Daily summary - 25.02.2020

End-of-Day report

Timeframe: Monday 24-02-2020 18:00 - Tuesday 25-02-2020 18:00 Handler: Robert Waldner Co-Handler: n/a

News

Network Traffic Analysis for IR - Discovering RATs

Discovering RATs is not an easy task, as they neither show up on running processes nor slow down the computer speed. Nevertheless, incident response (IR) teams can perform a network traffic analysis to discover RATs.

https://resources.infosecinstitute.com/network-traffic-analysis-for-ir-discovering-rats/


VB2019 paper: Static analysis methods for detection of Microsoft Office exploits

Today we publish the VB2019 paper and presentation by McAfee researcher Chintan Shah in which he described static analysis methods for the detection of Microsoft Office exploits.

https://www.virusbulletin.com:443/blog/2020/02/vb2019-paper-static-analysis-methods-detection-microsoft-office-exploits/


Five years of updates: BSI defines requirements for secure smartphones

The BSI is publishing a catalogue of smartphone security criteria that could later feed into the IT-Sicherheitskennzeichen (IT security label).

https://heise.de/-4667637


ENISA publishes procurement guidelines for cybersecurity in hospitals

The Procurement Guidelines for Cybersecurity in Hospitals published by the Agency is designed to support the healthcare sector in taking informative decisions on cybersecurity when purchasing new hospital assets. It provides the information to be included in the procurement requests that hospitals publish in order to obtain IT equipment.

https://www.helpnetsecurity.com/2020/02/25/cybersecurity-procurement-hospitals/


PayPal accounts abused en-masse for unauthorized payments

Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account. ... On February 25, 07:30am ET, PayPal told ZDNet that they have addressed the issue being exploited over the weekend.

https://www.zdnet.com/article/paypal-accounts-are-getting-abused-en-masse-for-unauthorized-payments/

Vulnerabilities

Signature Validation Bypass Leading to RCE In Electron-Updater

As part of a security engagement for one of our customers, we have reviewed the update mechanism performed by Electron Builder, and discovered an overall lack of secure coding practices. In particular, we identified a vulnerability that can be leveraged to bypass the signature verification check hence leading to remote command execution.

https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypass.html


McAfee's WebAdvisor for Chrome and Firefox can invite hackers in

There are important security updates for McAfee's web browser extension WebAdvisor.

https://heise.de/-4667767


Zyxel Fixes 0day in Network Storage Devices

The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054. However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel's advice for those users is simply "do not leave the product directly exposed to the internet."

https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/


Multiple Cross-site Scripting (XSS) Vulnerabilities in PHP-Fusion CMS

Business recommendation: Update to the latest version of PHP-Fusion.

https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xss-vulnerabilities-in-php-fusion-cms/


Security updates for Tuesday

Security updates have been issued by Debian (curl and otrs2), Fedora (NetworkManager-ssh and python-psutil), Mageia (ipmitool, libgd, libxml2_2, nextcloud, radare2, and upx), openSUSE (inn and sudo), Oracle (kernel, ksh, python-pillow, and thunderbird), Red Hat (curl, kernel, nodejs:10, nodejs:12, procps-ng, rh-nodejs10-nodejs, ruby, and systemd), SUSE (dpdk, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libexif, libvpx, nodejs10, nodejs8, openssl1, pdsh, slurm_18_08, python-azure-agent, python3, webkit2gtk3), Ubuntu (libapache2-mod-auth-mellon, libpam-radius-auth, rsync).

https://lwn.net/Articles/813250/


D-LINK router: Multiple vulnerabilities allow code execution

D-LINK Router DIR-867, D-LINK Router DIR-878, D-LINK Router DIR-882: An anonymous attacker from the adjacent network can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code.

http://www.cert-bund.de/advisoryshort/CB-K20-0159


Security Bulletin: IBM QRadar Advisor With Watson App for IBM QRadar SIEM uses weaker than expected cryptographic algorithms (CVE-2019-4557)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-watson-app-for-ibm-qradar-siem-uses-weaker-than-expected-cryptographic-algorithms-cve-2019-4557-2/


Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affect-financial-transaction-manager-for-corporate-payment-services/


Security Bulletin: IBM QRadar Advisor With Watson App for IBM QRadar SIEM uses weaker than expected cryptographic algorithms (CVE-2019-4557)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-watson-app-for-ibm-qradar-siem-uses-weaker-than-expected-cryptographic-algorithms-cve-2019-4557/


Linux sudo process vulnerability CVE-2019-18634

https://support.f5.com/csp/article/K91327225?utm_source=f5support&utm_medium=RSS


PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks

https://cert.vde.com/de-de/advisories/vde-2020-002