End-of-Day report
Timeframe: Friday 15-11-2019 18:00 - Monday 18-11-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
New NextCry Ransomware Encrypts Data on NextCloud Linux Servers
On October 24, Nextcloud released an urgent alert about a remote code execution vulnerability that impacts the default Nextcloud NGINX configuration. Tracked as CVE-2019-11043, the flaw is in the PHP-FPM (FastCGI Process Manager) component, included by some hosting providers like Nextcloud in their default setup. A public exploit exists and has been leveraged to compromise servers.
https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/
PowerShell ConstrainedLanguage Mode
Guest post by milCERT - Philipp Thaller and Stefan Bachmair - Analysis of current malware showed that many of the current samples (including Emotet) depend on PowerShell to unfold their malicious potential. If PowerShell is restricted accordingly, execution of the actual malicious code is often not possible at all.
https://cert.at/de/blog/2019/11/201911-powershell-constrainedlanguage
Willhaben warns of fraudulent phishing SMS
Anyone who receives an SMS with payment information from the sales platform Willhaben should under no circumstances click the link.
https://futurezone.at/apps/willhaben-warnt-vor-betruegerischer-phishing-sms/400678661
pax: Exploit padding oracles for fun and profit
Pax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to:
- Obtain plaintext for a given piece of CBC encrypted data.
- Obtain encrypted bytes for a given piece of plaintext, using the unknown encryption algorithm used by the oracle.
https://github.com/liamg/pax
RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients
In this blog post I will describe the process I followed to write a tool that will extract clear-text credentials from the Microsoft RDP client using API hooking. Using this approach, if you are already operating under the privileges of the compromised user (e.g. as a result of a phish) and the user has an RDP session open, you are able to extract the clear-text credentials without privilege escalation.
https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-from-remote-desktop-clients/
Medica 2019: BSI guide on the cyber security of medical devices
In the context of secure digitalisation in the healthcare sector, the Federal Office for Information Security (BSI) has published a new guide, "Sicherheit von Medizinprodukten - Leitfaden zur Nutzung des MDS2 aus 2019" (on using the Manufacturer Disclosure Statement for Medical Device Security), at the "Medica" trade fair in Düsseldorf.
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Leitfaden_Med-Produkte_231019.html
Google patches 'awesome' XSS vulnerability in Gmail dynamic email feature
The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering.
https://www.zdnet.com/article/google-patches-awesome-xss-vulnerability-in-gmail/
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa).
https://lwn.net/Articles/805083/
Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2019-4096)
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerability-in-websphere-application-server-liberty-affects-ibm-spectrum-protect-operations-center-cve-2019-4096/