Daily summary - 21.09.2020

End-of-Day report

Timeframe: Friday 18-09-2020 18:00 - Monday 21-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Google App Engine: redirect feature facilitates phishing and malware distribution

Google's cloud application platform App Engine gives criminals plenty of leeway when generating malicious links, and they are exploiting it in active attacks.

https://heise.de/-4906593


iOS 14: Private Wi-Fi addresses can cause problems

iOS 14 automatically switches iPhones to random MAC addresses. In home and corporate networks this can, under certain circumstances, lead to connection problems.

https://heise.de/-4907542


uMatrix is no longer being developed: repository set to "archived"

The browser extension uMatrix has been marked as archived on GitHub. This ends further development of the firewall.

https://heise.de/-4906711


Windows 10 Health Report: September 2020 issues, Defender fiasco, & more

This Windows 10 Health Report provides an overview of the problems people are encountering in September 2020 due to new cumulative updates or changes made in the operating system.

https://www.bleepingcomputer.com/news/microsoft/windows-10-health-report-september-2020-issues-defender-fiasco-and-more/


Slightly broken overlay phishing, (Mon, Sep 21st)

At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes - sometimes the phishing authors "cut out the middleman" and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt.

https://isc.sans.edu/diary/rss/26586


The Hidden PHP Malware that Reinfects Cleaned Files

Website reinfections are a serious problem for website owners, and it can often be difficult to determine the cause behind the reinfection - especially if you lack access to necessary logs, which is usually the case for shared hosting services. Some of the more common causes of reinfections are issues like cross-site contamination or unpatched website software security vulnerabilities that get re-exploited.

https://blog.sucuri.net/2020/09/the-hidden-php-malware-that-reinfects-cleaned-files.html


One Part Steganography, Four Redirectors, and a Splash of C2!

What do you get when you combine Google Images, QR Codes, and Remote Command Execution? This silly project of mine I'd like to share with you all, of course! Building off of my security research from my last couple of blogs, I decided to use my research using dynamic web content to proxy traffic over third party image providers, and try to find a valid bi-directional method for sending data between a NAT'd client and a public server.

https://medium.com/@curtbraz/one-part-steganography-four-redirectors-and-a-splash-of-c2-e13e5a65daa9


Is domain name abuse something companies should worry about?

Should you worry about domain name abuse? For the most part it depends on what kind of company you are and what you expect to encounter.

https://blog.malwarebytes.com/business-2/2020/09/is-domain-name-abuse-something-companies-should-worry-about/


The Return of Raining SYSTEM Shells with Citrix Workspace app

TL;DR Back in July I documented a new Citrix Workspace vulnerability that allowed attackers to remotely execute arbitrary commands under the SYSTEM account. Well after some further investigation on the [...]

https://www.pentestpartners.com/security-blog/the-return-of-raining-system-shells-with-citrix-workspace-app/


Code execution, defense evasion are top tactics used in critical attacks against corporate endpoints

Cisco examines MITRE ATT&CK data to suggest the threat vectors enterprise security staff should focus their efforts on.

https://www.zdnet.com/article/defense-evasion-code-execution-are-the-top-attack-tactics-used-against-corporate-endpoints/


Review of the second third of 2020

Unlike the first third of the year, the second began much less dramatically as far as IT security is concerned. Besides Citrix, to which we also owed our first ad-hoc advisory of the second third of the year, another old vulnerability also rose to new "fame".

https://cert.at/de/blog/2020/9/ruckblick-auf-das-zweite-drittel-2020

Vulnerabilities

Security vulnerability: mobile Firefox browser executed commands from the Wi-Fi network

Attackers on the same Wi-Fi network could make the mobile Firefox browser on Android open arbitrary web pages or other apps - without any user interaction.

https://www.golem.de/news/sicherheitsluecke-mobiler-firefox-browser-fuehrte-befehle-aus-dem-wlan-aus-2009-150987-rss.html


Micropatch for Zerologon, the "perfect" Windows vulnerability (CVE-2020-1472)

The Zerologon vulnerability allows an attacker with network access to a Windows Domain Controller to quickly and reliably take complete control of the Windows domain. As such, it is a perfect vulnerability for any attacker and a nightmare for defenders.

https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html


Security updates for Monday

Security updates have been issued by Debian (inspircd and modsecurity), Fedora (chromium, cryptsetup, gnutls, mingw-libxml2, and seamonkey), openSUSE (ark, chromium, claws-mail, docker-distribution, fossil, hylafax+, inn, knot, libetpan, libjpeg-turbo, libqt4, librepo, libvirt, libxml2, lilypond, mumble, openldap2, otrs, pdns-recursor, perl-DBI, python-Flask-Cors, singularity, slurm_18_08, and virtualbox), SUSE (jasper, less, ovmf, and rubygem-actionview-4_2), and Ubuntu (sa-exim).

https://lwn.net/Articles/832080/


MISP 2.4.132 released (security fix CVE-2020-25766 and bugs fixed)

A new version of MISP (2.4.132) has been released with several bugs fixed including an important security fix CVE-2020-25766.

https://www.misp-project.org/2020/09/21/MISP.2.4.132.released.html


B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php


B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php


B-swiss 3 Digital Signage System 3.6.5 Database Disclosure

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5588.php


Security Bulletin: Denial of Service with HTTP/2 in IBM DataPower Gateway (CVE-2020-4579)

https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-with-http-2-in-ibm-datapower-gateway-cve-2020-4579/


Security Bulletin: IBM Business Automation Content Analyzer is affected by Insecure Cookie vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-business-automation-content-analyzer-is-affected-by-insecure-cookie-vulnerability/


Security Bulletin: Denial of Service with HTTP/2 in IBM DataPower Gateway (CVE-2020-4581)

https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-with-http-2-in-ibm-datapower-gateway-cve-2020-4581/


Security Bulletin: Denial of Service in IBM DataPower Gateway (CVE-2020-4580)

https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-in-ibm-datapower-gateway-cve-2020-4580/


Security Bulletin: Vulnerability in bind (CVE-2020-8616 and CVE-2020-8617).

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve-2020-8616-and-cve-2020-8617/


Security Bulletin: Vulnerability in ntp (CVE-2020-11868 and CVE-2020-13817).

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ntp-cve-2020-11868-and-cve-2020-13817/