Daily summary - 27.10.2020

End-of-Day report

Timeframe: Friday 23-10-2020 18:00 - Tuesday 27-10-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Caution: fraudulent FinanzOnline e-mail in circulation

Fake e-mails in the name of the tax office (Finanzamt) are currently circulating. The e-mail informs you about your tax refund and asks you to approve the transaction. Do not click the link under any circumstances: it leads to a fake FinanzOnline website that lets criminals harvest personal data as well as credit card details!

https://www.watchlist-internet.at/news/vorsicht-betruegerisches-finanzonline-e-mail-im-umlauf/


Industrial plants with OPC UA systematically misconfigured

Researchers at Fraunhofer FKIE and RWTH Aachen scanned the Internet for controllers based on the OPC UA standard. 92% were configured insecurely.

https://heise.de/-4939199


Security update: attackers are targeting Microsoft's Edge web browser

Microsoft's developers have closed several security vulnerabilities in the Edge web browser.

https://heise.de/-4940091


Emotet malware hides behind fake upgrade for Microsoft Word

A new campaign tricks victims into believing they need an upgrade with new features for Microsoft Word. In reality, they are meant to disable the security safeguards that protect against dangerous macros. The operators continue to distribute the malicious documents via e-mail.

https://www.zdnet.de/88389137/malware-emotet-versteckt-sich-hinter-gefaelschtem-upgrade-fuer-microsoft-word/


KashmirBlack: botnet attacks WordPress, Joomla and Drupal

The operators exploit known vulnerabilities in CMS platforms and plug-ins to deploy a cryptominer. According to Imperva, the botnet now has a "massive infrastructure".

https://www.zdnet.de/88389169/kashmirblack-botnet-attackiert-wordpress-joomla-und-drupal/


New RAT malware gets commands via Discord, has ransomware feature

The new Abaddon remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC. Even worse, a ransomware feature is being developed for the malware.

https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/


Massive Nitro data breach impacts Microsoft, Google, Apple, more

A massive data breach suffered by the Nitro PDF service impacts many well-known organizations, including Google, Apple, Microsoft, Chase, and Citibank.

https://www.bleepingcomputer.com/news/security/massive-nitro-data-breach-impacts-microsoft-google-apple-more/


Study of the ShadowPad APT backdoor and its relation to PlugX

In July 2020, we released a study of targeted attacks on state institutions in Kazakhstan and Kyrgyzstan with a detailed analysis of malware found in compromised networks. During the investigation, Doctor Web specialists analyzed and described several groups of trojan programs, including new samples of trojan families already encountered by our virus analysts, as well as previously unknown trojans.

https://news.drweb.com/show/?i=14048&lng=en&c=9


Majority of Microsoft 365 Admins Don't Enable MFA

Beyond admins, researchers say that 97 percent of all total Microsoft 365 users do not use multi-factor authentication.

https://threatpost.com/microsoft-365-admins-mfa/160592/


LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes

Popular chat apps, including LINE, Slack, Twitter DMs and others, can also leak location data and share private info with third-party servers.

https://threatpost.com/linkedin-instagram-preview-link-rce-security/160600/


Excel 4 Macros: "Abnormal Sheet Visibility", (Mon, Oct 26th)

Excel 4 macros are composed of formulas (commands) and values stored inside a sheet.

https://isc.sans.edu/diary/rss/26726


Password Security & Password Managers

In the spirit of National Cyber Security Awareness Month (NCSAM), let's talk about a security basic that many people overlook: passwords. These are one of the most fundamental aspects of website security, yet we too often see webmasters taking a lax approach to secure passwords. In fact, the online security provider TeamPassword found that last year the most commonly leaked password was 123456. That edges out some real gems including qwerty and the always-popular password.

https://blog.sucuri.net/2020/10/password-security-password-managers.html


P.A.S. Fork v. 1.0 - A Web Shell Revival

A PHP shell containing multiple functions can easily consist of thousands of lines of code, so it's no surprise that attackers often reuse the code from some of the most popular PHP web shells, like WSO or b374k. After all, if these popular (and readily available) PHP web shells do the job, there's no need to code an entirely new tool.

https://blog.sucuri.net/2020/10/p-a-s-fork-v-1-0-a-web-shell-revival.html

Vulnerabilities

VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location

Overview: Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.

Description: CVE-2020-10143 Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:\openssl\. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create [...]

https://kb.cert.org/vuls/id/760767


Security updates for Tuesday

Security updates have been issued by Debian (thunderbird), Fedora (createrepo_c, dnf-plugins-core, dnf-plugins-extras, librepo, livecd-tools, and pdns-recursor), openSUSE (firefox and mailman), Oracle (firefox), Red Hat (chromium-browser, java-1.8.0-openjdk, and Satellite 6.8), Scientific Linux (java-1.8.0-openjdk), SUSE (libvirt), and Ubuntu (blueman, firefox, mysql-5.7, mysql-8.0, php7.4, and ruby-kramdown).

https://lwn.net/Articles/835401


HPE/Aruba: Critical vulnerabilities in SSMC, AirWave Glass and other products

Update now: among other issues, a vulnerability with the highest severity rating in the StoreServ Management Console can make unauthorized remote access easy for attackers.

https://heise.de/-4938532


NVIDIA Patches Code Execution Flaws in GeForce Experience

Patches released by NVIDIA last week for the GeForce Experience software address two arbitrary code execution bugs assessed with a severity rating of high.

https://www.securityweek.com/nvidia-patches-code-execution-flaws-geforce-experience


Trend Micro AntiVirus for Mac: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K20-1047


Red Hat OpenShift: Vulnerability enables denial of service

https://www.cert-bund.de/advisoryshort/CB-K20-1045


Security Bulletin: IBM API Connect's Developer Portal is vulnerable to social engineering attacks (CVE-2020-4337)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-developer-portal-is-vulnerable-to-social-engineering-attacks-cve-2020-4337-2/


Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Platform Symphony and IBM Spectrum Symphony

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-platform-symphony-and-ibm-spectrum-symphony-3/


Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2020-8169, CVE-2020-8177)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-affect-powersc-cve-2020-8169-cve-2020-8177/


Security Bulletin: Vulnerabilities in NTPv4 affect AIX (CVE-2020-11868, CVE-2020-13817, and CVE-2020-15025)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ntpv4-affect-aix-cve-2020-11868-cve-2020-13817-and-cve-2020-15025/


Security Bulletin: CVE-2020-15190 for Tensorflow in Watson Machine Learning Community Edition

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-15190-for-tensorflow-in-watson-machine-learning-community-edition/