End-of-Day report
Timeframe: Monday 11-11-2019 18:00 - Tuesday 12-11-2019 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Threat Alert: TCP Amplification Attacks
TCP reflection attacks, such as SYN-ACK reflection attacks, have been less popular among attackers until recently. The lack of popularity was mainly due to the wrong assumption that TCP reflection attacks cannot generate enough amplification compared to UDP-based reflections. In general, TCP attacks are low bandwidth and less likely to saturate an internet link.
https://blog.radware.com/security/2019/11/threat-alert-tcp-reflection-attacks/
Tech Support Scammers Exploiting Unpatched Firefox Bug
Mozilla is working on addressing a Firefox bug that has been exploited by tech support scammers to lock the browser when users visit specially crafted websites.
https://www.securityweek.com/tech-support-scammers-exploiting-unpatched-firefox-bug
Netflix: Beware of fraudulent phishing e-mails
Reports of fraudulent e-mails purporting to come from Netflix are currently piling up. The e-mails claim that a problem occurred with payment processing, so Netflix could not debit the subscription fee and has therefore temporarily suspended the account. The criminals ask Netflix users to update their account information. This is phishing!
https://www.watchlist-internet.at/news/netflix-vorsicht-vor-betruegerischen-phishing-mails/
This unusual new ransomware is going after servers
The previously undetected server-encrypting malware has been detailed in research by cyber security analysts at Intezer and IBM X-Force, who've named it PureLocker because it's written in the PureBasic programming language.
...
It's currently uncertain how exactly PureLocker is delivered to victims, but researchers note that more_eggs campaigns begin with phishing emails, so the ransomware attacks could begin in the same way, with the final payload likely to be the final part of a multi-staged attack.
https://www.zdnet.com/article/this-unusual-new-ransomware-is-going-after-servers/
Vulnerabilities
McAfee Patches Privilege Escalation Flaw in Antivirus Software
McAfee patched a security vulnerability discovered in all editions of its Antivirus software for Windows that enables potential attackers to escalate privileges and execute code with SYSTEM privileges.
https://www.bleepingcomputer.com/news/security/mcafee-patches-privilege-escalation-flaw-in-antivirus-software/
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability
A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating system of an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce
Adobe Security Bulletins
Adobe has published security bulletins for Adobe Animate CC (APSB19-34), Adobe Illustrator CC (APSB19-36), Adobe Media Encoder (APSB19-52) and Adobe Bridge CC (APSB19-53).
https://blogs.adobe.com/psirt/?p=1801
Security update: Magento online shops at risk from malicious code attacks
Anyone running an online shop based on Magento software should, for security reasons, install the current version promptly.
https://heise.de/-4584383
Security updates for Tuesday
Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar).
https://lwn.net/Articles/804412/
Synology-SA-19:38 Synology Assistant
A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Assistant.
https://www.synology.com/en-global/support/security/Synology_SA_19_38
SAP Security Patch Day - November 2019
On 12 November 2019, SAP Security Patch Day saw the release of 12 Security Notes. There are 3 updates to previously released Patch Day Security Notes.
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528880390
Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache ActiveMQ vulnerability (CVE-2018-11775)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-an-apache-activemq-vulnerability-cve-2018-11775/
Security Bulletin: Incorrect permissions on restored files and directories on Windows using IBM Spectrum Protect Plus (CVE-2019-4652)
https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-restored-files-and-directories-on-windows-using-ibm-spectrum-protect-plus-cve-2019-4652/
Security Bulletin: Multiple vulnerabilities in Java affect IBM Spectrum Protect Plus
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-java-affect-ibm-spectrum-protect-plus/
Security Bulletin: IBM Tivoli Netcool Impact Configuration and Deployment Management Clickjacking
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-configuration-and-deployment-management-clickjacking/
Security Bulletin: IBM Tivoli Netcool Impact is affected by a jQuery vulnerability (CVE-2015-9251)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-a-jquery-vulnerability-cve-2015-9251/
Security Bulletin: IBM Tivoli Netcool Impact is affected by a jQuery vulnerability (CVE-2019-11358)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-a-jquery-vulnerability-cve-2019-11358/
SSA-686531 (Last Update: 2019-11-12): Hardware based manufacturing access on S7-1200
https://cert-portal.siemens.com/productcert/pdf/ssa-686531.pdf
SSA-616472 (Last Update: 2019-11-12): ZombieLoad and Microarchitectural Data Sampling Vulnerabilities in Industrial Products
https://cert-portal.siemens.com/productcert/pdf/ssa-616472.pdf
SSA-898181 (Last Update: 2019-11-12): Desigo PX Web Remote Denial of Service Vulnerability
https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
SSA-434032 (Last Update: 2019-11-12): Vulnerability in Mentor Nucleus Networking Module
https://cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf
Multiple tcpdump vulnerabilities
https://support.f5.com/csp/article/K44551633