[CERT-daily] Daily summary - 10.11.2020
Daily end-of-shift report
team at cert.at
Tue Nov 10 19:48:22 CET 2020
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-11-2020 18:00 - Tuesday 10-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ PLATYPUS - With Great Power comes Great Leakage ∗∗∗
---------------------------------------------
With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processor's power consumption to infer data and extract cryptographic keys.
---------------------------------------------
https://platypusattack.com/
∗∗∗ wetransfer.com: How to use the free service safely ∗∗∗
---------------------------------------------
wetransfer.com is a popular service for sharing many files or folders for free and without hassle. However, we advise caution when receiving an e-mail from wetransfer.com, because criminals send phishing e-mails or dangerous e-mails carrying malware styled after the file transfer service's design. So: check first, then click!
---------------------------------------------
https://www.watchlist-internet.at/news/wetransfercom-so-nutzen-sie-den-kostenlosen-dienst-sicher/
∗∗∗ Sudden discontinuation: Avira to end its business security products at the end of 2021 ∗∗∗
---------------------------------------------
Avira is currently notifying business customers of the discontinuation of its B2B division: existing licences will accordingly lose their validity on 01.01.22.
---------------------------------------------
https://heise.de/-4952577
∗∗∗ Microsoft Teams Users Under Attack in 'FakeUpdates' Malware Campaign ∗∗∗
---------------------------------------------
Microsoft warns that cybercriminals are using Cobalt Strike to infect entire networks beyond the infection point, according to a report.
---------------------------------------------
https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/
∗∗∗ Code Comments Reveal SCP-173 Malware ∗∗∗
---------------------------------------------
We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code - for example, a short description of a feature or functionality for other developers to reference. Oftentimes, hackers aren’t interested in leaving comments describing how their injected malware works. Instead, they use code comments to add unique identifiers to reference aliases, quotes, threat groups, or sometimes even memes.
---------------------------------------------
https://blog.sucuri.net/2020/11/code-comments-reveal-scp-173-malware.html
∗∗∗ WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques ∗∗∗
---------------------------------------------
Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW (Windows on Windows) system was coined. This layer, which will be referred to as 'WOW64' from here on out, is responsible for translating all Windows API calls from 32-bit userspace to the 64-bit operating system.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html
∗∗∗ Snakes and Ladder Logic ∗∗∗
---------------------------------------------
A click to a reverse shell in OpenPLC and ladder logic OR Why you shouldn't run everything as root in PLCs and RTUs.
---------------------------------------------
https://www.pentestpartners.com/security-blog/snakes-and-ladder-logic/
∗∗∗ Npm package caught stealing sensitive Discord and browser files ∗∗∗
---------------------------------------------
Malicious code was found hidden inside a JavaScript library named Discord.dll.
---------------------------------------------
https://www.zdnet.com/article/npm-package-caught-stealing-sensitive-discord-and-browser-files/
∗∗∗ IoT security is a mess. These guidelines could help fix that ∗∗∗
---------------------------------------------
New guidelines from ENISA recommend that all stages of the IoT device lifecycle need to be considered to help ensure devices are secure.
---------------------------------------------
https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Ultimate Member plug-in endangers WordPress sites ∗∗∗
---------------------------------------------
Admin vulnerabilities in the Ultimate Member plug-in threaten more than 100,000 WordPress websites. A patched version is available.
---------------------------------------------
https://heise.de/-4952685
∗∗∗ Remote code execution vulnerability in Firefox, Firefox ESR and Thunderbird ∗∗∗
---------------------------------------------
Mozilla has closed a critical vulnerability in its web browsers and its mail client.
---------------------------------------------
https://heise.de/-4953356
∗∗∗ SAP Patchday November 2020 ∗∗∗
---------------------------------------------
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K20-1090
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Connect (APSB20-69) and Adobe Reader Mobile (APSB20-71). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided "AS IS" with no warranties and confers no rights.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1942
∗∗∗ Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper resource allocation when an affected device processes network traffic in software switching mode (punted).
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cp-dos-ej8VB9QY
∗∗∗ SSA-492828: Denial-of-Service Vulnerability in SIMATIC S7-300 CPUs and SINUMERIK Controller ∗∗∗
---------------------------------------------
A vulnerability in S7-300 might allow an attacker to cause a Denial-of-Service condition on port 102 of the affected devices by sending specially crafted packets. Siemens is preparing updates and recommends specific countermeasures until fixes are available.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-492828.txt
∗∗∗ SSA-431802: Multiple Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
Siemens SCALANCE W1750D is a brand-labeled device. Aruba has released a related security advisory (ARUBA-PSA-2016-004) [0] disclosing vulnerabilities in its Aruba Instant product line. The advisory contains multiple related vulnerabilities that are summarized in CVE-2016-2031.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-431802.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (moin, obfs4proxy, tcpdump, and zeromq3), Fedora (samba), Mageia (lout, openldap, pacemaker, samba, sddm, and spice, spice-gtk), openSUSE (bluez, ImageMagick, java-1_8_0-openj9, otrs, and wireshark), Red Hat (bind, buildah, curl, fence-agents, kernel, kernel-rt, kpatch-patch, librepo, libvirt, podman, python, python3, qt and qt5-qtbase, resource-agents, skopeo, tomcat, and unixODBC), SUSE (gcc10, python3, SDL, and zeromq), and Ubuntu (libexif).
---------------------------------------------
https://lwn.net/Articles/836770/
∗∗∗ IPAS: Security Advisories for November 2020 ∗∗∗
---------------------------------------------
Hello, It’s the second Tuesday in November and today we are releasing 40 security advisories. If this seems like a large number of advisories for Intel to be releasing, you’re right. However, there are two primary reasons for this. First, as I mentioned in August, we are aligning public disclosures, as much as possible, to [...]
---------------------------------------------
https://blogs.intel.com/technology/2020/11/ipas-security-advisories-for-november-2020/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily