[CERT-daily] Tageszusammenfassung - 06.09.2019

Fri Sep 6 18:13:28 CEST 2019

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 05-09-2019 18:00 − Freitag 06-09-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ GootKit Malware Bypasses Windows Defender by Setting Path Exclusions ∗∗∗
---------------------------------------------
As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/


∗∗∗ [SANS ISC] PowerShell Script with a builtin DLL ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “PowerShell Script with a builtin DLL“: Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution [...]
---------------------------------------------
https://blog.rootshell.be/2019/09/06/sans-isc-powershell-script-with-a-builtin-dll/


∗∗∗ Thousands of servers infected with new Lilocked (Lilu) ransomware ∗∗∗
---------------------------------------------
Researchers spot new ransomware targeting Linux-based servers.
---------------------------------------------
https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Buffer Overflow: Exim-Sicherheitslücke beim Verarbeiten von TLS-Namen ∗∗∗
---------------------------------------------
Im Mailserver Exim wurde eine Sicherheitslücke gefunden, die Angreifern das Ausführen von Code ermöglicht. Ein Update steht bereit.
---------------------------------------------
https://www.golem.de/news/buffer-overflow-exim-sicherheitsluecke-beim-verarbeiten-von-tls-namen-1909-143700-rss.html


∗∗∗ BD Pyxis ∗∗∗
---------------------------------------------
This medical advisory contains mitigations for a session fixation vulnerability reported in BD’s Pyxis medication management platform.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsma-19-248-01


∗∗∗ Red Lion Controls Crimson ∗∗∗
---------------------------------------------
This advisory includes mitigations for use after free, improper restriction of operations within the bounds of a memory buffer, pointer issues, and use of hard-coded cryptographic key vulnerabilities in the Red Lion Controls Crimson software.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-248-01


∗∗∗ MS-ISAC Releases Advisory on PHP Vulnerabilities ∗∗∗
---------------------------------------------
Original release date: September 5, 2019The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/09/05/ms-isac-releases-advisory-php-vulnerabilities


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow).
---------------------------------------------
https://lwn.net/Articles/798600/


∗∗∗ Nagios Enterprises Nagios XI: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-0790

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily