Daily summary - 02.09.2020

End-of-Day report

Timeframe: Tuesday 01-09-2020 18:00 - Wednesday 02-09-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Attackers abuse Google DNS over HTTPS to download malware

More details have emerged on a malware sample that uses Google DNS over HTTPS to retrieve the stage 2 malicious payload.

https://www.bleepingcomputer.com/news/security/attackers-abuse-google-dns-over-https-to-download-malware/


Exposed Windows Domain Controllers Used in CLDAP DDoS Attacks, (Tue, Sep 1st)

LDAP, like many UDP based protocols, has the ability to send responses that are larger than the request. With UDP not requiring any handshake before data is sent, these protocols make ideal amplifiers for reflective distributed denial of service attacks. Most commonly, these attacks abuse DNS and we have talked about this in the past. But LDAP is another protocol that is often abused.

https://isc.sans.edu/diary/rss/26526
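
The reflection pattern described above, as an added example that is not part of the ISC diary: from the exposed domain controller's point of view, a spoofed victim is an external "peer" that sends a few tiny UDP/389 queries and receives responses many times larger. The script summarises constructed flow records per peer and flags external peers whose byte ratio looks like amplification. The log format, the addresses and the internal-prefix list are assumptions for the example.

```python
"""Spot CLDAP reflection abuse of a domain controller in flow records (added example)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

DC_IP = "203.0.113.10"    # constructed: public address of the exposed DC
CLDAP_PORT = 389
# Constructed: prefixes of domain members that are legitimately allowed to talk CLDAP
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow format: "<ts> <proto> <src>:<sport> > <dst>:<dport> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)

# Constructed sample: 198.51.100.7 is the spoofed victim, 10.0.0.5 a domain member,
# 192.0.2.33 a single external probe, 10.0.0.6 plain TCP LDAP (ignored).
SAMPLE_FLOWS = """\
2020-09-01T18:00:01Z udp 198.51.100.7:53211 > 203.0.113.10:389 52
2020-09-01T18:00:01Z udp 203.0.113.10:389 > 198.51.100.7:53211 3080
2020-09-01T18:00:01Z udp 198.51.100.7:53211 > 203.0.113.10:389 52
2020-09-01T18:00:01Z udp 203.0.113.10:389 > 198.51.100.7:53211 3080
2020-09-01T18:00:02Z udp 198.51.100.7:53211 > 203.0.113.10:389 52
2020-09-01T18:00:02Z udp 203.0.113.10:389 > 198.51.100.7:53211 3080
2020-09-01T18:00:02Z udp 198.51.100.7:53211 > 203.0.113.10:389 52
2020-09-01T18:00:02Z udp 203.0.113.10:389 > 198.51.100.7:53211 3080
2020-09-01T18:00:03Z udp 10.0.0.5:49152 > 203.0.113.10:389 120
2020-09-01T18:00:03Z udp 203.0.113.10:389 > 10.0.0.5:49152 450
2020-09-01T18:00:04Z udp 192.0.2.33:40000 > 203.0.113.10:389 52
2020-09-01T18:00:04Z udp 203.0.113.10:389 > 192.0.2.33:40000 3080
2020-09-01T18:00:05Z tcp 10.0.0.6:51000 > 203.0.113.10:389 600
"""


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Parse one constructed flow line; None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["bytes"]))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def cldap_peer_stats(lines, dc_ip=DC_IP):
    """Per remote peer: UDP packets/bytes sent to the DC's port 389 and received from it."""
    stats = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0, "out_pkts": 0, "out_bytes": 0})
    for line in lines:
        f = parse_flow(line)
        if f is None or f.proto != "udp":
            continue
        if f.dst == dc_ip and f.dport == CLDAP_PORT:
            s = stats[f.src]
            s["in_pkts"] += 1
            s["in_bytes"] += f.nbytes
        elif f.src == dc_ip and f.sport == CLDAP_PORT:
            s = stats[f.dst]
            s["out_pkts"] += 1
            s["out_bytes"] += f.nbytes
    return dict(stats)


def amplification(s):
    """Bytes the DC sent to the peer divided by bytes the peer sent to the DC."""
    return s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else float("inf")


def find_reflection_victims(stats, min_ratio=10.0, min_pkts=3):
    """External peers receiving >= min_ratio times what they sent: likely spoofed victims."""
    hits = []
    for peer, s in stats.items():
        if is_internal(peer):
            continue  # domain members are expected CLDAP clients
        if s["out_pkts"] >= min_pkts and amplification(s) >= min_ratio:
            hits.append((peer, round(amplification(s), 1)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    peers = cldap_peer_stats(SAMPLE_FLOWS.splitlines())
    for peer, ratio in find_reflection_victims(peers):
        print(f"{peer}: {ratio}x amplification")
```

Any external address appearing in the summary at all is already a finding, because a DC has no reason to answer CLDAP from the internet; the ratio and packet thresholds only separate an ongoing reflection from a one-off scan. The fix the diary implies is to stop exposing UDP/389 rather than to detect the abuse.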


Using assert() to Execute Malware in PHP 7 Environments

Initially released December 2015, PHP 7 introduced a multitude of performance and security improvements. Approximately 43.7% of websites across the web currently use PHP 7.x, making it an incredibly popular scripting language - which is likely why attackers are creating malware to target environments which leverage it. During a recent investigation, our team stumbled across some malicious code which is used to inject a .user.ini file into a PHP 7 environment and add zend.assertions = 1.

https://blog.sucuri.net/2020/09/using-assert-to-execute-malware-php-7.html
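
A scanner for the two artifacts the post describes, a dropped .user.ini that turns assertions on and an assert() call fed with a string, decoded blob or request input. This is an added example, not Sucuri's code; the directive names, the call shapes it looks for and the sample web root are constructed here so it runs offline.

```python
"""Look for .user.ini files enabling zend.assertions and for assert()-as-eval in a PHP web root (added example)."""
import os
import re
import tempfile

INI_KEY_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")

# assert() whose argument is code rather than a boolean expression:
# a string literal, request input, a decoder chain, or a bare variable.
ASSERT_RE = re.compile(
    r"\bassert\s*\(\s*"
    r"(?:['\"]"                                                     # assert('...')
    r"|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"                     # assert($_REQUEST[...])
    r"|(?:base64_decode|str_rot13|gzinflate|gzuncompress|strrev)\s*\("  # assert(base64_decode(...))
    r"|\$[A-Za-z_]\w*\s*\))",                                       # assert($code)
    re.IGNORECASE,
)

# Constructed sample web root: one injected .user.ini, one dropper, two benign files.
SAMPLE_FILES = {
    ".user.ini": "; dropped next to the application\nzend.assertions = 1\nassert.active = 1\n",
    "wp-content/uploads/cache.php": "<?php\n@assert(base64_decode($_REQUEST['c']));\n",
    "index.php": "<?php\nrequire __DIR__ . '/app.php';\nassert(is_array($cfg));\n",
    "app/.user.ini": "upload_max_filesize = 8M\n",
}


def parse_user_ini(text):
    """Return {directive: value} from .user.ini text, ignoring ';' comments."""
    out = {}
    for raw in text.splitlines():
        m = INI_KEY_RE.match(raw.split(";", 1)[0])
        if m:
            out[m.group(1).lower()] = m.group(2).strip().strip("\"'").lower()
    return out


def assertions_enabled(ini):
    """True when zend.assertions is set so that assert() compiles and runs its argument."""
    return ini.get("zend.assertions") in {"1", "on", "true", "yes"}


def scan_webroot(root):
    """Walk the web root; return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".user.ini" and assertions_enabled(parse_user_ini(text)):
                findings.append((rel, "zend.assertions enabled via .user.ini"))
            if name.endswith(".php") and ASSERT_RE.search(text):
                findings.append((rel, "assert() called on string/decoded/request input"))
    return sorted(findings)


def build_sample_webroot():
    """Write the constructed sample files into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {why}")
```

A .user.ini is honoured per directory by PHP-FPM and CGI setups, so a stray one deep inside an uploads folder is as effective as one in the document root; the scanner therefore walks the whole tree rather than only the top level.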


Cloud firewall management API SNAFU put 500k SonicWall customers at risk

TL;DR: I found an IDOR in SonicWall's cloud management platform API. Any user could add themselves to any account at any organisation using it. Anyone could create a user account [...]

https://www.pentestpartners.com/security-blog/cloud-firewall-management-api-snafu-put-500k-sonicwall-customers-at-risk/
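
The bug class in the TL;DR, as an added example that is neither SonicWall's nor Pentest Partners' code: a hypothetical "add user to account" handler in its vulnerable form, where the account id comes from the request and only authentication is checked, next to a hardened form with an object-level authorization check. The account/role model, the session object and the handler signatures are assumptions for illustration.

```python
"""Insecure direct object reference on an 'add user to account' API call, vulnerable vs. hardened (added example)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


@dataclass
class Account:
    account_id: str
    org: str
    members: dict = field(default_factory=dict)  # username -> role


@dataclass
class Session:
    user: str
    authenticated: bool = True


def sample_accounts():
    """Constructed tenant data: two organisations, each administered by its own user."""
    return {
        "acct-1001": Account("acct-1001", "Example Org A", {"alice": "admin"}),
        "acct-1002": Account("acct-1002", "Example Org B", {"carol": "admin"}),
    }


def add_user_vulnerable(session, accounts, account_id, username, role="admin"):
    """IDOR: account_id is trusted from the request; only a valid login is required,
    so any self-registered user can add themselves to any account they can name."""
    if not session.authenticated:
        raise Forbidden("login required")
    acct = accounts[account_id]          # no check that the caller belongs to this account
    acct.members[username] = role
    return acct


def add_user_hardened(session, accounts, account_id, username, role="admin"):
    """Same operation with the missing authorization step."""
    if not session.authenticated:
        raise Forbidden("login required")
    acct = accounts.get(account_id)
    # The caller must already administer *this* account. A single error for both
    # "no such account" and "not your account" keeps valid ids from being enumerated.
    if acct is None or acct.members.get(session.user) != "admin":
        raise Forbidden("not authorized for this account")
    acct.members[username] = role
    return acct


def denied(handler, *args):
    """True if the handler refuses the request."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    mallory = Session("mallory")        # attacker holding only a self-registered login
    accts = sample_accounts()
    add_user_vulnerable(mallory, accts, "acct-1001", "mallory")
    print("vulnerable handler, acct-1001 members:", sorted(accts["acct-1001"].members))
    accts = sample_accounts()
    print("hardened handler denies:", denied(add_user_hardened, mallory, accts, "acct-1001", "mallory"))
```

Hard-to-guess account identifiers do not replace the check: the authorization decision has to be made against the caller's relationship to the object on every request.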


Extortion e-mail with bomb threat sent out en masse

Beware of a fraudulent extortion e-mail: criminals are sending messages claiming that a bomb has been planted in the recipient's business premises. If the companies that received the message do not pay 20,000 dollars in Bitcoin within 80 hours, the bomb will supposedly go off. The e-mail is pure fiction and nothing needs to be paid!

https://www.watchlist-internet.at/news/erpressungs-mail-mit-bombendrohung-massenhaft-versendet/

Vulnerabilities

New Intel microcode updates for Windows 10 fix CPU hardware bugs

Microsoft has released a new batch of Intel microcode updates for Windows 10 2004, 1909, 1903, and older versions to fix hardware bugs in Intel CPUs.

https://www.bleepingcomputer.com/news/microsoft/new-intel-microcode-updates-for-windows-10-fix-cpu-hardware-bugs/


Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws

Two flaws - one of them yet to be fixed - are afflicting a third-party plugin used by Magento e-commerce websites.

https://threatpost.com/magento-sites-vulnerable-to-rce-stemming-from-magmi-plugin-flaws/158864/


Encryption: TLS 1.3 blunder endangers embedded systems using wolfSSL

For security reasons, admins should update the wolfSSL TLS library to the current version.

https://heise.de/-4883741


TYPO3-EXT-SA-2020-017: Multiple vulnerabilities in extension "Event management and registration" (sf_event_mgt)

It has been discovered that the extension "Event management and registration" (sf_event_mgt) is susceptible to Information Disclosure and Broken Access Control.

https://typo3.org/security/advisory/typo3-ext-sa-2020-017


TYPO3-EXT-SA-2020-016: Information Disclosure in extension "Localization Manager" (l10nmgr)

It has been discovered that the extension "Localization Manager" (l10nmgr) is susceptible to Information Disclosure.

https://typo3.org/security/advisory/typo3-ext-sa-2020-016


700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin

This morning, on September 1, 2020, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site. A patch was released this morning [...]

https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/


Security updates for Wednesday

Security updates have been issued by CentOS (firefox), Mageia (mutt and putty), openSUSE (ldb, samba, libqt5-qtbase, opera, and postgresql10), Red Hat (bash, kernel, and libvncserver), SUSE (apache2, curl, and squid), and Ubuntu (ark, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, [...]

https://lwn.net/Articles/830392/


Multiple Vulnerabilities in Red Lion N-Tron 702-W, Red Lion N-Tron 702M12-W

https://sec-consult.com/./en/blog/advisories/multiple-vulnerabilities-in-red-lion-n-tron-702-w-red-lion-n-tron-702m12-w/


Security Advisory - Command Injection Vulnerability in Some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-01-command-en


Security Advisory - DoS Vulnerability in Some Huawei Smart Phones

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-03-smartphone-en


Security Advisory - Information Disclosure Vulnerability in Several Smartphones

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-07-smartphone-en


Security Advisory - Remote Code Execution vulnerability in Apache Struts 2

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-01-struts2-en


Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.9.0 ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 - 2020.2.0

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-68-9-0-esr-hava-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if11-icam2019-3-0-2020-2-0/


Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-cross-site-scripting-vulnerability-4/


Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Spectrum Scale Transparent Cloud Tiering (177835)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-commons-codec-affects-ibm-spectrum-scale-transparent-cloud-tiering-177835/


Security Bulletin: Code injection vulnerability in IBM Spectrum Protect Operations Center (CVE-2020-4693)

https://www.ibm.com/blogs/psirt/security-bulletin-code-injection-vulnerability-in-ibm-spectrum-protect-operations-center-cve-2020-4693/


Security Bulletin: Information Disclosure vulnerability in IBM Spectrum Protect Server (CVE-2020-4591)

https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-in-ibm-spectrum-protect-server-cve-2020-4591-2/


Security Bulletin: IBM Security Guardium is affected by Use of Hard-Coded Credentials vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-use-of-hard-coded-credentials-vulnerabilities-3/


Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by a Java vulnerability (CVE-2020-2654)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transparent-cloud-tiering-is-affected-by-a-java-vulnerability-cve-2020-2654/


Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-os-command-injection-vulnerabilities-8/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-guardium-6/


Security Bulletin: IBM Security Guardium is affected by an OS Command Injection vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-os-command-injection-vulnerabilities-7/