[CERT-daily] Daily summary - 31.03.2020

Daily end-of-shift report team at cert.at
Tue Mar 31 18:26:00 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 30-03-2020 18:00 − Tuesday 31-03-2020 18:00
Handler:     Robert Waldner
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Networking Basics for Reverse Engineers ∗∗∗
---------------------------------------------
This article will define network reverse engineering, list tools used by reverse engineers for reverse engineering and then highlight the network basics required by such engineers. The article will illustrate, through the lens of an attacker, how to expose the vulnerability of a network protocol and exploit the vulnerability, and then discuss how to [...]
---------------------------------------------
https://resources.infosecinstitute.com/networking-basics-for-reverse-engineers/


∗∗∗ OWASP Firmware Security Testing Methodology ∗∗∗
---------------------------------------------
FSTM is composed of nine stages tailored to enable security researchers, software developers, hobbyists, and Information Security professionals with conducting firmware security assessments.
---------------------------------------------
https://scriptingxss.gitbook.io/firmware-security-testing-methodology/


∗∗∗ They told me I could be anything, so I became a Kubernetes node - Using K3s for command and control on compromised Linux hosts ∗∗∗
---------------------------------------------
In their RSA 2020 talk Advanced Persistence Threats: The Future of Kubernetes Attacks, Ian Coldwater and Brad Geesaman demonstrated that K3s, a lightweight version of Kubernetes, can be used to backdoor compromised Kubernetes clusters. This post describes how K3s can also serve as an easy command and control (C2) mechanism to remotely control compromised Linux machines.
---------------------------------------------
https://blog.christophetd.fr/using-k3s-for-command-and-control-on-compromised-linux-hosts/


∗∗∗ Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit ∗∗∗
---------------------------------------------
While following reports on these infections, we stumbled upon a very poorly maintained server connected to a very loud operation named Inter. Upon reverse engineering this server, we found ourselves in conversation with the hackers themselves who revealed much more information about the Inter toolkit operation. This blog post shares some of the findings and explores how digital skimming is evolving into a service.
---------------------------------------------
https://www.perimeterx.com/resources/blog/2020/skimming-as-a-service-anatomy-of-a-magecart-attack-toolkit/


∗∗∗ Microsoft fixes Windows 10 VPN bug with optional special updates ∗∗∗
---------------------------------------------
Microsoft is releasing Windows 10 updates intended to fix an internet access problem, specifically when VPN software is used with proxy configurations.
---------------------------------------------
https://heise.de/-4694177


∗∗∗ Industrial Controllers Still Vulnerable to Stuxnet-Style Attacks ∗∗∗
---------------------------------------------
Researchers demonstrated recently that hackers could launch a Stuxnet-style attack against Schneider Electric’s Modicon programmable logic controllers (PLCs), but it’s believed that products from other vendors could also be vulnerable to the same type of attack.
---------------------------------------------
https://www.securityweek.com/industrial-controllers-still-vulnerable-stuxnet-style-attacks


∗∗∗ FBI Warns of Ongoing Kwampirs Attacks Targeting Global Industries ∗∗∗
---------------------------------------------
A malicious campaign is targeting organizations from a broad range of industries with a piece of malware known as Kwampirs, the Federal Bureau of Investigation warns.
---------------------------------------------
https://www.securityweek.com/fbi-warns-ongoing-kwampirs-attacks-targeting-global-industries


∗∗∗ Beware of prize draws that require credit card details ∗∗∗
---------------------------------------------
Criminals pose as well-known companies and spread fake prize draws via various channels. They lead participants to believe they have won an iPhone 11 Pro, an e-scooter or a Weber grill. However, a shipping fee of 1-3 euros, payable by credit card, is demanded for the prize. Caution: this is a subscription trap. The criminals debit up to 90 euros per month. As for your supposed prize, you [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gewinnspielen-die-kreditkartendaten-erfordern/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin ∗∗∗
---------------------------------------------
On March 23, 2020, our Threat Intelligence team discovered 2 vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site.
---------------------------------------------
https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux-raspi2, linux-raspi2-5.3, and Timeshift).
---------------------------------------------
https://lwn.net/Articles/816368/


∗∗∗ VU#962085: Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/962085


∗∗∗ VU#944837: Vertiv Avocent UMG-4000 vulnerable to command injection and cross-site scripting vulnerabilities ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/944837


∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200108-finesse-xss


∗∗∗ PEPPERL+FUCHS Kr00k vulnerabilities in Broadcom Wi-Fi chipsets ∗∗∗
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2020-014


∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forgery-vulnerability-in-ibm-tivoli-netcool-impact-cve-2020-4237/


∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-linux-kernel-affect-ibm-spectrum-protect-plus-2/


∗∗∗ Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4238) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forgery-vulnerability-in-ibm-tivoli-netcool-impact-cve-2020-4238/


∗∗∗ Security Bulletin: Denial of service vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4236) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerability-in-ibm-tivoli-netcool-impact-cve-2020-4236/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities/


∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in TLS (CVE-2019-6485) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-manager-is-affected-by-a-vulnerability-in-tls-cve-2019-6485/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-kernel-vulnerability-3/


∗∗∗ Security Bulletin: Potential information disclosure vulnerability in IBM Tivoli Netcool Impact (CVE-2020-4239) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-information-disclosure-vulnerability-in-ibm-tivoli-netcool-impact-cve-2020-4239/


∗∗∗ Security Bulletin: Directory Traversal vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4240, CVE-2020-4209) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-vulnerabilities-in-ibm-spectrum-protect-plus-cve-2020-4240-cve-2020-4209/


∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Protect Plus (CVE-2019-15606, CVE-2019-15604, CVE-2019-15605, CVE-2019-9511, CVE-2019-9516, CVE-2019-9512, CVE-2019-9517, CVE-2019-9518, CVE-2019-9515, CVE-2019-9513, CVE-2019-9514) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-spectrum-protect-plus-cve-2019-15606-cve-2019-15604-cve-2019-15605-cve-2019-9511-cve-2019-9516-cve-2019-9512-cve-2019-9517-cve-2019-951/


∗∗∗ Security Bulletin: Buffer overflow vulnerability affecting certain Aspera applications ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-buffer-overflow-vulnerability-affecting-certain-aspera-applications/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily