End-of-Day report
Timeframe: Montag 14-09-2020 18:00 - Dienstag 15-09-2020 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Windows 10 'Finger' command can be abused to download or steal files
The list of native executables in Windows that can download or run malicious code keeps growing as another one has been reported recently.
https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/
Sicherheitslücke: Mit acht Nullen zum Active-Directory-Admin
Die Sicherheitslücke Zerologon nutzt einen Fehler in Netlogon aus und involviert die Zahl Null auf kreative Weise - um Passwörter zu ändern.
https://www.golem.de/news/sicherheitsluecke-mit-acht-nullen-zum-active-directory-admin-2009-150869-rss.html
Erfolgreiche Angriffskampagne trifft Online-Shops auf Basis von Magento 1
Der Support für Version 1.x der Onlineshop-Software Magento endete im Juni 2020. Eine aktuelle "Magecart"-Angriffskampagne zielt nun auf veraltete Shops.
https://heise.de/-4894269
Shitrix-Nachwehen: Citrix-Systeme mit unbemerkten Backdoors
Auf Citrix ADC und Netscaler Gateways sind offenbar über die Shitrix-Lücke Anfang des Jahres Backdoors installiert worden, durch die Ransomware gelangen kann.
https://heise.de/-4901590
Erpressungs-E-Mails: Kriminelle hätten Beweise, dass Sie fremdgehen
Werden Sie per E-Mail erpresst? Behauptet der Erpresser, einen Virus auf Ihrem Smartphone installiert zu haben, der Ihre Aktivitäten überwacht? Hat er angeblich Beweismaterial, dass Sie beim Fremdgehen zeigt? Fordert man für Stillschweigen die Überweisung von Bitcoins? Dann: Machen Sie sich keine Sorgen! Es handelt sich um ein betrügerisches E-Mail, das aktuell massenhaft versendet wird!
https://www.watchlist-internet.at/news/erpressungs-e-mails-kriminelle-haetten-beweise-dass-sie-fremdgehen/
Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits
We captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends.
https://unit42.paloaltonetworks.com/network-attack-trends/
MITRE releases emulation plan for FIN6 hacking group, more to follow
New MITRE project to provide free emulation plans that mimic major threat actors in order to train and help defenders.
https://www.zdnet.com/article/mitre-releases-emulation-plan-for-fin6-hacking-group-more-to-follow/
Hackers are getting more hands-on with their attacks. Thats not a good sign
Both nation-state backed hackers and cyber criminals asking trying to take advantage of the rise in remote working, and getting more sophisticated in their approach.
https://www.zdnet.com/article/hackers-are-getting-more-hands-on-with-their-attacks-thats-not-a-good-sign/
Vulnerabilities
MFA Bypass Bugs Opened Microsoft 365 to Attack
Vulnerabilities 'that have existed for years' in WS-Trust could be exploited to attack other services such as Azure and Visual Studio.
https://threatpost.com/flaws-in-microsoft-365s-mfa-access-cloud-apps/159240/
VMware VMSA-2020-0020 (Sep 14)
VMware Workstation, Fusion and Horizon Client updates address multiple security vulnerabilities (CVE-2020-3980, CVE-2020-3986, CVE-2020-3987, CVE-2020-3988, CVE-2020-3989, CVE-2020-3990)
https://www.vmware.com/security/advisories/VMSA-2020-0020.html
Notfallpatch für Adobe Media Encoder verfügbar
Angreifer könnten Media Encoder von Adobe attackieren und Informationen leaken.
https://heise.de/-4901833
Vulnerability Spotlight: Memory corruption in Google PDFium
Google Chromes PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. Chrome is a popular, free web browser available on all operating systems. PDFium allows users to open PDFs inside Chrome. We recently discovered a bug that would allow an adversary to send a malicious web page to a user, and then cause out-of-bounds memory access.
https://blog.talosintelligence.com/2020/09/vuln-spotlight-google-pdfium-sept-2020.html
Security updates for Tuesday
Security updates have been issued by CentOS (dovecot), Debian (gnome-shell and teeworlds), Mageia (libetpan and zeromq), openSUSE (libxml2), Red Hat (chromium-browser and librepo), SUSE (compat-openssl098, firefox, kernel, openssl, and shim), and Ubuntu (gupnp).
https://lwn.net/Articles/831592/
Synology-SA-20:20 Photo Station
Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Photo Station.
https://www.synology.com/en-global/support/security/Synology_SA_20_20
Security Bulletin: IBM Maximo Asset Management is vulnerable to Java Deserialization (CVE-2020-4521)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-java-deserialization-cve-2020-4521/
Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-missing-security-control-vulnerability-2/
Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL Injection (CVE-2019-4671)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-sql-injection-cve-2019-4671/
Security Bulletin: Docker vulnerability affects IBM Spectrum Protect Plus (CVE-2020-13401)
https://www.ibm.com/blogs/psirt/security-bulletin-docker-vulnerability-affects-ibm-spectrum-protect-plus-cve-2020-13401/
Security Bulletin: Linux Kernel vulnerability affects IBM Spectrum Protect Plus (187206)
https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerability-affects-ibm-spectrum-protect-plus-187206/
Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site request forgery (CVE-2020-4526)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-cross-site-request-forgery-cve-2020-4526/
Security Bulletin: Directory Traversal and Execution of Arbitrary Code vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4711, CVE-2020-4703)
https://www.ibm.com/blogs/psirt/security-bulletin-directory-traversal-and-execution-of-arbitrary-code-vulnerabilities-in-ibm-spectrum-protect-plus-cve-2020-4711-cve-2020-4703/
Security Bulletin: Cacheable HTTPS Response vulnerability in IBM Tivoli Business Service Manager (CVE-2020-4344)
https://www.ibm.com/blogs/psirt/security-bulletin-cacheable-https-response-vulnerability-in-ibm-tivoli-business-service-manager-cve-2020-4344/
Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2020-14577)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-sdk-affects-ibm-tivoli-business-service-manager-cve-2020-14577/
Security Bulletin: Improper DLL loading vulnerability affecting Aspera Connect 3.9.9 and earlier
https://www.ibm.com/blogs/psirt/security-bulletin-improper-dll-loading-vulnerability-affecting-aspera-connect-3-9-9-and-earlier-3/