End-of-Day report
Timeframe: Wednesday 29-04-2020 18:00 - Thursday 30-04-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Microsoft Sway abused in PerSwaysion spear-phishing operation
Multiple threat actors running phishing attacks on corporate targets have been counting on Microsoft Sway service to trick victims into giving their Office 365 login credentials.
https://www.bleepingcomputer.com/news/security/microsoft-sway-abused-in-perswaysion-spear-phishing-operation/
"Sarah" sends out fake HOFER survey
Under the name "Sarah", criminals are currently sending SMS messages at random containing a link that leads to a fake HOFER loyalty programme. Exclusive prizes are promised to anyone who takes part in a customer satisfaction survey. We took a closer look at the supposed loyalty programme. Our conclusion: you will not receive the promised prizes. Instead, the fraudsters are hoping that you will sign up for a subscription. This would [...]
https://www.watchlist-internet.at/news/sarah-verschickt-gefaelschte-hofer-umfrage/
Cybercriminals are using Google reCAPTCHA to hide their phishing attacks
Security researchers say that they are seeing cybercriminals deploying Google's reCAPTCHA anti-bot tool in an effort to avoid early detection of their malicious campaigns.
https://hotforsecurity.bitdefender.com/blog/cybercriminal-are-using-google-recaptcha-to-hide-their-phishing-attacks-23156.html
Cybereason warns of new mobile banking Trojan
EventBot has only been in circulation since March 2020. The malware steals data from financial apps and bypasses two-factor authentication. This enables the operators behind it to hijack business and private financial transactions.
https://www.zdnet.de/88379272/cybereason-warnt-vor-neuem-mobilen-banking-trojaner/
Vulnerabilities
Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now
The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. A patch for the issues was released last night, but systems that are not set to auto-update may still be vulnerable.
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/30/salt_automation_tool_vulnerable_to/
WordPress Releases Security Update
WordPress 5.4 and prior versions are affected by multiple vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected website. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 5.4.1.
https://www.us-cert.gov/ncas/current-activity/2020/04/30/wordpress-releases-security-update
macOS: Sandbox escape via editor
TextEdit contains a bug that allows malicious apps to execute commands that are normally prohibited.
https://heise.de/-4712045
High Severity Vulnerability Patched in Ninja Forms
On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version.
https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-in-ninja-forms/
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium, git, and webkit2gtk), Debian (nodejs and tiff), Fedora (libxml2, php-horde-horde, pxz, and sqliteodbc), Oracle (python-twisted-web), Red Hat (chromium-browser, git, and rh-git218-git), Scientific Linux (python-twisted-web), SUSE (ceph, kernel, munge, openldap2, salt, squid, and xen), and Ubuntu (mailman, python3.8, samba, and webkit2gtk).
https://lwn.net/Articles/819064/
Synology-SA-20:08 Cloud Station Backup
A vulnerability allows local users to execute arbitrary code via a susceptible version of Cloud Station Backup.
https://www.synology.com/en-global/support/security/Synology_SA_20_08_Cloud_Station_Backup
Synology-SA-20:07 Synology Calendar
Multiple vulnerabilities allow remote authenticated users to download arbitrary files or hijack the authentication of administrators via a susceptible version of Synology Calendar.
https://www.synology.com/en-global/support/security/Synology_SA_20_07_Synology_Calendar
Synology-SA-20:06 DSM
Multiple vulnerabilities allow remote authenticated users to conduct denial-of-service attacks or obtain user credentials via a susceptible version of DSM.
https://www.synology.com/en-global/support/security/Synology_SA_20_06_DSM
Citrix Hypervisor Security Update
An issue has been discovered in Citrix Hypervisor that, if exploited, could potentially allow an attacker on the management network to enumerate valid administrative account usernames. Note that this attack does not disclose the corresponding passwords [...]
https://support.citrix.com/article/CTX272237
Security Advisory - Invalid Pointer Access Vulnerability in Huawei OceanStor Product
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200429-01-invalidpointer-en
Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2020-1938)
https://www.ibm.com/blogs/psirt/security-bulletin-open-source-apache-tomcat-vulnerabilities-affect-ibm-tivoli-application-dependency-discovery-manager-cve-2020-1938/
Security Bulletin: OpenSSL publicly disclosed vulnerability affects MessageGateway (CVE-2019-1551)
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclosed-vulnerability-affects-messagegateway-cve-2019-1551/
Security Bulletin: Publicly disclosed vulnerability found by vFinder in IBM eDiscovery Analyzer
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-found-by-vfinder-in-ibm-ediscovery-analyzer/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-sap-applications/
F5 BIG-IP: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K20-0402
The BIG-IP AFM ACL and IPI features may not function as designed
https://support.f5.com/csp/article/K72423000
Intel QAT cryptography driver vulnerability CVE-2020-5882
https://support.f5.com/csp/article/K43815022
The BIG-IP ASM system may fail to mask a configured sensitive parameter in the Referer header value
https://support.f5.com/csp/article/K33572148
BIG-IP APM logs may contain random data after the APM session ID
https://support.f5.com/csp/article/K43404365
BIG-IP SSL connection Alert Timeout security exposure
https://support.f5.com/csp/article/K25165813
BIG-IP may not detect invalid Transfer-Encoding headers
https://support.f5.com/csp/article/K10701310
HPESBMU03997 rev.1 - HPE Smart Update Manager (SUM), Remote Unauthorized Access
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03997en_us
OpenLDAP: Vulnerability enables denial of service
http://www.cert-bund.de/advisoryshort/CB-K20-0405