[CERT-daily] Daily summary - 27.12.2022

Daily end-of-shift report team at cert.at
Tue Dec 27 18:31:42 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 23-12-2022 18:00 - Tuesday 27-12-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ EarSpy attack eavesdrops on Android phones via motion sensors ∗∗∗
---------------------------------------------
A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the caller's gender and identity, and even discern private speech.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/earspy-attack-eavesdrops-on-android-phones-via-motion-sensors/


∗∗∗ Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes ∗∗∗
---------------------------------------------
A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware.
---------------------------------------------
https://www.darkreading.com/cloud/container-verification-bug-malicious-images-free-rein-kubernetes


∗∗∗ BlueNoroff introduces new methods bypassing MoTW ∗∗∗
---------------------------------------------
We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal.
---------------------------------------------
https://securelist.com/bluenoroff-methods-bypass-motw/108383/


∗∗∗ DShield Sensor Setup in Azure, (Wed, Dec 21st) ∗∗∗
---------------------------------------------
In November I set up the DShield sensor in my Azure tenant using Ubuntu version 20.04. Here are the steps I followed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29370


∗∗∗ GuLoader Malware Utilizing New Techniques to Evade Security Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.
---------------------------------------------
https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html


∗∗∗ Navigating the Vast Ocean of Sandbox Evasions ∗∗∗
---------------------------------------------
After creating a bespoke sandbox environment, we discuss techniques used to target malware evasions with memory detection and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/


∗∗∗ Reminder: Basic Authentication in Exchange Online will be switched off in 2023 ∗∗∗
---------------------------------------------
Microsoft recently issued a reminder that so-called Basic Authentication in Exchange Online is being retired and will be switched off in the coming year.
---------------------------------------------
https://www.borncity.com/blog/2022/12/27/erinnerung-basic-authentication-in-exchange-online-wird-2023-abgeschaltet/


∗∗∗ Caution! Malware Signed With Microsoft Certificate ∗∗∗
---------------------------------------------
Microsoft announced details on the distribution of malware signed with a Microsoft certificate. According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer accounts. To prevent damage, Microsoft blocked the related accounts and applied a security update (Microsoft Defender 1.377.987.0 or later).
---------------------------------------------
https://asec.ahnlab.com/en/44726/


∗∗∗ Distribution of Magniber Ransomware Stops (Since November 29th) ∗∗∗
---------------------------------------------
Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted.
---------------------------------------------
https://asec.ahnlab.com/en/43858/


∗∗∗ Inside the IcedID BackConnect Protocol ∗∗∗
---------------------------------------------
As part of our ongoing tracking of IcedID / BokBot, we wanted to share some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol.
---------------------------------------------
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Ksmbd: Critical vulnerability in the Linux kernel's SMB service ∗∗∗
---------------------------------------------
Since last year the Linux kernel has had its own SMB implementation. It contains a very dangerous vulnerability; updates are available.
---------------------------------------------
https://www.golem.de/news/ksmbd-kritische-luecke-im-smb-dienst-des-linux-kernel-2212-170747.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).
---------------------------------------------
https://lwn.net/Articles/918607/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).
---------------------------------------------
https://lwn.net/Articles/918631/


∗∗∗ Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks ∗∗∗
---------------------------------------------
Defiant’s Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-premium-gift-cards-wordpress-plugin-exploited-attacks


∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0011 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0011.html


∗∗∗ Cross-Site Scripting in the Admin Panel of Lucee Server (SYSS-2022-051) ∗∗∗
---------------------------------------------
The admin panel of Lucee Server contains a cross-site scripting (XSS) vulnerability. Attackers can thereby execute JavaScript code in the browser.
---------------------------------------------
https://www.syss.de/pentest-blog/cross-site-scripting-im-admin-panel-von-lucee-server-syss-2022-051


∗∗∗ MISP 2.4.167 released with many improvements, bugs fixed and security fixes. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.167

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily