Daily summary - 17.09.2019

End-of-Day report

Timeframe: Monday 16-09-2019 18:00 - Tuesday 17-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

Emotet Revived with Large Spam Campaigns Around the World

Less than a month after reactivating its command and control (C2) servers, the Emotet botnet has come back to life by spewing spam messages to countries around the globe.

https://www.bleepingcomputer.com/news/security/emotet-revived-with-large-spam-campaigns-around-the-world/


Misuse of WordPress update_option() function Leads to Website Infections

In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress' update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission flow correctly, attackers can gain admin access or inject arbitrary data into any website. Note: The WordPress update_option() function cannot be used maliciously if the developer correctly implements it in their code.

https://blog.sucuri.net/2019/09/misuse-of-wordpress-update_option-function-leads-to-website-infections.html


Explaining Server Side Template Injections

[...] Exploiting SSTI in strange cases will be the next post I make. Any and all feedback is appreciated

https://0x00sec.org/t/explaining-server-side-template-injections/16297


2019 CWE Top 25 Most Dangerous Software Errors

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors (CWE Top 25) is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working.

https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html


Investigating Gaps in your Windows Event Logs

I recently TA'd the SANS SEC 504 class (Hacker Tools, Techniques, Exploits, and Incident Handling), and one of the topics we covered was attackers "editing" Windows event logs to cover their tracks, especially the Windows Security Event Log.

https://isc.sans.edu/forums/diary/Investigating+Gaps+in+your+Windows+Event+Logs/25328/


Phishing: BAWAG PSK does not request data confirmation by e-mail

Criminals pose as BAWAG PSK Bank and claim that online-banking users must confirm their data because of the EU payment services directive. Allegedly the account has also been locked. This is merely a pretext to obtain login credentials. Under no circumstances click the button; it leads to a fake login page!

https://www.watchlist-internet.at/news/phishing-bawag-psk-fordert-keine-datenbestaetigung-per-e-mail/


MISP 2.4.116 released (aka the new decaying feature)

A new version of MISP (2.4.116) has been released, including a long-awaited major new feature that deals with decaying indicators, in addition to a new ATT&CK sightings export and a new sync priority capability.

https://www.misp-project.org/2019/09/17/MISP.2.4.116.released.html


Gootkit malware crew left their database exposed online without a password

Even cyber-criminal gangs can't secure their MongoDB servers properly.

https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/

Vulnerabilities

Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira

Ben Taylor of Cisco ASIG discovered these vulnerabilities. Atlassian's Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and [...]

https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-sept-19.html


Security updates for Tuesday

Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2).

https://lwn.net/Articles/799509/


SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices

Researchers have discovered many vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices as part of a project dubbed SOHOpelessly Broken 2.0.

https://www.securityweek.com/sohopelessly-broken-20-125-vulnerabilities-found-routers-nas-devices


IBM Security Bulletins

https://www.ibm.com/blogs/psirt/


Apache HTTPD vulnerability CVE-2019-10098

https://support.f5.com/csp/article/K25126370