End-of-Day report
Timeframe: Friday 19-04-2019 18:00 - Tuesday 23-04-2019 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
News
Operation ShadowHammer: a high-profile supply chain attack
In late March 2019, we briefly highlighted our research on ShadowHammer attacks, a sophisticated supply chain attack involving ASUS Live Update Utility. Now it is time to share more details about the research with our readers.
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
IT Security Guidelines for Transport Layer Security (TLS)
These guidelines are intended to aid during procurement, set-up and review of configurations of the Transport Layer Security protocol (TLS). TLS is the most popular protocol to secure connections on the Internet.
https://www.ncsc.nl/english/current-topics/factsheets/it-security-guidelines-for-transport-layer-security-tls.html
Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts
We recently discovered malicious Microsoft Software Installation (MSI) files that download and execute other files, and could bypass traditional security solutions. Malicious actors can abuse custom actions in these files to execute malicious scripts and drop malware that are either capable of initiating a system shutdown or targeting financial systems located in certain locations.
https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/
CARBANAK Week Part One: A Rare Occurrence
It is very unusual for FLARE to analyze a prolifically-used, privately-developed backdoor only to later have the source code and operator tools fall into our laps. Yet this is the extraordinary circumstance that sets the stage for CARBANAK Week, a four-part blog series that commences with this post. CARBANAK is one of the most full-featured backdoors around. It was used to perpetrate millions of dollars in financial crimes, largely by the group we track as FIN7. In 2017, Tom Bennett and Barry
http://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html
How to recognise fake shops before it is too late!
When hunting for bargains online, consumers frequently come across online shops that take payment but never deliver the goods. In short: fake shops. These websites are run by criminals who are solely after their victims' money. Payment is made in advance, and the transferred amounts are lost. Recognising fake shops is often difficult, but with our tips it is not impossible!
https://www.watchlist-internet.at/news/so-erkennen-sie-fake-shops-bevor-es-zu-spaet-ist/
Trojanized TeamViewer used in government, embassy attacks across Europe
The remote desktop software is being weaponized to gain access to victim systems.
https://www.zdnet.com/article/trojanized-teamviewer-used-in-government-political-attacks-across-europe/
Vulnerabilities
Security updates for Monday
Security updates have been issued by CentOS (java-1.8.0-openjdk and java-11-openjdk), Debian (clamav, debian-security-support, and drupal7), Fedora (egl-wayland, elementary-camera, elementary-code, elementary-terminal, ephemeral, geocode-glib, gnome-characters, gnome-shell-extension-gsconnect, group-service, libmodulemd, libxmlb, mate-user-admin, mesa, meson, mpris-scrobbler, reportd, switchboard-plug-display, switchboard-plug-pantheon-shell, wingpanel, and wireshark), openSUSE (blueman and glibc), Red Hat (java-1.7.0-openjdk).
https://lwn.net/Articles/786458/
Security updates for Tuesday
Security updates have been issued by CentOS (java-1.7.0-openjdk), Debian (ghostscript and wget), Gentoo (apache, glib, opendkim, and sqlite), Red Hat (kernel, kernel-alt, kernel-rt, ovmf, polkit, and python27-python), Scientific Linux (java-1.7.0-openjdk), and SUSE (php72).
https://lwn.net/Articles/786538/
BlackBerry Powered by Android Security Bulletin - April 2019
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000056358
Malware distributors are getting ever younger and often infect themselves
https://heise.de/-4403823
IBM Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-v
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-software-patches-release-1801-v/
IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-1901)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-websphere-application-server-affects-ibm-spectrum-scale-packaged-in-ibm-elastic-storage-server-cve-2018-1901/
IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-node-js-affect-ibm-integration-bus-ibm-app-connect-enterprise-v11-2/
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2017-15804)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-vulnerability-in-gnu-c-library-cve-2017-15804/
IBM Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2014-7810)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integration-bus-ibm-app-connect-enterprise-are-affected-by-a-websphere-application-server-vulnerability-cve-2014-7810/
IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211 CVE-2019-0220)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-http-server-cve-2019-0211-cve-2019-0220/
IBM Security Bulletin: Potential vulnerability related to Unsafe Deserialization in Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2019-0192)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-vulnerability-related-to-unsafe-deserialization-in-apache-solr-shipped-with-ibm-operations-analytics-log-analysis-cve-2019-0192/
IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2019-4146, CVE-2019-4222)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosure-vulnerabilities-affect-ibm-sterling-b2b-integrator-cve-2019-4146-cve-2019-4222/
IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities CVE-2018-5744 CVE-2019-6465 and CVE-2018-5745.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-networking-bind-vulnerabilities-cve-2018-5744-cve-2019-6465-and-cve-2018-5745/
IBM Security Bulletin: Security Bulletin: IBM Content Navigator is affected by an open redirect vulnerability
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-bulletin-ibm-content-navigator-is-affected-by-an-open-redirect-vulnerability/
IBM Security Bulletin: Multiple Cross-Site Scripting Vulnerabilities Affect IBM Sterling B2B Integrator
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-cross-site-scripting-vulnerabilities-affect-ibm-sterling-b2b-integrator/
IBM Security Bulletin: Public disclosed vulnerability from SQLite CVE-2018-20346
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-public-disclosed-vulnerability-from-sqlite-cve-2018-20346/
IBM Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator-is-vulnerable-to-cross-site-scripting/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-guardium-data-redaction-5/
IBM Security Bulletin: Weak Cryptographic Algorithm Vulnerability Affects IBM Sterling B2B Integrator (CVE-2018-1720)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-weak-cryptographic-algorithm-vulnerability-affects-ibm-sterling-b2b-integrator-cve-2018-1720/