=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 19-06-2019 18:00 − Freitag 21-06-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Botnet Uses SSH and ADB to Create Android Cryptomining Army ∗∗∗
---------------------------------------------
Researchers discovered a cryptocurrency mining botnet that uses the Android Debug Bridge (ADB) Wi-Fi interface and SSH connections to hosts stored in the known_hosts list to spread to other devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/botnet-uses-ssh-and-adb-to-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ PHOENIX CONTACT Automation Worx Software Suite ∗∗∗
---------------------------------------------
This advisory includes mitigations for access of uninitialized pointer, out-of-bounds read, and use after free vulnerabilities reported in Phoenix Contacts Automation Worx Software Suite.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-171-01
∗∗∗ Cisco schließt zwei kritische und zahlreiche weitere Schwachstellen ∗∗∗
---------------------------------------------
Updates für Ciscos SD-WAN-Lösung und DNA Center beseitigen kritische Sicherheitsprobleme. Aber auch zahlreiche weitere Produkte wurden frisch gepatcht.
---------------------------------------------
https://heise.de/-4451734
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, gvfs, intel-microcode, and python-urllib3), Fedora (advancecomp, firefox, freeradius, kubernetes, pam-u2f, and rubygem-jquery-ui-rails), openSUSE (elfutils and sssd), Red Hat (chromium-browser), SUSE (doxygen and samba), and Ubuntu (evince, firefox, Gunicorn, libvirt, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/791572/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (libvirt and python), Debian (intel-microcode, php-horde-form, and znc), Fedora (firefox), Mageia (firefox, flash-player-plugin, git, graphicsmagick, kernel, kernel-linus, kernel-tmb, phpmyadmin, and thunderbird), Oracle (libssh2, libvirt, and python), Red Hat (libvirt and python), Scientific Linux (libvirt), Slackware (bind and mozilla), SUSE (enigmail), and Ubuntu (bind9, intel-microcode, mosquitto, postgresql-10, postgresql-11, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/791669/
∗∗∗ Synology-SA-19:28 Linux kernel ∗∗∗
---------------------------------------------
CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 allow remote attackers to conduct denial-of-service attacks via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_28
∗∗∗ Multiple vulnerabilities in VAIO Update ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN13555032/
∗∗∗ Intel-SA-00213: Intel CSME, Intel SPS, Intel TXE, Intel DAL, and Intel AMT vulnerabilities ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K42117350
∗∗∗ Security vulnerabilities fixed in Firefox 67.0.4 and Firefox ESR 60.7.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
∗∗∗ Security vulnerabilities fixed in Thunderbird 60.7.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/
∗∗∗ AirPort Base Station Firmware Update 7.8.1 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT210091
∗∗∗ CVE-2019-10072 Apache Tomcat HTTP/2 DoS ∗∗∗
---------------------------------------------
https://mail-archives.apache.org/mod_mbox/tomcat-announce/201906.mbox/brows…
∗∗∗ DSA-2019-084: Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs Security Update for PC Doctor Vulnerability ∗∗∗
---------------------------------------------
https://www.dell.com/support/article/at/de/atdhs1/sln317291/dsa-2019-084-de…
∗∗∗ [webapps] WebERP 4.15 - SQL injection ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47013
∗∗∗ DoS Vulnerability in Huawei S Series Switch Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190522-…
∗∗∗ IBM Security Bulletin: IBM MessageSight/MessageGateway is affected by the following jQuery vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-messagesight-mess…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM API Connect is affected by a denial of service vulnerability in Node.js (CVE-2019-5737) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-af…
∗∗∗ IBM Security Bulletin: IBM MessageSight is affected by the following four IBM Java vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-messagesight-is-a…
∗∗∗ IBM Security Bulletin: IBM Cloud Transformation Advisor is affected by a Node.js lodash module vulnerability (CVE-2018-16487) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-transformat…
∗∗∗ IBM Security Bulletin: IBM MessageSight/MessageGateway is affected by the following WebSphere Application Server vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-messagesight-mess…
∗∗∗ IBM Security Bulletin: This Power System update is being released to address CVE-2018-5390 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-this-power-system-upd…
∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-op…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 18-06-2019 18:00 − Mittwoch 19-06-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Zombieload: Intel-Microcode für Windows v1809/v1803 verfügbar ∗∗∗
---------------------------------------------
Schutz gegen Microarchitectural Data Sampling wie Zombieload: Wer noch Windows 10 oder Windows Server in einer älteren Version auf einem Intel-Prozessor nutzt, erhält nun direkt über das Betriebssystem passenden Microcode, um das System gegen Seitenkanalangriffe zu härten.
---------------------------------------------
https://www.golem.de/news/zombieload-intel-microcode-fuer-windows-v1809-v18…
∗∗∗ Pass the salt! Popular CMSs aren’t securing passwords properly ∗∗∗
---------------------------------------------
A group of researchers has discovered that many of the webs most popular content management systems are using obsolete algorithms to protect their users passwords.
---------------------------------------------
https://nakedsecurity.sophos.com/2019/06/19/popular-content-platforms-putti…
∗∗∗ Quick Detect: Exim "Return of the Wizard" Attack, (Wed, Jun 19th) ∗∗∗
---------------------------------------------
Thanks to our reader Alex for sharing some of his mail logs with the latest attempts to exploit CVE-2019-10149 (aka "Return of the Wizard"). The vulnerability affects Exim and was patched about two weeks ago. There are likely still plenty of vulnerable servers, but it looks like attackers are branching out and are hitting servers not running Exim as well.
---------------------------------------------
https://isc.sans.edu/diary/rss/25052
∗∗∗ Evading Sysmon DNS Monitoring ∗∗∗
---------------------------------------------
In a recent update to Sysmon, a new feature was introduced allowing the ability to log DNS events. While this gives an excellent datapoint for defenders (shout out to the SysInternals team for continuing to provide and support these awesome tools for free), for us as attackers, this means that should our implant or payloads attempt to communicate via DNS, BlueTeam have a potential way to pick up on indicators which could lead to detection.
---------------------------------------------
https://blog.xpnsec.com/
∗∗∗ BSI veröffentlicht Empfehlungen zur sicheren Konfiguration von Microsoft-Office-Produkten ∗∗∗
---------------------------------------------
Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat für den Einsatz auf dem Betriebssystem Microsoft Windows sieben Cyber-Sicherheitsempfehlungen für eine sichere Konfiguration von Microsoft Office 2013/2016/2019 erstellt. Diese behandeln zum einen übergreifende Richtlinien für Microsoft Office, zum anderen Richtlinien für sechs häufig genutzte Microsoft Office-Anwendungen (Access, Excel, Outlook, PowerPoint, Visio und Word).
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Empfehlunge…
∗∗∗ Achtung vor gefälschten News zu BitUp und Bitcoin Code ∗∗∗
---------------------------------------------
Internetnutzer/innen stoßen vermehrt auf erfundene Nachrichtenartikel, die die Angebote von Bitcoin Code oder BitUp bewerben. Berichtet wird vom „größten Deal der Geschichte“ bei den Fernsehsendungen „Die Höhle der Löwen“ oder „2 Minuten 2 Millionen“. Die Angebote auf bitcoincodesoftapps.com und bitupapp.com sind unseriös und Anleger/innen verlieren ihr Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-gefaelschten-news-zu-bit…
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero Day: Mozilla schließt ausgenutzte Sicherheitslücke in Firefox ∗∗∗
---------------------------------------------
Firefox-Hersteller Mozilla hat eine kritische Sicherheitslücke in seinem Browser geschlossen, die wohl aktiv ausgenutzt wird. Updates stehen bereit und werden von Mozilla bereits verteilt.
---------------------------------------------
https://www.golem.de/news/zero-day-mozilla-schliesst-ausgenutzte-sicherheit…
∗∗∗ Oracle Releases Security Advisory for WebLogic ∗∗∗
---------------------------------------------
Original release date: June 19, 2019 Oracle has released a security alert to address a vulnerability in WebLogic. A remote attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/06/19/Oracle-Releases-Se…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (dbus, firefox, kernel, linux-lts, linux-zen, and python), CentOS (bind and kernel), Debian (firefox-esr, glib2.0, and vim), Fedora (dbus, kernel, kernel-headers, mingw-libxslt, poppler, and python-gnupg), openSUSE (gnome-shell, kernel, libcroco, php7, postgresql10, python, sssd, and thunderbird), Oracle (kernel and libvirt), Red Hat (go-toolset:rhel8, gvfs, java-11-openjdk, pki-deps:10.6, systemd, and WALinuxAgent), SUSE (docker, kernel, libvirt, [...]
---------------------------------------------
https://lwn.net/Articles/791462/
∗∗∗ PHOENIX CONTACT Multiple Vulnerabilities in Automation Worx Software Suite ∗∗∗
---------------------------------------------
Security Advisory for Automation Worx Software Suite version 1.86 and earlier
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2019-014
∗∗∗ Vuln: Symantec DLP CVE-2019-9701 Cross Site Scripting Vulnerability ∗∗∗
---------------------------------------------
http://www.securityfocus.com/bid/108733
∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0521
∗∗∗ IBM Security Bulletin: IBM API Connect is affected by sensitive information leakage in LoopBack (CVE-2019-4382) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-af…
∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerability Affects IBM Sterling B2B Integrator (CVE-2019-4377) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur…
∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Command Center (CVE-2019-2602) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM API Connect ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by sensitive information leak (CVE-2018-2013) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-…
∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by software stack information leak (CVE-2018-2011) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-…
∗∗∗ IBM Security Bulletin: API Connect V5 is vulnerable to CSRF attacks (CVE-2018-1858) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v5-is-vul…
∗∗∗ FreeBSD SACK Slowness vulnerability CVE-2019-5599 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K75521003
∗∗∗ Linux SACK Slowness vulnerability CVE-2019-11478 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K26618426
∗∗∗ Linux SACK Panic vulnerability CVE-2019-11477 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K78234183
∗∗∗ Excess resource consumption due to low MSS values vulnerability CVE-2019-11479 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K35421172
∗∗∗ Intel CSME and SPS vulnerability CVE-2019-0093 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13710800
∗∗∗ Intel Server Platform Services vulnerability CVE-2019-0089 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K47234311
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 17-06-2019 18:00 − Dienstag 18-06-2019 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Security Alert: Booking.Com Fake Emails Infect Computers with Sodinokibi Ransomware ∗∗∗
---------------------------------------------
A new spam campaign pretending to be from Booking.com is now targeting users. The emails carry a document containing macro code. If someone clicks on the document, opens it, and allows the execution of the macro code, a loader will be spawned. This will download and run ransomware of the Sodinokibi class.
---------------------------------------------
https://heimdalsecurity.com/blog/booking-com-fake-emails-sodinokibi-ransomw…
∗∗∗ Plurox: Modular backdoor ∗∗∗
---------------------------------------------
The analysis showed the Backdoor.Win32.Plurox to have a few quite unpleasant features. What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins.
---------------------------------------------
https://securelist.com/plurox-modular-backdoor/91213/
∗∗∗ Malware sidesteps Google permissions policy with new 2FA bypass technique ∗∗∗
---------------------------------------------
When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.
We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google’s recent restrictions. As a bonus, this technique also works to obtain OTPs from some email-based 2FA systems.
---------------------------------------------
https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-by…
∗∗∗ Sharing the Secrets: Pwning an industrial IoT router ∗∗∗
---------------------------------------------
I get involved in a lot of IoT and ICS pen tests and found an interesting device on one of them. I didn’t have enough time on the job to go as deep as I wanted, so got PTP to buy a couple to play with. eBay FTW! It’s an Ewon Flexy IoT Router.
---------------------------------------------
https://www.pentestpartners.com/security-blog/sharing-the-secrets-pwning-an…
∗∗∗ Bestellen Sie nicht bei lastore.net ∗∗∗
---------------------------------------------
Auch wenn die Preise bei lastore.net sehr verlockend sind, raten wir von einer Bestellung ab. Denn lastore.net ist ein Fake-Shop, der trotz Bezahlung keine Ware liefert!
---------------------------------------------
https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-lastorenet/
=====================
= Vulnerabilities =
=====================
∗∗∗ TCP SACK PANIC: Linux- und FreeBSD-Kernel lassen sich aus der Ferne angreifen ∗∗∗
---------------------------------------------
Netflix hat einige Sicherheitsprobleme im Netzwerk-Stack von Linux- und FreeBSD-Kerneln entdeckt, die sich für Denial-of-Service-Attacken eignen.
---------------------------------------------
https://heise.de/-4449183
∗∗∗ Vulnerability Spotlight: Two bugs in KCodes NetUSB affect some NETGEAR routers ∗∗∗
---------------------------------------------
KCodes’ NetUSB kernel module contains two vulnerabilities that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. Specific models of these routers utilize the kernel module from KCodes, a Taiwanese company. The module is custom-made for each device, but they all contain similar functions.
---------------------------------------------
https://blog.talosintelligence.com/2019/06/vulnerability-spotlight-two-bugs…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (linux-hardened), Debian (kdepim, kernel, linux-4.9, and phpmyadmin), Fedora (ansible and glib2), openSUSE (kernel and vim), Oracle (bind and kernel), Red Hat (kernel and kernel-rt), Scientific Linux (bind and kernel), SUSE (dbus-1, ImageMagick, kernel, netpbm, openssh, and sqlite3), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon and linux,
---------------------------------------------
https://lwn.net/Articles/791370/
∗∗∗ Critical Flaw Exposes TP-Link Wi-Fi Extenders to Remote Attacks ∗∗∗
---------------------------------------------
A critical remote code execution vulnerability discovered by an IBM X-Force researcher allows an unauthenticated attacker to take complete control of some TP-Link Wi-Fi extenders. Firmware updates that should patch the flaw have been made available by the vendor.
---------------------------------------------
https://www.securityweek.com/critical-flaw-exposes-tp-link-wi-fi-extenders-…
∗∗∗ MISP: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
MISP ist eine Open-Source-Plattform für den Informationsaustausch über Bedrohungen.
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MISP ausnutzen, um beliebigen Programmcode auszuführen.
CVE Liste: CVE-2019-12868
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0515
∗∗∗ Improper Access Control Vulnerability in AppDNA ∗∗∗
---------------------------------------------
A vulnerability has been identified in AppDNA that could result in access controls not being enforced when accessing the web console potentially allowing privilege escalation and remote code execution.
---------------------------------------------
https://support.citrix.com/article/CTX253828
∗∗∗ IBM Security Bulletin: Password exposure via job log in IBM Spectrum Protect Plus (CVE-2019-4385) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-exposure-via…
∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2019-4364) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-mana…
∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4303) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-mana…
∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms April 2019 CPU (CVE-2019-2684) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-…
∗∗∗ IBM Security Bulletin: IBM i is affected by networking BIND vulnerability CVE-2018-5743 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-…
∗∗∗ IBM Security Bulletin: An Arbitrary Download Vulnerability Affects IBM Campaign (CVE-2019-4384) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-an-arbitrary-download…
∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerability Affects IBM Marketing Platform (CVE-2017-1107) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 14-06-2019 18:00 − Montag 17-06-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ U.S. Govt Achieves BlueKeep Remote Code Execution, Issues Alert ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) published an alert for Windows users to patch the critical severity Remote Desktop Services (RDS) RCE security flaw dubbed BlueKeep.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-govt-achieves-bluekeep-re…
∗∗∗ Ermittler entschlüsselten neue Version der GandCrab-Ransomware ∗∗∗
---------------------------------------------
Wer Opfer der Ransomware wurde, kann die Schadsoftware mit dem neuen Tool kostenfrei entfernen.
---------------------------------------------
https://futurezone.at/netzpolitik/ermittler-entschluesselten-neue-version-d…
∗∗∗ An infection from Rig exploit kit, (Mon, Jun 17th) ∗∗∗
---------------------------------------------
[...] Today's diary reviews a recent example of infection traffic caused by Rig EK.
---------------------------------------------
https://isc.sans.edu/diary/rss/25040
∗∗∗ Überteuertes Visum für Kanada auf kanadaeta.com und kanada-eta.de ∗∗∗
---------------------------------------------
Zahlreiche verärgerte Konsument/innen berichten uns von überteuerten ETA-Anträgen (Electronic Travel Authorization) – also Reisegenehmigungen – auf kanadaeta.com und kanada-eta.de. Statt etwa 5 Euro auf der offiziellen Website der kanadischen Regierung werden hier zwischen 50 und 80 Euro für ein Visum verrechnet. Die Watchlist Internet empfiehlt: Die offizielle Regierungswebsite nutzen!
---------------------------------------------
https://www.watchlist-internet.at/news/ueberteuertes-visum-fuer-kanada-auf-…
∗∗∗ Security researcher finds critical XSS bug in Googles Invoice Submission Portal ∗∗∗
---------------------------------------------
Security bug would have allowed hackers access to one of Googles backend apps.
---------------------------------------------
https://www.zdnet.com/article/security-researcher-finds-critical-xss-bug-in…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and thunderbird), Debian (php-horde-form, pyxdg, thunderbird, and znc), Fedora (containernetworking-plugins, mediawiki, and podman), openSUSE (chromium), Red Hat (bind, chromium-browser, and flash-plugin), SUSE (docker, glibc, gstreamer-0_10-plugins-base, gstreamer-plugins-base, postgresql10, sqlite3, and thunderbird), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/791277/
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM Cloud Private Platform-UI is vulnerable to a cross-site request forgery attack (CVE-2019-4142) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-pla…
∗∗∗ IBM Security Bulletin: Vulnerability in strongswan affects QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-stro…
∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL and strongswan affect IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-op…
∗∗∗ IBM Security Bulletin: Fabric OS firmware for Brocade 8Gb SAN Switch Module for BladeCenter is affected by vulnerabilities in OpenSSL and OpenSSH ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-fabric-os-firmware-fo…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 13-06-2019 18:00 − Freitag 14-06-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs ∗∗∗
---------------------------------------------
Misconfiguration is not novel. However, cybercriminals still find that it is an effective way to get their hands on organizations’ computing resources to use for malicious purposes and it remains a top security concern. In this blog post, we will detail an attack type where an API [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/T-m0jjHJA_o/
∗∗∗ Security and Privacy, Two Sides of the Same Coin ∗∗∗
---------------------------------------------
ENISA Annual Privacy Forum 2019
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/security-and-privacy-two-sides-…
∗∗∗ Phishing-Mails gaukeln Ende von WhatsApp-Abonnement vor ∗∗∗
---------------------------------------------
Eine aktuelle Phishing-Welle versucht, WhatsApp-Nutzer über ein angeblich auslaufendes Abonnement zur Preisgabe von Zahlungsdaten zu bewegen.
---------------------------------------------
https://heise.de/-4447165
∗∗∗ Linux servers under attack via latest Exim flaw ∗∗∗
---------------------------------------------
It didn’t take long for attackers to start exploiting the recently revealed Exim vulnerability (CVE-2019-10149). Active campaigns One security enthusiast detected exploitation attempts five days ago: [...]
---------------------------------------------
https://www.helpnetsecurity.com/2019/06/14/exploiting-cve-2019-10149/
∗∗∗ Adware and PUPs families add push notifications as an attack vector ∗∗∗
---------------------------------------------
Push notifications are being added to the arsenal of PUPs, adware, and even a Trojan browser extension that spams Facebook groups.
---------------------------------------------
https://blog.malwarebytes.com/adware/2019/06/adware-and-pups-families-add-p…
∗∗∗ Yubico Replacing YubiKey FIPS Devices Due to Security Issue ∗∗∗
---------------------------------------------
Yubico is in the process of replacing YubiKey FIPS (Federal Information Processing Standards) security keys following the discovery of a potentially serious cryptography-related issue that can cause RSA keys and ECDSA signatures generated on these devices to have reduced strength.
---------------------------------------------
https://www.securityweek.com/yubico-replacing-yubikey-fips-devices-due-secu…
∗∗∗ French Authorities Release Free Decryptor for PyLocky Ransomware ∗∗∗
---------------------------------------------
The French Ministry of Interior has released a free decryption tool for the PyLocky ransomware to help victims recover their data.
---------------------------------------------
https://www.securityweek.com/french-authorities-release-free-decryptor-pylo…
∗∗∗ MISP 2.4.109 released (aka cool-attributes-to-object) ∗∗∗
---------------------------------------------
MISP 2.4.109 releasedA new version of MISP (2.4.109) has been released with a host of new features, improvements, bug fixes and a minor security fix. We strongly advise all users to update their MISP installations to this latest version.
---------------------------------------------
https://www.misp-project.org/2019/06/14/MISP.2.4.109.released.html
=====================
= Vulnerabilities =
=====================
∗∗∗ BD Alaris Gateway Workstation ∗∗∗
---------------------------------------------
This medical advisory includes mitigations for improper access control and unrestricted upload of file with dangerous type vulnerabilities reported in BD’s Alaris Gateway Workstation.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-19-164-01
∗∗∗ Johnson Controls exacqVision Enterprise System Manager ∗∗∗
---------------------------------------------
This advisory includes mitigations for an improper authorization vulnerability reported in Johnson Controls exacqVision Enterprise System Manager.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-164-01
∗∗∗ Xen Security Advisory XSA-295 - Unlimited Arm Atomics Operations ∗∗∗
---------------------------------------------
An attacker in a domU could perform a denial of service attack on Xen by accessing a memory region shared with the hypervisor, while Xen is performing an atomic operation on the same region. As a result Xen could end up looping boundlessly.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-295.txt
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (gvim, lib32-openssl, openssl, and vim), Debian (dbus), Fedora (dovecot, evince, js-jquery-jstree, libxslt, php-phpmyadmin-sql-parser, and phpMyAdmin), openSUSE (neovim and rubygem-rack), Oracle (docker-engine and python), Scientific Linux (python), Slackware (mozilla), and SUSE (containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork, elfutils, libvirt, and python-requests).
---------------------------------------------
https://lwn.net/Articles/791165/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Secure Proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Impact Remote Code Execution (CVE-2019-4103) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-tivoli-netcool-im…
∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is affected by a XXE (XML External Entity) Injection vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-inform…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM Notes 9 and Domino 9 are affected by Open Source James Clark Expat Vulnerabilities (CVE-2013-0340, CVE-2013-0341) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-notes-9-and-domin…
∗∗∗ IBM Security Bulletin: IBM Cognos Controller 2019Q2 Security Updater: Multiple vulnerabilities have been identified in IBM Cognos Controller ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cognos-controller…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 12-06-2019 18:00 − Donnerstag 13-06-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ What is "THAT" Address Doing on my Network, (Thu, Jun 13th) ∗∗∗
---------------------------------------------
Disclosure: ISC does not endorse any one particular vendor. That said, you may recognize what type of firewall I use :)
---------------------------------------------
https://isc.sans.edu/diary/rss/25028
∗∗∗ LDAP Swiss Army Knife ∗∗∗
---------------------------------------------
This paper presents the "LDAP Swiss Army Knife", an easy to use LDAP server implementation built for penetration oder software testing. Apart from general usage as a server or proxy it also shows some specific attacks against Java/JNDI based LDAP clients.
---------------------------------------------
https://packetstormsecurity.com/files/153270/LDAP-Swiss-Army-Knife.html
∗∗∗ SandboxEscaper enthüllt fünften Win-Exploit, Microsoft patcht die übrigen ∗∗∗
---------------------------------------------
Pünktlich zum Patchday hat Microsoft auch die 0-Day-Lücken des Hackers "SandboxEscaper" geschlossen. Alle bis auf eine.
---------------------------------------------
https://heise.de/-4445318
∗∗∗ Vermeintliche E-Mail von A1 ignorieren ∗∗∗
---------------------------------------------
Eine E-Mail von A1, in der es heißt, dass Ihnen irrtümlicherweise 86,43 Euro in Rechnung gestellt wurde, können Sie ignorieren. Es handelt sich um einen Versuch, an Ihre Zugangs- und Bankdaten zu gelangen.
---------------------------------------------
https://www.watchlist-internet.at/news/vermeintliche-e-mail-von-a1-ignorier…
∗∗∗ SEC security alert warns about misconfigured NAS, DBs, and cloud storage servers ∗∗∗
---------------------------------------------
SEC OCIE inspections finds that companies have failed to properly secure network-accessible storage systems.
---------------------------------------------
https://www.zdnet.com/article/sec-security-alert-warns-about-misconfigured-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ About the security content of iCloud for Windows 10.4 ∗∗∗
---------------------------------------------
This document describes the security content of iCloud for Windows 10.4.
---------------------------------------------
https://support.apple.com/en-us/HT210212
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox, kernel, kernel-headers, libreswan, python-urllib3, and vim), Red Hat (python), SUSE (sssd), and Ubuntu (dbus).
---------------------------------------------
https://lwn.net/Articles/791052/
∗∗∗ IBM Security Bulletin: IBM Connections Security Refresh (CVE-2019-4403) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-connections-secur…
∗∗∗ IBM Security Bulletin: IBM i Clustering is affected by CVE-2019-4381 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-clustering-is-a…
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud April 2019 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: A vulnerability in Python affects PowerKVM ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-py…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Reporting for Development Intelligence ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-06-2019 18:00 − Mittwoch 12-06-2019 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Microsoft Releases June 2019 Office Updates With Security Fixes ∗∗∗
---------------------------------------------
Microsoft released the June 2019 Office Updates today, which consist of 13 security updates and 13 non-security updates. Given that some of the Microsoft Office security updates issued today also resolve critical vulnerabilities, it is strongly advised to install them as soon as possible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-releases-june-2019…
∗∗∗ Bad Cert Vulnerability Can Bring Down Any Windows Server ∗∗∗
---------------------------------------------
A Google security expert today revealed that an unpatched issue in the main cryptographic library in Microsofts operating system can cause a denial-of-service (DoS) condition on Windows 8 servers and above.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bad-cert-vulnerability-can-b…
∗∗∗ Ransomware identification for the judicious analyst ∗∗∗
---------------------------------------------
When facing a ransomware infection, it helps to be familiar with some tools as well as key points to identify ransomware correctly.
---------------------------------------------
https://www.gdatasoftware.com/blog/2019/06/31666-ransomware-identification-…
∗∗∗ RAMBleed: Rowhammer kann auch Daten auslesen ∗∗∗
---------------------------------------------
Mit Angriffen durch RAM-Bitflips lassen sich unberechtigt Speicherinhalte auslesen. Als Demonstration zeigen Forscher, wie sie mit Nutzerrechten einen RSA-Key eines SSH-Daemons auslesen können.
---------------------------------------------
https://www.golem.de/news/rambleed-rowhammer-kann-auch-daten-auslesen-1906-…
∗∗∗ DICOM Standard in Medical Devices ∗∗∗
---------------------------------------------
NCCIC is aware of a public report of a vulnerability in the DICOM (Digital Imaging and Communications in Medicine) standard with proof-of-concept (PoC) exploit code. The DICOM standard is the international standard to transmit, store, retrieve, print, process, and display medical imaging information. According to this report, the vulnerability is exploitable by embedding executable code into the 128 byte preamble. This report was released without coordination with NCCIC or any known vendor.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-19-162-01
∗∗∗ AVML - Acquire Volatile Memory for Linux ∗∗∗
---------------------------------------------
AVML is an X86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary. AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori. No on-target compilation or fingerprinting is needed.
---------------------------------------------
https://github.com/microsoft/avml
∗∗∗ Windows-Schwachstelle „Bluekeep“: Erneute Warnung vor wurmartigen Angriffen ∗∗∗
---------------------------------------------
Wurmartige Cyber-Angriffe mit den Schadprogrammen WannaCry und NotPetya haben im Jahr 2017 weltweit Millionenschäden verursacht und einzelne Unternehmen in Existenznöte gebracht. Ein vergleichbares Szenario ermöglicht die kritische Schwachstelle Bluekeep, die im Remote-Desktop-Protocol-Dienst (RDP) von Microsoft-Windows enthalten ist. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hatte bereits im Mai ebenso wie Microsoft vor dieser Schwachstelle gewarnt und
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Windows-Sch…
∗∗∗ Achtung vor angeblichen Microsoft-Anrufen ∗∗∗
---------------------------------------------
Eine neue Welle angeblicher Microsoft Anrufe rollt momentan über Österreich hinweg. Die Anrufer/innen behaupten, Probleme auf den Geräten der Betroffenen gefunden zu haben. Vorsicht: Es handelt sich um Betrüger/innen, die versuchen, Zugriff auf das System ihrer Opfer zu erhalten und Daten zu stehlen. Konsument/innen sollten derartige Anrufe umgehend beenden.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-angeblichen-microsoft-an…
=====================
= Vulnerabilities =
=====================
∗∗∗ Intel Releases Security Updates, Mitigations for Multiple Products ∗∗∗
---------------------------------------------
Intel has released security updates and recommendations to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/06/11/Intel-Releases-Sec…
∗∗∗ Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series ∗∗∗
---------------------------------------------
The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities resulting from old software components embedded in the firmware.
---------------------------------------------
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-wago…
∗∗∗ Patchday: Gefährliche Lücke in Aufgabenplanung von Windows 10 gepatcht ∗∗∗
---------------------------------------------
Microsoft hat jede Menge Sicherheitsupdates für Windows, Office und weitere Software veröffentlicht. Viele Lücke gelten als kritisch.
---------------------------------------------
https://heise.de/-4444614
∗∗∗ Critical Microsoft NTLM vulnerabilities allow remote code execution on any Windows machine ∗∗∗
---------------------------------------------
The Preempt research team found two critical Microsoft vulnerabilities that consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS. The research shows that all Windows versions are vulnerable.
---------------------------------------------
https://www.helpnetsecurity.com/2019/06/11/microsoft-ntlm-vulnerabilities/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libgd2, mediawiki, otrs2, vlc, and zookeeper), Fedora (containernetworking-plugins, kernel, kernel-headers, nodejs-tough-cookie, podman, python-django, and python-urllib3), openSUSE (virtualbox), SUSE (gnome-shell, libcroco, and php7), and Ubuntu (dbus, Neovim, and vim).
---------------------------------------------
https://lwn.net/Articles/790976/
∗∗∗ Flaw in Evernote Extension Allows Hackers to Steal Data ∗∗∗
---------------------------------------------
A vulnerability identified by researchers in a popular Evernote extension for Chrome can be exploited by hackers to steal sensitive information from the websites accessed by a user. read more
---------------------------------------------
https://www.securityweek.com/flaw-evernote-extension-allows-hackers-steal-d…
∗∗∗ MISP: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗
---------------------------------------------
MISP ist eine Open-Source-Plattform für den Informationsaustausch über Bedrohungen.
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MISP ausnutzen, um seine Privilegien zu erhöhen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0491
∗∗∗ Security Advisory - DLL Hijacking Vulnerability on Huawei HiSuite ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190612-…
∗∗∗ IBM Security Bulletin: A security vulnerability has been idenfied in IBM SDK which affects IBM Db2 Query Management Facility for z/OS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 07-06-2019 18:00 − Dienstag 11-06-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Paketmanagement: Java-Dependencies über unsichere HTTP-Downloads ∗∗∗
---------------------------------------------
In zahlreichen Java-Projekten werden Abhängigkeiten ungeprüft über HTTP ohne TLS heruntergeladen. Ein Netzwerkangreifer kann dadurch trivial die Downloads manipulieren und Schadcode ausführen.
---------------------------------------------
https://www.golem.de/news/paketmanagement-java-dependencies-ueber-unsichere…
∗∗∗ Tip: Sysmon Will Log DNS Queries ∗∗∗
---------------------------------------------
[...] Mark announced a new version of Sysmon that will log DNS queries (and replies): [...]
---------------------------------------------
https://isc.sans.edu/forums/diary/Tip+Sysmon+Will+Log+DNS+Queries/25016/
∗∗∗ Microsoft Office: Gefährliches RTF-Dokument bringt Backdoor-Trojaner mit ∗∗∗
---------------------------------------------
Derzeit nutzen Angreifer vermehrt eine zwei Jahre alte Office-Lücke aus, für die es bereits einen Patch gibt. Dabei stehen vor allem Ziele in Europa im Fokus.
---------------------------------------------
https://heise.de/-4444187
∗∗∗ China Telecom Routes European Traffic to Its Network for Two Hours ∗∗∗
---------------------------------------------
For two hours last week, a BGP route leak resulted in large portions of European Internet traffic being routed through China Telecom’s network. read more
---------------------------------------------
https://www.securityweek.com/china-telecom-routes-european-traffic-its-netw…
∗∗∗ Bitcoin-Erpressungs-Mail mit erfundenen Webcam-Aufnahmen ∗∗∗
---------------------------------------------
Kriminelle versenden massenhaft E-Mails an Internet-Nutzer/innen, in denen sie behaupten, dass die Systeme der Empfänger/innen gehackt wurden. Sie geben an, dadurch Videos über die Webcam aufgenommen zu haben, die die Empfänger/innen beim Masturbieren zeigen sollen. Um eine Verbreitung der Aufnahmen zu verhindern, werden 2000 Euro in Bitcoins gefordert. Es besteht kein Grund zur Sorge, denn es handelt sich um einen Erpressungsversuch und die Videos existieren nicht.
---------------------------------------------
https://www.watchlist-internet.at/news/bitcoin-erpressungs-mail-mit-erfunde…
∗∗∗ Major HSM vulnerabilities impact banks, cloud providers, governments ∗∗∗
---------------------------------------------
Researchers disclose major vulnerabilities in HSMs (Hardware Security Modules).
---------------------------------------------
https://www.zdnet.com/article/major-hsm-vulnerabilities-impact-banks-cloud-…
∗∗∗ Das CERT, das Wolf rief ∗∗∗
---------------------------------------------
Die Fabel ist bekannt: dem Hirtenjungen war fad, er schlug Alarm ("Wolf!"), um die Eintönigkeit zu vertreiben, und als dann der Wolf wirklich da war, hörte keiner mehr auf seinen Hilferuf. Wir haben regelmäßig ein ähnliches Thema: Wir sollen möglichst früh vor kommenden Problemen warnen, aber wenn der vorhergesagte Notfall doch nicht eintritt, dann senkt das unsere Glaubwürdigkeit.
---------------------------------------------
http://www.cert.at/services/blog/20190611093533-2484.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe ColdFusion (APSB19-27), Adobe Flash Player (APSB19-30) and Adobe Campaign (APSB19-28). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1760
∗∗∗ SAP Security Patch Day – June 2019 ∗∗∗
---------------------------------------------
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
---------------------------------------------
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580 ∗∗∗
---------------------------------------------
There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, including denial of service and the disclosure of sensitive information.
---------------------------------------------
https://blog.talosintelligence.com/2019/06/vulnerability-spotlight-multiple…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and pam-u2f), Debian (cyrus-imapd), Fedora (curl, cyrus-imapd, kernel, kernel-headers, php, and vim), openSUSE (axis, bind, bubblewrap, evolution, firefox, gnome-shell, libpng16, and rmt-server), Oracle (edk2 and kernel), and SUSE (bind, cloud7, and libvirt).
---------------------------------------------
https://lwn.net/Articles/790818/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind and thunderbird), Mageia (firefox, ghostscript, graphicsmagick, imagemagick, postgresql, and thunderbird), Oracle (kernel), Red Hat (Advanced Virtualization and rh-haproxy18-haproxy), SUSE (bind, gstreamer-0_10-plugins-base, thunderbird, and vim), and Ubuntu (elfutils, glib2.0, and libsndfile).
---------------------------------------------
https://lwn.net/Articles/790875/
∗∗∗ Synology-SA-19:26 Photo Station ∗∗∗
---------------------------------------------
These vulnerabilities allow remote attackers to obtain sensitive information or modify system settings via a susceptible version of Photo Station.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_26
∗∗∗ IBM Security Bulletin: IBM MQ Advanced Cloud Pak may print out plain text credentials in logs. (CVE-2019-4239) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-advanced-cloud…
∗∗∗ [20190603] - Core - ACL hardening of com_joomlaupdate ∗∗∗
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/_M8Ux7hoaTM/785-20190603-c…
∗∗∗ [20190602] - Core - XSS in subform field ∗∗∗
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/pYcjfxwUS9o/784-20190602-c…
∗∗∗ [20190601] - Core - CSV injection in com_actionlogs ∗∗∗
---------------------------------------------
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/XjAgqEhAS7g/783-20190601-c…
∗∗∗ # SSB-439005: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssb-439005.txt
∗∗∗ # SSA-557804: Mirror Port Isolation Vulnerability in SCALANCE X switches ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-557804.txt
∗∗∗ # SSA-480230: Denial-of-Service in Webserver of Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-480230.txt
∗∗∗ # SSA-307392: Denial-of-Service in OPC UA in Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-307392.txt
∗∗∗ # SSA-254686: Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-254686.txt
∗∗∗ # SSA-181018: Heap Overflow Vulnerability in SCALANCE X switches, RUGGEDCOM Win, RFID 181-EIP, and SIMATIC RF182C ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-181018.txt
∗∗∗ # SSA-816980: Multiple Web Vulnerabilities in SIMATIC Ident MV420 and MV440 families ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-816980.txt
∗∗∗ # SSA-774850: Vulnerabilities in SIEMENS LOGO!8 devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-774850.txt
∗∗∗ # SSA-646841: Recoverable Password from Configuration Storage in SCALANCE X Switches ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-646841.txt
∗∗∗ # SSA-212009: Vulnerabilities in Siveillance VMS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-212009.txt
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 06-06-2019 18:00 − Freitag 07-06-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ SandboxEscaper Debuts ByeBear Windows Patch Bypass ∗∗∗
---------------------------------------------
SandboxEscaper is back, with a second bypass for the recent CVE-2019-0841 Windows patch.
---------------------------------------------
https://threatpost.com/sandboxescaper-byebear-windows-bypass/145470/
∗∗∗ Keep an Eye on Your WMI Logs, (Thu, Jun 6th) ∗∗∗
---------------------------------------------
WMI ("Windows Management Instrumentation")[1] is, like Microsoft says, "the infrastructure for management data and operations on Windows-based operating systems". Personally, I like to make a (very) rough comparison between WMI and SNMP: You can query information about a system (read) but also alter it (write). WMI is present on Windows systems since the version Windows 2000. As you can imagine, when a tool is available by default on all systems, [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/25012
∗∗∗ The EU Cybersecurity Act: a new Era dawns on ENISA ∗∗∗
---------------------------------------------
Today, 7th June 2019, the EU Cybersecurity Act was published in the Official Journal of the European Union.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/the-eu-cybersecurity-act-a-new-…
∗∗∗ Bloodhound walkthrough. A Tool for Many Tradecrafts ∗∗∗
---------------------------------------------
A walkthrough on how to set up and use BloodHound BloodHound (https://github.com/BloodHoundAD/BloodHound) is an application used to visualize active directory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged is pulled from a series of data collectors also referred to as ingestors which come in PowerShell and [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool…
∗∗∗ New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices ∗∗∗
---------------------------------------------
Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets. As part of this ongoing research, we’ve recently discovered a new variant of Mirai that[...]
---------------------------------------------
https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-t…
∗∗∗ A botnet is brute-forcing over 1.5 million RDP servers all over the world ∗∗∗
---------------------------------------------
Furthermore, statistics show that despite BlueKeep, most RDP attacks today are brute-force attempts.
---------------------------------------------
https://www.zdnet.com/article/a-botnet-is-brute-forcing-over-1-5-million-rd…
=====================
= Vulnerabilities =
=====================
∗∗∗ Optergy Proton Enterprise Building Management System ∗∗∗
---------------------------------------------
This advisory includes mitigations for information exposure, cross-site request forgery, unrestricted upload of file with dangerous type, open redirect, hidden functionality, exposed dangerous method or function, and use of hard-coded credentials vulnerabilities reported in Optergy’s Proton/Enterprise Building Management System.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-157-01
∗∗∗ Panasonic Control FPWIN Pro ∗∗∗
---------------------------------------------
This advisory includes mitigations for heap-based buffer overflow and type confusion vulnerabilities reported in Panasonics Control FPWIN Pro PLC programming software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-157-02
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (evolution and qemu), Fedora (cyrus-imapd and hostapd), Gentoo (exim), openSUSE (exim), Red Hat (qpid-proton), SUSE (bind, libvirt, mariadb, mariadb-connector-c, python, and rubygem-rack), and Ubuntu (firefox, jinja2, and linux-lts-xenial, linux-aws).
---------------------------------------------
https://lwn.net/Articles/790647/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal is impacted by vulnerabilities in PHP (CVE-2019-11035 CVE-2019-11034) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve…
∗∗∗ IBM Security Bulletin: Secure Gateway is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-secure-gateway-is-aff…
∗∗∗ IBM Security Bulletin: IBM API Connect V5 is impacted by Cross Site Scripting vulnerability (CVE-2016-10531 CVE-2018-3721 CVE-2017-0268) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-v5-is…
∗∗∗ Intel UEFI vulnerability CVE-2019-0119 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K85585101
∗∗∗ Intel Xeon access control vulnerability CVE-2019-0126 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K37428370
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 05-06-2019 18:00 − Donnerstag 06-06-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ USB Killer: What it is and how to protect your devices ∗∗∗
---------------------------------------------
Introduction What’s more ubiquitous in the PC world than USB sticks? They’re easy to use, affordable and are used by millions of people on a daily basis. Everyone knows that USB sticks can house nasties, including malware, but did you know that this same little drive can completely destroy a system by simply inserting it?
---------------------------------------------
https://resources.infosecinstitute.com/usb-killer-how-to-protect-your-devic…
∗∗∗ Telecoms taken by storm: Natural phenomena dominate the outage picture ∗∗∗
---------------------------------------------
A total of 157 telecom outages were reported by the 28 EU member states and 2 EFTA countries, as part of the EU-wide telecom security breach reporting for the year 2018. Today ENISA, the EU Agency for Cybersecurity, publishes the 8th annual report on telecom security incidents, analyzing root causes, impact, and trends.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/telecoms-taken-by-storm-natural…
∗∗∗ Will you be Europe’s best cybersecurity talent? ∗∗∗
---------------------------------------------
European countries have started or are preparing to kick off their national cybersecurity competitions. The winners of the national contests will represent their countries in the ultimate cybersecurity competition on the continent: the European Cyber Security Challenge (ECSC) 2019.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/will-you-be-europe-s-best-cyber…
∗∗∗ Emotet bei Heise – Lehren aus einem Trojaner-Angriff ∗∗∗
---------------------------------------------
Es gab einen schwerwiegenden Einbruch in das Heise-Netz. An der Beseitigung arbeiten aktuell die IT-Abteilungen der Heise Gruppe und weitere Spezialisten.
---------------------------------------------
https://heise.de/-4437807
∗∗∗ Vorsicht bei BAWAG PSK-Mails ∗∗∗
---------------------------------------------
Mit der Aufforderung Ihren "secTAN" zu aktivieren, versuchen Kriminelle derzeit an Ihre Bankzugangsdaten zu gelangen. In der vermeintlichen E-Mail der Bank werden Sie aufgefordert, einem Link zu folgen. Dieser Link führt jedoch zu einer gefälschten BAWAG PSK-Website! Wir raten dazu, derartige Mails in den Spam-Ordner zu verschieben.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-bawag-psk-mails/
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitslücke: Exim-Sicherheitslücke gefährlicher als gedacht ∗∗∗
---------------------------------------------
EineSicherheitslücke im Exim-Mailserver lässt sich auch übers Netz zur Codeausführung ausnutzen, der Angriff dauert aber in der Standardkonfiguration mehrere Tage. Lokal ist er trivial und emöglicht es Nutzern, Root-Rechte zu erlangen.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-root-zugriff-fuer-angreifer-bei…
∗∗∗ Angreifer könnten Kommunikationssoftware von Cisco lahmlegen ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für Cisco Unified Communications Manager, Webex Meetings Server & Co.
---------------------------------------------
https://heise.de/-4440986
∗∗∗ VMSA-2019-0009 ∗∗∗
---------------------------------------------
VMware Tools and Workstation updates address out of bounds read and use-after-free vulnerabilities. (CVE-2019-5522, CVE-2019-5525)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0009.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (binutils), Debian (exim4 and poppler), Fedora (deepin-api, kernel, kernel-headers, kernel-tools, and php), openSUSE (cronie), and Ubuntu (apparmor, exim4, mariadb-10.1, php5, and php7.0, php7.2).
---------------------------------------------
https://lwn.net/Articles/790541/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Software Architect and Rational Software Architect for WebSphere Software ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit…
∗∗∗ IBM Security Bulletin: IBM® Intelligent Operations Center does not correctly validate file types before uploading files (CVE-2019-4069) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-intelligent-opera…
∗∗∗ IBM Security Bulletin: IBM® Intelligent Operations Center has a weak user-creation policy (CVE-2019-4066) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-intelligent-opera…
∗∗∗ IBM Security Bulletin: IBM® Intelligent Operations Center is vulnerable to user enumeration (CVE-2019-4068) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-intelligent-opera…
∗∗∗ IBM Security Bulletin: User passwords might be obtained by a brute force attack on IBM® Intelligent Operations Center (CVE-2019-4067) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-user-passwords-might-…
∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM® Intelligent Operations Center (CVE-2019-4070) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-…
∗∗∗ IBM Security Bulletin: IBM API Connect V5 is impacted by multiple vulnerabilities in IBM Java SDK (CVE-2018-3139 CVE-2018-3180) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-v5-is…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily