End-of-Day report
Timeframe: Thursday 25-04-2019 18:00 - Friday 26-04-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Getting in the Zone: dumping Active Directory DNS using adidnsdump
Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about hosts in the network. What not many people know however is that if Active Directory integrated DNS is used, any [...]
https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/
Service Accounts Redux - Collecting Service Accounts with PowerShell
Back in 2015 I wrote up a "find the service accounts" story -
https://isc.sans.edu/forums/diary/Windows+Service+Accounts+Why+Theyre+Evil+and+Why+Pentesters+Love+them/20029/ (yes, it really has been that long). The approach I wrote up then used WMIC. Those scripts saw a lot of use back in the day, but don't reflect the fastest or most efficient way to collect this information - I thought today was a good day to cover how to do this much quicker in PowerShell.
https://isc.sans.edu/forums/diary/Service+Accounts+Redux+Collecting+Service+Accounts+with+PowerShell/24882/
Statistics: Significantly more malware for the Mac
According to the security company Malwarebytes, attacks on macOS users are increasing. Adware in particular is becoming a problem.
https://heise.de/-4408038
Vulnerability Spotlight: Multiple vulnerabilities in Sierra Wireless AirLink ES450
Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems. These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator's password and expose user credentials, among [...]
https://blog.talosintelligence.com/2019/04/vulnerability-sierra-airlink.html
Beware of fraudulent e-mails with supposed invoices
Consumers and businesses are receiving e-mails that point to links to alleged invoices. The recipients are, for example, asked to pay the invoices or to check their contents. Anyone who follows the links ends up on fraudulent websites that try to infect systems with malware.
https://www.watchlist-internet.at/news/vorsicht-vor-betrugs-mails-mit-vermeintlichen-rechnungen/
An inside look at how credential stuffing operations work
Data breaches, custom software, proxies, IoT botnets, and hacking forums -- all play a role.
https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-operations-work/
Vulnerabilities
Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension
If you own an eCommerce website built on WordPress and powered by the WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store. A WordPress security company - called "Plugin Vulnerabilities" - that recently went rogue in order to protest against moderators of WordPress's official support forum has once [...]
https://thehackernews.com/2019/04/wordpress-woocommerce-security.html
Security updates for Friday
Security updates have been issued by Debian (gpac and mercurial), Fedora (kernel-headers and kernel-tools), openSUSE (GraphicsMagick, kauth, lxc, lxcfs, python, qemu, and xmltooling), SUSE (freeradius-server, ImageMagick, libvirt, samba, and wireshark), and Ubuntu (bind9).
https://lwn.net/Articles/786884/
Synology-SA-19:20 ISC BIND
CVE-2018-5743 allows remote attackers to conduct denial-of-service attacks via a susceptible version of DNS Server. DNS Server is not affected by CVE-2019-6947 and CVE-2019-6948 as these vulnerabilities only affect ISC BIND 9.10.5 and later.
https://www.synology.com/en-global/support/security/Synology_SA_19_20
Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190424-01-frp-en
IBM Cognos Business Intelligence: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K19-0354
IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2019 - Includes Oracle Jan 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-jan-2019-includes-oracle-jan-2019-cpu-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM® Java Runtime and Liberty affect IBM BigFix Remote Control
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-and-liberty-affect-ibm-bigfix-remote-control/
IBM Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2018-20346)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulneraqbility-in-sqlite-affects-ibm-cloud-application-performance-managment-r-esponse-time-monitoring-agent-cve-2018-20346/
IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerability GNU C Library (CVE-2018-16429)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerability-gnu-c-library-cve-2018-16429/
IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libTIFF
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-libtiff-2/
IBM Security Bulletin: IBM Cloud Manager with OpenStack is affected by an OpenSSL vulnerability (CVE-2018-0734)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-manager-with-openstack-is-affected-by-a-openssl-vulnerabilities-cve-2018-0734/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Manager with OpenStack
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cloud-manager-with-openstack-3/
IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libtirpc (CVE-2018-14622 CVE-2018-14621)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-libtirpc-cve-2018-14622-cve-2018-14621/
IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSH
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-openssh/
IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSL (CVE-2018-0732 CVE-2018-0737)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-openssl-cve-2018-0732-cve-2018-0737/