End-of-Day report
Timeframe: Friday 16-08-2019 18:00 - Monday 19-08-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Router Network Isolation Broken By Covert Data Exfiltration
Software-based network isolation provided by routers is not as efficient as believed, as hackers can smuggle data between the networks for exfiltration.
https://www.bleepingcomputer.com/news/security/router-network-isolation-broken-by-covert-data-exfiltration/
IT threat evolution Q2 2019
Targeted attacks, malware campaigns and other security news in Q2 2019.
https://securelist.com/it-threat-evolution-q2-2019/91994/
The DAA File Format, (Fri, Aug 16th)
In diary entry "Malicious .DAA Attachments", we extracted a malicious executable from a Direct Access Archive file.
https://isc.sans.edu/diary/rss/25246
What Hackers Do after Gaining Access to a Website
A hack or cyber attack is the act of maliciously entering, taking control over, or manipulating by force a web application, server, or file that belongs to someone else.
https://blog.sucuri.net/2019/08/what-hackers-do-after-gaining-access-to-a-website.html
Security blunder: kernel vulnerability back in iOS 12.4, jailbreak available
For the first time in a long while, Apple's security mechanisms in the current iOS version can be bypassed with a publicly available jailbreak.
https://heise.de/-4500038
QxSearch hijacker fakes failed installs
QxSearch is a group of search hijackers that try to make the user think the install failed or was incomplete. Is it that they don't want to be found and removed? Or just bad programming?
https://blog.malwarebytes.com/pups/2019/08/qxsearch-hijacker-fakes-failed-installs/
Fake "Ihr Jahresabonnem-nt Whatsapp" e-mail in circulation
Consumers are receiving a purported WhatsApp e-mail stating that they must renew their subscription. A link in the message takes users to a fake WhatsApp website, where they are asked to renew their annual subscription by entering their payment details. Consumers who comply become victims of data theft and lose their money to criminals.
https://www.watchlist-internet.at/news/gefaelschte-ihr-jahresabonnement-whatsapp-mail-im-umlauf/
Offensive Lateral Movement
Lateral movement is the process of moving from one compromised host to another. Penetration testers and red teamers alike commonly accomplished this by executing powershell.exe to run a base64-encoded command on the remote host, which would return a beacon. The problem with this is that offensive PowerShell is not a new concept anymore: even moderately mature shops will detect it and shut it down quickly, and any half-decent AV product will kill it before a malicious command is run.
https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f
Vulnerabilities
Drupal: Multiple vulnerabilities
A remote attacker, authenticated or anonymous, can exploit multiple vulnerabilities in Drupal to carry out a cross-site scripting attack, manipulate data, or bypass security mechanisms.
https://www.cert-bund.de/advisoryshort/CB-K19-0726
Security updates for Monday
Security updates have been issued by CentOS (kernel and openssl), Debian (ffmpeg, golang-1.11, imagemagick, kde4libs, openldap, and python3.4), Fedora (gradle, hostapd, kdelibs3, and mgetty), Gentoo (adobe-flash, hostapd, mariadb, patch, thunderbird, and vlc), Mageia (elfutils, mariadb, mythtv, postgresql, and redis), openSUSE (chromium, kernel, LibreOffice, and zypper, libzypp and libsolv), Oracle (ghostscript), Red Hat (rh-php71-php), SUSE (bzip2, evince, firefox, glib2, glibc, [...]
https://lwn.net/Articles/796640/
Cisco Firepower Threat Defense Software HTTP Filtering Bypass Vulnerability
A vulnerability in the HTTP traffic filtering component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to improper handling of HTTP requests, including those communicated over a secure HTTPS connection, that contain maliciously crafted headers.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-http
Cisco Firepower Threat Defense Software Stream Reassembly Bypass Vulnerability
A vulnerability in the stream reassembly component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to improper reassembly of traffic streams.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-srb
Cisco Firepower Threat Defense Software NULL Character Obfuscation Detection Bypass Vulnerability
A vulnerability in the normalization functionality of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to insufficient normalization of a text-based payload.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-null
Cisco Firepower Threat Defense Software Nonstandard Protocol Detection Bypass Vulnerability
A vulnerability in the protocol detection component of Cisco Firepower Threat Defense Software, Cisco FirePOWER Services Software for ASA, and Cisco Firepower Management Center Software could allow an unauthenticated, remote attacker to bypass filtering protections. The vulnerability is due to improper detection of the initial use of a protocol on a nonstandard port.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190816-ftd-nspd
Security Advisory - Four Remote Code Execution Vulnerabilities in Some Microsoft Windows Systems
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190819-01-windows-en