[CERT-daily] Tageszusammenfassung - 17.07.2019

Wed Jul 17 18:34:30 CEST 2019

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 16-07-2019 18:00 − Mittwoch 17-07-2019 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Newly identified StrongPity operations ∗∗∗
---------------------------------------------
Alien Labs has identified an unreported and ongoing malware campaign, which we attribute with high confidence to the adversary publicly reported as “StrongPity”. Based on compilation times, infrastructure, and public distribution of samples - we assess the campaign operated from the second half of 2018 into today (July 2019). This post details new malware and new infrastructure which is used to control compromised machines.
---------------------------------------------
https://www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations


∗∗∗ American Express Customers Targeted by Novel Phishing Attack ∗∗∗
---------------------------------------------
The phishing campaign targeted both corporate and consumer cardholders with phishing emails full of grammatical errors but with a small but deadly twist: instead of using the regular hyperlink to the landing page trick, this one used a base HTML element to hide the malicious URL from antispam solutions. This allows the attackers to specify the base URL that should be used for all relative URLs within the phishing message, effectively splitting up the phishing landing page in two separate pieces.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/american-express-customers-targeted-by-novel-phishing-attack/


∗∗∗ Analyzis of DNS TXT Records, (Wed, Jul 17th) ∗∗∗
---------------------------------------------
At the Internet Storm Center, we already mentioned so many times that the domain name system is a goldmine for threat hunting or OSINT. A particular type of DNS record is the TXT record (or text record). It's is a type of resource record used to provide the ability to associate free text with a host or other name. ...  I extracted a long list of domain names from different DNS servers logs and malicious domains lists. Then I queried TXT records for each of them. Results have been loaded into a Splunk instance to search for some juicy stuff. What did I find?
---------------------------------------------
https://isc.sans.edu/diary/rss/25142


∗∗∗ EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users ∗∗∗
---------------------------------------------
researchers at security firm Intezer Labs recently discovered a new Linux backdoor implant that appears to be under development and testing phase but already includes several malicious modules to spy on Linux desktop users. ... EvilGnome malware masquerades itself as a legit GNOME extension, a program that lets Linux users extend the functionality of their desktops.
---------------------------------------------
https://thehackernews.com/2019/07/linux-gnome-spyware.html


∗∗∗ Jenkins Admins: Relying on Default Settings Could Put Master at Risk of Remote Code Execution Attacks ∗∗∗
---------------------------------------------
In our analysis, we observed that a user account with less privilege can gain administrator rights over the automation server if jobs are built on the master machine (i.e., the main Jenkins server), a setup enabled by default. An exploit for this can be easily written using shell spawn — a default build step.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/PObGTrIqU0M/


∗∗∗ Fehler in PowerShell Core: Angreifer könnten Windows Defender austricksen ∗∗∗
---------------------------------------------
Microsoft hat einen als "wichtig" eingestuften Sicherheitspatch für PowerShell Core veröffentlicht. Ein Angriff gelingt aber nicht ohne Weiteres.
---------------------------------------------
https://heise.de/-4473123


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Oracle Critical Patch Update Advisory - July 2019 ∗∗∗
---------------------------------------------
This Critical Patch Update contains 319 new security fixes
---------------------------------------------
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice), Red Hat (thunderbird), SUSE (ardana and crowbar, firefox, libgcrypt, and xrdp), and Ubuntu (nss, squid3, and wavpack).
---------------------------------------------
https://lwn.net/Articles/793966/


∗∗∗ LibreOffice: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in LibreOffice ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen oder Sicherheitsvorkehrungen zu umgehen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0611


∗∗∗ Security Advisory - Information Disclosure Vulnerability on Secure Input ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190717-01-input-en


∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by Apache ZooKeeper vulnerability CVE-2019-0201 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-apache-zookeeper-vulnerability-cve-2019-0201/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-integration-designer-4/


∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by kubectl vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-kubectl-vulnerabilities/


∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by Go vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-go-vulnerabilities-2/


∗∗∗ IBM Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9 and IBM BigFix Inventory v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ruby-on-rails-affect-ibm-license-metric-tool-v9-and-ibm-bigfix-inventory-v9/


∗∗∗ IBM Security Bulletin: Vulnerability in systemd affects Power Hardware Management Console (CVE-2019-6454) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-systemd-affects-power-hardware-management-console-cve-2019-6454/


∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by WebSphere Liberty Profile vulnerability CVE-2019-4046 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-websphere-liberty-profile-vulnerability-cve-2019-4046/


∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685 CVE-2018-6109 CVE-2018-6110 CVE-2018-6111) Security Bulletin ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-openssh-affect-aix-cve-2018-20685-cve-2018-6109-cve-2018-6110-cve-2018-6111-security-bulletin/


∗∗∗ IBM Security Bulletin: IBM RackSwitch firmware products are affected by vulnerability in OpenSSL (CVE-2018-0734) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-rackswitch-firmware-products-are-affected-by-vulnerability-in-openssl-cve-2018-0734/


∗∗∗ IBM Security Bulletin: IBM Flex System switch firmware products are affected by vulnerability in OpenSSL (CVE-2018-0734) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-switch-firmware-products-are-affected-by-vulnerability-in-openssl-cve-2018-0734/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily