End-of-Day report
Timeframe: Tuesday 16-07-2019 18:00 - Wednesday 17-07-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Newly identified StrongPity operations
Alien Labs has identified an unreported and ongoing malware campaign, which we attribute with high confidence to the adversary publicly reported as -StrongPity-. Based on compilation times, infrastructure, and public distribution of samples - we assess the campaign operated from the second half of 2018 into today (July 2019). This post details new malware and new infrastructure which is used to control compromised machines.
https://www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations
American Express Customers Targeted by Novel Phishing Attack
The phishing campaign targeted both corporate and consumer cardholders with phishing emails full of grammatical errors but with a small but deadly twist: instead of using the regular hyperlink to the landing page trick, this one used a base HTML element to hide the malicious URL from antispam solutions. This allows the attackers to specify the base URL that should be used for all relative URLs within the phishing message, effectively splitting up the phishing landing page in two separate pieces.
https://www.bleepingcomputer.com/news/security/american-express-customers-targeted-by-novel-phishing-attack/
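The trick described above only works because a browser (and a mail client rendering HTML) joins every relative href against the document's `<base href>`, while a filter that just scans href attributes never sees the landing page. The following is an added example, not code from the BleepingComputer article: it resolves links the way a browser would and lists the targets that only become visible once `<base>` is applied. The message body and the hostname `phish-landing.example` are constructed for illustration.

```python
"""Resolve phishing links hidden behind an HTML <base> element.

Added example; the e-mail body and hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample message: the visible anchor carries only a relative
# path, so a scanner that reads href values in isolation finds no external URL.
SAMPLE_EMAIL = """<html><head>
<base href="http://phish-landing.example/">
</head><body>
<p>Your Card has been temporarily suspend. Verify you account now.</p>
<a href="verify/account/index.html">Verify now</a>
<a href="https://www.americanexpress.com/">americanexpress.com</a>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect the first <base href> and every <a href>, in document order."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Per HTML, only the first <base> with an href takes effect.
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def resolve_links(html):
    """Return (base, [(raw_href, effective_url), ...]) as a browser resolves them.

    Relative hrefs are joined against the <base> target; absolute hrefs are
    returned unchanged, which is why naive URL extraction misses the trick.
    """
    parser = LinkExtractor()
    parser.feed(html)
    base = parser.base or ""
    return base, [(href, urljoin(base, href)) for href in parser.hrefs]


def hidden_links(html):
    """Effective targets of hrefs that were relative in the source.

    These are the URLs a href-only scanner never sees; they are the ones to
    feed into reputation lookups and blocklists.
    """
    base, links = resolve_links(html)
    if not base:
        return []
    return [effective for raw, effective in links if not urlsplit(raw).scheme]


if __name__ == "__main__":
    base, links = resolve_links(SAMPLE_EMAIL)
    print("base:", base)
    for raw, effective in links:
        print(f"  {raw!r:45} -> {effective}")
    print("hidden:", hidden_links(SAMPLE_EMAIL))
```

Feeding the resolved URLs, rather than the raw href strings, into whatever URL reputation check the mail gateway runs closes the gap the campaign relied on.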
Analysis of DNS TXT Records, (Wed, Jul 17th)
At the Internet Storm Center, we already mentioned so many times that the domain name system is a goldmine for threat hunting or OSINT. A particular type of DNS record is the TXT record (or text record). It is a type of resource record used to provide the ability to associate free text with a host or other name. ... I extracted a long list of domain names from different DNS servers logs and malicious domains lists. Then I queried TXT records for each of them. Results have been loaded into a Splunk instance to search for some juicy stuff. What did I find?
https://isc.sans.edu/diary/rss/25142
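Most TXT records are boring policy data (SPF, DKIM, DMARC, domain verification tokens); the hunting value lies in the remainder. The following added example (not the diary's own code) shows one way to triage such a collection: classify each record, flag weak SPF policies, and attempt to decode records that look like opaque base64 blobs. The `TXT_RECORDS` dictionary is constructed sample data standing in for resolver output; in practice you would populate it from `dig`/dnspython results or DNS logs.

```python
"""Triage a collection of DNS TXT records for threat hunting.

Added example; TXT_RECORDS is constructed sample data, not real resolver output.
"""
import base64
import re
from collections import Counter

TXT_RECORDS = {
    "example.com": [
        "v=spf1 include:_spf.google.com ~all",
        "google-site-verification=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"],
    "bad.example.net": [
        "v=spf1 +all",                       # anyone may send mail as this domain
        # constructed blob: base64 of a PowerShell-style command line
        "cG93ZXJzaGVsbCAtbm9wIC13IGhpZGRlbiAtZW5jIEpBQkFBRT0=",
    ],
    "empty.example.org": [],
}

KNOWN = [
    ("spf", re.compile(r"^v=spf1\b", re.I)),
    ("dmarc", re.compile(r"^v=DMARC1\b", re.I)),
    ("dkim", re.compile(r"^v=DKIM1\b", re.I)),
    ("verification", re.compile(
        r"^(?:google-site-verification|MS|facebook-domain-verification"
        r"|apple-domain-verification|docusign)=", re.I)),
]
# A long run of base64 alphabet with optional padding and nothing else.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
SPF_PLUS_ALL = re.compile(r"\s\+all\b")


def classify(record):
    """Label a TXT record by its well-known prefix, or as blob/other."""
    for label, pattern in KNOWN:
        if pattern.search(record):
            return label
    if BASE64_BLOB.match(record):
        return "opaque-blob"
    return "other"


def try_decode(record):
    """Return the decoded text of a base64 blob if it is printable ASCII, else None."""
    try:
        raw = base64.b64decode(record, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def summary(records=TXT_RECORDS):
    """Count records per class; the 'other' and 'opaque-blob' buckets are where to look."""
    return Counter(classify(t) for txts in records.values() for t in txts)


def findings(records=TXT_RECORDS):
    """(name, finding, record) tuples worth an analyst's attention."""
    out = []
    for name, txts in records.items():
        for record in txts:
            kind = classify(record)
            if kind == "spf" and SPF_PLUS_ALL.search(record):
                out.append((name, "spf-plus-all", record))
            elif kind == "opaque-blob":
                decoded = try_decode(record)
                out.append((name, "opaque-blob", decoded or record))
    return out


if __name__ == "__main__":
    print(summary())
    for name, finding, detail in findings():
        print(f"{name}: {finding}: {detail}")
```

The classifier is deliberately strict: anything not matching a known prefix ends up in `other`, which is the bucket to sort by length and entropy in Splunk or wherever the results land.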
EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users
Researchers at security firm Intezer Labs recently discovered a new Linux backdoor implant that appears to be under development and testing phase but already includes several malicious modules to spy on Linux desktop users. ... EvilGnome malware masquerades itself as a legit GNOME extension, a program that lets Linux users extend the functionality of their desktops.
https://thehackernews.com/2019/07/linux-gnome-spyware.html
Jenkins Admins: Relying on Default Settings Could Put Master at Risk of Remote Code Execution Attacks
In our analysis, we observed that a user account with less privilege can gain administrator rights over the automation server if jobs are built on the master machine (i.e., the main Jenkins server), a setup enabled by default. An exploit for this can be easily written using shell spawn - a default build step.
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/PObGTrIqU0M/
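The exposure described above exists whenever the master itself has executors, since any build step (including the default shell step) then runs as the Jenkins service account on the server that holds the secrets and configuration. The following is an added example, not code from the Trend Micro post: an offline audit of a Jenkins `$JENKINS_HOME/config.xml` that flags a master with executors and, as a related check, the "logged-in users can do anything" authorization strategy. Both sample configurations are constructed to mimic a typical fresh install and a hardened one; the standard Jenkins hardening advice, independent of this post, is to set the master's executor count to 0 and run builds on agents.

```python
"""Audit a Jenkins config.xml for builds running on the master.

Added example; the two configurations below are constructed samples that
mirror the relevant elements of a real $JENKINS_HOME/config.xml.
"""
import xml.etree.ElementTree as ET

# Constructed: what a fresh install commonly looks like (2 executors on the
# master, NORMAL mode, every logged-in user has full control).
DEFAULT_CONFIG = """<hudson>
  <version>2.176.1</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
</hudson>
"""

# Constructed: the hardened counterpart (no executors on the master, EXCLUSIVE
# mode so only jobs that explicitly target it could ever land there, and a
# matrix authorization strategy in place of blanket full control).
HARDENED_CONFIG = """<hudson>
  <version>2.176.1</version>
  <numExecutors>0</numExecutors>
  <mode>EXCLUSIVE</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
</hudson>
"""


def audit(config_xml):
    """Return a list of human-readable findings for a config.xml document."""
    root = ET.fromstring(config_xml)
    findings = []

    executors = int(root.findtext("numExecutors", default="0"))
    mode = root.findtext("mode", default="NORMAL")
    if executors > 0:
        findings.append(
            f"master has {executors} executor(s): build steps run on the Jenkins server itself"
        )
        if mode == "NORMAL":
            findings.append(
                "mode is NORMAL: any job without a label restriction can be scheduled on the master"
            )

    auth = root.find("authorizationStrategy")
    auth_class = auth.get("class", "") if auth is not None else ""
    if auth_class.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        findings.append("authorization: every logged-in user has full control")

    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

The executor count is the setting that matters for the issue in the post: with it at 0, a user who can only configure a job gets a shell on an agent, not on the server holding the credentials store.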
Flaw in PowerShell Core: attackers could trick Windows Defender
Microsoft has released a security patch for PowerShell Core rated as "important". An attack is not straightforward, however.
https://heise.de/-4473123
Vulnerabilities
Oracle Critical Patch Update Advisory - July 2019
This Critical Patch Update contains 319 new security fixes
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Security updates for Wednesday
Security updates have been issued by Debian (libreoffice), Red Hat (thunderbird), SUSE (ardana and crowbar, firefox, libgcrypt, and xrdp), and Ubuntu (nss, squid3, and wavpack).
https://lwn.net/Articles/793966/
LibreOffice: Multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in LibreOffice to execute arbitrary code with user privileges or to bypass security measures.
http://www.cert-bund.de/advisoryshort/CB-K19-0611
Security Advisory - Information Disclosure Vulnerability on Secure Input
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190717-01-input-en
IBM Security Bulletin: IBM Event Streams is affected by Apache ZooKeeper vulnerability CVE-2019-0201
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-apache-zookeeper-vulnerability-cve-2019-0201/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-integration-designer-4/
IBM Security Bulletin: IBM Event Streams is affected by kubectl vulnerabilities
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-kubectl-vulnerabilities/
IBM Security Bulletin: IBM Event Streams is affected by Go vulnerabilities
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-go-vulnerabilities-2/
IBM Security Bulletin: Vulnerabilities in Ruby on Rails affect IBM License Metric Tool v9 and IBM BigFix Inventory v9.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ruby-on-rails-affect-ibm-license-metric-tool-v9-and-ibm-bigfix-inventory-v9/
IBM Security Bulletin: Vulnerability in systemd affects Power Hardware Management Console (CVE-2019-6454)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-systemd-affects-power-hardware-management-console-cve-2019-6454/
IBM Security Bulletin: IBM Event Streams is affected by WebSphere Liberty Profile vulnerability CVE-2019-4046
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-affected-by-websphere-liberty-profile-vulnerability-cve-2019-4046/
IBM Security Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685 CVE-2018-6109 CVE-2018-6110 CVE-2018-6111) Security Bulletin
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-openssh-affect-aix-cve-2018-20685-cve-2018-6109-cve-2018-6110-cve-2018-6111-security-bulletin/
IBM Security Bulletin: IBM RackSwitch firmware products are affected by vulnerability in OpenSSL (CVE-2018-0734)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-rackswitch-firmware-products-are-affected-by-vulnerability-in-openssl-cve-2018-0734/
IBM Security Bulletin: IBM Flex System switch firmware products are affected by vulnerability in OpenSSL (CVE-2018-0734)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-switch-firmware-products-are-affected-by-vulnerability-in-openssl-cve-2018-0734/