End-of-Day report
Timeframe: Thursday 10-12-2020 18:00 - Thursday 10-12-2020 18:00
Handler: Stephan Richter
Co-Handler: Dimitri Robl
News
Qbot malware switched to stealthy new Windows autostart method
A new Qbot malware version now activates its persistence mechanism right before infected Windows devices shut down, and it automatically removes any traces when the system restarts or wakes up from sleep.
https://www.bleepingcomputer.com/news/security/qbot-malware-switched-to-stealthy-new-windows-autostart-method/
Adobe Flash Player: Now it is finally over
For years the end of Adobe Flash Player has been announced. In January 2021 it is now actually supposed to happen.
https://www.golem.de/news/adobe-flash-player-jetzt-ist-endgueltig-schluss-2012-152739.html
Python Backdoor Talking to a C2 Through Ngrok, (Thu, Dec 10th)
I spotted a malicious Python script that implements a backdoor. The interesting behavior is the use of Ngrok to connect to the C2 server. Ngrok has been used for a while by attackers. Like most services available on the Internet, it has been abused by attackers for a long time.
https://isc.sans.edu/diary/rss/26866
PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL
PGMiner is a novel Linux-based cryptocurrency mining botnet that exploits a disputed PostgreSQL remote code execution vulnerability.
https://unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/
Hackers are selling more than 85,000 SQL databases on a dark web portal
Hackers break into databases, steal their content, hold it for ransom for 9 days, and then sell it to the highest bidder if the DB owner doesn't want to pay the ransom demand.
https://www.zdnet.com/article/hackers-are-selling-more-than-85000-sql-databases-on-a-dark-web-portal/
Proof-of-concept exploit code published for new Kerberos Bronze Bit attack
The Kerberos Bronze Bit attack can allow intruders to bypass authentication and access sensitive network services.
https://www.zdnet.com/article/proof-of-concept-exploit-code-published-for-new-kerberos-bronze-bit-attack/
Vulnerabilities
Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites
On November 4, 2020, the Wordfence Threat Intelligence team found two reflected Cross-Site Scripting (XSS) vulnerabilities in PageLayer, a WordPress plugin installed on over 200,000 sites. These vulnerabilities could lead to an attacker executing malicious JavaScript in an administrator's browser, which could lead to takeover of a vulnerable WordPress site. We contacted the plugin's publisher, ...
https://www.wordfence.com/blog/2020/12/reflected-xss-in-pagelayer-plugin-affects-over-200000-wordpress-sites/
Security updates for Thursday
Security updates have been issued by Arch Linux (ant, cimg, containerd, libproxy, libproxy-mozjs, libproxy-webkit, libslirp, python-lxml, tomcat8, tomcat9, and xorg-server), CentOS (firefox and thunderbird), Debian (apt, linux-4.19, python-apt, and sqlite3), Fedora (ceph, chromium, containerd, matrix-synapse, mingw-openjpeg2, openjpeg2, python-authlib, python-canonicaljson, and spice-gtk), Mageia (chromium-browser-stable), openSUSE (chromium and pngcheck), Slackware (curl), SUSE (clamav, curl,
https://lwn.net/Articles/839668/
Serious Vulnerabilities in Dualog Connection Suite
TL;DR: The flaws found in this maritime comms and connection suite were many, and not insignificant: directory traversal; 2FA challenge/response performed in a client-side application; default install password; SQL [-]
https://www.pentestpartners.com/security-blog/serious-vulnerabilities-in-dualog-connection-suite/
Medtronic MyCareLink
This advisory contains mitigations for Improper Authentication, Heap-based Buffer Overflow, and Time-of-check Time-of-use Race Condition vulnerabilities in the Medtronic MyCareLink Patient Reader.
https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01
Mitsubishi Electric MELSEC iQ-F Series
This advisory contains mitigations for an Improper Check or Handling of Exceptional Conditions vulnerability in Mitsubishi Electric's MELSEC iQ-F series FX5U(C) CPU modules.
https://us-cert.cisa.gov/ics/advisories/icsa-20-345-01
Host Engineering H2-ECOM100 Module
This advisory contains mitigations for an Improper Input Validation vulnerability in the Host Engineering ECOM100 Module, an Ethernet communications module for PLC systems.
https://us-cert.cisa.gov/ics/advisories/icsa-20-345-02
Gafgyt Using Pulse Secure Vulnerability
Summary: A vulnerability in Pulse Secure's Connect VPN framework is being exploited by Gafgyt. Avira details how this exploit works in a new blog. Threat Type: Malware, Vulnerability. Overview: Avira Labs has observed an increase in IoT malware binaries. These binaries have the capability to exploit CVE-2020-8218. This increase led to the discovery of a new variant of Gafgyt. Its functionality is mostly the same as the original Gafgyt, with some inclusion of functionality from other malware
https://exchange.xforce.ibmcloud.com/collection/02145e80d8a7b87b486015b358849987
Cisco Jabber Desktop and Mobile Client Software Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO
Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise V11 ( CVE-2020-8244)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-app-connect-enterprise-v11-cve-2020-8244/
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect (CVE-2019-1552)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-integration-bus-and-ibm-app-connect-cve-2019-1552/
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-node-js/
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Codec
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-apache-commons-codec/
Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js in IBM Cloud
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-sdk-for-node-js-in-ibm-cloud-4/
Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-apache-struts-affect-ibm-sterling-file-gateway-cve-2019-0233-cve-2019-0230-3/
Security Bulletin: Vulnerability in Hibernate Validator affects Liberty for Java for IBM Cloud (CVE-2020-10693)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-hibernate-validator-affects-liberty-for-java-for-ibm-cloud-cve-2020-10693/
Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow (CVE-2020-4701)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-buffer-overflow-cve-2020-4701-3/
Security Bulletin: JRE vulnerability (CVEID: 178768) impacts IBM Aspera High-Speed Transfer Server/IBM Aspera High-Speed Transfer Endpoint version 3.9.6.2 and earlier
https://www.ibm.com/blogs/psirt/security-bulletin-jre-vulnerability-cveid-178768-impacts-ibm-aspera-high-speed-transfer-server-ibm-aspera-high-speed-transfer-endpoint-version-3-9-6-2-and-earlier/
Security Bulletin: Vulnerability in ksu affects AIX (CVE-2020-4829)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ksu-affects-aix-cve-2020-4829/
Symantec Messaging Gateway: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K20-1222