Daily summary - 20.08.2018

End-of-Day report

Timeframe: Friday 17-08-2018 18:00 - Monday 20-08-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter

News

The Week in Ransomware - August 17th 2018 - Princess Evolution & Dharma

The biggest news was the release of the Princess Evolution RaaS and a new variant of the Dharma ransomware utilizing the .cmb extension for encrypted files. Otherwise, it was mostly small variants released that will not likely have many victims.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-17th-2018-princess-evolution-and-dharma/


New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles

A new variant of the Matrix Ransomware has been discovered that is renaming encrypted files and then appending the .FOX extension to the file name. Of particular interest, this ransomware could have the most exhaustive process of making sure each and every file is not opened and available for encrypting.

https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-variant-tries-its-best-to-close-all-file-handles/


New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations

Security researchers have discovered a new exploitation technique that they say can bypass the kernel protection measures present in the Windows operating systems.

https://www.bleepingcomputer.com/news/security/new-turning-tables-technique-bypasses-all-windows-kernel-mitigations/


Malspam Campaign Targets Banks Using Microsoft Publisher

It's very unusual for malware authors to utilize publishing software like Microsoft Publisher, which is mainly used for fancy documents and desktop publishing tasks. So when we saw an email sample with a .pub attachment (Microsoft Office Publisher file) and [...]

https://www.trustwave.com/Resources/SpiderLabs-Blog/Malspam-Campaign-Targets-Banks-Using-Microsoft-Publisher/


Fake Plugins with Popuplink.js Redirect to Scam Sites

Since July, we've been observing a massive WordPress infection that is responsible for unwanted redirects to scam and ad sites. This infection involves the tiny.cc URL shortener, a fake plugin that has been called either "index" or "wp_update", and a malicious popuplink.js file.

https://blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-scam-sites.html


Fax vulnerability in HP printers: Mac users remain exposed

Hewlett-Packard is in some cases shipping firmware updates for a serious vulnerability in its multifunction printers only for Windows. There is, however, a workaround.

http://heise.de/-4141384


Firefox add-on "Web Security": developers admit mistake

The Firefox add-on "Web Security" collected too much data and transmitted it unencrypted. That was a mistake, the developers admit, and they promise to do better.

http://heise.de/-4141593


Banker Trojan, "TrickBot", is preparing for the next global outbreak by using new techniques

Recently, 360 Security Center detected a new variant of "TrickBot" banker Trojan. Compared to the previous "TrickBot", the functions of the latest "TrickBot" are all [...]

https://blog.360totalsecurity.com/en/banker-trojan-trickbot-is-preparing-for-the-next-global-outbreak-by-using-new-techniques/

Vulnerabilities

Security updates for Monday

Security updates have been issued by Debian (confuse, jetty9, kamailio, kernel, libxcursor, and mutt), Fedora (blktrace, docker-latest, libgit2, and yubico-piv-tool), Mageia (chromium-browser-stable, flash-player-plugin, kernel, kernel-linus, kernel-tmb, microcode, openslp, and wpa_supplicant), openSUSE (apache2, curl, GraphicsMagick, perl-Archive-Zip, and xen), Oracle (kernel and mariadb), Red Hat (rh-postgresql95-postgresql), Slackware (ntp and samba), SUSE (apache2, curl, kernel, [...]

https://lwn.net/Articles/763045/


IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

http://www.ibm.com/support/docview.wss?uid=swg22016776


IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a systemd vulnerability (CVE-2018-1049)

http://www.ibm.com/support/docview.wss?uid=ibm10728209


Linux kernel vulnerability (FragmentSmack) CVE-2018-5391

https://support.f5.com/csp/article/K74374841


HPESBHF03850 rev.5 - Certain HPE Products using Intel-based Processors, Local Disclosure of Information, Speculative Execution Side Channel Vulnerabilities

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03850en_us