[CERT-daily] Daily summary - 19.08.2019

Daily end-of-shift report team at cert.at
Mon Aug 19 18:18:51 CEST 2019


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 16-08-2019 18:00 − Monday 19-08-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Router Network Isolation Broken By Covert Data Exfiltration ∗∗∗
---------------------------------------------
Software-based network isolation provided by routers is not as efficient as believed, as hackers can smuggle data between the networks for exfiltration.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/router-network-isolation-broken-by-covert-data-exfiltration/


∗∗∗ IT threat evolution Q2 2019 ∗∗∗
---------------------------------------------
Targeted attacks, malware campaigns and other security news in Q2 2019.
---------------------------------------------
https://securelist.com/it-threat-evolution-q2-2019/91994/


∗∗∗ The DAA File Format, (Fri, Aug 16th) ∗∗∗
---------------------------------------------
In diary entry "Malicious .DAA Attachments", we extracted a malicious executable from a Direct Access Archive file.
---------------------------------------------
https://isc.sans.edu/diary/rss/25246


∗∗∗ What Hackers Do after Gaining Access to a Website ∗∗∗
---------------------------------------------
A hack or cyber attack is the act of maliciously entering, taking control over, or manipulating by force a web application, server, or file that belongs to someone else.
---------------------------------------------
https://blog.sucuri.net/2019/08/what-hackers-do-after-gaining-access-to-a-website.html


∗∗∗ Security slip-up: kernel vulnerability back in iOS 12.4, jailbreak available ∗∗∗
---------------------------------------------
For the first time in a long while, Apple's security mechanisms in the current iOS version can be bypassed with a publicly available jailbreak.
---------------------------------------------
https://heise.de/-4500038


∗∗∗ QxSearch hijacker fakes failed installs ∗∗∗
---------------------------------------------
QxSearch is a group of search hijackers that try to make the user think the install failed or was incomplete. Is it that they don't want to be found and removed? Or just bad programming?
---------------------------------------------
https://blog.malwarebytes.com/pups/2019/08/qxsearch-hijacker-fakes-failed-installs/


∗∗∗ Fake "Ihr Jahresabonnement Whatsapp" e-mail in circulation ∗∗∗
---------------------------------------------
Consumers receive a supposed WhatsApp e-mail stating that they must renew their subscription. A link in the message takes users to a fake WhatsApp website, where they are asked to renew their annual subscription by entering their payment details. Consumers who follow the request fall victim to data theft and lose their money to criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-ihr-jahresabonnement-whatsapp-mail-im-umlauf/


∗∗∗ Offensive Lateral Movement ∗∗∗
---------------------------------------------
Lateral movement is the process of moving from one compromised host to another. Penetration testers and red teamers alike commonly used to accomplish this by executing powershell.exe to run a base64-encoded command on the remote host, which would return a beacon. The problem with this is that offensive PowerShell is not a new concept anymore, and even moderately mature shops will detect it and shut it down quickly, or any half-decent AV product will kill it before a malicious command is run.
---------------------------------------------
https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in Drupal to carry out a cross-site scripting attack, manipulate data, or bypass security mechanisms.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K19-0726


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel and openssl), Debian (ffmpeg, golang-1.11, imagemagick, kde4libs, openldap, and python3.4), Fedora (gradle, hostapd, kdelibs3, and mgetty), Gentoo (adobe-flash, hostapd, mariadb, patch, thunderbird, and vlc), Mageia (elfutils, mariadb, mythtv, postgresql, and redis), openSUSE (chromium, kernel, LibreOffice, and zypper, libzypp and libsolv), Oracle (ghostscript), Red Hat (rh-php71-php), SUSE (bzip2, evince, firefox, glib2, glibc, [...]
---------------------------------------------
https://lwn.net/Articles/796640/


∗∗∗ Cisco Firepower Threat Defense Software HTTP Filtering Bypass Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the HTTP traffic filtering component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to improper handling of HTTP requests, including those communicated over a secure HTTPS connection, that contain maliciously crafted headers.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-http


∗∗∗ Cisco Firepower Threat Defense Software Stream Reassembly Bypass Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the stream reassembly component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to improper reassembly of traffic streams.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-srb


∗∗∗ Cisco Firepower Threat Defense Software NULL Character Obfuscation Detection Bypass Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the normalization functionality of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to insufficient normalization of a text-based payload.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-null


∗∗∗ Cisco Firepower Threat Defense Software Nonstandard Protocol Detection Bypass Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the protocol detection component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to improper detection of the initial use of a protocol on a nonstandard port.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-nspd


∗∗∗ Security Advisory - Four Remote Code Execution Vulnerabilities in Some Microsoft Windows Systems ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190819-01-windows-en

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily