Daily summary - 20.11.2020

End-of-Day report

Timeframe: Thursday 19-11-2020 18:00 - Friday 20-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a

News

IAM-Driven Biometrics: The Security Issues with Biometric Identity and Access Management

The increase of cybersecurity incidents brings along a higher demand for enhanced security protections. Thus, in the attempt of preventing unauthorized third parties from accessing their accounts and sensitive data, companies are increasingly turning to biometric authentication. Contemporary Identity and Access Management (IAM) technologies have moved beyond basic login methods based on usernames and passwords.

https://heimdalsecurity.com/blog/iam-driven-biometrics/


[SANS ISC] Malicious Python Code and LittleSnitch Detection

I published the following diary on isc.sans.edu: -Malicious Python Code and LittleSnitch Detection-: We all run plenty of security tools on our endpoints. Their goal is to protect us by preventing infection (or trying to prevent it). But all those security tools are present on our devices like normal applications

https://blog.rootshell.be/2020/11/20/sans-isc-malicious-python-code-and-littlesnitch-detection/


The malware that usually installs ransomware and you need to remove right away

[...] This article focuses on the known malware strains that have been used over the past two years to install ransomware. [...] Once any of these malware strains are detected, system administrators should drop everything, take systems offline, and audit and remove the malware as a top priority. ZDNet will keep the list up to date going forward.

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/


Exploiting dynamic rendering engines to take control of web apps

tl;dr:
- Dynamic rendering is a technique used to serve prerendered web site pages to crawlers (e.g., Google search engine, Slack or Twitter bots, etc.)
- The most popular open source applications for dynamic rendering are Rendertron and Prerender; both of which may introduce vulnerabilities to a network if used improperly.

https://r2c.dev/blog/2020/exploiting-dynamic-rendering-engines-to-take-control-of-web-apps/


Consul by HashiCorp: from Infoleak to RCE

Consul is a software first released in 2014 for DNS-based service discovery. It provides distributed key-value storage, segmentation, and configuration. Registered services and nodes can be queried using a DNS interface or an HTTP interface. [...] An attacker can use public access to the system to obtain information about the infrastructure and its configuration.

https://lab.wallarm.com/consul-by-hashicorp-from-infoleak-to-rce/


WordPress Malware Setting Up SEO Shops

While recently looking over my honeypots, I discovered an infection where a malicious actor added a storefront on top of my existing WordPress installation. For background, this particular honeypot is a full instance of WordPress running on a Docker image. The administrator credentials are intentionally weak, in order to give those with malicious intent easy access. This way I can examine what attacks the vulnerable site will undergo and what the login access will be used for.

https://blogs.akamai.com/sitr/2020/11/wordpress-malware-setting-up-seo-shops.html


Purgalicious VBA: Macro Obfuscation With VBA Purging

Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in February 2020.

http://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html


Demystifying two common misconceptions with e-commerce security

HTTPS and iframe containers augment security, but are not a panacea for online shoppers and merchants.

https://blog.malwarebytes.com/cybercrime/2020/11/demystifying-two-common-misconceptions-with-e-commerce-security/


Caution: Numerous fake shops advertise Black Friday deals

In one week it will be time: Black Friday makes the hearts of bargain hunters beat faster. From Monday, Cyber Week begins, during which consumers can already enjoy discounts in online retail before Black Friday. But be careful while hunting for bargains. At this time of year it is not only online retailers who do good business, but fraudsters as well.

https://www.watchlist-internet.at/news/vorsicht-zahlreiche-fake-shops-werben-mit-black-friday-deals/


IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance

IAMFinder is a custom open-source tool that can identify users and IAM roles in AWS accounts, showing where to harden IAM configurations.

https://unit42.paloaltonetworks.com/iamfinder/

Vulnerabilities

About the security content of macOS Big Sur 11.0.1

The macOS Big Sur 11.0.1 software update is available for Mac mini (M1, 2020), MacBook Air (M1, 2020), and MacBook Air (13-inch, 2020), and together with macOS 11.0 includes the security content listed in this advisory.

https://support.apple.com/en-us/HT211982


VMSA-2020-0026 VMware ESXi, Workstation and Fusion updates address use-after-free and privilege escalation vulnerabilities (CVE-2020-4004, CVE-2020-4005)

Multiple vulnerabilities in VMware ESXi, Workstation and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

https://www.vmware.com/security/advisories/VMSA-2020-0026.html


VMSA-2020-0023 Updates

Updated security advisory to add Workstation 15.x version in the response matrix of section 3(c) and 3(d).

https://www.vmware.com/security/advisories/VMSA-2020-0023.html


VMSA-2020-0020 Updates

Updated security advisory to add Fusion 11.x version in the response matrix of section 3(a) and Workstation 15.x version in the response matrix of section 3(b), 3(c) & 3(d).

https://www.vmware.com/security/advisories/VMSA-2020-0020.html


Security updates for Friday

Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin).

https://lwn.net/Articles/837915/


CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance

A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

https://support.citrix.com/article/CTX267027


Security Bulletin: Cryptographic Vulnerability Affects Map Editor in IBM Sterling B2B Integrator (CVE-2020-4937)

https://www.ibm.com/blogs/psirt/security-bulletin-cryptographic-vulnerability-affects-map-editor-in-ibm-sterling-b2b-integrator-cve-2020-4937/


Security Bulletin: Vulnerability CVE-2020-4788 in the IBM Power9 processor affects IBM i

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2020-4788-in-the-ibm-power9-processor-affects-ibm-i/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-business-developer-2/


Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management

https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerabilities-from-kernel-affect-ibm-netezza-host-management-10/


Security Bulletin: InfoSphere Master Data Management 11.6 affected due to vulnerability in OpenSSL

https://www.ibm.com/blogs/psirt/security-bulletin-infosphere-master-data-management-11-6-affected-due-to-vulnerability-in-openssl/


Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-authenticated-attacker-to-execute-arbitrary-code-on-the-system-caused-by-dll-search-order-hijacking-vulnerability-in-microsoft-windows-clie/


Security Bulletin: IBM has released AIX and VIOS iFixes in response to a vulnerability in IBM POWER9 (CVE-2020-4788)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-released-aix-and-vios-ifixes-in-response-to-a-vulnerability-in-ibm-power9-cve-2020-4788/


Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2020 - Includes Oracle Apr 2020 CPU minus CVE-2020-2773 affects IBM MQ

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-apr-2020-includes-oracle-apr-2020-cpu-minus-cve-2020-2773-affects-ibm-mq/