=====================
= End-of-Day report =
=====================
Timeframe: Montag 08-04-2019 18:00 − Dienstag 09-04-2019 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ ShadowHammer-Angriffe zielten auch auf die Gaming-Industrie ∗∗∗
---------------------------------------------
Die Shadowhammer-Attacken 2018 trafen neben ASUS mindestens drei asiatische Spielehersteller. Und damit auch die Rechner von mindestens 96.000 Gamern.
---------------------------------------------
http://heise.de/-4367681
∗∗∗ Duqu Remained Active After Operations Were Exposed in 2011 ∗∗∗
---------------------------------------------
The discovery of Duqu 1.5 shows that the threat actor behind the malware did not go dark — as previously believed — after their operations were exposed by security researchers in 2011. read more
---------------------------------------------
https://www.securityweek.com/duqu-remained-active-after-operations-were-exp…
∗∗∗ Probleme bei Buchungen über galahotels.com ∗∗∗
---------------------------------------------
Vorsicht bei Hotelbuchungen über galahotels.com. Uns liegen zahlreiche Berichte zu ausbleibenden Rückzahlungen nach Stornierung und anderen Problemen vor. In den schlimmsten Fällen stehen Betroffene ohne Unterkunft am Zielort da. Da das Unternehmen den Sitz in der Türkei hat, ist eine Rechtsdurchsetzung oft schwierig und der einzige Weg zum eigenen Geld führt häufig über den Kreditkartenanbieter.
---------------------------------------------
https://www.watchlist-internet.at/news/probleme-bei-buchungen-ueber-galahot…
∗∗∗ Betrügerische Billa- und Amazon-Umfragen locken in Abo-Falle! ∗∗∗
---------------------------------------------
Vorsicht vor gefälschten E-Mails im Namen von Amazon und Billa, die für die Teilnahme an einer Umfrage Belohnungen versprechen. Konsument/innen, die den Buttons in den Mails folgen, landen auf gefälschten Websites der Unternehmen. Wer die eigenen Daten bekanntgibt, rutscht in eine Abo-Falle und erhält die versprochenen iPhone XS, Samsung Galaxy S10+ oder Gutscheine nie!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-billa-und-amazon-umfr…
∗∗∗ Aktuelle Malspam Kampagne ∗∗∗
---------------------------------------------
CERT.at möchte auf eine aktuelle Malspam-Kampagne hinweisen zu der wir aus ganz Österreich Anfragen erhalten haben. Beschreibung Der Betreff der E-Mails enhält einen Hinweis darauf, dass es sich um eine Rechnung oder einen Scan handelt. Der From-Header ist gefälscht und enthält als angezeigten Namen den lokalen Part der Domäne an die die E-Mail geht. Der Linktext scheint auf ein internes .doc-Dokument zu verweisen, de facto [...]
---------------------------------------------
http://www.cert.at/services/blog/20190409151309-2416.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Acrobat and Reader (APSB19-17), Adobe Flash Player (APSB19-19), Adobe Shockwave player (APSB19-20), Adobe Dreamweaver (APSB19-21), Adobe XD (APSB19-22), Adobe InDesign (APSB19-23) ,Adobe Experience Manager Forms (APSB19-24) and Adobe Bridge CC (APSB19-25).
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1735
∗∗∗ DLL injection in Go < 1.12.2 [CVE-2019-9634] ∗∗∗
---------------------------------------------
Golang before 1.12.2 linked against various DLLs that were same-directory injectable and generally its library loading mechanism did not use LoadLibraryEx, allowing the classic DLL injection attacks, especially with regards to executables saved to the Downloads/ folder
---------------------------------------------
https://www.openwall.com/lists/oss-security/2019/04/09/1
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (poppler, proftpd-dfsg, suricata, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and wget), Gentoo (clamav, emerge-delta-webrsync, and mailman), openSUSE (bash), Red Hat (kernel and openssh), Scientific Linux (python), SUSE (gnuplot, libtcnative-1-0, and sqlite3), and Ubuntu (clamav, lua5.3, openjdk-7, samba, systemd, and wget).
---------------------------------------------
https://lwn.net/Articles/785367/
∗∗∗ Synology-SA-19:15 Samba ∗∗∗
---------------------------------------------
CVE-2019-3880 allows remote authenticated users to create arbitrary files or obtain sensitive information via a susceptible version of DiskStation Manager (DSM) and Synology Router Manager (SRM).None of Synology products are affected by CVE-2019-3870 as the vulnerability only affect Samba 4.9.0 and later.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_15
∗∗∗ [20190403] - Core - Object.prototype pollution in JQuery $.extend ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/779-20190403-core-object-proto…
∗∗∗ [20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/778-20190402-core-helpsites-re…
∗∗∗ [20190401] - Core - Directory Traversal in com_media ∗∗∗
---------------------------------------------
https://developer.joomla.org/security-centre/777-20190401-core-directory-tr…
∗∗∗ IBM Security Bulletin: BigFix Platform 9.5.x affected by multiple vulnerabilities (CVE-2019-4013, CVE-2018-5407, CVE-2012-5883, CVE-2012-6708, CVE-2015-9251) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-bigfix-platform-9-5-x…
∗∗∗ SSA-141614 (Last Update: 2019-04-09): Denial-of-Service in SIMOCODE pro V EIP ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-141614.txt
∗∗∗ SSA-307392 (Last Update: 2019-04-09): Denial-of-Service in OPC UA in Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-307392.txt
∗∗∗ SSA-324467 (Last Update: 2019-04-09): OS Command Injection in Spectrum Power 4.7 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-324467.txt
∗∗∗ SSA-436177 (Last Update: 2019-04-09): Multiple Vulnerabilities in SINEMA Remote Connect ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-436177.txt
∗∗∗ SSA-451142 (Last Update: 2019-04-09): Multiple Vulnerabilities in RUGGEDCOM ROX II ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-451142.txt
∗∗∗ SSA-480230 (Last Update: 2019-04-09): Denial-of-Service in Webserver of Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-480230.txt
∗∗∗ GnuTLS vulnerability CVE-2015-0294 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54022413
∗∗∗ GnuTLS vulnerability CVE-2014-8155 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K53330207
∗∗∗ SAP Basic Components (BC): Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0279
∗∗∗ Symantec Endpoint Encryption: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0281
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 05-04-2019 18:00 − Montag 08-04-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ThinkPHP 5.x - Remote Code Execution Actively Exploited In The Wild ∗∗∗
---------------------------------------------
Earlier this year, we noticed an increase in attacks aiming at ThinkPHP. ThinkPHP is a PHP framework that is very popular in Asia. If you keep track of your site’s activity, the following log may look familiar: ]]>
---------------------------------------------
http://labs.sucuri.net/?note=2019-04-08
=====================
= Vulnerabilities =
=====================
∗∗∗ SQL Injection in Duplicate-Page WordPress Plugin ∗∗∗
---------------------------------------------
While investigating the Duplicate Page plugin we have discovered a dangerous SQL Injection vulnerability. It was not being abused externally and impacts over 800,000 sites. It’s urgency is defined by the associated DREAD score that looks at damage, reproducibility, exploitability, affected users, and discoverability. A key contributor to the criticality of this vulnerability is that it’s exploitable by any users with an account on the vulnerable site (regardless of the privileges
---------------------------------------------
https://blog.sucuri.net/2019/04/sql-injection-in-duplicate-page-wordpress-p…
∗∗∗ Jetzt patchen: Sicherheitssoftware von Trend Micro birgt kritische Schwachstelle ∗∗∗
---------------------------------------------
Updates für Apex One, OfficeScan und Worry-Free Business Security schützen unter anderem vor Remote-Angriffen. Nutzer sollten die Software zügig aktualisieren.
---------------------------------------------
http://heise.de/-4365964
∗∗∗ Via Dovecot zu Root-Rechten ∗∗∗
---------------------------------------------
Die Entwickler des Linux-Mailservers Dovecot haben einen Fehler gefunden und beseitigt, über den sich ein Angreifer Root-Rechte verschaffen könnte.
---------------------------------------------
http://heise.de/-4366806
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (roundup, samba, tryton-server, and wget), Fedora (evolution-data-server, evolution-ews, glpi, ntp, poppler, pspp, and wget), Mageia (advancecomp, cfitsio, firefox, ghostscript, gnutls, libjpeg, libpng, ocaml, python-yaml, ruby-ox, SDL12, and thunderbird), openSUSE (adcli, sssd, go1.11, liblouis, nodejs6, openssl, ovmf, sqlite3, sysstat, thunderbird, tiff, and znc), Red Hat (chromium-browser and python), Slackware (httpd, openjpeg, and wget), SUSE
---------------------------------------------
https://lwn.net/Articles/785238/
∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗
---------------------------------------------
CB-K19/0277: Samba: Mehrere Schwachstellen ermöglichen Manipulation von Dateien
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0277
∗∗∗ IBM Security Bulletin: IBM InfoSphere Metadata Asset Manager is affected by an SQL Injection vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-metada…
∗∗∗ IBM Security Bulletin: IBM Sterling Connect:Direct for UNIX Allows a User with Sudo Access Restricted to Certain Connect:Direct Executable Files to Expand Access Beyond the Restriction (CVE-2018-1903) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sterling-connectd…
∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-1871) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction…
∗∗∗ IBM Security Bulletin: A reflected cross-site scripting (XSS) vulnerability affects IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-reflected-cross-sit…
∗∗∗ HPESBHF03916 rev.1 - HPE Virtual Connect SE 16Gb Fibre Channel Module for Synergy, Local or Remote Unauthorized Elevation of Privilege ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 04-04-2019 18:00 − Freitag 05-04-2019 18:00
Handler: Dimitri Robl
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ This Preinstalled Mobile Security App Delivered Vulnerabilities, Not Protection ∗∗∗
---------------------------------------------
No. 4 global phone maker, Xiaomi, preinstalled a security app called ‘Guard Provider’ that had a major flaw.
---------------------------------------------
https://threatpost.com/this-preinstalled-mobile-security-app-delivered-vuln…
∗∗∗ Spammed PNG file hides LokiBot ∗∗∗
---------------------------------------------
Recently we came across a spam message from our traps that looked truly odd when viewed from our Secure Email Gateway console.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png…
∗∗∗ The evolution of phishing kits ∗∗∗
---------------------------------------------
Gone are the days when a phishing page was a single page designed to capture user credentials. Phishing kits have become sophisticated and advanced to evade detection and look more legitimate to the user. In this blog, ..
---------------------------------------------
https://www.zscaler.com/blogs/research/evolution-phishing-kits
∗∗∗ Hiding in Plain Sight ∗∗∗
---------------------------------------------
Cisco Talos is continually working to ensure that our threat intelligence not only accounts for the latest threats but also new versions of old threats, such as spam. This often means pursuing cybercriminals wherever they congregate. However, instead of wheeling-and-dealing using hidden servers on ..
---------------------------------------------
https://blog.talosintelligence.com/2019/04/hiding-in-plain-sight.html
∗∗∗ Ongoing DNS hijacking campaign targeting consumer routers ∗∗∗
---------------------------------------------
Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect ..
---------------------------------------------
https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-ro…
=====================
= Vulnerabilities =
=====================
∗∗∗ Omron CX-Programmer ∗∗∗
---------------------------------------------
This advisory includes mitigations for a use after free vulnerability reported in Omrons CX-Programmer PLC software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01
∗∗∗ Rockwell Automation Stratix 5400/5410 and ArmorStratix 5700 ∗∗∗
---------------------------------------------
This advisory includes mitigations for an uncontrolled resource consumption vulnerability reported in Rockwell Automations Stratix and ArmorStratix Ethernet switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-094-02
∗∗∗ Rockwell Automation Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700 ∗∗∗
---------------------------------------------
This advisory includes mitigations for resource management errors and improper input validation vulnerabilities reported in Rockwell Automations Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700 switches.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-094-03
∗∗∗ Rockwell Automation Stratix 5950 ∗∗∗
---------------------------------------------
This advisory includes mitigations for an improper input validation vulnerability reported in Rockwell Automations Stratix 5950 security appliance products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-094-04
∗∗∗ ZDI-19-341: (0Day) Hewlett Packard Enterprise Intelligent Management Center navigationTo Expression Language Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-341/
∗∗∗ ZDI-19-339: (0Day) Hewlett Packard Enterprise Intelligent Management Center faultStatChooseFaultType Expression Language Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-339/
∗∗∗ ZDI-19-335: (0Day) Hewlett Packard Enterprise Intelligent Management Center perfSelectTask Expression Language Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-335/
∗∗∗ ZDI-19-334: (0Day) Hewlett Packard Enterprise Intelligent Management Center viewBatchTaskResultDetailFact Expression Language Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-334/
∗∗∗ HPESBHF03914 rev.1 - Certain HPE Servers with Intel Server Platform Services (SPS) Firmware, Multiple Local Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 03-04-2019 18:00 − Donnerstag 04-04-2019 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Betrügerische Phishing-Mails sollen Willhaben-Login stehlen ∗∗∗
---------------------------------------------
Kriminelle geben sich als die Kleinanzeigenplattform Willhaben aus und versenden wahllos Phishing-Nachrichten. Willhaben-Nutzer/innen, die die Nachricht in ihrem Posteingang finden, werden über die erfolgreiche Veröffentlichung einer Anzeige für ein Apple Iphone Xs Max informiert. Betroffene dürfen den gefälschten Links in der Nachricht nicht folgen und keine Login-Daten eingeben, ansonsten verlieren sie ihr Willhaben-Konto an Kriminelle.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-phishing-mails-sollen…
=====================
= Vulnerabilities =
=====================
∗∗∗ FortiGuard/FortiOS: Unprivileged, authenticated user can change the routing settings ∗∗∗
---------------------------------------------
An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing settings of the device via connecting to the ZebOS component.
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-18-230
∗∗∗ HPESBHF03912 rev.1 - Certain HPE Servers with a UEFI-based BIOS, Multiple Local Vulnerabilities ∗∗∗
---------------------------------------------
Security vulnerabilities in UEFI Open Source (EDK2)-based BIOS firmware may allow escalation of privilege, information disclosure or denial of service. Vendors are releasing firmware updates to mitigate these vulnerabilities.
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, golang, and putty), Gentoo (xen), and SUSE (clamav, SM3.1, and SMS3.1).
---------------------------------------------
https://lwn.net/Articles/784917/
∗∗∗ Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business RV320 and RV325 Routers Weak Credential Encryption Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business RV320 and RV325 Routers Online Help Reflected Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is by Cross Site Scripting(XSS) in Drupal core (CVE-2019-6341) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel…
∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is affected by multiple PHP vulnerabilities (CVE-2019-9641 CVE-2019-9637 CVE-2019-9639 CVE-2019-9638) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel…
∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is affected by a cross site scripting vulnerability in Drupal ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel…
∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by vulnerability in the Kubernetes API server (CVE-2019-1002100) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-…
∗∗∗ IBM Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow (CVE-2019-4045) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-spoofing-vulnerabilit…
∗∗∗ IBM Security Bulletin: Cross-site request forgery vulnerability in IBM Business Automation Workflow (CVE-2018-2000) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-request-fo…
∗∗∗ IBM Security Bulletin: Information leakage in IBM Business Automation Workflow (CVE-2018-1999) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-leakage-i…
∗∗∗ IBM Security Bulletin: Denial of service vulnerability in IBM Business Automation Workflow (CVE-2018-1997) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-denial-of-service-vul…
∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by sensitive information disclosure (CVE-2019-4051) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-…
∗∗∗ IBM Security Bulletin: External Service invocation in IBM Business Space affects IBM Business Automation Workflow and IBM Business Process Manager family products (CVE-2018-1885) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-external-service-invo…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-04-2019 18:00 − Mittwoch 03-04-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Malware Campaigns Sharing Network Resources: r00ts.ninja ∗∗∗
---------------------------------------------
We recently noticed an interesting example of network infrastructure resources being used over a period of time by more than one large scale malware campaign (e.g redirected traffic, cryptomining). This was discovered when reviewing sources of the various malicious domains used in a recent WordPress plugin exploit wave.
---------------------------------------------
https://blog.sucuri.net/2019/04/malware-campaigns-sharing-network-resources…
∗∗∗ Hijacked Email Reply Chains ∗∗∗
---------------------------------------------
Although phishing has been around in various forms since the 1980s, our research shows it continues to evolve—and remains a major threat. These days, phishing tactics have gotten so sophisticated, it can be difficult to spot a scam—particularly in the case of hijacked email reply chains. Let's look at a concrete example.
---------------------------------------------
https://www.webroot.com/blog/2019/04/03/hijacked-email-reply-chains/
∗∗∗ Xwo - A Python-based bot scanner ∗∗∗
---------------------------------------------
Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it "Xwo" - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.
---------------------------------------------
https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scann…
∗∗∗ Vorsicht vor kostenpflichtigen Ping-Anrufen mit der Vorwahl +676! ∗∗∗
---------------------------------------------
Konsument/innen erhalten momentan gehäuft Ping-Anrufe von Nummern mit der Vorwahl +676 oder 00676. Wer verpasste Anrufe derartiger Nummern auf dem Mobiltelefon findet, darf nicht zurückrufen! Es handelt sich um die Ländervorwahl des Inselstaats Tonga und ein Rückruf kann hohe Kosten verursachen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-kostenpflichtigen-ping-…
∗∗∗ T-POT integration to SISSDEN ∗∗∗
---------------------------------------------
The primary data collection mechanism at the heart of the SISSDEN project is a sensor network of honeypots. The sensor network is composed of VPS provider hosted nodes and nodes donated to the project by third-parties acting as endpoints. These VPS nodes/endpoints are not the actual honeypots [...]
---------------------------------------------
https://sissden.eu/blog/tpot-integration
∗∗∗ Bashlite IoT malware upgrade lets it target WeMo home automation devices ∗∗∗
---------------------------------------------
New Bashlite version not widely detected, but was spotted infecting devices in the wild.
---------------------------------------------
https://www.zdnet.com/article/bashlite-iot-malware-upgrade-lets-it-target-w…
=====================
= Vulnerabilities =
=====================
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
This advisory includes mitigations for command injection, stack-based buffer overflow, and improper access control vulnerabilities reported in Advantechs WebAccess SCADA software platform.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2), Fedora (edk2 and tomcat), openSUSE (ansible, ghostscript, lftp, libgxps, libjpeg-turbo, libqt5-qtimageformats, libqt5-qtsvg, libssh2_org, openssl-1_0_0, openwsman, pdns, perl-Email-Address, putty, python-azure-agent, python-cryptography, python-pyOpenSSL, python-Flask, thunderbird, tor, unzip, and wireshark), Scientific Linux (freerdp), Slackware (wget), SUSE (bluez, file, firefox, libsndfile, netpbm, thunderbird, and xen), and Ubuntu [...]
---------------------------------------------
https://lwn.net/Articles/784806/
∗∗∗ FortiSandbox reflected XSS in the file scan component ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-18-024
∗∗∗ IBM Security Bulletin: Vulnerabilities affect NVIDIA GPU Display Drivers for Linux and Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-affec…
∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – CVE-2019-4143 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2018-3139, CVE-2018-3180, CVE-2018-12457, CVE-2019-2426) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect for Virtual Environments (CVE-2018-3139, CVE-2018-3180) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib…
∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Backup-Archive Client on Windows and Macintosh (CVE-2018-3139, CVE-2018-3180) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib…
∗∗∗ IBM Security Bulletin: Potential Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2018-1901) affects IBM Security AppScan Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-privilege-e…
∗∗∗ IBM Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect for Space Management (CVE-2018-1882) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-v…
∗∗∗ IBM Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2018-1882) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-v…
∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server OpenID Connect affects IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 01-04-2019 18:00 − Dienstag 02-04-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ MXSS: Cross-Site-Scripting in der Google-Suche ∗∗∗
---------------------------------------------
Aufgrund subtiler Unterschiede beim Parsen von HTML-Code gelang es einem Sicherheitsforscher, gängige Filtermechanismen zu umgehen. Betroffen waren zwei Javascript-Bibliotheken und die Google-Suche.
---------------------------------------------
https://www.golem.de/news/mxss-cross-site-scripting-in-der-google-suche-190…
∗∗∗ Splitting atoms in XNU ∗∗∗
---------------------------------------------
TL;DR A locking bug in the XNU virtual memory subsystem allowed violation of the preconditions required for the correctness of an optimized virtual memory operation. This was abused to create shared memory where it wasnt expected, allowing the creation of a time-of-check-time-of-use bug where one wouldnt usually exist. This was exploited to cause a heap overflow in XPC, which was used to trigger the execution of a jump-oriented payload which chained [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2019/04/splitting-atoms-in-xnu.html
∗∗∗ Information on open source vulnerabilities is as distributed as the community ∗∗∗
---------------------------------------------
[...] a sizable number of the open source vulnerabilities that we see out there are actually being posted and discussed on a wide range of different security advisories and issue trackers. This means that even for relatively popular projects, these red flags may fly beneath the radar.
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/information-on-open-so…
∗∗∗ Studie: Angreifer lieben PowerShell ∗∗∗
---------------------------------------------
Microsofts Skript-Sprache ist die am meisten genutzte Angriffstechnik, warnt die Sicherheitsfirma Red Canary. Bei vielen Firmen besteht da noch Nachholbedarf.
---------------------------------------------
http://heise.de/-4357396
∗∗∗ Malware Actors Using New File Hosting Service to Launch Attacks ∗∗∗
---------------------------------------------
Bad actors are leveraging a new file hosting service in order to launch attack campaigns involving FormBook and other malware. Near the end of March, researchers at Deep Instinct observed a new FormBook attack. The infection chain for this campaign began with a phishing email that contains a malicious attachment.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/cyber-s…
∗∗∗ Gefälschte card complete Nachricht zu Kreditkartensperre ∗∗∗
---------------------------------------------
Kriminelle versenden eine erfundene Nachricht im card complete Design. Darin informieren Sie die Empfänger/innen über eine angebliche Sperre des Kreditkartenkontos, die durch Aktualisierung der Daten über einen Link in der E-Mail aufgehoben werden kann. Die Anweisungen dürfen nicht befolgt werden! Andernfalls wird Schadsoftware auf dem Smartphone installiert und die Kreditkartendaten landen bei Verbrecher/innen.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-card-complete-nachricht-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitslücke: Nutzer des Apache-Webservers können Root-Rechte erlangen ∗∗∗
---------------------------------------------
Eine Sicherheitslücke im Apache-Webserver erlaubt es Nutzern, mit Hilfe von CGI- oder PHP-Skripten Root-Rechte zu erlangen. Ein Update steht bereit.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-nutzer-des-apache-webservers-ko…
∗∗∗ Security Patch: Google beseitigt im April Qualcomm-Sicherheitslücken ∗∗∗
---------------------------------------------
In einer Vorankündigung verweist Google auf ein neues Security Patch Level. Das April-Update schließt viele Lücken und sollte für einige, aber nicht alle aktuellen Android-Geräte erscheinen. Es gibt auch viele Sicherheitslücken, die Qualcomm-basierte Smartphones betreffen.
---------------------------------------------
https://www.golem.de/news/security-patch-google-beseitigt-im-april-qualcomm…
∗∗∗ Zero-Day-Lücken in Edge und Internet Explorer – Patches stehen noch aus ∗∗∗
---------------------------------------------
Ein Forscher hat Angriffspunkte für Universal-Cross-Site-Scripting-Attacken in Microsofts Browsern gefunden. Der Konzern scheint desinteressiert.
---------------------------------------------
http://heise.de/-4357840
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, libssh2, and thunderbird), Debian (firmware-nonfree, kernel, and libssh2), Fedora (drupal7, flatpak, and mod_auth_mellon), Gentoo (burp, cairo, glusterfs, libical, poppler, subversion, thunderbird, and unbound), openSUSE (yast2-rmt), Red Hat (freerdp), and SUSE (bash, ed, libarchive, ntp, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/784665/
∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul…
∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow which could allow a local malicious user to execute arbitrary code (CVE-2019-4014). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-is-vulnerable…
∗∗∗ IBM Security Bulletin: API Connect is impacted by multiple nodeJS vulnerabilities (CVE-2018-12122 CVE-2018-12121 CVE-2018-12123 CVE-2018-12116) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-is-impact…
∗∗∗ IBM Security Bulletin: IBM API Connect is impacted by multiple open source software vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-im…
∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow which could allow a local malicious user to execute arbitrary code (CVE-2018-1936). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-is-vulnerable…
∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2018-0735, CVE-2018-0734, CVE-2018-5407) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-master…
∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot for VMware (CVE-2018-3139, CVE-2018-3180) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib…
∗∗∗ IBM Security Bulletin: Vulnerabilities in Rational DOORS Next Generation with potential for cross-site scripting attack ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ra…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 29-03-2019 18:00 − Montag 01-04-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Mira Ransomware Decryptor ∗∗∗
---------------------------------------------
We investigated some recent Ransomware called Mira (Trojan:W32/Ransomware.AN) in order to check if it's feasible to decrypt the encrypted files. Most often, decryption can be very challenging because of missing keys that are needed for decryption. However, in the case of Mira ransomware, it appends all information required to decrypt an encrypted file into the [...]
---------------------------------------------
https://labsblog.f-secure.com/2019/04/01/mira-ransomware-decryptor/
∗∗∗ Zero-Day-Lücke in Smart-Home-Router SR20 von TP-Link ∗∗∗
---------------------------------------------
Unter gewissen Umständen könnte ein Angreifer Schadcode mit Root-Rechten auf dem TP-Link-Router SR20 ausführen.
---------------------------------------------
http://heise.de/-4356942
∗∗∗ Sicherheitsupdates: Nagios XI für vielfältige Angriffe anfällig ∗∗∗
---------------------------------------------
Die Serverüberwachungssoftware Nagios IX ist über mehrere Sicherheitslücken attackierbar. Abgesicherte Ausgaben sind verfügbar.
---------------------------------------------
http://heise.de/-4357207
∗∗∗ Peculiar PHP Present In Popular Pipdig Power Pack (P3) Plugin ∗∗∗
---------------------------------------------
This week, our team was notified of suspicious code present in a plugin offered alongside themes sold by Pipdig, a UK-based web development team. The user, who wishes to remain anonymous, reached out to us with concerns that the plugin's developer can grant themselves administrative access to sites using the plugin, or even delete affected [...]
---------------------------------------------
https://www.wordfence.com/blog/2019/03/peculiar-php-present-in-popular-pipd…
∗∗∗ Hilfreiche Infos zu Finanzbetrug der Finanzmarktaufsicht ∗∗∗
---------------------------------------------
Bei Investments, die hohe Gewinne versprechen, ist Vorsicht geboten. Insbesondere im Bereich Bitcoins und Kryptowährungen kursieren zahlreiche betrügerische Angebote im Netz, bei denen Inverstor/innen ihr eingesetztes Geld verlieren. Die Finanzmarktaufsicht Österreich stellt mit ihrem Finanz ABC nun Hilfreiches rund um Finanzen, Geldanlagen sowie dem Erkennen von Finanzbetrug zur Verfügung.
---------------------------------------------
https://www.watchlist-internet.at/news/hilfreiche-infos-zu-finanzbetrug-der…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2019-9193: Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest ∗∗∗
---------------------------------------------
PostgreSQL, commonly known as Postgres is one of the largest and most popular database systems in the world. It is the primary database of Mac OSX but also has Linux and Windows versions available.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-91…
∗∗∗ Pydio 8 Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities were found in Pydio 8 (latest version 8.2.2), which allows an attacker with regular user access to the application and by tricking an administrator account to open a shared URL bookmark through the application, to obtain the victims session identifiers in order to impersonate him/her and to perform actions such as create a new user administrator account.
---------------------------------------------
https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, drupal7, gpsd, libav, libdatetime-timezone-perl, php5, rails, thunderbird, twig, tzdata, and wordpress), Fedora (edk2, flatpak, fuse, ghostscript, gnutls, golang-googlecode-go-crypto, grub2, mxml, poppler, and systemd), Mageia (file, kernel, live, mplayer, vlc, openjpeg2, pdns, and poppler), openSUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, runc, kernel, ovmf, and ucode-intel), SUSE (adcli, sssd, GraphicsMagick, [...]
---------------------------------------------
https://lwn.net/Articles/784563/
∗∗∗ Vuln: Redhat Atomic OpenShift CVE-2019-3884 Spoofing Vulnerability ∗∗∗
---------------------------------------------
http://www.securityfocus.com/bid/107649
∗∗∗ Apple Mac OS: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0243%20UPDATE%201
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-1559 in OpenSSL affects IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201…
∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by Go vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-…
∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Watson Compare and Comply on IBM Cloud Private ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-…
∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is affected by an Information Disclosure vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-inform…
∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is affected by an Improper Authentication vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-inform…
∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Snapshot for VMware (CVE-2014-7810, CVE-2018-8039) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib…
∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities have been fixed in IBM Security Privileged Identity Manager Appliance. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul…
∗∗∗ IBM Security Bulletin: XML External Entity Injection Security Vulnerability Affects IBM Sterling B2B Integrator (CVE-2019-4043) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-xml-external-entity-i…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 28-03-2019 18:00 − Freitag 29-03-2019 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Schwere Sicherheitslücke in SSL/TLS-Bibliothek axTLS ∗∗∗
---------------------------------------------
Webserver, die die Transportverschlüsselung über axTLS realisieren, sind für Angriffe empfänglich.
---------------------------------------------
http://heise.de/-4355704
∗∗∗ World Backup Day: Is your data in safe hands? ∗∗∗
---------------------------------------------
World Backup Day is a reminder that organizations and individuals need to make data backup and protection a priority
---------------------------------------------
https://www.welivesecurity.com/2019/03/29/world-backup-day-data-safe-hands/
∗∗∗ TLS CBC Padding Oracles in 2019 ∗∗∗
---------------------------------------------
Since August, I've spent countless hours studying CBC padding oracle attacks toward the development of a new scan tool called padcheck. Using this tool, I was able to identify thousands of popular domains which could be targeted by an active network adversary (i.e. MiTM) to hijack authenticated HTTPS sessions. The underlying vulnerabilities break down into [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/vert/tls-cbc-padding-oracles/
∗∗∗ Researchers discover and abuse new undocumented feature in Intel chipsets ∗∗∗
---------------------------------------------
Researchers find new Intel VISA (Visualization of Internal Signals Architecture) debugging technology.
---------------------------------------------
https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocument…
∗∗∗ Researchers publish list of MAC addresses targeted in ASUS hack ∗∗∗
---------------------------------------------
Most of the targeted MAC addresses are used by ASUStek, Intel, and AzureWave devices.
---------------------------------------------
https://www.zdnet.com/article/researchers-publish-list-of-mac-addresses-tar…
=====================
= Vulnerabilities =
=====================
∗∗∗ Rockwell Automation PowerFlex 525 AC Drives ∗∗∗
---------------------------------------------
This advisory includes mitigations for a resource exhaustion vulnerability reported in Rockwell Automations PowerFlex 525 AC drive.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-087-01
∗∗∗ Magento 2.3.1, 2.2.8 and 2.1.17 Security Update ∗∗∗
---------------------------------------------
Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.
---------------------------------------------
https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-securit…
∗∗∗ VMSA-2019-0004 ∗∗∗
---------------------------------------------
VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0004.html
∗∗∗ VMSA-2019-0005 ∗∗∗
---------------------------------------------
VMware ESXi, Workstation and Fusion updates address multiple security issues.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0005.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (dovecot and imagemagick), Debian (dovecot, libraw, pdns, and ruby2.1), Fedora (mingw-podofo, openwsman, podofo, qemu, and svgsalamander), openSUSE (chromium, ffmpeg-4, firefox, libssh2_org, nodejs4, and qemu), Red Hat (libssh2), Scientific Linux (libssh2 and thunderbird), SUSE (kernel, liblouis, ntp, openssl-1_1, and tiff), and Ubuntu (firefox, freeimage, libapache2-mod-auth-mellon, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/784370/
∗∗∗ Vuln: Apache HBase CVE-2019-0212 Authorization Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.securityfocus.com/bid/107624
∗∗∗ Vuln: Apache ActiveMQ CVE-2019-0222 Denial of Service Vulnerability ∗∗∗
---------------------------------------------
http://www.securityfocus.com/bid/107622
∗∗∗ GnuTLS: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0253
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by cURL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-…
∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by vulnerabilities in the shipped Node runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-…
∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-…
∗∗∗ IBM Security Bulletin: Rational Build Forge Security Advisory for Apache HTTP Server (CVE-2019-0190; CVE-2018-17189; CVE-2018-17199) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-rational-build-forge-…
∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by Alpine vulnerability CVE-2018-1000849 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-…
∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-…
∗∗∗ IBM Security Bulletin: Security vulnerabilities identified in OpenSSL affect Rational Build Forge (CVE-2018-0734, CVE-2018-5407 and CVE-2019-1559) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by OpenSSL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-…
∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by gettext vulnerability CVE-2018-18751 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 27-03-2019 18:00 − Donnerstag 28-03-2019 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Analysis of LockerGoga Ransomware ∗∗∗
---------------------------------------------
We recently observed a new ransomware variant (which our products detect as Trojan.TR/LockerGoga.qnfzd) circulating in the wild. In this post, we’ll provide some technical details of the new variant’s functionalities, as well as some Indicators of Compromise (IOCs). Overview Compared to other ransomware variants that use Window’s CRT library functions, this new variant relies heavily […]
---------------------------------------------
https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/
∗∗∗ [SANS ISC] Running your Own Passive DNS Service ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “Running your Own Passive DNS Service“: Passive DNS is not new but remains a very interesting component to have in your hunting arsenal. As defined by CIRCL, a passive DNS is “a database storing historical DNS records from various resources.
---------------------------------------------
https://blog.rootshell.be/2019/03/28/sans-isc-running-your-own-passive-dns-…
∗∗∗ Unseriöse Installateur- und Elektrodienste erkennen ∗∗∗
---------------------------------------------
Bei Problemen mit verstopften Abflüssen, kaputten Heizungen oder anfälligen Wartungen wenden Sie sich besser nicht an sanitaerhilfe.at oder installateur-top1.at. Es handelt sich um unseriöse Unternehmen, die sich weder an ihre Versprechungen halten noch Schäden beheben. Obendrein wird ein überteuerter Betrag kassiert.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-installateur-und-elektrod…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Botches Fix for RV320, RV325 Routers, Just Blocks curl User Agent ∗∗∗
---------------------------------------------
Ciscos RV320 and RV325 router models for small offices and small businesses remain vulnerable to two high-severity flaws two months after the vendor announced the availability of patches. The fixes failed their purpose and attackers can still chain the bugs to take control of the devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-botches-fix-for-rv320-…
∗∗∗ Multiple "0day" Verwundbarkeiten in HPE Intelligent Management Center ∗∗∗
---------------------------------------------
Die Zero Day Iniative (ZDI) hat heute über mehrere ungepatchte Verwundbarkeiten in HPE Intelligent Management Center berichtet.
Es wird empfohlen, Kommunikation mit HPE Intelligent Management Center entsprechend nur von vertrauenswürdigen Geräten aus zu ermöglichen.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-19-294/https://www.zerodayinitiative.com/advisories/ZDI-19-295/https://www.zerodayinitiative.com/advisories/ZDI-19-296/https://www.zerodayinitiative.com/advisories/ZDI-19-297/https://www.zerodayinitiative.com/advisories/ZDI-19-298/https://www.zerodayinitiative.com/advisories/ZDI-19-299/https://www.zerodayinitiative.com/advisories/ZDI-19-300/https://www.zerodayinitiative.com/advisories/ZDI-19-301/https://www.zerodayinitiative.com/advisories/ZDI-19-302/https://www.zerodayinitiative.com/advisories/ZDI-19-303/
∗∗∗ Apple watchOS 5.2 ∗∗∗
---------------------------------------------
This document describes the security content of watchOS 5.2.
---------------------------------------------
https://support.apple.com/kb/HT209602
∗∗∗ Sicherheitsupdates: Kritische Lücken in Onlineshop-Software Magento ∗∗∗
---------------------------------------------
Viele Magento-Versionen weisen Schlupflöcher für Schadcode auf und gefährden so Onlineshops. Abgesicherte Ausgaben schließen die Schwachstellen.
---------------------------------------------
http://heise.de/-4354925
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and wpa), Fedora (firefox and pdns), Gentoo (apache, cabextract, chromium, gd, nasm, sdl2-image, and zeromq), openSUSE (GraphicsMagick and lftp), Red Hat (thunderbird), Scientific Linux (firefox), Slackware (gnutls), and SUSE (ImageMagick).
---------------------------------------------
https://lwn.net/Articles/784251/
∗∗∗ ZDI-19-293: Advantech WebAccess Node tv_enua Improper Access Control Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-293/
∗∗∗ ZDI-19-292: Advantech WebAccess Node spchapi Improper Access Control Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-19-292/
∗∗∗ IBM Security Bulletin: Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench affected by Spring vulnerability (CVE-2018-15756) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-rational-test-control…
∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by glibc vulnerabilities (CVE-2018-19591) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi…
∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0734) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-8039) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib…
∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi…
∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0737) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 26-03-2019 18:00 − Mittwoch 27-03-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ UC Browser for Android, Desktop Exposes 500+ Million Users to MiTM Attacks ∗∗∗
---------------------------------------------
The extremely popular UC Browser and UC Browser Mini Android applications with a total of over 600 million installs expose their users to MiTM attacks by downloading and installing extra modules from their own servers using unprotected channels and bypassing Google Plays servers altogether.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/uc-browser-for-android-deskt…
∗∗∗ Abuse of hidden "well-known" directory in HTTPS sites ∗∗∗
---------------------------------------------
WordPress and Joomla are among the most popular Content Management Systems (CMSs). They have also become popular for malicious actors, as cybercriminals target sites on these platforms for hacking and injecting malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites that were serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages.
---------------------------------------------
https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-ht…
∗∗∗ Sicherheitsforscher entdecken 36 neue Sicherheitslücken im LTE-Standard ∗∗∗
---------------------------------------------
Aufgrund von Lücken sollen Angreifer in der Lage sein, Verbindungen im LTE-Netz zu stören oder sogar zu manipulieren. Das geht aber mit viel Aufwand einher.
---------------------------------------------
http://heise.de/-4352711
∗∗∗ What Is Access Control? A Key Component Of Data Security ∗∗∗
---------------------------------------------
Who should be able to access a company's data? Under what circumstances do organisations deny access to a user with access privileges? To adequately protect data, an organisation's access control [...]
---------------------------------------------
https://blog.schneider-electric.com/building-management/2019/03/27/what-is-…
∗∗∗ Rechnungen betrügerischer Streaming-Websites nicht bezahlen! ∗∗∗
---------------------------------------------
Die Welle betrügerischer Streaming-Plattformen mit Namen wie nolistream.de, someflix.de, daftstream.de oder savaflix.de reißt nicht ab. Die Websites verfolgen nur ein Ziel: Internetuser/innen zu unberechtigten Zahlungen zu drängen. Durch gefälschte Rechnungen, Mahnungen und Inkassoschreiben sollen Betroffene eingeschüchtert werden. Die geforderten 358,80, 359,88 oder 479,16 Euro dürfen nicht bezahlt werden!
---------------------------------------------
https://www.watchlist-internet.at/news/rechnungen-betruegerischer-streaming…
=====================
= Vulnerabilities =
=====================
∗∗∗ Siemens SCALANCE X ∗∗∗
---------------------------------------------
This advisory includes mitigations for an expected behavior violation vulnerability reported in the Siemens SCALANCE X products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-085-01
∗∗∗ ENTTEC Lighting Controllers ∗∗∗
---------------------------------------------
This advisory includes mitigations for a missing authentication for critical function vulnerability reported in ENTTEC’s lighting controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-085-03-0
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openjdk-7), Fedora (cfitsio, firefox, librsvg2, and pdns), openSUSE (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (gd, grub2, ImageMagick, kernel, libcaca, libmspack, ntp, ovmf, w3m, and wavpack), and Ubuntu (php7.0, php7.2, qemu, and xmltooling).
---------------------------------------------
https://lwn.net/Articles/784114/
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-71135https://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml
∗∗∗ XML vulnerability CVE-2017-9233 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03244804
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei AP Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190327-…
∗∗∗ IBM Security Bulletin: Potential denial of service in WebSphere Application Server Admin Console (CVE-2019-4080) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s…
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in xorg-x11-libX11 (CVE-2018-14598 CVE-2018-14599 CVE-2018-14600) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass…
∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in GNU C Library (CVE-2015-5180 CVE-2017-15670 CVE-2017-15804) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass…
∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in cURL (CVE-2018-14618 CVE-2018-16840 CVE-2018-16842) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass…
∗∗∗ IBM Security Bulletin: Content Collector for Email is affected by 3RD PARTY IBM WebSphere Application Server Deserialization ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-content-collector-for…
∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in PHP (CVE-2018-17082 CVE-2018-14883 CVE-2018-14851 CVE-2017-9118) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass…
∗∗∗ IBM Security Bulletin: Content Collector for Email is affected by 3RD PARTY CSRF and OOB-XXE Vulnerabilities in WebSphere Web Application Server’s Integrated Solutions Console 9.0.0.8, 8.5.5.13, and 8.5.5.9 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-content-collector-for…
∗∗∗ IBM Security Bulletin: IBM Security Identity Manager Virtual Appliance is affected by multiple vulnerabilities (CVE-2017-6464, CVE-2017-6463, CVE-2017-6462, CVE-2015-3331, CVE-2014-2523) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-identity…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Identity Manager Virtual Appliance ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily