Tageszusammenfassung - 18.11.2020
End-of-Day report
Timeframe: Dienstag 17-11-2020 18:00 - Mittwoch 18-11-2020 18:00 Handler: Dimitri Robl Co-Handler: Robert WaldnerNews
When Security Controls Lead to Security Issues, (Wed, Nov 18th)
The job of security professionals is to protect customers assets and, even more, today, customers data. The security landscape is full of solutions that help to improve security by detecting (and blocking) threats knocking on the organizations doors. Sometimes, such solutions have side effects that go to the opposite direction and make customers more vulnerable to attacks.https://isc.sans.edu/diary/rss/26804
Evasive Maneuvers in Data Stealing Gateways
We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware payloads. During a recent investigation, we came across this example of a PHP script that attackers use for many different purposes. What makes the sample interesting is that alongside this PHP, we also found a few data-stealing scripts indicating that the code might have been used to send sensitive data to the attackers. Continue reading Evasivehttps://blog.sucuri.net/2020/11/evasive-maneuvers-in-data-stealing-gateways.html
WebNavigator Chromium browser published by search hijackers
A mystery Chromium browser recently made a sudden appearance, and is certainly proving popular. But what is it, and where did it come from?Nibiru ransomware variant decryptor
The Nibiru ransomware is a .NET-based malware family. It traverses directories in the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string "Nibiru" to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant.https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html
Large-Scale Attacks Target Epsilon Framework Themes
On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites ... For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to perform an exploit chain, though full Remote Code Execution(RCE) leading to site takeover is possible with these vulnerabilities.https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
Vorsicht vor COVID-19-Hilfsfonds: Unterstützungszahlungen in Millionenhöhe sind Betrug!
Die Corona-Krise ist für viele Menschen auch eine finanzielle Krise. Verschiedene Unterstützungsangebote sollen daher helfen, durch diese Zeit zu kommen. Aber Achtung! Werfen Sie einen genauen Blick darauf, wer Ihnen Geld anbietet. Denn: Derzeit werden betrügerische E-Mails von angeblichen COVID-19 Hilfsfonds versendet, in denen hohe Geldbeträge versprochen werden.Vulnerabilities
iTunes 12.11 for Windows
Foundation Impact: A local user may be able to read arbitrary files ImageIO Impact: Processing a maliciously crafted image may lead to arbitrary code execution libxml2 Impact: Processing maliciously crafted web content may lead to code execution libxml2 Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution WebKit Impact: Processing maliciously crafted web content may lead to arbitrary code execution Windows Security Impact: A malicious application may be able to access local users Apple IDshttps://support.apple.com/kb/HT211933
Tails 4.13: Anonymisierendes Betriebssystem bekommt wichtige Sicherheitsupdates
Die neue Version des Debian-basierten Live-Systems umfasst ein wenig Feinschliff an der Oberfläche, vor allem aber wichtige Security-Fixes.Tor Browser: Desktop-Version 10.0.5 mit Firefox-Sicherheitsupdates verfügbar
Für Windows, Linux und macOS steht eine neue Version des anonymisierenden Webbrowsers bereit. Die Android-Ausgabe soll bald folgen.Cisco Expressway Software Unauthorized Access Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-Expressway-8J3yZ7hV
Cisco Secure Web Appliance Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-nPzWZrQj
Cisco Webex Meetings API Cross-Site Scripting Vulnerability
Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability
Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability
Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability
Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd
Cisco Telepresence CE Software and RoomOS Software Unauthorized Token Generation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tp-uathracc-jWNESUfM
Cisco DNA Spaces Connector Command Injection Vulnerability
Cisco IoT Field Network Director Cross-Site Scripting Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-XSS-NzOPCGEc
Cisco IoT Field Network Director Improper Domain Access Control Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-UPWD-dCRPuQ78
Cisco IoT Field Network Director Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SSI-V2myWX9y
Cisco IoT Field Network REST API Insufficient Input Validation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-SQL-zEkBnL2h
Cisco IoT Field Network Director Unprotected Storage of Credentials Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-PWH-yCA6M7p
Cisco IoT Field Network Director File Overwrite Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-OVW-SHzOE3Pd
Cisco IoT Field Network Director Improper Access Control Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-LV-hE4Rntet
Cisco IoT Field Network Director Unauthenticated REST API Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-BCK-GHkPNZ5F
Cisco IoT Field Network Director SOAP API Authorization Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-AUTH-vEypBmmR
Cisco IoT Field Network Director Missing API Authentication Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-FND-APIA-xZntFS2V
Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-api-rce-UXwpeDHd
Security Advisory - Privilege Escalation Vulnerability in FusionCompute Product
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201118-01-privilege-en