End-of-Day report
Timeframe: Thursday 04-06-2020 18:00 - Friday 05-06-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Ongoing eCh0raix ransomware campaign targets QNAP NAS devices
After remaining relatively quiet over the past few months, the threat actors behind the eCh0raix Ransomware have launched a brand new campaign targeting QNAP storage devices.
https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/
Understanding the Payload-Less Email Attacks Evading Your Security Team
Business email compromise (BEC) attacks represent a small percentage of email attacks, but disproportionately represent the greatest financial risk.
https://threatpost.com/understanding-payload-less-email-attacks/156299/
Botnet blasts WordPress sites with configuration download attacks
A million sites attacked by 20,000 different computers.
https://nakedsecurity.sophos.com/2020/06/05/botnet-blasts-wordpress-sites-with-configuration-download-attacks/
Not so FastCGI!, (Fri, Jun 5th)
This past month, we've seen some new and different scans targeting TCP ports between 8000 and 10,000. The first occurrence was on 30 April 2020 and originated from IP address 23.95.67.187, containing the payload: [...]
https://isc.sans.edu/diary/rss/26208
IBM Releases Open Source Toolkits for Processing Data While Encrypted
IBM this week announced the availability of open source toolkits that allow data to be processed while it's still encrypted.
https://www.securityweek.com/ibm-releases-open-source-toolkits-processing-data-while-encrypted
Warning: Gewinn24.de demands large sums of money over the phone
"Good day, this is debt collection agency XY. You have taken out a subscription with Gewinn24 and are behind on your payment." This is how, or in a similar way, the scammers calling on behalf of Gewinn24.de open the phone call. A supposed debt collection agency explains over the phone that the fees for a subscription with Gewinn24.de have not been paid. The victims, however, rarely know of any such subscription. That is not surprising: [...]
https://www.watchlist-internet.at/news/achtung-gewinn24de-fordert-hohe-geldsummen-am-telefon/
New Sandbox Evasions spotted in VBS samples
While hidden Macro 4.0 samples are on the rise, we recently spotted some very interesting evasive VBS samples. In this short blog post, we will look at sample files#_56117.vbs, MD5: 147091e61ec59f67ab598d26f15ad0e7 and outline some of the evasive tricks.
http://blog.joesecurity.org/2020/06/new-evasive-vbs-samples-spot.html
Ransomware targets Windows and Linux systems with a novel attack
The operators write the ransomware in Java. It is distributed via a Java image file. According to security researchers, this approach helps conceal the malware's activity.
https://www.zdnet.de/88380548/ransomware-nimmt-windows-und-linux-systeme-mit-neuartigem-angriff-ins-visier/
Vulnerabilities
Security: Vulnerabilities affect practically all QNAP NAS systems
QNAP has reported three security issues at once. The company advises updating the operating system immediately.
https://www.golem.de/news/security-sicherheitsluecken-betreffen-praktisch-alle-qnap-nas-systeme-2006-148930-rss.html
Security updates for Friday
Security updates have been issued by CentOS (bind, firefox, and freerdp), Debian (netqmail and python-django), Fedora (cacti, cacti-spine, dbus, firefox, gjs, mbedtls, mozjs68, and perl), Oracle (freerdp and kernel), Scientific Linux (bind and firefox), Slackware (mozilla), SUSE (krb5-appl, libcroco, libexif, libreoffice, libxml2, qemu, transfig, and vim), and Ubuntu (firefox, freerdp, and python-django).
https://lwn.net/Articles/822342/
Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4449)
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-an-information-exposure-vulnerability-cve-2020-4449/
Security Bulletin: Session is not invalidated After Logout
https://www.ibm.com/blogs/psirt/security-bulletin-session-is-not-invalidated-after-logout/
Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND (CVE-2020-4448)
https://www.ibm.com/blogs/psirt/security-bulletin-remote-code-execution-vulnerability-in-websphere-application-server-nd-cve-2020-4448/
Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by multiple vulnerabilities in libssh2
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-multiple-vulnerabilities-in-libssh2/
Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server that is installed with IBM SPSS Analytic Server (CVE-2019-12406)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-cxf-affects-websphere-application-server-that-is-installed-with-ibm-spss-analytic-server-cve-2019-12406/
Security Bulletin: WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2020-4450)
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-remote-code-execution-vulnerability-cve-2020-4450/
Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by a vulnerability in libssh2 (CVE-2016-0787)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-a-vulnerability-in-libssh2-cve-2016-0787-2/