End-of-Day report
Timeframe: Monday 15-07-2019 18:00 - Tuesday 16-07-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Topinambour & Windows event logs
TL;DR:
* Block outgoing SMB traffic if you can
* Hunt or monitor for event ID 106 (task registered) in "Microsoft-Windows-TaskScheduler%4Operational.evtx"
* Consider enabling the "Audit Process Creation" audit policy together with command-line logging, so that process starts are recorded in "Security.evtx"
* Hunt or monitor for event ID 4688 (process creation) in "Security.evtx"
http://www.cert.at/services/blog/20190716140317-2501_en.html
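The two hunts from the TL;DR above, as an added example (this is not code from the CERT.at post): it first checks that process-creation auditing and command-line logging are actually on, then pulls event 106 from the Task Scheduler operational log and event 4688 from the Security log with Get-WinEvent. The 7-day window, the parent/child process lists and the command-line keyword list are illustrative assumptions, not indicators taken from the post.

```powershell
# Added example, not from the CERT.at post: hunt for the two event IDs named in the TL;DR.
# Assumptions: elevated PowerShell 5.1+ session on the host under review (reading
# Security.evtx needs admin rights); the 7-day window and the keyword/process lists
# below are illustrative choices, not indicators from the post.

$since = (Get-Date).AddDays(-7)

# Flatten the <EventData><Data Name="..."> elements of an event record into a hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

# 1. Is process-creation auditing on, and does 4688 carry the command line?
#    Without both, step 3 returns little of value.
$auditRow = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ } | ConvertFrom-Csv
$auditOn  = $auditRow.'Inclusion Setting' -match 'Success'
$cmdKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdOn    = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled -eq 1
"Audit Process Creation (success): $auditOn   Command line in 4688: $cmdOn"

# 2. Task registrations (event 106). The Task Scheduler operational log is disabled
#    by default on current Windows versions; enable it with
#    wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true
$taskFilter = @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since }
Get-WinEvent -FilterHashtable $taskFilter -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{ Time = $_.TimeCreated; Task = $f.TaskName; RegisteredBy = $f.UserContext }
} | Sort-Object Time | Format-Table -AutoSize

# 3. Process creations (event 4688): keep those spawned by the Task Scheduler service
#    (svchost.exe on Windows 10/Server 2016+, taskeng.exe on older versions) or whose
#    command line shows the usual download-and-execute PowerShell idioms.
$suspicious = 'FromBase64String|-EncodedCommand|-enc |IEX|Invoke-Expression|DownloadString|-nop|-w hidden'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = $f.SubjectUserName
        Parent  = $f.ParentProcessName   # empty before Windows 10 / Server 2016
        Process = $f.NewProcessName
        CmdLine = $f.CommandLine         # empty unless command-line logging is on
    }
} | Where-Object {
    ($_.Parent -match '\\(svchost|taskeng)\.exe$' -and
     $_.Process -match '\\(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$') -or
    ($_.CmdLine -match $suspicious)
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The same field extraction (TaskName/UserContext for 106; ParentProcessName, NewProcessName, CommandLine for 4688) and the filter in step 3 translate directly into a SIEM rule if the logs are forwarded rather than read on the host.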
VU#129209: LLVM's Arm stack protection feature can be rendered ineffective
When the stack protection feature is rendered ineffective, the function is left vulnerable to stack-based buffer overflows. A local buffer overflow may overwrite the return address without being caught by the cookie check at the end of the function. Because the cookie itself also resides on the stack, it may be overwritten as well, so that an attacker-chosen value passes the check.
https://kb.cert.org/vuls/id/129209
Analysis: Server-side polymorphism & PowerShell backdoors
Malware actors very rarely stick to the same script for extended periods of time. They constantly modify and update their attack methods. Recently we have observed malware that uses server-side polymorphism to hide its payload, which consists of a backdoor fully written in PowerShell.
https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors
FBI Releases Master Decryption Keys for GandCrab Ransomware
In an FBI Flash Alert, the FBI has released the master decryption keys for GandCrab ransomware versions 4, 5, 5.0.4, 5.1, and 5.2. Using these keys, any individual or organization can create and release their own GandCrab decryptor.
https://www.bleepingcomputer.com/news/security/fbi-releases-master-decryption-keys-for-gandcrab-ransomware/
iOS 13: bug in beta exposes passwords
Anyone running a pre-release version of iOS or iPadOS should handle those devices with care. A bug allows attackers to view stored credentials.
https://heise.de/-4471743
Is 'REvil' the New GandCrab Ransomware?
The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team have instead quietly regrouped behind a more exclusive and advanced ransomware program known variously as "REvil," "Sodin," and "Sodinokibi."
https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/
Extenbro DNS-Changer Used in Adware Campaign
A recently observed DNS-changer Trojan is being used in an adware campaign to prevent users from accessing security-related websites, Malwarebytes reveals.
https://www.securityweek.com/extenbro-dns-changer-used-adware-campaign
Fraudulent Amazon Marketplace shops steal money!
When shopping online via Amazon, consumers can also place orders with third-party sellers. We are receiving numerous reports from people who were asked by fraudulent Marketplace shops to transfer money to external bank accounts. Do not pay! It is fraud, and the transferred money is lost.
https://www.watchlist-internet.at/news/betruegerische-amazon-marketplace-shops-stehlen-geld/
Stay away from notebooksbilliger-angebot.net
The online shop notebooksbilliger-angebot.net mainly lists cheap laptops, tablets and smartphones. You will not find any real bargains there, because it is a fake shop: your order will never be delivered even though you paid. We advise taking a closer look at unfamiliar shops before ordering!
https://www.watchlist-internet.at/news/finger-weg-von-notebooksbilliger-angebotnet/
Vulnerabilities
Vuln: Symantec Norton Password Manager CVE-2019-9700 IP Address Spoofing Vulnerability
An attacker can exploit this issue to spoof an IP address which may lead to a false sense of trust, allowing the attacker to perform malicious activities. Other attacks may also be possible. Versions prior to Symantec Norton Password Manager 6.3.0.2082 are vulnerable.
http://www.securityfocus.com/bid/108676
Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet
API blunder exposes data, fix incoming from Lenovo
Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface.
http://go.theregister.com/feed/www.theregister.co.uk/2019/07/16/iomega_nas_boxes/
Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu
The same security vulnerabilities that were recently reported in Zoom for macOS also affect two other popular video conferencing products that, under the hood, are just rebranded versions of the Zoom video conferencing software.
https://thehackernews.com/2019/07/zoom-ringcentral-vulnerabilities.html
Moodle CVE-2019-10187 Security Bypass Vulnerability
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. Moodle 3.7, 3.6 through 3.6.4, 3.5 through 3.5.6 and prior unsupported versions are vulnerable.
https://www.securityfocus.com/bid/109174/discuss
Security updates for Tuesday
Security updates have been issued by Fedora (expat and radare2), Oracle (thunderbird), Red Hat (389-ds-base, keepalived, libssh2, perl, and vim), Scientific Linux (thunderbird), SUSE (bzip2, kernel, podofo, systemd, webkit2gtk3, and xrdp), and Ubuntu (bash, nss, redis, squid, squid3, and Zipios).
https://lwn.net/Articles/793852/
Cisco Content Security Management Appliance Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-sma-xss
IBM Security Bulletin: IBM has released Unified Extensible Firmware Interface (UEFI) fixes in response to TianoCore EDK II BIOS Vulnerability (CVE-2018-12182)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-released-unified-extensible-firmware-interface-uefi-fixes-in-response-to-tianocore-edk-ii-bios-vulnerability-cve-2018-12182/
IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to File Path Traversal (CVE-2019-4430)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-file-path-traversal-cve-2019-4430/
IBM Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerability CVE-2019-12086
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-jackson-databind-vulnerability-cve-2019-12086/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Event Streams
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-event-streams/
IBM Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-business-developer/
IBM Security Bulletin: Multiple vulnerabilities in current releases of the IBM SDK, Java Technology Edition affect IBM Tivoli Netcool Configuration Manager (CVE-2018-1890, CVE-2019-2426)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-current-releases-of-the-ibm-sdk-java-technology-edition-affect-ibm-tivoli-netcool-configuration-manager-cve-2018-1890-cve-2019-2426/
IBM Security Bulletin: Multiple Mozilla Firefox vulnerabilities in IBM SONAS
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-mozilla-firefox-vulnerabilities-in-ibm-sonas-7/
IBM Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WAS vulnerability.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-rational-asset-analyzer-raa-is-affected-by-a-was-vulnerability-2/
Linux kernel vulnerability CVE-2019-11599
https://support.f5.com/csp/article/K51674118