[CERT-daily] Tageszusammenfassung - 19.08.2022

Daily end-of-shift report team at cert.at
Fri Aug 19 18:58:05 CEST 2022 

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 18-08-2022 18:00 − Freitag 19-08-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Honeypot Attack Summaries with Python ∗∗∗
---------------------------------------------
We are lucky to have a variety of tools available to enrich existing honeypot data, but also automate that enrichment. I put together a script to try and help myself achieve a simple goal.
---------------------------------------------
https://isc.sans.edu/diary/rss/28956


∗∗∗ Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads ∗∗∗
---------------------------------------------
Under normal circumstances, DDoS pages usually don’t affect users much — they simply perform a check or request a skill testing question in order to proceed to the desired webpage. However, a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware.
---------------------------------------------
https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html


∗∗∗ But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer (Part 1) ∗∗∗
---------------------------------------------
At Pwn2Own Vancouver 2022, Manfred Paul compromised the Mozilla Firefox browser using a full chain exploit that broke the mold. Although his exploit used some memory corruptions, the vulnerable code was written in a memory-safe programming language: JavaScript!
---------------------------------------------
https://www.zerodayinitiative.com/blog/2022/8/17/but-you-told-me-you-were-safe-attacking-the-mozilla-firefox-renderer-part-1


∗∗∗ Auch TikTok-App soll mit internem iPhone-Browser spionieren können ∗∗∗
---------------------------------------------
Nachdem das Problem bereits bei Facebook und Instagram aufgedeckt worden war, hat sich ein Sicherheitsforscher nun auch den chinesischen Videodienst angesehen.
---------------------------------------------
https://heise.de/-7235891


∗∗∗ Aktive Angriffe auf iPhones, iPads und Macs: Was Nutzer jetzt tun sollten ∗∗∗
---------------------------------------------
Erneut warnt Apple vor schweren Sicherheitslücken, die wohl aktiv ausgenutzt werden. Es gibt Patches, aber nicht für alle Systeme und Bugs. Ein Überblick.
---------------------------------------------
https://heise.de/-7237518


∗∗∗ Back in Black: Unlocking a LockBit 3.0 Ransomware Attack ∗∗∗
---------------------------------------------
This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement.
---------------------------------------------
https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/


∗∗∗ SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences.
---------------------------------------------
https://www.securityweek.com/sap-vulnerability-exploited-attacks-after-details-disclosed-hacker-conferences


∗∗∗ Fake-Shop-Alarm: getvoltplug.com hilft Ihnen nicht beim Stromsparen ∗∗∗
---------------------------------------------
In Zeiten der Energiekrise wirbt getvoltplug.com mit einem attraktiven Angebot: Ein Gerät soll Ihnen helfen bis zu 90% Ihrer Stromrechnung zu sparen. Aber Achtung! Dieses Gerät existiert gar nicht, es handelt sich um Betrug.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-alarm-getvoltplugcom-hilft-ihnen-nicht-beim-stromsparen/


∗∗∗ Wissen: Webseite als kompromittiert gemeldet? Wie geht man vor? ∗∗∗
---------------------------------------------
Wer eine Webseite betreibt, wird möglicherweise gelegentlich mit dem Problem konfrontiert, dass diese von Sicherheitsportalen oder Benutzern als "riskant" gemeldet wird. Dann stellt sich die Frage, wie man vorgehen könnte, um herauszufinden, ob dies ein Fehlalarm ist oder die Webseite kompromittiert wurde.
---------------------------------------------
https://www.borncity.com/blog/2022/08/19/wissen-webseite-als-kompromittiert-gemeldet-wie-geht-man-vor/


∗∗∗ Ukraine war spotlights agriculture sectors vulnerability to cyber attack ∗∗∗
---------------------------------------------
The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. We assess those future threats to the agriculture section will mainly include financially motivated ransomware actors and disruptive attacks carried out by state-sponsored APTs.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agriculture.html


∗∗∗ Business Email Compromise Attack Tactics ∗∗∗
---------------------------------------------
Is BEC more damaging than ransomware? What tactics are BEC actors using? How can organizations bolster their defenses?
---------------------------------------------
https://www.trendmicro.com/en_us/ciso/22/h/business-email-compromise-bec-attack-tactics.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-22-1076: PDF-XChange Editor submitForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1076/


∗∗∗ DSA-2022-241: Dell EMC PowerFlex Rack Security Update for Multiple Third-Party Component Vulnerabilities ∗∗∗
---------------------------------------------
Dell EMC PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
---------------------------------------------
https://www.dell.com/support/kbdoc/de-at/000202540/dsa-2022-241-dell-emc-powerflex-rack-security-update-for-multiple-third-party-component-vulnerabilities


∗∗∗ Virenscanner: Schwachstelle von McAfee erleichtert Angreifern das Einnisten ∗∗∗
---------------------------------------------
Angreifer hätten aufgrund einer Sicherheitslücke im Virenschutz McAfee Security Scan Plus ihre Rechte erhöhen können. Das erleichterte das Einnisten im System.
---------------------------------------------
https://heise.de/-7235809


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ruby-tzinfo), Mageia (nvidia-current and nvidia390), SUSE (python-PyYAML, ucode-intel, and zlib), and Ubuntu (linux-aws, postgresql-10, postgresql-12, postgresql-14, and rsync).
---------------------------------------------
https://lwn.net/Articles/905265/


∗∗∗ vim: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1076


∗∗∗ Security Advisory - JAD-AL50: Permission Bypass Vulnerability in Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220819-01-7e0a6103-en


∗∗∗ Security Bulletin: IBM MQ Explorer is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2022-22489) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-explorer-is-vulnerable-to-an-xml-external-entity-injection-xxe-attack-cve-2022-22489/


∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-software-used-by-ibm-b-type-san-directors-and-switches-4/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-35948 and CVE-2022-35949 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-designerauthoring-operands-may-be-vulnerable-to-loss-of-confidentiality-due-to-cve-2022-35948-and-cve-2022-35949/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-25/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-24/


∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-vulnerable-to-docker-cli-cve-2021-41092-and-apache-log4j-cve-2021-4104-cve-2022-23302-cve-2022-23305-cve-2022-23307-weaknesses-2/


∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM WebSphere Application Server Liberty and OpenSSL (CVE-2022-2068, CVE-2022-2097, CVE-2022-22475) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-vulnerable-to-multiple-weaknesses-related-to-ibm-websphere-application-server-liberty-and-openssl-cve-2022-2068-cve-2022-2097-cve-2022-22475/


∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in ICU [CVE-2017-14952 and CVE-2020-10531] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-affected-by-vulnerabilities-in-icu-cve-2017-14952-and-cve-2020-10531/


∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-software-used-by-ibm-b-type-san-directors-and-switches-3/


∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining . CVE-2022-2048 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-jetty-affects-ibm-process-mining-cve-2022-2048/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list