End-of-Day report
Timeframe: Wednesday 27-03-2019 18:00 - Thursday 28-03-2019 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
News
Analysis of LockerGoga Ransomware
We recently observed a new ransomware variant (which our products detect as Trojan.TR/LockerGoga.qnfzd) circulating in the wild. In this post, we'll provide some technical details of the new variant's functionalities, as well as some Indicators of Compromise (IOCs). Overview Compared to other ransomware variants that use Windows' CRT library functions, this new variant relies heavily [...]
https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/
[SANS ISC] Running your Own Passive DNS Service
I published the following diary on isc.sans.edu: "Running your Own Passive DNS Service": Passive DNS is not new but remains a very interesting component to have in your hunting arsenal. As defined by CIRCL, a passive DNS is "a database storing historical DNS records from various resources."
https://blog.rootshell.be/2019/03/28/sans-isc-running-your-own-passive-dns-service/
Recognising dubious plumbing and electrical services
If you have problems with blocked drains, broken heating systems or overdue maintenance, you should not turn to sanitaerhilfe.at or installateur-top1.at. These are dubious companies that neither keep their promises nor repair the damage. On top of that, they charge an excessive amount.
https://www.watchlist-internet.at/news/unserioese-installateur-und-elektrodienste-erkennen/
Vulnerabilities
Cisco Botches Fix for RV320, RV325 Routers, Just Blocks curl User Agent
Cisco's RV320 and RV325 router models for small offices and small businesses remain vulnerable to two high-severity flaws two months after the vendor announced the availability of patches. The fixes failed their purpose and attackers can still chain the bugs to take control of the devices.
https://www.bleepingcomputer.com/news/security/cisco-botches-fix-for-rv320-rv325-routers-just-blocks-curl-user-agent/
Multiple "0day" vulnerabilities in HPE Intelligent Management Center
The Zero Day Initiative (ZDI) today reported several unpatched vulnerabilities in HPE Intelligent Management Center.
It is recommended to allow communication with HPE Intelligent Management Center only from trusted devices.
https://www.zerodayinitiative.com/advisories/ZDI-19-294/
https://www.zerodayinitiative.com/advisories/ZDI-19-295/
https://www.zerodayinitiative.com/advisories/ZDI-19-296/
https://www.zerodayinitiative.com/advisories/ZDI-19-297/
https://www.zerodayinitiative.com/advisories/ZDI-19-298/
https://www.zerodayinitiative.com/advisories/ZDI-19-299/
https://www.zerodayinitiative.com/advisories/ZDI-19-300/
https://www.zerodayinitiative.com/advisories/ZDI-19-301/
https://www.zerodayinitiative.com/advisories/ZDI-19-302/
https://www.zerodayinitiative.com/advisories/ZDI-19-303/
Apple watchOS 5.2
This document describes the security content of watchOS 5.2.
https://support.apple.com/kb/HT209602
Security updates: Critical vulnerabilities in Magento online shop software
Many Magento versions contain loopholes for malicious code and thus put online shops at risk. Patched releases close the vulnerabilities.
http://heise.de/-4354925
Security updates for Thursday
Security updates have been issued by Debian (kernel and wpa), Fedora (firefox and pdns), Gentoo (apache, cabextract, chromium, gd, nasm, sdl2-image, and zeromq), openSUSE (GraphicsMagick and lftp), Red Hat (thunderbird), Scientific Linux (firefox), Slackware (gnutls), and SUSE (ImageMagick).
https://lwn.net/Articles/784251/
ZDI-19-293: Advantech WebAccess Node tv_enua Improper Access Control Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-19-293/
ZDI-19-292: Advantech WebAccess Node spchapi Improper Access Control Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-19-292/
IBM Security Bulletin: Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench affected by Spring vulnerability (CVE-2018-15756)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-rational-test-control-panel-component-in-rational-test-virtualization-server-and-rational-test-workbench-affected-by-spring-vulnerability-cve-2018-15756/
IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by glibc vulnerabilities (CVE-2018-19591)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventia-network-active-bypass-is-affected-by-glibc-vulnerabilities-cve-2018-19591/
IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0734)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventia-network-active-bypass-is-affected-by-openssl-vulnerabilities-cve-2018-0734/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-rational-directory-server-tivoli-rational-directory-administrator-8/
IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-8039)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-websphere-application-server-affects-ibm-spectrum-scale-packaged-in-ibm-elastic-storage-server-cve-2018-8039/
IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0732)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventia-network-active-bypass-is-affected-by-openssl-vulnerabilities-cve-2018-0732/
IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0737)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventia-network-active-bypass-is-affected-by-openssl-vulnerabilities-cve-2018-0737/