[CERT-daily] Tageszusammenfassung - 08.07.2020

Wed Jul 8 18:16:25 CEST 2020

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 07-07-2020 18:00 − Mittwoch 08-07-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ „Ihre Site wurde gehackt“: Unternehmen werden per Mail erpresst ∗∗∗
---------------------------------------------
Zahlen Sie 3.000 USD in Form von Bitcoins oder der Ruf Ihres Unternehmens wird geschädigt. Damit drohen BetrügerInnen in einer aktuellen Welle von Erpressungsmails. Anstatt zu bezahlen, sollten Sie diese Mails einfach ignorieren!
---------------------------------------------
https://www.watchlist-internet.at/news/ihre-site-wurde-gehackt-unternehmen-werden-per-mail-erpresst/


∗∗∗ Redirect auction ∗∗∗
---------------------------------------------
Weve already looked at links under old YouTube videos or in Wikipedia articles which at some point turned bad and began pointing to partner program pages, phishing sites, or even malware. It was as if the attackers were purposely buying up domains, but such a scenario always seemed to us too complicated.
---------------------------------------------
https://securelist.com/redirect-auction/96944/


∗∗∗ F5 BigIP vulnerability exploitation followed by a backdoor implant attempt, (Tue, Jul 7th) ∗∗∗
---------------------------------------------
While monitoring SANS Storm Center's honeypots today, I came across the second F5 BIGIP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/26322


∗∗∗ Configuring a Windows Domain to Dynamically Analyze an ObfuscatedLateral Movement Tool ∗∗∗
---------------------------------------------
We recently encountered a large obfuscated malware sample that offered several interesting analysis challenges. It used virtualization that prevented us from producing a fully-deobfuscated memory dump for static analysis. Statically analyzing a large virtualized sample can take anywhere from several days to several weeks. Bypassing this time-consuming step presented an opportunity for collaboration between the FLARE reverse engineering team and [...]
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/07/configuring-windows-domain-dynamically-analyze-obfuscated-lateral-movement-tool.html


∗∗∗ Mac ThiefQuest malware may not be ransomware after all ∗∗∗
---------------------------------------------
We discovered a new Mac malware, ThiefQuest, that appeared to be ransomware at first glance. However, once we dug in deeper, we found out its true identity—and intention.
---------------------------------------------
https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/


∗∗∗ Ransomware Characteristics and Attack Chains – What you Need to Know about Recent Campaigns ∗∗∗
---------------------------------------------
Ransomware has been around for decades going back all the way to 1989. Since then it has only magnified in scope and complexity. Now at a time when working remotely is becoming more universal and the world is trying to overcome the Covid-19 pandemic, ransomware has never been more prominent.
---------------------------------------------
https://www.tripwire.com/state-of-security/featured/ransomware-characteristics-attack-chains-recent-campaigns/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Mitigating critical F5 BIG-IP RCE flaw not enough, bypass found ∗∗∗
---------------------------------------------
F5 BIG-IP customers who only applied recommended mitigations and havent yet patched their devices against the unauthenticated remote code execution (RCE) CVE-2020-5902 vulnerability are now advised to update them against a recently found bypass.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mitigating-critical-f5-big-ip-rce-flaw-not-enough-bypass-found/


∗∗∗ VMSA-2020-0016 ∗∗∗
---------------------------------------------
VMware SD-WAN by VeloCloud updates address SQL-injection vulnerability (CVE-2020-3973)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0016.html


∗∗∗ Multiple Critical Vulnerabilities in Multiple Rittal Products Based on Same Software ∗∗∗
---------------------------------------------
Several devices from the manufacturer Rittal are vulnerable to Privilege Escalation, Least Privilege or Command Injection vulnerabilities. In addition, root backdoors and incorrectly configured system files are present on the devices.
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/multiple-critical-vulnerabilities-in-multiple-rittal-products-based-on-same-software/


∗∗∗ Critical Vulnerabilities Patched in Adning Advertising Plugin ∗∗∗
---------------------------------------------
On June 24, 2020, our Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers. We eventually discovered 2 vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to Remote Code Execution(RCE), which could [...]
---------------------------------------------
https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (roundcube), Fedora (chromium, firefox, and ngircd), Oracle (firefox and thunderbird), Scientific Linux (firefox), Slackware (seamonkey), SUSE (djvulibre, ffmpeg, firefox, freetds, gd, gstreamer-plugins-base, icu, java-11-openjdk, libEMF, libexif, librsvg, LibVNCServer, libvpx, Mesa, nasm, nmap, opencv, osc, perl, php7, python-ecdsa, SDL2, texlive-filesystem, and thunderbird), and Ubuntu (cinder, python-os-brick).
---------------------------------------------
https://lwn.net/Articles/825587/


∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Contract Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-server-security-vulnerabilities-affect-ibm-emptoris-contract-management-2/


∗∗∗ Security Bulletin: Third party vulnerable library Jackson-Databind affects IBM Engineering Lifecycle Optimization – Publishing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-third-party-vulnerable-library-jackson-databind-affects-ibm-engineering-lifecycle-optimization-publishing/


∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Program Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-server-security-vulnerabilities-affect-ibm-emptoris-program-management-2/


∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Strategic Supply Management Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-server-security-vulnerabilities-affect-ibm-emptoris-strategic-supply-management-platform-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in Open Source used in IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-open-source-used-in-ibm-cloud-pak-system/


∗∗∗ Security Bulletin: Vulnerability in OpenSSL library affect OS Pattern Kit used in IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-library-affect-os-pattern-kit-used-in-ibm-cloud-pak-system/


∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Supplier Lifecycle Mgmt ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-server-security-vulnerabilities-affect-ibm-emptoris-supplier-lifecycle-mgmt-2/


∗∗∗ Security Bulletin: Multiple DB2 Database Server Security Vulnerabilities Affect IBM Emptoris Sourcing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-db2-database-server-security-vulnerabilities-affect-ibm-emptoris-sourcing-2/


∗∗∗ Security Bulletin: Carbon Black Response application add on to IBM QRadar SIEM is vulnerable to cross site scripting (CVE-2020-4275) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-carbon-black-response-application-add-on-to-ibm-qradar-siem-is-vulnerable-to-cross-site-scripting-cve-2020-4275/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily