[CERT-daily] Tageszusammenfassung - 23.04.2018

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 20-04-2018 18:00 − Montag 23-04-2018 18:00
Handler:     Alexander Riepl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Datenleck bei Sicherheitskonferenz ∗∗∗
---------------------------------------------
Eine Sicherheitslücke in der App zur RSA Sicherheitskonferenz ermöglichte es, die Namen von Konferenzteilnehmern auszulesen.
---------------------------------------------
https://futurezone.at/digital-life/datenleck-bei-sicherheitskonferenz/400024765


∗∗∗ UMCI: Project Zero veröffentlicht Windows-10-Sicherheitslücke ∗∗∗
---------------------------------------------
Wieder einmal haben sich Google und Microsoft über die Veröffentlichung einer Sicherheitslücke gestritten. Der Fehler in .Net ermöglicht es einem Angreifer, trotz enger Beschränkungen Code unter Windows 10 S oder auf UMCI-Systemen auszuführen. (Project Zero, Google)
---------------------------------------------
https://www.golem.de/news/umci-project-zero-veroeffentlicht-windows-10-sicherheitsluecke-1804-133994-rss.html


∗∗∗ Chinese web giant finds Windows zero-day, stays shtum on specifics ∗∗∗
---------------------------------------------
Quihoo 360 plays the responsible disclosure game Chinese company Quihoo 360 says its found a Windows zero-day in the wild, but because its notified Microsoft, its not telling anyone else how it works.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/04/23/quihoo_360_yes_we_found_a_windows_0day_no_you_cant_know_what/


∗∗∗ Monero-Mining RETADUP Worm Goes Polymorphic, Gets an AutoHotKey Variant ∗∗∗
---------------------------------------------
We came across a new version of a cryptocurrency-mining RETADUP worm (detected by Trend Micro as WORM_RETADUP.G) through feedback from our managed detection and response-related monitoring. This new variant is coded in AutoHotKey, an open-source scripting language used in Windows for creating hotkeys (i.e., keyboard shortcuts, macros, software automation). AutoHotKey is relatively similar to the script automation utility AutoIt, from which RETADUP’s earlier variants were based on and used [...]
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/3PgT2t0-HwE/


∗∗∗ Loading Kernel Shellcode ∗∗∗
---------------------------------------------
In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around packing or obfuscation and quickly identify the structures, system routines, and processes that a kernel shellcode sample is accessing. This post begins a series centered on kernel software analysis, and [...]
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcode.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gunicorn, libreoffice, libsdl2-image, ruby1.8, and ruby1.9.1), Fedora (java-1.8.0-openjdk, jgraphx, memcached, nghttp2, perl, perl-Module-CoreList, and roundcubemail), Gentoo (clamav, librelp, mbedtls, quagga, tenshi, and unadf), Mageia (freeplane, libcdio, libtiff, thunderbird, and zsh), openSUSE (cfitsio, chromium, mbedtls, and nextcloud), and Red Hat (chromium-browser, kernel, and rh-perl524-perl).
---------------------------------------------
https://lwn.net/Articles/752544/


∗∗∗ FortiClient insecure VPN credential storage and encryption ∗∗∗
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-214


∗∗∗ IBM Security Bulletin: IBM Content Manager Enterprise Edition Resource Manager is affected by a Remote Code Execution Cross-site Scripting vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/docview.wss?uid=swg22014917


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affect IBM Cloud Application Performance Management Private 8.1.4. and IBM Cloud Application Performance Management ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015278


∗∗∗ Multiple Stored XSS Vulnerabilities in WSO2 Carbon and WSO2 Dashboard Server ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerabilities-in-wso2-carbon-and-dashboard-server/index.html

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily