Daily summary - 23.10.2018

End-of-Day report

Timeframe: Monday 22-10-2018 18:00 - Tuesday 23-10-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

Malicious Powershell using a Decoy Picture

I found another interesting piece of malicious Powershell while hunting. The file size is 1.3MB and most of the file is a PE file Base64 encoded. You can immediately detect it by checking the first characters of the string: [...]

https://isc.sans.edu/forums/diary/Malicious+Powershell+using+a+Decoy+Picture/24234/


Patch now! Scanners and exploits for critical libssh flaw have surfaced

As the risk of attack is growing, admins should promptly install the current libssh version on their servers.

http://heise.de/-4198976


Serverless botnets could soon become reality

We have been accustomed to think about botnets as a network of compromised machines - personal devices, IoT devices, servers - waiting for their masters' orders to begin their attack, but Protego researchers say that many compromised machines are definitely not a requirement: botnets can quite as easily be comprised of serverless functions.

https://www.helpnetsecurity.com/2018/10/23/serverless-botnets/


Who Is Agent Tesla?

A powerful, easy-to-use password stealing program known as Agent Tesla has been infecting computers since 2014, but recently this malware strain has seen a surge in popularity - attracting more than 6,300 customers who pay monthly fees to license the software. Although Agent Tesla includes a multitude of features designed to help it remain undetected on host computers, the malware's apparent creator seems to have done little to hide his real-life identity.

https://krebsonsecurity.com/2018/10/who-is-agent-tesla/


Fraud involving a Euro lottery system & Goggins-Transport

Consumers receive a fraudulent e-mail claiming that they have won 97,000 euros in a Euro lottery system. They are told to pay money to Goggings-Transport so that the prize can be paid out. Further payment demands follow. With every payment the victim loses money, because the prize does not exist.

https://www.watchlist-internet.at/news/betrug-mit-euro-lottosystem-goggins-transport/


Konsolen-kobold.de does not deliver any goods!

Do not buy from konsolen-kobold.de. The PlayStations, Xboxes, Nintendos and games offered there are temptingly cheap, but they are never delivered! Payment is by advance transfer, so your money is gone.

https://www.watchlist-internet.at/news/konsolen-koboldde-liefert-keine-ware/


CVE-2018-8414: A Case Study in Responsible Disclosure

The process of vulnerability disclosure can be riddled with frustrations, concerns about ethics, and communication failure. I have had tons of bugs go well. I have had tons of bugs go poorly.

https://posts.specterops.io/cve-2018-8414-a-case-study-in-responsible-disclosure-ff74c39615ba

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by CentOS (java-1.8.0-openjdk), Fedora (mosquitto), openSUSE (binutils, clamav, exiv2, fuse, haproxy, singularity, and zziplib), Slackware (firefox), SUSE (apache-pdfbox, net-snmp, pam_pkcs11, postgresql94, rpm, tiff, and wireshark), and Ubuntu (kernel, libssh, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, net-snmp, paramiko, requests, and texlive-bin).

https://lwn.net/Articles/769300/


IBM Security Bulletin: IBM BladeCenter Switch Modules are affected by information disclosure vulnerability (CVE-2014-8730)

https://www-01.ibm.com/support/docview.wss?uid=ibm10736107


IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSLP (CVE-2017-17833)

http://www.ibm.com/support/docview.wss?uid=ibm10735359


IBM Security Bulletin: Vulnerabilities in GNU OpenSSL affect IBM Netezza Analytics

https://www-01.ibm.com/support/docview.wss?uid=ibm10734825


IBM Security Bulletin: IBM WebSphere Commerce could allow a remote attacker to obtain sensitive information (CVE-2018-1811)

https://www-01.ibm.com/support/docview.wss?uid=ibm10735589


IBM Security Bulletin: An Information Disclosure Vulnerability affects WebSphere Commerce (CVE-2018-1809)

https://www-01.ibm.com/support/docview.wss?uid=ibm10732972


IBM Security Bulletin: An authenticated open redirect vulnerability affects IBM WebSphere Commerce Accelerator Tool (CVE-2018-1807)

https://www-01.ibm.com/support/docview.wss?uid=ibm10735581


IBM Security Bulletin: An Information Disclosure Vulnerability affects WebSphere Commerce (CVE-2018-1806)

https://www-01.ibm.com/support/docview.wss?uid=ibm10733149


IBM Security Bulletin: A cross site scripting vulnerability affects IBM WebSphere Commerce Accelerator tool (CVE-2018-1541)

https://www-01.ibm.com/support/docview.wss?uid=ibm10731225


IPsec IKEv1 vulnerability CVE-2018-5389

https://support.f5.com/csp/article/K42378447


Linux kernel vulnerability CVE-2018-14634

https://support.f5.com/csp/article/K20934447