[CERT-daily] Tageszusammenfassung - 09.05.2022

Daily end-of-shift report team at cert.at
Mon May 9 18:40:39 CEST 2022 

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 06-05-2022 18:00 − Montag 09-05-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Hilfestellung für die Analyse schadbringender Dokumente ∗∗∗
---------------------------------------------
Das SANS-Institut veröffentlicht einen neuen "Spickzettel", der bei der Malware-Analyse verschiedener Dokumenttypen helfen soll.
---------------------------------------------
https://heise.de/-7079601


∗∗∗ Utimaco, der Krypto-Miner und ein Disclosure-Desaster​ ∗∗∗
---------------------------------------------
Auch Anbieter von Hochsicherheitslösungen sind vor Securityproblemen nicht gefeit. Man sollte sich vorbereiten, bevor man davon erfährt, sagt Jürgen Schmidt.
---------------------------------------------
https://heise.de/-7079962


∗∗∗ Jetzt patchen! Attacken auf F5 BIG-IP-Systeme könnten bevorstehen ∗∗∗
---------------------------------------------
Sicherheitsforscher habe in vergleichsweise kurzer Zeit Exploit-Code entwickelt. Das könnten Angreifer auch. Admins sollten BIP-IP-Produkte aktualisieren.
---------------------------------------------
https://heise.de/-7079049


∗∗∗ Kaufen Sie keine Schuhe vom Instagram-Account „wesleyroberts375“ ∗∗∗
---------------------------------------------
Auf der Instagram-Seite „wesleyroberts375“ finden sich zahlreiche Fotos von Nike-Schuhen, meist Modelle, die sonst überall ausverkauft sind. Wer einen Schuh kaufen oder den Preis erfahren möchte, muss dem Instagram-Nutzer eine private Nachricht senden. Achtung: Hinter dem Profil von „wesleyroberts375“ steckt kein echter Online-Shop. Sie werden betrogen. Schicken Sie kein Geld oder Gutscheincodes!
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-keine-schuhe-vom-instagram-account-wesleyroberts375/


∗∗∗ Bedrohungen in der Cloud ∗∗∗
---------------------------------------------
Die größten Sicherheitsrisiken bei der Cloud-Nutzung und wie Hacker zu mehr Sicherheit beitragen, schildert Laurie Mercer, Security Engineer bei HackerOne, in einem Gastbeitrag.
---------------------------------------------
https://www.zdnet.de/88401108/bedrohungen-in-der-cloud/


∗∗∗ Gehärteter Online-Banking-Browser S-Protect, ein Totalausfall ∗∗∗
---------------------------------------------
Es klingt gut, was der Deutsche Sparkassen- und Giroverband da angestoßen hat. Mit S-Protect legt man einen "gehärteten" Browser vor, der Online-Banking-Kunden vor den Risiken bei Bankgeschäften auf Windows PCs oder Macs besser schützen soll. Der Haken an der Geschichte: [...]
---------------------------------------------
https://www.borncity.com/blog/2022/05/09/gehrteter-online-banking-browser-s-protect-ein-totalausfall/


∗∗∗ Caramel credit card stealing service is growing in popularity ∗∗∗
---------------------------------------------
A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing-service-is-growing-in-popularity/


∗∗∗ Constrained environment breakout. .NET Assembly exfiltration via Internet Options ∗∗∗
---------------------------------------------
It’s not uncommon for developers to find that they need to help their end users. For starter, the business requirements for software can be highly convoluted and technical. Working with [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/constrained-environment-breakout-net-assembly-exfiltration-via-internet-options/


∗∗∗ Beware: This cheap and homemade malware is surprisingly effective ∗∗∗
---------------------------------------------
DCRat malware targets Windows devices. And its cheap and popular, which makes it a problem.
---------------------------------------------
https://www.zdnet.com/article/beware-this-cheap-and-homemade-malware-is-surprisingly-effective/


∗∗∗ Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound ∗∗∗
---------------------------------------------
During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, [...]
---------------------------------------------
https://blog.nviso.eu/2022/05/09/introducing-pycobalthound/


∗∗∗ Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application ∗∗∗
---------------------------------------------
The ASEC analysis team confirmed that a backdoor malware disguised as document editing software and messenger application used by many Korean users is being distributed in Korea through malicious CHM files. The team recently introduced malicious CHM files distributed in various forms twice in the ASEC blog in March. The malicious files discussed in this post execute additional malicious files via a process that is different from the previous cases.
---------------------------------------------
https://asec.ahnlab.com/en/34010/


∗∗∗ BPFDoor - an active Chinese global surveillance tool ∗∗∗
---------------------------------------------
Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to [...]
---------------------------------------------
https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896?source=rss----8343faddf0ec---4


∗∗∗ [Infographic] Cloud Misconfigurations: Dont Become a Breach Statistic ∗∗∗
---------------------------------------------
Our latest infographic highlights some key commonalities uncovered in our 2022 Cloud Misconfigurations Report.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/05/09/infographic-cloud-misconfigurations-dont-become-a-breach-statistic/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Advisory: New installations fail with HTTP Error 403 from https://sus.sophosupd.com/ in Sophos Intercept X for Windows ∗∗∗
---------------------------------------------
Overview: New installation and/or device updates fail with HTTP Error 403 from https://sus.sophosupd.com/. This error is seen in C:\ProramData\Sophos\AutoUpdate\SophosUpdate.log.
---------------------------------------------
https://support.sophos.com/support/s/article/KB-000043980?language=en_US


∗∗∗ Patchday: Fortinet schützt IP-Telefone vor Schadcode-Attacken ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für unter anderem FortiClient, FortiFone und FortiOS. Eine Lücke gilt als kritisch.
---------------------------------------------
https://heise.de/-7079563


∗∗∗ Freifunk: Einschleusen schädlicher Firmware durch kritische Lücke möglich ∗∗∗
---------------------------------------------
Freifunk aktualisiert seine Router-Firmware und schließt eine kritische Sicherheitslücke, durch die Angreifer eigene Firmware auf die Geräte aufspielen könnten.
---------------------------------------------
https://heise.de/-7079644


∗∗∗ Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) ∗∗∗
---------------------------------------------
Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the set of characters allowed in [...]
---------------------------------------------
https://research.nccgroup.com/2022/05/06/technical-advisory-ruby-on-rails-possible-xss-vulnerability-in-actionview-tag-helpers-cve-2022-27777/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox and thunderbird), Debian (ecdsautils and libz-mingw-w64), Fedora (cifs-utils, firefox, galera, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, mariadb, maven-shared-utils, mingw-freetype, redis, and seamonkey), Mageia (dcraw, firefox, lighttpd, rsyslog, ruby-nokogiri, and thunderbird), Scientific Linux (thunderbird), SUSE (giflib, kernel, and libwmf), and Ubuntu (dbus and rsyslog).
---------------------------------------------
https://lwn.net/Articles/894353/


∗∗∗ RubyGems Fixes Critical Gem Takeover Vulnerability ∗∗∗
---------------------------------------------
RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems. A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager.
---------------------------------------------
https://www.securityweek.com/rubygems-fixes-critical-gem-takeover-vulnerability


∗∗∗ SonicWall SSL-VPN NetExtender Windows Client Buffer Overflow Vulnerability ∗∗∗
---------------------------------------------
A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system. CVE: CVE-2022-22281
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0008


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ K12492858: Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K12492858


∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0549

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list