Daily summary - 06.07.2018

End-of-Day report

Timeframe: Thursday 05-07-2018 18:00 - Friday 06-07-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter

News

HNS Botnet Recent Activities

Author: Rootkiter, yegenshen

HNS is an IoT botnet (Hide and Seek) originally discovered by BitDefender in January this year. In that report, the researchers pointed out that HNS used CVE-2016-10401 and other vulnerabilities to propagate malicious code and steal user information. The HNS communicates through the P2P mechanism, which is [...]

http://blog.netlab.360.com/hns-botnet-recent-activities-en/


CoinImp Cryptominer and Fully Qualified Domain Names

We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period). E.g. "www.example.com", where "www" is a subdomain, "example" is a second level domain, and "com" is a top level domain. However, very few know that there is also a DNS root domain and it can be also specified in the fully qualified domain names.

https://blog.sucuri.net/2018/07/coinimp-cryptominer-and-fully-qualified-domain-names.html


Malware undermines the Windows certificate system

More and more Trojans install their own root CAs in Windows in order to sign their malware or manipulate web page requests.

http://heise.de/-4100993


Apple patches Wi-Fi vulnerabilities on Macs running Windows

An update is intended to fix two attack vectors in the Boot Camp drivers that allow Macs to run the Microsoft operating system.

http://heise.de/-4102490


Data breach at Domainfactory: hacker breaks into systems, makes off with customer data

The systems of the hosting provider Domainfactory were evidently compromised by a hacker who now has access to sensitive customer data.

http://heise.de/-4102881


IT security - Customer data stolen from electronics retailers e-tec and Ditech

Old passwords have expired and must be reset; payment data for credit cards and bank accounts are not affected

https://derstandard.at/2000082932960/Elektronikhaendler-e-tec-und-Ditech-wurden-Kundendaten-gestohlen


What is it that Makes a Microsoft Executable a Microsoft Executable?

What exactly is it that separates arbitrary code from code that originates from Microsoft? I would wager that the reaction of most people would be to claim, "well... if it's signed by Microsoft, then it comes from Microsoft. What else is there to talk about?"

https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e

Vulnerabilities

Cisco 5000 Series Enterprise Network Compute System and Cisco UCS E-Series Servers BIOS Authentication Bypass Vulnerability

A vulnerability in BIOS authentication management of Cisco 5000 Series Enterprise Network Compute System and Cisco Unified Computing (UCS) E-Series Servers could allow an unauthenticated, local attacker to bypass the BIOS authentication and execute actions as an unprivileged user.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-encs-ucs-bios-auth-bypass


WordPress 4.9.7 Security and Maintenance Release

WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.

https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/


Stored XSS under CA and CRL certificate view page

JavaScript code and HTML tags can be injected into the CN value of CA and CRL certificates via the import CA and CRL certificates feature of the GUI. The injected code may be executed when the GUI administrator views the CA certificate details or browses CRL certificates, at which point the CN values are rendered.

https://fortiguard.com/psirt/FG-IR-17-305


Security updates for Friday

Security updates have been issued by Debian (dokuwiki, libsoup2.4, mercurial, php7.0, and phpmyadmin), Fedora (ant, gnupg, libgit2, and libsoup), openSUSE (cairo, git-annex, postgresql95, and zsh), Scientific Linux (firefox), Slackware (mozilla), SUSE (nodejs6 and rubygem-yard), and Ubuntu (AMD microcode, devscripts, and firefox).

https://lwn.net/Articles/759212/


2018-07-06: Vulnerability in Panel Builder 800 - Improper Input Validation

http://search-ext.abb.com/library/Download.aspx?DocumentID=3BSE092089&LanguageCode=en&DocumentPartId=&Action=Launch


IBM Security Bulletin: IBM API Connect is impacted by a resource leakage vulnerability (CVE-2018-1548)

http://www.ibm.com/support/docview.wss?uid=swg22017136


IBM Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities

https://www-01.ibm.com/support/docview.wss?uid=swg22017003


IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability

http://www-01.ibm.com/support/docview.wss?uid=swg22016892


IBM Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities

http://www-01.ibm.com/support/docview.wss?uid=swg22016895


IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale

https://www-01.ibm.com/support/docview.wss?uid=ibm10716005


IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM)

http://www.ibm.com/support/docview.wss?uid=swg22015940


IBM Security Bulletin: Vulnerability in IBM® Java SDK affects IBM SPSS Analytic Server (CVE-2018-2602, CVE-2018-2634)

https://www-prd-trops.events.ibm.com/node/715345


IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server

https://www.ibm.com/support/docview.wss?uid=ibm10713469


PEPPERL+FUCHS Security advisory for MELTDOWN and SPECTRE attacks in ecom mobile Devices

https://cert.vde.com/de-de/advisories/vde-2018-009


PEPPERL+FUCHS Remote Code Execution Vulnerability in HMI Devices

https://cert.vde.com/de-de/advisories/vde-2018-008