End-of-Day report
Timeframe: Friday 21-08-2020 18:00 - Monday 24-08-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Ransomware attacks VPN and RDP
Ransomware is becoming ever more dangerous. Attackers primarily use the Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs) as entry points, while e-mail phishing is losing importance.
https://www.zdnet.de/88382240/ransomware-attackiert-vpn-und-rdp/
DarkSide: New targeted ransomware demands million dollar ransoms
A new ransomware operation named DarkSide began attacking organizations earlier this month with customized attacks that have already earned them million-dollar payouts.
https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/
Lifting the veil on DeathStalker, a mercenary triumvirate
DeathStalker is a unique threat group that appears to target law firms and companies in the financial sector. They don't deploy ransomware or steal payment information to resell it; their interest in gathering sensitive business information [...]
https://securelist.com/deathstalker-mercenary-triumvirate/98177/
Hunting for Risky Rules in Office 365
When an attacker compromises an Office 365 mailbox, one of the most common activities that we see is new inbox rules being created - therefore finding these rules is a good way to identify compromised accounts and mailboxes.
https://blog.rothe.uk/risky-rules-in-office365/
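One way to do that hunt offline, as an added example that is not code from the linked post: the script below scores a list of inbox rules for the classic post-compromise tells (forwarding or redirecting outside the tenant, deleting mail, parking mail in folders nobody reads, keyword filters on words like "password" or "invoice", and near-empty rule names). The record shape follows the properties Exchange Online's Get-InboxRule returns, but the sample records and the tenant domain example.com are constructed.

```python
"""Score Exchange Online inbox rules for signs of mailbox compromise.

Added example; the record shape follows Get-InboxRule properties, but the
records below and the tenant domain example.com are constructed.
"""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domains; adjust per tenant
# Folders attackers use to park mail the victim rarely opens
SUSPICIOUS_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                      "junk email", "deleted items", "archive")
SENSITIVE_WORDS = re.compile(r"password|invoice|payment|wire|bank|sign-in|hack|phish", re.I)
# Pulls the address out of Exchange's '"Display Name" [SMTP:user@domain]' recipient format
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample; a real run would load `Get-InboxRule | ConvertTo-Json` output
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "Move newsletters", "Enabled": True,
     "MoveToFolder": "alice@example.com:\\Newsletters", "SubjectContainsWords": ["newsletter"]},
    {"MailboxOwnerId": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ['"Ext Drop" [SMTP:drop@mail.attacker.example]'],
     "MoveToFolder": "bob@example.com:\\RSS Feeds", "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "payment"]},
    {"MailboxOwnerId": "carol@example.com", "Name": "Cleanup", "Enabled": True,
     "DeleteMessage": True, "BodyContainsWords": ["password reset", "unusual sign-in"]},
    {"MailboxOwnerId": "dave@example.com", "Name": "Copy to shared box", "Enabled": True,
     "RedirectTo": ['"Sales" [SMTP:sales@example.com]']},
]


def _list(rule, key):
    """Treat a missing or null multi-valued property as an empty list."""
    return list(rule.get(key) or [])


def external_recipients(values, internal_domains=INTERNAL_DOMAINS):
    """Return the addresses in `values` whose domain is not one of the tenant's own."""
    ext = []
    for value in values:
        for addr in EMAIL_RE.findall(value):
            if addr.rsplit("@", 1)[1].lower() not in internal_domains:
                ext.append(addr.lower())
    return sorted(set(ext))


def assess_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons a rule looks like attacker tradecraft (empty list = benign)."""
    reasons = []
    targets = (_list(rule, "ForwardTo") + _list(rule, "ForwardAsAttachmentTo")
               + _list(rule, "RedirectTo"))
    ext = external_recipients(targets, internal_domains)
    if ext:
        reasons.append("forwards/redirects outside the tenant: " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if any(f in folder for f in SUSPICIOUS_FOLDERS):
        reasons.append("moves mail to a rarely read folder: " + rule["MoveToFolder"])
    words = _list(rule, "SubjectContainsWords") + _list(rule, "BodyContainsWords")
    hits = [w for w in words if SENSITIVE_WORDS.search(w)]
    if hits:
        reasons.append("filters on sensitive keywords: " + ", ".join(hits))
    if len((rule.get("Name") or "").strip()) <= 2:
        reasons.append("near-empty rule name %r" % rule.get("Name"))
    return reasons


def find_risky_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Run assess_rule over every rule; returns one dict per flagged rule."""
    flagged = []
    for rule in rules:
        reasons = assess_rule(rule, internal_domains)
        if reasons:
            flagged.append({"owner": rule.get("MailboxOwnerId"), "rule": rule.get("Name"),
                            "enabled": bool(rule.get("Enabled", True)), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_risky_rules(SAMPLE_RULES):
        print(f"{hit['owner']} rule {hit['rule']!r} (enabled={hit['enabled']})")
        for reason in hit["reasons"]:
            print("  -", reason)
```

To feed it real data, export every mailbox's rules with Exchange Online PowerShell (`Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress } | ConvertTo-Json`) and load the JSON into SAMPLE_RULES. Two caveats: forwarding configured on the mailbox itself (ForwardingSmtpAddress / ForwardingAddress on Get-Mailbox) is not an inbox rule and needs a separate check, and a rule that is currently disabled still tells you that somebody created it, so the script keeps the Enabled flag in its output rather than filtering on it.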
Bypassing MassLogger Anti-Analysis - a Man-in-the-Middle Approach
The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis.
https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html
Protect your organization in the age of Magecart
The continuing wave of attacks by cybercriminal groups known under the umbrella term Magecart perfectly illustrates just how unprepared many e-commerce operations are from a security point of view. It all really boils down to timing. If the e-commerce world was able to detect such Magecart attacks in a matter of seconds (rather than weeks or months), then we could see an end to Magecart stealing all of the cybercrime headlines.
https://www.helpnetsecurity.com/2020/08/24/protect-your-organization-in-the-age-of-magecart/
Vulnerabilities
WordPress WooCommerce stores under attack, patch now
Hackers are actively targeting and trying to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin with more than 30,000 installations.
https://www.bleepingcomputer.com/news/security/wordpress-woocommerce-stores-under-attack-patch-now/
Xen Security Advisory CVE-2020-14364 / XSA-335
An out-of-bounds read/write access issue was found in the USB emulator of QEMU. It occurs while processing USB packets from a guest, when USBDevice->setup_len exceeds the size of USBDevice->data_buf[4096], in the do_token_{in,out} routines.
https://xenbits.xen.org/xsa/advisory-335.html
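The pattern behind that advisory, as an added example and not QEMU's code: a simplified Python model of the control-transfer state. The guest-supplied wLength from the 8-byte SETUP packet becomes setup_len. If the handler stores it before rejecting it, a STALLed SETUP still leaves an oversized setup_len that the following OUT token trusts when copying into the 4096-byte data_buf; the fixed variant checks the length against the buffer before touching device state. Field names follow the advisory; the request bytes, packet sizes and the "OOB-WRITE" sentinel (standing in for what would be a heap overwrite in C) are constructed.

```python
"""Model of the control-transfer state bug class behind XSA-335 / CVE-2020-14364.

Added example, not QEMU code: the names mirror the advisory's fields
(setup_len, data_buf[4096], do_token_{in,out}) but the logic is simplified.
"""
import struct

DATA_BUF_SIZE = 4096   # size of USBDevice->data_buf named in the advisory


def parse_setup(packet: bytes) -> dict:
    """Decode the 8-byte USB SETUP packet. wLength (bytes 6-7, little-endian)
    is the guest-controlled length of the data stage that follows."""
    if len(packet) != 8:
        raise ValueError("SETUP packet must be exactly 8 bytes")
    bm_request_type, b_request, w_value, w_index, w_length = struct.unpack("<BBHHH", packet)
    return {"bmRequestType": bm_request_type, "bRequest": b_request,
            "wValue": w_value, "wIndex": w_index, "wLength": w_length}


class VulnerableDevice:
    """Records setup_len before validating it, so a rejected SETUP still leaves
    an oversized length for the next OUT token to trust."""

    def __init__(self):
        self.data_buf = bytearray(DATA_BUF_SIZE)
        self.setup_len = 0
        self.setup_index = 0

    def do_token_setup(self, packet: bytes) -> str:
        setup = parse_setup(packet)
        self.setup_len = setup["wLength"]      # state changed first...
        self.setup_index = 0
        if self.setup_len > len(self.data_buf):
            return "STALL"                      # ...and only then rejected
        return "OK"

    def do_token_out(self, data: bytes):
        """Data stage (host->device): copy into data_buf bounded by setup_len only."""
        n = min(len(data), self.setup_len - self.setup_index)
        if self.setup_index + n > len(self.data_buf):
            # In C this copy would run past data_buf; the model just reports it.
            return "OOB-WRITE"
        self.data_buf[self.setup_index:self.setup_index + n] = data[:n]
        self.setup_index += n
        return n


class FixedDevice(VulnerableDevice):
    """Validate the guest-supplied length against the buffer before storing it."""

    def do_token_setup(self, packet: bytes) -> str:
        setup = parse_setup(packet)
        if setup["wLength"] > len(self.data_buf):
            return "STALL"                      # state untouched; setup_len stays 0
        self.setup_len = setup["wLength"]
        self.setup_index = 0
        return "OK"


def build_setup(w_length: int) -> bytes:
    """Host-to-device vendor request with an attacker-chosen wLength (constructed)."""
    return struct.pack("<BBHHH", 0x40, 0x01, 0, 0, w_length)


def simulate(device_cls) -> list:
    """Guest sends SETUP with wLength=0x2000, then two OUT packets totalling 4112 bytes."""
    dev = device_cls()
    results = [dev.do_token_setup(build_setup(0x2000))]
    results.append(dev.do_token_out(b"A" * DATA_BUF_SIZE))
    results.append(dev.do_token_out(b"B" * 16))
    return results


if __name__ == "__main__":
    print("vulnerable:", simulate(VulnerableDevice))   # ['STALL', 4096, 'OOB-WRITE']
    print("fixed:     ", simulate(FixedDevice))        # ['STALL', 0, 0]
```

The point to take from the model is that the STALL response is not a defence on its own: a malicious guest driver is free to ignore it and keep sending OUT tokens, so any length derived from the SETUP packet has to be rejected before it is written into device state that later token handlers read.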
Security update: VMware App Volumes patched
Attackers could target VMware's application-management software App Volumes.
https://heise.de/-4876962
VMSA-2020-0018
VMware ESXi, vCenter Server, and Cloud Foundation updates address a partial denial of service vulnerability (CVE-2020-3976)
https://www.vmware.com/security/advisories/VMSA-2020-0018.html
Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome WebGL could lead to code execution
The Google Chrome web browser contains a use-after-free vulnerability in its WebGL component that could allow a user to execute arbitrary code in the context of the browser process.
https://blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-aug-2020.html
Security updates for Monday
Security updates have been issued by Debian (firejail, icingaweb2, inetutils, libjackson-json-java, proftpd-dfsg, python2.7, software-properties, and sqlite3), Fedora (chrony), Mageia (chrony), openSUSE (dovecot23, postgresql12, and python), Slackware (bind), SUSE (gettext-runtime and SUSE Manager Server 3.2), and Ubuntu (bind9).
https://lwn.net/Articles/829486/
Synology-SA-20:19 ISC BIND
CVE-2020-8622 allows remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology DNS Server. None of Synology's products are affected by CVE-2020-8620, CVE-2020-8621, CVE-2020-8623, or CVE-2020-8624, as these vulnerabilities only affect ISC BIND 9.9.12 and later.
https://www.synology.com/en-global/support/security/Synology_SA_20_19
Citrix Hypervisor Security Update
Two issues have been identified in Citrix Hypervisor that may, in certain configurations, allow privileged code in an HVM guest VM to execute code in the control domain, potentially compromising the host.
https://support.citrix.com/article/CTX280451
Squid: multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K20-0838
Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2020 - CVE-2020-2601 affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-jan-2020-cve-2020-2601-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/
Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2020 - Includes Oracle Jan 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-jan-2020-includes-oracle-jan-2020-cpu-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/
Security Bulletin: A vulnerability has been identified in IBM Elastic Storage Server where an attacker can cause a denial of service (CVE-2020-4383)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-elastic-storager-server-where-an-attacker-can-cause-a-denial-of-service-cve-2020-4383/
Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-sterling-connectdirect-for-unix-2/
Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-from-kernel-affects-ibm-netezza-host-management-3/
Security Bulletin: IBM Security Guardium Insights is affected by a ClickJacking vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-a-clickjacking-vulnerability/
Security Bulletin: IBM Security Guardium Insights is affected by components with known vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-a-components-with-known-vulnerabilities-2/
Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct for UNIX
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-sterling-connectdirect-for-unix/
Security Bulletin: IBM Security Guardium Insights is affected by components with known vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-a-components-with-known-vulnerabilities/
Security Bulletin: IBM Security Guardium Insights is affected by an Open Redirect vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-an-open-redirect-vulnerabilitiy/
Security Bulletin: Vulnerability in Bash affects IBM Spectrum Protect Plus (CVE-2019-9924)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bash-affects-ibm-spectrum-protect-plus-cve-2019-9924-3/
Security Bulletin: IBM Cloud Private is vulnerable to multiple node.js vulnerabilities (CVE-2020-11080, CVE-2020-10531, CVE-2020-8172, CVE-2020-8174)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-multiple-node-js-vulnerabilities-cve-2020-11080-cve-2020-10531-cve-2020-8172-cve-2020-8174/
Security Bulletin: Multiple Java vulnerabilities affect IBM Spectrum Protect Plus (CVE-2020-2805, CVE-2020-2803, CVE-2020-2830, CVE-2020-2781, CVE-2020-2800, CVE-2020-2757, CVE-2020-2756, CVE-2020-2755, CVE-2020-2754)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabilities-affect-ibm-spectrum-protect-plus-cve-2020-2805-cve-2020-2803-cve-2020-2830-cve-2020-2781-cve-2020-2800-cve-2020-2757-cve-2020-2756-cve-2020-275-2/