Daily summary - 03.12.2020

End-of-Day report

Timeframe: Wednesday 02-12-2020 18:00 - Thursday 03-12-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

APT groups: Turla and others disguise attacks behind seemingly harmless activity

Espionage malware from the Turla gang, which is presumably state-funded, uses Dropbox for data theft. In another case, coin mining was used to conceal something worse.

https://heise.de/-4978541


Study: Vulnerabilities in open-source software typically go undetected for four years

Patches are usually available within four weeks. In addition, only 17 percent of the registered vulnerabilities are to be classified as "malicious". GitHub regards open-source software as "critical infrastructure".

https://www.zdnet.de/88390280/studie-schwachstellen-in-open-source-software-bleiben-in-der-regel-vier-jahre-unentdeckt/


What did DeathStalker hide between two ferns?

While tracking DeathStalker's Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware "PowerPepper".

https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/


Xerox DocuShare Bugs Allow Data Leaks

CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes.

https://threatpost.com/xerox-docushare-bugs/161791/


Another LILIN DVR 0-day being used to spread Mirai

In March, we reported[1] that multiple botnets, including Chalubo, Fbot and Moobot, were using the same 0-day vulnerability to attack LILIN DVR devices; the vendor soon fixed the vulnerability. On August 26, 2020, our Anglerfish honeypot detected that another new LILINDVR/ [...]

https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/


Adventures in Anti-Gravity (Part II)

Here we continue to deconstruct a Mac variant of GravityRAT (the cross-platform spyware, known to target the Indian armed forces), focusing on its Electron component.

https://objective-see.com/blog/blog_0x5C.html


TrickBot Malware Gets UEFI/BIOS Bootkit Feature to Remain Undetected

TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system. The new functionality, dubbed "TrickBoot" by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known [...]

https://thehackernews.com/2020/12/trickbot-malware-gets-uefibios-bootkit.html


Spamhaus Intelligence API: Free threat intelligence data for security developers

Spamhaus Technology releases its Intelligence API. This is the first time Spamhaus has released its extensive threat intelligence via an API, providing enriched data relating to IP addresses exhibiting compromised behaviour. Available free of charge, it lets developers readily access enhanced data that catalogues IP addresses compromised by malware, worms and Trojan infections, devices controlled by botnets, and third-party exploits such as open proxies. The API features live and historical data, [...]

https://www.helpnetsecurity.com/2020/12/03/spamhaus-intelligence-api/


Open Source Tool Helps Secure Siemens PCS 7 Control Systems

Industrial cybersecurity company OTORIO has released an open source tool designed to help organizations harden Siemens' SIMATIC PCS 7 distributed control systems (DCS).

https://www.securityweek.com/open-source-tool-helps-secure-siemens-pcs-7-control-systems

Vulnerabilities

Google Play Apps Remain Vulnerable to High-Severity Flaw

Patches for a flaw (CVE-2020-8913) in the Google Play Core Library have not been implemented by several popular Google Play apps, including Cisco Teams and Edge.

https://threatpost.com/google-play-apps-remain-vulnerable-to-high-severity-flaw/161785/


iCloud for Windows 11.5

Foundation: A local user may be able to read arbitrary files
ImageIO: Processing a maliciously crafted image may lead to arbitrary code execution
ImageIO: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
libxml2: Processing maliciously crafted web content may lead to code execution
libxml2: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
libxml2: Processing a maliciously crafted file may lead to arbitrary code execution
SQLite: A remote attacker may be able to cause a denial of service
SQLite: A remote attacker may be able to cause arbitrary code execution
SQLite: A remote attacker may be able to leak memory
SQLite: A maliciously crafted SQL query may lead to data corruption
WebKit: Processing maliciously crafted web content may lead to arbitrary code execution

https://support.apple.com/kb/HT211935


Security updates for Thursday

Security updates have been issued by Mageia (cimg, pngcheck, poppler, tor, and xdg-utils), openSUSE (mariadb), Red Hat (go-toolset-1.14-golang), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon).

https://lwn.net/Articles/838870/


Mozilla Foundation Security Advisory 2020-53

In security advisory 2020-53, the Mozilla Foundation describes a stack overflow vulnerability (CVE-2020-26970) patched in Thunderbird 78.5.1. The issue was caused by writing an SMTP server status integer value on the stack designed to only hold one byte. This could potentially corrupt the stack which might be exploitable.

https://exchange.xforce.ibmcloud.com/collection/0f933021879b159a96ec238084392321


Red Hat Enterprise Linux: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K20-1190


Security Bulletin: Vulnerability in PyYAML affects IBM Spectrum Protect Plus Container and Microsoft File Systems Agents (CVE-2020-1747)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-pyyaml-affects-ibm-spectrum-protect-plus-container-and-microsoft-file-systems-agents-cve-2020-1747/


Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a 3rd party cryptographic vulnerability (CVE-2020-4254)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-big-data-intelligence-sonarg-is-affected-by-a-3rd-party-cryptographc-vulnerability-cve-2020-4254/


Security Bulletin: A security bypass vulnerability in Apache Solr (lucene) affects IBM InfoSphere Information Server

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-bypass-vulnerability-in-apache-solr-lucene-affects-ibm-infosphere-information-server/


Security Bulletin: Multiple vulnerabilities in IBM Java affect IBM Netezza Analytics

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-affect-ibm-netezza-analytics/


Security Bulletin: Multiple security vulnerabilities with Administration Console for Content Platform Engine component in IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-4447, CVE-2020-4759

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-with-administration-console-for-content-platform-engine-component-in-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2/