[CERT-daily] Tageszusammenfassung - 03.08.2022

Wed Aug 3 18:15:26 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 02-08-2022 18:00 − Mittwoch 03-08-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Wolf in sheep’s clothing: how malware tricks users and antivirus ∗∗∗
---------------------------------------------
One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/


∗∗∗ Open Source: Gut getarnte Malware-Kampagne in Tausenden Github Repos ∗∗∗
---------------------------------------------
Ein Sicherheitsforscher hat eine groß angelegte Malware-Kampagne entdeckt, die versucht, sich durch einfache Pull Requests einzuschmuggeln.
---------------------------------------------
https://www.golem.de/news/open-source-gut-getarnte-malware-kampagne-in-tausenden-github-repos-2208-167352.html


∗∗∗ Creating Processes Using System Calls ∗∗∗
---------------------------------------------
When we think about EDR or AV evasion, one of the most widespread methods adopted by offensive teams is the use of system calls (syscalls) to carry out specific actions.
---------------------------------------------
https://www.coresecurity.com/core-labs/articles/creating-processes-using-system-calls


∗∗∗ EMBA v1.1.0: The security analyzer for embedded device firmware ∗∗∗
---------------------------------------------
EMBA is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the firmware extraction process, doing static analysis and dynamic analysis via emulation and finally generating a report.
---------------------------------------------
https://github.com/e-m-b-a/emba/releases


∗∗∗ PART 3: How I Met Your Beacon – Brute Ratel ∗∗∗
---------------------------------------------
In part three of this series, we will analyse Brute Ratel, a command and control framework developed by Dark Vortex.
---------------------------------------------
https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/


∗∗∗ Ransomware in Python-Paketmanager PyPI: Die Rückkehr der Skriptkiddies ∗∗∗
---------------------------------------------
Eine Reihe von Paketen hat auf Typosquatting gesetzt und Code verbreitet, der unter Windows Dateien verschlüsselt. Die Motive sind schleierhaft.
---------------------------------------------
https://heise.de/-7200335


∗∗∗ Vorsicht vor Fake-Mails der bank99 ∗∗∗
---------------------------------------------
Kriminelle geben sich als bank99 aus und wollen, dass Sie die „Okay99 App“ herunterladen. Klicken Sie nicht auf „Aktivierung starten“, da sonst Ihre Daten in die Hände der Kriminellen kommen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-mails-der-bank99/


∗∗∗ Detection Rules for Lightning Framework (and How to Make Them With Osquery) ∗∗∗
---------------------------------------------
On 21 July, 2022, we released a blog post about a new malware called Lightning Framework. Lightning is a modular malware framework targeting Linux. At the time of the publication, the Core module had one suspicious detection and the Downloader module was not detected by any scanning engines on VirusTotal.
---------------------------------------------
https://www.intezer.com/blog/threat-hunting/lightning-framework-linux-detection-rules-osquery/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Forti Security Advisories 2022-08-02 ∗∗∗
---------------------------------------------
Forti published 3 Security Advisories (1 High, 2 Medium Severity).
---------------------------------------------
https://fortiguard.fortinet.com/psirt?date=08-2022


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, postgresql, python, python-twisted-web, python-virtualenv, squid, thunderbird, and xz), Fedora (ceph, firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and kubernetes), Oracle (firefox, go-toolset and golang, libvirt libvirt-python, openssl, pcre2, qemu, and thunderbird), SUSE (connman, drbd, kernel, python-jupyterlab, samba, and seamonkey), [...]
---------------------------------------------
https://lwn.net/Articles/903676/


∗∗∗ Android Patchday August 2022 ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um seine Privilegien zu erweitern, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und beliebigen Code auszuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0887


∗∗∗ Chrome 104.0.5112.x fixt Schwachstellen ∗∗∗
---------------------------------------------
Google hat zum 2. August 2022 das Update des Google Chrome 104.0.5112.79 für Linux und MacOS sowie 104.0.5112.79/80/81 für Windows auf dem Desktop im Stable Channel freigegeben. Mit dem Sicherheitsupdate werden zahlreiche Schwachstellen geschlossen.
---------------------------------------------
https://www.borncity.com/blog/2022/08/03/chrome-104-0-5112-x-fixt-schwachstellen/


∗∗∗ Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities – IBM JDK 8.0.7.6 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-using-a-component-with-multiple-known-vulnerabilities-ibm-jdk-8-0-7-6/


∗∗∗ K14649763: Overview of F5 vulnerabilities (August 2022) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K14649763


∗∗∗ High Severity Vulnerability Patched in Download Manager Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin/


∗∗∗ Synology-SA-22:14 USB Copy ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_14


∗∗∗ Synology-SA-22:13 SSO Server ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_13


∗∗∗ Synology-SA-22:12 Synology Note Station Client ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_12


∗∗∗ Synology-SA-22:11 Storage Analyzer ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_11


∗∗∗ Ipswitch WS_FTP Server: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0895


∗∗∗ Nvidia GPU Treiber und NVIDIA vGPU software: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0894


∗∗∗ Rsync: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0891


∗∗∗ 2022-13 Denial of Service Vulnerability in EagleSDV ∗∗∗
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14662&mediaformatid=50063&destinationid=10016

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily