[CERT-daily] Tageszusammenfassung - 03.07.2020

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 02-07-2020 18:00 − Freitag 03-07-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Unternehmen aufgepasst: Versand gefährlicher Mails im Namen des Bundeskanzleramts ∗∗∗
---------------------------------------------
„Die Entscheidung, Ihr Unternehmen aufgrund von Covid-19 zu schließen“ – unter diesem Betreff werden derzeit betrügerische Mails verschickt, die sich gezielt an Unternehmerinnen und Unternehmer richten. Die Kriminellen, die hinter dieser E-Mail stehen, geben sich dabei als Bundeskanzleramt aus und verschicken Schadsoftware. Öffnen Sie daher auf keinen Fall den Anhang!
---------------------------------------------
https://www.watchlist-internet.at/news/unternehmen-aufgepasst-versand-gefaehrlicher-mails-im-namen-des-bundeskanzleramts/


∗∗∗ Ransomware EKANS nimmt Industriekontrollsysteme ins Visier ∗∗∗
---------------------------------------------
Die Schadsoftware funktioniert trotz zahlreicher Programmierfehler. Eine neue Variante verschlüsselt nicht nur Dateien, sie verändert auch die Einstellungen von Industriekontrollsystemen. EKANS ist zudem auf bestimmte Ziele ausgerichtet und greift Opfer nicht wahllos an.
---------------------------------------------
https://www.zdnet.de/88381196/ransomware-ekans-nimmt-industriekontrollsysteme-ins-visier/


∗∗∗ Still Scanning IP Addresses? You’re Doing it Wrong ∗∗∗
---------------------------------------------
The traditional approach to a vulnerability scan or penetration test is to find the IP addresses that you want tested, throw them in and kick things off. But doing a test based purely on IP addresses is a bad idea and can often miss things.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/still-scanning-ip-addresses-you-re-doing-it-wrong/


∗∗∗ GoldenSpy Chapter 3: New and Improved Uninstaller ∗∗∗
---------------------------------------------
This blog shows our analysis of a new binary, now being distributed by Intelligent Tax software, that is identical in operations to the original GoldenSpy Uninstallers, but specifically designed to evade detection by the YARA rule provided in our blog.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/


∗∗∗ Dangerous Website Backups ∗∗∗
---------------------------------------------
It’s a well-known fact that website backups are important for mitigating a plethora of site issues. They can help restore a site after a compromise or even facilitate the investigative process by providing a clean code base to compare the current site state to. However, if a backup is not set up correctly, it can have the opposite effect — and may instead impose a security threat to your website.
---------------------------------------------
https://blog.sucuri.net/2020/07/dangerous-website-backups.html


∗∗∗ Living Off Windows Land – A New Native File "downldr" ∗∗∗
---------------------------------------------
There are only a couple of default system-signed executables that let you download a file from a Web Server, and every security product and threat hunter specifically looks for them for signs of misuse or abuse by threat actors.
---------------------------------------------
https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/


∗∗∗ Try2Cry: Ransomware tries to worm ∗∗∗
---------------------------------------------
Try2Cry ransomware adopts USB flash drive spreading using LNK files. The last ransomware that did the same was the infamous Spora. The code of Try2Cry looks oddly familiar, though.
---------------------------------------------
https://www.gdatasoftware.com/blog/2020/07/36200-ransomware-tries-to-worm



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Would you like some RCE with your Guacamole? ∗∗∗
---------------------------------------------
[...] Apache Guacamole is a popular infrastructure for remote work, with more than 10 Million docker downloads worldwide. In our research, we discovered that Apache Guacamole is vulnerable to several critical Reverse RDP Vulnerabilities, and is also impacted by a few new vulnerabilities found in FreeRDP. In short, these vulnerabilities allow an attacker, who has already successfully compromised a computer inside the organization, to launch an attack on the Guacamole gateway when an unsuspecting [...]
---------------------------------------------
https://research.checkpoint.com/2020/apache-guacamole-rce/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (docker.io and imagemagick), Fedora (alpine, firefox, hostapd, and mutt), openSUSE (opera), Red Hat (rh-nginx116-nginx), SUSE (ntp, python3, and systemd), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv, linux, linux-azure, linux-gcp, linux-gcp-5.3, linux-hwe, [...]
---------------------------------------------
https://lwn.net/Articles/825212/


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.7 ESR ) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-68-7-esr-hava-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-1-0/


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.6.1 ESR) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-68-6-1-esr-hava-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-1-0/


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.6.1 ESR + CVE-2020-6820) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-68-6-1-esr-cve-2020-6820-hava-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-1-0/


∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to a Prototype Pollution vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-vulnerable-to-a-prototype-pollution-vulnerability/


∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities/


∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0664


∗∗∗ Red Hat JBoss Enterprise Application Platform: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0666

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily