Daily summary - 31.05.2019

End-of-Day report

Timeframe: Wednesday 29-05-2019 18:00 - Friday 31-05-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter

News

Analyzing First Stage Shellcode, (Thu, May 30th)

Yesterday, reader Alex submitted a PowerShell script he downloaded from a website. Xavier, handler on duty, showed him the script launched shellcode that tried to establish a TCP connection.

https://isc.sans.edu/diary/rss/24984


Retrieving Second Stage Payload with Ncat, (Fri, May 31st)

In diary entry "Analyzing First Stage Shellcode", I show how to analyze first stage shellcode when you have no access to the server with the second stage payload.

https://isc.sans.edu/diary/rss/24988


HiddenWasp Malware Stings Targeted Linux Systems

Intezer has discovered a new, sophisticated malware that they have named "HiddenWasp", targeting Linux systems.

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/


Over 50,000 database servers infected with crypto-miners via ancient Windows bug

Using sophisticated methods, attackers have hijacked tens of thousands of poorly secured Windows servers and are secretly mining Monero on them.

https://heise.de/-4435622


Your threat model is wrong

Several subjects have come up with the past week that all come down to the same thing: your threat model is wrong. Instead of addressing the threat that exists, you've morphed the threat into something else that you'd rather deal with, or which is easier to understand.

https://blog.erratasec.com/2019/05/your-threat-model-is-wrong.html

Vulnerabilities

Convert Plus Plugin Flaw Lets Attackers Become a Wordpress Admin

A critical vulnerability in Convert Plus, a commercial plugin for WordPress websites estimated to have 100,000 active installations, allows an unauthenticated attacker to create accounts with administrator privileges.

https://www.bleepingcomputer.com/news/security/convert-plus-plugin-flaw-lets-attackers-become-a-wordpress-admin/


AVEVA Vijeo Citect and CitectSCADA

This advisory includes mitigations for an insufficiently protected credentials vulnerability reported in AVEVA's Vijeo Citect and CitectSCADA supervisory control and data acquisition software.

https://ics-cert.us-cert.gov/advisories/ICSA-19-150-01


Security updates for Thursday

Security updates have been issued by CentOS (firefox and libvirt), Debian (openjdk-8 and tomcat7), Fedora (drupal7-entity), Mageia (kernel), openSUSE (bluez, gnutls, and libu2f-host), Oracle (bind), Red Hat (bind), Scientific Linux (bind), SUSE (axis, libtasn1, and rmt-server), and Ubuntu (sudo).

https://lwn.net/Articles/789849/


Security updates for Friday

Security updates have been issued by Debian (miniupnpd and qemu), Fedora (drupal7-entity and xen), openSUSE (kernel), Oracle (bind and firefox), Red Hat (go-toolset-1.11-golang), SUSE (cronie, evolution, firefox, gnome-shell, java-1_7_0-openjdk, jpeg, and mailman), and Ubuntu (corosync, evolution-data-server, gnutls28, and libseccomp).

https://lwn.net/Articles/789995/


Security Advisory 2019-08: Security Update for OTRS Framework

https://community.otrs.com/security-advisory-2019-08-security-update-for-otrs-framework/


Security Advisory 2019-09: Security Update for OTRS Framework

https://community.otrs.com/security-advisory-2019-09-security-update-for-otrs-framework/


HPESBNS03925 rev.1 - HPE Nonstop Maintenance Entity family of products, Local Disclosure of Information

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03925en_us


AirPort Base Station Firmware Update 7.9.1

https://support.apple.com/kb/HT210090


IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer used in IBM Business Automation Workflow and IBM Business Process Manager

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-process-designer-used-in-ibm-business-automation-workflow-and-ibm-business-process-manager/


IBM Security Bulletin: IBM Watson Knowledge Catalog (with Information Server) is affected by a Cryptographic vulnerability

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-watson-knowledge-catalog-with-information-server-is-affected-by-a-cryptographic-vulnerability/


IBM Security Bulletin: IBM InfoSphere Information Server containers are vulnerable to privilege escalation

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-information-server-containers-are-vulnerable-to-privilege-escalation/


IBM Security Bulletin: Vulnerabilities in IBM Java SDK (January 2019) affecting IBM Application Delivery Intelligence for IBM Z V5.1.0, V5.0.5 and V5.0.4

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ibm-java-sdk-january-2019-affecting-ibm-application-delivery-intelligence-for-ibm-z-v5-1-0-v5-0-5-and-v5-0-4/


IBM Security Bulletin: Vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 7 & 8, IBM SDK, Java Technology Edition Version 8 and Eclipse OpenJ9 Affect Transformation Extender

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ibm-runtime-environments-java-technology-edition-versions-7-8-ibm-sdk-java-technology-edition-version-8-and-eclipse-openj9-affect-transformation-extender/


IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems (April 2019 updates)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-os-images-for-red-hat-linux-systems-april-2019-updates/


IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Tivoli Storage Manager FastBack (CVE-2018-12547)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-tivoli-storage-manager-fastback-cve-2018-12547/


IBM Security Bulletin: A security vulnerability has been identified in OpenSSL, which is shipped with IBM Tivoli Network Manager IP Edition (CVE-2018-5407)

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerability-has-been-identified-in-openssl-which-is-shipped-with-ibm-tivoli-network-manager-ip-edition-cve-2018-5407/


IBM Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM Security Access Manager Appliance

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vulnerabilities-have-been-fixed-in-the-ibm-security-access-manager-appliance-2/


IBM Security Bulletin: A vulnerability in Apache Commons Compress may affect IBM Cloud App Management V2018

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-apache-commons-compress-may-affect-ibm-cloud-app-management-v2018/


IBM Security Bulletin: Multiple open source vulnerabilities affect IBM PureApplication System

https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-open-source-vulnerabilities-affect-ibm-pureapplication-system/