[CERT-daily] Daily summary - 24.04.2019

Daily end-of-shift report team at cert.at
Wed Apr 24 18:08:47 CEST 2019


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 23-04-2019 18:00 − Wednesday 24-04-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Malware Hosted in Google Sites Sends Data to MySQL Server ∗∗∗
---------------------------------------------
Security researchers found malware hosted on the Google Sites platform for building websites. The threat is a dropper for an information stealer that sends data to a MySQL server controlled by the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-hosted-in-google-sites-sends-data-to-mysql-server/


∗∗∗ Qbot Malware Dropped via Context-Aware Phishing Campaign ∗∗∗
---------------------------------------------
A phishing campaign dropping the Qbot banking Trojan with the help of delivery emails camouflaging as parts of previous conversations was spotted during late March 2019 by the JASK Special Operations team.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qbot-malware-dropped-via-context-aware-phishing-campaign/


∗∗∗ Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators ∗∗∗
---------------------------------------------
Ever been in an internal security assessment or penetration test, and need to list all domain admins?
First of all, why would you need to do that?  All too often, you'll find that way too many people have domain admins - you know, "just in case"
---------------------------------------------
https://isc.sans.edu/forums/diary/Where+have+all+the+Domain+Admins+gone+Rooting+out+Unwanted+Domain+Administrators/24874/


∗∗∗ Sighting of Mythical New Shadowserver Website Confirmed! ∗∗∗
---------------------------------------------
After over a decade of operations, the Shadowserver Foundation finally launches a shiny new website. The new site hopefully better explains to the public our values, free services and constituents, and what we continue to do to improve the overall security of the Internet. Our team, focus and mission remain otherwise unchanged. But we may hopefully spare ourselves the occasional embarrassing question!
---------------------------------------------
https://www.shadowserver.org/news/sighting-of-mythical-new-shadowserver-website-confirmed/


∗∗∗ DNSpionage brings out the Karkoff ∗∗∗
---------------------------------------------
Cisco Talos publishes new information about the still ongoing DNSpionage campaign.
---------------------------------------------
https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html


∗∗∗ BSI warns of targeted ransomware attacks on companies ∗∗∗
---------------------------------------------
The Federal Office for Information Security (BSI) is currently registering an increased number of network compromises at companies that end with the manual and targeted execution of an encryption trojan (ransomware). The attackers first gain access to individual company networks by means of broad spam campaigns such as Emotet [...]
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/BSI_warnt_vor_Ransomware-Angriffen-240419.html


∗∗∗ CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis ∗∗∗
---------------------------------------------
In the previous installment, we wrote about how string hashing was used in CARBANAK to manage Windows API resolution throughout the entire codebase. But the authors used this same string hashing algorithm for another task as well. In this installment, we’ll pick up where we left off and write about CARBANAK’s antivirus (AV) detection, AV evasion, authorship artifacts, exploits, secrets, and network-based indicators.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html


∗∗∗ Honeypot types deployed in SISSDEN ∗∗∗
---------------------------------------------
The SISSDEN sensor network is composed of VPS provider hosted nodes (procured at a cost from the VPS providers) and nodes donated to the project by third-parties acting as endpoints. These VPS nodes are not the actual honeypots themselves. Instead, they act as transparent layer 2 tunnels to the [...]
---------------------------------------------
https://sissden.eu/blog/honeypots-deployed



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Fujifilm FCR Capsula X/Carbon X ∗∗∗
---------------------------------------------
This medical advisory includes mitigations for uncontrolled resource consumption and improper access control vulnerabilities reported in Fujifilm’s FCR Capsula X and Carbon X Computed Radiography cassette readers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-19-113-01


∗∗∗ Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers ∗∗∗
---------------------------------------------
This advisory includes mitigations for an open redirect vulnerability reported in Rockwell Automation’s MicroLogix 1400 and CompactLogix 5370 controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-19-113-01


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (dovecot, flashplugin, ghostscript, and jenkins), Fedora (glpi, hostapd, python-urllib3, and znc), openSUSE (apache2, audiofile, libqt5-qtvirtualkeyboard, php5, and SDL2), Scientific Linux (kernel), SUSE (curl and dovecot23), and Ubuntu (advancecomp and freeradius).
---------------------------------------------
https://lwn.net/Articles/786629/


∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in cURL (CVE-2018-16840 CVE-2018-16842) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-curl-cve-2018-16840-cve-2018-16842/


∗∗∗ IBM Security Bulletin: API Connect V5 is impacted by vulnerabilities in Bootstrap (CVE-2018-14040 CVE-2018-14041 CVE-2018-14042) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v5-is-impacted-by-vulnerabilities-in-bootstrap-cve-2018-14040-cve-2018-14041-cve-2018-14042/


∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale (CVE-2018-10237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-websphere-application-server-affects-ibm-spectrum-scale-cve-2018-10237/


∗∗∗ IBM Security Bulletin: Multiple Websphere Vulnerabilities Impact IBM Control Center (CVE-2018-3169, CVE-2014-7810, CVE-2018-1767) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-websphere-vulnerabilities-impact-ibm-control-center-cve-2018-3169-cve-2014-7810-cve-2018-1767/


∗∗∗ IBM Security Bulletin: IBM InfoSphere Data Quality Exception Console is affected by a Reflected XSS (Cross-Site Scripting) vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-data-quality-exception-console-is-affected-by-a-reflected-xss-cross-site-scripting-vulnerability/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, and Ruby on Rails affect BigFix Compliance ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-sdk-and-ruby-on-rails-affect-bigfix-compliance/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Build Forge (CVE-2018-1890;CVE-2019-2426;CVE-2018-3139;CVE-2018-3180;CVE-2018-12547) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-rational-build-forge-cve-2018-1890cve-2019-2426cve-2018-3139cve-2018-3180cve-2018-12547/


∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libjpeg ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-libjpeg/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



