[CERT-daily] Tageszusammenfassung - 21.12.2022

Wed Dec 21 18:09:15 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 20-12-2022 18:00 − Mittwoch 21-12-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Hackers bombard PyPi platform with information-stealing malware ∗∗∗
---------------------------------------------
The PyPi python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platform-with-information-stealing-malware/


∗∗∗ VirusTotal cheat sheet makes it easy to search for specific results ∗∗∗
---------------------------------------------
VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makes-it-easy-to-search-for-specific-results/


∗∗∗ FBI warns of search engine ads pushing malware, phishing ∗∗∗
---------------------------------------------
The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-ads-pushing-malware-phishing/


∗∗∗ Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT ∗∗∗
---------------------------------------------
After Microsoft announced this year that macros from the Internet will be blocked by default in Office , many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat/


∗∗∗ Fake jQuery Domain Redirects Site Visitors to Scam Pages ∗∗∗
---------------------------------------------
A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing.
---------------------------------------------
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html


∗∗∗ Kindersicherungs-Apps: Smarte Kids könnten Eltern attackieren ∗∗∗
---------------------------------------------
Sicherheitsforscher haben Android-Apps untersucht, über die Eltern Internetzugriffe von Kindern einschränken können. Doch Schwachstellen weichen den Schutz auf.
---------------------------------------------
https://heise.de/-7435146


∗∗∗ Adult popunder campaign used in mainstream ad fraud scheme ∗∗∗
---------------------------------------------
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunder-campaign-used-in-mainstream-ad-fraud-scheme


∗∗∗ Meddler-in-the-Middle Phishing Attacks Explained ∗∗∗
---------------------------------------------
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.
---------------------------------------------
https://unit42.paloaltonetworks.com/meddler-phishing-attacks/


∗∗∗ Godfather: A banking Trojan that is impossible to refuse ∗∗∗
---------------------------------------------
Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries.
---------------------------------------------
https://blog.group-ib.com/godfather-trojan


∗∗∗ Didn’t Notice Your Rate Limiting: GraphQL Batching Attack ∗∗∗
---------------------------------------------
In this article, we will discuss how allowing multiple queries or requesting multiple object instances in a single network call can be abused leading to massive data leaks or Denial of Service (DoS). 
---------------------------------------------
https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching-attack/


∗∗∗ A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 ∗∗∗
---------------------------------------------
This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800.html


∗∗∗ Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks ∗∗∗
---------------------------------------------
In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Jetzt patchen! Attacken auf Exchange Server im ProxyNotShell-Kontext gesichtet ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen vor einem neuen Exploit, der ProxyNotShell-Schutzkonzepte umgeht. Es gibt aber Sicherheitsupdates.
---------------------------------------------
https://heise.de/-7434860


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils).
---------------------------------------------
https://lwn.net/Articles/918313/


∗∗∗ Passwordless Persistence and Privilege Escalation in Azure ∗∗∗
---------------------------------------------
Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons.
---------------------------------------------
https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f


∗∗∗ Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN29902403/


∗∗∗ Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking ∗∗∗
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-hikvision-wireless-bridges-allows-cctv-hacking


∗∗∗ Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-esr-released/


∗∗∗ Rechteausweitung in Razer Synapse (SYSS-2022-047) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-2022-047


∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the package org.yaml:snakeyaml and jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849213


∗∗∗ GraphQL Denial of Service security vulnerability CVE-2022-37734 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828663


∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849223


∗∗∗ Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849249


∗∗∗ OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6850775

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily