Daily summary - 04.12.2018

End-of-Day report

Timeframe: Monday 03-12-2018 18:00 - Tuesday 04-12-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

KoffeyMaker: notebook vs. ATM

Kaspersky Lab's experts investigated one such toolkit, dubbed KoffeyMaker, in 2017-2018, when a number of Eastern European banks turned to us for assistance after their ATMs were quickly and almost freely raided. It soon became clear that we were dealing with a black box attack.

https://securelist.com/koffeymaker-notebook-vs-atm/89161/


SamSam Ransomware

Original release date: December 03, 2018. The Department of Homeland Security and the Federal Bureau of Investigation have identified cyber threat actors using SamSam ransomware (also known as MSIL/SAMAS.A) to target industries in the United States and worldwide. NCCIC encourages users and administrators to review Alert AA18-337A: SamSam Ransomware and Malware Analysis Reports AR18-337A, AR18-337B, AR18-337C, and AR18-337D for more information.

https://www.us-cert.gov/ncas/current-activity/2018/12/03/SamSam-Ransomware


App Store fraud with Touch ID devices

Various developers are trying to trick users into buying expensive in-app offers by means of "fingerprint theft". Apple is responding.

http://heise.de/-4239342


Kubernetes: critical update for container orchestration

Kubernetes contains a dangerous security vulnerability that allows unauthenticated attackers to execute code with admin rights in the cluster.

http://heise.de/-4240804


Local authorities receive forged business correspondence

Fraudsters write to local authorities (federal, state and municipal bodies) posing as business partners of the federal government, the states or the municipalities. They invent a reason that supposedly makes it necessary for them to receive the copy of the contract for a legal transaction. Into this copy they insert new bank details and demand that payment be transferred to a new account. Civil servants and contract staff who carry out the transaction end up transferring money to criminals.

https://www.watchlist-internet.at/news/gebietskoerperschaften-erhalten-gefaelschte-geschaeftskorrespondenz/


In Latest Magecart Evolution, Group 11 Stole More Than Just Card Data From Vision Direct

Since we began reporting on online card skimming, we have noted consistent evolutions in modus operandi of the various Magecart groups, and even the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we reported on in our recent report "Inside Magecart."

https://www.riskiq.com/blog/labs/magecart-vision-direct/

Vulnerabilities

Android Security Bulletin - December 2018

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2018-12-05 or later address all of these issues.

https://source.android.com/security/bulletin/2018-12-01.html


Vulnerability Spotlight: Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability

Today, Cisco Talos is disclosing a command injection vulnerability in Netgate pfSense system_advanced_misc.php powerd_normal_mode. pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more. In accordance with our coordinated disclosure policy, Cisco Talos worked with Netgate to ensure that these issues are resolved and that an update is [...]

https://blog.talosintelligence.com/2018/12/Netgate-pfsense-command-injection-vulns.html


Security updates for Tuesday

Security updates have been issued by Fedora (glibc, qemu, and tmux), Mageia (messagelib), Oracle (ghostscript), Red Hat (ghostscript, OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, OpenShift Container Platform 3.2, OpenShift Container Platform 3.3, OpenShift Container Platform 3.4, OpenShift Container Platform 3.5, OpenShift Container Platform 3.6, and OpenShift Container Platform 3.8), Slackware (mozilla), and Ubuntu (linux, linux-gcp, linux-kvm, linux-raspi2, linux-hwe, [...]

https://lwn.net/Articles/773826/


Cisco Energy Management Suite Default PostgreSQL Password Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181204-ems-sql-passwrd


TMM vulnerability CVE-2018-5535

https://support.f5.com/csp/article/K19634255


IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2018 - Includes Oracle Oct 2018 CPU affects IBM Tivoli Composite Application Manager for Transactions - Robotic Response Time

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2018-includes-oracle-oct-2018-cpu-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/


IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities/


IBM Security Bulletin: IBM WebSphere Portal

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-15/


IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Cloud App Management V2018

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-affect-ibm-cloud-app-management-v2018/


IBM Security Bulletin: Transparent Cloud Tiering

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-14/


IBM Security Bulletin: IBM QRadar SIEM is vulnerable to XML External Entity Injection (CVE-2018-1730)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vulnerable-to-xml-external-entity-injection-cve-2018-1730/


IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Cross-Site Scripting (CVE-2018-1728)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vulnerable-to-cross-site-scripting-cve-2018-1728/


IBM Security Bulletin: QRadar Advisor with Watson

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-13/


IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to publicly disclosed vulnerability. (CVE-2018-8034, CVE-2018-8037)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-tomcat-as-used-in-ibm-qradar-siem-is-vulnerable-to-publicly-disclosed-vulnerability-cve-2018-8034-cve-2018-8037/


IBM Security Bulletin: Apache PDFBox as used in IBM QRadar Incident Forensics is vulnerable to Publicly disclosed vulnerability. (CVE-2018-8036)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-pdfbox-as-used-in-ibm-qradar-incident-forensics-is-vulnerable-to-publicly-disclosed-vulnerability-cve-2018-8036/