=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 05-07-2018 18:00 − Freitag 06-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ HNS Botnet Recent Activities ∗∗∗
---------------------------------------------
Author: Rootkiter, yegenshenHNS is an IoT botnet (Hide and Seek) originally discovered by BitDefender in January this year. In that report, the researchers pointed out that HNS used CVE-2016-10401, and other vulnerabilities to propagate malicious code and stole user information. The HNS communicates through the P2P mechanism, which is [...]
---------------------------------------------
http://blog.netlab.360.com/hns-botnet-recent-activities-en/
∗∗∗ CoinImp Cryptominer and Fully Qualified Domain Names ∗∗∗
---------------------------------------------
We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period). E.g. "www.example.com", where "www" is a subdomain, "example" is a second level domain, and "com" is a top level domain. However, very few know that there is also a DNS root domain and it can be also specified in the fully qualified domain names.
---------------------------------------------
https://blog.sucuri.net/2018/07/coinimp-cryptominer-and-fully-qualified-dom…
∗∗∗ Schädlinge unterminieren Windows-Zertifikats-System ∗∗∗
---------------------------------------------
Immer mehr Trojaner installieren eigene Root-CAs in Windows, um damit ihre Schadprogramme signieren oder Web-Seiten-Aufrufe manipulieren zu können.
---------------------------------------------
http://heise.de/-4100993
∗∗∗ Apple stopft WLAN-Lücken auf Macs unter Windows ∗∗∗
---------------------------------------------
Mit einem Update sollen zwei Angriffspunkte in den Boot-Camp-Treibern behoben werden, mit denen Macs das Microsoft-Betriebssystem nutzen.
---------------------------------------------
http://heise.de/-4102490
∗∗∗ Datenleck bei Domainfactory: Hacker knackt Systeme, lässt Kundendaten mitgehen ∗∗∗
---------------------------------------------
Die Systeme des Hosters Domainfactory wurden offensichtlich von einem Hacker kompromittiert, der nun Zugang zu sensiblen Daten der Kunden hat.
---------------------------------------------
http://heise.de/-4102881
∗∗∗ IT-Sicherheit - Elektronikhändler e-tec und Ditech wurden Kundendaten gestohlen ∗∗∗
---------------------------------------------
Altes Passwort ist abgelaufen und muss neu gesetzt werden, Zahlungsdaten zu Kreditkarten und Kontoverbindungen nicht betroffen
---------------------------------------------
https://derstandard.at/2000082932960/Elektronikhaendler-e-tec-und-Ditech-wu…
∗∗∗ What is it that Makes a Microsoft Executable a Microsoft Executable? ∗∗∗
---------------------------------------------
What exactly is it that separates arbitrary code from code that originates from Microsoft? I would wager that the reaction of most people would be to claim, "well... if it's signed by Microsoft, then it comes from Microsoft. What else is there to talk about?"
---------------------------------------------
https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco 5000 Series Enterprise Network Compute System and Cisco UCS E-Series Servers BIOS Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in BIOS authentication management of Cisco 5000 Series Enterprise Network Compute System and Cisco Unified Computing (UCS) E-Series Servers could allow an unauthenticated, local attacker to bypass the BIOS authentication and execute actions as an unprivileged user.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ WordPress 4.9.7 Security and Maintenance Release ∗∗∗
---------------------------------------------
WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.
---------------------------------------------
https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance…
∗∗∗ Stored XSS under CA and CRL certificate view page ∗∗∗
---------------------------------------------
Javascript code and HTML tags can be injected into the CN value of CA and CRL certificates via the import CA and CRL certificates feature of the GUI. The injected code may be executed when the GUI administrator views the CA certificate details and browses CRL certificates when CN values are rendered.
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-17-305
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dokuwiki, libsoup2.4, mercurial, php7.0, and phpmyadmin), Fedora (ant, gnupg, libgit2, and libsoup), openSUSE (cairo, git-annex, postgresql95, and zsh), Scientific Linux (firefox), Slackware (mozilla), SUSE (nodejs6 and rubygem-yard), and Ubuntu (AMD microcode, devscripts, and firefox).
---------------------------------------------
https://lwn.net/Articles/759212/
∗∗∗ 2018-07-06: Vulnerability in Panel Builder 800 - Improper Input Validation ∗∗∗
---------------------------------------------
http://search-ext.abb.com/library/Download.aspx?DocumentID=3BSE092089&Langu…
∗∗∗ IBM Security Bulletin: IBM API Connect is impacted by a resource leakage vulnerability (CVE-2018-1548) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22017136
∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22017003
∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016892
∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016895
∗∗∗ IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10716005
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015940
∗∗∗ IBM Security Bulletin: Vulnerability in IBM® Java SDK affects IBM SPSS Analytic Server (CVE-2018-2602, CVE-2018-2634) ∗∗∗
---------------------------------------------
https://www-prd-trops.events.ibm.com/node/715345
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/docview.wss?uid=ibm10713469
∗∗∗ PEPPERL+FUCHS Security advisory for MELTDOWN and SPECTRE attacks in ecom mobile Devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2018-009
∗∗∗ PEPPERL+FUCHS Remote Code Execution Vulnerability in HMI Devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2018-008
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 04-07-2018 18:00 − Donnerstag 05-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ First-Ever Person Sentenced for Malicious Use of Coinhive Library ∗∗∗
---------------------------------------------
Authorities in Japan have sentenced a man for the first time for using the Coinhive JavaScript library for malicious purposes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/first-ever-person-sentenced-…
∗∗∗ Analysis: Downloader with a twist ∗∗∗
---------------------------------------------
In this latest analysis, we will stay on the topic of fileless malware. Having dissected the Rozena backdoor in the last article, we have taken a peek into another malware that uses “fileless” techniques. Case in point: a downloader.
---------------------------------------------
https://www.gdatasoftware.com/blog/07/30876-analysis-downloader-with-a-twist
∗∗∗ How to Check App Permissions on iOS, Android, Windows, and macOS ∗∗∗
---------------------------------------------
Its never a bad time to audit your app permissions. In fact, its more important than ever.
---------------------------------------------
https://www.wired.com/story/how-to-check-app-permissions-ios-android-macos-…
∗∗∗ NSO-Mitarbeiter bietet iOS-Spyware Pegasus im Darknet an ∗∗∗
---------------------------------------------
Der geheimnisumwitterten israelischen Sicherheitsfirma NSO Group sind mächtige Spyware-Tools abhanden gekommen. Ein Insider wollte sie im Darknet verkaufen.
---------------------------------------------
http://heise.de/-4101187
∗∗∗ Gentoos GitHub mirror compromise incident report ∗∗∗
---------------------------------------------
LWN reported on June 29 that Gentoos GitHub mirror had been compromised. Gentoo now considers the incident resolved and the full report is available. "An unknown entity gained control of an admin account for the Gentoo GitHub Organization and removed all access to the organization (and its repositories) from Gentoo developers. They then proceeded to make ..
---------------------------------------------
https://lwn.net/Articles/759046/
∗∗∗ Warnung vor gefälschtem Microsoft-Sicherheitshinweis ∗∗∗
---------------------------------------------
Konsument/innen sehen in ihrem Browser eine gefälschte Microsoft-Sicherheitswarnung. Darin heißt es, dass ihr Computer mit Schadsoftware befallen sei. Aus diesem Grund sollen sie einen technischen Support anrufen und ein Programm auf ihrem Computer installieren. Es ermöglicht Kriminellen, bei Bezahlung von Rechnungen die Kreditkartendaten ihrer Opfern zu stehlen.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-gefaelschtem-microsoft-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Custom Tokens - Moderately critical - Arbitrary Code Execution - SA-CONTRIB-2018-046 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2018-046
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 03-07-2018 18:00 − Mittwoch 04-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malware Authors Seem Intent on Weaponizing Windows SettingContent-ms Files ∗∗∗
---------------------------------------------
Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-authors-seem-intent-…
∗∗∗ Lücken in Provider-Routern entdeckt ∗∗∗
---------------------------------------------
Durch Lücken in Routern des Herstellers ADB kann sich ein Angreifer Root-Rechte verschaffen. Das kann auch für die Provider zum Problem werden.
---------------------------------------------
http://heise.de/-4099449
∗∗∗ Phishing tales: Microsoft Access Macro (.MAM) shortcuts ∗∗∗
---------------------------------------------
Previously, I blogged about the ability to create malicious .ACCDE Microsoft Access Database files and using them as a phishing vector. This post expands on using the ACCDE format and will be introducing Microsoft Access Macro “MAM” ..
---------------------------------------------
https://posts.specterops.io/phishing-tales-microsoft-access-macro-mam-short…
=====================
= Vulnerabilities =
=====================
∗∗∗ Rockwell Automation Allen-Bradley Stratix 5950 ∗∗∗
---------------------------------------------
This advisory includes mitigations for improper input validation, improper certificate validation, and resource management error vulnerabilities in the Allen-Bradley Stratix 5950 security appliance.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-184-01
∗∗∗ Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-lin…
∗∗∗ Authorization Bypass in all ADB Broadband Gateways / Routers ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-…
∗∗∗ Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-net…
∗∗∗ Security vulnerabilities fixed in Thunderbird 52.9 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 02-07-2018 18:00 − Dienstag 03-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malware lockt mit Fortnite-Cheats ∗∗∗
---------------------------------------------
Die Beliebtheit von Fortnite ruft vermehrt auch Kriminelle auf den Plan.
---------------------------------------------
https://futurezone.at/games/malware-lockt-mit-fortnite-cheats/400060664
∗∗∗ Akute Gefahr für Überwachungs-Software Nagios XI ∗∗∗
---------------------------------------------
Ein MetaSploit-Modul nutzt mehrere Schwachstellen in Nagios XI so geschickt aus, dass ein Angreifer den Monitoring-Server übernehmen kann.
---------------------------------------------
http://heise.de/-4096379
∗∗∗ Patchday: Google schließt teils kritische Android-Lücken ∗∗∗
---------------------------------------------
Die monatlich von Google veröffentlichten Sicherheits-Patches für Android betreffen im Juli ausnahmslos Lücken mit hohem bis kritischem Schweregrad.
---------------------------------------------
http://heise.de/-4096435
∗∗∗ Mac malware targets cryptomining users ∗∗∗
---------------------------------------------
A new Mac malware called OSX.Dummy is being distributed on cryptomining chat groups that, even after being removed, leaves behind remnants for future malware to find.
---------------------------------------------
https://blog.malwarebytes.com/malwarebytes-news/2018/07/mac-malware-targets…
∗∗∗ Smoking Guns - Smoke Loader learned new tricks ∗∗∗
---------------------------------------------
This post is authored by Ben Baker and Holger Unterbrink OverviewCisco Talos has been tracking a new version of Smoke Loader — a malicious application that can be used to ..
---------------------------------------------
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learne…
∗∗∗ Kontrolle erlangt - Hacker integrierten bei Gentoo Linux gefährlichen Löschbefehl ∗∗∗
---------------------------------------------
Github-Repo übernommen und Befehl untergejubelt – mittlerweile haben die Entwickler aber wieder Kontrolle
---------------------------------------------
https://derstandard.at/2000082722326/Hacker-integrierten-bei-Gentoo-Linux-g…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (drupal7-backup_migrate, firefox, and podman), Red Hat (python), Scientific Linux (glibc, kernel, libvirt, pcs, samba, samba4, sssd and ding-libs, and zsh), and Ubuntu (kernel, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-hwe, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, linux-oem, and zziplib).
---------------------------------------------
https://lwn.net/Articles/758940/
∗∗∗ Multiple vulnerabilities from IBM Security Bulletin ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ DSA-2018-122: RSA Certificate Manager Path Traversal Vulnerability ∗∗∗
---------------------------------------------
https://www.securitytracker.com/id/1041211
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 29-06-2018 18:00 − Montag 02-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Clipboard Hijacker Malware Monitors 2.3 Million Bitcoin Addresses ∗∗∗
---------------------------------------------
While we have covered cryptocurrency clipboard hijackers in the past, most of the previous samples monitored for 400-600 thousand cryptocurrency addresses. This week BleepingComputer noticed a sample of this type of malware that monitors for a over 2.3 million cryptocurrency addresses!
---------------------------------------------
https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-m…
∗∗∗ DNS Poisoning or BGP Hijacking Suspected Behind Trezor Wallet Phishing Incident ∗∗∗
---------------------------------------------
The team behind the Trezor multi-cryptocurrency wallet service has discovered a phishing attack against some of its users that took place over the weekend.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dns-poisoning-or-bgp-hijacki…
∗∗∗ Newer Diameter Telephony Protocol Just As Vulnerable As SS7 ∗∗∗
---------------------------------------------
Security researchers say the Diameter protocol used with todays 4G (LTE) telephony and data transfer standard is vulnerable to the same types of vulnerabilities as the older SS7 standard used with older telephony standards such as 3G, 2G, and earlier.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/newer-diameter-telephony-pro…
∗∗∗ Taking apart a double zero-day sample discovered in joint hunt with ESET ∗∗∗
---------------------------------------------
In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcher Anton Cherpanov. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same Read more
---------------------------------------------
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-…
∗∗∗ Boffins want to stop Network Time Protocols time-travelling exploits ∗∗∗
---------------------------------------------
Ancient protocols key vulnerability is fixable Among the many problems that exist in the venerable Network Time Protocol is its vulnerability to timing attacks: turning servers into time-travellers can play all kinds of havoc with important systems.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/07/02/ntp_revisio…
∗∗∗ The principle of least privilege: A strategy of limiting access to what is essential ∗∗∗
---------------------------------------------
The principle of least privilege is a security strategy applicable to different areas, which is based on the idea of only granting those permissions that are necessary for the performance of a certain activity
---------------------------------------------
https://www.welivesecurity.com/2018/07/02/principle-least-privilege-strateg…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium-browser, mosquitto, python-pysaml2, simplesamlphp, tiff, and tomcat7), Fedora (kernel, libgxps, nodejs, and phpMyAdmin), Mageia (ansible, firefox, java-1.8.0-openjdk, libcrypt, libgcrypt, ncurses, phpmyadmin, taglib, and webkit2), openSUSE (GraphicsMagick, ImageMagick, mailman, Opera, and rubygem-sprockets), and SUSE (ImageMagick, kernel, mariadb, and python-paramiko).
---------------------------------------------
https://lwn.net/Articles/758845/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 28-06-2018 18:00 − Freitag 29-06-2018 18:00
Handler: Olaf Schwarz
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ File-Wiping Malware Placed Inside Gentoo Linux Code After GitHub Account Hack ∗∗∗
---------------------------------------------
An unknown hacker has temporarily taken control over the GitHub account of the Gentoo Linux organization and embedded malicious code inside the operating systems distributions that would delete user files.
---------------------------------------------
https://www.bleepingcomputer.com/news/linux/file-wiping-malware-placed-insi…
∗∗∗ Samsung-Smartphones schicken unbemerkt Fotos an Kontakte ∗∗∗
---------------------------------------------
Ein Fehler in Samsung-Handys schickt zufällig verschiedene Fotos an im Telefonbuch gespeicherte Kontakte.
---------------------------------------------
https://futurezone.at/produkte/samsung-smartphones-schicken-unbemerkt-fotos…
∗∗∗ Überwachungskameras schickten Videos an falsche Nutzer ∗∗∗
---------------------------------------------
Bereits zum zweiten Mal wird ein Fall bekannt, in denen Kameras des Herstellers Swann Security Videobilder an die falschen Nutzer senden.
---------------------------------------------
https://futurezone.at/digital-life/ueberwachungskameras-schickten-videos-an…
∗∗∗ RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique ∗∗∗
---------------------------------------------
Through FireEye Dynamic Threat Intelligence (DTI), we observed RIG Exploit Kit (EK) delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner (similar activity has been reported by Trend Micro). Apart from leveraging a relatively lesser known injection technique, the attack chain has some other interesting properties that we will touch on in this blog post.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2018/06/rig-ek-delivering-moner…
∗∗∗ Rampage: Neuer Rowhammer-Angriff betrifft alle Android-Handys seit 2011 ∗∗∗
---------------------------------------------
Mit einer neuen Technik lässt sich der Speicher von Android-Geräten manipulieren. Der Angreifer wird so auf die harte Art zum Admin.
---------------------------------------------
http://heise.de/-4094782
=====================
= Vulnerabilities =
=====================
∗∗∗ Medtronic MyCareLink Patient Monitor ∗∗∗
---------------------------------------------
This advisory includes mitigation recommendations for hard-coded password and exposed dangerous method or function vulnerabilities reported in Medtronics MyCareLink Patient Monitors.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-18-179-01
∗∗∗ VMSA-2018-0016 ∗∗∗
---------------------------------------------
VMware ESXi, and Workstation updates address multiple out-of-bounds read vulnerabilities
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2018-0016.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (firefox), Debian (firefox-esr, lava-server, libgcrypt20, mariadb-10.0, and zendframework), Fedora (firefox, podman, webkitgtk4, and xen), openSUSE (procps and unixODBC), Oracle (pki-core), Red Hat (firefox), SUSE (kernel, procps, and tomcat6), and Ubuntu (file and nasm).
---------------------------------------------
https://lwn.net/Articles/758656/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 27-06-2018 18:00 − Donnerstag 28-06-2018 18:00
Handler: Olaf Schwarz
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows Defender Detecting Legitimate Files as Trojan:Win32/Bluteal.B!rfn ∗∗∗
---------------------------------------------
Recently there have been a lot of reports of Windows Defender suddenly detecting files as Trojan:Win32/Bluteal.B!rfn. The detected files range from CPU miners, which would make sense, to legitimate Windows files, which do not.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-defender-detecting-l…
∗∗∗ Schneller Mobilfunk: Sicherheitslücken in LTE ∗∗∗
---------------------------------------------
Um die Lücken auszunutzen, braucht man viel Know-how und ausgeklügelte Hardware. Aber mit hinreichend Aufwand könnten darüber Geheimnisträger attackiert werden.
---------------------------------------------
http://heise.de/-4093507
∗∗∗ Jetzt patchen! Exploit für Cisco ASA im Umlauf ∗∗∗
---------------------------------------------
In Ciscos System für unter anderem Firewalls Adaptive Security Aplliance klafft eine Sicherheitslücke, die Angreifer bald ausnutzen könnten.
---------------------------------------------
http://heise.de/-4093948
∗∗∗ Spectre-Sicherheitslücken: Browser trotz Patches nicht sicher ∗∗∗
---------------------------------------------
Die Patches, die Chrome, Edge und Safari gegen Spectre V1 bekamen, verhindern Angriffe auf die Lücke nicht vollständig. Lediglich Firefox ist im Moment sicher.
---------------------------------------------
http://heise.de/-4094014
∗∗∗ UPnP als Tarnung: Verwundbare Router helfen DDoS-Angreifern ∗∗∗
---------------------------------------------
Der neueste Trick von DDoS-Angreifern ist das Tarnen von Traffic mithilfe unachtsamer Heim-Router und deren UPnP-Möglichkeiten.
---------------------------------------------
http://heise.de/-4094140
∗∗∗ Datendiebstahl mit angeblichen Deutsche Bahn-Gewinnspiel ∗∗∗
---------------------------------------------
Konsument/innen erhalten eine angebliche Benachrichtigung der Deutschen Bahn. Darin heißt es, dass sie ein Einjahresticket 1. Klasse für 2 Personen gewinnen können. Die Teilnahme am Gewinnspiel setzt die Bekanntgabe von persönlichen Daten voraus. Sie soll auf einer gefälschten Deutsche Bahn-Website erfolgen. Gewinnspiel-Teilnehmer/innen übermitteln ihre Angaben an Kriminelle. Das Gewinnspiel gibt es nicht.
---------------------------------------------
https://www.watchlist-internet.at/news/datendiebstahl-mit-angeblichen-deuts…
∗∗∗ Efail: HTML Mails have no Security Concept and are to blame ∗∗∗
---------------------------------------------
I recently wrote down my thoughts about why I think deprecated cryptographic standards are to blame for the Efail vulnerability in OpenPGP and S/MIME. However I promised that Ill also cover the other huge part that made a bug like Efail possible: HTML mails.
---------------------------------------------
https://blog.hboeck.de:443/archives/894-Efail-HTML-Mails-have-no-Security-C…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exiv2, firefox-esr, graphicsmagick, php-horde-crypt, ruby-passenger, tomcat7, and xen), Fedora (dcraw, file, kernel-tools, and mupdf), openSUSE (firefox and tiff), Oracle (kernel, libvirt, pki-core, and qemu-kvm), Red Hat (patch), SUSE (jpeg, python-Django, tiff, and unixODBC), and Ubuntu (jasper).
---------------------------------------------
https://lwn.net/Articles/758550/
∗∗∗ Linux kernel vulnerability CVE-2012-6701 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K13213573
∗∗∗ Linux kernel vulnerability CVE-2017-7889 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K80440915
∗∗∗ TMM vulnerability CVE-2018-5528 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K27044729
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 26-06-2018 18:00 − Mittwoch 27-06-2018 18:00
Handler: Olaf Schwarz
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ NSA Exploit "DoublePulsar" Patched to Work on Windows IoT Systems ∗∗∗
---------------------------------------------
An infosec researcher who uses the online pseudonym of Capt. Meelo has modified an NSA hacking tool known as DoublePulsar to work on the Windows IoT operating system (formerly known as Windows Embedded).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nsa-exploit-doublepulsar-pat…
∗∗∗ Codeausführung: Wordpress schließt Sicherheitslücke nicht ∗∗∗
---------------------------------------------
Eine Sicherheitslücke in Wordpress erlaubt angemeldeten Nutzern, die Installation zu übernehmen und Code auszuführen. Wordpress wusste von dem Problem seit November 2017, hat es aber bisher nicht gefixt. (Wordpress, PHP)
---------------------------------------------
https://www.golem.de/news/codeausfuehrung-wordpress-schliesst-sicherheitslu…
∗∗∗ Datenleck bei FastBooking: Hacker klauen Daten von über 124.000 Hotelgästen ∗∗∗
---------------------------------------------
Hacker haben Daten vom Server eines Booking-Providers kopiert. Die Firma schweigt zum Ausmaß – eine Hotelkette warnte derweil fast 125.000 betroffene Gäste.
---------------------------------------------
http://heise.de/-4093080
∗∗∗ Top Tools for Security Analysts in 2018 ∗∗∗
---------------------------------------------
Last spring, after discussing the tools and tech used by our team, we published a list of 51 Tools for Security Analysts. The article was well-received, and the comments offered some great suggestions to top it all off. In the spirit of that list we’d like to offer our updated 2018 edition, featuring the Defiant [...]
---------------------------------------------
https://www.wordfence.com/blog/2018/06/top-tools-for-security-analysts-in-2…
∗∗∗ Achtung vor Apple-ID Phishing-Versuch ∗∗∗
---------------------------------------------
InternetnutzerInnen erhalten vermehrt Nachrichten per E-Mail, in denen sie darüber informiert werden, dass angeblich ihre Apple-ID in China für einen Zugriff auf die iCloud verwendet wurde. Die EmpfängerInnen werden in weiterer Folge dazu aufgefordert einem Link zu folgen, sofern sie nicht selbst in China auf ihr Konto zugegriffen haben. Betroffene sollten der Aufforderung auf keinen Fall nachkommen, denn die Versender sind hinter ihren Daten her.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-apple-id-phishing-versuc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (cantata and qutebrowser), Debian (imagemagick, php5, and redis), Fedora (cri-o and libgxps), Oracle (glibc, kernel, libvirt, samba, samba4, sssd and ding-libs, and zsh), Red Hat (ansible, dpdk, kernel, kernel-alt, kernel-rt, libvirt, pki-core, podman, qemu-kvm, and qemu-kvm-rhev), Scientific Linux (kernel, libvirt, pki-core, and qemu-kvm), SUSE (firefox, gcc43, and kernel), and Ubuntu (openssl).
---------------------------------------------
https://lwn.net/Articles/758442/
∗∗∗ TMM vulnerability CVE-2018-5528 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K27044729
∗∗∗ SSL Forward Proxy vulnerability CVE-2018-5527 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K20134942
∗∗∗ HPESBHF03844 rev.1 - HPE Integrated Lights-Out 4, 5 (iLO 4, 5), Remote Unauthorized Modification of Information ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 25-06-2018 18:00 − Dienstag 26-06-2018 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WPA3: Neuer WLAN-Verschlüsselungsstandard verabschiedet ∗∗∗
---------------------------------------------
Die Wi-Fi Alliance hat mit WPA3 einen neuen Verschlüsselungsstandard für drahtlose Netze vorgestellt. Darin werden einige Macken von früheren Standards ausgebessert, wie etwa Offline-Passwort-Angriffe unterbunden und Forward Secrecy eingeführt.
---------------------------------------------
https://www.golem.de/news/wpa3-neuer-wlan-verschluesselungsstandard-verabsc…
∗∗∗ Sicherheit von Industrieanlagen: BSI veröffentlicht Snort-Regeln für SIS-Netzwerke ∗∗∗
---------------------------------------------
Zum besseren Schutz vor Cyber-Angriffen mit Schadsoftware wie "Triton/Trisis/HatMan" hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) sogenannte Snort-Regeln für das TriStation-Kommunikationsprotokoll der Firma Schneider Electric veröffentlicht.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/RAPSN_SETS_…
∗∗∗ Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor ∗∗∗
---------------------------------------------
This blog post was authored by Edmund Brumaghin, Earl Carter and Andrew Williams.Executive summaryCisco Talos has analyzed Thanatos, a ransomware variant that is being distributed via multiple malware campaigns that have been conducted over the past few months. As a result of our research, we have released a new, free decryption tool to help victims recover from this malware.
---------------------------------------------
http://feedproxy.google.com/~r/feedburner/Talos/~3/_YSxzYWrMgs/ThanatosDecr…
=====================
= Vulnerabilities =
=====================
∗∗∗ [20180602] - Core - XSS vulnerability in language switcher module ∗∗∗
---------------------------------------------
Severity: Low
Versions: 1.6.0 through 3.8.8
Exploit type: XSS
Number: CVE-2018-12711
In some cases the link of the current language might contain unescaped HTML special characters. This may lead to reflective XSS via injection of arbitrary parameters and/or values on the current page url. Affected Installs Joomla! CMS versions 1.6.0 through 3.8.8
Solution: Upgrade to version 3.8.9
---------------------------------------------
https://developer.joomla.org/security-centre/740-20180602-core-xss-vulnerab…
∗∗∗ [20180601] - Core - Local File Inclusion with PHP 5.3 ∗∗∗
---------------------------------------------
Severity: Low
Versions: 2.5.0 through 3.8.8
Exploit type: LFI
CVE Number: CVE-2018-12712
Our autoload code checks classnames to be valid, using the "class_exists" function in PHP. In PHP 5.3 this function validates invalid names as valid, which can result in a Local File Inclusion.
Affected Installs: Joomla! CMS versions 2.5.0 through 3.8.8
Solution: Upgrade to version 3.8.9
---------------------------------------------
https://developer.joomla.org/security-centre/741-20180601-core-local-file-i…
∗∗∗ Bugtraq: KL-001-2018-008 : HPE VAN SDN Unauthenticated Remote Root Vulnerability ∗∗∗
---------------------------------------------
A hardcoded service token can be used to bypass authentication. Built-in functionality can be exploited to deploy and execute a malicious deb file containing a backdoor. A weak sudoers configuration can then be abused to escalate privileges to root.
---------------------------------------------
http://www.securityfocus.com/archive/1/542101
∗∗∗ SSA-159860 (Last Update: 2018-06-26): Access Control Vulnerability in IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC ∗∗∗
---------------------------------------------
IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC products are affected by a security vulnerability which could allow an attacker to either exfiltrate limited data from the system or to execute code with operating system user permissions.Siemens has released updates for several affected products, and recommends that customers update to the new version.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-159860.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Slackware (firefox), SUSE (gpg2 and zlib), and Ubuntu (openssl, openssl1.0).
---------------------------------------------
https://lwn.net/Articles/758310/
∗∗∗ Security Advisory - Side-Channel Vulnerability Variants 3a and 4 ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180615-…
∗∗∗ HPESBHF03843 rev.1 - HPE Moonshot Provisioning Manager, Remote Bypass of Security Restrictions, Local Arbitrary File Modification ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 22-06-2018 18:00 − Montag 25-06-2018 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Changes in WebAssembly Could Render Meltdown and Spectre Browser Patches Useless ∗∗∗
---------------------------------------------
"Once Wasm gets support for threads with shared memory (which is already on the Wasm roadmap), very accurate [JavaScript] timers can be created," Bergbom says, "that may render browser mitigations of certain CPU side channel attacks non-working."
---------------------------------------------
https://www.bleepingcomputer.com/news/security/changes-in-webassembly-could…
∗∗∗ ST18-001: Securing Network Infrastructure Devices ∗∗∗
---------------------------------------------
Network infrastructure devices are ideal targets for malicious cyber actors. Most or all organizational and customer traffic must traverse these critical devices.An attacker with presence on an organization’s gateway router can monitor, modify, and deny traffic to and from the organization.An attacker with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key
---------------------------------------------
https://www.us-cert.gov/ncas/tips/ST18-001
∗∗∗ iOS: Verwirrung um Brute-Force-Hack der Gerätesperre ∗∗∗
---------------------------------------------
Ein Sicherheitsforscher behauptet, einen Trick gefunden zu haben, mit dem sich iPhone und iPad knacken lassen. Apple widerspricht dem.
---------------------------------------------
http://heise.de/-4090901
∗∗∗ Offene Firebase-Datenbanken: Tausende Apps leaken Passwörter, Nutzerdaten etc. ∗∗∗
---------------------------------------------
Dritte könnten mit vergleichsweise wenig Aufwand private Daten von Millionen App-Nutzern einsehen, warnen Sicherheitsforscher.
---------------------------------------------
http://heise.de/-4090963
∗∗∗ Leck in Intel-Prozessoren: TLBleed-Lücke verrät geheime Schlüssel ∗∗∗
---------------------------------------------
Forscher nutzen Hyper-Threading und den Transaction Lookaside Buffer (TLB) von Intel-Prozessoren, um geschützte Informationen per Seitenkanal abzuschöpfen.
---------------------------------------------
http://heise.de/-4091114
∗∗∗ Aufgepasst: Phishing-Mails schüren WannaCry-Panik ∗∗∗
---------------------------------------------
Aktuell gehen E-Mails um, die behaupten, der Rechner des Empfängers sei mit einem Verschlüsselungstrojaner infiziert.
---------------------------------------------
http://heise.de/-4091746
∗∗∗ Gefälschte Pichler Werkzeug GmbH-Rechnung verbreitet Schadsoftware ∗∗∗
---------------------------------------------
Unternehmen erhalten per E-Mail eine gefälschte Bestellbestätigung der Pichler Werkzeug GmbH aus Innsbruck. Darin heißt es, dass sie ein unterzeichnetes Formular zurück an die Absenderin retournieren sollen. Das Formular befindet sich angeblich in einer GZ-Datei. In Wahrheit verbirgt sie Schadsoftware. Empfänger/innen dürfen den Dateianhang nicht öffnen.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-pichler-werkzeug-gmbh-re…
=====================
= Vulnerabilities =
=====================
∗∗∗ [20180507] - Core - Session deletion race condition ∗∗∗
---------------------------------------------
CVE Number: CVE-2018-11324
A long running background process, such as remote checks for core or extension updates, could create a race condition where a session which was expected to be destroyed would be recreated.
Affected Installs: Joomla! CMS versions 3.0.0 through 3.8.7
Solution: Upgrade to version 3.8.8
---------------------------------------------
https://developer.joomla.org/security-centre/735-20180507-core-session-dele…
∗∗∗ Bluetooth-Lücke: Patch für "smartes" Vorhängeschloss Tapplock ∗∗∗
---------------------------------------------
Sicherheitsforscher knacken das Schloss Tapplock über Bluetooth in wenigen Sekunden. Auch rohe Gewalt kann das Schloss unter Umständen öffnen.
---------------------------------------------
http://heise.de/-4091406
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (git), Debian (bouncycastle and lava-server), Fedora (ansible, epiphany, kernel, kernel-tools, matrix-synapse, mingw-podofo, pass, podofo, python-prometheus_client, redis, rubygem-sinatra, and thunderbird-enigmail), Gentoo (file and pnp4nagios), Mageia (file, glibc, kernel, librsvg, and libvorbis), openSUSE (go1.9, mariadb, phpMyAdmin, and redis), and SUSE (firefox, kernel modules packages, and python).
---------------------------------------------
https://lwn.net/Articles/758211/
∗∗∗ Synology-SA-18:33 DSM ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote authenticated users to execute arbitrary OS commands or obtain sensitive information via a susceptible version of Synology Diskstation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_18_33
∗∗∗ FortiOS SSL VPN webportal user credentials present in plain text in client side javascript file ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/%20FG-IR-18-027
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily