End-of-Day report
Timeframe: Thursday 06-06-2019 18:00 - Friday 07-06-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
SandboxEscaper Debuts ByeBear Windows Patch Bypass
SandboxEscaper is back, with a second bypass for the recent CVE-2019-0841 Windows patch.
https://threatpost.com/sandboxescaper-byebear-windows-bypass/145470/
Keep an Eye on Your WMI Logs, (Thu, Jun 6th)
WMI ("Windows Management Instrumentation")[1] is, like Microsoft says, "the infrastructure for management data and operations on Windows-based operating systems". Personally, I like to make a (very) rough comparison between WMI and SNMP: You can query information about a system (read) but also alter it (write). WMI is present on Windows systems since the version Windows 2000. As you can imagine, when a tool is available by default on all systems, [...]
https://isc.sans.edu/diary/rss/25012
The EU Cybersecurity Act: a new Era dawns on ENISA
Today, 7th June 2019, the EU Cybersecurity Act was published in the Official Journal of the European Union.
https://www.enisa.europa.eu/news/enisa-news/the-eu-cybersecurity-act-a-new-era-dawns-on-enisa
Bloodhound walkthrough. A Tool for Many Tradecrafts
A walkthrough on how to set up and use BloodHound. BloodHound (https://github.com/BloodHoundAD/BloodHound) is an application used to visualize Active Directory environments. The front-end is built on Electron and the back-end is a Neo4j database; the data leveraged is pulled from a series of data collectors, also referred to as ingestors, which come in PowerShell and [...]
https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/
New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets. As part of this ongoing research, we've recently discovered a new variant of Mirai that [...]
https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/
A botnet is brute-forcing over 1.5 million RDP servers all over the world
Furthermore, statistics show that despite BlueKeep, most RDP attacks today are brute-force attempts.
https://www.zdnet.com/article/a-botnet-is-brute-forcing-over-1-5-million-rdp-servers-all-over-the-world/
Vulnerabilities
Optergy Proton Enterprise Building Management System
This advisory includes mitigations for information exposure, cross-site request forgery, unrestricted upload of file with dangerous type, open redirect, hidden functionality, exposed dangerous method or function, and use of hard-coded credentials vulnerabilities reported in Optergy's Proton/Enterprise Building Management System.
https://ics-cert.us-cert.gov/advisories/ICSA-19-157-01
Panasonic Control FPWIN Pro
This advisory includes mitigations for heap-based buffer overflow and type confusion vulnerabilities reported in Panasonic's Control FPWIN Pro PLC programming software.
https://ics-cert.us-cert.gov/advisories/ICSA-19-157-02
Security updates for Friday
Security updates have been issued by Debian (evolution and qemu), Fedora (cyrus-imapd and hostapd), Gentoo (exim), openSUSE (exim), Red Hat (qpid-proton), SUSE (bind, libvirt, mariadb, mariadb-connector-c, python, and rubygem-rack), and Ubuntu (firefox, jinja2, and linux-lts-xenial, linux-aws).
https://lwn.net/Articles/790647/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-infosphere-information-server/
IBM Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in PHP (CVE-2019-11035 CVE-2019-11034)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-developer-portal-is-impacted-by-vulnerabilities-in-php-cve-2019-11035-cve-2019-11034/
IBM Security Bulletin: Secure Gateway is affected by multiple vulnerabilities
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-secure-gateway-is-affected-by-multiple-vulnerabilities/
IBM Security Bulletin: IBM API Connect V5 is impacted by Cross Site Scripting vulnerability (CVE-2016-10531 CVE-2018-3721 CVE-2017-0268)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-v5-is-impacted-by-cross-site-scripting-vulnerability-cve-2016-10531-cve-2018-3721-cve-2017-0268/
Intel UEFI vulnerability CVE-2019-0119
https://support.f5.com/csp/article/K85585101
Intel Xeon access control vulnerability CVE-2019-0126
https://support.f5.com/csp/article/K37428370