Daily summary - 30.09.2020

End-of-Day report

Timeframe: Tuesday 29-09-2020 18:00 - Wednesday 30-09-2020 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Fake software crack sites used to push Exorcist 2.0 Ransomware

The threat actors behind the Exorcist 2.0 ransomware are using malicious advertising to redirect victims to fake software crack sites that distribute their malware.

https://www.bleepingcomputer.com/news/security/fake-software-crack-sites-used-to-push-exorcist-20-ransomware/


Over 247K Exchange servers unpatched for actively exploited flaw

More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support.

https://www.bleepingcomputer.com/news/security/over-247k-exchange-servers-unpatched-for-actively-exploited-flaw/


Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise

A new report from Microsoft shows it is clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to identify.

https://www.microsoft.com/security/blog/2020/09/29/microsoft-digital-defense-report-2020-cyber-threat-sophistication-rise/


It's 2020, so not only is your mouse config tool a Node.js Electron app, it's also pwnable by an evil webpage

Malicious JavaScript can inject commands to execute. Earlier this year, peripheral maker Kensington patched its desktop software to close a vulnerability that could have been exploited by malicious websites to quietly hijack victims' computers.

https://go.theregister.com/feed/www.theregister.com/2020/09/30/kensingtonworks_mouse_flaw/


LodaRAT Update: Alive and Well

By Chris Neal. During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality. Multiple new versions of LodaRAT have been spotted being used in the wild. These new versions of LodaRAT abandoned their previous obfuscation techniques. Direct interaction with the threat actor was observed during analysis, indicating the actor is actively monitoring infected hosts.

https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html


Warning! Supposed voucher codes lead into a subscription trap

Fake voucher codes for various providers such as Netflix, Steam, PlayStation, Google Play or Amazon are currently appearing in growing numbers. The codes are posted in comments under all kinds of YouTube videos. But instead of the promised 50 euros, victims end up in a subscription trap.

https://www.watchlist-internet.at/news/achtung-vermeintliche-gutschein-codes-fuehren-in-abo-falle/


This worm phishing campaign is a game-changer in password theft, account takeovers

The security incident highlights the need for multi-factor authentication in the enterprise.

https://www.zdnet.com/article/this-worm-phishing-campaign-is-a-game-changer-in-password-theft-account-takeovers/

Vulnerabilities

Patch now! Cisco delivers security updates for routers

Admins should bring Cisco's professional routers up to date for security reasons. Attackers are currently exploiting the vulnerabilities.

https://heise.de/-4916417


FYI: If you're running HP Device Manager, anyone on your network can get admin on your server via backdoor

Hidden database account discovered, patches finally available as well as mitigations. HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned.

https://go.theregister.com/feed/www.theregister.com/2020/09/30/hp_device_manager_backdoor_database_account/


Huawei Security Advisories

Huawei has published 16 security advisories for various products.

https://www.huawei.com/en/psirt/all-bulletins


Security updates for Wednesday

Security updates have been issued by Arch Linux (chromium, firefox, libvirt, and podman), Debian (firefox-esr and nss), Gentoo (bitcoind, chromium, cifs-utils, gpsd, libuv, and xen), Mageia (firefox, gnutls, mediawiki, samba, and Thunderbird), openSUSE (brotli and cifs-utils), Red Hat (audiofile, bluez, cloud-init, cpio, cups, curl, dbus, dnsmasq, e2fsprogs, evince and poppler, exiv2, expat, firefox, fontforge, freeradius, freerdp, glib2 and ibus, glibc, httpd, hunspell, ipa, kernel, kernel-rt, [...]

https://lwn.net/Articles/833120/


Vulnerabilities in Bosch PRAESIDEO and PRAESENSA

BOSCH-SA-538331-BT: Two security vulnerabilities have been uncovered in the web based management interface of the PRAESIDEO Network Controller and the PRAESENSA System Controller. The vulnerabilities will allow a Cross-Site Request Forgery (CSRF) attack and a Cross-site Scripting (XSS) attack. For PRAESIDEO a third vulnerability will allow a replay attack with which authentication can be bypassed. This last vulnerability is present in the web server of the PRAESIDEO Network Controller.

https://psirt.bosch.com/security-advisories/bosch-sa-538331-bt.html


Advisory: Multiple Vulnerabilities in SiteManager and GateManager

https://www.br-automation.com/downloads_br_productcatalogue/assets/1600003183751-de-original-1.0.pdf


Advisory: Multiple Vulnerabilities in GateManager

https://www.br-automation.com/downloads_br_productcatalogue/assets/1600003183756-de-original-1.0.pdf


Red Hat Enterprise Linux: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K20-0939


Red Hat Enterprise Linux: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K20-0940


Red Hat Enterprise Linux/FreeRDP: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K20-0941


Red Hat Enterprise Linux/WebKitGTK: Multiple vulnerabilities allow execution of arbitrary code with user privileges

https://www.cert-bund.de/advisoryshort/CB-K20-0942


Security Bulletin: Security vulnerability in WebSphere Liberty Server shipped with IBM Global Mailbox (CVE-2020-4329)

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in-websphere-liberty-server-shipped-with-ibm-global-mailbox-cve-2020-4329/


Security Bulletin: Version 5.0.5 of Redis included in IBM Netcool Operations Insight 1.6.1.x has a security vulnerability (CVE-2020-14147)

https://www.ibm.com/blogs/psirt/security-bulletin-version-5-0-5-of-redis-included-in-ibm-netcool-operations-insight-1-6-1-x-has-a-security-vulnerability-cve-2020-14147/


Security Bulletin: Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websphere-application-server-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise-2/


Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-may-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise/


Security Bulletin: Multiple vulnerabilities in middleware software affect IBM Cloud Pak for Automation

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-middleware-software-affect-ibm-cloud-pak-for-automation-3/


Security Bulletin: WebSphere Application Server is vulnerable to an information exposure vulnerability (CVE-2020-4629)

https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-an-information-exposure-vulnerability-cve-2020-4629/


Security Bulletin: Version 4.17.15 of Node.js module lodash included in IBM Netcool Operations Insight 1.6.1.x has a security vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-version-4-17-15-of-node-js-module-lodash-included-in-ibm-netcool-operations-insight-1-6-1-x-has-a-security-vulnerability/


Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Commons Codec vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-an-apache-commons-codec-vulnerability/


Security Bulletin: Vulnerability in Apache Commons Codec affects IBM Operations Analytics Predictive Insights

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-commons-codec-affects-ibm-operations-analytics-predictive-insights/


Security Bulletin: IBM Cloud Manager with OpenStack is affected by an OpenSSL vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-manager-with-openstack-is-affected-by-a-openssl-vulnerability/