=====================
= End-of-Day report =
=====================

Timeframe: Friday 15-11-2019 18:00 - Monday 18-11-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New NextCry Ransomware Encrypts Data on NextCloud Linux Servers ∗∗∗
---------------------------------------------
On October 24, Nextcloud released an urgent alert about a remote code execution vulnerability that impacts the default Nextcloud NGINX configuration. Tracked as CVE-2019-11043, the flaw is in the PHP-FPM (FastCGI Process Manager) component, which some hosting providers, Nextcloud among them, include in their default setup. A public exploit exists and has been leveraged to compromise servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encryp...
∗∗∗ PowerShell ConstrainedLanguage Mode ∗∗∗
---------------------------------------------
Guest post by milCERT - Philipp Thaller and Stefan Bachmair - Analysis of current malware showed that many of the current samples (including Emotet) depend on PowerShell to unfold their malicious potential. If PowerShell is restricted accordingly, execution of the actual malicious code is often not possible at all.
---------------------------------------------
https://cert.at/de/blog/2019/11/201911-powershell-constrainedlanguage
∗∗∗ Willhaben warns of fraudulent phishing SMS ∗∗∗
---------------------------------------------
Anyone who receives an SMS with payment information from the marketplace platform Willhaben should under no circumstances click the link.
---------------------------------------------
https://futurezone.at/apps/willhaben-warnt-vor-betruegerischer-phishing-sms/...
∗∗∗ pax: Exploit padding oracles for fun and profit ∗∗∗
---------------------------------------------
Pax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to:
- Obtain plaintext for a given piece of CBC encrypted data.
- Obtain encrypted bytes for a given piece of plaintext, using the unknown encryption algorithm used by the oracle.
---------------------------------------------
https://github.com/liamg/pax
∗∗∗ RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients ∗∗∗
---------------------------------------------
In this blog post I will describe the process I followed to write a tool that will extract clear-text credentials from the Microsoft RDP client using API hooking. Using this approach, if you are already operating under the privileges of the compromised user (e.g. as a result of a phish) and the user has an RDP session open, you are able to extract the clear-text credentials without privilege escalation.
---------------------------------------------
https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-f...
∗∗∗ Medica 2019: BSI guide on the cyber security of medical devices ∗∗∗
---------------------------------------------
In the context of secure digitalisation in healthcare, the German Federal Office for Information Security (BSI) has published a new guide, "Sicherheit von Medizinprodukten – Leitfaden zur Nutzung des MDS2 aus 2019" (Security of Medical Devices – Guide to Using the 2019 MDS2, the Manufacturer Disclosure Statement for Medical Device Security), at the "Medica" trade fair in Düsseldorf.
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Leitfaden_Me...
∗∗∗ Google patches 'awesome' XSS vulnerability in Gmail dynamic email feature ∗∗∗
---------------------------------------------
The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering.
---------------------------------------------
https://www.zdnet.com/article/google-patches-awesome-xss-vulnerability-in-gm...
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0, and python-ecdsa).
---------------------------------------------
https://lwn.net/Articles/805083/
∗∗∗ Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2019-4096) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerab...