[CERT-daily] Tageszusammenfassung - 25.08.2022

Thu Aug 25 18:20:05 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 24-08-2022 18:00 − Donnerstag 25-08-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ PyPI packages hijacked after developers fall for phishing emails ∗∗∗
---------------------------------------------
A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages exotel and spam are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after-developers-fall-for-phishing-emails/


∗∗∗ More hackers adopt Sliver toolkit as a Cobalt Strike alternative ∗∗∗
---------------------------------------------
Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/more-hackers-adopt-sliver-toolkit-as-a-cobalt-strike-alternative/


∗∗∗ Twilio hackers hit over 130 orgs in massive Okta phishing attack ∗∗∗
---------------------------------------------
Threat analysts have discovered the phishing kit responsible for thousands of attacks against 136 high-profile organizations that have compromised 9,931 accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/


∗∗∗ MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone ∗∗∗
---------------------------------------------
Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/


∗∗∗ whids - Open Source EDR for Windows ∗∗∗
---------------------------------------------
EDR with artifact collection driven by detection. The detection engine is built on top of a previous project Gene specially designed to match Windows events against user defined rules.
---------------------------------------------
https://github.com/0xrawsec/whids


∗∗∗ EDR: Nachfolger der Antiviren-Software kämpfen mit altbekannten Problemen ∗∗∗
---------------------------------------------
Die Security-Industrie preist Endpoint Detection & Response als das bessere Antivirus an. Tests zeigen, dass es oft an den gleichen Problemen scheitert.
---------------------------------------------
https://heise.de/-7241955


∗∗∗ Firefox ESR, Thunderbird: Angreifer könnten Nutzereingaben abfangen ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für den Mailclient Thunderbird und den Webbrowser Firefox ESR.
---------------------------------------------
https://heise.de/-7242897


∗∗∗ Doxing – was ist das und wie schützt man sich davor? ∗∗∗
---------------------------------------------
Doxing kann jeden treffen - hier erfahren Sie, wie Sie die Wahrscheinlichkeit verringern können, dass Ihre persönlichen Daten als Waffe gegen Sie eingesetzt werden.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/08/25/doxing-was-ist-das-und-wie-schutzt-man-sich-davor/


∗∗∗ Vorsicht vor Coin-Fallen auf Dating-Portalen ∗∗∗
---------------------------------------------
Sie wollen herausfinden, ob es Ihrer Internetbekanntschaft wirklich ernst ist? Haben Sie Geld für Coins oder Guthaben investiert, um mit Ihrer Bekanntschaft zu chatten, es kommt aber nie zu einem persönlichen Treffen? Hier erfahren Sie alles über die Maschen von moderierten Dating-Portalen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-coin-fallen-auf-dating-portalen/


∗∗∗ Preparing Critical Infrastructure for Post-Quantum Cryptography ∗∗∗
---------------------------------------------
CISA has released CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography, which outlines the actions that critical infrastructure stakeholders should take now to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/08/24/preparing-critical-infrastructure-post-quantum-cryptography


∗∗∗ Palo Alto warns of firewall vulnerability used in DDoS attack on service provider ∗∗∗
---------------------------------------------
Palo Alto Networks is urging customers to patch a line of firewall products after finding that the vulnerability was used in a distributed denial-of-service (DDoS) attack. On August 19, the company made all patches available for CVE-2022-0028 – which affects the PA-Series, VM-Series and CN-Series of the PAN-OS firewall software.
---------------------------------------------
https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-ddos-attack-on-service-provider/


∗∗∗ New Golang Ransomware Agenda Customizes Attacks ∗∗∗
---------------------------------------------
A new piece of ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#309662: Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass ∗∗∗
---------------------------------------------
The following vendor-specific bootloaders were found vulnerable:
    Inherently vulnerable bootloader to bypass Secure Boot
        New Horizon Datasys Inc (CVE-2022-34302)
    UEFI Shell execution to bypass Secure Boot
        CryptoPro Secure Disk (CVE-2022-34301)
        Eurosoft (UK) Ltd (CVE-2022-34303)
Microsoft has provided details with their KB5012170 article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX).
---------------------------------------------
https://kb.cert.org/vuls/id/309662


∗∗∗ Movable Type XMLRPC API vulnerable to command injection ∗∗∗
---------------------------------------------
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN57728859/


∗∗∗ Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053 ∗∗∗
---------------------------------------------
Project: Commerce Elavon
Security risk: Moderately critical
Vulnerability: Access bypass
Description: This module enables you to accept payments from the Elavon payment provider. [..] This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-053


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libxslt, and open-vm-tools), Fedora (dotnet6.0 and firefox), Oracle (curl, firefox, rsync, and thunderbird), Red Hat (curl, firefox, php:7.4, rsync, systemd, and thunderbird), SUSE (bluez, chromium, freerdp, glibc, gnutls, kernel, postgresql10, raptor, rubygem-rails-html-sanitizer, and spice), and Ubuntu (firefox, linux, linux-kvm, linux-lts-xenial, linux-aws, linux-azure-fde, open-vm-tools, and varnish).
---------------------------------------------
https://lwn.net/Articles/906055/


∗∗∗ Atlassian Bitbucket: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Bitbucket ausnutzen, um beliebigen Programmcode auszuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1185


∗∗∗ HCL Notes und Domino: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in HCL Notes und HCL Domino ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1180


∗∗∗ Mattermost security updates 7.1.3 (ESR), 7.0.2, 6.3.10 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses a medium-level severity vulnerability. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.1.3 (Extended Support Release), 7.0.2, and 6.3.10 (Extended Support Release) for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-1-3-esr-7-0-2-6-3-10-esr-released/


∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Cisco has released security updates for vulnerabilities affecting ACI Multi-Site Orchestrator, FXOS, and NX-OS software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisco-releases-security-updates-multiple-products


∗∗∗ SMA100 Exposure of Sensitive Information to an Unauthorized Actor ∗∗∗
---------------------------------------------
A vulnerability in the SonicWall SMA100 appliance could potentially expose sensitive information i.e., third-party packages and library versions used in the appliance firmware to a pre-authenticated actor.IMPORTANT: SMA 1000 series products are not affected by this vulnerability.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0020


∗∗∗ SonicWall SMA100 Post-Auth Heap-based Buffer Overflow Vulnerability ∗∗∗
---------------------------------------------
A Heap-based Buffer Overflow vulnerability in the SonicWall SMA100 appliance allows a remote authenticated attacker to cause Denial of Service (DoS) on the appliance or potentially lead to code execution. This vulnerability impacts 10.2.1.5-34sv and earlier versions.IMPORTANT: SMA 1000 series products are not affected by this vulnerability. CVE: CVE-2022-2915
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0019


∗∗∗ Security Bulletin: IBM Connect:Direct Web Services vulnerable to remote security bypass due to PostgreSQL (CVE-2022-1552) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-connectdirect-web-services-vulnerable-to-remote-security-bypass-due-to-postgresql-cve-2022-1552/


∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service due to Linux Kernel (CVE-2020-35513) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-a-denial-of-service-due-to-linux-kernel-cve-2020-35513/


∗∗∗ FATEK Automation FvDesigner ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-237-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily