End-of-Day report
Timeframe:   Tuesday 09-07-2019 18:00 - Wednesday 10-07-2019 18:00
Handler:     Robert Waldner
Co-Handler:  n/a
News
eCh0raix - New Ransomware Targets QNAP NAS Devices
A new ransomware family has been found targeting Network Attached Storage (NAS) devices made by Taiwan-based QNAP Systems and holding users' data hostage until a ransom is paid, researchers told The Hacker News. Ideal for home and small business, NAS devices are dedicated file storage units connected to a network or through the Internet ...
https://thehackernews.com/2019/07/ransomware-nas-devices.html
New FinSpy iOS and Android implants revealed ITW
FinSpy is used to collect a variety of private user information on various platforms. Since 2011 Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019.
https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/
ENISA puts out EU ICT Industrial Policy paper for consultation
The EU Agency for Cybersecurity, ENISA, launches its consultation paper "EU ICT Industrial Policy: Breaking the Cycle of Failure", a paper that aims to explore issues such as digital sovereignty and the supply chain of cybersecurity products in Europe, as well as to present an overview of the relationship between the global ICT market and the cybersecurity market.
https://www.enisa.europa.eu/news/enisa-news/enisa-puts-out-eu-ict-industrial-policy-paper-for-consultation
Error in DNSSEC implementation on F5 BIG-IP load balancers
The vendor (F5) was informed about the error in August 2018 and now it has released the recommended configuration to workaround the problem. As the operators of DNS resolvers are already encountering the bug in normal operation, we are publishing a detailed description of the error to inform the professional public and raise awareness of the problem.
https://en.blog.nic.cz/2019/07/10/error-in-dnssec-implementation-on-f5-big-ip-load-balancers/
Encrypting with PGP: The new GnuPG and the slow death of the Web of Trust
The new version of GnuPG is meant to limit the impact of signature spam. It therefore now ignores all signatures on imported keys.
https://heise.de/-4467052
Vulnerable Logitech keyboards: Answers to the most pressing questions
What do users of Logitech wireless keyboards and mice need to watch out for now? How dangerous are the flaws? Our FAQ answers the most common questions.
https://heise.de/-4466921
Discovering and fingerprinting BACnet devices
BACnet is a communication protocol deployed for building automation and control networks. The most widely accepted networks include Internet Protocol (BACnet/IP) and the Master-Slave Token-Passing network (BACnet MS/TP). Generally, routers are required to interconnect BACnet networks while gateways are preferred for connecting non-compliant devices to a primary BACnet network. It is anticipated that 64% of the building automation industry uses BACnet for effective operations.
https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/
Windows zero-day CVE-2019-1132 exploited in targeted attacks
The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch.
https://www.welivesecurity.com/2019/07/10/windows-zero-day-cve-2019-1132-exploit/
Bank Austria phishing message with PDF attachment in circulation
Beware of a fraudulent e-mail in the name of Bank Austria. Criminals are sending a message with a .pdf attachment that asks recipients to enter their online banking credentials, claiming that database problems have occurred. Victims are then supposed to receive an SMS code. Caution! This is presumably an SMS TAN for a fraudulent debit.
https://www.watchlist-internet.at/news/bank-austria-phishing-nachricht-mit-pdf-anhang-in-umlauf/
Using Wireshark: Exporting Objects from a PCAP
When reviewing packet captures (pcaps) of suspicious activity, security professionals may need to export objects from the pcaps for a closer examination. This tutorial offers tips on how to export different types of objects from a pcap. The instructions assume you understand network traffic fundamentals. We will use these pcaps of network traffic to practice extracting objects using Wireshark.
https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/
New Android malware replaces legitimate apps with ad-infested doppelgangers
New "Agent Smith" malware operation is preparing to invade the Google Play Store.
https://www.zdnet.com/article/new-android-malware-replaces-legitimate-apps-with-ad-infested-doppelgangers/#ftag=RSSbaffb68
Vulnerabilities
Medicine: Security vulnerabilities in ventilators
Commands can be sent over the hospital network to anaesthesia and ventilation devices made by GE. A security vulnerability allows, among other things, the dosage and type of anaesthetic to be changed.
https://www.golem.de/news/medizin-sicherheitsluecken-in-beatmungsgeraeten-1907-142459-rss.html
[20190701] - Core - Filter attribute in subform fields allows remote code execution
Project: Joomla! SubProject: CMS
Impact: Moderate
Severity: Low
Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.
https://developer.joomla.org/security-centre/787-20190701-core-filter-attribute-in-subform-fields-allows-remote-code-execution.html
VMWare Security Advisory on DoS Vulnerability in ESXi, (Tue, Jul 9th)
VMWare has released patches for ESXi that address a denial of service vulnerability in hostd. ESXi 6.0 is unaffected, 6.5 has a patch, and 6.7 has a patch pending. This addresses a vulnerability described in CVE-2019-5528 and is rated important (CVSSv3 = 5.3). A workaround has also been published. If you run ESXi, you should take a look at this as well today.
https://isc.sans.edu/diary/rss/25112
Vuln: Intel Processor Diagnostic Tool CVE-2019-11133 Local Privilege Escalation Vulnerability
A local attacker can exploit this issue to gain elevated privileges, obtain sensitive information or cause denial-of-service conditions.
http://www.securityfocus.com/bid/109096
Vuln: Symantec Messaging Gateway CVE-2019-12751 Privilege Escalation Vulnerability
An attacker can exploit this issue to gain elevated privileges on an affected system. Symantec Messaging Gateway versions prior to 10.7.1 are vulnerable.
http://www.securityfocus.com/bid/108925
Patch day: Attackers are targeting Windows and Windows Server
Microsoft closes almost 80 security vulnerabilities in Windows & Co. Several of these flaws are rated critical.
https://heise.de/-4466722
Security Advisory - Three Vulnerabilities in Huawei PCManager Product
There are two information leak vulnerabilities in Huawei PCManager product. Successful exploitation may cause the attacker to read/write some information. The two vulnerabilities have been assigned two Common Vulnerabilities and Exposures (CVE) IDs: CVE-2019-5237 and CVE-2019-5238.
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190710-01-pcmanager-en
Security updates for Wednesday
Security updates have been issued by Debian (redis), Fedora (expat), Mageia (dosbox, irssi, microcode, and postgresql11), Red Hat (bind, dbus, openstack-ironic-inspector, openstack-tripleo-common, python-novajoin, and qemu-kvm-rhev), Scientific Linux (kernel), SUSE (kernel-firmware, libdlm, libqb, and libqb), and Ubuntu (apport).
https://lwn.net/Articles/793360/
ImageMagick: Vulnerability allows denial of service
A remote, anonymous attacker can exploit a vulnerability in ImageMagick to carry out a denial of service attack.
http://www.cert-bund.de/advisoryshort/CB-K19-0589
Emerson DeltaV Distributed Control System
https://www.us-cert.gov/ics/advisories/icsa-19-190-01
Rockwell Automation PanelView 5510
https://www.us-cert.gov/ics/advisories/icsa-19-190-02
Schneider Electric Zelio Soft 2
https://www.us-cert.gov/ics/advisories/icsa-19-190-03
IBM Security Bulletin: IBM has released Unified Extensible Firmware Interface (UEFI) fixes in response to Intel Microarchitectural Data Sampling (MDS) Side Channel vulnerabilities.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-released-unified-extensible-firmware-interface-uefi-fixes-in-response-to-intel-microarchitectural-data-sampling-mds-side-channel-vulnerabilities/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Transformation Advisor
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cloud-transformation-advisor-3/
IBM Security Bulletin: The IBM Runtime Environment Java Version 8 used by Transparent Cloud Tiering has a vulnerability which was disclosed as part of the IBM Java SDK updates in April 2019
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-the-ibm-runtime-environment-java-version-8-used-by-transparent-cloud-tiering-has-a-vulnerability-which-disclosed-as-part-of-the-ibm-java-sdk-updates-in-april-2019/
IBM Security Bulletin: IBM® Java SDK Technology Edition, Apr 2019, affects IBM Security Identity Manager Virtual Appliance
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-java-sdk-technology-edition-apr-2019-affects-ibm-security-identity-manager-virtual-appliance/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2019-2684)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-decision-optimization-center-cve-2019-2684/
IBM Security Bulletin: Vulnerabilities CVE-2019-0196, CVE-2019-0197, and CVE-2019-0220 in the IBM i HTTP Server affect IBM i.
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-cve-2019-0196-cve-2019-0197-and-cve-2019-0220-in-the-ibm-i-http-server-affect-ibm-i/
IBM Security Bulletin: Security vulnerability in IBM WebSphere Application Server affects IBM Voice Gateway
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerability-in-ibm-websphere-application-server-affects-ibm-voice-gateway/
IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-announced-a-release-for-ibm-security-identity-governance-and-intelligence-in-response-to-security-vulnerability-2/
IBM Security Bulletin: A vulnerability in Apache Tomcat affects the IBM FlashSystem 840 and 900
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-apache-tomcat-affects-the-ibm-flashsystem-840-and-900/
IBM Security Bulletin: A vulnerability in Apache Tomcat affects the IBM FlashSystem V840 and V9000
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-apache-tomcat-affects-the-ibm-flashsystem-v840-and-v9000/
IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private - IAM WebSphere Liberty (CVE-2018-1683, CVE-2018-1755)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerability-affects-ibm-cloud-private-iam-websphere-liberty-cve-2018-1683-cve-2018-1755/
IBM Security Bulletin: Mozilla Firefox vulnerability in IBM SONAS (CVE-2019-11708)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-mozilla-firefox-vulnerability-in-ibm-sonas-cve-2019-11708/
IBM Security Bulletin: Mozilla Firefox vulnerability in IBM SONAS (CVE-2019-11707)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-mozilla-firefox-vulnerability-in-ibm-sonas-cve-2019-11707/
IBM Security Bulletin: Vulnerabilities in Intel CPUs affect IBM Integrated Analytics System
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-intel-cpus-affect-ibm-integrated-analytics-system/