Daily summary - 01.12.2020

End-of-Day report

Timeframe: Monday 30-11-2020 18:00 - Tuesday 01-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

Banking malware Gootkit is back and is targeting PCs in Germany

CERT-Bund and several security researchers are warning of Trojan attacks. Infections, however, do not happen without further action on the user's part.

https://heise.de/-4976043


FBI warns of BEC scammers using email auto-forwarding in attacks

The FBI is warning U.S. companies about scammers actively abusing auto-forwarding rules on web-based email clients to increase the likelihood of successful Business Email Compromise (BEC) attacks.

https://www.bleepingcomputer.com/news/security/fbi-warns-of-bec-scammers-using-email-auto-forwarding-in-attacks/
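The abuse described above leaves a durable artefact: the forwarding rule itself. The following script is an added example (not from the FBI alert or the article) that audits an export of mailbox rules for enabled rules that forward or redirect mail to a domain outside the organisation, and scores the classic BEC pattern of forwarding finance-related mail to a look-alike domain while deleting the original. It assumes the rules were exported in the shape of Exchange Online's `Get-InboxRule | ConvertTo-Json` output (property names ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, SubjectOrBodyContainsWords); the sample export, the mailboxes and the look-alike domain examp1e.com are constructed.

```python
"""Flag inbox rules that auto-forward mail outside the organisation.

Added example, not from the FBI alert or the article. Assumes a rule export
shaped like Exchange Online's `Get-InboxRule | ConvertTo-Json`; the sample
export below is constructed.
"""
import json
import re

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domains

# Matches the SMTP address inside entries such as '"Name" [SMTP:user@host]'.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample export: one benign move rule, one BEC-style rule
# (forwards finance mail to a look-alike domain and deletes the original),
# and one internal redirect that must not be flagged.
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "alice@example.com", "Name": "Archive newsletters",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False,
     "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "alice@example.com", "Name": ".",
     "Enabled": True, "ForwardTo": ['"" [SMTP:finance-team@examp1e.com]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment", "wire"]},
    {"MailboxOwnerId": "bob@example.com", "Name": "Copy to assistant",
     "Enabled": True, "ForwardTo": [], "RedirectTo": ["carol@example.com"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
])


def forwarding_targets(rule):
    """All addresses a rule forwards or redirects to, lower-cased."""
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(key) or []:
            targets.extend(m.lower() for m in ADDR_RE.findall(entry))
    return targets


def audit_inbox_rules(export_json, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per enabled rule that sends mail to an external domain."""
    findings = []
    for rule in json.loads(export_json):
        if not rule.get("Enabled", True):
            continue
        external = [a for a in forwarding_targets(rule)
                    if a.rsplit("@", 1)[1] not in internal_domains]
        if not external:
            continue
        reasons = ["forwards to external address: " + ", ".join(external)]
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original, hiding the forward from the owner")
        if rule.get("SubjectOrBodyContainsWords"):
            reasons.append("keyword filter: "
                           + ", ".join(rule["SubjectOrBodyContainsWords"]))
        if len(rule.get("Name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        findings.append({"mailbox": rule["MailboxOwnerId"],
                         "rule": rule["Name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_EXPORT):
        print(f["mailbox"], repr(f["rule"]), "->", "; ".join(f["reasons"]))
```

Only the second rule is reported, with all four indicators. Run against a real export, the list of external targets is the part worth reviewing by hand, since legitimate forwarding to a partner domain does exist; the delete-and-keyword combination is what distinguishes a BEC rule from a convenience rule.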


Critical Oracle WebLogic flaw actively exploited by DarkIRC malware

A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit the CVE-2020-14882 remote code execution (RCE) vulnerability fixed by Oracle two months ago.

https://www.bleepingcomputer.com/news/security/critical-oracle-weblogic-flaw-actively-exploited-by-darkirc-malware/


IceRat evades antivirus by running PHP on Java VM

IceRat keeps low detections rates for weeks by using an unusual language implementation: JPHP. But there are more reasons than the choice of the compiler. This article explores IceRat and explains a way to analyze JPHP malware.

https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp


How prevalent is DNS spoofing? Could a repeat of the Dyn/Mirai DDoS attack have the same results?

Two separate groups of academics have recently released research papers based on research into the Domain Name System (DNS). One has found that the overwhelming majority of popular site operators haven't learned from the 2016 Dyn/Mirai attack and have not set up a backup DNS server; the other has shown that the rate of DNS spoofing, though still very small, has more than doubled in less than seven years.

https://www.helpnetsecurity.com/2020/12/01/dns-spoofing/


Xanthe - Docker aware miner

Ransomware attacks and big-game hunting are making the headlines, but adversaries use plenty of other methods to monetize their efforts in less intrusive ways. Cisco Talos recently discovered a cryptocurrency-mining botnet attack that Talos calls "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats.

https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html


Docker malware is now common, so devs need to take Docker security seriously

Three years after the first malware attacks targeting Docker, developers are still misconfiguring and exposing their Docker servers online.

https://www.zdnet.com/article/docker-malware-is-now-common-so-devs-need-to-take-docker-security-seriously/
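Both the Xanthe item and the ZDNet item above come down to the same misconfiguration: a Docker daemon whose API listens on TCP without client authentication, which hands anyone who can reach the port root-equivalent control of the host. The script below is an added example (not from Talos, ZDNet or the Docker project) that checks a `daemon.json` for that condition and distinguishes the three states an operator can end up in: plaintext TCP, TLS without client verification (`tls` only), and TLS with client certificates (`tlsverify`). The key names `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are dockerd's own configuration keys; the three sample configurations are constructed.

```python
"""Check a Docker daemon.json for an API listener reachable without client auth.

Added example, not from the Talos or ZDNet articles or the Docker project.
The sample configurations are constructed.
"""
import json

# Constructed: the exposed state that Docker-targeting botnets scan for.
EXPOSED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Constructed: encrypted but unauthenticated; "tls" alone does not verify clients.
ENCRYPTED_ONLY = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"], "tls": True,
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})
# Constructed: the hardened state, client certificates required.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_BINDS = {"", "0.0.0.0", "::", "[::]"}


def _bind_host(tcp_url):
    """Host part of a dockerd tcp:// listener, e.g. 'tcp://0.0.0.0:2375' -> '0.0.0.0'."""
    hostport = tcp_url[len("tcp://"):]
    if hostport.startswith("["):                 # bracketed IPv6 literal
        return hostport.split("]", 1)[0] + "]"
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def check_daemon_config(text):
    """Return (severity, message) findings for every TCP listener in a daemon.json."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                             # unix:// and fd:// stay on the host
        bind = _bind_host(host)
        where = "all interfaces" if bind in WILDCARD_BINDS else bind
        if cfg.get("tlsverify"):
            continue                             # client certificate required: fine
        if cfg.get("tls"):
            findings.append(("MEDIUM", f"{host} on {where}: TLS encrypts the channel, "
                                       "but without tlsverify any client is accepted"))
        elif bind in WILDCARD_BINDS:
            findings.append(("CRITICAL", f"{host} on {where}: plaintext Docker API "
                                         "with no authentication; remote root on the host"))
        else:
            findings.append(("HIGH", f"{host} on {where}: plaintext Docker API; "
                                     "anyone reaching this address controls the host"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("tls only", ENCRYPTED_ONLY),
                       ("hardened", HARDENED)):
        print(label, "->", check_daemon_config(cfg) or "ok")
```

The same check applies to a `dockerd -H tcp://...` command line or a systemd unit that passes `-H`; a listener on a loopback address is downgraded rather than ignored because any local user or container that can reach the port still gets full control of the daemon.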

Vulnerabilities

GO SMS Pro Vulnerable to File Theft: Part 2

Last week we released an advisory about an SMS app called GO SMS Pro. Media files sent via text in the app are stored insecurely on a publicly accessible server. With some very minor scripting, it is trivial to throw a wide net around that content. While it's not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you. [...] It seems like GOMO is attempting to fix the issue, but a complete fix is still not available in the app.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/go-sms-pro-vulnerable-to-file-theft-part-2/


Multiple (RCE) Vulnerabilities in Micro Focus Operations Bridge Manager

After analysing OBM, I found a mountain of critical security vulnerabilities that when combined result in a complete compromise of the application:
- Use of Hard-coded Credentials
- Insecure Java Deserialization (an incredible total of 41 of them)
- Use of Outdated and Insecure Java Libraries
- Incorrect Default Folder Permissions (resulting in Privilege Escalation to SYSTEM)
All of these vulnerabilities affect the latest version, 2020.05, and possibly earlier versions. Both Windows and Linux installations are affected, except for the privilege escalation, which only affects Windows.

https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md


WebKitGTK and WPE WebKit Security Advisory WSA-2020-0009

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

https://webkitgtk.org/security/WSA-2020-0009.html


QNAP QTS: Multiple vulnerabilities allow code execution

https://www.cert-bund.de/advisoryshort/CB-K20-1181


Foxit Phantom PDF Suite: Vulnerability allows an unspecified attack

https://www.cert-bund.de/advisoryshort/CB-K20-1180


HCL Domino: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K20-1177


Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-buffer-overflow-cve-2020-4701-2/


Security Bulletin: Information disclosure vulnerability may affect IBM Business Automation Workflow - CVE-2020-4900

https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-may-affect-ibm-business-automation-workflow-cve-2020-4900-2/


Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows

https://www.ibm.com/blogs/psirt/security-bulletin-node-js-upgrade-for-ibm-cloud-pak-for-data-streams-flows-2/


Security Bulletin: Node.js module upgrade for IBM Cloud Pak for Data Streams Flows

https://www.ibm.com/blogs/psirt/security-bulletin-node-js-module-upgrade-for-ibm-cloud-pak-for-data-streams-flows/


Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Application Server affects IBM Voice Gateway

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-ibm-websphere-application-server-affects-ibm-voice-gateway/


Security Bulletin: A security vulnerability in Node.js affects IBM Voice Gateway

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-affects-ibm-voice-gateway/


Security Bulletin: Node.js upgrade for IBM Cloud Pak for Data Streams Flows

https://www.ibm.com/blogs/psirt/security-bulletin-node-js-upgrade-for-ibm-cloud-pak-for-data-streams-flows/


Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-ibm-java-sdk-affects-ibm-voice-gateway-3/


Security Bulletin: IBM® Db2® could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. (CVE-2020-4739)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-authenticated-attacker-to-execute-arbitrary-code-on-the-system-caused-by-dll-search-order-hijacking-vulnerability-in-microsoft-windows-clie-3/