[CERT-daily] Tageszusammenfassung - 14.11.2022

Daily end-of-shift report team at cert.at
Mon Nov 14 18:15:16 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 11-11-2022 18:00 − Montag 14-11-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Jetzt deinstallieren! Sicherheitslücken, aber keine Patches für VMware Hyperic ∗∗∗
---------------------------------------------
Der Support für die IT-Managementsoftware VMware Hyperic ist ausgelaufen. Admins sollten umsteigen.
---------------------------------------------
https://heise.de/-7339160


∗∗∗ Neue Betrugsmasche auf Amazon: Betrügerische Marketplace-Händler stornieren Bestellungen und empfehlen Kauf bei „Amazon-Partnershops“ ∗∗∗
---------------------------------------------
Sabine sucht auf Amazon nach einer Kaffeemaschine. Bei einem Marketplace-Händler findet sie ein günstiges Angebot. Sie bestellt und wartet nun auf die Lieferung. Kurz nach der Bestellung wird der Kauf aber vom Händler storniert. Sie bekommt ein Mail, indem sich der Händler entschuldigt und ihr einen Shop nennt, bei dem sie die Kaffeemaschine zum gleichen Preis bestellen kann. Vorsicht: Dabei handelt es sich um Betrug!
---------------------------------------------
https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-amazon-betruegerische-marketplace-haendler-stornieren-bestellungen-und-empfehl/


∗∗∗ Extracting HTTP CONNECT Requests with Python, (Mon, Nov 14th) ∗∗∗
---------------------------------------------
Seeing abnormal Suricata alerts isnt too unusual in my home environment. In many cases it may be a TLD being resolved that at one point in time was very suspicious. With the increased legitimate adoption of some of these domains, these alerts have been less useful, although still interesting to investigate. I ran into a few of these alerts one night and when diving deeper there was an unusual amount, frequency, and source of the alerts.
---------------------------------------------
https://isc.sans.edu/diary/rss/29246


∗∗∗ Extracting Information From "logfmt" Files With CyberChef, (Sat, Nov 12th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/29244


∗∗∗ KmsdBot: The Attack and Mine Malware ∗∗∗
---------------------------------------------
Akamai Security Research has observed a new malware that infected our honeypot, which we have dubbed KmsdBot. The botnet infects systems via an SSH connection that uses weak login credentials.
---------------------------------------------
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware


∗∗∗ Discover 2022’s Nastiest Malware ∗∗∗
---------------------------------------------
For the past year, hackers have been following close behind businesses and families just waiting for the right time to strike. In other words, 2022 has been an eventful year in the threat landscape, with malware continuing to take center stage. The 6 Nastiest Malware of 2022 Since the mainstreaming of ransomware payloads and the [...]
---------------------------------------------
https://www.webroot.com/blog/2022/10/14/discover-2022s-nastiest-malware/


∗∗∗ Typhon Reborn With New Capabilities ∗∗∗
---------------------------------------------
Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn.
---------------------------------------------
https://unit42.paloaltonetworks.com/typhon-reborn-stealer/


∗∗∗ BumbleBee Zeros in on Meterpreter ∗∗∗
---------------------------------------------
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign.
---------------------------------------------
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/


∗∗∗ Stories from the SOC: Fortinet authentication bypass observed in the wild ∗∗∗
---------------------------------------------
Fortinet’s newest vulnerability, CVE-2022-40684, allowing for authentication bypass to manipulate admin SSH keys, unauthorized downloading of configuration files, and creating of super admin accounts, is put a big target on the back’s of unpatched and exposed Fortinet devices.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-fortinet-authentication-bypass-observed-in-the-wild



=====================
=  Vulnerabilities  =
=====================

∗∗∗ HP-BIOS: Pufferüberlauf ermöglicht Rechteausweitung, Update ist verfügbar ∗∗∗
---------------------------------------------
HP warnt vor einer Sicherheitslücke im BIOS zahlreicher Notebooks und PC. Angreifer könnten dadurch ihre Rechte ausweiten oder beliebigen Code ausführen.
---------------------------------------------
https://heise.de/-7339122


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dropbear, php7.4, pixman, sysstat, and xorg-server), Fedora (mingw-expat, mingw-libtasn1, and mingw-pixman), Mageia (binutils/gdb, chromium-browser-stable, exiv2, libtiff, nodejs, pcre, pixman, wayland, and webkit2), Red Hat (device-mapper-multipath and libksba), SUSE (autotrace, busybox, libmodbus, php72, python-numpy, rustup, samba, varnish, xen, and xterm), and Ubuntu (thunderbird).
---------------------------------------------
https://lwn.net/Articles/914811/


∗∗∗ Path Traversal Schwachstelle in Payara Platform ∗∗∗
---------------------------------------------
Aufgrund einer fehlerhaften Pfadüberprüfung in der Payara Software ist es möglich, die Konfigurations- oder Sourcecode-Dateien von Webanwendungen in den Verzeichnissen WEB-INF und META-INF über eine Path Traversal Schwachstelle zu lesen.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/path-traversal-vulnerability-in-payara-platform/


∗∗∗ Vielfältige Schwachstellen in BACKCLICK Professional (SYSS-2022-026 bis -037) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037


∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-file-agent-is-vulnerable-to-denial-of-service-due-to-fasterxml-jackson-databind-cve-2022-42003/


∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-44832-7/


∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-after-entering-a-specially-crafted-malformed-sql-statement-into-the-db2expln-tool-cve-2022-35637-2/


∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-file-agent-is-vulnerable-to-denial-of-service-due-to-fasterxml-jackson-databind/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-44228-6/


∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-file-agent-is-vulnerable-to-denial-of-service-due-to-fasterxml-jackson-databind-cve-2022-42004/


∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-in-some-scenarios-due-to-unauthorized-access-caused-by-improper-privilege-management-when-create-or-replace-command-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-45046-cve-2021-45105-6/


∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-caused-by-improper-privilege-management-when-table-function-is-used-cve-2022-22390-3/


∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru traces sensitive data (CVE-2022-35719) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru-traces-sensitive-data-cve-2022-35719/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list