying: Sicherheitsupdate für Logitech-Tastaturen umgangen ∗∗∗ --------------------------------------------- Mit einem einfachen Trick kann ein Sicherheitsupdate von Logitech umgangen werden. Damit lassen sich weiterhin Eingaben von kabellosen Tastaturen abgreifen - oder Schadcode eintippen. Dabei hatte Logitech nicht einmal alle Sicherheitslücken behoben. --------------------------------------------- https://www.golem.de/news/unifying-sicherheitsupdate-fuer-logitech-tastatur… ∗∗∗ Das Smart‑Ding‑Dilemma ∗∗∗ --------------------------------------------- Vom 6.-11. September 2019 öffnet die Internationale Funkausstellung (IFA) in Berlin wieder ihre Pforten. Auch diesjährig wird das Thema "Vollvernetzung" die Messehallen beherrschen. Doch wie steht es nun, ein Jahr weiter, um die Sicherheit? --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/09/05/das-smart-ding-dilemma/ ∗∗∗ henrikson-research.de: Umfrage führt zu Geldwäsche in Ihrem Namen! ∗∗∗ --------------------------------------------- Auf diversen Job-Portalen stoßen Sie momentan auf Ausschreibungen einer HENRIKSON Research GmbH. Schon bei der Registrierung verlangt man Ihre Ausweiskopie sowie Selfies mit Pass oder Personalausweis. Melden Sie sich hier nicht an! Kriminelle stehlen Ihre Daten und tarnen die Eröffnung eines Bankkontos in Ihrem Namen als bezahlte Umfrage. --------------------------------------------- https://www.watchlist-internet.at/news/henrikson-researchde-umfrage-fuehrt-… ∗∗∗ Betrügerische Angebote für Cineplexx-Gutscheine locken in die Abo-Falle ∗∗∗ --------------------------------------------- Mit Facebook-Anzeigen und über Facebook-Messenger werben Kriminelle für ein Gewinnspiel. Angeblich können Cineplexx-Geschenkgutscheine gewonnen werden. Das Gewinnspiel gibt es nicht. Die Kriminellen locken in eine Abofalle und sind auf Kreditkartendaten aus! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-angebote-fuer-cineple… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Cisco sichert macOS- und Windows-Software ab – und noch mehr ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Cisco-Produkte. Angreifer könnten Schadcode auf Systemen ausführen. --------------------------------------------- https://heise.de/-4514009 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (systemd), openSUSE (go1.11, python-Twisted, SDL2_image, SDL_image, and wavpack), Oracle (kdelibs and kde-settings, kernel, and qemu-kvm), Red Hat (chromium-browser and firefox), Slackware (seamonkey), SUSE (java-1_8_0-ibm, kernel, and python-urllib3), and Ubuntu (firefox and npm/fstream). --------------------------------------------- https://lwn.net/Articles/798487/ ∗∗∗ Multiple vulnerabilities in Cisco router series RV34X, RV26X and RV16X ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-cisc… ∗∗∗ Various 3rd Party Vulnerabilities - PSA-2019-09-04 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2019-09-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2019
by Daily end-of-shift report 04 Sep '19

04 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-09-2019 18:00 − Mittwoch 04-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacked SharePoint Sites Used to Bypass Secure Email Gateways ∗∗∗ --------------------------------------------- Phishers behind a new campaign have switched to using compromised SharePoint sites and OneNote documents to redirect potential victims from the banking sector to their landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-sharepoint-sites-used… ∗∗∗ Half of Android Handsets Susceptible to Clever SMS Phishing Attack ∗∗∗ --------------------------------------------- Researchers say an attacker could send a rogue over-the-air provisioning message to susceptible phones and route all internet traffic through a hacker-controlled proxy. --------------------------------------------- https://threatpost.com/half-of-android-handsets-susceptible-to-clever-sms-p… ∗∗∗ BRATA Android RAT Steals Banking Info in Real Time ∗∗∗ --------------------------------------------- The RAT targets users via fake WhatsApp updates in Google Play. --------------------------------------------- https://threatpost.com/brata-android-rat-steals-banking-info/148003/ ∗∗∗ ENISA: Secure Group Communications for incident response and operational communities ∗∗∗ --------------------------------------------- This document serves as a starting point for incident response communities to conduct their own evaluation and see how the various communication tools can fit their sizes and needs. --------------------------------------------- https://www.enisa.europa.eu/publications/secure-group-communications ∗∗∗ Spam In your Calendar? Here’s What to Do. ∗∗∗ --------------------------------------------- Many spam trends are cyclical: Spammers tend to switch tactics when one method of hijacking your time and attention stops working. But periodically they circle back to old tricks, and few spam trends are as perennial as calendar spam, in which invitations to click on dodgy links show up unbidden in your digital calendar application from Apple, Google and Microsoft. Heres a brief primer on what you can do about it. --------------------------------------------- https://krebsonsecurity.com/2019/09/spam-in-your-calendar-heres-what-to-do/ ===================== = Vulnerabilities = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 4, 2019 The Samba Team has released security updates to address a vulnerability in all versions of Samba from 4.9.0 onward. An attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/04/samba-releases-sec… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t. These releases will be made available on 10th September 2019 between approximately 1200-1600 UTC. These are security fix releases. The highest severity security issue fixed by these releases is rated as LOW. --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2019-September/000156.ht… ∗∗∗ Android Security Bulletin - September 2019 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2019-09-01.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (grafana, irssi, and jenkins), Debian (freetype, samba, and varnish), Fedora (community-mysql, kernel, kernel-headers, kernel-tools, and python-mitogen), openSUSE (postgresql10 and python-SQLAlchemy), Oracle (kdelibs and kde-settings and squid:4), Red Hat (kdelibs and kde-settings, kernel, kernel-rt, openstack-nova, qemu-kvm, and redis), Scientific Linux (kdelibs and kde-settings, kernel, and qemu-kvm), SUSE (ansible, java-1_7_1-ibm, libosinfo, [...] --------------------------------------------- https://lwn.net/Articles/798357/ ∗∗∗ Security Advisory - Version Downgrade Vulnerabilities on Smartphones and HiSuite ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190904-… ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4149) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.09.2019
by Daily end-of-shift report 03 Sep '19

03 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 02-09-2019 18:00 − Dienstag 03-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Nemty Ransomware Gets Distribution from RIG Exploit Kit ∗∗∗ --------------------------------------------- The operators of Nemty ransomware appear to have struck a distribution deal to target systems with outdated technology that can still be infected by exploit kits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distri… ∗∗∗ Fake BleachBit Website Built to Distribute AZORult Info Stealer ∗∗∗ --------------------------------------------- Cybercriminals are taking advantage of the popularity of the BleachBit disk cleaning tool to spread Azorult information stealer. For this purpose, they created a static web page that purports to be the official website for the utility. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-bleachbit-website-built… ∗∗∗ Credential Management and Enforcement for ICS/SCADA environments ∗∗∗ --------------------------------------------- In the world of Operational Technology (OT), Industrial Control Systems (ICS) comprise the majority of the segment. Where ICS assets are dispersed and require centralized data acquisition and control, Supervisory Control and Data Acquisition (SCADA) systems are used. --------------------------------------------- https://resources.infosecinstitute.com/credential-management-and-enforcemen… ∗∗∗ Ratgeber vom Hersteller: So erkennt man gehackte Cisco-Geräte ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat vier Guides für verschiedene Software veröffentlicht, die helfen sollen, Hinweise auf mögliche Kompromittierungen zu finden. --------------------------------------------- https://heise.de/-4512704 ∗∗∗ Meet Domen, a New and Sophisticated Social Engineering Toolkit ∗∗∗ --------------------------------------------- A new social engineering toolkit has been discovered. The operational premise has been used many times, but the execution of that premise is new and described by security researchers "a beautiful piece of work". --------------------------------------------- https://www.securityweek.com/meet-domen-new-and-sophisticated-social-engine… https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2019… ∗∗∗ Diese Kleinanzeigen-Betrugsmasche sollten Sie kennen ∗∗∗ --------------------------------------------- BetrügerInnen versuchen auf Online-Marktplätzen wie willhaben, shpock und Co, ohne Bezahlung an Ihre Ware zu kommen. Sie geben sich als vermeintliche Zahlungsdienstleister und Zwischenvermittler aus und senden Ihnen eine gefälschte Zahlungsbestätigung. Das Geld wird angeblich erst für Sie freigegeben, wenn Sie den zu viel überwiesenen Betrag für das Speditionsunternehmen oder eine Versandbestätigung des Paketes übermitteln. --------------------------------------------- https://www.watchlist-internet.at/news/diese-kleinanzeigen-betrugsmasche-so… ===================== = Vulnerabilities = ===================== ∗∗∗ 'USBAnywhere' Bugs Open Supermicro Servers to Remote Attackers ∗∗∗ --------------------------------------------- Trivial-to-exploit authentication flaws can give an unsophisticated remote attacker omnipotent control over a server and its contents. --------------------------------------------- https://threatpost.com/usbanywhere-bugs-supermicro-remote-attack/147899/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Fedora (ansible and wavpack), openSUSE (apache-commons-beanutils, apache2, go1.12, httpie, libreoffice, qemu, and slurm), Oracle (ghostscript), Scientific Linux (ghostscript), SUSE (ardana-ansible, ardana-barbican, ardana-cinder, ardana-cluster, ardana-cobbler, ardana-db, ardana-designate, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-horizon, ardana-input-model, ardana-installer-ui, ardana-ironic, ardana-keystone, ardana-logging, [...] --------------------------------------------- https://lwn.net/Articles/798225/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2019
by Daily end-of-shift report 02 Sep '19

02 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-08-2019 18:00 − Montag 02-09-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sodinokibi Ransomware Spreads via Fake Forums on Hacked Sites ∗∗∗ --------------------------------------------- A distributor for the Sodinokibi Ransomware is hacking into WordPress sites and injecting JavaScript that displays a fake Q & A forum post over the content of the original site. This fake post contains an "answer" from the sites "admin" that contains a link to the ransomware installer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spread… ∗∗∗ Oh there it is, Facebook shrugs as Free Basics private key found to be signing unrelated apps ∗∗∗ --------------------------------------------- Walled-garden Android platform security easily copied Facebook has insisted that losing control of the private key used to sign its Facebook Basics app is no biggie despite totally unrelated apps from other vendors, signed with the same key, popping up in unofficial repositories. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2019/09/02/facebook_ba… ∗∗∗ Analyse: Was bedeutet der iPhone-Massen-Hack? ∗∗∗ --------------------------------------------- Tausende iPhones wurden beim Besuch scheinbar harmloser Web-Sites gehackt. Wer steckt dahinter und wie schütze ich mich? --------------------------------------------- https://heise.de/-4511921 ∗∗∗ TrickBot Tricks U.S. Users into Sharing their PIN Codes ∗∗∗ --------------------------------------------- The threat actor behind the infamous TrickBot botnet has added new functionality to their malware to request PIN codes from mobile users, Secureworks reports. --------------------------------------------- https://www.securityweek.com/trickbot-tricks-us-users-sharing-their-pin-cod… ∗∗∗ WordPress sites under attack as hacker group tries to create rogue admin accounts ∗∗∗ --------------------------------------------- Hackers exploit vulnerabilities in more than ten WordPress plugins to plant backdoor accounts on unpatched sites. --------------------------------------------- https://www.zdnet.com/article/wordpress-sites-under-attack-as-hacker-group-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gosa, libav, libextractor, nghttp2, pump, and python2.7), Fedora (dovecot, mod_http2, and pango), Gentoo (dovecot, gnome-desktop, libofx, and nautilus), Mageia (ansible, ghostscript, graphicsmagick, memcached, mpg123, pango, vlc, wavpack, webmin, wireshark, and wpa_supplicant, hostapd), openSUSE (flatpak, libmirage, podman, slirp4netns and libcontainers-common, python-SQLAlchemy, and qemu), Red Hat (ghostscript, java-1.8.0-ibm, and squid:4), and SUSE [...] --------------------------------------------- https://lwn.net/Articles/798143/ ∗∗∗ Panasonic Video Insight VMS vulnerable to SQL injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN93833849/ ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Local File inclusion ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47340 ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47339 ∗∗∗ [webapps] Alkacon OpenCMS 10.5.x - Cross-Site Scripting ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47338 ∗∗∗ IBM Security Bulletin: Password vulnerability in IBM® Intelligent Operations Center (CVE-2019-4321) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2019
by Daily end-of-shift report 30 Aug '19

30 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-08-2019 18:00 − Freitag 30-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows 7: Update-Blockade für Symantec-Nutzer aufgehoben ∗∗∗ --------------------------------------------- Microsoft hat Windows-Updates wieder für Nutzer von Symantec Endpoint Protection freigegeben. --------------------------------------------- https://heise.de/-4509981 ∗∗∗ CERT-Bund warnt vor offenen Smarthome-Systemen ∗∗∗ --------------------------------------------- Fast 3000 Homematic-Systeme sind offenbar aus dem Internet erreichbar -- die meisten davon lassen sich beliebig fernsteuern. --------------------------------------------- https://heise.de/-4509977 ∗∗∗ It Saved Our Community: 16 Realistic Ransomware Defenses for Cities ∗∗∗ --------------------------------------------- Practical steps municipal governments can take to better prevent and respond to ransomware infections. --------------------------------------------- https://www.darkreading.com/edge/theedge/it-saved-our-community-16-realisti… ∗∗∗ A very deep dive into iOS Exploit chains found in the wild ∗∗∗ --------------------------------------------- Posted by Ian Beer, Project ZeroProject Zero’s mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere. Earlier this year Googles Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-ex… ∗∗∗ Scalable infrastructure for investigations and incident response ∗∗∗ --------------------------------------------- Traditional computer forensics and cyber investigations are as relevant in the cloud as they are in on-premise environments, but the methods in which to access and perform such investigations differ. This post will describe some of the challenges of bringing on-premises forensics techniques to the cloud and show one solution to overcome these challenges, using [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/08/30/scalable-infrastructure-for-… ∗∗∗ [SANS ISC] Malware Dropping a Local Node.js Instance ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Malware Dropping a Local Node.js Instance“: Yesterday, I wrote a diary about misused Microsoft tools[1]. I just found another interesting piece of code. This time the malware is using Node.js[2]. --------------------------------------------- https://blog.rootshell.be/2019/08/30/sans-isc-malware-dropping-a-local-node… ∗∗∗ Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware ∗∗∗ --------------------------------------------- Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab and answering some of those questions by exploring malware debug information. We find that malware developers give descriptive names to their folders and code projects, often describing the capabilities of the malware in development. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Change Healthcare McKesson and Horizon Cardiology ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect default permissions vulnerability in Change Healthcares cardiology devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-01 ∗∗∗ Philips HDI 4000 Ultrasound ∗∗∗ --------------------------------------------- This advisory contains mitigations for a use of obsolete function vulnerability in Philips HDI 4000 Ultrasound Systems diagnostic tool. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-241-02 ∗∗∗ Cisco Firepower 4100 and 9300 Security Appliance Local Management Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the process for creating default IP blocks during device initialization for Cisco Firepower 4100 Series and Firepower 9300 Security Appliances running Cisco FXOS Software could allow an unauthenticated, remote attacker to send traffic to the local IP address of the device, bypassing any filters that are configured to deny local IP management traffic. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, gettext, go, go-pie, libnghttp2, and pigeonhole), Debian (djvulibre, dovecot, and subversion), Fedora (sleuthkit and wireshark), openSUSE (containerd, docker, docker-runc, and qbittorrent), Oracle (pango), SUSE (kernel, nodejs10, and python-SQLAlchemy), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/797938/ ∗∗∗ Linux kernel vulnerability CVE-2019-10639 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32804955 ∗∗∗ Avira Optimizer Local Privilege Escalation ∗∗∗ --------------------------------------------- https://posts.specterops.io/avira-optimizer-local-privilege-escalation-af10… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-za ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-z ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-websphere-cast-ir… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2019
by Daily end-of-shift report 29 Aug '19

29 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-08-2019 18:00 − Donnerstag 29-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Samples Compiling Their Next Stage on Premise, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- I would like to cover today two different malware samples I spotted two days ago. They have one interesting behaviour in common: they compile their next stage on the fly directly on the victim's computer. At a first point, it seems weird but, after all, its an interesting approach to bypass low-level detection mechanisms that look for PE files. --------------------------------------------- https://isc.sans.edu/diary/rss/25278 ∗∗∗ ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information ∗∗∗ --------------------------------------------- Despite having an apparent lull in the first half of 2019, phishing will remain a staple in a cybercriminal’s arsenal, and theyre not going to stop using it. The latest example is a phishing campaign dubbed Heatstroke, based on a variable found in their phishing kit code. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hQZwZfgZ7U/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Buffer Overflow in Dovecot-Mailserver ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Dovecot-Mailserver könnte es Angreifern erlauben, Code auszuführen. Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-buffer-overflow-in-dovecot-mail… ∗∗∗ Kritische Lücke mit Höchstwertung in Ciscos Betriebssystem ISO EX ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für verschiedene Betriebssystem-Versionen für Netzwerkgeräte von Cisco. --------------------------------------------- https://heise.de/-4509454 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and faad2), openSUSE (schismtracker), Red Hat (ceph and pango), Scientific Linux (pango), SUSE (apache-commons-beanutils, ceph, php7, and qemu), and Ubuntu (ceph, dovecot, and ghostscript). --------------------------------------------- https://lwn.net/Articles/797775/ ∗∗∗ Nextgen Gallery < 3.2.11 - SQL Injection ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/9816 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-1543 in OpenSSL affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-master… ∗∗∗ External DNS Requests in Zyxel USG/UAG/ATP/VPN/NXC series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/external-dns-requests-in-zyxel-u… ∗∗∗ Hardcoded FTP Credentials in Zyxel NWA/NAP/WAC wireless access point series ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/hardcoded-ftp-credentials-in-zyx… ∗∗∗ A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member webserver (HTTP Desync Attack) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50375550 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0004.html ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0768 ∗∗∗ Kubernetes: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0769 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2019
by Daily end-of-shift report 28 Aug '19

28 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-08-2019 18:00 − Mittwoch 28-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Dangerous Cryptomining Worm Racks Up 850K Infections, Self-Destructs ∗∗∗ --------------------------------------------- Law enforcement takedown causes Retadup malware to eat itself. --------------------------------------------- https://threatpost.com/cryptomining-worm-infections-self-destructs/147767/ ∗∗∗ [Guest Diary] Open Redirect: A Small But Very Common Vulnerability, (Wed, Aug 28th) ∗∗∗ --------------------------------------------- This is a guest diary submitted by Jan Kopriva. Jan is working for Alef Nula (http://www.alef.com) and you can follow him on Twitter at @jk0pr --------------------------------------------- https://isc.sans.edu/diary/rss/25276 ∗∗∗ Extracting Certificates From the Windows Registry ∗∗∗ --------------------------------------------- I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. --------------------------------------------- https://blog.nviso.be/2019/08/28/extracting-certificates-from-the-windows-r… ∗∗∗ RAT Ratatouille: Backdooring PCs with leaked RATs ∗∗∗ --------------------------------------------- Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. --------------------------------------------- https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html ∗∗∗ Identitätsdiebstahl mit gefälschten Airbnb-Mails ∗∗∗ --------------------------------------------- Achtung: Kriminelle versenden erfundene Mails im Namen von Airbnb an zahlreiche Kundinnen und Kunden. Darin behaupten sie, dass das Konto gesperrt wurde und nun Kopien des Personalausweises, Selfies mit dem Ausweis neben dem Gesicht sowie eine handschriftliche Notiz zur Freischaltung notwendig wären. Die Nachricht muss ignoriert werden, andernfalls kommt es zu Identitätsmissbrauch! --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-mit-gefaelschte… ===================== = Vulnerabilities = ===================== ∗∗∗ Delta Controls enteliBUS Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigations for a buffer overflow vulnerability in Delta Controllers enteliBUS Controllers industrial control systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-01 ∗∗∗ Datalogic AV7000 Linear Barcode Scanner ∗∗∗ --------------------------------------------- This advisory contains mitigations for an authentication bypass using an alternate path vulnerability in Datalogics AV7000 Linear Barcode Scanners. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-239-02 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot), Fedora (docker and nghttp2), Oracle (pango), SUSE (apache2, fontforge, ghostscript-library, libreoffice, libvirt, podman, slirp4netns and libcontainers-common, postgresql10, and slurm), and Ubuntu (dovecot). --------------------------------------------- https://lwn.net/Articles/797579/ ∗∗∗ DLL Hijacking Flaw Patched in Check Point Endpoint Security ∗∗∗ --------------------------------------------- Researchers at SafeBreach discovered that Check Point’s Endpoint Security product is affected by a DLL hijacking vulnerability that can be exploited for privilege escalation and other purposes. read more --------------------------------------------- https://www.securityweek.com/dll-hijacking-flaw-patched-check-point-endpoin… ∗∗∗ CVE-2019-13609 - CRLF Vulnerability in Citrix License Server for Windows and VPX ∗∗∗ --------------------------------------------- A Carriage Return Line Feed (CRLF) injection vulnerability has been identified in Citrix License Server for Windows and VPX that could allow an unauthenticated attacker to bypass authentication and allow a malicious website to read or modify license server [...] --------------------------------------------- https://support.citrix.com/article/CTX257644 ∗∗∗ Realtek Managed Switch Controller RTL83xx Stack Overflow ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019080138 ∗∗∗ Security Advisory - Key Negotiation of Bluetooth (KNOB) Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190828-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a insecure Content-Security-Policy header vulnerability CVE-2019-4133 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2019
by Daily end-of-shift report 27 Aug '19

27 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Montag 26-08-2019 18:00 − Dienstag 27-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ macOS: Zurückgelassene Helper-Tools als Sicherheitsproblem ∗∗∗ --------------------------------------------- "Privileged Helper Tools" können es Mac-Malware erlauben, Root-Rechte zu erlangen, warnt ein Entwickler. Nutzer sollten zum Schutz selbst aktiv werden. --------------------------------------------- https://heise.de/-4507656 ∗∗∗ Mobile Menace Monday: Android Trojan raises xHelper ∗∗∗ --------------------------------------------- Since its introduction in May 2019, the xHelper dropper, an Android Trojan, has climbed to our top 10 list of most detected mobile malware. --------------------------------------------- https://blog.malwarebytes.com/android/2019/08/mobile-menace-monday-android-… ∗∗∗ New 4CAN tool helps identify vulnerabilities in on-board car computers ∗∗∗ --------------------------------------------- Modern automobiles contain hundreds of sensors and mechanics that communicate via computers to understand their surrounding environment. Those components provide real-time information to drivers, connect the vehicle to a global network, and in some cases use that telemetry to automatically drive the vehicle. Like any computer, those in vehicles are susceptible to threats, such as vulnerabilities in software ... --------------------------------------------- https://blog.talosintelligence.com/2019/08/new-4can-tool-helps-identify.html ∗∗∗ Free Decryption Tool Released for Syrk Ransomware ∗∗∗ --------------------------------------------- Security researchers have released a decryption tool which victims of Syrk ransomware can use to recover their files for free. Emsisoft found that Syrk arrived with its own decryptor, but the security firm decided to release its own utility for three reasons. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/free-de… ∗∗∗ Lojack’d: Pwning Smart vehicle trackers ∗∗∗ --------------------------------------------- This research is by @evstykas with help from @Yekki_1 and @TheKenMunroShow. Many car insurers insist that smart trackers are fitted to high end vehicles. In the event of theft, the car can be tracked and recovered. Probably the most well-known is LoJack, also known as Tracker in Europe. --------------------------------------------- https://www.pentestpartners.com/security-blog/lojackd-pwning-smart-vehicle-… ∗∗∗ Aufgepasst: Es kursieren gefährliche Raiffeisen-Phishing-Mails ∗∗∗ --------------------------------------------- Aktuell sind wieder Phishing-Mails im Namen der Raiffeisen Bank unterwegs. Angeblich ist eine Nachricht für Sie eingegangen. Um diese zu lesen, werden Sie aufgefordert, einem Link zu folgen. Sie landen auf einem Nachbau der Raiffeisen-Login-Seite. Kriminelle versuchen so, an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/aufgepasst-es-kursieren-gefaehrliche… ===================== = Vulnerabilities = ===================== ∗∗∗ Betriebssystem: Apple patcht WatchOS und iOS ∗∗∗ --------------------------------------------- Nutzer von Apples mobilen Betriebssystemen haben gegebenenfalls eine Update-Benachrichtigung auf ihren Geräten. Apple hat sowohl für die Apple Watch als auch für iPhone, iPod Touch und iPad ein neues Betriebssystem freigegeben. Unter iOS wird dabei auch eine Sicherheitslücke geschlossen. --------------------------------------------- https://www.golem.de/news/betriebssystem-apple-patcht-watchos-und-ios-1908-… ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 76.0.3809.132 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/08/27/google-releases-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and xymon), openSUSE (putty and vlc), Red Hat (kernel and ruby), Scientific Linux (advancecomp, bind, binutils, blktrace, compat-libtiff3, curl, dhcp, elfutils, exempi, exiv2, fence-agents, freerdp and vinagre, ghostscript, glibc, gvfs, http-parser, httpd, kde-workspace, keepalived, kernel, keycloak-httpd-client-install, libarchive, libcgroup, libguestfs-winsupport, libjpeg-turbo, libmspack, libreoffice, libsolv, libssh2, libtiff, libvirt, ... --------------------------------------------- https://lwn.net/Articles/797442/ ∗∗∗ IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to a denial of service (CVE-2019-10072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-tomcat-as-used… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2019
by Daily end-of-shift report 26 Aug '19

26 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-08-2019 18:00 − Montag 26-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing-Mail: Keine 1.957,05 Euro Rückzahlung vom Finanzministerium! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische Phishing-Mails im Namen des Bundesministeriums für Finanzen (BMF), in denen sie Konsument/innen über eine angebliche Rückzahlung über 1957 Euro informieren. Empfänger/innen dürfen den Links in der Nachricht nicht folgen und keine Daten bekanntgeben. Sie landen in den Händen Krimineller und können für weitere Verbrechen missbraucht werden. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-keine-195705-euro-ruec… ∗∗∗ Lenovo Crapware: Vorinstallierte Systemsoftware macht Laptops angreifbar ∗∗∗ --------------------------------------------- Wer noch das Lenovo Solution Center auf seinem System hat, sollte es schnellstmöglich deinstallieren. --------------------------------------------- https://heise.de/-4505088 ∗∗∗ Jetzt patchen! Exploit-Code für Cisco-Switches in Umlauf ∗∗∗ --------------------------------------------- Es könnten Angriffe auf Switches von Cisco bevorstehen. Sicherheitsupdates gibt es bereits seit Anfang August. --------------------------------------------- https://heise.de/-4505182 ∗∗∗ Attackers are targeting vulnerable Fortigate and Pulse Secure SSL VPNs ∗∗∗ --------------------------------------------- Attackers are taking advantage of recently released vulnerability details and PoC exploit code to extract private keys and user passwords from vulnerable Pulse Connect Secure SSL VPN and Fortigate SSL VPN installations. About the vulnerabilities Attackers have been scanning for and targeting two vulnerabilities: CVE-2019-11510, an arbitrary file reading vulnerability in Pulse Connect Secure CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web portal. --------------------------------------------- https://www.helpnetsecurity.com/2019/08/26/vulnerable-fortigate-pulse-secur… ∗∗∗ Malicious WordPress Redirect Campaign Attacking Several Plugins ∗∗∗ --------------------------------------------- Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations. --------------------------------------------- https://www.wordfence.com/blog/2019/08/malicious-wordpress-redirect-campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, libreoffice-still, nginx, nginx-mainline, and subversion), Debian (commons-beanutils, h2o, libapache2-mod-auth-openidc, libmspack, qemu, squid, and tiff), Fedora (kubernetes, libmodbus, nfdump, and nodejs), openSUSE (dkgpg, libTMCG, go1.12, neovim, python, qbittorrent, schismtracker, teeworlds, thunderbird, and zstd), and SUSE (go1.11, go1.12, python-SQLAlchemy, and python-Twisted). --------------------------------------------- https://lwn.net/Articles/797286/ ∗∗∗ IBM Security Bulletin: IBM Db2 Mirror for i is affected by CVE-2019-4536 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-mirror-for-i-… ∗∗∗ IBM Security Bulletin: IBM Cloud Automation Manager is affected by a forbidden resouce redirect for bad API path CVE-2019-4132 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-automation-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2019
by Daily end-of-shift report 23 Aug '19

23 Aug '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-08-2019 18:00 − Freitag 23-08-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Many Possibilities of CVE-2019-8646 ∗∗∗ --------------------------------------------- CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use this bug. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/08/the-many-possibilities-of-cv… ∗∗∗ Instagram phishing uses 2FA as a lure ∗∗∗ --------------------------------------------- If the phishing page looks OK, and it has an HTTPS padlock, how are you supposed to spot phishes these days? --------------------------------------------- https://nakedsecurity.sophos.com/2019/08/23/instagram-phishing-uses-2fa-as-… ∗∗∗ Simple Mimikatz & RDPWrapper Dropper, (Thu, Aug 22nd) ∗∗∗ --------------------------------------------- Let's review a malware sample that I spotted a few days ago. I found it interesting because it's not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I started to hunt for more Powershell based on encoded directives. The following regular expression matched on the file: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25262 ∗∗∗ Sommerferien vorbei – Emotet ist zurück ∗∗∗ --------------------------------------------- Seit Freitag früh sind die Server der wohl gefährlichsten Cybercrime-Bande wieder aktiv. --------------------------------------------- https://heise.de/-4503467 ∗∗∗ Hackers Target Vulnerabilities in Fortinet, Pulse Secure Products ∗∗∗ --------------------------------------------- Recently disclosed vulnerabilities affecting enterprise virtual private network (VPN) products from Fortinet and Pulse Secure have been exploited in the wild, a researcher reported on Thursday. --------------------------------------------- https://www.securityweek.com/hackers-target-vulnerabilities-fortinet-pulse-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, nginx, and openjdk-7), Fedora (httpd, mod_md, nghttp2, and patch), and SUSE (rubygem-loofah). --------------------------------------------- https://lwn.net/Articles/797049/ ∗∗∗ PrivEsc in Lenovo Solution Centre, 10 minutes later ∗∗∗ --------------------------------------------- CVE-2019-6177 – Lenovo Solution Centre Privilege Escalation. Slow, but sure. TL;DR We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices. Lenovo say LSC has been shipped since 2011, but haven’t been clear about when they stopped shipping it by default with new devices. --------------------------------------------- https://www.pentestpartners.com/security-blog/privesc-in-lenovo-solution-ce… ∗∗∗ IBM Security Bulletin: Remote Execution Vulnerability Affects Red Hat Linux Used By IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter (CVE-2019-12735) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-remote-execution-vuln… ∗∗∗ Spectre SWAPGS gadget vulnerability CVE-2019-1125 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31085564 ∗∗∗ HPESBUX03950 rev.1 - HP-UX Web Server Suite running Apache on HP-UX 11iv3, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily