End-of-Day report
Timeframe: Wednesday 11-12-2019 18:00 - Thursday 12-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
(Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
Cryptocurrency values are increasing again, which may explain why the number of stealthy techniques to deliver them has also increased this year. We found another campaign using process hollowing and a dropper component to evade detection and analysis, which can potentially be used for other malware payloads.
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/wSpVXlrw0Ok/
Code & Data Reuse in the Malware Ecosystem
In the past, I already had the opportunity to give some "security awareness" sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, it's tempting to not reinvent the wheel when somebody already wrote a piece of code that achieves the expected results. From a gain-of-time perspective, it's a win for the developers, who can focus on other code. Of course, this can have side effects and introduce bugs, backdoors, etc...
https://isc.sans.edu/forums/diary/Code+Data+Reuse+in+the+Malware+Ecosystem/25598/
Winbox in the Wild
I've written, ad nauseam, about MikroTik routers. I've detailed vulnerabilities, post exploitation, and the protocol used by Winbox to communicate to the router on port 8291: [...]
https://medium.com/tenable-techblog/winbox-in-the-wild-9a2ee4946add?source=rss68728ef067324
The little-known ways mobile device sensors can be exploited by cybercriminals
Mobile device sensors offer great utility to users, from taking pictures and commanding voice assistants to determining which direction to flip your screen. However, they harbor little-known vulnerabilities that could be exploited by crafty cybercriminals.
https://blog.malwarebytes.com/iot/2019/12/the-little-known-ways-mobile-device-sensors-can-be-exploited-by-cybercriminals/
Fake "Post" SMS demanding payment for waiting parcels
Are you currently waiting for a parcel? During the Christmas season that is not unlikely! Criminals exploit this and send fake SMS messages with the sender name "PST" or "POST". You are asked to confirm a payment of 2.99 euros by following a link. You land on a fake Post website. Do not enter your data there; someone is trying to steal it from you!
https://www.watchlist-internet.at/news/gefaelschte-post-sms-zur-zahlung-fuer-wartende-pakete/
What I Learned from Reverse Engineering Windows Containers
Our researcher provides an overview on containers - starting with their Linux history - and shows the different implementations of containers in Windows, how they work, the security pitfalls that may occur, as well as the internal implementation of objects that are necessary for Containers in Windows.
https://unit42.paloaltonetworks.com/what-i-learned-from-reverse-engineering-windows-containers/
Microsoft details the most clever phishing techniques it saw in 2019
This year's most clever phishing tricks include hijacking Google search results and abusing 404 error pages.
https://www.zdnet.com/article/microsoft-details-the-most-clever-phishing-techniques-it-saw-in-2019/
Vulnerabilities
Security updates for Thursday
Security updates have been issued by CentOS (firefox and nss-softokn), Fedora (samba), Oracle (nss, nss-softokn, nss-util, nss-softokn, and thunderbird), Scientific Linux (thunderbird), SUSE (firefox), and Ubuntu (librabbitmq and samba).
https://lwn.net/Articles/807186/
Synology-SA-19:40 Samba AD DC
CVE-2019-14861 and CVE-2019-11479 allow remote authenticated users to conduct denial-of-service attacks or bypass security constraints via a susceptible version of Synology Directory Server.
https://www.synology.com/en-global/support/security/Synology_SA_19_40
Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
https://www.drupal.org/sa-contrib-2019-096
Modal Page - Moderately critical - Access bypass - SA-CONTRIB-2019-094
https://www.drupal.org/sa-contrib-2019-094
Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093
https://www.drupal.org/sa-contrib-2019-093
Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092
https://www.drupal.org/sa-contrib-2019-092
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095
https://www.drupal.org/sa-contrib-2019-095
IBM Security Bulletins
https://www.ibm.com/blogs/psirt/
BIG-IP TMM vulnerability CVE-2019-6671
https://support.f5.com/csp/article/K39225055
TMOS vulnerability CVE-2019-6664
https://support.f5.com/csp/article/K03126093
HPESBHF03973 rev.1 - HPE Servers with certain Intel Processors, Local Disclosure of Information, Local Escalation of Privilege
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03973en_us
Red Hat OpenShift Service Mesh: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K19-1067
OpenBSD: Vulnerability allows privilege escalation
http://www.cert-bund.de/advisoryshort/CB-K19-1070
Linux Kernel and hostapd: Multiple vulnerabilities allow denial of service
http://www.cert-bund.de/advisoryshort/CB-K19-1071