End-of-Day report
Timeframe: Monday 07-12-2020 18:00 - Wednesday 09-12-2020 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
News
Credit card stealing malware bundles backdoor for easy reinstall
A nearly impossible-to-remove malware strain, set to activate automatically on Black Friday, was deployed on multiple Magento-powered online stores by threat actors, according to researchers at Dutch cyber-security company Sansec.
https://www.bleepingcomputer.com/news/security/credit-card-stealing-malware-bundles-backdoor-for-easy-reinstall/
Microsoft fixes new Windows Kerberos security bug in staged rollout
Microsoft has issued security updates to address a Kerberos security feature bypass vulnerability impacting multiple Windows Server versions in a two-phase staged rollout.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-new-windows-kerberos-security-bug-in-staged-rollout/
IT security: hackers steal hacking tools from FireEye
The security company is now trying to prevent the worst and is giving advice on defending against its own attack tools.
https://www.golem.de/news/it-security-hacker-klauen-hacking-werkzeuge-von-fireeye-2012-152688-rss.html
OpenSSL fixes memory error
An update removes a null-pointer access that, according to the advisory, can lead to a crash.
https://heise.de/-4985050
Threat Assessment: Egregor Ransomware
Unit 42 shares courses of action that can help mitigate tactics, techniques and procedures used with Egregor ransomware.
https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/
njRAT Spreading Through Active Pastebin Command and Control Tunnel
Malware authors have been leveraging njRAT (AKA Bladabindi), a Remote Access Trojan, to download and deliver second-stage payloads from Pastebin.
https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/
Warning: criminals are sending fraudulent e-mails in the name of FinanzOnline
Fraudsters are currently sending numerous e-mails in the name of the tax office. Allegedly, the recipient is due a tax refund of 1,850 euros.
https://www.watchlist-internet.at/news/achtung-kriminelle-versenden-betruegerische-mails-im-namen-von-finanzonline/
Vulnerabilities
Command injection: NSA warns of VMware vulnerability
The US intelligence agency NSA sees Russian actors behind attacks on a security vulnerability in VMware products.
https://www.golem.de/news/command-injection-nsa-warnt-vor-vmware-luecke-2012-152673-rss.html
D-Link Routers at Risk for Remote Takeover from Zero-Day Flaws
Critical vulnerabilities discovered by Digital Defense can allow attackers to gain root access and take over devices running the same firmware.
https://threatpost.com/d-link-routers-zero-day-flaws/162064/
Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams
A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially crafted chat message and compromise a target's system.
https://thehackernews.com/2020/12/zero-click-wormable-rce-vulnerability.html
ZDI-20-1400: (0Day) Realtek RTL8811AU Wi-Fi Driver rtwlane Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Realtek RTL8811AU Wi-Fi driver.
http://www.zerodayinitiative.com/advisories/ZDI-20-1400/
ZDI-20-1399: (0Day) Realtek RTL8811AU Wi-Fi Driver rtwlanu Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of the Realtek RTL8811AU Wi-Fi driver.
http://www.zerodayinitiative.com/advisories/ZDI-20-1399/
Update now: Cisco delivers the overdue update for the Security Manager vulnerability from November
A fix for a vulnerability rated "High" in Security Manager was still outstanding. Since proof-of-concept code is online, users should act now.
https://heise.de/-4983238
Patch day: Microsoft plugs critical holes in Exchange Server
Important security updates are available for download for Hyper-V, Office and Windows, among others. Some of the vulnerabilities are considered critical.
https://heise.de/-4984254
Critical vulnerability in the Python framework PyYAML threatens IBM Spectrum Protect
IBM has released important security updates for IBM Db2 and Spectrum Protect, among others.
https://heise.de/-4983755
Patch day: Adobe closes critical holes - but not in Flash
Security patches close malicious-code vulnerabilities in Adobe Experience Manager, Lightroom and Prelude.
https://heise.de/-4984303
Patch day: SAP updates block attack paths through partly critical vulnerabilities
In addition to a NetWeaver vulnerability with a CVSS "high score" of 10, SAP has removed numerous further security problems from its products on patch day.
https://heise.de/-4984262
Security updates for Tuesday
Security updates have been issued by Debian (minidlna, openssl, and trafficserver), Mageia (oniguruma, php-pear, python, python3, and x11vnc), openSUSE (minidlna), Oracle (kernel and net-snmp), Red Hat (kernel, mariadb-galera, microcode_ctl, and net-snmp), Slackware (seamonkey), SUSE (thunderbird and xen), and Ubuntu (xorg-server).
https://lwn.net/Articles/839311/
Security updates for Wednesday
Security updates have been issued by Debian (golang-golang-x-net-dev, python-certbot, and xorg-server), Fedora (resteasy, scap-security-guide, and vips), openSUSE (chromium, python, and rpmlint), SUSE (kernel), and Ubuntu (aptdaemon, curl, gdk-pixbuf, lxml, and openssl, openssl1.0).
https://lwn.net/Articles/839481/
December 2020 Android Updates Patch 46 Vulnerabilities
A total of 46 vulnerabilities were addressed this week with the release of the December 2020 security updates for Android.
https://www.securityweek.com/december-2020-android-updates-patch-46-vulnerabilities
Amnesia:33: TCP/IP vulnerabilities endanger millions of internet-capable devices
The 33 vulnerabilities are spread across four open-source libraries. Manufacturers in turn integrate these libraries into the firmware of routers, switches, printers and many other devices. Often these devices offer no option to update their software.
https://www.zdnet.de/88390349/amnesia33-tcp-ip-schwachstellen-gefaehrden-millionen-internetfaehige-geraete/
GE Healthcare Imaging and Ultrasound Products
This advisory contains mitigations for Unprotected Transport of Credentials, and Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in select GE Healthcare Imaging and Ultrasound products.
https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01
ICS-CERT Security Advisories - December 8th, 2020
Summary: ICS-CERT has released nine security advisories addressing vulnerabilities in ICS-related devices and software.
https://exchange.xforce.ibmcloud.com/collection/7b486a6b0dbeee0d5e268e11454c7e1e
Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK
IBM Security Bulletins
https://www.ibm.com/blogs/psirt/
Security Advisory - Information Disclosure Vulnerability in TE Mobile Software
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201209-01-informationleak-en
Security Advisory - CSV Injection Vulnerability in iManager NetEco Product
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20201209-01-csvinjection-en
LibTIFF vulnerability CVE-2018-18557
https://support.f5.com/csp/article/K70117303
Linux kernel vulnerability CVE-2017-10661
https://support.f5.com/csp/article/K04337834
Linux kernel vulnerability CVE-2017-18344
https://support.f5.com/csp/article/K07020416
NGINX Controller Agent vulnerability CVE-2020-27730
https://support.f5.com/csp/article/K43530108
Linux kernel vulnerability CVE-2018-18397
https://support.f5.com/csp/article/K83102920
Linux kernel vulnerability CVE-2018-1120
https://support.f5.com/csp/article/K42202505
Citrix Secure Mail for Android Security Update
https://support.citrix.com/article/CTX286763