[CERT-daily] Tageszusammenfassung - 04.08.2022

Daily end-of-shift report team at cert.at
Thu Aug 4 18:43:47 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 03-08-2022 18:00 − Donnerstag 04-08-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ TLP 2.0 is here ∗∗∗
---------------------------------------------
Earlier this week, the global Forum of Incident Response and Security Teams – or FIRST, as it is commonly known – published a new version of its Traffic Light Protocol standard. The Traffic Light Protocol (TLP) is commonly used in the incident response community, as well as in the wider security space, to quickly and in a standardized way indicate any limitations on further sharing of any transferred information.
---------------------------------------------
https://isc.sans.edu/diary/rss/28914


∗∗∗ PersistenceSniper ∗∗∗
---------------------------------------------
PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines.
---------------------------------------------
https://github.com/last-byte/PersistenceSniper


∗∗∗ Woody RAT: A new feature-rich malware spotted in the wild ∗∗∗
---------------------------------------------
The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.
---------------------------------------------
https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/


∗∗∗ Dreiecksbetrug beim Verkauf von Gaming-Accounts über Kleinanzeigen ∗∗∗
---------------------------------------------
Vorsicht beim Kauf und Verkauf von Gaming-Accounts. Abgesehen davon, dass Kauf und Verkauf häufig durch die Spieleentwickler:innen verboten werden, kommt es immer wieder zu einem Dreiecksbetrug. Verkaufende verlieren ihren Gaming-Account und bekommen kein Geld oder Kaufende bekommen keinen Account und buchen das Geld zurück.
---------------------------------------------
https://www.watchlist-internet.at/news/dreiecksbetrug-beim-verkauf-von-gaming-accounts-ueber-kleinanzeigen/


∗∗∗ Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware ∗∗∗
---------------------------------------------
This blog presents a case study from recent Bumblebee malware activity distributed through Projector Libra that led to Cobalt Strike. Information presented here should provide a clearer picture of the group’s tactics and help security professionals better defend their organizations against this threat.
---------------------------------------------
https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/


∗∗∗ Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns ∗∗∗
---------------------------------------------
In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/dark-utilities.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco fixes critical remote code execution bug in VPN routers ∗∗∗
---------------------------------------------
Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-code-execution-bug-in-vpn-routers/


∗∗∗ Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks ∗∗∗
---------------------------------------------
A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it's exploited, researchers warn that it could allow complete device takeover, along with access to the broader network.
---------------------------------------------
https://www.darkreading.com/endpoint/critical-rce-bug-draytek-routers-smbs-zero-click-attacks


∗∗∗ IBM Security Bulletins 2022-08-03 ∗∗∗
---------------------------------------------
IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Db2, IBM Sterling File Gateway, IBM Sterling B2B Integrator, IBM Data Risk Manager, IBM Tivoli Application Dependency Discovery Manager, IBM Java SDK Technology Edition.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security Advisory - The input verification vulnerability of a Huawei Device product is involved. ∗∗∗
---------------------------------------------
A Huawei device has an input verification vulnerability. Successful exploitation of this vulnerability may lead to DoS attacks. (Vulnerability ID: HWPSIRT-2022-49379) Affected Product: CV81-WDM FW
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220810-01-8cfecdcc-en


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (lua), Oracle (kernel), Red Hat (389-ds:1.4, django, firefox, go-toolset and golang, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, java-1.8.0-ibm, java-17-openjdk, kernel, kernel-rt, kpatch-patch, mariadb:10.5, openssl, pcre2, php, rh-mariadb105-galera and rh-mariadb105-mariadb, ruby:2.5, thunderbird, vim, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox and thunderbird), SUSE (drbd, java-17-openjdk, java-1_8_0-ibm, keylime, ldb, samba, mokutil, oracleasm, pcre2, permissions, postgresql-jdbc, python-numpy, samba, tiff, u-boot, and xscreensaver), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-470, nvidia-graphics-drivers-470-server, nvidia-graphics-drivers-510, nvidia-graphics-drivers-510-server, nvidia-graphics-drivers-515, nvidia-graphics-drivers-515-server). 
---------------------------------------------
https://lwn.net/Articles/903816/


∗∗∗ genua genugate: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗
---------------------------------------------
Ein Angreifer kann eine Schwachstelle in genua genugate ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0906


∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0907


∗∗∗ PostgreSQL: Schwachstelle ermöglicht SQL Injection ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in PostgreSQL ausnutzen, um eine SQL Injection durchzuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0910


∗∗∗ Nextcloud Server und Nextcloud Mail: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Nextcloud ausnutzen, um Informationen offenzulegen, Sicherheitsmaßnahmen zu umgehen und einen Denial-of-Service-Zustand zu verursachen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0912


∗∗∗ Cisco Security Advisories 2022-08-03 ∗∗∗
---------------------------------------------
Cisco published 5 security advisories (1 critical, 4 medium severity).
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F08%2F03&firstPublishedEndDate=2022%2F08%2F03


∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0901


∗∗∗ Digi ConnectPort X2D ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-216-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list