End-of-Day report
Timeframe:   Monday 17-06-2019 18:00 - Tuesday 18-06-2019 18:00
Handler:     Dimitri Robl
Co-Handler:  Robert Waldner
News
Security Alert: Booking.Com Fake Emails Infect Computers with Sodinokibi Ransomware
A new spam campaign pretending to be from Booking.com is targeting users. The emails carry a document containing macro code. If the recipient opens the document and allows the macro to run, a loader is spawned that downloads and runs ransomware of the Sodinokibi family.
https://heimdalsecurity.com/blog/booking-com-fake-emails-sodinokibi-ransomware/
Plurox: Modular backdoor
The analysis showed the Backdoor.Win32.Plurox to have a few quite unpleasant features. What's more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins.
https://securelist.com/plurox-modular-backdoor/91213/
Malware sidesteps Google permissions policy with new 2FA bypass technique
When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.
We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google's recent restrictions. As a bonus, this technique also works to obtain OTPs from some email-based 2FA systems.
https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/
Sharing the Secrets: Pwning an industrial IoT router
I get involved in a lot of IoT and ICS pen tests and found an interesting device on one of them. I didn't have enough time on the job to go as deep as I wanted, so got PTP to buy a couple to play with. eBay FTW! It's an Ewon Flexy IoT Router.
https://www.pentestpartners.com/security-blog/sharing-the-secrets-pwning-an-industrial-iot-router/
Do not order from lastore.net
Even though the prices at lastore.net are very tempting, we advise against placing an order. lastore.net is a fake shop that takes payment but never delivers the goods!
https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-lastorenet/
Vulnerabilities
TCP SACK PANIC: Linux and FreeBSD kernels can be attacked remotely
Netflix has discovered several security problems in the network stack of the Linux and FreeBSD kernels that can be used for remote denial-of-service attacks.
https://heise.de/-4449183
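As an added illustration (example code, not from the Netflix advisory or the heise article): the advisory's workaround for hosts that cannot be patched immediately is an iptables rule dropping SYNs that advertise a very small MSS (-m tcpmss --mss 1:500). The parser below walks a TCP options field, extracts the MSS and SACK options, and applies that same range check so you can test a filter offline. The option byte strings are constructed, not captured traffic, and the decision to also drop malformed option lists is this example's choice, not the advisory's.

```python
"""Constructed examples of TCP SYN options (not captured traffic)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Range covered by the advisory's iptables workaround: -m tcpmss --mss 1:500
DROP_MSS_RANGE = (1, 500)


@dataclass
class TcpOptions:
    mss: Optional[int] = None
    sack_permitted: bool = False
    sack_blocks: List[Tuple[int, int]] = field(default_factory=list)
    malformed: bool = False


def parse_tcp_options(raw: bytes) -> TcpOptions:
    """Walk the TCP options field (kind, length, data) and pull out MSS and SACK options."""
    opts = TcpOptions()
    i, n = 0, len(raw)
    while i < n:
        kind = raw[i]
        if kind == 0:              # End of option list
            break
        if kind == 1:              # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= n:             # kind byte without a length byte
            opts.malformed = True
            break
        length = raw[i + 1]
        if length < 2 or i + length > n:   # length covers kind+len and must fit the buffer
            opts.malformed = True
            break
        data = raw[i + 2:i + length]
        if kind == 2:                      # Maximum Segment Size (RFC 793), 16-bit value
            if length != 4:
                opts.malformed = True
                break
            opts.mss = int.from_bytes(data, "big")
        elif kind == 4:                    # SACK permitted (RFC 2018)
            if length != 2:
                opts.malformed = True
                break
            opts.sack_permitted = True
        elif kind == 5:                    # SACK blocks (RFC 2018): pairs of 32-bit edges
            if length < 10 or (length - 2) % 8 != 0:
                opts.malformed = True
                break
            for j in range(0, length - 2, 8):
                left = int.from_bytes(data[j:j + 4], "big")
                right = int.from_bytes(data[j + 4:j + 8], "big")
                opts.sack_blocks.append((left, right))
        # other kinds (window scale, timestamps, ...) are skipped by their length
        i += length
    return opts


def should_drop_syn(raw_options: bytes, mss_range=DROP_MSS_RANGE) -> bool:
    """Mirror of the iptables workaround: drop a SYN whose MSS option falls in mss_range.

    Malformed option lists are dropped as well (this example's design choice)."""
    opts = parse_tcp_options(raw_options)
    if opts.malformed:
        return True
    lo, hi = mss_range
    return opts.mss is not None and lo <= opts.mss <= hi


# Constructed samples
# Typical Linux client SYN: MSS 1460, SACK permitted, timestamps, NOP, window scale 7
NORMAL_SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
# SYN an attacker would send to trigger the low-MSS path: MSS 48, SACK permitted, EOL
ATTACK_SYN_OPTIONS = bytes.fromhex("02040030" "0402" "00")
# One SACK block covering sequence numbers 1000..2000
SACK_BLOCK_OPTIONS = bytes.fromhex("050a" "000003e8" "000007d0")

if __name__ == "__main__":
    for name, raw in [("normal", NORMAL_SYN_OPTIONS), ("attack", ATTACK_SYN_OPTIONS)]:
        verdict = "drop" if should_drop_syn(raw) else "accept"
        print(name, parse_tcp_options(raw), verdict)
```

Note that, like the iptables tcpmss match, the check only fires when an MSS option is present; a SYN without one is not matched, which is why the advisory treats the rule as a stopgap and the kernel update as the real fix.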
Vulnerability Spotlight: Two bugs in KCodes NetUSB affect some NETGEAR routers
KCodes' NetUSB kernel module contains two vulnerabilities that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. Specific models of these routers utilize the kernel module from KCodes, a Taiwanese company. The module is custom-made for each device, but they all contain similar functions.
https://blog.talosintelligence.com/2019/06/vulnerability-spotlight-two-bugs-in.html
Security updates for Tuesday
Security updates have been issued by Arch Linux (linux-hardened), Debian (kdepim, kernel, linux-4.9, and phpmyadmin), Fedora (ansible and glib2), openSUSE (kernel and vim), Oracle (bind and kernel), Red Hat (kernel and kernel-rt), Scientific Linux (bind and kernel), SUSE (dbus-1, ImageMagick, kernel, netpbm, openssh, and sqlite3), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon and linux,
https://lwn.net/Articles/791370/
Critical Flaw Exposes TP-Link Wi-Fi Extenders to Remote Attacks
A critical remote code execution vulnerability discovered by an IBM X-Force researcher allows an unauthenticated attacker to take complete control of some TP-Link Wi-Fi extenders. Firmware updates that should patch the flaw have been made available by the vendor.
https://www.securityweek.com/critical-flaw-exposes-tp-link-wi-fi-extenders-remote-attacks
MISP: vulnerability allows code execution
MISP is an open-source platform for sharing threat intelligence.
A remote, authenticated attacker can exploit a vulnerability in MISP to execute arbitrary code.
CVE list: CVE-2019-12868
http://www.cert-bund.de/advisoryshort/CB-K19-0515
Improper Access Control Vulnerability in AppDNA
A vulnerability has been identified in AppDNA that could result in access controls not being enforced when accessing the web console potentially allowing privilege escalation and remote code execution.
https://support.citrix.com/article/CTX253828
IBM Security Bulletin: Password exposure via job log in IBM Spectrum Protect Plus (CVE-2019-4385)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-exposure-via-job-log-in-ibm-spectrum-protect-plus-cve-2019-4385/
IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to CSV Injection (CVE-2019-4364)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-csv-injection-cve-2019-4364/
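For readers unfamiliar with the bug class named in the bulletin, the following is an added example (not IBM's code and not taken from the bulletin) of the usual mitigation for CSV injection: a cell that starts with =, +, -, @ or a tab or carriage return is treated as a formula when the export is opened in a spreadsheet, so an exporter prefixes such strings with a single quote and quotes every field. The sample rows are constructed.

```python
"""Neutralize spreadsheet formula injection in CSV exports (constructed sample data)."""
import csv
import io

# Leading characters that Excel/LibreOffice interpret as the start of a formula
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value) -> bool:
    """True if a string cell would be evaluated as a formula by a spreadsheet."""
    return isinstance(value, str) and bool(value) and value[0] in FORMULA_TRIGGERS


def neutralize_cell(value) -> str:
    """Return a cell that is displayed literally.

    Real numbers (int/float) are emitted as-is so that negative values keep their
    numeric meaning; only strings get the leading single quote."""
    if isinstance(value, bool):
        return str(value)
    if isinstance(value, (int, float)):
        return str(value)
    s = str(value)
    if is_formula_cell(s):
        return "'" + s
    return s


def safe_csv(rows) -> str:
    """Serialize rows with every cell neutralized and every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed asset export: the second row carries an attacker-supplied description
SAMPLE_ROWS = [
    ["asset", "description", "delta"],
    ["Pump 7", '=HYPERLINK("http://attacker.example/","click")', -3],
    ["Valve 2", "@SUM(A1:A9)", 12],
    ["Fan 1", "routine check", "-5"],
]

if __name__ == "__main__":
    print(safe_csv(SAMPLE_ROWS))
```

Note that the string "-5" in the last row is quoted (it came in as text), while the int -3 is not; if an export must keep text like "-5" numeric, convert it before it reaches the writer rather than relaxing the check.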
IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4303)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-cross-site-scripting-cve-2019-4303/
IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms April 2019 CPU (CVE-2019-2684)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-java-sdk-affects-ibm-tivoli-system-automation-for-multiplatforms-april-2019-cpu-cve-2019-2684/
IBM Security Bulletin: IBM i is affected by networking BIND vulnerability CVE-2018-5743
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-networking-bind-vulnerability-cve-2018-5743/
IBM Security Bulletin: An Arbitrary Download Vulnerability Affects IBM Campaign (CVE-2019-4384)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-an-arbitrary-download-vulnerability-affects-ibm-campaign-cve-2019-4384/
IBM Security Bulletin: Information Disclosure Vulnerability Affects IBM Marketing Platform (CVE-2017-1107)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosure-vulnerability-affects-ibm-marketing-platform-cve-2017-1107/