Daily summary - 10.11.2020

End-of-Day report

Timeframe: Monday 09-11-2020 18:00 - Tuesday 10-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter

News

PLATYPUS - With Great Power comes Great Leakage

With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processor's power consumption to infer data and extract cryptographic keys.

https://platypusattack.com/


wetransfer.com: How to use the free service safely

wetransfer.com is a popular service for sharing many files or folders free of charge and without hassle. When you receive an e-mail from wetransfer.com, however, we advise caution, because criminals send phishing e-mails or dangerous e-mails carrying malware designed to look like the file-transfer service. So: check first, then click!

https://www.watchlist-internet.at/news/wetransfercom-so-nutzen-sie-den-kostenlosen-dienst-sicher/


Sudden discontinuation: Avira discontinues business security products at the end of 2021

Avira is currently notifying business customers of the discontinuation of its B2B segment: existing licences will lose their validity on 01.01.22.

https://heise.de/-4952577


Microsoft Teams Users Under Attack in 'FakeUpdates' Malware Campaign

Microsoft warns that cybercriminals are using Cobalt Strike to infect entire networks beyond the infection point, according to a report.

https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/


Code Comments Reveal SCP-173 Malware

We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code - for example, a short description of a feature or functionality for other developers to reference. Oftentimes, hackers aren't interested in leaving comments describing how their injected malware works. Instead, they use code comments to add unique identifiers to reference aliases, quotes, threat groups, or sometimes even memes.

https://blog.sucuri.net/2020/11/code-comments-reveal-scp-173-malware.html


WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques

Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW (Windows on Windows) system was coined. This layer, which will be referred to as 'WOW64' from here on out, is responsible for translating all Windows API calls from 32-bit userspace to the 64-bit operating system.

https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html


Snakes and Ladder Logic

A click to a reverse shell in OpenPLC and ladder logic OR Why you shouldn't run everything as root in PLC and RTUs.

https://www.pentestpartners.com/security-blog/snakes-and-ladder-logic/


Npm package caught stealing sensitive Discord and browser files

Malicious code was found hidden inside a JavaScript library named Discord.dll.

https://www.zdnet.com/article/npm-package-caught-stealing-sensitive-discord-and-browser-files/


IoT security is a mess. These guidelines could help fix that

New guidelines from ENISA recommend that all stages of the IoT device lifecycle need to be considered to help ensure devices are secure.

https://www.zdnet.com/article/iot-security-is-a-mess-these-guidelines-could-help-fix-that/

Vulnerabilities

Security update: Ultimate Member plug-in endangers WordPress sites

Admin vulnerabilities in the Ultimate Member plug-in threaten more than 100,000 WordPress websites. A patched version is available.

https://heise.de/-4952685


Remote code execution vulnerability in Firefox, Firefox ESR and Thunderbird

Mozilla has closed a critical vulnerability in its web browsers and its mail client.

https://heise.de/-4953356


SAP Patchday November 2020

A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in SAP products and application components to compromise the confidentiality, availability and integrity of the applications.

https://www.cert-bund.de/advisoryshort/CB-K20-1090


Security Bulletins Posted

Adobe has published security bulletins for Adobe Connect (APSB20-69) and Adobe Reader Mobile (APSB20-71). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided "AS IS" with no warranties and confers no rights.

https://blogs.adobe.com/psirt/?p=1942


Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability

A vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper resource allocation when an affected device processes network traffic in software switching mode (punted).

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cp-dos-ej8VB9QY


SSA-492828: Denial-of-Service Vulnerability in SIMATIC S7-300 CPUs and SINUMERIK Controller

A vulnerability in S7-300 might allow an attacker to cause a Denial-of-Service condition on port 102 of the affected devices by sending specially crafted packets. Siemens is preparing updates and recommends specific countermeasures until fixes are available.

https://cert-portal.siemens.com/productcert/txt/ssa-492828.txt


SSA-431802: Multiple Vulnerabilities in SCALANCE W1750D

Siemens SCALANCE W1750D is a brand-labelled device. Aruba has released a related security advisory (ARUBA-PSA-2016-004) [0] disclosing vulnerabilities in its Aruba Instant product line. The advisory contains multiple related vulnerabilities that are summarized in CVE-2016-2031.

https://cert-portal.siemens.com/productcert/txt/ssa-431802.txt


Security updates for Tuesday

Security updates have been issued by Debian (moin, obfs4proxy, tcpdump, and zeromq3), Fedora (samba), Mageia (lout, openldap, pacemaker, samba, sddm, and spice, spice-gtk), openSUSE (bluez, ImageMagick, java-1_8_0-openj9, otrs, and wireshark), Red Hat (bind, buildah, curl, fence-agents, kernel, kernel-rt, kpatch-patch, librepo, libvirt, podman, python, python3, qt and qt5-qtbase, resource-agents, skopeo, tomcat, and unixODBC), SUSE (gcc10, python3, SDL, and zeromq), and Ubuntu (libexif).

https://lwn.net/Articles/836770/


IPAS: Security Advisories for November 2020

Hello, It's the second Tuesday in November and today we are releasing 40 security advisories. If this seems like a large number of advisories for Intel to be releasing, you're right. However, there are two primary reasons for this. First, as I mentioned in August, we are aligning public disclosures, as much as possible, to [...]

https://blogs.intel.com/technology/2020/11/ipas-security-advisories-for-november-2020/