End-of-Day report
Timeframe: Monday 20-04-2020 18:00 - Tuesday 21-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Windows 10 SMBGhost RCE exploit demoed by researchers
A proof-of-concept remote code execution (RCE) exploit for the Windows 10 CVE-2020-0796 wormable pre-auth remote code execution vulnerability was developed and demoed today by researchers at Ricerca Security.
https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-exploit-demoed-by-researchers/
SpectX: Log Parser for DFIR, (Tue, Apr 21st)
I hope this finds you all safe, healthy, and sheltered to the best of your ability. In February I received a DM via Twitter from Liisa at SpectX regarding my interest in checking out SpectX. Never one to shy away from a tool review offer, I accepted. SpectX, available in a free, community desktop version, is a log parser and query engine that enables you to investigate incidents via log files from multiple sources such as log servers, AWS, Azure, Google Storage, Hadoop, ELK and SQL-databases.
https://isc.sans.edu/diary/rss/26040
Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
Recently, we wrote an article about more than 8,000 unsecured Redis instances found in the cloud. In this article, we expound on how these instances can be abused to perform remote code execution (RCE), as demonstrated by malware samples captured in the wild.
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/l3TOyRDK1yA/
Grouping Linux IoT Malware Samples With Trend Micro ELF Hash
We created Trend Micro ELF Hash (telfhash), an open-source clustering algorithm that effectively clusters Linux IoT malware created using ELF files.
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tFHtqxisecc/
Kerberos Tickets on Linux Red Teams
At FireEye Mandiant, we conduct numerous red team engagements within Windows Active Directory environments. Consequently, we frequently encounter Linux systems integrated within Active Directory environments. Compromising an individual domain-joined Linux system can provide useful data on its own, but the best value is obtaining data, such as Kerberos tickets, that will facilitate lateral movement techniques.
http://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
Insecure deserialization endangers Steam games
Many video games that use .Net or Unity are vulnerable and execute malicious code. Steam offers the possibility of a worm-like infection.
https://heise.de/-4706122
46% of SMBs have been targeted by ransomware, 73% have paid the ransom
Ransomware attacks are not at all unusual in the SMB community, as 46% of these businesses have been victims. And 73% of those SMBs that have been the targets of ransomware attacks actually have paid a ransom, Infrascale reveals. Yet, more than a quarter of the total SMB survey group said they lack a plan to mitigate a ransomware attack.
https://www.helpnetsecurity.com/2020/04/21/paying-ransom/
BSI updates the TLS minimum standard
The German Federal Office for Information Security (BSI) updated the "Mindeststandard zur Verwendung von Transport Layer Security (TLS)" (Minimum Standard for the Use of Transport Layer Security) on 9 April 2020.
https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/AktualisierterMST_TLS_210420.html
Microsoft Will Not Patch Security Bypass Flaw Abusing MSTSC
A DLL side-loading vulnerability related to the Microsoft Terminal Services Client (MSTSC) can be exploited to bypass security controls, but Microsoft says it will not be releasing a patch due to exploitation requiring elevated privileges.
https://www.securityweek.com/microsoft-will-not-patch-security-bypass-flaw-abusing-mstsc
Payment demands from purported streaming services are fake
bodaflix.de, ebaflix.de, teraflix.de, nodaflix.de - supposedly free streaming services. After registering, however, you receive a payment demand for 395.88 euros. If this is ignored, further payment demands and reminders from alleged debt collection agencies usually follow. Do not transfer any money and do not reply! The letter is fraudulent.
https://www.watchlist-internet.at/news/zahlungsaufforderungen-von-angeblichen-streamingdiensten-sind-fake/
Hey there! Are you using WhatsApp? Your account may be hackable
Can someone take control of your WhatsApp account by just knowing your phone number? We ran a small test to find out.
https://www.welivesecurity.com/2020/04/20/hey-there-using-whatsapp-your-account-hackable/
Vulnerabilities
P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting
The controller suffers from CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a [...]
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
[R2] Tenable.sc 5.14.0 Fixes Multiple Vulnerabilities
Tenable.sc leverages third-party software to help provide underlying functionality. One third-party component (jQuery) was found to contain vulnerabilities, and updated versions have been made available by the providers.
https://www.tenable.com/security/tns-2020-02
Version control: Renewed security warning for Git
Updates fix a vulnerability in Git that resembles the most recent one and likewise affects the credential helper programs.
https://heise.de/-4706272
Security updates for Tuesday
Security updates have been issued by Arch Linux (webkit2gtk), Debian (awl, git, and openssl), Red Hat (chromium-browser, git, http-parser, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, qemu-kvm-ma, rh-git218-git, and rh-maven35-jackson-databind), Scientific Linux (advancecomp, avahi, bash, bind, bluez, cups, curl, dovecot, doxygen, evolution, expat, file, firefox, gettext, git, GNOME, httpd, ImageMagick, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, kernel, lftp, [...]
https://lwn.net/Articles/818223/
High-Severity Vulnerability in OpenSSL Allows DoS Attacks
An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks.
https://www.securityweek.com/high-severity-vulnerability-openssl-allows-dos-attacks
[20200403] - Core - Incorrect access control in com_users access level deletion function
https://developer.joomla.org/security-centre/811-20200403-core-incorrect-access-control-in-com-users-access-level-deletion-function.html
[20200402] - Core - Missing checks for the root usergroup in usergroup table
https://developer.joomla.org/security-centre/810-20200402-core-missing-checks-for-the-root-usergroup-in-usergroup-table.html
[20200401] - Core - Incorrect access control in com_users access level editing function
https://developer.joomla.org/security-centre/809-20200401-core-incorrect-access-control-in-com-users-access-level-editing-function.html
2020-04-21: SECURITY ABB Central Licensing System Vulnerabilities, impact on System 800xA, Compact HMI and Control Builder Safe
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121230&LanguageCode=en&DocumentPartId=&Action=Launch
2020-04-21: SECURITY Multiple Vulnerabilities in ABB Central Licensing System
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121231&LanguageCode=en&DocumentPartId=&Action=Launch
2020-04-21: SECURITY Inter process communication vulnerability in System 800xA
https://search.abb.com/library/Download.aspx?DocumentID=2PAA121236&LanguageCode=en&DocumentPartId=&Action=Launch
Security Bulletin: A denial of service vulnerability in IBM WebSphere Liberty Profile affects IBM Spectrum Conductor and IBM Spectrum Conductor with Spark
https://www.ibm.com/blogs/psirt/security-bulletin-a-denial-of-service-vulnerability-in-ibm-websphere-liberty-profile-affects-ibm-spectrum-conductor-and-ibm-spectrum-conductor-with-spark/