Daily summary - 03.12.2019

End-of-Day report

Timeframe: Monday 02-12-2019 18:00 - Tuesday 03-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a

News

Strandhogg: Android vulnerability is being actively exploited

On Android, malicious apps can disguise themselves as legitimate apps and request additional permissions. The vulnerability, named Strandhogg, is already being actively exploited and lends itself, for example, to banking trojans. There is no patch. ... The security firm Lookout has already identified 36 apps that exploit the vulnerability. However, the firm does not name the affected apps. Some of them were reportedly also found in the Google Play Store, but they did not contain the malware itself; instead they downloaded it only after installation, so-called dropper apps. After being notified, Google removed the affected apps from the Play Store.

https://www.golem.de/news/strandhogg-sicherheitsluecke-in-android-wird-aktiv-ausgenutzt-1912-145322-rss.html


Network traffic analysis for Incident Response (IR): TLS decryption

Over the years, the use of TLS has grown dramatically, with over half of websites using HTTPS by default. However, situations exist where it is useful to be able to decrypt this traffic. For example, many organizations perform deep packet inspection (DPI) in order to detect and block potentially malicious traffic.

https://resources.infosecinstitute.com/network-traffic-analysis-for-incident-response-ir-tls-decryption/


Another Fake Google Domain: fonts[.]googlesapi[.]com

Our Remediation team lead Ben Martin recently found a fake Google domain that is pretty convincing to the naked eye. The malicious domain was abusing the URL shortener service is.gd: shortened URLs were being injected into the posts table of the client's WordPress database. Whenever the infected WordPress page loads, the actual content is obscured behind the is.gd shortener, which obtains content from the fake Google domain: fonts[.]googlesapi[.]com

https://blog.sucuri.net/2019/12/another-fake-google-domain-fonts-googlesapi-com.html


Ursnif infection with Dridex

Today's diary reviews an Ursnif infection from this campaign that I generated in my lab environment on Monday, December 2nd.

https://isc.sans.edu/diary/rss/25566


A call from Microsoft? Hang up immediately!

Criminals pose as Microsoft employees and tell worried users that their computer is infected with a trojan. Using this pretext, the criminals try to gain access to the computer and then steal sensitive credentials or delete valuable data. This is a scam: Microsoft would never call anyone personally!

https://www.watchlist-internet.at/news/anruf-von-microsoft-legen-sie-sofort-auf/


A decade of malware: Top botnets of the 2010s

ZDNet goes over the list of biggest malware botnets of the past decade, from Necurs to Mirai.

https://www.zdnet.com/article/a-decade-of-malware-top-botnets-of-the-2010s/

Vulnerabilities

Multiple MOTEX products vulnerable to privilege escalation

LanScope Cat and LanScope An provided by MOTEX Inc. contain a privilege escalation vulnerability. A user who can log in to the PC where the vulnerable product is installed may obtain unauthorized privileges and execute arbitrary code.

https://jvn.jp/en/jp/JVN49068796/


Patch day: Google serves up security patches for Android and its Pixel series

Various Android versions can be attacked via critical security vulnerabilities. Security updates are now available.

https://heise.de/-4602506


Multiple vulnerabilities in Fronius Solar Inverter Series (CVE-2019-19229, CVE-2019-19228)

The vendor automatically performed a fleet update of the solar inverters in the field in order to patch them. Nevertheless, as not all devices could be reached through such an update, all remaining users are advised to install the patches provided by the vendor immediately. (CVE-2019-19229, CVE-2019-19228)

https://sec-consult.com/en/blog/advisories/multiple-vulnerabilites-in-fronius-solar-inverter-series-cve-2019-19229-cve-2019-19228/


Vulnerability Spotlight: Two vulnerabilities in EmbedThis GoAhead

EmbedThis' GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multipart/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition.

https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-EmbedThis-GoAhead.html


Vulnerability Spotlight: Accusoft ImageGear PNG IHDR width code execution vulnerability

Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document-imaging developer toolkit from Accusoft that developers can use to build their applications; the library covers the entire document imaging lifecycle.

https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-accusoft-PNG-dec-19.html


Vulnerability Spotlight: SQL injection vulnerabilities in Forma Learning Management System

Cisco Talos recently discovered three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization.

https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-sql-injection-dec-19.html


Security updates for Tuesday

Security updates have been issued by Arch Linux (intel-ucode and libtiff), Debian (exiv2), Oracle (SDL), Red Hat (kernel, patch, and python-jinja2), and Ubuntu (graphicsmagick, linux, linux-aws, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp...)

https://lwn.net/Articles/806202/


Kaspersky Internet Security: Vulnerability allows execution of arbitrary code with the privileges of the service

A local attacker can exploit a vulnerability in Kaspersky Internet Security and Kaspersky Total Security to execute arbitrary code with the privileges of the service.

http://www.cert-bund.de/advisoryshort/CB-K19-1035


Trend Micro Internet Security: Vulnerability allows privilege escalation

A remote, anonymous attacker can exploit a vulnerability in Trend Micro Internet Security and Trend Micro AntiVirus to escalate their privileges.

http://www.cert-bund.de/advisoryshort/CB-K19-1034


Security Bulletin: IBM Cloud Pak System is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-vulnerable-to-intel-microarchitectural-data-sampling-mds-vulnerabilites/


Security Bulletin: Vulnerability in Google Guava affects IBM Cloud Pak System (CVE-2018-10237)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-google-guava-affects-ibm-cloud-pak-system-cve-2018-10237/


Security Bulletin: Vulnerability from Apache HttpComponents affects IBM Cloud Pak System (CVE-2011-1498, CVE-2015-5262)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache-httpcomponents-affects-ibm-cloud-pak-system-cve-2011-1498-cve-2015-5262/


Security Bulletin: Multiple cross-site scripting vulnerabilities in Cloud Pak System

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scripting-vulnerabilities-in-cloud-pak-system/


Security Bulletin: Cross-site scripting vulnerability in IBM Cloud Pak System (CVE-2019-4098)

https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-in-ibm-cloud-pak-system-cve-2019-4098/


BIND vulnerability CVE-2019-6477

https://support.f5.com/csp/article/K15840535?utm_source=f5support&utm_medium=RSS