Daily summary - 31.07.2020

End-of-Day report

Timeframe: Thursday 30-07-2020 18:00 - Friday 31-07-2020 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer

News

Office 365 phishing abuses Google Ads to bypass email filters

An Office 365 phishing campaign abused Google Ads to bypass secure email gateways (SEGs), redirecting employees of targeted organizations to phishing landing pages and stealing their Microsoft credentials.

https://www.bleepingcomputer.com/news/security/office-365-phishing-abuses-google-ads-to-bypass-email-filters/


One Byte to rule them all

Posted by Brandon Azad, Project Zero. For the last several years, nearly all iOS kernel exploits have followed the same high-level flow: memory corruption and fake Mach ports are used to gain access to the kernel task port, which provides an ideal kernel read/write primitive to userspace.

https://googleprojectzero.blogspot.com/2020/07/one-byte-to-rule-them-all.html


WastedLocker: technical analysis

According to currently available information, in the attack on Garmin a targeted build of the Trojan WastedLocker was used. We have performed technical analysis of the Trojan sample.

https://securelist.com/wastedlocker-technical-analysis/97944/


Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates

With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them.

http://www.fireeye.com/blog/threat-research/2020/07/insights-into-office-365-attacks-and-how-managed-defense-investigates.html


Malspam campaign caught using GuLoader after service relaunch

We discovered a spam campaign distributing GuLoader in the aftermath of the service's relaunch.

https://blog.malwarebytes.com/threat-analysis/2020/07/malspam-campaign-caught-using-guloader-after-service-relaunch/


New infection chain of njRAT variant

Recently, 360 Security Center has detected that a variant of the remote access tool njRAT is active.

https://blog.360totalsecurity.com/en/new-infection-chain-of-njrat-variant/


Surveys from appdoctor.me lead to money laundering in your name!

It sounds so tempting: just briefly test an app and you have already earned 35 euros. Unfortunately, fraud is often behind such survey platforms and job offers. This is also the case on the website appdoctor.me, where app testers are sought. However, no money is paid out to you here. Instead, the criminals open an account in your name in order to carry out money laundering through it.

https://www.watchlist-internet.at/news/umfragen-von-appdoctorme-fuehren-zu-geldwaesche-in-ihrem-namen/

Vulnerabilities

KDE archive tool flaw let hackers take over Linux accounts

A vulnerability exists in the default KDE extraction utility called ARK that allows attackers to overwrite files or execute code on victims' computers simply by tricking them into downloading an archive and extracting it.

https://www.bleepingcomputer.com/news/security/kde-archive-tool-flaw-let-hackers-take-over-linux-accounts/


If you own one of these 45 Netgear devices, replace it: Gear maker won't patch vulnerable gear despite live proof-of-concept code

That's one way of speeding up the tech refresh cycle. Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability - despite security researchers having published proof-of-concept exploit code.

https://go.theregister.com/feed/www.theregister.com/2020/07/30/netgear_abandons_45_routers_vuln_patching/


Ripple20 impact on Distribution Automation products

On the 16th of June 2020, a series of vulnerabilities affecting a TCP/IP library from Treck Inc. were made public by JSOF Tech in Jerusalem, Israel. The products listed in this document have integrated this library and thus are affected by the vulnerabilities listed in this document.

https://search.abb.com/library/Download.aspx?DocumentID=2NGA000473&LanguageCode=en&DocumentPartId=&Action=Launch


Security updates for Thursday

Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg).

https://lwn.net/Articles/827572/


Researcher discloses two zero-day vulnerabilities in the Tor network and browser

Under certain circumstances, Internet service providers can block all connections to the Tor network. The researcher accuses the Tor Project of not fixing the vulnerabilities he reported. He also announces the disclosure of further bugs.

https://www.zdnet.de/88381926/forscher-legt-zwei-zero-day-luecken-im-tor-netzwerk-und-browser-offen/


iTunes 12.10.8 for Windows

https://support.apple.com/kb/HT211293


Security Bulletin: IBM i2 Analysts' Notebook Memory vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analysts-notebook-memory-vulnerabilities/


Security Bulletin: A security vulnerability has been identified in Apache CXF, which is shipped with IBM Tivoli Network Manager (CVE-2020-1954).

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-apache-cxf-which-is-shipped-with-ibm-tivoli-network-manager-cve-2020-1954/


Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-websphere-application-server-for-ibm-cloud-private-vm-quickstarter/


Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities/