End-of-Day report
Timeframe: Tuesday 07-04-2020 18:00 - Wednesday 08-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Web server security: Infrastructure components
Cybercriminals understand that your website is not only the face of your organization, but often also its weakest link. With just one misconfigured port, malicious spearphishing email or unpatched vulnerability, an attacker can deploy a range of techniques and tools to enter and then move undetected throughout a network to find a valuable target.
https://resources.infosecinstitute.com/web-server-security-infrastructure-components/
FIN6 and TrickBot Combine Forces in 'Anchor' Attacks
FIN6 fingerprints were spotted in recent cyberattacks that initially infected victims with the TrickBot trojan, and then eventually downloaded the Anchor backdoor malware.
https://threatpost.com/fin6-and-trickbot-combine-forces-in-anchor-attacks/154508/
Microsoft shares new threat intelligence, security guidance during global crisis
Our threat intelligence shows that COVID-19 themed threats are retreads of existing attacks that have been slightly altered to tie to the pandemic. We're seeing a changing of lures, not a surge in attacks. These attacks are settling into the normal ebb and flow of the threat environment.
https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-threat-intelligence-security-guidance-during-global-crisis/
DDG botnet, round X, is there an ending?
DDG is a mining botnet that we first blogged about in Jan 2018; we reported back then that it had made a profit somewhere between 5.8 million and 9.8 million RMB (about 820,000 to 1.4 million US dollars), [...]
https://blog.netlab.360.com/an-update-on-the-ddg-botnet/
COVID-19 Exploited by Malicious Cyber Actors
This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC). This alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for [...]
https://www.us-cert.gov/ncas/alerts/aa20-099a
New dark_nexus IoT Botnet Puts Others to Shame
Bitdefender researchers have recently found a new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we've seen.
https://labs.bitdefender.com/2020/04/new-dark_nexus-iot-botnet-puts-others-to-shame/
Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation
This blog post continues the FLARE script series with a discussion of patching IDA Pro database files (IDBs) to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won't always successfully execute in a VM. I use IDA Pro's Bochs integration in IDB mode to sidestep tedious debugging scenarios and get quick results.
http://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html
These hackers have been quietly targeting Linux servers for years
Researchers at Blackberry detail a newly uncovered hacking campaign that has been operating successfully against unpatched open-source servers for the best part of a decade.
https://www.zdnet.com/article/these-hackers-have-been-quietly-targeting-linux-servers-for-years/
Vulnerabilities
Advantech WebAccess/NMS
This advisory contains mitigations for multiple vulnerabilities in Advantech's WebAccess/NMS network management system.
https://www.us-cert.gov/ics/advisories/icsa-20-098-01
GE Digital CIMPLICITY
This advisory contains mitigations for a privilege escalation vulnerability in GE Digital CIMPLICITY HMI/SCADA products.
https://www.us-cert.gov/ics/advisories/icsa-20-098-02
HMS Networks eWON Flexy and Cosy
This advisory contains mitigations for a cross-site scripting vulnerability in HMS Networks eWON Flexy and Cosy Industrial VPN routers.
https://www.us-cert.gov/ics/advisories/icsa-20-098-03
Fuji Electric V-Server Lite
This advisory contains mitigations for a heap-based buffer overflow vulnerability in Fuji Electric's V-Server Lite data collection and management service.
https://www.us-cert.gov/ics/advisories/icsa-20-098-04
KUKA.Sim Pro
https://www.us-cert.gov/ics/advisories/icsa-20-098-05
Security updates for Wednesday
Security updates have been issued by Arch Linux (firefox), Debian (chromium and firefox-esr), Oracle (ipmitool and telnet), Red Hat (firefox and qemu-kvm), Scientific Linux (firefox, krb5-appl, and qemu-kvm), Slackware (firefox), SUSE (gmp, gnutls, libnettle and runc), and Ubuntu (firefox, gnutls28, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, and linux-azure, linux-gcp, linux-gke-5.0, linux-oem-osp1, [...]
https://lwn.net/Articles/817059/
Dell integrated Dell Remote Access Controller: Vulnerability allows execution of arbitrary program code with the privileges of the service
http://www.cert-bund.de/advisoryshort/CB-K20-0294
Security Advisory - Information Disclosure Vulnerability about SWAPGS Instruction
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200408-01-swapgs-en
Security Bulletin: IBM Security Information Queue could reveal sensitive data in application error messages (CVE-2020-4164)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-could-reveal-sensitive-data-in-application-error-messages-cve-2020-4164/
Security Bulletin: Resilient is vulnerable to using Python component with known vulnerabilities in RHEL 7
https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-to-using-python-component-with-known-vulnerabilities-in-rhel-7/
Security Bulletin: Insufficient command validation in IBM Security Information Queue (CVE-2020-4282)
https://www.ibm.com/blogs/psirt/security-bulletin-insufficient-command-validation-in-ibm-security-information-queue-cve-2020-4282/
Security Bulletin: Multiple cross-site scripting vulnerabilities affect IBM DOORS Next Generation
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scripting-vulnerabilities-affect-ibm-doors-next-generation/
Security Bulletin: IBM Security Information Queue has insufficient session expiration (CVE-2020-4284)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-has-insufficient-session-expiration-cve-2020-4284/
Security Bulletin: IBM Security Information Queue uses components with known vulnerabilities (CVE-2019-8331, CVE-2019-11358)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-uses-components-with-known-vulnerabilities-cve-2019-8331-cve-2019-11358/
Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-does-not-invalidate-sessions-after-logout-cve-2020-4291/
Security Bulletin: IBM Security Information Queue does not prevent a product's owner from being modified (CVE-2020-4290)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-queue-does-not-prevent-a-products-owner-from-being-modified-cve-2020-4290/
Security Bulletin: Multiple vulnerabilities affect IBM Quality Manager (RQM)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-quality-manager-rqm/
Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2019-19925, CVE-2019-19645, CVE-2019-19924, CVE-2019-19923, CVE-2019-19880, CVE-2019-19646, CVE-2019-19926)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-sqlite-affects-ibm-cloud-application-performance-management-response-time-monitoring-agent-cve-2019-19925-cve-2019-19645-cve-2019-19924-cve-2019-19923-cve-20/