[CERT-daily] Daily summary - 03.09.2020

Daily end-of-shift report team at cert.at
Thu Sep 3 18:12:31 CEST 2020


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 02-09-2020 18:00 − Thursday 03-09-2020 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Microsoft Defender can ironically be used to download malware ∗∗∗
---------------------------------------------
A recent update to Windows 10's Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/


∗∗∗ Sandbox Evasion Using NTP, (Thu, Sep 3rd) ∗∗∗
---------------------------------------------
I'm still hunting for interesting (read: "malicious") Python samples. By reading my previous diaries, you know that I like to find how attackers implement obfuscation and evasion techniques. Like yesterday, I found a Python sample that creates a thread to run a malicious shellcode[1]. But before processing the shellcode, it performs suspicious network traffic: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/26534


∗∗∗ Salfram: Robbing the place without removing your name tag ∗∗∗
---------------------------------------------
By Holger Unterbrink and Edmund Brumaghin. Threat summary: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter.
---------------------------------------------
https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html


∗∗∗ Inter: The Magecart Skimming Tool Now on More than 1,500 Sites ∗∗∗
---------------------------------------------
Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes. However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common and widely used digital skimming solutions globally.
---------------------------------------------
https://www.riskiq.com/blog/external-threat-management/inter-skimmer/


∗∗∗ New Python-scripted trojan malware targets fintech companies ∗∗∗
---------------------------------------------
PyVil RAT is capable of keylogging, taking screenshots and more - and those behind it have gone to great lengths to keep it as under the radar as possible.
---------------------------------------------
https://www.zdnet.com/article/new-python-scripted-trojan-malware-targets-finance-sector/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco security updates: Jabber + crafted message = malicious code ∗∗∗
---------------------------------------------
Cisco has released security updates for, among other products, Jabber, IOS XR and Webex Meetings.
---------------------------------------------
https://heise.de/-4884609


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asyncpg and uwsgi), Mageia (cairo), openSUSE (chromium, kernel, and postgresql10), Red Hat (dovecot and squid:4), SUSE (curl, java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libX11, php7, squid, and xorg-x11-server), and Ubuntu (apport, libx11, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
---------------------------------------------
https://lwn.net/Articles/830496/


∗∗∗ Backdoors left unpatched in MoFi routers ∗∗∗
---------------------------------------------
MoFi Network patched only six of ten reported vulnerabilities, leaving three hard-coded undocumented backdoor systems in place.
---------------------------------------------
https://www.zdnet.com/article/backdoors-left-unpatched-in-mofi-routers/


∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in MySQL. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-developer-portal-is-impacted-by-vulnerabilities-in-mysql/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Information exposure in HTML comments vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-information-exposure-in-html-comments-vulnerability-2/


∗∗∗ Security Bulletin: IBM API Connect's Developer Portal is vulnerable to social engineering attacks (CVE-2020-4337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-developer-portal-is-vulnerable-to-social-engineering-attacks-cve-2020-4337/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Hard-coded passwords vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-hard-coded-passwords-vulnerability-4/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-improper-restriction-of-excessive-authentication-attempts-vulnerability-4/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-oracle-mysql-vulnerability/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-use-of-broken-or-risky-cryptographic-algorithm-vulnerability-2/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Use of Insufficiently Random Value vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-use-of-insufficiently-random-value-vulnerability-3/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-6/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-5/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
