[CERT-daily] Tageszusammenfassung - 13.07.2020

Daily end-of-shift report team at cert.at
Mon Jul 13 18:20:55 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 10-07-2020 18:00 − Montag 13-07-2020 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Malware adds online sandbox detection to evade analysis ∗∗∗
---------------------------------------------
Malware developers are now checking if their malware is running in the Any.Run malware analysis service to prevent their malware from being easily analyzed by researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-adds-anyrun-sandbox-detection-to-evade-analysis/


∗∗∗ Hidden Miners ∗∗∗
---------------------------------------------
It is always a good idea to have multiple options when it comes to making a profit. This is especially true for criminals. Having a backdoor is nice, but having the backdoored system directly make money is even better.
---------------------------------------------
https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners


∗∗∗ Scanning Home Internet Facing Devices to Exploit, (Sat, Jul 11th) ∗∗∗
---------------------------------------------
In the past 45 days, I noticed a surge of activity in my honeypot logs for home router exploitation. This is a summary of the various hosts and IP addresses with potential exploit packages available for download. What is also interesting is the fact that most URL were only IP based, no hostname associated with them.
---------------------------------------------
https://isc.sans.edu/diary/rss/26340


∗∗∗ Injecting Magecart into Magento Global Config ∗∗∗
---------------------------------------------
At the beginning of June 2020, we were contacted about a Magento website breach that caused a leak of credit card numbers. A thorough analysis of the website identified the webpage’s footer had malicious code added to it.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/


∗∗∗ Introducing Winbindex - the Windows Binaries Index ∗∗∗
---------------------------------------------
I indexed all Windows files which appear in Windows update packages, and created a website which allows to quickly view information about the files and download some of them from Microsoft servers. The files that can be downloaded are executable files (currently exe, dll and sys files).
---------------------------------------------
https://m417z.com/Introducing-Winbindex-the-Windows-Binaries-Index/


∗∗∗ Threat spotlight: WastedLocker, customized ransomware ∗∗∗
---------------------------------------------
WastedLocker ransomware, attributed to the Russian Evil Corp gang, is such a targeted threat, you might call it a custom-built ransomware family.
---------------------------------------------
https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/


∗∗∗ TrickBot Malware Warning Victims of Infection by Mistake ∗∗∗
---------------------------------------------
Security researchers observed some variants of the TrickBot malware family mistakenly warning victims that they had suffered an infection. Advanced Intel’s Vitali Kremez traced the mistake to “password-stealing grabber.dll.” This module is responsible for stealing browser credentials and cookies from Google Chrome, Microsoft Edge and other web browsers that are stored on a victim’s machine.
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/trickbot-malware-warning-victims-of-infection-by-mistake/


∗∗∗ TrickBots new API-Hammering explained ∗∗∗
---------------------------------------------
As usual, at Joe Security, we keep a close eye on evasive malware. Some days ago we detected an interesting sample, MD5: b32d28ebab62e99cd2d46aca8b2ffb81. It turned out to be a new TrickBot sample using API hammering to bypass analysis. In this blog post, we will outline the evasion and explain how it works.
---------------------------------------------
http://blog.joesecurity.org/2020/07/trickbots-new-api-hammering-explained.html


∗∗∗ Researchers create magstripe versions from EMV and contactless cards ∗∗∗
---------------------------------------------
Banking industry loophole reported more than a decade ago still remains open and ripe for exploitation today.
---------------------------------------------
https://www.zdnet.com/article/researchers-create-magstripe-versions-of-emv-and-contactless-cards/


∗∗∗ This botnet has surged back into action spreading a new ransomware campaign via phishing emails ∗∗∗
---------------------------------------------
Theres been a big jump in Phorpiex botnet activity - but its a trojan malware attack that was the most common malware campaign in June.
---------------------------------------------
https://www.zdnet.com/article/this-botnet-has-surged-back-into-action-spreading-a-new-ransomware-campaign-via-phishing-emails/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Popular TP-Link Family of Kasa Security Cams Vulnerable to Attack ∗∗∗
---------------------------------------------
Researcher warns the highly-rated Kasa family of security cameras have bugs that gives hackers access to private video feeds and settings.
---------------------------------------------
https://threatpost.com/popular-tp-link-family-of-kasa-security-cams-vulnerable-to-attack/157371/


∗∗∗ macOS-Sicherheitslücke: Komplettes Dateisystem ohne Zugriffsrechte auslesbar ∗∗∗
---------------------------------------------
In mount_apfs steckte ein Bug, der Apples Systemschutz zumindest read-only aushebeln konnte. Ein Fix ist da, doch der ist eher ungewöhnlich.
---------------------------------------------
https://heise.de/-4841670


∗∗∗ Remote Code Execution Vulnerability in Zoom Client for Windows (0day) ∗∗∗
---------------------------------------------
[Update 7/13/2020: Zoom only took one (!) day to issue a new version of Client for Windows that fixes this vulnerability, which is remarkable. We have reviewed their fix and can confirm that it efficiently resolves the vulnerability.
---------------------------------------------
https://blog.0patch.com/2020/07/remote-code-execution-vulnerability-in.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, mailman, openjpeg2, ruby-rack, squid3, tomcat8, and xen), Fedora (botan2, kernel, LibRaw, mingw-OpenEXR, mingw-podofo, podofo, seamonkey, squid, and webkit2gtk3), Mageia (ffmpeg, mbedtls, mediawiki, and xpdf), Oracle (kernel), Red Hat (bind, dbus, jbig2dec, and rh-nodejs12-nodejs), and SUSE (graphviz and xen).
---------------------------------------------
https://lwn.net/Articles/826038/


∗∗∗ Sophos XG Firewall: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0686


∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0688


∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0687


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.8 ESR) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 – 2020.1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-68-8-esr-hava-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-1-0/


∗∗∗ Security Bulletin: Addressing the Sqlite Vulnerability CVE-2020-11656, CVE-2020-11655 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-addressing-the-sqlite-vulnerability-cve-2020-11656-cve-2020-11655/


∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-sdk-java-technology-edition-affects-ibm-performance-management-products-7/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM StoredIQ InstaScan ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-storediq-instascan-2/


∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM StoredIQ InstaScan (CVE-2019-17495) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-storediq-instascan-cve-2019-17495/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM StoredIQ InstaScan ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-storediq-instascan/


∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-sdk-java-technology-edition-affects-ibm-performance-management-products-6/


∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-sdk-java-technology-edition-affects-ibm-performance-management-products-5/


∗∗∗ Security Bulletin: Vulnerability identified in Apache ActiveMQ used in Cloud Pak System (CVE-2020-1941) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-identified-in-apache-activemq-used-in-cloud-pak-system-cve-2020-1941-2/


∗∗∗ Security Bulletin: IBM StoredIQ is affected by a vulnerability in NGINX (CVE-2019-20372) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-storediq-is-affected-by-a-vulnerability-in-nginx-cve-2019-20372/


∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM StoredIQ (CVE-2019-17495) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-storediq-cve-2019-17495/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list