End-of-Day report
Timeframe: Monday 27-04-2020 18:00 - Tuesday 28-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Malware warning: Federal Criminal Police Office (Bundeskriminalamt) warns of fake police e-mail
An e-mail with the subject "Letzte Einladung der Polizei" ("Last invitation from the police") is currently circulating. In it, recipients are asked to contact the police and to open the attachments. The attachments are very likely malware.
http://www.bmi.gv.at/news.aspx?id=414F7246445856707A58773D
Agent Tesla delivered by the same phishing campaign for over a year (Tue, Apr 28th)
While going over malicious e-mails caught by our company gateway in March, I noticed that several of those that carried ACE file attachments appeared to be from the same sender. That would not be that unusual, but after going through the historical logs, I found that e-mails from the same address with similar attachments were blocked by the gateway as early as March 2019.
https://isc.sans.edu/diary/rss/26062
Cybercrime: patiently spy on executives, then fleece them
Using man-in-the-middle attacks, the "Florentiner Bankengruppe" (Florentine Banking Group) specifically targets decision-makers - a successful long game.
https://heise.de/-4710607
New Version of Infection Monkey Maps to MITRE ATT&CK Framework
Guardicore's open-source breach and attack simulation platform Infection Monkey now maps its attack results to the MITRE ATT&CK framework, allowing users to quickly discover internal vulnerabilities and rapidly fix them.
https://www.securityweek.com/new-version-infection-monkey-maps-mitre-attck-framework
Website operators beware: extortion e-mails in circulation
Numerous website operators are currently receiving fraudulent extortion e-mails. The criminals claim, in English, to have hacked your website and to now have access to all of its records. They threaten to publish these and to inform your customers about the alleged data leak. To prevent this, they demand 2000 USD in bitcoin. Do not respond; this is a fraudulent spam e-mail!
https://www.watchlist-internet.at/news/website-betreiberinnen-aufgepasst-erpressungsmails-im-umlauf/
Anatomy of Formjacking Attacks
A detailed look at the fast-growing crime of formjacking, where cybercriminals hack a website to collect sensitive user information and steal credit card numbers.
https://unit42.paloaltonetworks.com/anatomy-of-formjacking-attacks/
Vulnerabilities
Security Bulletins Posted
Adobe has published security bulletins for Adobe Bridge (APSB20-19) and Adobe Illustrator (APSB20-20). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided "AS IS" with no warranties and confers no rights.
https://blogs.adobe.com/psirt/?p=1864
High-Severity Vulnerabilities Patched in LearnPress
On March 16, 2020, LearnPress - WordPress LMS Plugin, a WordPress plugin with over 80,000 installations, patched a high-severity vulnerability that allowed subscriber-level users to elevate their permissions to those of an "LP Instructor", a custom role with capabilities similar to the WordPress "author" role, including the ability to upload files and create posts containing [...]
https://www.wordfence.com/blog/2020/04/high-severity-vulnerabilities-patched-in-learnpress/
Security updates for Tuesday
Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, qemu-kvm, and thunderbird), Debian (qemu and ruby-json), Fedora (chromium, haproxy, and libssh), openSUSE (cacti, cacti-spine and teeworlds), Oracle (kernel), SUSE (apache2, git, kernel, ovmf, and xen), and Ubuntu (cups, file-roller, and re2c).
https://lwn.net/Articles/818821/
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0005
Date Reported: April 27, 2020. Advisory ID: WSA-2020-0005. CVE identifiers: CVE-2020-3885, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2020-3885 Versions affected: WebKitGTK before 2.28.0 and WPE WebKit before 2.28.0. Credit to Ryan Pickren (ryanpickren.com). Impact: A file URL may be incorrectly processed. Description: A logic issue was addressed with improved [...]
https://webkitgtk.org/security/WSA-2020-0005.html
IntelMQ Manager release 2.1.1 fixes critical security issue
The IntelMQ Manager version 2.1.1 released yesterday fixes a Remote Code Execution flaw (CWE-78: OS Command Injection). The documentation for version 2.1.1 and installation instructions can be found in our GitHub repository. Always run IntelMQ Manager instances in private networks with proper authentication and TLS. Further, as a workaround for existing CSRF issues, restrict access to the tool to web browsers that can only reach internal websites. See also our security considerations with [...]
https://cert.at/en/blog/2020/4/intelmq-manager-release-211-fixes-critical-security-issue
Security Bulletin: CVE-2019-1552 vulnerability in OpenSSL affects IBM Workload Scheduler
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-1552-vulnerability-in-openssl-affect-ibm-workload-scheduler/
Security Bulletin: WebSphere Application Server is vulnerable to a denial of service that affects TXSeries for Multiplatforms
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-denial-of-service-that-affect-txseries-for-multiplatforms/
Security Bulletin: Information disclosure in WebSphere Application Server (CVE-2020-4329)
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in-websphere-application-server-cve-2020-4329/
Security Bulletin: NVIDIA Windows and Linux GPU Display drivers have resolved several security vulnerabilities as described below.
https://www.ibm.com/blogs/psirt/security-bulletin-nvidia-windows-and-linux-gpu-display-drivers-are-have-resolved-several-security-vulnerabilities-as-described-below/
Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2019-12418, CVE-2019-17563)
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat-vulnerabilities-affect-ibm-tivoli-application-dependency-discovery-manager-taddmcve-2019-12418-cve-2019-17563-2/
Security Bulletin: WebSphere Application Server is vulnerable to a denial of service that affects IBM CICS TX on Cloud
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-denial-of-service-that-affect-ibm-cics-tx-on-cloud/
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect TXSeries for Multiplatforms
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-txseries-for-multiplatforms/
Security Bulletin: Vulnerability in IBM Java Runtime affects DB2 Recovery Expert for Linux, Unix and Windows (IBM SDK, Java Technology Edition Quarterly CPU - Jan 2020)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affect-db2-recovery-expert-for-linux-unix-and-windowsibm-sdk-java-technology-edition-quarterly-cpu-jan-2020-2/
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM CICS TX on Cloud
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cics-tx-on-cloud/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2020 CPU (CVE-2020-2583, CVE-2019-4732)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-for-multiplatforms-jan-2020-cpu-cve-2020-2583-cve-2019-4732/
HPESBHF03970 rev.1 - HPE Products with Intel Ethernet 700 Series Processors, Local Escalation of Privilege, Local Denial of Service
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03970en_us
Samba: Multiple vulnerabilities allow denial of service
http://www.cert-bund.de/advisoryshort/CB-K20-0377