Daily summary - 17.01.2020

End-of-Day report

Timeframe: Thursday 16-01-2020 18:00 - Friday 17-01-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection

The TrickBot Trojan has received an update that adds a UAC bypass targeting the Windows 10 operating system so that it infects users without displaying any visible prompts.

https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/


Dutch Govt Suggests Turning Off Citrix ADC Devices, Mitigations May Fail

Mitigation recommendations for CVE-2019-19781, a currently unpatched critical flaw affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway, do not have the expected effect on all product versions.

https://www.bleepingcomputer.com/news/security/dutch-govt-suggests-turning-off-citrix-adc-devices-mitigations-may-fail/


FTCODE Ransomware - New Version Includes Stealing Capabilities

Recently, the Zscaler ThreatLabZ team came across PowerShell-based ransomware called "FTCODE," which targets Italian-language users. An earlier version of FTCODE ransomware was being downloaded using a document file that contained malicious macros. In the recent campaign, the ransomware is being downloaded using VBScript.

https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities


404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

As noted in Rough Patch: I Promise It'll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we've recognized multiple groups of post-exploitation activity. Within these, something caught our eye: one particular threat actor that's been deploying a [...]

http://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html


Indications of possible vulnerabilities in the medical telematics infrastructure

Open-source libraries used in the T-Systems telematics connector contain hundreds of known security vulnerabilities.

https://heise.de/-4635791


WeLeakInfo, the site which sold access to passwords stolen in data breaches, is brought down by the FBI

Law enforcement agencies have seized control of the domain of WeLeakInfo, a website offering cheap access to billions of personal credentials stolen from approximately 10,000 data breaches.

https://www.grahamcluley.com/weleakinfo-seized/

Vulnerabilities

Schneider Electric Modicon Controllers

This advisory contains mitigations for several "improper check for unusual or exceptional conditions" vulnerabilities in Schneider Electric Modicon PLC controllers.

https://www.us-cert.gov/ics/advisories/icsa-20-016-01


Security updates for Friday

Security updates have been issued by Arch Linux (chromium), Fedora (gnulib, ImageMagick, jetty, ocsinventory-agent, phpMyAdmin, python-django, rubygem-rmagick, thunderbird, and xar), Mageia (e2fsprogs, kernel, and libjpeg), openSUSE (icingaweb2), Oracle (git, java-11-openjdk, and thunderbird), Red Hat (.NET Core), Scientific Linux (git, java-11-openjdk, and thunderbird), SUSE (fontforge and LibreOffice), and Ubuntu (kamailio and thunderbird).

https://lwn.net/Articles/809916/


HPESBNS03981 rev.1 - HPE ViewPoint on NonStop, Local Disclosure of Sensitive Information

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03981en_us


HPESBNS03976 rev.1 - HPE NonStop using Sudo

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03976en_us


Pivotal Spring Framework: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K20-0057


Trend Micro products: Multiple vulnerabilities allow gaining administrator privileges

http://www.cert-bund.de/advisoryshort/CB-K20-0055


Linux Kernel: Vulnerability allows disclosure of information

http://www.cert-bund.de/advisoryshort/CB-K20-0058