Daily summary - 31.08.2020

End-of-Day report

Timeframe: Friday 28-08-2020 18:00 - Monday 31-08-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Emotet malware's new Red Dawn attachment is just as dangerous

The Emotet botnet has begun to use a new template for their malicious attachments, and it is just as dangerous as ever.

https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/


Finding The Original Maldoc, (Sun, Aug 30th)

Xavier wrote about a "Malicious Excel Sheet with a NULL VT Score" and I showed how to extract the VBA code from the maldoc cleaned by AV.

https://isc.sans.edu/diary/rss/26520


Persistent WordPress User Injection

Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress. The following code was detected at the bottom of the theme's functions.php. It uses internal WordPress functions like wp_create_user() and add_role() to create a new user and elevate its role to 'administrator':

https://blog.sucuri.net/2020/08/persistent-wordpress-user-injection.html


It's Not Just an Unusual Login: Why Pay Attention to Threats Facing SaaS and Cloud?

There is a whole category of cyber-attacks largely untouched by the media. With breaking threat discoveries usually focused on targeted spear-phishing campaigns or widespread ransomware, cyber-attacks targeting cloud and SaaS are often overlooked.

https://www.securityweek.com/its-not-just-unusual-login-why-pay-attention-threats-facing-saas-and-cloud


Cisco warns of actively exploited IOS XR zero-day

Cisco said it discovered the attacks last week during a support case the company's support team was called in to investigate.

https://www.zdnet.com/article/cisco-warns-of-actively-exploited-ios-xr-zero-day/


Malware in game API

A JavaScript malware on the npm portal, a part of GitHub, pretended to be an interface to the party game "Fallguys: Ultimate Knockout".

https://www.zdnet.de/88382359/malware-in-spiele-api/

Vulnerabilities

Critical Slack Bug Allows Access to Private Channels, Conversations

The RCE bug affects versions below 4.4 of the Slack desktop app.

https://threatpost.com/critical-slack-bug-access-private-channels-conversations/158795/


Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, [...]

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz


IBM Security Bulletins

released on 2020-08-28 and 2020-08-29

https://www.ibm.com/blogs/psirt/2020/08/


Security updates for Friday

Security updates have been issued by Debian (bind9 and squid), Fedora (libX11 and wireshark), Gentoo (libX11 and redis), Mageia (firefox, libx11, qt4 and qt5base, and x11-server), openSUSE (gettext-runtime, inn, and webkit2gtk3), Oracle (firefox), SUSE (libqt5-qtbase, openvpn, openvpn-openssl1, postgresql10, and targetcli-fb), and Ubuntu (chrony, nss, and squid).

https://lwn.net/Articles/829847/


Security updates for Monday

Security updates have been issued by Debian (bacula, bind9, freerdp, libvncserver, lilypond, mupdf, ndpi, openexr, php-horde, php-horde-core, php-horde-gollem, php-horde-kronolith, ros-actionlib, thunderbird, and xorg-server), Fedora (golang-github-ulikunitz-xz and qt), Gentoo (bind, chrony, ghostscript-gpl, kleopatra, openjdk, and targetcli-fb), Mageia (ark, evolution-data-server, fossil, kernel, kernel-linus, and thunderbird), openSUSE (apache2, graphviz, grub2, inn, librepo, and [...]

https://lwn.net/Articles/830137/


Trend Micro Apex One: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K20-0854