Daily summary - 22.01.2020

End-of-Day report

Timeframe: Tuesday 21-01-2020 18:00 - Wednesday 22-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Actively Exploited IE 11 Zero-Day Bug Gets Temporary Patch

A micropatch implementing Microsoft's workaround for the actively exploited zero-day remote code execution (RCE) vulnerability impacting Internet Explorer is now available via the 0patch platform until an official fix is released.

https://www.bleepingcomputer.com/news/security/actively-exploited-ie-11-zero-day-bug-gets-temporary-patch/


sLoad launches version 2.0, Starslord

sLoad has launched version 2.0. With the new version, sLoad, which is a PowerShell-based Trojan downloader notable for its almost exclusive use of the Windows BITS service for malicious activities, has added an anti-analysis trick and the ability to track the stage of infection for every affected machine.

https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/


FireEye and Citrix Tool Scans for Indicators of Compromise Related to CVE-2019-19781

[...] To help organizations identify compromised systems associated with CVE-2019-19781, FireEye and Citrix worked together to release a new tool that searches for indicators of compromise (IoC) associated with attacker activity observed by FireEye Mandiant. This tool is freely accessible in both the Citrix and FireEye GitHub repositories.

https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html


Current wave: Ursnif Trojan hides in zip archives

Emails with a dangerous file attachment are once again circulating in increased numbers. The malware, named Ursnif, targets account data, among other things.

https://heise.de/-4643571


Warning: hijacked WhatsApp contacts request verification codes

Some WhatsApp users report that their own contacts are asking for a verification code via WhatsApp. The profiles of these contacts have already been taken over by the same scam. Anyone who replies to the messages of the supposed acquaintances and family members with the requested codes loses their own WhatsApp profile to criminals.

https://www.watchlist-internet.at/news/achtung-gekaperte-whatsapp-kontakte-verlangen-verifizierungscode/


In enterprise attack wave, NetWire Trojan now buries itself in disk image files

Enterprise companies are being targeted by a business email scam harnessing the Trojan.

https://www.zdnet.com/article/in-new-enterprise-attack-wave-netwire-rat-trojan-buries-itself-in-image-files/

Vulnerabilities

Honeywell Maxpro VMS & NVR

This advisory contains mitigations for deserialization of untrusted data and SQL injection vulnerabilities in Honeywell's MAXPRO VMS & NVR video management systems.

https://www.us-cert.gov/ics/advisories/icsa-20-021-01


Bitdefender BOX 2 bootstrap download_image command injection vulnerability

An exploitable command injection vulnerability exists in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. An unauthenticated attacker would need to impersonate a remote nimbus server to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0919


Security update: AMD drivers and VMware can be a dangerous cocktail

Attackers could use a crafted pixel shader to exploit an AMD driver vulnerability in order to break out of a VM.

https://heise.de/-4643294


Security updates for Wednesday

Security updates have been issued by Debian (tiff and transfig), Fedora (thunderbird-enigmail), Mageia (ffmpeg and sox), openSUSE (fontforge, python3, and tigervnc), Oracle (python-reportlab), Red Hat (apache-commons-beanutils, java-1.8.0-openjdk, kernel, kernel-alt, libarchive, openslp, openvswitch2.11, openvswitch2.12, and python-reportlab), Scientific Linux (java-1.8.0-openjdk and python-reportlab), SUSE (samba and tigervnc), and Ubuntu (python-pysaml2).

https://lwn.net/Articles/810282/


Cisco Security Advisories

https://tools.cisco.com/security/center/publicationListing.x


IBM Security Bulletins (High Severity)

https://www.ibm.com/blogs/psirt/tag/psirthigh/


Security Bulletin: IBM Integration Bus Hyper visor Edition V9.0 require customer action for security vulnerabilities in Red Hat Linux

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-hyper-visor-edition-v9-0-require-customer-action-for-security-vulnerabilities-in-red-hat-linux-5/


Security Advisory - Improper Authorization Vulnerability in Several Huawei Smart Phones

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200122-01-phone-en


Security Advisory - Two Integer Overflow Vulnerabilities in LDAP of Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200115-01-ldap-en


Security Advisory - Insufficient Verification Vulnerability in Some Huawei products

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200122-02-osca-en