[CERT-daily] Tageszusammenfassung - 24.06.2020

Daily end-of-shift report team at cert.at
Wed Jun 24 18:25:17 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 23-06-2020 18:00 − Mittwoch 24-06-2020 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ IT-Sicherheit: Etwa 80.000 Drucker sind im Internet offen ansteuerbar ∗∗∗
---------------------------------------------
Die Security-Organisation Shadowserver hat einen globalen IPP-Scan durchgeführt und viele Drucker gefunden, die offen Informationen teilen.
---------------------------------------------
https://www.golem.de/news/it-sicherheit-etwa-80-000-drucker-sind-im-internet-offen-ansteuerbar-2006-149276-rss.html


∗∗∗ What is DNS Poisoning and to Protect Your Enterprise Against it ∗∗∗
---------------------------------------------
Modern enterprise cybersecurity has evolved – that’s a true statement. If we were to travel back in time – say, 10 or 20 years – ago, we would have discovered, much to our stupefaction, that cybersecurity was nothing more than an auxiliary attribution, bestowed upon the (un)fortunate soul who had the (dubious privilege) of fulfilling [...]
---------------------------------------------
https://heimdalsecurity.com/blog/what-is-dns-poisoning/


∗∗∗ Magnitude exploit kit – evolution ∗∗∗
---------------------------------------------
Exploit kits still play a role in today’s threat landscape and continue to evolve. For this blogpost I studied and analyzed the evolution of one of the most sophisticated exploit kits out there – Magnitude EK – for a whole year.
---------------------------------------------
https://securelist.com/magnitude-exploit-kit-evolution/97436/


∗∗∗ Sodinokibi Ransomware Now Scans Networks For PoS Systems ∗∗∗
---------------------------------------------
Attackers are compromising large companies with the Cobalt Strike malware, and then deploying the Sodinokibi ransomware.
---------------------------------------------
https://threatpost.com/sodinokibi-ransomware-now-scans-networks-for-pos-systems/156855/


∗∗∗ Hakbit Ransomware Attack Uses GuLoader, Malicious Microsoft Excel Attachments ∗∗∗
---------------------------------------------
Recent spearphishing emails spread the Hakbit ransomware using malicious Microsoft Excel attachments and the GuLoader dropper.
---------------------------------------------
https://threatpost.com/hackbit-ransomware-attack-uses-guloader-malicious-microsoft-excel-attachments/156826/


∗∗∗ Using Shell Links as zero-touch downloaders and to initiate network connections, (Wed, Jun 24th) ∗∗∗
---------------------------------------------
Probably anyone who has used any modern version of Windows is aware of their file-based shortcuts, also known as LNKs or Shell Link files. Although they were intended as a simple feature to make Windows a bit more user-friendly, over the years, a significant number[1] of vulnerabilities were identified in handling of LNKs. Many of these vulnerabilities lead to remote code execution and one (CVE-2010-2568) was even used in creation of the Stuxnet worm.
---------------------------------------------
https://isc.sans.edu/diary/rss/26276


∗∗∗ Three words you do not want to hear regarding a secure browser called SafePay... Remote. Code. Execution ∗∗∗
---------------------------------------------
How Bitdefenders security software was caught napping by ad-block bod Folks running Bitdefenders Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2020/06/24/bitdefender_safepay_rce/


∗∗∗ WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group ∗∗∗
---------------------------------------------
WastedLocker is a new ransomware locker we’ve detected being used since May 2020. We believe it has been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the Evil Corp group in 2020. Evil Corp were previously associated to the Dridex malware and BitPaymer ransomware, the latter came to prominence in the first half of 2017. Recently Evil Corp has changed a number of TTPs related to their operations further described in this article.
---------------------------------------------
https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/


∗∗∗ Gefälschte PayLife-Mails im Umlauf ∗∗∗
---------------------------------------------
Unter verschiedenen Vorwänden versuchen BetrügerInnen derzeit an Zugangs- und Kreditkartendaten von PayLife-KundInnen zu kommen. Kommt man den Aufforderungen in diesen Mails nicht nach, wird mit einer Sperre der Karte oder anderen Einschränkungen gedroht. Folgen Sie dem Link in diesen Mails nicht und laden Sie auch keine „Kartensicherheits-App“ herunter!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-paylife-mails-im-umlauf/


∗∗∗ Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices ∗∗∗
---------------------------------------------
A new hybrid malware capable of cryptojacking and launching DDoS was discovered in the wild, which weve named "Lucifer."
---------------------------------------------
https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/


∗∗∗ This sneaky malware goes to unusual lengths to cover its tracks ∗∗∗
---------------------------------------------
Glupteba creates a backdoor into infected Windows systems - and researchers think itll be offered to cyber criminals as an easy means of distributing other malware.
---------------------------------------------
https://www.zdnet.com/article/this-sneaky-malware-goes-to-unusual-lengths-to-cover-its-tracks/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Kritische Sicherheitslücke bedroht Magento-Shops ∗∗∗
---------------------------------------------
Angreifer könnten Onlineshops auf Magento-Basis attackieren und im schlimmsten Fall komplett übernehmen.
---------------------------------------------
https://heise.de/-4793608


∗∗∗ Kritische Lücke: Helpdesk-App auf Qnap-NAS lädt Angreifer ein ∗∗∗
---------------------------------------------
Qnap hat eine wichtige Aktualisierung für die Support-App Helpdesk veröffentlicht.
---------------------------------------------
https://heise.de/-4794415


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel, ntp, and unbound), Fedora (php-horde-horde and tcpreplay), openSUSE (chromium, java-1_8_0-openj9, mozilla-nspr, mozilla-nss, and opera), Oracle (gnutls, grafana, thunderbird, and unbound), Red Hat (candlepin and satellite, docker, microcode_ctl, openstack-keystone, openstack-manila and openstack-manila, and qemu-kvm-rhev), Scientific Linux (kernel and ntp), Slackware (ntp), SUSE (curl, libreoffice, libssh2_org, and php5), and Ubuntu (curl).
---------------------------------------------
https://lwn.net/Articles/824378/


∗∗∗ VMware Produkte: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0622


∗∗∗ Security Bulletin: IBM Security Guardium is affected by Use of Hard-Coded Credentials vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-use-of-hard-coded-credentials-vulnerabilities-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in IBM Tivoli Netcool/OMNIbus Probe for Network Node Manager i (CVE-2009-3555) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-ibm-tivoli-netcool-omnibus-probe-for-network-node-manager-i-cve-2009-3555/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-os-command-injection-vulnerabilities-4/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-3/


∗∗∗ Security Bulletin: Speech to Text, Text to Speech ICP WebSphere Application Server Liberty Fix ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-speech-to-text-text-to-speech-icp-websphere-application-server-liberty-fix/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list