[CERT-daily] Daily summary - 22.07.2020

Daily end-of-shift report team at cert.at
Wed Jul 22 18:51:43 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 21-07-2020 18:00 − Wednesday 22-07-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Cybercrime: The battle for routers ∗∗∗
---------------------------------------------
Routers are an important resource for cybercriminals. That justifies even extraordinary measures.
---------------------------------------------
https://heise.de/-4848764


∗∗∗ Arbeiterkammer warns: Reviews can become a trap! ∗∗∗
---------------------------------------------
Wanted: an Italian pizzeria. Found: a pizzeria with top reviews! Careful! Fraud exists in online reviews too. Companies buy fake reviews that are meant to make them look better than they are. At the same time, you also have to watch what you write in reviews. Otherwise you could face a lawsuit. The Arbeiterkammer (AK) and the Internet Ombudsmann have examined the legal questions around review platforms.
---------------------------------------------
https://www.watchlist-internet.at/news/arbeiterkammer-warnt-bewertungen-koennen-zur-falle-werden/


∗∗∗ Phishing campaign uses Google's cloud services to steal Office 365 credentials ∗∗∗
---------------------------------------------
The hackers host a specially crafted PDF file on Google Drive. Google Cloud also serves a phishing website for the attack. Similar attacks also abuse the cloud services of other providers such as Microsoft Azure.
---------------------------------------------
https://www.zdnet.de/88381697/phishing-kampagne-nutzt-googles-cloud-dienste-zum-diebstahl-von-office-365-anmeldedaten/


∗∗∗ Emotet botnet is now heavily spreading QakBot malware ∗∗∗
---------------------------------------------
Researchers tracking Emotet botnet noticed that the malware started to push QakBot banking trojan at an unusually high rate, replacing the longtime TrickBot payload.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-botnet-is-now-heavily-spreading-qakbot-malware/


∗∗∗ Format String Vulnerabilities ∗∗∗
---------------------------------------------
C++ and strings: The C++ programming language has a couple of different variable types designed to manage text data. These include C strings, which are defined as arrays of characters, and the C++ string data type. These types of variables can be used for a variety of different purposes. The most visible is printing messages [...]
---------------------------------------------
https://resources.infosecinstitute.com/format-string-vulnerabilities/


∗∗∗ Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
What is a command injection vulnerability? Many applications are not designed to be wholly self-contained. They often access external systems as well, including databases, application programming interfaces (APIs) and others. Some applications are designed to run commands within the terminal of the system that they are running on. For example, a program may wish to [...]
---------------------------------------------
https://resources.infosecinstitute.com/command-injection-vulnerabilities/


∗∗∗ How to configure Internet Options for Local Group Policy ∗∗∗
---------------------------------------------
Does this sound familiar? “Welcome to Monopoly!” “All right, now we’re going to go with auctions if you don’t buy.” “Why? That’s so annoying!” “Because if we don’t, it takes forever.” “All right, fine, but I want money if I land on Free Parking.” “Fine, if that’s what it takes. But I want ‘even [...]
---------------------------------------------
https://resources.infosecinstitute.com/how-to-configure-internet-options-for-local-group-policy/


∗∗∗ MATA: Multi-platform targeted malware framework ∗∗∗
---------------------------------------------
The MATA malware framework possesses several components, such as loader, orchestrator and plugins. The framework is able to target Windows, Linux and macOS operating systems.
---------------------------------------------
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/


∗∗∗ A few IoCs related to CVE-2020-5092, (Wed, Jul 22nd) ∗∗∗
---------------------------------------------
I know I am a bit late to the game, but a couple of weeks ago I responded to an incident resulting from an F5 compromise related to CVE-2020-5092. As I responded I captured a number of indicators of compromise. While I have not had a lot of time to dig into them, hopefully they will be of use to somebody.
---------------------------------------------
https://isc.sans.edu/diary/rss/26378


∗∗∗ Malicious Magento User Creator ∗∗∗
---------------------------------------------
We recently found a simple malicious script leveraging Magento’s internal functions to create a new admin user with the admin role “Inchoo” — probably referring to a Croatian Magento consulting company. The script is simple but very effective and can easily be overlooked as another Magento file without closer inspection. It’s based on a sample that has been circulating the Internet since 2012 and provides a boilerplate for attackers to easily specify user [...]
---------------------------------------------
https://blog.sucuri.net/2020/07/malicious-magento-user-creator.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Shadow Attacks: Researchers bypass PDF signature validation again ∗∗∗
---------------------------------------------
In 2019, researchers from Ruhr-Universität Bochum bypassed the signature validation of PDF software. Now they have successfully developed three new attacks.
---------------------------------------------
https://heise.de/-4849183


∗∗∗ Update now: Exploit code available for Patch Tuesday vulnerability in SharePoint Server ∗∗∗
---------------------------------------------
Updates for a critical vulnerability in SharePoint Server, Visual Studio and the .NET Framework have been available since the MS Patch Tuesday. The risk of an attack is rising.
---------------------------------------------
https://heise.de/-4849584


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (librsvg and squid), Fedora (mailman, mingw-LibRaw, php-horde-kronolith, and targetcli), openSUSE (openconnect), Red Hat (cloud-init, container-tools:rhel8, dbus, java-1.8.0-openjdk, java-11-openjdk, jbig2dec, kernel, kpatch-patch, mod_auth_openidc:2.3, nodejs:10, openstack-keystone, rh-nodejs10-nodejs, sane-backends, thunderbird, and virt:rhel), SUSE (webkit2gtk3 and xrdp), and Ubuntu (evolution-data-server, linux, linux-aws, linux-aws-hwe, [...]
---------------------------------------------
https://lwn.net/Articles/826713/


∗∗∗ Raining SYSTEM Shells with Citrix Workspace app ∗∗∗
---------------------------------------------
TL;DR Citrix Workspace is vulnerable to a remote command execution attack running under the context of the SYSTEM account. By sending a crafted message over a named pipe and spoofing [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/raining-system-shells-with-citrix-workspace-app/


∗∗∗ Security Advisory - fastjson Injection Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200722-01-json-en


∗∗∗ Security Bulletin: Multiple Vulnerabilities in jackson-databind shipped with IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-jackson-databind-shipped-with-ibm-cloud-pak-system/


∗∗∗ Security Bulletin: IBM Verify Gateway does not hide a cryptographic key in one of its binary files (CVE-2020-4385) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-not-hide-a-cryptographic-key-in-one-of-its-binary-files-cve-2020-4385/


∗∗∗ Security Bulletin: IBM WebSphere Application Server Network Deployment security vulnerability in IBM Content Foundation on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-network-deployment-security-vulnerability-in-ibm-content-foundation-on-cloud/


∗∗∗ Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-network-security-vulnerability-in-ibm-content-foundation-on-cloud/


∗∗∗ Security Bulletin: SB0003748 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sb0003748/


∗∗∗ Security Bulletin: SB0003749 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sb0003749/


∗∗∗ Security Bulletin: WebSphere Application Server security vulnerability in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-security-vulnerability-in-filenet-content-manager/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-z-tpf-3/


∗∗∗ Security Bulletin: IBM Verify Gateway does not hide client secrets when debug tracing is active (CVE-2020-4372) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-not-hide-client-secrets-when-debug-tracing-is-active-cve-2020-4372/


∗∗∗ Security Bulletin: IBM Verify Gateway PAM components default to cleartext storage of client secret (CVE-2020-4369) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-pam-components-default-to-cleartext-storage-of-client-secret-cve-2020-4369/


∗∗∗ Red Hat OpenShift: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0746


∗∗∗ Red Hat Enterprise Linux: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0745

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



