Daily summary - 11.11.2020

End-of-Day report

Timeframe: Tuesday 10-11-2020 18:00 - Wednesday 11-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer

News

Targeted ransomware: it's not just about encrypting your data!

When we talk about ransomware, we need to draw a line between what it used to be and what it currently is. Why? Because nowadays ransomware is not just about encrypting data - it's primarily about data exfiltration.

https://securelist.com/targeted-ransomware-encrypting-data/99255/


Decrypting OpenSSH sessions for fun and profit

A while ago we had a forensics case in which a Linux server was compromised and a modified OpenSSH binary was loaded into the memory of a webserver. The modified OpenSSH binary was used as a backdoor to the system for the attackers.

https://blog.fox-it.com/2020/11/11/decrypting-openssh-sessions-for-fun-and-profit/


How to buy Christmas gifts safely online!

So that the anticipation of Christmas is not spoiled by an order from a fake shop, we show you the key points by which you can recognise dubious online shops.

https://www.watchlist-internet.at/news/so-kaufen-sie-weihnachtsgeschenke-sicher-im-internet-ein/


Play Store identified as main distribution vector for most Android malware

Mammoth research project using Symantec (now NortonLifeLock) telemetry confirms what everyone suspected.

https://www.zdnet.com/article/play-store-identified-as-main-distribution-vector-for-most-android-malware/


New Android trojan spies on 153 mobile applications

Among them are four apps of German banks. Distribution takes place via links in spam e-mails. Using the Android accessibility services, the trojan installs itself permanently on a device and allows it to be controlled remotely.

https://www.zdnet.de/88389654/neuer-android-trojaner-spioniert-153-mobile-anwendungen-aus/

Vulnerabilities

NVIDIA fixes severe flaw in GeForce NOW cloud gaming service

NVIDIA released a security update for the GeForce Now cloud gaming Windows app to address a vulnerability that could allow attackers to execute arbitrary code or escalate privileges on systems running unpatched software.

https://www.bleepingcomputer.com/news/security/nvidia-fixes-severe-flaw-in-geforce-now-cloud-gaming-service/


VU#231329: Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks

The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPMB write command or the content of an RPMB area.

https://kb.cert.org/vuls/id/231329


VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location

Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.

https://kb.cert.org/vuls/id/760767


Security updates for Wednesday

Security updates have been issued by Arch Linux (chromium, firefox, gdm, linux-hardened, matrix-synapse, salt, sddm, and wordpress), Debian (firefox-esr, libmaxminddb, and moin), Fedora (cifs-utils, firefox, galera, java-latest-openjdk, mariadb, mariadb-connector-c, and wordpress), Gentoo (blueman, chromium, firefox, mariadb, qemu, salt, tmux, and wireshark), openSUSE (sddm), Oracle (kernel), Red Hat (kernel-alt, microcode_ctl, and rh-nodejs12-nodejs), SUSE (kernel, microcode_ctl, openldap2,

https://lwn.net/Articles/836897/


Patchday: Microsoft closes kernel vulnerability in Windows

More than 100 security updates for Microsoft Office, Windows & co. have been released. One vulnerability is currently being actively exploited by attackers.

https://heise.de/-4954195


Security Advisory - Command Injection Vulnerability in Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201111-02-injection-en


XSA-351

https://xenbits.xen.org/xsa/advisory-351.html


Citrix Systems Virtual Apps and Desktops: Multiple vulnerabilities allow obtaining administrator rights

http://www.cert-bund.de/advisoryshort/CB-K20-1107