End-of-Day report
Timeframe: Thursday 05-09-2019 18:00 - Friday 06-09-2019 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
GootKit Malware Bypasses Windows Defender by Setting Path Exclusions
As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which uses a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.
https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
[SANS ISC] PowerShell Script with a builtin DLL
I published the following diary on isc.sans.edu: -PowerShell Script with a builtin DLL-: Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution [...]
https://blog.rootshell.be/2019/09/06/sans-isc-powershell-script-with-a-builtin-dll/
Thousands of servers infected with new Lilocked (Lilu) ransomware
Researchers spot new ransomware targeting Linux-based servers.
https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/
Vulnerabilities
Buffer Overflow: Exim security vulnerability when processing TLS names
A security vulnerability that allows attackers to execute code has been found in the Exim mail server. An update is available.
https://www.golem.de/news/buffer-overflow-exim-sicherheitsluecke-beim-verarbeiten-von-tls-namen-1909-143700-rss.html
BD Pyxis
This medical advisory contains mitigations for a session fixation vulnerability reported in BD's Pyxis medication management platform.
https://www.us-cert.gov/ics/advisories/icsma-19-248-01
Red Lion Controls Crimson
This advisory includes mitigations for use after free, improper restriction of operations within the bounds of a memory buffer, pointer issues, and use of hard-coded cryptographic key vulnerabilities in the Red Lion Controls Crimson software.
https://www.us-cert.gov/ics/advisories/icsa-19-248-01
MS-ISAC Releases Advisory on PHP Vulnerabilities
Original release date: September 5, 2019. The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system.
https://www.us-cert.gov/ncas/current-activity/2019/09/05/ms-isac-releases-advisory-php-vulnerabilities
Security updates for Friday
Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow).
https://lwn.net/Articles/798600/
Nagios Enterprises Nagios XI: Vulnerability allows execution of arbitrary program code with administrator privileges
http://www.cert-bund.de/advisoryshort/CB-K19-0790