End-of-Day report
Timeframe: Wednesday 18-09-2019 18:00 - Thursday 19-09-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Fake Human Verification Spam
We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019. One of these newly targeted plugins was Advanced Booking Calendar - and it didn't take long before we were receiving clean up requests for websites that had already been exploited through this plugin.
https://blog.sucuri.net/2019/09/fake-human-verification-spam.html
Agent Tesla Trojan Abusing Corporate Email Accounts
The trojan Agent Tesla is not brand new; discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1].
https://isc.sans.edu/forums/diary/Agent+Tesla+Trojan+Abusing+Corporate+Email+Accounts/25336/
Shhmon - Silencing Sysmon via Driver Unload
https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
Vulnerabilities
Critical vulnerability allows root access on D-Link NAS DNS-320
An update closes a vulnerability with the highest severity rating in D-Link's DNS-320 network storage device.
https://heise.de/-4533707
Security updates for Thursday
Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, [...]
https://lwn.net/Articles/799971/
Critical Vulnerability in Harbor Enables Privilege Escalation from Zero to Admin (CVE-2019-16097)
Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The maintainers of Harbor released a patch that closes this critical security hole.
https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/
TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067
https://www.drupal.org/sa-contrib-2019-067
Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066
https://www.drupal.org/sa-contrib-2019-066
Kubernetes: Vulnerability allows manipulation of files
http://www.cert-bund.de/advisoryshort/CB-K19-0826
Cisco HyperFlex Software Counter Value Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-valinj
Cisco HyperFlex Software Cross-Frame Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190918-hyperflex-xfs
Security Advisory - Improper Authentication Vulnerability in Some Huawei CloudEngine Products
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190918-01-authentication-en
IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-websphere-application-server/
IBM Security Bulletin: IBM Security QRadar Packet Capture is vulnerable to Denial of Service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-3896)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-qradar-packet-capture-is-vulnerable-to-denial-of-service-cve-2019-11477-cve-2019-11478-cve-2019-11479-cve-2019-3896/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-for-multiplatforms-july-2019-cpu-cve-2019-2816-cve-2019-11771-cve-2019-4473/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-application-manager-july-2019-cpu-cve-2019-2816-cve-2019-11771-cve-2019-4473/
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct File Agent
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-sterling-connectdirect-file-agent-3/
IBM Security Bulletin: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system and Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs CVE-2019-4473 and CVE-2019-11771
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-eclipse-openj9-could-allow-a-local-attacker-to-gain-elevated-privileges-on-the-system-and-multiple-binaries-in-ibm-sdk-java-technology-edition-on-the-aix-platform-use-insecure/
IBM Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVEs (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-as-used-in-ibm-qradar-packet-capture-is-vulnerable-to-the-following-cves-cve-2019-1559-cve-2019-5737-cve-2019-5739/
IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737)
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects-watson-explorer-foundational-components-cve-2018-0732-cve-2018-0734-cve-2018-0737-2/