End-of-Day report
Timeframe: Thursday 09-04-2020 18:00 - Friday 10-04-2020 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
DNS: Hacked routers display coronavirus warning with malware
Hacked routers redirect well-known domains to a fake WHO warning and try to foist malware on their victims.
https://www.golem.de/news/dns-gehackte-router-zeigen-coronavirus-warnung-mit-schadsoftware-2003-147511-rss.html
Performing deception to OS Fingerprint (Part 1: nmap), (Sat, Mar 28th)
How can you know which operating system is running on a specific remote host? The technique to answer this question is operating system fingerprinting: it is performed by sending a specific set of packets to the remote host and observing how it responds. Each operating system responds differently, which allows it to be identified.
https://isc.sans.edu/diary/rss/25960
PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th)
Another diary, another technique to fetch a malicious payload and execute it on the victim host. I spotted this piece of PowerShell code this morning while reviewing my hunting results. It implements a very interesting technique. As usual, all the code snippets below have been beautified.
https://isc.sans.edu/diary/rss/26004
Analysis of a WordPress Credit Card Swiper
While working on a recent case, I found something on a WordPress website that is not as common as on Magento environments: a credit card swiper injection. Typically this type of malware targets dedicated ecommerce platforms such as Magento and Prestashop (due to their focus on handling payment information, which we have documented extensively in the past). With WooCommerce recently overtaking all other ecommerce platforms in popularity, it was only a matter of time before we started seeing [...]
https://blog.sucuri.net/2020/04/analysis-of-a-wordpress-credit-card-swiper.html
Sophos Releases Sandboxie in Open Source
Sophos this week announced that the source code of isolation tool Sandboxie is now publicly available.
https://www.securityweek.com/sophos-releases-sandboxie-open-source
Fake e-mails from Sebastian Kurz in circulation
Many people currently need financial support because of closed businesses or a lack of orders. Criminals are exploiting this exceptional situation and sending e-mails in the name of Sebastian Kurz, offering quick emergency aid. The link in these e-mails, however, leads to a dubious trading platform that promises Internet users quick money through investing in Bitcoin.
https://www.watchlist-internet.at/news/gefaelschte-mails-von-sebastian-kurz-im-umlauf/
CVE-2020-0688: Vulnerable Microsoft Exchange servers in Austria
With CVE-2020-0688, a vulnerability in Microsoft Exchange servers was patched in February that allows attackers to execute arbitrary code over the network, and to do so as NT Authority\SYSTEM, the Windows equivalent of root. A successful attack does require valid credentials for a mail account, but since CVE-2020-0688 also involves a privilege escalation, these credentials can be unprivileged.
https://cert.at/de/blog/2020/4/cve-2020-0688-verwundbare-microsoft-exchange-server-in-osterreich
Vulnerabilities
Rockwell Automation RSLinx Classic
This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in the Rockwell Automation RSLinx Classic PLC communications software.
https://www.us-cert.gov/ics/advisories/icsa-20-100-01
VMSA-2020-0006
VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)
https://www.vmware.com/security/advisories/VMSA-2020-0006.html
Security updates for Friday
Security updates have been issued by Arch Linux (chromium, firefox, haproxy, libssh, and wireshark-cli), Fedora (firefox, glibc, nss, and rubygem-puma), openSUSE (ceph, exim, firefox, and gnuhealth), Oracle (firefox, kernel, and qemu-kvm), and SUSE (djvulibre and firefox).
https://lwn.net/Articles/817233/
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-affects-ibm-integration-bus-ibm-app-connect-enterprise-v11/
Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4362)
https://www.ibm.com/blogs/psirt/security-bulletin-privilege-escalation-vulnerability-in-websphere-application-server-cve-2020-4362/
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise v11.
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterpise-v11-3/
Security Bulletin: Possible remote code execution vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data
https://www.ibm.com/blogs/psirt/security-bulletin-possible-remote-code-execution-vulnerability-in-watson-knowledge-catalog-for-ibm-cloud-pak-for-data/
Security Bulletin: Windows DLL injection vulnerability with IBM Java Affects SPSS Modeler
https://www.ibm.com/blogs/psirt/security-bulletin-windows-dll-injection-vulnerability-with-ibm-java-affects-spss-modeler/