End-of-Day report
Timeframe: Wednesday 02-09-2020 18:00 - Thursday 03-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Microsoft Defender can ironically be used to download malware
A recent update to Windows 10's Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/
Sandbox Evasion Using NTP, (Thu, Sep 3rd)
I'm still hunting for interesting (read: "malicious") Python samples. By reading my previous diaries, you know that I like to find how attackers implement obfuscation and evasion techniques. Like yesterday, I found a Python sample that creates a thread to run a malicious shellcode[1]. But before processing the shellcode, it performs suspicious network traffic: [...]
https://isc.sans.edu/diary/rss/26534
Salfram: Robbing the place without removing your name tag
By Holger Unterbrink and Edmund Brumaghin. Threat summary: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Ongoing campaigns are distributing various malware families using the same crypter.
https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html
Inter: The Magecart Skimming Tool Now on More than 1,500 Sites
Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes. However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common and widely used digital skimming solutions globally.
https://www.riskiq.com/blog/external-threat-management/inter-skimmer/
New Python-scripted trojan malware targets fintech companies
PyVil RAT is capable of keylogging, taking screenshots and more - and those behind it have gone to great lengths to keep it as under the radar as possible.
https://www.zdnet.com/article/new-python-scripted-trojan-malware-targets-finance-sector/
Vulnerabilities
Cisco security updates: Jabber + crafted message = malicious code
Cisco has released security updates for, among other products, Jabber, IOS XR and Webex Meetings.
https://heise.de/-4884609
Security updates for Thursday
Security updates have been issued by Debian (asyncpg and uwsgi), Mageia (cairo), openSUSE (chromium, kernel, and postgresql10), Red Hat (dovecot and squid:4), SUSE (curl, java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libX11, php7, squid, and xorg-x11-server), and Ubuntu (apport, libx11, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
https://lwn.net/Articles/830496/
Backdoors left unpatched in MoFi routers
MoFi Network patched only six of ten reported vulnerabilities, leaving three hard-coded undocumented backdoor systems in place.
https://www.zdnet.com/article/backdoors-left-unpatched-in-mofi-routers/
Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in MySQL.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-developer-portal-is-impacted-by-vulnerabilities-in-mysql/
Security Bulletin: IBM Security Guardium is affected by an Information exposure in HTML comments vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-information-exposure-in-html-comments-vulnerability-2/
Security Bulletin: IBM API Connect's Developer Portal is vulnerable to social engineering attacks (CVE-2020-4337)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connects-developer-portal-is-vulnerable-to-social-engineering-attacks-cve-2020-4337/
Security Bulletin: IBM Security Guardium is affected by a Hard-coded passwords vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-hard-coded-passwords-vulnerability-4/
Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-improper-restriction-of-excessive-authentication-attempts-vulnerability-4/
Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-an-oracle-mysql-vulnerability/
Security Bulletin: IBM Security Guardium is affected by a Use of Broken or Risky Cryptographic Algorithm vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-use-of-broken-or-risky-cryptographic-algorithm-vulnerability-2/
Security Bulletin: IBM Security Guardium is affected by a Use of Insufficiently Random Value vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-use-of-insufficiently-random-value-vulnerability-3/
Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-6/
Security Bulletin: IBM Security Guardium is affected by Oracle MySQL vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-oracle-mysql-vulnerabilities-5/