Daily summary - 19.12.2019

End-of-Day report

Timeframe: Wednesday 18-12-2019 18:00 - Thursday 19-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Emotet Gang Changes Tactics Ahead of the Winter Holidays

With the end of the year approaching fast, the authors of Emotet have made some changes that may increase their revenue for the holidays.

https://www.bleepingcomputer.com/news/security/emotet-gang-changes-tactics-ahead-of-the-winter-holidays/


TP-Link Routers Give Cyberattackers an Open Door to Business Networks

Remote attackers can easily compromise the device and pivot to move laterally through the LAN or WAN.

https://threatpost.com/tp-link-routers-cyberattackers-open-door/151254/


Microsoft Updates November Security Updates with SharePoint Bug

Microsoft has added a fresh CVE to its security portal, linking it to the existing November security updates (the patch itself was already included in the updates, but not specifically named). The CVE describes a vulnerability in SharePoint Server. According to a Microsoft Security Advisory, an attacker could exploit the bug (CVE-2019-1491) to obtain sensitive information and then use that information to mount further attacks.

https://threatpost.com/microsoft-issues-out-of-band-update-sharepoint-bug/151260/


Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks

Microsoft Defender ATP data scientists and threat hunters collaborate to use a data science-driven approach to detecting RDP brute force attacks to protect customers against real-world threats.

https://www.microsoft.com/security/blog/2019/12/18/data-science-for-cybersecurity-a-probabilistic-time-series-model-for-detecting-rdp-inbound-brute-force-attacks/


How Websites Are Used to Spread Emotet Malware

In past posts, we've discussed the more popular reasons why hackers target smaller websites. Today, we'll focus instead on how hackers use compromised websites to spread dangerous malware like Emotet to end user victims.

https://blog.sucuri.net/2019/12/how-websites-are-used-to-spread-emotet-malware.html


Zero Day Vulnerability in Deutsche Bahn Ticket Machine Series System uncovered

Whitehat in action discovers Kiosk Escape & Escalation via Windows PasswordAgent

https://www.vulnerability-db.com/?q=articles/2019/12/13/zero-day-vulnerability-deutsche-bahn-ticket-machine-series-system-uncovered


Extortion 2.0: Ransomware gangs want to publish sensitive company data

The creators of Maze and Sodinokibi may be ushering in an unpleasant trend: they want to put sensitive documents of infected companies online.

https://heise.de/-4619041


Fake Krone.at ads on Facebook lure users with free iPhones

Warning: Ads in the name of the Kronen Zeitung are circulating on Facebook. They claim that the largest Apple warehouse has burned down and that 2173 undamaged iPhones are now being given away in Austria. This is pure fabrication and the ad does not come from the Kronen Zeitung. Anyone who signs up here falls into a subscription trap!

https://www.watchlist-internet.at/news/gefaelschte-kroneat-werbung-lockt-auf-facebook-mit-gratis-iphones/


30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world

In December 1989 the world was introduced to the first ever ransomware - and 30 years later ransomware attacks are now at crisis levels.

https://www.zdnet.com/article/30-years-of-ransomware-how-one-bizarre-attack-laid-the-foundations-for-the-malware-taking-over-the-world/

Vulnerabilities

Drupal Releases Security Updates

Original release date: December 19, 2019. Drupal has released security updates to address vulnerabilities in Drupal 7.x, 8.7.x, and 8.8.x. An attacker could exploit some of these vulnerabilities to modify data on an affected website.

https://www.us-cert.gov/ncas/current-activity/2019/12/19/drupal-releases-security-updates


Security updates for Thursday

Security updates have been issued by Arch Linux (git, libgit2, and shadow), Debian (debian-edu-config and python-django), Fedora (python-django), Mageia (apache-commons-beanutils, fence-agents, flightcrew, freerdp, htmldoc, libssh, pacemaker, rsyslog, samba, and sssd), Oracle (freetype and kernel), Scientific Linux (freetype and kernel), SUSE (firefox, spectre-meltdown-checker, thunderbird, xen, and zziplib), and Ubuntu (python-django).

https://lwn.net/Articles/807711/


Synology-SA-19:42 WordPress

Multiple vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML, or to bypass security constraints, via a susceptible version of WordPress.

https://www.synology.com/en-global/support/security/Synology_SA_19_42


Security Bulletin: IBM API Connect is impacted by a vulnerability in libexpat

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-a-vulnerability-in-libexpat/


Security Bulletin: Multiple Vulnerabilities in GnuTLS affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnutls-affects-ibm-watson-studio-local/


Security Bulletin: Multiple Vulnerabilities in libpng affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-libpng-affects-ibm-watson-studio-local/


Security Bulletin: Vulnerability in jQuery affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-affects-ibm-watson-studio-local/


Security Bulletin: Multiple Vulnerabilities in libxml2 affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-libxml2-affects-ibm-watson-studio-local/


PHP: Multiple vulnerabilities allow unspecified attacks

http://www.cert-bund.de/advisoryshort/CB-K19-1099


Ruby on Rails: Vulnerability allows disclosure of information

http://www.cert-bund.de/advisoryshort/CB-K19-1098


Citrix Systems NetScaler Gateway: Vulnerability allows code execution

http://www.cert-bund.de/advisoryshort/CB-K19-1093


Atlassian Confluence: Vulnerability allows disclosure of information

http://www.cert-bund.de/advisoryshort/CB-K19-1101