End-of-Day report
Timeframe: Dienstag 17-11-2020 18:00 - Mittwoch 18-11-2020 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
News
When Security Controls Lead to Security Issues, (Wed, Nov 18th)
The job of security professionals is to protect customers assets and, even more, today, customers data. The security landscape is full of solutions that help to improve security by detecting (and blocking) threats knocking on the organizations doors. Sometimes, such solutions have side effects that go to the opposite direction and make customers more vulnerable to attacks.
https://isc.sans.edu/diary/rss/26804
Evasive Maneuvers in Data Stealing Gateways
We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware payloads. During a recent investigation, we came across this example of a PHP script that attackers use for many different purposes. What makes the sample interesting is that alongside this PHP, we also found a few data-stealing scripts indicating that the code might have been used to send sensitive data to the attackers. Continue reading Evasive
https://blog.sucuri.net/2020/11/evasive-maneuvers-in-data-stealing-gateways.html
WebNavigator Chromium browser published by search hijackers
A mystery Chromium browser recently made a sudden appearance, and is certainly proving popular. But what is it, and where did it come from?
https://blog.malwarebytes.com/pups/2020/11/webnavigator-chromium-browser-published-by-search-hijackers/
Nibiru ransomware variant decryptor
The Nibiru ransomware is a .NET-based malware family. It traverses directories in the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string "Nibiru" to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant.
https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html
Large-Scale Attacks Target Epsilon Framework Themes
On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites ... For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to perform an exploit chain, though full Remote Code Execution(RCE) leading to site takeover is possible with these vulnerabilities.
https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
Vorsicht vor COVID-19-Hilfsfonds: Unterstützungszahlungen in Millionenhöhe sind Betrug!
Die Corona-Krise ist für viele Menschen auch eine finanzielle Krise. Verschiedene Unterstützungsangebote sollen daher helfen, durch diese Zeit zu kommen. Aber Achtung! Werfen Sie einen genauen Blick darauf, wer Ihnen Geld anbietet. Denn: Derzeit werden betrügerische E-Mails von angeblichen COVID-19 Hilfsfonds versendet, in denen hohe Geldbeträge versprochen werden.
https://www.watchlist-internet.at/news/vorsicht-vor-covid-19-hilfsfonds-unterstuetzungszahlungen-in-millionenhoehe-sind-betrug/
Vulnerabilities
iTunes 12.11 for Windows
Foundation
Impact: A local user may be able to read arbitrary files
ImageIO
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
libxml2
Impact: Processing maliciously crafted web content may lead to code execution
libxml2
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Windows Security
Impact: A malicious application may be able to access local users Apple IDs
https://support.apple.com/kb/HT211933
Tails 4.13: Anonymisierendes Betriebssystem bekommt wichtige Sicherheitsupdates
Die neue Version des Debian-basierten Live-Systems umfasst ein wenig Feinschliff an der Oberfläche, vor allem aber wichtige Security-Fixes.
https://heise.de/-4963955
Tor Browser: Desktop-Version 10.0.5 mit Firefox-Sicherheitsupdates verfügbar
Für Windows, Linux und macOS steht eine neue Version des anonymisierenden Webbrowsers bereit. Die Android-Ausgabe soll bald folgen.
https://heise.de/-4964177
Cisco Expressway Software Unauthorized Access Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-Expressway-8J3yZ7hV
Cisco Secure Web Appliance Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-nPzWZrQj
Cisco Webex Meetings API Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-meetings-xss-MX56prER
Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4
Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG
Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r
Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd
Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-uathracc-jWNESUfM
Cisco DNA Spaces Connector Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dna-cmd-injection-rrAYzOwc
Cisco IoT Field Network Director Cross-Site Scripting Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-XSS-NzOPCGEc
Cisco IoT Field Network Director Improper Domain Access Control Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-UPWD-dCRPuQ78
Cisco IoT Field Network Director Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SSI-V2myWX9y
Cisco IoT Field Network REST API Insufficient Input Validation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SQL-zEkBnL2h
Cisco IoT Field Network Director Unprotected Storage of Credentials Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-PWH-yCA6M7p
Cisco IoT Field Network Director File Overwrite Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-OVW-SHzOE3Pd
Cisco IoT Field Network Director Improper Access Control Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-LV-hE4Rntet
Cisco IoT Field Network Director Unauthenticated REST API Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F
Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR
Cisco IoT Field Network Director Missing API Authentication Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V
Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd
Security Advisory - Privilege Escalation Vulnerability in FusionCompute Product
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-01-privilege-en
Security Bulletin: An unspecified vulnerability in Java SE or Oracle Java SE could allow an unauthenticated attacker
https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerability-in-java-se-or-oracle-java-se-could-allow-an-unauthenticated-attacker/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-14621)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-decision-optimization-center-cve-2020-14577-cve-2020-14578-cve-2020-14579-cve-2020-14621/
Security Bulletin: App Connect Enterprise Certified Container Dashboard is vulnerable to (CVE-2020-15168)
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-enterprise-certified-container-dashboard-is-vulnerable-to-cve-2020-15168/
Security Bulletin: IBM MQ Appliance is affected by a data corruption vulnerability (CVE-2020-4592)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-data-corruption-vulnerability-cve-2020-4592/
Security Bulletin: IBM MQ is affected by a vulnerability in IBM Runtime Environment Java (deferred from Oracle Jan 2020 CPU) CVE-2020-2654
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-a-vulnerability-in-ibm-runtime-environment-java-deferred-from-oracle-jan-2020-cpu-cve-2020-2654/