End-of-Day report
Timeframe: Friday 28-08-2020 18:00 - Monday 31-08-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Emotet malware's new Red Dawn attachment is just as dangerous
The Emotet botnet has begun to use a new template for their malicious attachments, and it is just as dangerous as ever.
https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
Finding The Original Maldoc, (Sun, Aug 30th)
Xavier wrote about a "Malicious Excel Sheet with a NULL VT Score" and I showed how to extract the VBA code from the maldoc cleaned by AV.
https://isc.sans.edu/diary/rss/26520
Persistent WordPress User Injection
Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress. The following code was detected at the bottom of the theme's functions.php. It uses internal WordPress functions like wp_create_user() and add_role() to create a new user and elevate its role to 'administrator': [...]
https://blog.sucuri.net/2020/08/persistent-wordpress-user-injection.html
It's Not Just an Unusual Login: Why Pay Attention to Threats Facing SaaS and Cloud?
There is a whole category of cyber-attacks largely untouched by the media. With breaking threat discoveries usually focused on targeted spear-phishing campaigns or widespread ransomware, cyber-attacks targeting cloud and SaaS are often overlooked.
https://www.securityweek.com/its-not-just-unusual-login-why-pay-attention-threats-facing-saas-and-cloud
Cisco warns of actively exploited IOS XR zero-day
Cisco said it discovered the attacks last week during a support case the company's support team was called in to investigate.
https://www.zdnet.com/article/cisco-warns-of-actively-exploited-ios-xr-zero-day/
Malware in game API
A JavaScript malware on the npm portal, a part of GitHub, pretended to be an interface to the party game "Fallguys: Ultimate Knockout".
https://www.zdnet.de/88382359/malware-in-spiele-api/
Vulnerabilities
Critical Slack Bug Allows Access to Private Channels, Conversations
The RCE bug affects versions below 4.4 of the Slack desktop app.
https://threatpost.com/critical-slack-bug-access-private-channels-conversations/158795/
Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability
A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, [...]
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
IBM Security Bulletins
released on 2020-08-28 and 2020-08-29
https://www.ibm.com/blogs/psirt/2020/08/
Security updates for Friday
Security updates have been issued by Debian (bind9 and squid), Fedora (libX11 and wireshark), Gentoo (libX11 and redis), Mageia (firefox, libx11, qt4 and qt5base, and x11-server), openSUSE (gettext-runtime, inn, and webkit2gtk3), Oracle (firefox), SUSE (libqt5-qtbase, openvpn, openvpn-openssl1, postgresql10, and targetcli-fb), and Ubuntu (chrony, nss, and squid).
https://lwn.net/Articles/829847/
Security updates for Monday
Security updates have been issued by Debian (bacula, bind9, freerdp, libvncserver, lilypond, mupdf, ndpi, openexr, php-horde, php-horde-core, php-horde-gollem, php-horde-kronolith, ros-actionlib, thunderbird, and xorg-server), Fedora (golang-github-ulikunitz-xz and qt), Gentoo (bind, chrony, ghostscript-gpl, kleopatra, openjdk, and targetcli-fb), Mageia (ark, evolution-data-server, fossil, kernel, kernel-linus, and thunderbird), openSUSE (apache2, graphviz, grub2, inn, librepo, and [...]
https://lwn.net/Articles/830137/
Trend Micro Apex One: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K20-0854