Daily summary - 23.12.2019

End-of-Day report

Timeframe: Friday 20-12-2019 18:00 - Monday 23-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a

News

FBI Issues Alert For LockerGoga and MegaCortex Ransomware

The FBI has issued a warning to private industry recipients to provide information and guidance on the LockerGoga and MegaCortex Ransomware.

https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/


Mozi, Another Botnet Using DHT

The Mozi botnet relies on the DHT protocol to build a P2P network and uses ECDSA384 signatures together with XOR obfuscation to protect the integrity and confidentiality of its components and of its P2P traffic. The sample spreads over Telnet using weak passwords and several known exploits.

https://blog.netlab.360.com/mozi-another-botnet-using-dht/


Extracting VBA Macros From .DWG Files, (Sun, Dec 22nd)

I updated my oledump.py tool to help with the analysis of files that embed OLE files, like AutoCAD's .dwg files with VBA macros.

https://isc.sans.edu/diary/rss/25634


Leveraging Disk Imaging Tools to Deliver RATs

This year we observed a notable uptick in disc imaging software (like .ISO) being used as a container for serving malware via email, with .ISO archives accounting for 6% of all malware attachment archives seen this year.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/leveraging-disk-imaging-tools-to-deliver-rats/
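The two items above (VBA projects embedded as OLE containers inside .dwg files, and disk images used as mail attachment containers) both come down to recognising a container by its on-disk structure instead of its file extension. The Python script below is an added example written for this summary; it is not code from oledump.py, Trustwave or any of the linked posts. The sample buffers it builds are constructed inline, the filenames and the classify_attachment helper are hypothetical, and the only format knowledge it relies on is the public CFB header layout and the ISO 9660 volume descriptor layout.

```python
import struct

# Compound File Binary (OLE2) signature, used by legacy Office documents and by
# the VBA project storage that AutoCAD embeds inside .dwg files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# ISO 9660: the volume descriptor set starts at sector 16 (2048-byte sectors).
# Each descriptor begins with a type byte followed by the identifier "CD001".
ISO_VD_OFFSET = 16 * 2048


def find_embedded_ole(data: bytes) -> list:
    """Return offsets of plausible OLE2 headers anywhere inside data.

    The 8 magic bytes alone are not enough: the fields that follow them are
    checked too (byte-order mark 0xFFFE, major version 3 or 4 with its matching
    sector size, mini sector shift 6), so random data that happens to contain
    the signature is not reported.
    """
    hits = []
    pos = data.find(OLE_MAGIC)
    while pos != -1:
        hdr = data[pos:pos + 512]          # the CFB header is one 512-byte block
        if len(hdr) == 512:
            # header offsets 26..33: major version, byte order, sector shift, mini shift
            major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", hdr, 26)
            if byte_order == 0xFFFE and (major, sector_shift) in ((3, 9), (4, 12)) and mini_shift == 6:
                hits.append(pos)
        pos = data.find(OLE_MAGIC, pos + 1)
    return hits


def carve_ole(data: bytes, offset: int) -> bytes:
    """Carve the OLE2 container that starts at offset so it can be handed to an
    OLE parser. The CFB header does not record the container's total length, so
    everything up to the end of the buffer is kept; a parser that follows the
    FAT and directory chains does not need to know where the trailing bytes end."""
    return data[offset:]


def is_iso9660(data: bytes) -> bool:
    """True if data carries an ISO 9660 volume descriptor set at sector 16 that
    includes a Primary Volume Descriptor (type 1). A boot record (type 0) may
    precede the PVD, so the set is walked until its terminator (type 255)."""
    off = ISO_VD_OFFSET
    while off + 7 <= len(data) and data[off + 1:off + 6] == b"CD001":
        vd_type = data[off]
        if vd_type == 1:
            return True
        if vd_type == 255:
            break
        off += 2048
    return False


def classify_attachment(filename: str, data: bytes) -> dict:
    """Content-based triage of a mail attachment (hypothetical helper).

    Flags disk images regardless of extension, and OLE2 containers that sit
    inside another file format (offset > 0), which is the .dwg-with-VBA case."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ole_offsets = find_embedded_ole(data)
    iso = is_iso9660(data)
    return {
        "filename": filename,
        "extension": ext,
        "iso9660": iso,
        "ole_offsets": ole_offsets,
        "flag": iso or any(off > 0 for off in ole_offsets),
    }


def build_sample_dwg() -> bytes:
    """Constructed sample: a DWG-like prefix (AC1032 is the real DWG 2018 version
    string) followed by padding and a minimal, well-formed CFB header."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    # minor version 0x3E, major version 3, byte order 0xFFFE, sector shift 9, mini shift 6
    struct.pack_into("<HHHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9, 6)
    return b"AC1032" + b"\x00" * 1024 + bytes(hdr) + b"\x00" * 512


def build_sample_iso() -> bytes:
    """Constructed sample: an otherwise empty image with a PVD in sector 16 and a
    set terminator in sector 17."""
    img = bytearray(ISO_VD_OFFSET + 2 * 2048)
    img[ISO_VD_OFFSET:ISO_VD_OFFSET + 6] = b"\x01CD001"
    img[ISO_VD_OFFSET + 2048:ISO_VD_OFFSET + 2048 + 6] = b"\xffCD001"
    return bytes(img)


if __name__ == "__main__":
    samples = (("drawing.dwg", build_sample_dwg()),
               ("invoice.iso", build_sample_iso()),
               ("noise.bin", OLE_MAGIC + b"\xff" * 600))
    for name, blob in samples:
        print(classify_attachment(name, blob))
```

The carved buffer from carve_ole is what you would feed to oledump.py (or any OLE parser) to list and dump the VBA streams; the header validation matters because the 8-byte signature turns up by chance in compressed or encrypted payloads and would otherwise produce false hits.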


Looking into Attacks and Techniques Used Against WordPress Sites

This blog post lists different kinds of attacks against WordPress, by way of payload examples we observed in the wild, and how attacks have used hacked admin access and API, Alfa-Shell deployment, and SEO poisoning to take advantage of vulnerable sites.

http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mjE1ckQKGtA/


Cracked two-factor authentication: why software tokens are not a good idea

A suspected Chinese hacking group, whose attacks date back to 2011, is said to have devised a novel attack on RSA software tokens.

https://heise.de/-4622748


Update now: Cisco ASA 5500-X Series firewalls remotely attackable

An ASA vulnerability known since 2018 may currently be under active exploitation.

https://heise.de/-4621541


Beware of GMX phishing emails

Numerous readers are currently reporting dangerous phishing emails with which criminals try to gain access to GMX accounts. GMX users should therefore be on their guard if they are suddenly asked to log in because of an alleged account suspension. The credentials and email accounts end up in the hands of criminals and can be used for crimes committed under a false identity!

https://www.watchlist-internet.at/news/vorsicht-vor-gmx-phishing-mails/


War Never Changes: Attacks Against WPA3's Enhanced Open - Part 2: Understanding OWE

https://posts.specterops.io/war-never-changes-attacks-against-wpa3s-enhanced-open-part-2-understanding-owe-90fdc29126a1

Vulnerabilities

Patch now: Published Citrix applications leave networks of potentially 80,000 firms at risk from attackers

Unauthorised users are able to perform arbitrary code execution. A critical vulnerability in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means that businesses with apps published through these products may be exposing their internal network to unauthorised access.

https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/23/patch_now_published_citrix_applications_leave_network_vulnerable_to_unauthorised_access/


Security vulnerability in the Twitter app for Android

A security vulnerability in the Twitter app for Android allows malicious code to be injected that can read private data. An update is available.

https://heise.de/-4621735


Security updates for Monday

Security updates have been issued by Debian (cups, cyrus-sasl2, tightvnc, and x2goclient), Fedora (cacti and cacti-spine), openSUSE (mariadb and samba), Oracle (fribidi, git, and python), Red Hat (fribidi, libyang, and qemu-kvm-rhev), Slackware (openssl and tigervnc), and SUSE (firefox, nspr, nss and kernel).

https://lwn.net/Articles/808026/


Synology-SA-19:43 Drupal

A vulnerability allows remote authenticated users to upload arbitrary files via a susceptible version of Drupal.

https://www.synology.com/en-global/support/security/Synology_SA_19_43


F5 Security Advisories

https://support.f5.com/csp/new-updated-articles


Security Bulletin: Multiple Vulnerabilities in libpng affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-libpng-affects-ibm-watson-studio-local-2/


Security Bulletin: Input Validation Vulnerability in Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-input-validation-vulnerability-in-watson-studio-local/


Security Bulletin: Multiple Vulnerabilities In Redis affects Watson Studio Local (CVE-2018-12453, CVE-2018-12326, CVE-2018-11218)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-redis-affects-watson-studio-local-cve-2018-12453-cve-2018-12326-cve-2018-11218/


Security Bulletin: JWT Token Check Vulnerability in Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-jwt-token-check-vulnerability-in-watson-studio-local/


Security Bulletin: Multiple Vulnerabilities in Kubernetes affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-kubernetes-affects-ibm-watson-studio-local/


Security Bulletin: Watson Studio Local Key Storage Vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-watson-studio-local-key-storage-vulnerability/


Security Bulletin: Multiple Vulnerabilities in GNU binutils affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affects-ibm-watson-studio-local/


Security Bulletin: Multiple Vulnerabilities in GNU Binutils affects Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affects-watson-studio-local/


Security Bulletin: Internal SSL Communication Vulnerability in Watson Studio Local (PSIRT-ADV0011800)

https://www.ibm.com/blogs/psirt/security-bulletin-internal-ssl-communication-vulerability-in-watson-studio-local-psirt-adv0011800/


Security Bulletin: Multiple Vulnerabilities in OpenSSL affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affects-ibm-watson-studio-local/


Security Bulletin: Vulnerabilities in Samba affects IBM Watson Studio Local

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-samba-affects-ibm-watson-studio-local/