[CERT-daily] Tageszusammenfassung - 01.10.2020
Daily end-of-shift report
team at cert.at
Thu Oct 1 18:33:29 CEST 2020
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 30-09-2020 18:00 − Donnerstag 01-10-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Über die Verantwortung, die mit guter JavaScript-Unterstützung einhergeht ∗∗∗
---------------------------------------------
Warum Websites und Apps nicht zwangsläufig "ohne JavaScript funktionieren" müssen - aber sie und wir JavaScript verantwortungsvoller verwenden könnten.
---------------------------------------------
https://heise.de/-4907606
∗∗∗ Keine WhatsApp-Nachrichten für Emojis und Smileys teilen! ∗∗∗
---------------------------------------------
Gehäuft werden WhatsApp-Nachrichten von Kriminellen verschickt, die kostenlose Angebote bewerben und zur weiteren Verbreitung auffordern. Derzeit kursiert eine Betrugsnachricht, die neue Emojis für WhatsApp verspricht, wenn sie 20 mal geteilt wird. Die Nachricht ist fake und führt zu weiteren unseriösen Angeboten.
---------------------------------------------
https://www.watchlist-internet.at/news/keine-whatsapp-nachrichten-fuer-emojis-und-smileys-teilen/
∗∗∗ Phishing mit Captchas ∗∗∗
---------------------------------------------
Eine Flut von Phishing-E-Mails mit dem Ziel Microsoft Office 365 setzt Captchas ein, um die Opfer in ein Gefühl der Sicherheit zu wiegen.
---------------------------------------------
https://www.zdnet.de/88383103/phishing-mit-captchas/
∗∗∗ IOCs turning into IOOIs, (Thu, Oct 1st) ∗∗∗
---------------------------------------------
Remember, back in the days, when the anti-virus vendors looked with derision at some of their competition, exclaiming "But they are using just SIGNATURES. Our tool detects BEHAVIOURS". That was like 15 years ago. Fast forward to today, with many of the same vendors now selling "threat intelligence feeds" for good money, and the most frequent attributes pushed over these feeds are MD5/SHA1 hashes and IP addresses. The main thing that changed is that we now call these items [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26624
∗∗∗ Network Detection for ZeroLogon (CVE-2020-1472) ∗∗∗
---------------------------------------------
ZeroLogon has quickly become popular and well known because of multiple proofs of concept and exploits implemented in Python, .NET, Powershell, and Mimikatz implemented a module for it. So if you are an attacker or need to test your environment then you have plenty of options. As defenders, we also have options for detection on the network.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/network-detection-for-zerologon-cve-2020-1472/
∗∗∗ Evasive URLs in Spam: Part 2 ∗∗∗
---------------------------------------------
A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/
∗∗∗ Detecting Microsoft 365 and Azure Active Directory Backdoors ∗∗∗
---------------------------------------------
Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of password spraying, password stuffing, or simple brute force attempts against M365 tenants. In almost all of these incidents, the user or account was not protected by multi-factor authentication (MFA).
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365-azure-active-directory-backdoors.html
∗∗∗ Three immediate steps to take to protect your APIs from security risks ∗∗∗
---------------------------------------------
In one form or another, APIs have been around for years, bringing the benefits of ease of use, efficiency and flexibility to the developer community. The advantage of using APIs for mobile and web apps is that developers can build and deploy functionality and data integrations quickly. API security posture But there is a huge downside to this approach.
---------------------------------------------
https://www.helpnetsecurity.com/2020/10/01/api-security-posture/
∗∗∗ A complete stranger controlled this woman’s home security system, but they’re not the one she’s angry with ∗∗∗
---------------------------------------------
Imagine being contacted by a complete stranger via Facebook, and them telling you that they have complete control over the security system in your new home.
---------------------------------------------
https://www.bitdefender.com/box/blog/iot-news/complete-stranger-controlled-womans-home-security-system-theyre-not-one-shes-angry
∗∗∗ IPStorm botnet expands from Windows to Android, Mac, and Linux ∗∗∗
---------------------------------------------
IPStorm botnet quadruples in size to reach 13,500 infected systems.
---------------------------------------------
https://www.zdnet.com/article/ipstorm-botnet-expands-from-windows-to-android-mac-and-linux/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Flaws Discovered in Popular Industrial Remote Access Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have found critical security flaws in two popular industrial remote access systems that can be exploited to ban access to industrial production floors, hack into company networks, tamper with data, and even steal sensitive business secrets. The flaws, discovered by Tel Aviv-based OTORIO, were identified in B&R Automations SiteManager and GateManager, and MB Connect [...]
---------------------------------------------
https://thehackernews.com/2020/10/industrial-remote-access.html
∗∗∗ Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow ∗∗∗
---------------------------------------------
The vulnerability is caused due to a boundary error in the processing of received FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited to cause a stack-based buffer overflow when a user issues a POST request to connect to a malicious FTP server. Successful exploitation could allow execution of arbitrary code on the affected device or cause denial of service scenario.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php
∗∗∗ Vulnerability Spotlight: Remote code execution bugs in NVIDIA D3D10 driver ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple remote code execution vulnerabilities in the NVIDIA D3D10 driver. This driver supports multiple GPUs that NVIDIA produces. An adversary could exploit these vulnerabilities by supplying the user with a malformed shader, eventually allowing them to execute code on the victim machine. These bugs could also allow the attacker to perform a guest-to-host escape through Hyper-V [...]
---------------------------------------------
https://blog.talosintelligence.com/2020/09/vuln-spotlight-nvidia-d3d10-.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ruby-json-jwt and ruby-rack-cors), Fedora (xen), SUSE (aspell and tar), and Ubuntu (ruby-gon, ruby-kramdown, and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/833191/
∗∗∗ Broken access control in Platinum Mobile ∗∗∗
---------------------------------------------
https://sec-consult.com/./en/blog/advisories/broken-access-control-in-platinum-mobile/
∗∗∗ Red Hat OpenShift: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0946
∗∗∗ Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2020-13935) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat-vulnerabilities-affect-ibm-tivoli-application-dependency-discovery-manager-cve-2020-13935/
∗∗∗ Security Bulletin: IBM Cloud Pak System is affected by a vulnerability in VMware component ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-affected-by-a-vulnerability-in-vmware-component-2/
∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affect-ibm-netcool-agile-service-manager/
∗∗∗ Security Bulletin: App Connect Enterprise Certified Container is affected by multiple Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-is-affected-by-multiple-node-js-vulnerabilities/
∗∗∗ Security Bulletin: A vulnerability in Netty affects IBM Netcool Agile Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-affects-ibm-netcool-agile-service-manager/
∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to an information disclosure vulnerability (CVE-2020-4576) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-an-information-disclosure-vulnerability-cve-2020-4576/
∗∗∗ Security Bulletin: Vulnerability in Apache Commons Codec Affects IBM Sterling Secure Proxy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-commons-codec-affects-ibm-sterling-secure-proxy/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list