[CERT-daily] Tageszusammenfassung - 16.11.2022

Wed Nov 16 18:27:59 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 15-11-2022 18:00 − Mittwoch 16-11-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Forscher erraten Passwörter via Wärmebild mit Machine Learning und KI ∗∗∗
---------------------------------------------
In einem Versuchsaufbau haben Sicherheitsforscher auf einer Tastatur eingetippte zwölfstellige Passwörter mit einer Erfolgsquote von 83 Prozent rekonstruiert.
---------------------------------------------
https://heise.de/-7341957


∗∗∗ ESET APT Activity Report T2 2022 ∗∗∗
---------------------------------------------
Ein Überblick über die Aktivitäten ausgewählter APT-Gruppen, die von ESET Research in T2 2022 untersucht und analysiert wurden.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/11/16/apt-activity-report-t2-2022/


∗∗∗ Fake Black Friday Gewinnspiele auf WhatsApp und Instagram im Umlauf ∗∗∗
---------------------------------------------
Vorsicht vor betrügerischen Gewinnspielen rund um den Black Friday. Zahlreiche WhatsApp- und Instagram-Nutzer:innen erhalten aktuell betrügerische Nachrichten von Unbekannten, aber auch eigenen Kontakten, die beispielsweise Gewinnspiele im Namen Amazons bewerben. Achtung: Es handelt sich um einen Versuch, Sie in eine Abo-Falle zu locken. Folgen Sie keinen Links in solchen Nachrichten und geben Sie keine Kreditkartendaten bekannt!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-black-friday-gewinnspiele-auf-whatsapp-und-instagram-im-umlauf/


∗∗∗ Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend ∗∗∗
---------------------------------------------
By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as “DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC”. After successful validation, it was immediately submitted to Microsoft. They patched both bugs along with several other Exchange vulnerabilities in the November Patch Tuesday release. It is a beautiful chain, with an ingenious vector [...]
---------------------------------------------
https://www.thezdi.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend


∗∗∗ CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures ∗∗∗
---------------------------------------------
Rapid7 discovered several vulnerabilities and exposures in specific F5 BIG-IP and BIG-IQ devices in August 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/


∗∗∗ Magento stores targeted in massive surge of TrojanOrders attacks ∗∗∗
---------------------------------------------
At least seven hacking groups are behind a massive surge in TrojanOrders attacks targeting Magento 2 websites, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-massive-surge-of-trojanorders-attacks/


∗∗∗ Token tactics: How to prevent, detect, and respond to cloud token theft ∗∗∗
---------------------------------------------
As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/


∗∗∗ Packet Tuesday: Network Traffic Analysis for the Whole Family, (Tue, Nov 15th) ∗∗∗
---------------------------------------------
A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking of "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below.
---------------------------------------------
https://isc.sans.edu/diary/rss/29252


∗∗∗ New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques ∗∗∗
---------------------------------------------
Readers of this blog should already be familiar with SocGholish: a widespread, years-long malware campaign aimed at pushing fake browser updates to unsuspecting web users. Once installed, fake browser updates infect the victim’s computer with various types of malware including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware attacks against corporations and other organizations.
---------------------------------------------
https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-compression-evasive-techniques.html


∗∗∗ Researchers Discover Hundreds of Amazon RDS Instances Leaking Users Personal Data ∗∗∗
---------------------------------------------
"Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot," Amazon cautions in its documentation. "When a snapshot is shared publicly, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it."
---------------------------------------------
https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Secure Email Gateway Malware Detection Evasion ∗∗∗
---------------------------------------------
This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time
frame.  As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022110021


∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks. For more information about these vulnerabilities, see the Details section of this advisory. Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (grub2, nginx, and wordpress), Red Hat (389-ds-base, bind, buildah, curl, device-mapper-multipath, dnsmasq, dotnet7.0, dpdk, e2fsprogs, grafana-pcp, harfbuzz, ignition, Image Builder, kernel, keylime, libguestfs, libldb, libtiff, libvirt, logrotate, mingw-zlib, mutt, openjpeg2, podman, poppler, python-lxml, qt5, rsync, runc, samba, skopeo, toolbox, unbound, virt-v2v, wavpack, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), SUSE (389-ds, bluez, dhcp, freerdp, jackson-databind, kernel, LibVNCServer, libX11, nodejs12, nodejs16, php7, php8, python-Mako, python-Twisted, python310, sudo, systemd, and xen), and Ubuntu (mako).
---------------------------------------------
https://lwn.net/Articles/915097/


∗∗∗ RICOH Aficio SP 4210N vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN24659622/


∗∗∗ Multiple vulnerabilities in Movable Type ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN37014768/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-due-to-the-october-2022-cpu/


∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update July 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-security-update-july-2022/


∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.2ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-102-2esr-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if16-2022-4-0/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily