End-of-Day report
Timeframe: Friday 20-07-2018 18:00 - Monday 23-07-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Half a Billion IoT Devices Vulnerable to DNS Rebinding Attacks
Armis, the cyber-security firm that discovered the BlueBorne vulnerabilities in the Bluetooth protocol, warns that nearly half a billion of today's "smart" devices are vulnerable to a decade-old attack known as DNS rebinding.
https://www.bleepingcomputer.com/news/security/half-a-billion-iot-devices-vulnerable-to-dns-rebinding-attacks/
Academics Announce New Protections Against Spectre and Rowhammer Attacks
Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer.
https://www.bleepingcomputer.com/news/security/academics-announce-new-protections-against-spectre-and-rowhammer-attacks/
Weblogic Exploit Code Made Public (CVE-2018-2893), (Fri, Jul 20th)
[UPDATE] We do see the first exploit attempts. The exploit attempts to download additional code from 185.159.128.200. We are still looking at details, but it looks like the code attempts to install a backdoor. The initial exploit came from 5.8.54.27.
https://isc.sans.edu/diary/rss/23896
Maldoc analysis with standard Linux tools, (Sun, Jul 22nd)
I received a malicious Word document (Richiesta.doc MD5 2f87105fea2d4bae72ebc00efc6ede56) with heavily obfuscated VBA code: just a few functional lines of code, the rest is junk code.
https://isc.sans.edu/diary/rss/23900
TA18-201A: Emotet Malware
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.
https://www.us-cert.gov/ncas/alerts/TA18-201A
TeamViewer responds to password leak
The remote maintenance tool TeamViewer is becoming forgetful: in future it will remember passwords for only five minutes, in order to make attacks harder.
http://heise.de/-4118201
Extortion via password theft and masturbation video
Internet users are currently receiving an increasing number of e-mails demanding that they pay money so that a masturbation video, supposedly recorded secretly via their webcam, is not published. To pressure them into paying, an old password of the affected person is also quoted in the e-mail. Recipients of the message should change their passwords but under no circumstances pay the money, because the masturbation videos do not exist.
https://www.watchlist-internet.at/news/erpressung-durch-passwortdiebstahl-und-masturbationsvideo/
Do not shop at the fake shop fitolino.net
The online shop fitolino.net sells cheap household and garden products. Consumers who buy from this vendor lose their money: despite payment, no goods are delivered. In addition, the criminals then hold their victims' data, which they can use for crimes committed under false identities.
https://www.watchlist-internet.at/news/nicht-im-fake-shop-fitolinonet-einkaufen/
Vulnerabilities
National Instruments Linux Driver Remote Code Injection
Topic: National Instruments Linux Driver Remote Code Injection Risk: High Text: Hello folks, I've recently discovered a critical vulnerability in the National Instruments Linux driver package, which open [...]
https://cxsecurity.com/issue/WLB-2018070204
OpenSSL vulnerability CVE-2018-0732
OpenSSL vulnerability CVE-2018-0732. Security Advisory Description: During key agreement in a TLS [...]
https://support.f5.com/csp/article/K21665601
Security updates for Monday
Security updates have been issued by Arch Linux (apache, networkmanager-vpnc, and znc), Debian (gosa, opencv, and slurm-llnl), Fedora (evolution, evolution-data-server, evolution-ews, gnome-bluetooth, libtomcrypt, podman, python-cryptography, and rust), Gentoo (passenger), Red Hat (java-1.8.0-openjdk and openslp), Slackware (php), SUSE (openssl-1_1, procps, python, rsyslog, rubygem-passenger, and xen), and Ubuntu (mutt).
https://lwn.net/Articles/760583/
Synology-SA-18:37 Photo Station
A vulnerability allows remote attackers to hijack web sessions via a susceptible version of Synology Photo Station.
https://www.synology.com/en-global/support/security/Synology_SA_18_37
VU#304725: Bluetooth implementations may not sufficiently validate elliptic curve parameters during Diffie-Hellman key exchange
http://www.kb.cert.org/vuls/id/304725
Bugtraq: Sourcetree - Remote Code Execution vulnerabilities - CVE-2018-11235
http://www.securityfocus.com/archive/1/542174
Apache Tomcat: Multiple vulnerabilities allow, among other things, the acquisition of user privileges
https://adv-archiv.dfn-cert.de/adv/2018-1443/
Apple macOS: Multiple vulnerabilities allow, among other things, complete system takeover
https://adv-archiv.dfn-cert.de/adv/2018-1059/
IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private
http://www-01.ibm.com/support/docview.wss?uid=ibm10716653
IBM Security Bulletin: A Security Vulnerability affects IBM® Cloud Private (CVE-2018-8012)
http://www-01.ibm.com/support/docview.wss?uid=ibm10716659
IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private (CVE-2017-3738, CVE-2017-3736)
https://www-prd-trops.events.ibm.com/node/716657
IBM Security Bulletin: Rational Software Architect Design Manager is vulnerable to cross-site scripting (CVE-2018-1400)
http://www-01.ibm.com/support/docview.wss?uid=ibm10717617
RSA Archer Flaws Let Remote Authenticated Users Conduct Cross-Site Scripting Attacks and Gain Elevated Privileges via a REST API
http://www.securitytracker.com/id/1041359