=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 24-09-2019 18:00 − Mittwoch 25-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ vBulletin Zero-Day Exploited for Years, Gets Unofficial Patch ∗∗∗
---------------------------------------------
A zero-day exploit for the vBulletin forum platform was publicly disclosed and quickly used to attack affected versions of the forum software. It turns out, though, that this exploit has been known, utilized, and sold by researchers and attackers for years.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vbulletin-zero-day-exploited…
∗∗∗ Free Decryptors Released for Two Ransomware Families ∗∗∗
---------------------------------------------
Security researchers have released decryption tools which victims of two different ransomware families can use to recover their files for free. On 25 September, Kaspersky Lab unveiled decryptors for both the Yatron and FortuneCrypt crypto-ransomware families.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/free-de…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple Releases Security Updates ∗∗∗
---------------------------------------------
Original release date: September 25, 2019Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit one of these vulnerabilities to obtain access to sensitive information.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/09/25/apple-releases-sec…
∗∗∗ Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ VMSA-2019-0015 ∗∗∗
---------------------------------------------
VMware Cloud Foundation and VMware Harbor Container Registry for PCF address remote escalation of privilege vulnerability (CVE-2019-16097)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0015.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, libgcrypt20, and spip), Fedora (compat-openssl10, expat, ghostscript, ibus, java-1.8.0-openjdk-aarch32, and SDL2_image), openSUSE (bird, chromium, kernel, libreoffice, links, and varnish), Oracle (httpd:2.4 and qemu-kvm), Red Hat (kernel), Scientific Linux (qemu-kvm), SUSE (djvulibre, dovecot22, ghostscript, kernel, libxml2, and python-Twisted), and Ubuntu (file-roller and libreoffice).
---------------------------------------------
https://lwn.net/Articles/800553/
∗∗∗ [20190901] - Core - XSS in logo parameter of default templates ∗∗∗
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/PO-TPPu7rQ0/791-20190901-c…
∗∗∗ SBA-ADV-20190911-01: Easy FancyBox Wordpress Plugin Stored Cross-site Scripting (XSS) ∗∗∗
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/9000d9bfd120a1b8f5f1643e5f…
∗∗∗ Security Advisory - Two Integer overflow Vulnerabilities in Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-…
∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Gauss100 OLTP Database of Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-…
∗∗∗ Security Advisory - Improper Validation Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-…
∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-…
∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Linux Kernel as used in IBM QRadar Network Packet Capture is vulnerable to denial of service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-…
∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance command server is vulnerable to a denial of service attack caused by specially crafted PCF messages (CVE-2019-4378) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app…
∗∗∗ IBM Security Bulletin: Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2019-10241, CVE-2019-10246 & CVE-2019-10247) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-java-vulnerability-af…
∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty Admin Center in IBM Cloud (CVE-2019-4285) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab…
∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Server Side Request Forgery (CVE-2019-4262) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu…
∗∗∗ IBM Security Bulletin:IBM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletinibm-security-identity-…
∗∗∗ BIG-IQ services for stats vulnerability CVE-2019-6652 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K23101430
∗∗∗ BIG-IP APM Edge Client logging vulnerability CVE-2019-6656 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K23876153
∗∗∗ BIG-IP Analytics vulnerability CVE-2019-6655 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31152411
∗∗∗ Martian address filtering vulnerability CVE-2019-6654 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K45644893
∗∗∗ BIG-IQ vulnerability CVE-2019-6653 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K71712132
∗∗∗ REST Framework vulnerability CVE-2019-6651 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K89509323
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 23-09-2019 18:00 − Dienstag 24-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MITRE ATT&CK vulnerability spotlight: Access token manipulation ∗∗∗
---------------------------------------------
MITRE is a U.S. government federally-funded research and development center (FFRDC) which performs a large amount of research and assessment as a trusted third party for the government. One of their research areas is cybersecurity, and they have developed the MITRE ATT&CK matrix to help with research and education about cybersecurity threats.
---------------------------------------------
https://resources.infosecinstitute.com/mitre-attck-access-token-manipulatio…
∗∗∗ Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs ∗∗∗
---------------------------------------------
Im keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain remotewebaccess.com.
---------------------------------------------
https://isc.sans.edu/forums/diary/Huge+Amount+of+remotewebaccesscom+Sites+F…
∗∗∗ E-Mail der Chaos-Hacking-Gruppe ignorieren ∗∗∗
---------------------------------------------
Angeblich hat sich die Chaos-Hacking-Gruppe in Ihr E-Mail-Konto und Betriebssystem gehackt und Ihr Surfverhalten drei Monate lang beobachtet. Die Kriminellen behaupten, Sie beim Surfen auf Porno-Seiten erwischt und bei intimen Handlungen gefilmt zu haben. Damit das Video über Sie nicht an all Ihre Kontakte gesendet wird, fordern die Hacker eine Überweisung von 2.000 Euro in Form von Bitcoins.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-der-chaos-hacking-gruppe-igno…
∗∗∗ No summer vacations for Zebrocy ∗∗∗
---------------------------------------------
ESET researchers describe the latest components used in a recent Sednit campaign The post No summer vacations for Zebrocy appeared first on WeLiveSecurity
---------------------------------------------
https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Updates Available for ColdFusion (APSB19-47) ∗∗∗
---------------------------------------------
Adobe has published a Security Bulletin (APSB19-47) for ColdFusion versions 2018 and 2016. These updates resolve two critical and one moderate vulnerability that could lead to arbitrary code execution and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1789
∗∗∗ Notfallpatch: Attacken gegen Internet Explorer ∗∗∗
---------------------------------------------
Ein Update schließt eine kritische Lücke im Internet Explorer – es ist aber noch nicht über Windows Update verfügbar. Auch Windows Defender bekommt einen Patch.
---------------------------------------------
https://heise.de/-4537525
∗∗∗ Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild ∗∗∗
---------------------------------------------
Description: XSS Via Unauthenticated Plugin Options Update Affected Plugin: Rich Reviews Affected Versions: [...]
---------------------------------------------
https://www.wordfence.com/blog/2019/09/rich-reviews-plugin-vulnerability-ex…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php5), Fedora (blis, kernel, and kernel-headers), openSUSE (bird, curl, fish3, ghostscript, ibus, kernel, libgcrypt, openldap2, openssl-1_1, skopeo, and util-linux and shadow), Oracle (dovecot and kernel), Red Hat (dovecot, httpd:2.4, qemu-kvm, and redhat-virtualization-host), Scientific Linux (dovecot), SUSE (djvulibre, expat, firefox, libopenmpt, and rust), and Ubuntu (ibus and Mosquitto).
---------------------------------------------
https://lwn.net/Articles/800448/
∗∗∗ IBM Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator…
∗∗∗ IBM Security Bulletin: IBM Cloud Private for Data is affected by a vulnerability in Go Language (CVE-2019-6486) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-for…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 20-09-2019 18:00 − Montag 23-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Zunahme von erfolgreichen Cyber-Angriffen mit Emotet – BSI rät zu Schutzmaßnahmen ∗∗∗
---------------------------------------------
Cyber-Angriffe mit der Schadsoftware Emotet haben in den vergangenen Tagen erhebliche Schäden in der deutschen Wirtschaft, aber auch bei Behörden und Organisationen verursacht. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt daher erneut eindringlich vor dieser Schadsoftware und gibt ausführliche Hinweise zum Schutz vor Emotet. Auch Privatanwender stehen im Fokus der Angreifer.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Emotet-Warn…
∗∗∗ Meet Stop Ransomware: The Most Active Ransomware Nobody Talks About ∗∗∗
---------------------------------------------
Have you ever heard of the STOP Ransomware? Probably not, as few write about it, most researchers dont cover it, and for the most part it targets consumers through cracked software, adware bundles, and shady sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-mos…
∗∗∗ What you should know about Ryuk ransomware ∗∗∗
---------------------------------------------
The ransomware called Ryuk has established ransomware as a lucrative enterprise product. This sentence may sound provocative, as it is treating cybercriminals like businesspeople, but this is what Ryuk is about - making money. This strain of ransomware is estimated by Crowdstrike to have made the gang behind it over $3.7 million USD since [...]
---------------------------------------------
https://resources.infosecinstitute.com/what-you-should-know-about-ryuk-rans…
∗∗∗ Hello! My name is Dtrack ∗∗∗
---------------------------------------------
When we first discovered ATMDtrack, we thought we were just looking at another ATM malware family. Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack.
---------------------------------------------
https://securelist.com/my-name-is-dtrack/93338/
∗∗∗ YARA XOR Strings: an Update, (Sun, Sep 22nd) ∗∗∗
---------------------------------------------
Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key.
---------------------------------------------
https://isc.sans.edu/diary/rss/25346
∗∗∗ Bereit für NISG & NISV? – Anforderungen an den Umgang mit Sicherheitsvorfällen ∗∗∗
---------------------------------------------
Es ist so weit - Österreich hat mit dem Beschluss der Netz- und Informationssystemsicherheitsverordnung (NISV) nun konkrete Netzwerk- und Informationssicherheitsanforderungen für Anbietern wesentlicher Dienste i.S.d. Netz- und Informationssystemsicherheitsgesetz (NISG) festgelegt.
---------------------------------------------
https://www.sec-consult.com/blog/2019/09/bereit-fuer-nisg-nisv-anforderunge…
∗∗∗ Dear network operators, please use the existing tools to fix security ∗∗∗
---------------------------------------------
The internets security and stability would be significantly improved if network operators implemented protocols that were already written into technical standards and if vendors provided better tools for fixing security.
---------------------------------------------
https://www.zdnet.com/article/dear-network-operators-please-use-the-existin…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdates: Jira Server und Data Center vor Schadcode-Attacken gefährdet ∗∗∗
---------------------------------------------
Verschiedene Software von Jira ist über kritische Sicherheitslücken attackierbar. Angreifer könnten die Kontrolle über Server übernehmen.
---------------------------------------------
https://heise.de/-4536050
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat, php-pecl-http, and php7.0), Fedora (ImageMagick, jackson-annotations, jackson-bom, jackson-core, jackson-databind, and rubygem-rmagick), Mageia (chromium-browser-stable, ibus, kernel, samba, and thunderbird), openSUSE (chromium), Oracle (dovecot and kernel), Red Hat (dbus, kernel, kernel-alt, and kpatch-patch), Scientific Linux (dovecot and kernel), and SUSE (expat, ibus, kernel, kernel-source-rt, nmap, openssl, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/800377/
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190921-…
∗∗∗ Security Advisory - Race Condition Vulnerability on Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190911-…
∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager stores password in clear text (CVE-2019-4566) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life…
∗∗∗ IBM Security Bulletin: Apache Commons Compress vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-12402) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-commons-compre…
∗∗∗ IBM Security Bulletin: Node.js vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-vulnerabiliti…
∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4285) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-2684, CVE-2019-4473, CVE-2019-11771) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 19-09-2019 18:00 − Freitag 20-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Forcepoint Fixes Privilege Escalation Bug in Windows VPN Client ∗∗∗
---------------------------------------------
A vulnerability affecting all versions of Forcepoint VPN Client for Windows, save the latest release, can be used to achieve persistence and evade detection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/forcepoint-fixes-privilege-e…
∗∗∗ Fake SSO Used In Multi-Email Provider Phishing ∗∗∗
---------------------------------------------
Single sign-on (SSO) allows users to sign into a single account (e.g Google) and access other services like YouTube or Gmail without authenticating with a separate username and password. This feature also extends to third party services such as the popular Dropbox file sharing application, which offers users the option to access their account using Google’s authentication from their sign in page. Malicious Pages Mimic Popular Login Workflows [...]
---------------------------------------------
https://blog.sucuri.net/2019/09/fake-sso-used-in-multi-email-provider-phish…
∗∗∗ Blacklisting or Whitelisting in the Right Way ∗∗∗
---------------------------------------------
Its Friday today, Id like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" bsides the automated processing of data. The approach to implement them is quite different:
---------------------------------------------
https://isc.sans.edu/forums/diary/Blacklisting+or+Whitelisting+in+the+Right…
∗∗∗ Wenn Instagram- und Facebook-Freunde nach der Handynummer fragen ∗∗∗
---------------------------------------------
Zahlreiche NutzerInnen berichten derzeit, dass sie von FreundInnen über den Instagram-Chat oder den Facebook-Messenger nach ihrer Handynummer gefragt werden. Anschließend wird noch nach einem 4-stelligen PIN Code gefragt. Achtung! Hier schreiben nicht die FreundInnen. Deren Zugang wurde gehackt. Kriminelle versuchen so, ein kostenpflichtiges Abo abzuschließen.
---------------------------------------------
https://www.watchlist-internet.at/news/wenn-instagram-und-facebook-freunde-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Tridium Niagara ∗∗∗
---------------------------------------------
This advisory contains mitigations for information exposure and improper authorization vulnerabilities in Tridiums Niagara business application framework software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-262-01
∗∗∗ WECON LeviStudioU (Update A) ∗∗∗
---------------------------------------------
WECON has produced Version 1.8.69 to fix the reported vulnerabilities in Version 1.8.56; however, exploits are still successful against this updated version.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/ICSA-19-036-03
∗∗∗ VMSA-2019-0014 ∗∗∗
---------------------------------------------
VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0014.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bird, opendmarc, php7.3, and qemu), Fedora (bird, dino, nbdkit, and openconnect), Oracle (nginx:1.14, patch, and thunderbird), Red Hat (dovecot, kernel, kernel-alt, and kernel-rt), Scientific Linux (thunderbird), and SUSE (kernel, openssl, openssl-1_1, python-SQLAlchemy, and python-Werkzeug).
---------------------------------------------
https://lwn.net/Articles/800149/
∗∗∗ Western Digital My Book World II NAS 1.02.12 Hardcoded Credential ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2019090130
∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by Cross-Site Request Forgery (CVE-2019-4515 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Synthetic Playback Agent 8.1.4 is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-synthetic-playback-ag…
∗∗∗ IBM Security Bulletin: Synthetic Playback Agent 8.1.4.x is affected by multiple vulnerabilities of Mozilla Firefox ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-synthetic-playback-ag…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 18-09-2019 18:00 − Donnerstag 19-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake Human Verification Spam ∗∗∗
---------------------------------------------
We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019. One of these newly targeted plugins was Advanced Booking Calendar — and it didn’t take long before we were receiving clean up requests for websites that had already been exploited through this plugin.
---------------------------------------------
https://blog.sucuri.net/2019/09/fake-human-verification-spam.html
∗∗∗ Agent Tesla Trojan Abusing Corporate Email Accounts ∗∗∗
---------------------------------------------
The trojan Agent Tesla is not brand new, discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1].
---------------------------------------------
https://isc.sans.edu/forums/diary/Agent+Tesla+Trojan+Abusing+Corporate+Emai…
∗∗∗ Shhmon — Silencing Sysmon via Driver Unload ∗∗∗
---------------------------------------------
https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5…
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Lücke erlaubt Root-Zugriff auf D-Link-NAS DNS-320 ∗∗∗
---------------------------------------------
Ein Update schließt eine Schwachstelle mit Höchstwertung im Netzwerkspeicher DNS-320 von D-Link.
---------------------------------------------
https://heise.de/-4533707
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, [...]
---------------------------------------------
https://lwn.net/Articles/799971/
∗∗∗ Critical Vulnerability in Harbor Enables Privilege Escalation from Zero to Admin (CVE-2019-16097) ∗∗∗
---------------------------------------------
Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The maintainers of Harbor released a patch that closes this critical security hole.
---------------------------------------------
https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enable…
∗∗∗ TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2019-067
∗∗∗ Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2019-066
∗∗∗ Kubernetes: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0826
∗∗∗ Cisco HyperFlex Software Counter Value Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco HyperFlex Software Cross-Frame Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei CloudEngine Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190918-…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM Security QRadar Packet Capture is vulnerable to Denial of Service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-3896) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-qradar-p…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct File Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system and Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs CVE-2019-4473 and CVE-2019-11771 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-eclipse-openj9-could-…
∗∗∗ IBM Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE’s (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-as-used-in-ib…
∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 17-09-2019 18:00 − Mittwoch 18-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Warning: Researcher Drops phpMyAdmin Zero-Day Affecting All Versions ∗∗∗
---------------------------------------------
A cybersecurity researcher recently published details and proof-of-concept for an unpatched zero-day vulnerability in phpMyAdmin—one of the most popular applications for managing the MySQL and MariaDB databases.
---------------------------------------------
https://thehackernews.com/2019/09/phpmyadmin-csrf-exploit.html
∗∗∗ Clever New DDoS Attack Gets a Lot of Bang for a Hackers Buck ∗∗∗
---------------------------------------------
By exploiting the WS-Discovery protocol, a new breed of DDoS attack can get a huge rate of return.
---------------------------------------------
https://www.wired.com/story/ddos-attack-ws-discovery
∗∗∗ FAQ: Emotet (bei Heise) ∗∗∗
---------------------------------------------
Seit die Heise Gruppe von einer Emotet-Infektion betroffen war, erreichen uns immer wieder Rückfragen. Hier die Antworten auf die häufigsten davon.
---------------------------------------------
https://heise.de/-4517354
∗∗∗ SMS von "PostInfo" führt in Abo-Falle ∗∗∗
---------------------------------------------
Zahlreiche HandynutzerInnen erhalten momentan eine SMS von PostInfo. Sie haben angeblich etwas bei einer Verlosung gewonnen. Um den Gewinn einzulösen, müssen sie einem Link folgen. Dieser führt zu einer Umfrage auf einer gefälschten Post-Seite. Achtung: dieses SMS stammt nicht von der Post, sondern von Kriminellen. Sie werden in eine Abo-Falle gelockt.
---------------------------------------------
https://www.watchlist-internet.at/news/sms-von-postinfo-fuehrt-in-abo-falle/
∗∗∗ Daily Emotet IoCs and Notes for 09/16/19 ∗∗∗
---------------------------------------------
Emotet Malware Document links/IOCs for 09/16/19 as of 09/17/19 02:30 EDTNotes and Credits at the bottom Follow us on twitter @cryptolaemus1 for more updates.
---------------------------------------------
https://paste.cryptolaemus.com/emotet/2019/09/16/emotet-malware-IoCs_09-16-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Advantech WebAccess ∗∗∗
---------------------------------------------
This advisory contains mitigations for code injection, command injection, stack-based buffer overflow, and improper authorization vulnerabilities in Advantechs WebAccess HMI platform.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-260-01
∗∗∗ Honeywell Performance IP Cameras and Performance NVRs ∗∗∗
---------------------------------------------
This advisory includes mitigations for an information exposure vulnerability in the Honeywell Performance IP Cameras and Performance NVRs product.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-260-03
∗∗∗ HPESBHF03844 rev.3 - HPE Integrated Lights-Out 4, 5 (iLO 4, 5) iLO Moonshot and Moonshot iLO Chassis Manager, Remote or Local Code Execution ∗∗∗
---------------------------------------------
Version:3 (rev.3) - 17 September 2019 added iLO Moonshot and Moonshot iLO Chassis Manager
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ HPESBHF03866 rev.3 - HPE Integrated Lights-Out 3,4,5 iLO Moonshot and Moonshot iLO Chassis Manager, using SSH, Remote Execution of Arbitrary Code, Local Disclosure of Sensitive Information ∗∗∗
---------------------------------------------
Version:3 (rev.3) - 17 September 2019 added iLO Moonshot and Moonshot iLO Chassis Manager
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Security update available in Foxit Studio Photo 3.6.6.913 ∗∗∗
---------------------------------------------
Foxit has released Foxit Studio Photo 3.6.6.913, which addresses potential security and stability issues.
---------------------------------------------
https://www.foxitsoftware.com/support/security-bulletins.php
∗∗∗ Kritisches Update für AMD-Grafikkarten löst spezielles Sicherheitsproblem ∗∗∗
---------------------------------------------
Die Kombination von VMware Workstation Pro und AMD-GPUs könnte die Computersicherheit gefährden.
---------------------------------------------
https://heise.de/-4533148
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa).
---------------------------------------------
https://lwn.net/Articles/799765/
∗∗∗ WAGO Series PFC100/PCF200 Information Disclosure ∗∗∗
---------------------------------------------
The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations.
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2019-017
∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager uses Weak password policy (CVE-2019-4565) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life…
∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2019 – Includes Oracle Jul 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo…
∗∗∗ IBM Security Bulletin: Vulnerability in Eclipse Jetty affecting Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ecli…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities have been identified in bundled libraries of IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2019-12086, CVE-2019-0201) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects…
∗∗∗ Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF ∗∗∗
---------------------------------------------
https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-x…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-09-2019 18:00 − Dienstag 17-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Emotet Revived with Large Spam Campaigns Around the World ∗∗∗
---------------------------------------------
Less than a month after reactivating its command and control (C2) servers, the Emotet botnet has come to like by spewing spam messages to countries around the globe.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-revived-with-large-sp…
∗∗∗ Misuse of WordPress update_option() function Leads to Website Infections ∗∗∗
---------------------------------------------
In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission flow correctly, attackers can gain admin access or inject arbitrary data into any website. Note: The WordPress update_option() function cannot be used maliciously if the developer correctly implements it in their code.
---------------------------------------------
https://blog.sucuri.net/2019/09/misuse-of-wordpress-update_option-function-…
∗∗∗ Explaining Server Side Template Injections ∗∗∗
---------------------------------------------
[...] Exploiting SSTI in strange cases will be the next post I make. Any and all feedback is appreciated
---------------------------------------------
https://0x00sec.org/t/explaining-server-side-template-injections/16297
∗∗∗ 2019 CWE Top 25 Most Dangerous Software Errors ∗∗∗
---------------------------------------------
The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working.
---------------------------------------------
https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
∗∗∗ Investigating Gaps in your Windows Event Logs ∗∗∗
---------------------------------------------
I recently TAd the SANS SEC 504 class (Hacker Tools, Techniques, Exploits, and Incident Handling) , and one of the topics we covered was attackers "editing" windows event logs to cover their tracks, especially the Windows Security Event Log.
---------------------------------------------
https://isc.sans.edu/forums/diary/Investigating+Gaps+in+your+Windows+Event+…
∗∗∗ Phishing: BAWAG PSK fordert keine Datenbestätigung per E-Mail ∗∗∗
---------------------------------------------
Kriminelle geben sich als BAWAG PSK Bank aus und behaupten, dass Online-Banking-NutzerInnen aufgrund der EU-Zahlungsrichtlinie ihre Daten bestätigen müssen. Angeblich sei auch das Konto gesperrt. Es handelt sich jedoch um einen Vorwand, um an Zugangsdaten zu kommen. Klicken Sie keinesfalls auf den Button, Sie gelangen zu einer gefälschten Login-Seite!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-bawag-psk-fordert-keine-dat…
∗∗∗ MISP 2.4.116 released (aka the new decaying feature) ∗∗∗
---------------------------------------------
A new version of MISP (2.4.116) has been release, including a long awaited major new feature that deals with decaying indicators in addition to a new ATT&CK sightings export and a new sync priority capability.
---------------------------------------------
https://www.misp-project.org/2019/09/17/MISP.2.4.116.released.html
∗∗∗ Gootkit malware crew left their database exposed online without a password ∗∗∗
---------------------------------------------
Even cyber-criminal gangs cant secure their MongoDB servers properly.
---------------------------------------------
https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-expo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira ∗∗∗
---------------------------------------------
Ben Taylor of Cisco ASIG discovered these vulnerabilities.Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and [...]
---------------------------------------------
https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-se…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/799509/
∗∗∗ SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices ∗∗∗
---------------------------------------------
Researchers have discovered many vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices as part of a project dubbed SOHOpelessly Broken 2.0.
---------------------------------------------
https://www.securityweek.com/sohopelessly-broken-20-125-vulnerabilities-fou…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Apache HTTPD vulnerability CVE-2019-10098 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K25126370
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 13-09-2019 18:00 − Montag 16-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Gefährliche Sicherheitslücken in Überwachungskameras von Dahua ∗∗∗
---------------------------------------------
Angreifer könnten einige Dahua-Überwachungskameras attackieren und in ein Botnetz zwingen. Sicherheitsupdates stehen zum Download bereit.
---------------------------------------------
https://heise.de/-4523355
∗∗∗ Fake-Bewerbung von "Eva Richter" hat Erpressungstrojaner Ordinypt im Gepäck ∗∗∗
---------------------------------------------
Vorsicht: Derzeit sind wieder gefälschte Bewerbungen mit gefährlichem Dateianhang in Umlauf. Wer darauf reinfällt, steht vor einem digitalen Scherbenhaufen.
---------------------------------------------
https://heise.de/-4523365
∗∗∗ How to Enable Ransomware Protection in Windows 10 ∗∗∗
---------------------------------------------
Windows Defender includes a security feature called "Ransomware Protection" that allows you to enable various protections against ransomware infections. This feature is disabled by default in Windows 10, but with ransomware running rampant, it is important to enable this feature in order to get the most protection on your computer.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/how-to-enable-ransomware-pr…
∗∗∗ iPhone: PIN-Sperre in iOS 13 umgangen ∗∗∗
---------------------------------------------
Der Sperrbildschirm in iOS 13 kann mit einem einfachen Trick umgangen werden. So kann auf das Adressbuch des Besitzers zugegriffen werden. iOS 13 soll am 19. September veröffentlicht werden - die Lücke will Apple bis dahin nicht schließen.
---------------------------------------------
https://www.golem.de/news/iphone-pin-sperre-in-ios-13-umgangen-1909-143860-…
∗∗∗ WordPress XSS Bug Allows Drive-By Code Execution ∗∗∗
---------------------------------------------
Sites that use the Gutenberg (found in WordPress 5.0 to 5.2.2) are open to complete takeover.
---------------------------------------------
https://threatpost.com/wordpress-xss-drive-by-code-execution/148324/
∗∗∗ Dissecting the WordPress 5.2.3 Update ∗∗∗
---------------------------------------------
Last week, WordPress released version 5.2.3 which was a security and maintenance update, and as such, contained many security fixes. Part of our day to day work is to analyse these security releases, discover what security issue it is fixing and come up with a Proof of Concept for further internal testing.
---------------------------------------------
https://blog.sucuri.net/2019/09/dissecting-the-wordpress-5-2-3-update.html
∗∗∗ Smishing Explained: What It Is and How to Prevent It ∗∗∗
---------------------------------------------
Do you remember the last time you’ve interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently as of late? It’s no accident. Whereas marketers and communications professionals can’t count on email opens or users accepting push notifications from apps, they’re well aware that around [...]
---------------------------------------------
https://www.webroot.com/blog/2019/09/16/smishing-explained-what-it-is-and-h…
∗∗∗ You Can Run, But You Can't Hide - Detecting Process Reimaging Behavior ∗∗∗
---------------------------------------------
Around 3 months ago, a new attack technique was introduced to the InfoSec community known as "Process Reimaging." This technique was released by the McAfee Security team in a blog titled — "In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass." A few days after this attack technique was released, a co-worker and friend of mine - Dwight Hohnstein - came out with proof of concept code demonstrating this technique, [...]
---------------------------------------------
https://posts.specterops.io/you-can-run-but-you-cant-hide-detecting-process…
∗∗∗ Open source breach and attack simulation tool Infection Monkey gets new features ∗∗∗
---------------------------------------------
Guardicore, a leader in internal data center and cloud security, unveiled new capabilities for its Infection Monkey that make it the industry’s first Zero Trust assessment tool. Added features extend the functionality of the already successful Infection Monkey, a free, open source breach and attack simulation tool used by thousands to demonstrate and analyze their environments against lateral movement and attacks.
---------------------------------------------
https://www.helpnetsecurity.com/2019/09/16/infection-monkey-tool/
∗∗∗ LastPass Patches Bug Leaking Last-Used Credentials ∗∗∗
---------------------------------------------
A vulnerability recently addressed in LastPass could be abused by attackers to expose the last site credentials filled by LastPass. A freemium password manager, LastPass stores encrypted passwords online and provides users with a web interface to access them, as well as with plugins for web browsers and apps for smartphones.
---------------------------------------------
https://www.securityweek.com/lastpass-patches-bug-leaking-last-used-credent…
∗∗∗ Sophos open-sources Sandboxie, a utility for sandboxing any application ∗∗∗
---------------------------------------------
Sandboxie is now a free download. Source code to be open-sourced at a later date.
---------------------------------------------
https://www.zdnet.com/article/sophos-open-sources-sandboxie-a-utility-for-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2019-0013 ∗∗∗
---------------------------------------------
VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities. (CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0013.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, faad2, linux-4.9, and thunderbird), Fedora (jbig2dec, libextractor, sphinx, and thunderbird), Mageia (expat, kconfig, mediawiki, nodejs, openldap, poppler, thunderbird, webkit2, and wireguard), openSUSE (buildah, ghostscript, go1.12, libmirage, python-urllib3, rdesktop, and skopeo), SUSE (python-Django), and Ubuntu (exim4, ibus, and Wireshark).
---------------------------------------------
https://lwn.net/Articles/799324/
∗∗∗ [remote] Inteno IOPSYS Gateway - Improper Access Restrictions ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47390
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-09-2019 18:00 − Freitag 13-09-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Rig Exploit Kit Delivering VBScript, (Thu, Sep 12th) ∗∗∗
---------------------------------------------
I detected the following suspicious traffic on a corporate network. It was based on multiples infection stages and looked interesting enough to publish a diary about it. This is also a good reminder that, just by surfing the web, you can spot malicious scripts that will try to infect your computer (Exploit Kits).
---------------------------------------------
https://isc.sans.edu/diary/rss/25318
∗∗∗ Hacking LED Wristbands: A ‘Lightning’ Recap of RF Security Basics ∗∗∗
---------------------------------------------
We’re always eager for new research and learning opportunities, but this time, serendipitously, the opportunity found us. At the closing party of the Hack In The Box Amsterdam conference — where we presented our industrial radio research and ran a CTS contest — we were given LED wristbands to wear. They’re flashing wristbands meant to enhance the experience of an event, party, or show. At the beginning, we were not interested in the security impact; we just wanted to [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/MzmWyorokxA/
∗∗∗ InnfiRAT: A new RAT aiming for your cryptocurrency and more ∗∗∗
---------------------------------------------
Recently, the Zscaler ThreatLabZ team came across a new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine. This blog provides an analysis of this new RAT, including the way it communicates, all the tasks it performs, and the information it steals.
---------------------------------------------
https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptoc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, dnsmasq, and golang-go.crypto), Mageia (docker, firefox, flash-player-plugin, ghostscript, links, squid, sympa, tcpflow, thunderbird, and znc), openSUSE (srt), Oracle (.NET Core, kernel, libwmf, and poppler), Scientific Linux (firefox), SUSE (cri-o, curl, java-1_8_0-ibm, python-SQLAlchemy, and python-urllib3), and Ubuntu (curl and expat).
---------------------------------------------
https://lwn.net/Articles/799127/
∗∗∗ Philips IntelliVue WLAN ∗∗∗
---------------------------------------------
This medical advisory contains mitigations for use of hard-coded password, and download of code without integrity check vulnerabilities in Philips IntelliVue WLAN firmware.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsma-19-255-01
∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Web Server ∗∗∗
---------------------------------------------
This advisory contains mitigations for path traversal and stack-based buffer overflow vulnerabilities in 3S-Smart Software Solutions CODESYS V3 runtime systems.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-255-01
∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Library Manager ∗∗∗
---------------------------------------------
This advisory contains mitigations for a cross-site scripting vulnerability in 3S-Smart Software Solutions CODESYS V3 library manager software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-255-02
∗∗∗ 3S-Smart Software Solutions GmbH CODESYS Control V3 Online User Management ∗∗∗
---------------------------------------------
This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in 3S-Smart Software Solutions CODESYS Control V3 online user management software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-255-03
∗∗∗ 3S-Smart Software Solutions GmbH CODESYS Control V3 OPC UA Server ∗∗∗
---------------------------------------------
This advisory contains mitigations for a NULL pointer dereference vulnerability in 3S-Smart Software Solutions CODESYS Control V3 OPC UA Server.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-255-04
∗∗∗ 3S-Smart Software Solutions GmbH CODESYS V3 Products Containing a CODESYS Communication Server ∗∗∗
---------------------------------------------
This advisory contains mitigations for an improper input validation vulnerability in 3S-Smart Software Solutions CODESYS V3 runtime systems.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-255-05
∗∗∗ Multiple buffer overflow vulnerabilities in multiple Ricoh printers and Multifunction Printers (MFPs) ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN11708203/
∗∗∗ libssh2 vulnerability CVE-2019-13115 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13322484
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 11-09-2019 18:00 − Donnerstag 12-09-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ 1B Mobile Users Vulnerable to Ongoing 'SimJacker' Surveillance Attack ∗∗∗
---------------------------------------------
More than one billion mobile users are at risk from a SIM card flaw being currently exploited by threat actors, researchers warn.
---------------------------------------------
https://threatpost.com/1b-mobile-users-vulnerable-to-ongoing-simjacker-surv…
∗∗∗ Attacking the VM Worker Process ∗∗∗
---------------------------------------------
In the past year we invested a lot of time making Hyper-V research more accessible to everyone. Our first blog post, “First Steps in Hyper-V Research”, describes the tools and setup for debugging the hypervisor and examines the interesting attack surfaces of the virtualization stack components.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2019/09/11/attacking-the-vm-worker-proc…
∗∗∗ From BinDiff to Zero-Day: A Proof of Concept Exploiting CVE-2019-1208 in Internet Explorer ∗∗∗
---------------------------------------------
Last June, I disclosed a use-after-free (UAF) vulnerability in Internet Explorer (IE) to Microsoft. It was rated as critical, designated as CVE-2019-1208, and then addressed in Microsoft’s September Patch Tuesday. I discovered this flaw through BinDiff (a binary code analysis tool) and wrote a proof of concept (PoC) showing how it can be fully and consistently exploited in Windows 10 RS5.A more in-depth analysis of this vulnerability is in this technical brief.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/NkmJvxTNnHM/
∗∗∗ Phishing & Co: Betrüger nutzen Start der PSD2-Richtlinie aus ∗∗∗
---------------------------------------------
Die neue Zahlungsdienste-Richtlinie der EU steht vor der Umsetzung. Das sorgt für Verwirrung, die Betrüger schamlos ausnutzen.
---------------------------------------------
https://heise.de/-4522179
∗∗∗ Five years later, Heartbleed vulnerability still unpatched ∗∗∗
---------------------------------------------
The Heartbleed vulnerability was discovered and fixed in 2014, yet today—five years later—there are still unpatched systems.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2019/09/everything-you-need…
∗∗∗ Sind meine persönlichen Daten im Internet bekannt? ∗∗∗
---------------------------------------------
Wenn es Kriminellen gelingt, in Datenbanken von Unternehmen zu gelangen, können sie KundInnendaten stehlen. Mit den erbeuteten Informationen ist es ihnen möglich, dass sie Verbrechen unter fremden Namen begehen. KonsumentInnen sollten deshalb regelmäßig überprüfen, ob sie von einem Datendiebstahl betroffen sind, um geeignete Gegenmaßnahmen ergreifen zu können.
---------------------------------------------
https://www.watchlist-internet.at/news/sind-meine-persoenlichen-daten-im-in…
∗∗∗ Warnung vor Ron Inkasso-Mahnungen ∗∗∗
---------------------------------------------
KonsumentInnen erhalten eine Mahnung, die angeblich von der Ron Adams Ltd stammt. Darin heißt es, dass sie sich auf grindplay.com registriert haben. Sie sollen dem Anbieter für ein Premium–Jahresabo 395,88 Euro zuzüglich Mahnspesen und Verzugszinsen gesamt 516,24 Euro bezahlen. KonsumentInnen müssen den Betrag nicht an ron-inkasso.eu bezahlen, denn das Schreiben ist betrügerisch.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-ron-inkasso-mahnungen/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (exim, firefox, and webkit2gtk), Debian (libonig and opensc), Fedora (cobbler), Oracle (firefox and kernel), Red Hat (flash-plugin, kernel, kernel-rt, rh-maven35-jackson-databind, rh-nginx110-nginx, and rh-nginx112-nginx), Scientific Linux (kernel), Slackware (curl, mozilla, and openssl), SUSE (ceph, libvirt, and python-Werkzeug), and Ubuntu (vlc and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/799052/
∗∗∗ Cisco Enterprise Network Functions Virtualization Infrastructure Software File Enumeration Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ IBM Security Bulletin: Linux Kernel vulnerabilities affect IBM Spectrum Protect Plus CVE-2019-10140, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-13233, CVE-2019-13272, CVE-2019-14283, CVE-2019-14284, CVE-2019-15090, CVE-2019-15807, ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-vulnerab…
∗∗∗ IBM Security Bulletin: SQL Injection Vulnerability Affects IBM Sterling File Gateway (CVE-2019-4147) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-sql-injection-vulnera…
∗∗∗ Stored and reflected XSS vulnerabilities in LimeSurvey (CVE-2019-16172, CVE-2019-16173) ∗∗∗
---------------------------------------------
https://sec-consult.com/en/blog/advisories/stored-and-reflected-xss-vulnera…
∗∗∗ Wireshark: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0813
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily