[CERT-daily] Tageszusammenfassung - 07.12.2017

Thu Dec 7 18:14:40 CET 2017

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 06-12-2017 18:00 − Donnerstag 07-12-2017 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ "Process Doppelgänging" Attack Works on All Windows Versions ∗∗∗
---------------------------------------------
Today, at the Black Hat Europe 2017 security conference in London, two security researchers from cyber-security firm enSilo have described a new code injection technique called "Process Doppelgänging." [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/


∗∗∗ Firmware-Bug: Codeausführung in deaktivierter Intel-ME möglich ∗∗∗
---------------------------------------------
Sicherheitsforscher demonstrieren einen Angriff auf Intels ME zum Ausführen von beliebigem Code, gegen den weder das sogenannte Kill-Bit noch die von Google geplanten Sicherheitsmaßnahmen für seine Server helfen. Theoretisch lassen sich Geräte so auch aus der Ferne angreifen.
---------------------------------------------
https://www.golem.de/news/firmware-bug-codeausfuehrung-in-deaktivierter-intel-me-moeglich-1712-131543-rss.html


∗∗∗ Apple Issues Security Updates for MacOS, iOS, TvOS, WatchOS, and Safari ∗∗∗
---------------------------------------------
Catalin Cimpanu, writing for BleepingComputer: Over the course of the last four days, Apple has released updates to address security issues for several products, such as macOS High Sierra, Safari, watchOS, tvOS, and iOS. The most relevant security update is the one to macOS, as it also permanently fixes the bug that allowed attackers to access macOS root accounts without having to type a password. Apple issued a patch for the bug the next day after it was discovered, but because the patch was [...]
---------------------------------------------
https://apple.slashdot.org/story/17/12/06/2137251/apple-issues-security-updates-for-macos-ios-tvos-watchos-and-safari


∗∗∗ VB2017 paper: Modern reconnaissance phase on APT – protection layer ∗∗∗
---------------------------------------------
During recent research, Cisco Talos researchers observed the ways in which APT actors are evolving and how a reconnaissance phase is included in the infection vector in order to protect valuable zero-day exploits or malware frameworks. At VB2017 in Madrid, two of those researchers, Paul Rascagneres and Warren Mercer, presented a paper detailing five case studies that demonstrate how the infection vector is evolving.
---------------------------------------------
https://www.virusbulletin.com:443/blog/2017/11/vb2017-paper-modern-reconnaissance-phase-apt-protection-layer/


∗∗∗ 37 Sicherheitslücken in Chrome geschlossen ∗∗∗
---------------------------------------------
Googles Webbrowser Chrome ist in der abgesicherten Version 63.0.3239.84 für Linux, macOS und Windows erschienen. Im Menüpunkt "Hilfe" kann man unter "Über Google Chrome" die installierte Ausgabe prüfen und das Update anstoßen.
---------------------------------------------
https://heise.de/-3912131


∗∗∗ Sysinternals Sysmon suspicious activity guide ∗∗∗
---------------------------------------------
Sysmon tool from Sysinternals provides a comprehensive monitoring about activities in the operating system level. Sysmon is running in the background all the time, and is writing events to the event log. You can find the Sysmon events under the Microsoft-Windows-Sysmon/Operational event log. This guide will help you to investigate and appropriately handle these events.
---------------------------------------------
https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/


∗∗∗ Penetration Testing Apache Thrift Applications ∗∗∗
---------------------------------------------
... Apache Thrift, which is used to easily build RPC clients and servers regardless of programming languages used on each side. The web interception tool of choice at MDSec is Burp Suite, so it follows suit that we wanted to continue using Burp during the assessment. Unfortunately, there are no Burp extensions out there (at least that we know of) for Thrift encoded data, so we decided to make our own.
---------------------------------------------
https://www.mdsec.co.uk/2017/12/penetration-testing-apache-thrift-applications/


∗∗∗ November 2017: The Month in Ransomware ∗∗∗
---------------------------------------------
November didn’t shape up to be revolutionary in terms of ransomware, but the shenanigans of cyber-extortionists continued to be a major concern. The reputation of the Hidden Tear PoC ransomware project hit another low as it spawned a bunch of new real-life spinoffs. The crooks who created the strain dubbed Ordinypt [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2017-month-ransomware/


∗∗∗ StorageCrypt: Ransomware infiziert NAS-Geräte via SambaCry-Lücke ∗∗∗
---------------------------------------------
Viele Netzwerkspeicher (NAS) weisen noch immer die SMB-Lücke SambaCry auf. Ein aktueller Verschlüsselungstrojaner macht sich das zunutze. NAS-Besitzer sollten zügig patchen.
---------------------------------------------
https://heise.de/-3912498


=====================
=  Vulnerabilities  =
=====================

∗∗∗ OpenSSL Security Advisory [07 Dec 2017] ∗∗∗
---------------------------------------------
Read/write after SSL object in error state (CVE-2017-3737)
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
---------------------------------------------
https://www.openssl.org/news/secadv/20171207.txt


∗∗∗ DFN-CERT-2017-2213: Microsoft Malware Protection Engine: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-2213/


∗∗∗ Huawei Security Advisories ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM API Connect (CVE-2017-1000381, CVE-2017-11499) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22009964


∗∗∗ IBM Security Bulletin: Potential information leakage vulnerability in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22010627


∗∗∗ [R1]Nessus 6.11.3 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2017-15


Next End-of-Day report on 2017-12-11

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily