Daily summary - 23.09.2020

End-of-Day report

Timeframe: Tuesday 22-09-2020 18:00 - Wednesday 23-09-2020 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

Web browser security checklist

Your browser comes into contact with malicious code very frequently, even without visiting shady websites. That makes it all the more important to configure it as securely as possible.

https://heise.de/-4886750


Watch out: Emotet now hides in password-protected archives

The masterminds behind Emotet have launched a new campaign to spread the malware. This time, however, they slipped up on one thing.

https://heise.de/-4909712


Fraudulent loans from Continental Bank and Eran Finance!

As a consequence of the coronavirus crisis, more and more people depend on financial assistance. No wonder that credit and loans are becoming more popular, and that cybercriminals are offering fraudulent loans as well. Examples are the loan broker royal-eranfinance.com and the bank continental-groupe.com. The two supposed companies work together. But instead of paying out loans, they steal the victims' identities and demand advance payments.

https://www.watchlist-internet.at/news/betruegerische-kredite-von-continental-bank-und-eran-finance/


Case Study: Emotet Thread Hijacking, an Email Attack Technique

Thread hijacking, recently used to distribute Emotet, uses stolen copies of messages collected from infected users' email clients to attack others.

https://unit42.paloaltonetworks.com/emotet-thread-hijacking/


Linux vulnerabilities: How unpatched servers lead to persistent backdoors

Vulnerability management is a challenge. Humans make mistakes, software has bugs, and some of these bugs are exploitable vulnerabilities. The existence of vulnerabilities in software is not a new problem, but as the volume of software in existence grows, so does the number of exploitable vulnerabilities.

https://resources.infosecinstitute.com/linux-vulnerabilities-how-unpatched-servers-lead-to-persistent-backdoors/


Looking for sophisticated malware in IoT devices

Let's talk about the structure of the firmware of an IoT device in order to get a better understanding of the different components.

https://securelist.com/looking-for-sophisticated-malware-in-iot-devices/98530/


[SANS ISC] Malicious Word Document with Dynamic Content

I published the following diary on isc.sans.edu: "Malicious Word Document with Dynamic Content": Here is another malicious Word document that I spotted while hunting. "Another one?" some of our readers may ask. Indeed, but malicious documents remain a very common infection vector and you learn a lot when you analyze [...]

https://blog.rootshell.be/2020/09/23/sans-isc-malicious-word-document-with-dynamic-content/

Vulnerabilities

Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin

On August 14, our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on [...]

https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin/


Security updates for Wednesday

Security updates have been issued by openSUSE (libetpan, libqt4, lilypond, otrs, and perl-DBI), Red Hat (kernel-rt), Slackware (seamonkey), SUSE (grafana, libmspack, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and samba), and Ubuntu (debian-lan-config, ldm, libdbi-perl, and netty-3.9).

https://lwn.net/Articles/832276/


Samba Issues Patches for Zerologon Vulnerability

The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

https://www.securityweek.com/samba-issues-patches-zerologon-vulnerability


CVE-2020-1472/Zerologon. As an IT manager should I worry?

TL;DR Yes, apply the update from Microsoft.

https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/


Citrix Hypervisor Security Update

Several security issues have been identified in Citrix Hypervisor (formerly Citrix XenServer) that may allow privileged code in a guest VM to cause the host to crash or become unresponsive. In addition, unprivileged code in a PV guest VM may be able to [...]

https://support.citrix.com/article/CTX282314


Security Advisory - Buffer Overflow Vulnerability BootHole in GRUB2 Secure Boot

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200923-01-grub2-en


Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Phones

http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200923-01-outofbound-en


Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-4698

https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-4698-2/


Security Bulletin: IBM Maximo Asset Management is vulnerable to path traversal (CVE-2019-4582)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-path-traversal-cve-2019-4582-2/


Security Bulletin: A vulnerability in SQLite affects IBM Cloud Application Performance Management Response Time Monitoring Agent (CVE-2020-15358)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlite-affects-ibm-cloud-application-performance-managment-r-esponse-time-monitoring-agent-cve-2020-15358/


Atlassian Confluence: Vulnerability allows information disclosure

https://www.cert-bund.de/advisoryshort/CB-K20-0920


Red Hat Enterprise Linux: Vulnerability allows denial of service

https://www.cert-bund.de/advisoryshort/CB-K20-0921