[CERT-daily] Tageszusammenfassung - 07.01.2020
Daily end-of-shift report
team at cert.at
Tue Jan 7 18:12:16 CET 2020
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 03-01-2020 18:00 − Dienstag 07-01-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗
---------------------------------------------
Für ein internationales Projekt suchen wir eine/n erfahrene/n Pythonentwickler/in (Vollzeit) zum ehestmöglichen Einstieg. Details finden sich auf unserer Jobs-Seite.
---------------------------------------------
https://cert.at/de/ueber-uns/jobs/
∗∗∗ Fake Windows 10 Desktop Used in New Police Browser Lock Scam ∗∗∗
---------------------------------------------
Scammers have taken an old browser scam and invigorated it using a clever and new tactic that takes advantage of your web browsers full-screen mode to show a fake Windows 10 desktop stating your computer is locked.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-windows-10-desktop-used-in-new-police-browser-lock-scam/
∗∗∗ Android-Schadsoftware: Die Tricks mit der Google-Sicherheitslücke ∗∗∗
---------------------------------------------
Sicherheitsforscher haben Schad-Apps im Play Store gefunden, die über eine Google lange bekannte Android-Sicherheitslücke und weitere Tricks Nutzer ausspionierten. Die im Oktober aktiv ausgenutzte Lücke hatte Google eineinhalb Jahre vorher selbst entdeckt.
---------------------------------------------
https://www.golem.de/news/android-schadsoftware-die-tricks-mit-der-google-sicherheitsluecke-2001-145925-rss.html
∗∗∗ A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th) ∗∗∗
---------------------------------------------
For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of.
---------------------------------------------
https://isc.sans.edu/diary/rss/25686
∗∗∗ The Hidden Cost of Ransomware: Wholesale Password Theft ∗∗∗
---------------------------------------------
Moral of the story: Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.
---------------------------------------------
https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale-password-theft/
∗∗∗ Breaking PHPs mt_rand() with 2 values and no bruteforce ∗∗∗
---------------------------------------------
.. one of our researchers was adamant that it was possible to recover the Mersenne Twister seed using only two outputs of the mt_rand() function, and without any kind of bruteforce. Nevertheless, we were unable to find any information supporting this theory, and his notes on the matter were long lost. After crunching the numbers a little bit, and years after the PRNG-prediction circus, we proved him right.
---------------------------------------------
https://www.ambionics.io/blog/php-mt-rand-prediction
∗∗∗ SSH Client Auditing & Hardening ∗∗∗
---------------------------------------------
Its been known for years now that SSH servers can (and should) be hardened by removing weak default algorithms. For example, recent versions of OpenSSH ship with algorithms suspected suspected of being back-doored by the NSA (i.e.: ECDSA with the NIST P-curves), along with other algorithms with sub-128bit security levels. But did you know that client software can be hardened too?
---------------------------------------------
https://www.positronsecurity.com/blog/2020-01-07-ssh-client-auditing-and-hardening/
∗∗∗ SSH Pentesting Guide ∗∗∗
---------------------------------------------
In this guide, I will:
* Quickly introduce the SSH protocol and implementations.
* Expose some common configuration mistakes then showcase some attacks on the protocol & implementations.
* Present some SSH pentesting & blue team tools.
* Give a standard reference for security guidelines
---------------------------------------------
https://community.turgensec.com/ssh-hacking-guide/
∗∗∗ First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust [PDF] ∗∗∗
---------------------------------------------
In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1..
---------------------------------------------
https://eprint.iacr.org/2020/014.pdf
∗∗∗ Jetzt patchen! Ransomware-Attacken auf VPN-Server mit Pulse Connect Secure ∗∗∗
---------------------------------------------
Erneut nehmen Angreifer VPN-Server mit Pulse Connect Secure ins Visier und nutzen eine kritische Sicherheitslücke aus. Ein Patch ist schon länger verfügbar.
---------------------------------------------
https://heise.de/-4629452
∗∗∗ Versteckte Kosten bei Übernachtungsgutscheinen von Geoplus ∗∗∗
---------------------------------------------
Wie zahlreiche InternetnutzerInnen erhalten Sie womöglich E-Mails von Geoplus, in denen Sie zur Teilnahme an einer europäischen Studie eingeladen werden. Dafür verspricht man Ihnen einen Gutschein für bis zu fünf kostenlose Übernachtungen in über 500 Hotels in 14 Ländern. Achtung: Von „kostenlos“ kann nicht die Rede sein, denn beim Einlösen der Gutscheine müssen Sie Zahlung von Pflichtverpflegungssätzen leisten.
---------------------------------------------
https://www.watchlist-internet.at/news/versteckte-kosten-bei-uebernachtungsgutscheinen-von-geoplus/
∗∗∗ What is the random oracle model and why should you care? (Part 5) ∗∗∗
---------------------------------------------
This is part five of a series on the Random Oracle Model. See here for the previous posts: Part 1: An introduction Part 2: The ROM formalized, a scheme and a proof sketch Part 3: How we abuse the ROM to make our security proofs work Part 4: Some more examples of where the ROM … Continue reading What is the random oracle model and why should you care? (Part 5) →
---------------------------------------------
https://blog.cryptographyengineering.com/2020/01/05/what-is-the-random-oracle-model-and-why-should-you-care-part-5/
∗∗∗ Half of the websites using WebAssembly use it for malicious purposes ∗∗∗
---------------------------------------------
In an academic research project that was carried out last year, four researchers from the Technical University in Braunschweig, Germany, looked at WebAssembly's use on the Alexa Top 1 Million popular sites on the internet, in an attempt to gauge the popularity of this new technology.
---------------------------------------------
https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Security Bulletin—January 2020 ∗∗∗
---------------------------------------------
The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
---------------------------------------------
https://source.android.com/security/bulletin/2020-01-01.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (netty) and Fedora (libssh, nethack, php, samba, and xen).
---------------------------------------------
https://lwn.net/Articles/808621/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, cyrus-imapd, drupal7-l10n_update, drupal7-webform, htmldoc, nethack, php, and singularity), Mageia (advancecomp, apache-commons-compress-, cyrus-imapd, cyrus-sasl, dia, freeimage, freeradius, igraph, jhead, jss, libdwarf, libextractor, libxml2, mediawiki, memcached, mozjs60, openconnect, openssl, putty, python-ecdsa, python-werkzeug, shadowsocks-libev, and upx), Oracle (container-tools:1.0 and container-tools:ol8), and Red Hat
---------------------------------------------
https://lwn.net/Articles/808803/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nss and pillow), Red Hat (java-1.8.0-ibm and kernel), Slackware (firefox), SUSE (virglrenderer), and Ubuntu (linux, linux-aws, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-kvm, linux-oracle, linux-raspi2, and linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/808881/
∗∗∗ Security Vulnerabilities fixed in Firefox 72 ∗∗∗
---------------------------------------------
Severity: high
CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
CVE-2019-17017: Type Confusion in XPCVariant.cpp
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Liberty affect IBM WIoTP MessageGateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-liberty-affect-ibm-wiotp-messagegateway/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-messagesight/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services for Multi-Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-financial-transaction-manager-for-corporate-payment-services-for-multi-platform/
∗∗∗ Security Bulletin: Financial Transaction Manager for Check Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-check-services-is-affected-by-a-potential-cross-site-scripting-xss-vulnerability-cve-2018-15494/
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Check Services for Multi-Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-financial-transaction-manager-for-check-services-for-multi-platform/
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-for-corporate-payment-services-is-affected-by-a-potential-cross-site-scripting-xss-vulnerability-cve-2018-15494/
∗∗∗ Security Bulletin: Security Vulnerabilties have been addressed in IBM Cognos Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilties-have-been-addressed-in-ibm-cognos-analytics/
∗∗∗ Security Bulletin: Information Exposure vulnerability found on IBM Security Secret Server (CVE-2019-4634) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-exposure-vulnerability-found-on-ibm-security-secret-server-cve-2019-4634/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list