[CERT-daily] Daily summary - 03.04.2019

Daily end-of-shift report team at cert.at
Wed Apr 3 19:05:45 CEST 2019


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 02-04-2019 18:00 − Wednesday 03-04-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Malware Campaigns Sharing Network Resources: r00ts.ninja ∗∗∗
---------------------------------------------
We recently noticed an interesting example of network infrastructure resources being used over a period of time by more than one large-scale malware campaign (e.g. redirected traffic, cryptomining). This was discovered when reviewing sources of the various malicious domains used in a recent WordPress plugin exploit wave.
---------------------------------------------
https://blog.sucuri.net/2019/04/malware-campaigns-sharing-network-resources-r00ts-ninja.html


∗∗∗ Hijacked Email Reply Chains ∗∗∗
---------------------------------------------
Although phishing has been around in various forms since the 1980s, our research shows it continues to evolve—and remains a major threat. These days, phishing tactics have gotten so sophisticated, it can be difficult to spot a scam—particularly in the case of hijacked email reply chains. Let's look at a concrete example.
---------------------------------------------
https://www.webroot.com/blog/2019/04/03/hijacked-email-reply-chains/


∗∗∗ Xwo - A Python-based bot scanner ∗∗∗
---------------------------------------------
Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it "Xwo" - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.
---------------------------------------------
https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner


∗∗∗ Beware of chargeable ping calls with the prefix +676! ∗∗∗
---------------------------------------------
Consumers are currently receiving an increased number of ping calls from numbers with the prefix +676 or 00676. Anyone who finds missed calls from such numbers on their mobile phone must not call back! This is the country code of the island nation of Tonga, and a return call can incur high costs.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-kostenpflichtigen-ping-anrufen-mit-der-vorwahl-676/


∗∗∗ T-POT integration to SISSDEN ∗∗∗
---------------------------------------------
The primary data collection mechanism at the heart of the SISSDEN project is a sensor network of honeypots. The sensor network is composed of VPS provider hosted nodes and nodes donated to the project by third-parties acting as endpoints. These VPS nodes/endpoints are not the actual honeypots [...]
---------------------------------------------
https://sissden.eu/blog/tpot-integration


∗∗∗ Bashlite IoT malware upgrade lets it target WeMo home automation devices ∗∗∗
---------------------------------------------
New Bashlite version not widely detected, but was spotted infecting devices in the wild.
---------------------------------------------
https://www.zdnet.com/article/bashlite-iot-malware-upgrade-lets-it-target-wemo-home-automation-devices/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
This advisory includes mitigations for command injection, stack-based buffer overflow, and improper access control vulnerabilities reported in Advantech's WebAccess SCADA software platform.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2), Fedora (edk2 and tomcat), openSUSE (ansible, ghostscript, lftp, libgxps, libjpeg-turbo, libqt5-qtimageformats, libqt5-qtsvg, libssh2_org, openssl-1_0_0, openwsman, pdns, perl-Email-Address, putty, python-azure-agent, python-cryptography, python-pyOpenSSL, python-Flask, thunderbird, tor, unzip, and wireshark), Scientific Linux (freerdp), Slackware (wget), SUSE (bluez, file, firefox, libsndfile, netpbm, thunderbird, and xen), and Ubuntu [...]
---------------------------------------------
https://lwn.net/Articles/784806/


∗∗∗ FortiSandbox reflected XSS in the file scan component ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-18-024


∗∗∗ IBM Security Bulletin: Vulnerabilities affect NVIDIA GPU Display Drivers for Linux and Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-affect-nvidia-gpu-display-drivers-for-linux-and-windows/


∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – CVE-2019-4143 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerability-affects-ibm-cloud-private-cve-2019-4143/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-performance-management-products-2/


∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2018-3139, CVE-2018-3180, CVE-2018-12457, CVE-2019-2426) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-command-center-cve-2018-3139-cve-2018-3180-cve-2018-12457-cve-2019-2426/


∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect for Virtual Environments (CVE-2018-3139, CVE-2018-3180) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ibm-java-runtime-affect-ibm-spectrum-protect-for-virtual-environments-cve-2018-3139-cve-2018-3180/


∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Backup-Archive Client on Windows and Macintosh (CVE-2018-3139, CVE-2018-3180) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ibm-java-runtime-affect-the-ibm-spectrum-protect-backup-archive-client-on-windows-and-macintosh-cve-2018-3139-cve-2018-3180/


∗∗∗ IBM Security Bulletin: Potential Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2018-1901) affects IBM Security AppScan Enterprise ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-privilege-escalation-vulnerability-in-websphere-application-server-cve-2018-1901-affects-ibm-security-appscan-enterprise/


∗∗∗ IBM Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect for Space Management (CVE-2018-1882) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-via-trace-file-affects-ibm-spectrum-protect-for-space-management-cve-2018-1882/


∗∗∗ IBM Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2018-1882) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-via-trace-file-affects-ibm-spectrum-protect-backup-archive-client-and-ibm-spectrum-protect-for-virtual-environments-cve-2018-1882/


∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server OpenID Connect affects IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-websphere-application-server-openid-connect-affects-ibm-performance-management-products/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



