End-of-Day report
Timeframe: Thursday 19-07-2018 18:00 - Friday 20-07-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
News
Calisto Trojan for macOS
As researchers we are interested in developmental prototypes of malware that have had limited distribution or have not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.
https://securelist.com/calisto-trojan-for-macos/86543/
Reporting Malicious Websites in 2018, (Thu, Jul 19th)
Back in 2010 I wrote up a quick diary on how to report malicious websites at the end of your incident response process (https://isc.sans.edu/forums/diary/How+Do+I+Report+Malicious+Websites/8719/). John C, a reader, asked for an update. Let's see how much has changed in the past 8 years...
https://isc.sans.edu/diary/rss/23892
Security updates: VMware Horizon View Agent could leak credentials
Important patches close security holes in various VMware applications.
http://heise.de/-4116871
TLS 1.2: Client certificates as a tracking trap
Combined with TLS 1.2, client certificates can be abused for tracking. This would, for example, have allowed the activities of millions of iPhone users to be followed.
http://heise.de/-4117357
The danger of third parties: ads, pipelines, and plugins
We take a look at the perils of the tools and services embedded into the websites you use on a daily basis, thanks to the development help of third parties.
https://blog.malwarebytes.com/101/2018/07/third-party-dangers-ads-pipelines-and-plugins/
Hunting for Bad Apples - Part 2
In the previous post in this series, I introduced the use case of an attacker persisting via a LaunchAgent/Daemon, and a few osquery queries to detect such activity. In this post, I will discuss hunting for activity resulting from attackers using the tactic of defense evasion on MacOS systems, and corresponding techniques.
https://posts.specterops.io/hunting-for-bad-apples-part-2-6f2d01b1f7d3
Vulnerabilities
AVEVA InduSoft Web Studio and InTouch Machine Edition
This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in AVEVA's InduSoft Web Studio and InTouch Machine Edition.
https://ics-cert.us-cert.gov/advisories/ICSA-18-200-01
AVEVA InTouch
This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in AVEVA's InTouch HMI software.
https://ics-cert.us-cert.gov/advisories/ICSA-18-200-02
Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600
This advisory includes mitigation recommendations for information exposure, authentication bypass using an alternate path or channel, unprotected storage of credentials, and cleartext transmission of sensitive information vulnerabilities in the Echelon SmartServer 1, SmartServer 2, i.LON 100, and i.LON 600 products.
https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03
HPESBHF03864 rev.1 - HPE Intelligent Management Center (iMC PLAT), Remote Code Execution
A security vulnerability exists in HPE Intelligent Management Center (iMC) PLAT 7.3 E0506P07. The vulnerability could be exploited to allow remote execution of code.
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03864en_us
Security updates for Friday
Security updates have been issued by Debian (dnsmasq, linux-base, and openjpeg2), Fedora (libgit2, libtomcrypt, openslp, and perl-Archive-Zip), and openSUSE (gdk-pixbuf, libopenmpt, mercurial, perl, php7, polkit, and rsyslog).
https://lwn.net/Articles/760450/
Sophos UTM: Multiple vulnerabilities allow, among other things, a denial-of-service attack
https://adv-archiv.dfn-cert.de/adv/2018-1441/
Foxit Reader, Foxit PhantomPDF: Multiple vulnerabilities allow, among other things, execution of arbitrary code
https://adv-archiv.dfn-cert.de/adv/2018-1434/
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in Libidn2 (CVE-2017-14062)
http://www-01.ibm.com/support/docview.wss?uid=ibm10717427
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2017-12133)
http://www-01.ibm.com/support/docview.wss?uid=ibm10717425
IBM Security Bulletin: Vulnerability in OpenSSH affects IBM SAN Volume Controller, IBM Storwize and IBM FlashSystem products (CVE-2016-10708)
http://www.ibm.com/support/docview.wss?uid=ibm10717661
IBM Security Bulletin: Malformed message headers could cause message transmission to be blocked through channels resulting in denial of service in IBM MQ (CVE-2018-1503)
http://www.ibm.com/support/docview.wss?uid=swg22015617
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerabilities in GNU C Library
http://www-01.ibm.com/support/docview.wss?uid=ibm10717429
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerabilities in libxml/libxml2
http://www-01.ibm.com/support/docview.wss?uid=ibm10717431
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerabilities in dhcp
http://www.ibm.com/support/docview.wss?uid=ibm10717433
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in Ncurses (CVE-2017-13733)
http://www-01.ibm.com/support/docview.wss?uid=ibm10717423
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in cURL/libcURL (CVE-2016-7141)
http://www-01.ibm.com/support/docview.wss?uid=ibm10717421