End-of-Day report
Timeframe: Wednesday 24-04-2019 18:00 - Thursday 25-04-2019 18:00
Handler: Dimitri Robl
Co-Handler: Robert Waldner
News
ExtraPulsar backdoor based on leaked NSA code - what you need to know
A US security researcher has come up with an open-source Windows backdoor loosely based on NSA attack code that leaked back in 2017.
https://nakedsecurity.sophos.com/2019/04/25/extrapulsar-backdoor-based-on-leaked-nsa-code-what-you-need-to-know/
Android app "WiFi Finder" leaked private Wi-Fi passwords
On more than 100,000 phones, WiFi Finder helped users connect to public hotspots. In many cases, however, the app also collected private credentials.
https://heise.de/-4405783
Patch now! Gandcrab ransomware spreading through Confluence vulnerability
The attacks on Confluence are expanding. Attackers are currently trying to infect vulnerable systems with the Gandcrab ransomware.
https://heise.de/-4407102
JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan
Malware loaders are playing an increasingly important role in malware distribution. They give adversaries the ability to gain an initial foothold on a system and are typically used to deliver various malware payloads following successful compromise. These attacks are popping up more frequently, as we covered in July with Smoke Loader and Brushaloader earlier this year.
https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html
Extortion e-mail from myself
Criminals are currently sending e-mails in which they claim to have hacked your webcam and watched you. They allegedly have video footage showing you masturbating. They threaten to publish the video unless you transfer a certain amount of money in Bitcoin. Furthermore, it appears as if the criminals had sent the e-mail to you from your own account. Stay calm, this is a scam attempt!
https://www.watchlist-internet.at/news/erpressungs-e-mail-von-mir-selbst/
Vulnerabilities
Unpatched Vulnerability Alert - WebLogic Zero Day, (Thu, Apr 25th)
The news today is full of a new deserialization vulnerability in Oracle WebLogic. This affects all current versions of the product (the POC is against 10.3, but 12.x versions are also affected). The vulnerability affects the wls9_async_response package (which is not included by default in all builds), so the workaround is to either ACL the /_async/* and /wls-wsat/* paths, or delete wls9_async_response.war. A successful attack gets the attacker remote code exec on the vulnerable server.
https://isc.sans.edu/diary/rss/24880
Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores
Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware. On some devices, Qualcomm's TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA keys.
https://www.nccgroup.trust/us/our-research/private-key-extraction-qualcomm-keystore/
New security release versions of BIND are available: 9.11.6-P1, 9.12.4-P1, and 9.14.1
CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
CVE-2019-6467: An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c
CVE-2019-6468: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used
https://lists.isc.org/pipermail/bind-announce/2019-April/001126.html
Security updates for Thursday
Security updates have been issued by Debian (putty and systemd), Fedora (kernel, kernel-headers, and kernel-tools), Gentoo (ming and qemu), openSUSE (openexr and slurm), SUSE (ImageMagick, jasper, ntfs-3g_ntfsprogs, openssh, and webkit2gtk3), and Ubuntu (php5 and tcpflow).
https://lwn.net/Articles/786749/
TIBCO Security Advisories
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-activematrix-bpm-2019-11203
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-activematrix-bpm-2019-8995
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-activematrix-bpm-2019-8994
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8993
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8992
https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-april-24-2019-tibco-active-matrix-service-grid-2019-8991
BIND vulnerability CVE-2018-5743
https://support.f5.com/csp/article/K74009656
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by information disclosure vulnerability (CVE-2019-6157)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-information-disclosure-vulnerability-cve-2019-6157/
IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2019-4047)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerability-affects-the-lifecycle-query-engine-lqe-that-is-shipped-with-jazz-reporting-service-cve-2019-4047/
IBM Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2018-2004)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerability-affects-the-report-builder-that-is-shipped-with-jazz-reporting-service-cve-2018-2004/
IBM Security Bulletin: API Connect V2018 is impacted by weak cryptographic algorithms (CVE-2018-2007)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-impacted-by-weak-cryptographic-algorithms-cve-2018-2007/
IBM Security Bulletin: IBM Security SiteProtector System is affected by Apache HTTP Server vulnerabilities
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-siteprotector-system-is-affected-by-apache-http-server-vulnerabilities-3/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-security-siteprotector-system-6/
IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in GNU C Library (CVE-2017-15804 CVE-2017-15670 CVE-2015-5180)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-gnu-c-library-cve-2017-15804-cve-2017-15670-cve-2015-5180/
IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in xorg-x11
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerabilities-in-xorg-x11/
IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerability in cURL (CVE-2018-14618)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-analysis-dsa-preboot-is-affected-by-vulnerability-in-curl-cve-2018-14618/
IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2018-11236)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-management-module-ii-imm2-is-affected-by-vulnerability-in-gnu-c-library-cve-2018-11236/