[CERT-daily] Tageszusammenfassung - 25.04.2019

Daily end-of-shift report team at cert.at
Thu Apr 25 18:11:39 CEST 2019


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 24-04-2019 18:00 − Donnerstag 25-04-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ ExtraPulsar backdoor based on leaked NSA code – what you need to know ∗∗∗
---------------------------------------------
A US security researcher has come up with an open-source Windows backdoor loosely based on NSA attack code that leaked back in 2017.
---------------------------------------------
https://nakedsecurity.sophos.com/2019/04/25/extrapulsar-backdoor-based-on-leaked-nsa-code-what-you-need-to-know/


∗∗∗ Android-App "WiFi Finder" leakte private WLAN-Passwörter ∗∗∗
---------------------------------------------
Auf über 100.000 Handys half WiFi Finder beim Verbinden mit öffentlichen Hotspots. In vielen Fällen sammelte die App aber auch private Zugangsdaten.
---------------------------------------------
https://heise.de/-4405783


∗∗∗ Jetzt patchen! Erpressungstrojaner Gandcrab frisst sich durch Confluence-Lücke ∗∗∗
---------------------------------------------
Die Angriffe auf Confluence weiten sich aus. Derzeit versuchen Angreifer verwundbare Systeme mit der Ransomware Gandcrab zu infizieren.
---------------------------------------------
https://heise.de/-4407102


∗∗∗ JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan ∗∗∗
---------------------------------------------
Malware loaders are playing an increasingly important role in malware distribution. They give adversaries the ability to gain an initial foothold on a system and are typically used to deliver various malware payloads following successful compromise. These attacks are popping up more frequently, as we covered in July with Smoke Loader and Brushaloader earlier this year.
---------------------------------------------
https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html


∗∗∗ Erpressungs-E-Mail von mir selbst ∗∗∗
---------------------------------------------
Momentan versenden Kriminelle E-Mails, in denen Sie behaupten Ihre Webcam gehackt und Sie beobachtet zu haben. Sie hätten angeblich Videomaterial, das Sie beim Masturbieren zeigt. Ihnen droht eine Veröffentlichung des Films, wenn Sie nicht einen bestimmten Geldbetrag in Form von Bitcoins überweisen. Weiters scheint es so, als hätten die Kriminellen die E-Mail von Ihrem Account aus an Sie selbst versendet. Bleiben Sie ruhig, es handelt sich um einen Betrugsversuch!
---------------------------------------------
https://www.watchlist-internet.at/news/erpressungs-e-mail-von-mir-selbst/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Unpatched Vulnerability Alert - WebLogic Zero Day, (Thu, Apr 25th) ∗∗∗
---------------------------------------------
The news today is full of a new deserialization vulnerability in Oracle WebLogic. This affects all current versions of the product (the POC is against 10.3, but 12.x versions are also affected). The vulnerability affects the wls9_async_response package (which is not included by default in all builds), so the workaround is to either ACL the Z/_async/* and /wls-wsat/* paths, or delete wls9_async_response.war. A successful attack gets the attacker remote code exec on the vulnerable server.
---------------------------------------------
https://isc.sans.edu/diary/rss/24880


∗∗∗ Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores ∗∗∗
---------------------------------------------
Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware. On some devices, Qualcomms TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA keys.
---------------------------------------------
https://www.nccgroup.trust/us/our-research/private-key-extraction-qualcomm-keystore/


∗∗∗ New security release versions of BIND are available: 9.11.6-P1, 9.12.4-P1, and 9.14.1 ∗∗∗
---------------------------------------------
CVE-2018-5743: Limiting simultaneous TCP clients is ineffective CVE-2019-6467: An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c CVE-2019-6468: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used
---------------------------------------------
https://lists.isc.org/pipermail/bind-announce/2019-April/001126.html


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (putty and systemd), Fedora (kernel, kernel-headers, and kernel-tools), Gentoo (ming and qemu), openSUSE (openexr and slurm), SUSE (ImageMagick, jasper, ntfs-3g_ntfsprogs, openssh, and webkit2gtk3), and Ubuntu (php5 and tcpflow).
---------------------------------------------
https://lwn.net/Articles/786749/


∗∗∗ TIBCO Security Advisories ∗∗∗
---------------------------------------------
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-activematrix-bpm-2019-11203
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-activematrix-bpm-2019-8995
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-activematrix-bpm-2019-8994
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8993
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8992
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8991


∗∗∗ BIND vulnerability CVE-2018-5743 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74009656


∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by information disclosure vulnerability (CVE-2019-6157) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-information-disclosure-vulnerability-cve-2019-6157/


∗∗∗ IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2019-4047) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerability-affects-the-lifecycle-query-engine-lqe-that-is-shipped-with-jazz-reporting-service-cve-2019-4047/


∗∗∗ IBM Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2018-2004) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerability-affects-the-report-builder-that-is-shipped-with-jazz-reporting-service-cve-2018-2004/


∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by weak cryptographic algorithms (CVE-2018-2007) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-impacted-by-weak-cryptographic-algorithms-cve-2018-2007/


∗∗∗ IBM Security Bulletin: IBM Security SiteProtector System is affected by Apache HTTP Server vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-siteprotector-system-is-affected-by-apache-http-server-vulnerabilities-3/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-security-siteprotector-system-6/


∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in GNU C Library (CVE-2017-15804 CVE-2017-15670 CVE-2015-5180) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-gnu-c-library-cve-2017-15804-cve-2017-15670-cve-2015-5180/


∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in xorg-x11 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-xorg-x11/


∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerability in cURL (CVE-2018-14618) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerability-in-curl-cve-2018-14618/


∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2018-11236) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-vulnerability-in-gnu-c-library-cve-2018-11236/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list