[CERT-daily] Tageszusammenfassung - 05.10.2022

Wed Oct 5 19:37:19 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 04-10-2022 18:00 − Mittwoch 05-10-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Exchange Zero-Day: Microsoft korrigiert Workaround ∗∗∗
---------------------------------------------
Der zuerst vorgeschlagene Workaround für die Zero-Day-Lücke ProxyNotShell in Exchange ließ sich einfach umgehen. Microsoft liefert eine korrigierte Fassung.
---------------------------------------------
https://heise.de/-7284241


∗∗∗ Ende von Basic Auth: Brute-Force-Angriffe auf Microsoft Exchange nehmen zu ∗∗∗
---------------------------------------------
Microsoft berichtet von vielen Angriffen auf E-Mail-Konten, die noch die einfache Authentifizierung nutzen. Kunden sollen rasch handeln.
---------------------------------------------
https://www.golem.de/news/ende-von-basic-auth-brute-force-angriffe-auf-microsoft-exchange-nehmen-zu-2210-168735.html


∗∗∗ Post-Exploitation Persistent Email Forwarder in Outlook Desktop ∗∗∗
---------------------------------------------
There is an exploitation method that can automatically forward emails CC’d to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploitation-persistent-email-forwarder-in-outlook-desktop/


∗∗∗ GandCrab bedroht Deutschland ∗∗∗
---------------------------------------------
Die Ransomware GandCrab dominiert in Deutschland, Österreich und der Schweiz die ESET Erkennungsstatistiken. Nahezu jeder vierte Ransomware-Fund geht auf GandCrab zurück.
---------------------------------------------
https://www.zdnet.de/88403902/gandcrab-bedroht-deutschland/


∗∗∗ Vorsicht vor Blackout-Shops wie dyn-amo.de und dynamos.at! ∗∗∗
---------------------------------------------
Immer wieder wird aktuell von der Möglichkeit kurzzeitiger Blackouts, also großflächiger Strom-, Internet- oder Heizungsausfälle berichtet. Unseriöse Online-Shops wie jene von ECOM4YOU, HAPPY SHOPPING oder Shopfactory24 GmbH bauen auf die Ängste ihrer Kundinnen und Kunden und bieten Notfall-Sets für Blackouts an. Vorsicht, wir haben es getestet: Die Produkte sind überteuert, die Lieferzeiten lang, die Qualität teils minderwertig und [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-blackout-shops-wie-dyn-amode-und-dynamosat/


∗∗∗ Shadowserver Alliance Launch ∗∗∗
---------------------------------------------
The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion to Shadowservers freely provided internet security services and enables partners, [...]
---------------------------------------------
https://www.shadowserver.org/news/shadowserver-alliance-launch/


∗∗∗ Credential Harvesting with Telegram API, (Tue, Oct 4th) ∗∗∗
---------------------------------------------
Phishing emails are a daily occurrence and many times it ends with credential harvesting. An email initially lures a user to a website that promised an anticipated file. The landing page taunts a user to click on an additional link and enter their credentials. In this case, the credentials entered by the user are not sent back to the bad actor using a simple web form but using the Telegram API [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/29112


∗∗∗ How to Secure & Harden Your Joomla! Website in 12 Steps ∗∗∗
---------------------------------------------
At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, advice can often be too broad; different content management systems (CMS) exist in this ecosystem and each require a unique security configuration.
---------------------------------------------
https://blog.sucuri.net/2022/10/how-to-secure-harden-your-joomla-website-in-12-steps.html


∗∗∗ Securing Developer Tools: A New Supply Chain Attack on PHP ∗∗∗
---------------------------------------------
Supply chain attacks are a hot topic for development organizations today. Last year, in the largest ever software supply chain attack, a backdoor infected 18,000 SolarWinds customers. Earlier this year, a security researcher was able to breach Apple, Microsoft, Paypal, and other tech giants using a new supply chain attack technique.
---------------------------------------------
https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-attack-on-php/


∗∗∗ Our Fox-IT Dissect framework for forensic data collection, now open source ∗∗∗
---------------------------------------------
Dissect is a framework for collecting and analysing large amounts of forensic data. A game changer in cyber incident response, it enables data acquisition on thousands of systems within hours, regardless of the nature and size of the IT environment to be investigated after an attack.
---------------------------------------------
https://www.mynewsdesk.com/nccgroup/pressreleases/our-fox-it-dissect-framework-for-forensic-data-collection-now-open-source-3208630


∗∗∗ Change in Magniber Ransomware (*.js → *.wsf) – September 28th ∗∗∗
---------------------------------------------
The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection [...]
---------------------------------------------
https://asec.ahnlab.com/en/39489/


∗∗∗ How Water Labbu Exploits Electron-Based Applications ∗∗∗
---------------------------------------------
In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Patchday: Angreifer könnten ihre Rechte unter Android 10 bis 13 hochstufen ∗∗∗
---------------------------------------------
Wichtige Sicherheitsupdates schließen zum Teil kritische Lücken in verschiedenen Android-Versionen.
---------------------------------------------
https://heise.de/-7284409


∗∗∗ Aruba: Kritische Sicherheitslücke in Access Points ∗∗∗
---------------------------------------------
Aruba warnt vor kritischen Sicherheitslücken in den eigenen Access Points.
---------------------------------------------
https://heise.de/-7284335


∗∗∗ IBM Security Bulletins 2022-10-04 ∗∗∗
---------------------------------------------
IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manage, IBM Tivoli Monitoring, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM Security Guardium, Rational Business Developer, IBM Cloud Pak for Watson, IBM i Modernization Engine, IBM CICS TX Advanced, IBM Planning Analytics Workspace, IBM Security Guardium.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (barbican, mediawiki, and php-twig), Fedora (bash, chromium, lighttpd, postgresql-jdbc, and scala), Mageia (bash, chromium-browser-stable, and golang), Oracle (bind, bind9.16, and squid:4), Red Hat (bind, bind9.16, RHSSO, and squid:4), Scientific Linux (bind), SUSE (cifs-utils, libjpeg-turbo, nodejs14, and nodejs16), and Ubuntu (jackd2, linux-gke, and linux-intel-iotg).
---------------------------------------------
https://lwn.net/Articles/910395/


∗∗∗ SA45476 - Client Side Desync Attack (Informational) ∗∗∗
---------------------------------------------
The deprecated Pulse Collaboration feature is vulnerable to Client-Side Desync attacks on versions of PCS 9.1R15 and below.
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-Desync-Attack


∗∗∗ OpenSSH: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1621


∗∗∗ Keycloak: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1624


∗∗∗ Octopus Deploy: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1625


∗∗∗ Matomo: Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1626


∗∗∗ BD Totalys MultiProcessor ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-22-277-01


∗∗∗ Johnson Controls Metasys ADX Server ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-277-01


∗∗∗ Hitachi Energy Modular Switchgear Monitoring (MSM) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-277-02


∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-277-03


∗∗∗ OMRON CX-Programmer ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-277-04

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily