SysAdmin 24x7
Computer security news and alerts.
Chat and contact:
t.me/sysadmin24x7chat
Chinese Hackers Use New Malware to Backdoor #Microsoft #SQL Servers


New malware created by Chinese-backed Winnti Group has been discovered by researchers at ESET while being used to gain persistence on Microsoft SQL Server (MSSQL) systems.

The new malicious tool dubbed skip-2.0 can be used by the attackers to backdoor MSSQL Server 11 and 12 servers, enabling them to connect to any account on the server using a so-called "magic password" and hide their activity from the security logs.

https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-malware-to-backdoor-microsoft-sql-servers/
Vulnerability in IBM Security Access Manager

Publication date: 25/10/2019
Severity: 4 - High

Affected resources: 
All versions of IBM Security Access Manager.

Description: 
Lczap, a security researcher, has reported a high-severity vulnerability to IBM. An unauthenticated attacker could cause a denial-of-service condition.

Solution: 
No update that fixes the vulnerability is available at this time. IBM has published guidance for mitigating this type of attack.

Details: 
IBM Security Access Manager is vulnerable to Slow HTTP attacks. An unauthenticated attacker could cause a denial-of-service condition on the system. The identifier CVE-2019-4036 has been reserved for this vulnerability.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/vulnerabilidad-security-access-manager-ibm
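A Slow HTTP attack holds connections open by trickling request headers a few bytes at a time, just fast enough to stay under the server's idle timeout, until the worker pool is exhausted. As an added example (not IBM's mitigation guidance and not code from the advisory), this Python snippet shows the general countermeasure: read the request head under a hard deadline and a minimum data rate, so a client that trickles headers is dropped early. The socket is replaced by an injectable recv/clock pair so the logic can be exercised offline; the client traffic is constructed for the demonstration.

```python
import time


class SlowClientError(Exception):
    """Raised when a client fails to deliver its request head fast enough."""


def read_request_head(recv, *, header_timeout=10.0, min_bytes_per_sec=32.0,
                      max_head_bytes=8192, clock=time.monotonic):
    """Read an HTTP request head (up to the blank line) from recv(n) -> bytes.

    Defences against slow-header clients:
      * header_timeout: hard deadline for the whole head, regardless of progress;
      * min_bytes_per_sec: average rate required once the first second has passed,
        so a client sending a few bytes every several seconds is cut off long
        before the hard deadline;
      * max_head_bytes: caps memory held per connection.
    `recv` and `clock` are injectable so the logic can be tested without sockets;
    on a real socket pass sock.recv and also set sock.settimeout() so a single
    recv() call cannot block forever.
    """
    buf = bytearray()
    started = clock()
    while b"\r\n\r\n" not in buf:
        chunk = recv(1024)
        if not chunk:
            raise ConnectionError("client closed before finishing headers")
        buf += chunk
        elapsed = clock() - started
        if len(buf) > max_head_bytes:
            raise SlowClientError("request head too large")
        if elapsed > header_timeout:
            raise SlowClientError(f"no complete head after {elapsed:.1f}s")
        if elapsed > 1.0 and len(buf) / elapsed < min_bytes_per_sec:
            raise SlowClientError(f"header rate {len(buf) / elapsed:.1f} B/s too low")
    return bytes(buf)


def simulate_client(chunks, seconds_per_chunk, **limits):
    """Feed `chunks` through read_request_head with a fake clock that advances
    `seconds_per_chunk` per recv call. Returns 'accepted' or 'rejected: <why>'."""
    now = [0.0]
    pending = list(chunks)

    def clock():
        return now[0]

    def recv(_n):
        if not pending:
            return b""          # client went away
        now[0] += seconds_per_chunk
        return pending.pop(0)

    try:
        read_request_head(recv, clock=clock, **limits)
        return "accepted"
    except (SlowClientError, ConnectionError) as e:
        return f"rejected: {e}"


# Constructed traffic (not real captures): a normal client vs a slowloris-style trickle.
NORMAL = [b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n"]
TRICKLE = [b"GET / HTTP/1.1\r\n"] + [b"X-a: b\r\n" for _ in range(200)] + [b"\r\n"]

if __name__ == "__main__":
    print("normal :", simulate_client(NORMAL, 0.05))
    print("trickle:", simulate_client(TRICKLE, 5.0))
```

The rate check is what makes the difference in practice: a pure idle timeout is what slow-header attacks are designed to stay under, while a minimum average rate rejects a trickling client after roughly a second instead of after the full deadline.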
Securing #Docker Containers

I made a guide on how to secure docker. I’ve split it up into 3 categories. Feedback is appreciated as this is more a compilation of other resources than anything else and I did not verify everything.

https://0x00sec.org/t/securing-docker-containers/16913
Nasty #PHP7 remote code execution bug exploited in the wild

New PHP7 bug CVE-2019-11043 can allow even non-technical attackers to take over servers.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL.

https://www.zdnet.com/article/nasty-php7-remote-code-execution-bug-exploited-in-the-wild/
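As an added example (not from the ZDNet article or the channel post), here is a small log triage script for this bug. The publicly documented trigger for CVE-2019-11043 is a request whose path has extra path info after the .php script name containing an encoded newline (%0a), on nginx setups that hand requests to PHP-FPM through a `fastcgi_split_path_info ^(.+?\.php)(/.*)$;` location without a `try_files` existence check. The script scans nginx "combined"-format access-log lines for that pattern so probes can be flagged; the log lines are constructed for the demonstration, not real traffic.

```python
import re
from urllib.parse import unquote

# nginx "combined" log format: client, ident, user, timestamp, request line, status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_cve_2019_11043_probe(target: str) -> bool:
    """True when the request target looks like a PHP-FPM PATH_INFO newline probe.

    The known trigger: a URL whose path has '.php' followed by extra path info
    that contains a newline, URL-encoded as %0a/%0A (a %0d is treated the same
    way here, since it is just as out of place). After decoding, the newline
    breaks nginx's fastcgi_split_path_info regex and lets PHP-FPM compute a bad
    path_info length. The query string is ignored: the bug is in the path.
    """
    path = target.split("?", 1)[0]
    if ".php" not in path.lower():
        return False
    decoded = unquote(path)
    # Only extra path info *after* the script name matters for the bug.
    after_script = decoded.lower().split(".php", 1)[1]
    return "\n" in after_script or "\r" in after_script


def scan_access_log(lines):
    """Return (client ip, decoded request path) for every line matching the probe pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign log format; skip rather than guess
        if is_cve_2019_11043_probe(m["target"]):
            hits.append((m["ip"], unquote(m["target"].split("?", 1)[0])))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Oct/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.64"',
    '203.0.113.7 - - [29/Oct/2019:10:01:03 +0000] "GET /index.php/%0Aprobe HTTP/1.1" 502 0 "-" "python-requests/2.22"',
    '198.51.100.9 - - [29/Oct/2019:10:02:00 +0000] "GET /static/app.js?v=%0a HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Oct/2019:10:02:05 +0000] "POST /upload.php/%0d%0a HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"possible CVE-2019-11043 probe from {ip}: {path!r}")
```

A hit only means someone tried the pattern; whether it worked depends on the PHP-FPM version and the exact nginx location block. The fix is updating PHP-FPM; the commonly recommended configuration hardening while that happens is a `try_files $fastcgi_script_name =404;` line in the PHP location so requests for non-existent scripts never reach PHP-FPM.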
Multiple vulnerabilities in MikroTik RouterOS

Publication date: 29/10/2019
Severity: 4 - High

Affected resources: 
RouterOS Stable, versions 6.45.6 and earlier,
RouterOS Long-term, versions 6.44.5 and earlier.

Description: 
Jacob Baines, a security researcher at Tenable, has discovered four high-severity vulnerabilities. An unauthenticated remote attacker could access or modify the device, or obtain root privileges on it.

Solution: 
MikroTik has released updates that fix the vulnerabilities:
RouterOS Stable, update to version 6.45.7,
RouterOS Long-term, update to version 6.44.6.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-routeros-mikrotik
Denial of service in RDesktop

Publication date: 31/10/2019
Severity: 4 - High

Affected resources: 
RDesktop, versions prior to 1.8.4.

Description: 
Security researcher Pavel Cheremushkin, of Kaspersky ICS CERT, has found a vulnerability in RDesktop that could allow a remote attacker to cause a denial-of-service condition.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/denegacion-servicio-rdesktop
#Chrome Zero-Day Bug with Exploit in the Wild Gets A Patch

Google on Thursday night started to roll out an update for Chrome that patches two use-after-free vulnerabilities, one of them having at least one exploit in the wild.

Both security issues are serious as they could be leveraged to take control of a vulnerable system, reads an alert from the Cybersecurity and Infrastructure Security Agency (CISA).

https://www.bleepingcomputer.com/news/security/chrome-zero-day-bug-with-exploit-in-the-wild-gets-a-patch/
Google Releases Security Updates for Chrome

Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary updates.

https://www.us-cert.gov/ncas/current-activity/2019/10/31/google-releases-security-updates-chrome
Watch Out IT Admins! Two Unpatched Critical #RCE Flaws Disclosed in #rConfig

If you're using the popular rConfig network configuration management utility to protect and manage your network devices, here we have an important and urgent warning for you.

A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow unauthenticated remote attackers to compromise targeted servers, and connected network devices.

https://thehackernews.com/2019/11/rConfig-network-vulnerability.html
ICS Advisory (ICSA-19-304-03)

#Honeywell equIP and Performance Series IP Cameras

CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Honeywell 
Equipment: equIP series and Performance series IP cameras
Vulnerability: Missing Authentication for Critical Function 

https://www.us-cert.gov/ics/advisories/icsa-19-304-03
ICS Advisory (ICSA-19-304-04)

#Honeywell equIP and Performance Series IP Cameras and Recorders

CVSS v3 7.5
ATTENTION: Exploitable remotely
Vendor: Honeywell
Equipment: equIP series and Performance series IP cameras and recorders
Vulnerability: Authentication Bypass by Capture-Replay 

https://www.us-cert.gov/ics/advisories/icsa-19-304-04
#BlueKeep Attacks Have Arrived, Are Initially Underwhelming

The first attacks exploiting the #Windows RDP vulnerability, patched since May, install cryptominers and scan for targets rather than spreading as a worm with WannaCry potential.

The wave of BlueKeep attacks that security experts predicted could take down systems globally has arrived, but it has not taken the form, nor had the destructive impact, that experts initially feared.

https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/
#BlueKeep attacks go live, but it isn’t as dangerous as feared

Hackers have already started using the BlueKeep exploit to break into Windows systems, but according to security researchers, the exploit is not as dangerous as everybody feared.

For those unaware, BlueKeep affects the Remote Desktop Protocol (RDP) service, which is widely used for remote administration. It was first disclosed on May 14, and security experts at various firms labeled it "wormable", meaning that code exploiting this vulnerability can be self-propagating and can therefore spread very quickly, just as WannaCry did.

https://mspoweruser.com/bluekeep-attacks-go-live-but-it-isnt-as-dangerous-as-feared/amp/
Multiple vulnerabilities in Xen

Publication date: 04/11/2019
Severity: 4 - High

Affected resources: 
Xen, versions 4.6 and later;
Xen, 32-bit builds, from version 3.2;
Xen, all x86 systems with untrusted PV guests;
Xen systems in which guests have direct access to physical devices;
Xen, all ARM systems;
Citrix Hypervisor, version 8.0 and earlier.

Description: 
Several vulnerabilities have been published in Xen that could allow denial of service, privilege escalation or data corruption.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-xen-1