[CERT-daily] Tageszusammenfassung - 16.08.2022

Tue Aug 16 18:15:11 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 12-08-2022 18:00 − Dienstag 16-08-2022 18:00
Handler:     Stephan Richter
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ SOVA malware adds ransomware feature to encrypt Android devices ∗∗∗
---------------------------------------------
The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sova-malware-adds-ransomware-feature-to-encrypt-android-devices/


∗∗∗ John Deere: Hacker präsentiert Jailbreak für Traktoren ∗∗∗
---------------------------------------------
Nicht nur Telefonhersteller vernageln ihre Geräte. Der Hacker Sick Codes zeigt, wie Root-Zugriff auf die Systeme der Traktoren zu erlangen ist.
---------------------------------------------
https://www.golem.de/news/john-deere-ein-hacker-praesentiert-ein-jailbreak-fuer-traktoren-2208-167611.html


∗∗∗ Threat in your browser: what dangers innocent-looking extensions hold for users ∗∗∗
---------------------------------------------
In this research, we observed various types of threats that mimic useful web browser extensions, and the number of users attacked by them.
---------------------------------------------
https://securelist.com/threat-in-your-browser-extensions/107181/


∗∗∗ Two more malicious Python packages in the PyPI ∗∗∗
---------------------------------------------
We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI.
---------------------------------------------
https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/


∗∗∗ Disrupting SEABORGIUM’s ongoing phishing operations ∗∗∗
---------------------------------------------
The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM in campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/


∗∗∗ Realtek SDK SIP ALG Vulnerability: A Big Deal, but not much you can do about it. CVE 2022-27255, (Sun, Aug 14th) ∗∗∗
---------------------------------------------
On Friday, Octavio Gianatiempo & Octavio Galland released details about a vulnerability in Realtek's eCos SDK.
---------------------------------------------
https://isc.sans.edu/diary/rss/28940


∗∗∗ Finanzsanierungen nicht mit Krediten verwechseln! ∗∗∗
---------------------------------------------
Kreditsuchende stoßen bei ihren Recherchen immer wieder auf Werbeanzeigen für Finanzsanierungsangebote. Achtung: Bei Finanzsanierungsangeboten handelt es sich um keine Kredite, sondern um eine sogenannte Schuldenregulierung. Diese ist in Österreich kostenlos erhältlich, weshalb bei kostenpflichtigen Angeboten zu Abstand zu raten ist!
---------------------------------------------
https://www.watchlist-internet.at/news/finanzsanierungen-nicht-mit-krediten-verwechseln/


∗∗∗ Typosquatting Campaign Targeting Python’s Top Packages, Dropping GitHub Hosted Malware with DGA Capabilities ∗∗∗
---------------------------------------------
On Saturday, August 13th, Checkmarx’s Software Supply Chain Security Typosquatting engine detected a large-scale attack on the Python ecosystem with multi-stage persistent malware.
---------------------------------------------
https://checkmarx.com/blog/typosquatting-campaign-targeting-pythons-top-packages-dropping-github-hosted-malware-with-dga-capabilities/


∗∗∗ What Exposed OPA Servers Can Tell You About Your Applications ∗∗∗
---------------------------------------------
This blog entry discusses what an OPA is and what it’s for, what we’ve discovered after identifying 389 exposed OPA servers via Shodan, and how exposed OPAs can negatively impact your applications’ overall security.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/h/what-exposed-opa-servers-can-tell-you-about-your-applications-.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Evil PLC Attack: Using a Controller as Predator Rather than Prey ∗∗∗
---------------------------------------------
Team82 has developed a novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations and further invade OT and enterprise networks.
---------------------------------------------
https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-predator-rather-than-prey


∗∗∗ Process injection: breaking all macOS security layers with a single vulnerability ∗∗∗
---------------------------------------------
In this post, we will first describe what process injection is, then the details of this vulnerability and finally how we abused it.
---------------------------------------------
https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/


∗∗∗ Database Integrity Vulnerabilities in Boeing’s Onboard Performance Tool ∗∗∗
---------------------------------------------
Security gaps in older, unprotected Windows desktop versions of Boeing’s Onboard Performance Tool (OPT) could make certain Electronic Flight Bags (EFB) more susceptible to attack.
---------------------------------------------
https://www.pentestpartners.com/security-blog/database-integrity-vulnerabilities-in-boeings-onboard-performance-tool/


∗∗∗ IBM Security Bulletins 2022-08-15 ∗∗∗
---------------------------------------------
IBM Sterling B2B Integrator, IBM SPSS Modeler, IBM Cloud Pak System, IBM Sterling File Gateway
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Zoom für macOS: Update-Funktion reißt Sicherheitslücke ∗∗∗
---------------------------------------------
Die populäre Videokonferenz-App hat auf dem Mac einmal mehr ein Security-Problem. Nutzer sollten dringend aktualisieren. Perfekt ist der Fix noch nicht.
---------------------------------------------
https://heise.de/-7219942


∗∗∗ DefCon 30: Unsicherheiten durch Microsoft in UEFI Secure Boot ∗∗∗
---------------------------------------------
Microsofts ausschweifende Signier-Praxis produziert Schwachstellen der Secure-Boot-Umgebung. Das kritisierten Sicherheitsforscher auf der DefCon 30.
---------------------------------------------
https://heise.de/-7221728


∗∗∗ Fernwartung: Kritische Sicherheitslücken in HPE Integrated Lights-Out (iLO) ∗∗∗
---------------------------------------------
Die Fernverwaltung HPE Integrated Lights-Out ermöglichte Angreifern das Einschmuggeln von Schadcode. Aktualisierte Software behebt die Fehler.
---------------------------------------------
https://heise.de/-7219923


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (trafficserver), Fedora (freeciv, gnutls, kernel, libldb, mingw-gdk-pixbuf, owncloud-client, rust-ffsend, samba, thunderbird, and zlib), Gentoo (apache, binutils, chromium, glibc, gstreamer, libarchive, libebml, nokogiri, puma, qemu, xen, and xterm), Mageia (golang, libtiff, poppler, python-django, and ruby-sinatra), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (chromium, cifs-utils, kernel, open-iscsi, and trousers), and Ubuntu (webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/904741/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel), Debian (kernel), Fedora (webkit2gtk3), Oracle (.NET 6.0, .NET Core 3.1, kernel, and kernel-container), Slackware (rsync), and SUSE (canna, ceph, chromium, curl, kernel, opera, python-Twisted, and seamonkey).
---------------------------------------------
https://lwn.net/Articles/904842/


∗∗∗ Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution ∗∗∗
---------------------------------------------
Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/vuln-spotlight-hdf5-library.html


∗∗∗ TRUMPF: Products prone to Unified Automation vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-034/


∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1042


∗∗∗ CoreDNS: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1047


∗∗∗ ESRI ArcGIS: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1046


∗∗∗ npm: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1049


∗∗∗ vim: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1048


∗∗∗ Yokogawa CENTUM Controller FCS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-01


∗∗∗ LS ELECTRIC PLC and XG5000 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-02


∗∗∗ Softing Secure Integration Server ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-04


∗∗∗ B&R Industrial Automation Automation Studio 4 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-05


∗∗∗ Emerson Proficy Machine Edition ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-06


∗∗∗ Sequi PortBloque S ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-07


∗∗∗ Two DoS vulnerabilities eliminated from Mitsubishi industrial controllers ∗∗∗
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/two-dos-vulnerabilities-eliminated-from-mitsubishi-industrial-controllers


∗∗∗ Multiple Vulnerabilities in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-22-22


∗∗∗ Multiple Vulnerabilities in Apache HTTP Server ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-22-23


∗∗∗ Remote Support Authentication Vulnerability in IBM Spectrum Virtualize and Lenovo Storage V Series ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500514-REMOTE-SUPPORT-AUTHENTICATION-VULNERABILITY-IN-IBM-SPECTRUM-VIRTUALIZE-AND-LENOVO-STORAGE-V-SERIES

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily