2019年5月28日 星期二

TrendLabs: Trickbot Watch: Arrival via Redirection URL in Spam

Figure 3. Malicious site purported to be an order review
Figure 3. Malicious site purported to be an order review
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-watch-arrival-via-redirection-url-in-spam/

2019年5月27日 星期一

ADMIN: Stack Overflow Compromised

The company also admitted that the intruders may have managed to access information on users. “While our overall user database was not compromised, we have identified privileged web requests that the attacker made that could have returned IP address, names, or emails for a very small number of Stack Exchange users. Our team is currently reviewing these logs and will be providing appropriate notifications to any users who are impacted,” said Mary Ferguson, VP of Engineering at Stack Overflow.

REF: http://www.admin-magazine.com/News/Stack-Overflow-Compromised

2019年5月26日 星期日

TrendLabs: Dharma Ransomware Uses AV Tool to Distract from Malicious Activities



Figure 4. Software installation distracts from the ransomware’s activities
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/

2019年5月25日 星期六

[USN-3973-1] DHCP vulnerability

---------- Forwarded message ---------
From:  Marc Deslauriers
Date: May 13, 2019 11:21PM

It was discovered that DHCP, when built with a mismatched external BIND
library, incorrectly handled certain memory operations. A remote attacker
could possibly use this issue to cause DHCP to crash, resulting in a
denial of service.

References:
  https://usn.ubuntu.com/usn/usn-3973-1
  CVE-2019-6470

Trello: How To Hack The Anxiety Roadblock And Get More Done

Woman working on herself to help manage anxiety at work
It’s 3 pm on a Friday and you’re pushing towards a 5:00 pm deadline. Your palms are sweating, your heart is going a mile a minute, and you can’t seem to catch your breath.
REF: https://blog.trello.com/hack-anxiety-at-work

TrendLabs: CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit



Figure 1. Infection chain
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/

[USN-3975-1] OpenJDK vulnerabilities

---------- Forwarded message ---------
From: Steve Beattie
Date: May 14, 2019 3:57AM

It was discovered that the BigDecimal implementation in OpenJDK performed
excessive computation when given certain values. An attacker could use this
to cause a denial of service (excessive CPU usage). (CVE-2019-2602)

Corwin de Boor and Robert Xiao discovered that the RMI registry
implementation in OpenJDK did not properly select the correct skeleton
class in some situations. An attacker could use this to possibly escape
Java sandbox restrictions. (CVE-2019-2684)

Mateusz Jurczyk discovered a vulnerability in the 2D component of
OpenJDK. An attacker could use this to possibly escape Java sandbox
restrictions. This issue only affected OpenJDK 8 in Ubuntu 16.04
LTS. (CVE-2019-2697)

Mateusz Jurczyk discovered a vulnerability in the font layout engine
of OpenJDK's 2D component. An attacker could use this to possibly
escape Java sandbox restrictions. This issue only affected OpenJDK 8
in Ubuntu 16.04 LTS. (CVE-2019-2698)

References:
  https://usn.ubuntu.com/usn/usn-3975-1
  CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698

Trello: Here's Proof That Office Layout Doesn't Affect Productivity

Office layout productivity tips
There has long been a heated debate as to which type of workplace layout is the best for productivity: Cubicles? Open office? Anywhere in the world?
REF: https://blog.trello.com/office-layout-productivity

TrendLabs: Emotet Adds New Evasion Technique and Uses Connected Devices as Proxy C&C Servers

Figure. 6
Figure 6. Login page of a compromised DVR
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/

[USN-3976-1] Samba vulnerability

---------- Forwarded message ---------
From: Marc Deslauriers
Date: May 14, 2019 9:12PM

Isaac Boukris and Andrew Bartlett discovered that Samba incorrectly checked
S4U2Self packets. In certain environments, a remote attacker could possibly
use this issue to escalate privileges.

References:
  https://usn.ubuntu.com/usn/usn-3976-1
  CVE-2018-16860

Trello: How to Stay Productive With An Irregular (Even Unpredictable) Schedule

2017-06-12_5-Mistakes-Project-Management_06_r01
There’s a lot of content out there about productivity.
You can find tips like turning off alerts, tackling tasks in batches, and writing out a physical to-do list everywhere. The vast majority of that advice arises with the traditional workday in mind—it’s designed for knowledge workers who sit at a desk from 9 AM to 5 PM every Monday through Friday.
REF: https://blog.trello.com/manage-productivity-unpredictable-schedule

TrendLabs: AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining

Figure 4. Code snippet showing the AESDDoS variant stealing an affected system’s CPU information
Figure 4. Code snippet showing the AESDDoS variant stealing an affected system’s CPU information
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/

[USN-3978-1] QEMU update

---------- Forwarded message ---------
From: Steve Beattie
Date: May 15, 2019 2:43AM

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan
Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa
Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos,
Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss
discovered that memory previously stored in microarchitectural fill buffers
of an Intel CPU core may be exposed to a malicious process that is
executing on the same CPU core. A local attacker could use this to expose
sensitive information. (CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan
van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh
Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory
previously stored in microarchitectural load ports of an Intel CPU core may
be exposed to a malicious process that is executing on the same CPU core. A
local attacker could use this to expose sensitive information.
(CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel
Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel
Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory
previously stored in microarchitectural store buffers of an Intel CPU core
may be exposed to a malicious process that is executing on the same CPU
core. A local attacker could use this to expose sensitive information.
(CVE-2018-12126)

Kurtis Miller discovered that a buffer overflow existed in QEMU when
loading a device tree blob. A local attacker could use this to execute
arbitrary code. (CVE-2018-20815)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur,
Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa
Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and
Cristiano Giuffrida discovered that uncacheable memory previously stored in
microarchitectural buffers of an Intel CPU core may be exposed to a
malicious process that is executing on the same CPU core. A local attacker
could use this to expose sensitive information. (CVE-2019-11091)

It was discovered that a NULL pointer dereference existed in the sun4u
power device implementation in QEMU. A local attacker could use this
to cause a denial of service. This issue only affected Ubuntu 18.10
and Ubuntu 19.04. (CVE-2019-5008)

William Bowling discovered that an information leak existed in the SLiRP
networking implementation of QEMU. An attacker could use this to expose
sensitive information. (CVE-2019-9824)

References:
  https://usn.ubuntu.com/usn/usn-3978-1
  CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2018-20815,
  CVE-2019-11091, CVE-2019-5008, CVE-2019-9824,
  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

Plex: With great power comes great responsibility

With great power comes great responsibility
Ever get home and your server’s fan sounds like a Harrier jet takeoff in a Category 4 hurricane? Are some of your viewers watching “Spider-Man” a few times too many? Well, we wanted to give you some further insight and figured out a way to give your admin console some delightful new powers (without the pain of a radioactive spider bite):
  • Check out RAM and CPU graphs—dynamic graphs that show how your server is being used... like a task manager for your server
  • See the history of what’s been playing from your server, whether it’s your movies or your friends who have watched them
  • Check out the history of any item in your library—see how many times and on which devices it has been played
Simply open your dashboard in the web app to access these. 

TrendLabs: Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers


Figure 1. The frozen fake Microsoft support page used in the campaign
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/

[LSN-0051-1] Linux kernel vulnerability

---------- Forwarded message ---------
From:
Date: May 15, 2019 2:43AM

On May 14, fixes for CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
and CVE-2019-11091 were released into the Ubuntu Xenial and Bionic
kernels. These CVEs are security vulnerabilities caused by flaws in the
design of speculative execution hardware in the computer's CPU.
Researchers discovered that memory contents previously stored in
microarchitectural buffers of an Intel CPU core may be visible to other
processes running on the same core.

Details on the vulnerability and our response can be found here:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

Due to the high complexity of the fixes and the need for a corresponding
CPU microcode update for a complete fix, we are unable to livepatch these
CVEs. Please plan to reboot into an updated kernel as soon as possible.

References:
  CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091

Trello: What's Executive Presence? The Art And Science Of Getting Ahead At Work

2017-06-20_Why-Rejection-Is-Good-For-You_03_r01
Does this story sound familiar?
Rena has had a great pedigree and a successful career, first as an engineer, then as a product manager and later, a director at a fashionable tech company. She was gunning for a Vice President role but was told by her boss that she was missing executive presence and the promotion was then given to her male peer. A month later, Rena was hired by a competitor for the same type of role she was passed on. She was happy about the new gig but was also feeling very confused by the mixed messaging:
“[Executive presence] seems so nebulous, everyone seems to want it in their execs but no one can quite define what it is! I am trying to figure out whether I have it, and if not, what I can do to develop ‘it.’ But first, I need to wrap my head around what ‘it’ is.”
REF: https://blog.trello.com/executive-presence-leadership-at-work

TrendLabs: Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat

Figure 1. Command line string for Windows
Figure 1. Command line string for Windows
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

[USN-3977-1] Intel Microcode update

---------- Forwarded message ---------
From: Steve Beattie
Date: May 15, 2019 2:43AM

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan
Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa
Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos,
Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss
discovered that memory previously stored in microarchitectural fill buffers
of an Intel CPU core may be exposed to a malicious process that is
executing on the same CPU core. A local attacker could use this to expose
sensitive information. (CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan
van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh
Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory
previously stored in microarchitectural load ports of an Intel CPU core may
be exposed to a malicious process that is executing on the same CPU core. A
local attacker could use this to expose sensitive information.
(CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel
Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel
Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory
previously stored in microarchitectural store buffers of an Intel CPU core
may be exposed to a malicious process that is executing on the same CPU
core. A local attacker could use this to expose sensitive information.
(CVE-2018-12126)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur,
Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa
Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and
Cristiano Giuffrida discovered that uncacheable memory previously stored in
microarchitectural buffers of an Intel CPU core may be exposed to a
malicious process that is executing on the same CPU core. A local attacker
could use this to expose sensitive information. (CVE-2019-11091)

References:
  https://usn.ubuntu.com/usn/usn-3977-1
  CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091,
  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

2019年5月9日 星期四

New Spleen font for OpenBSD 6.5 console


REF: https://mobile.twitter.com/ao_kenji/status/1083956639076560896

2019年5月8日 星期三

Updated Debian 9: 9.9 released

---------- Forwarded message ---------
From: Laura Arjona Reina
Date: Apr 27, 2019 9:52PM
Subject: Updated Debian 9: 9.9 released

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.9 released                          press@debian.org
April 27th, 2019               https://www.debian.org/News/2019/20190427
------------------------------------------------------------------------

The Debian project is pleased to announce the ninth update of its stable
distribution Debian 9 (codename "stretch"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list


As a special case for this point release, those using the "apt-get" tool
to perform the upgrade will need to ensure that the "dist-upgrade"
command is used, in order to update to the latest kernel packages. Users
of other tools such as "apt" and "aptitude" should use the "upgrade"
command.

TrendLabs: Zero-day XML External Entity (XXE) Injection Vulnerability in Internet Explorer Can Let Attackers Steal Files, System Info


Figure 1. A malicious XML file that specifies the files to extract from the user’s system
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-xml-external-entity-xxe-injection-vulnerability-in-internet-explorer-can-let-attackers-steal-files-system-info/

[Openvpn-announce] New OpenVPN 2.4.7 Windows installers released

---------- Forwarded message ---------
From: Samuli Seppänen
Date: Wed, Apr 24, 2019 at 6:55 PM

New OpenVPN Windows installers have been released. The release
highlights are:

- Latest openvpn-gui
- Latest openvpnserv2 (OpenVPNService)
- Latest tap-windows6 driver
  - ARM64 support
  - NDIS 6.30 support
  - other enhancements
  - fix to local privilege exploit vulnerability
...
For further details see the download page:
https://openvpn.net/community-downloads/

Trello: Why Self-Care Is The Secret To Becoming A Productivity Powerhouse

2017-07-26_How-To-Stop-Micromanaging-Your_Remote-Team_04_r01-1
When it comes to productivity, most people think the key to getting ahead is doing more. More work, more clients, more time… just more. And when you’re stuck in this mindset of “more, more, more,” it can feel impossible to step away and find time for yourself.
REF: https://blog.trello.com/self-care-for-productivity

TrendLabs: Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection


Figure 1. Attack chain starting with the arrival of the email with the malicious attachment
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/potential-targeted-attack-uses-autohotkey-and-malicious-script-embedded-in-excel-file-to-avoid-detection/

[USN-3957-1] MySQL vulnerabilities

---------- Forwarded message ---------
From: Marc Deslauriers
Date: Apr 29, 2019 9:42PM

Multiple security issues were discovered in MySQL and this update includes
a new upstream MySQL version to fix these issues.

Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

References:
  https://usn.ubuntu.com/usn/usn-3957-1
  CVE-2019-2566, CVE-2019-2581, CVE-2019-2592, CVE-2019-2614,
  CVE-2019-2627, CVE-2019-2628, CVE-2019-2632, CVE-2019-2683

Plexcerpts – a recurring newsletter of updates to Plex.

Plexcerpts
Welcome to Plexcerpts – a recurring newsletter of updates to Plex.

Now you might ask, “Why did you name the newsletter Plexcerpts?” Like an "excerpt,” we'll highlight some smaller pieces of info from various feature or app releases we've recently made. Basically, it’s a chance to let you in on some of the cool things we’ve been cooking up that you might have otherwise missed.

TrendLabs: Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts

Figure 2. From Orca MSI Editor: CustomAction that contains JavaScript
Figure 2. From Orca MSI Editor: CustomAction that contains JavaScript
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-of-custom-actions-in-windows-installer-msi-to-run-malicious-javascript-vbscript-and-powershell-scripts/