[CERT-daily] Tageszusammenfassung - 17.08.2022

Wed Aug 17 18:10:54 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 16-08-2022 18:00 − Mittwoch 17-08-2022 18:00
Handler:     Stephan Richter
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Malware devs already bypassed Android 13s new security feature ∗∗∗
---------------------------------------------
Android malware developers are already adjusting their tactics to bypass a new Restricted settings security feature introduced by Google in the newly released Android 13.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/


∗∗∗ SocGholish: 5+ Years of Massive Website Infections ∗∗∗
---------------------------------------------
Earlier this June, we shared information about the ongoing NDSW/NDSX malware campaign which has been one of the most common website infections detected and cleaned by our remediation team in the last few years.This NDSW/NDSX malware — also referred to as FakeUpdates or SocGholish by other research groups — is responsible for redirecting site visitors to malicious pages designed to trick victims into loading and installing fake browser updates.
---------------------------------------------
https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html


∗∗∗ RubyGems now requires multi-factor auth for top package maintainers ∗∗∗
---------------------------------------------
Sign-on you crazy diamond: RubyGems.org, the Ruby programming communitys software package registry, now requires maintainers of popular "gems" to secure their accounts using multi-factor authentication (MFA).
---------------------------------------------
https://www.theregister.com/2022/08/16/rubygems_package_registry_mfa/


∗∗∗ Phishing Site used to Spread Typhon Stealer ∗∗∗
---------------------------------------------
During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe.
---------------------------------------------
https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-stealer/


∗∗∗ Cisco-ASA-Firewalls hacken per Metasploit und Open-Source-Tools ∗∗∗
---------------------------------------------
Ein Forscher hat zahlreiche Tools und Metasploit-Module zum Hacken von Cisco-Firewalls veröffentlicht. Ein aktuelles Update hilft nicht gegen eines der Tools.
---------------------------------------------
https://heise.de/-7222976


∗∗∗ Achtung: Disney+ Phishing-Mails im Umlauf! ∗∗∗
---------------------------------------------
Besitzen Sie ein Disney+ Konto? Dann nehmen Sie sich vor betrügerischen Phishing-Nachrichten in Acht. Kriminelle versenden massenhaft E-Mails, in denen behauptet wird, Sie müssten Ihre Zahlungsinformationen aktualisieren, da Ihr Abonnement abgelaufen sei.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-disney-phishing-mails-im-umlauf/


∗∗∗ How a spoofed email passed the SPF check and landed in my inbox ∗∗∗
---------------------------------------------
The Sender Policy Framework can’t help prevent spam and phishing if you allow billions of IP addresses to send as your domain.
---------------------------------------------
https://www.welivesecurity.com/2022/08/16/spoofed-email-passed-spf-check-inbox/


∗∗∗ Los VMware, noch einmal! ∗∗∗
---------------------------------------------
In den Monaten April und Mai dieses Jahres veröffentlichte VMware zwei Security Advisories (VMSA-2022-0011 & VMSA-2022-0014) zu schwerwiegenden Sicherheitslücken in mehreren Produkten, zu denen teilweise bereits Patches zur Verfügung standen. Besagte Sicherheitsaktualisierungen wurden daraufhin von verschiedenen Bedrohungsakteuren untersucht und dienten als Basis für erste Exploits, welche wiederum bereits binnen 48 Stunden nach dem Erscheinen der Advisories genutzt wurden um großflächig Systeme zu kompromittieren.
---------------------------------------------
https://cert.at/de/blog/2022/8/los-vmware-machs-nochmal


∗∗∗ GCP, therefore IAM ∗∗∗
---------------------------------------------
Managing access authorization for your cloud assets is a challenging task. Certainly, when dealing with multiple public/private resources, environments, services, providers, and users.
---------------------------------------------
https://blog.checkpoint.com/2022/08/17/gcp-therefore-iam/


∗∗∗ Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/vuln-spotlight-wwbn-avideo-stream.html


∗∗∗ Top Five Patch Management & Process Best Practices ∗∗∗
---------------------------------------------
Explore the top patch management best practices to mitigate the growing threat of vulnerability exploits in your organization.
---------------------------------------------
https://www.trendmicro.com/en_us/ciso/22/h/patch-management-process-best-practices.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ RTLS systems vulnerable to MiTM attacks, location manipulation ∗∗∗
---------------------------------------------
Security researchers have uncovered multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems), enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rtls-systems-vulnerable-to-mitm-attacks-location-manipulation/


∗∗∗ IBM Security Bulletins 2022-08-16 ∗∗∗
---------------------------------------------
IBM Cloud Pak System, BM Security Verify Governance, IBM Sterling Connect:Direct for Microsoft Windows, IBM InfoSphere Identity Insight, PowerVC.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Google Chrome-Update: Exploit im Umlauf ∗∗∗
---------------------------------------------
Google hat in Chrome mehrere Sicherheitslücken gestopft. Mindestens eine davon gilt dem Hersteller als kritisch. Für eine weitere kursiert bereits ein Exploit.
---------------------------------------------
https://heise.de/-7222389


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (epiphany-browser, net-snmp, webkit2gtk, and wpewebkit), Fedora (python-yara and yara), Red Hat (kernel and kpatch-patch), SUSE (ceph, compat-openssl098, java-1_8_0-openjdk, kernel, python-Twisted, rsync, and webkit2gtk3), and Ubuntu (pyjwt and unbound).
---------------------------------------------
https://lwn.net/Articles/904955/


∗∗∗ Quarterly Security Patches Released for Splunk Enterprise ∗∗∗
---------------------------------------------
Splunk this week announced the release of a new set of quarterly patches, to address multiple vulnerabilities in Splunk Enterprise.
---------------------------------------------
https://www.securityweek.com/quarterly-security-patches-released-splunk-enterprise


∗∗∗ WAGO: Multiple Products Series affected by multiple CODESYS vulnerabilities ∗∗∗
---------------------------------------------
VDE-2022-031Vendor(s)WAGO GmbH & Co. KGProduct(s)   Article No° Product Name Affected Version(s) 752-8303/8000-0002EC300 750-8100/xxx-xxxPFC 100 750-8102/xxx-xxxPFC 100 750-8101/xxx-xxxPFC 100 750-8217/xxx-xxxPFC 200 750-8216/xxx-xxxPFC 200 750-8215/xxx-xxxPFC 200 750-8214/xxx-xxxPFC 200 750-8213/xxx-xxxPFC 200 750-8212/xxx-xxxPFC 200 750-8211/xxx-xxxPFC 200 750-8210/xxx-xxxPFC 200 750-8207/xxx-xxxPFC 200 750-8206/xxx-xxxPFC 200 750-8204/xxx-xxxPFC 200 750-8203/xxx-xxxPFC 200
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-031/


∗∗∗ WAGO: Multiple product series affected by multiple CODESYS vulnerabilities ∗∗∗
---------------------------------------------
VDE-2022-035Vendor(s)WAGO GmbH & Co. KGProduct(s)   Article No° Product Name Affected Version(s) 751-9301CC100 752-8303/8000-0002EC300 750-8100/xxx-xxxPFC 100 750-8102/xxx-xxxPFC 100 750-8101/xxx-xxxPFC 100 750-8216/xxx-xxxPFC 200 750-8215/xxx-xxxPFC 200 750-8214/xxx-xxxPFC 200 750-8213/xxx-xxxPFC 200 750-8212/xxx-xxxPFC 200 750-8211/xxx-xxxPFC 200 750-8210/xxx-xxxPFC 200 750-8207/xxx-xxxPFC 200 750-8206/xxx-xxxPFC 200 750-8204/xxx-xxxPFC 200 750-8203/xxx-xxxPFC 200 750-8202/xxx-xxxPFC
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-035/


∗∗∗ Microsoft Windows Defender: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1053


∗∗∗ Ansible Automation Platform: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1058


∗∗∗ Delta Industrial Automation DRAS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-03

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily