[CERT-daily] Tageszusammenfassung - 17.04.2020

Daily end-of-shift report team at cert.at
Fri Apr 17 18:34:17 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 16-04-2020 18:00 − Freitag 17-04-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Fehlerhaftes Update legt Virenschutz in Windows 10 lahm ∗∗∗
---------------------------------------------
Die MS-Virenwächter fielen nach einem Update aus. Die betroffenen Programme können manuell aktualisiert werden.
---------------------------------------------
https://futurezone.at/produkte/fehlerhaftes-update-legt-virenschutz-in-windows-10-lahm/400815785


∗∗∗ Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th) ∗∗∗
---------------------------------------------
STI student David Brown published an STI research paper in January with some interesting ideas to prevent living off the land attacks with AppLocker. Living off the land attacks use existing Windows binaries instead of downloading specific attack tools. This post-compromise technique is very difficult to block. AppLocker isn't really designed to block these attacks because AppLocker by default does allow standard Windows binaries to run.
---------------------------------------------
https://isc.sans.edu/diary/rss/26032


∗∗∗ Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th) ∗∗∗
---------------------------------------------
Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur in those days, it is related to the COVID19 pandemic. Its purpose of simple: It checks if Outlook is used by the victim and, if it's the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it.
---------------------------------------------
https://isc.sans.edu/diary/rss/26030


∗∗∗ Excel Malspam: Password Protected ... Not! ∗∗∗
---------------------------------------------
Early March of this year, we blogged about multiple malspam campaigns utilizing Excel 4.0 Macros in .xls 97-2003 binary format. In this blog, we will present one more Excel 4.0 Macro spam campaign in the same format crafted with another old MS Excel feature to evade detection.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/excel-malspam-password-protected-not/


∗∗∗ Web Skimmer with a Domain Name Generator ∗∗∗
---------------------------------------------
Our security analyst Moe Obaid recently found yet another variation of a web skimmer script injected into a Magento database. The malicious script loads the credit card stealing code from qr201346[.]pw and sends the stolen details to hxxps://gooogletagmanager[.]online/get.php. This approach is pretty typical for skimmers. However, we noticed one interesting feature of the script — instead of using one predefined domain, it generates domain names based on the current date.
---------------------------------------------
https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html


∗∗∗ Continued Threat Actor Exploitation Post Pulse Secure VPN Patching ∗∗∗
---------------------------------------------
[...] This Alert provides an update to Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability, which advised organizations to immediately patch [...]
---------------------------------------------
https://www.us-cert.gov/ncas/alerts/aa20-107a


∗∗∗ Sophos zieht problematisches Firmware-Update 9.703 für UTM zurück ∗∗∗
---------------------------------------------
Achtung, nicht installieren: Das Firmware-Update 9.703 für Sophos UTM-Appliances wurde vom Hersteller wegen gravierender Probleme wieder zurückgezogen.
---------------------------------------------
https://heise.de/-4704634


∗∗∗ New AgentTesla variant steals WiFi credentials ∗∗∗
---------------------------------------------
The popular infostealer AgentTesla recently added a new feature that can steal WiFi usernames and passwords, which can potentially be used to spread the malware.
---------------------------------------------
https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Apple Releases Security Update for Xcode ∗∗∗
---------------------------------------------
Apple has released a security update to address vulnerabilities in Xcode. A remote attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for Xcode 11.4.1 and apply the necessary update.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2020/04/17/apple-releases-security-update-xcode


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (apache and chromium), Debian (webkit2gtk), Fedora (firefox, nss, and thunderbird), Mageia (chromium-browser-stable and git), openSUSE (gnuhealth), Oracle (thunderbird), Red Hat (kernel-alt, thunderbird, and tigervnc), Scientific Linux (thunderbird), Slackware (openvpn), and SUSE (freeradius-server and libqt4).
---------------------------------------------
https://lwn.net/Articles/817720/


∗∗∗ Foxit Reader und Foxit Phantom PDF Suite: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0344


∗∗∗ Security Bulletin: IBM TRIRIGA Application Platform discloses error messages that could aid an attacker formulate future attacks (CVE-2020-4277) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-application-platform-discloses-error-messages-that-could-aid-an-attacker-formulate-future-attacks-cve-2020-4277/


∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-js-included-in-ibm-cloud-event-management-2-5-0-has-several-security-vulnerabilities-2/


∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server and Liberty affects IBM Cloud App Management (CVE-2019-4441) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-and-liberty-affects-ibm-cloud-app-management-cve-2019-4441/


∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect for Enterprise Resource Planning on Windows (CVE-2019-4732) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affects-ibm-spectrum-protect-for-enterprise-resource-planning-on-windows-cve-2019-4732-2/


∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Insecure Permissions (CVE-2019-4446) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-insecure-permissions-cve-2019-4446/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct FTP+ ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-sterling-connectdirect-ftp/


∗∗∗ Security Bulletin: Version 10.16.3 of Node.js included in IBM Cloud Event Management 2.5.0 has several security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-version-10-16-3-of-node-js-included-in-ibm-cloud-event-management-2-5-0-has-several-security-vulnerabilities/


∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4749) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-cross-site-scripting-cve-2019-4749/


∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4644) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-cross-site-scripting-cve-2019-4644/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list