Daily summary - 24.11.2020

End-of-Day report

Timeframe: Monday 23-11-2020 18:00 - Tuesday 24-11-2020 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Waiting for patches: critical VMware vulnerability endangers Linux and Windows systems

VMware software can be attacked via a zero-day vulnerability. So far there are only workarounds available for mitigation.

https://heise.de/-4969353


Fraudulent trading platforms: criminals advertise via comments on YouTube videos

In the comments of numerous popular YouTube videos - including Last Christmas by Wham! - there are tips on how to get rich through Bitcoin trading on the internet. Wrapped in a highly emotional story, a user reports how a certain Lyra Holt Dean helped him with trading. In the comment he also provides her e-mail address. Do not write to this address under any circumstances; it is a scam!

https://www.watchlist-internet.at/news/betruegerische-trading-plattformen-kriminelle-werben-mit-kommentaren-bei-youtube-videos/


Lookalike domains and how to outfox them

Our approach is more complex than simply registering lookalike domains to the company and enables real-time blocking of attacks that use such domains as soon as they appear.

https://securelist.com/lookalike-domains-and-how-to-outfox-them/99539/


Blackrota, a heavily obfuscated backdoor written in Go

Recently, a malicious backdoor program written in the Go language that exploits an unauthorized access vulnerability in the Docker Remote API was caught by our Anglerfish honeypot. We named it Blackrota, given that its C2 domain name is [...]

https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/


Hidden SEO Spam Link Injections on WordPress Sites

Often when a website is injected with SEO spam, the owner is completely unaware of the issue until they begin to receive warnings from search engines or blacklists. This is by design - attackers intentionally try to prevent detection by arranging injected links so they are not visible to average human traffic. One of the techniques attackers use is to "push" the injected SEO spam links off the visible portion of the website.

https://blog.sucuri.net/2020/11/hidden-seo-spam-link-injections-on-wordpress-sites.html


MedusaLocker Ransomware Analysis

The Cybereason Nocturnus Team has published an analysis of the MedusaLocker ransomware. MedusaLocker targets Windows systems and first appeared in 2019. Since then, it has reportedly been involved in many attacks targeting a number of industry sectors, but especially the healthcare sector.

https://exchange.xforce.ibmcloud.com/collection/9b5a2bd4954b29920abc8f39f0a0077a

Vulnerabilities

Citrix Hypervisor Security Update

A security issue has been identified that may allow privileged code running in a guest VM to compromise the host. This issue is limited to only those guest VMs where the host administrator has explicitly assigned a PCI passthrough device to the guest VM.

https://support.citrix.com/article/CTX286511


Xen Security Advisory XSA-355 - stack corruption from XSA-346 change

A malicious or buggy HVM or PVH guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Privilege escalation as well as information leaks cannot be excluded.

https://xenbits.xen.org/xsa/advisory-355.html


Security updates for Tuesday

Security updates have been issued by Fedora (chromium, microcode_ctl, and seamonkey), Mageia (f2fs-tools, italc, python-cryptography, python-pillow, tcpreplay, and vino), Oracle (thunderbird), Red Hat (bind, kernel, microcode_ctl, net-snmp, and Red Hat Virtualization), Scientific Linux (net-snmp and thunderbird), SUSE (kernel and mariadb), and Ubuntu (atftp, libextractor, pdfresurrect, and pulseaudio).

https://lwn.net/Articles/838255/


Synology-SA-20:25 Safe Access

Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Safe Access.

https://www.synology.com/en-global/support/security/Synology_SA_20_25


Red Hat JBoss Enterprise Application Platform: vulnerability allows SQL injection

https://www.cert-bund.de/advisoryshort/CB-K20-1161


OTRS: multiple vulnerabilities allow disclosure of information

https://www.cert-bund.de/advisoryshort/CB-K20-1159


Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Codec.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-wireline-is-vulnerable-to-apache-commons-codec/


Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - IBM SDK, Java Technology Edition v8.0.6.11

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-using-components-with-known-vulnerabilities-ibm-sdk-java-technology-edition-v8-0-6-11/


Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-vulnerable-to-arbitrary-code-execution-and-security-bypass-in-drupal-cve-2020-13664-cve-2020-13665-3/


[20201107] - Core - Write ACL violation in multiple core views

https://developer.joomla.org:443/security-centre/834-20201107-core-write-acl-violation-in-multiple-core-views.html


[20201106] - Core - CSRF in com_privacy emailexport feature

https://developer.joomla.org:443/security-centre/833-20201106-core-csrf-in-com-privacy-emailexport-feature.html


[20201105] - Core - User Enumeration in backend login

https://developer.joomla.org:443/security-centre/832-20201105-core-user-enumeration-in-backend-login.html


[20201104] - Core - SQL injection in com_users list view

https://developer.joomla.org:443/security-centre/831-20201104-core-sql-injection-in-com-users-list-view.html


[20201103] - Core - Path traversal in mod_random_image

https://developer.joomla.org:443/security-centre/830-20201103-core-path-traversal-in-mod-random-image.html


[20201102] - Core - Disclosure of secrets in Global Configuration page

https://developer.joomla.org:443/security-centre/829-20201102-core-disclosure-of-secrets-in-global-configuration-page.html


[20201101] - Core - com_finder ignores access levels on autosuggest

https://developer.joomla.org:443/security-centre/828-20201101-core-com-finder-ignores-access-levels-on-autosuggest.html