[CERT-daily] Tageszusammenfassung - 27.10.2022

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 25-10-2022 18:00 − Donnerstag 27-10-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Microsoft fixes Windows vulnerable driver blocklist sync issue ∗∗∗
---------------------------------------------
Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vulnerable-driver-blocklist-sync-issue/


∗∗∗ Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets ∗∗∗
---------------------------------------------
A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands embedded in packets and new features to evade detection of its infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/


∗∗∗ How to prevent lateral movement attacks using Microsoft 365 Defender ∗∗∗
---------------------------------------------
Learn how Microsoft 365 Defender can enhance mitigations against lateral movement paths in your environment, stopping attackers from gaining access to privileged and sensitive accounts.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/10/26/how-to-prevent-lateral-movement-attacks-using-microsoft-365-defender/


∗∗∗ Malware vs Virus: What’s the Difference? ∗∗∗
---------------------------------------------
In today’s article, we’ll be clarifying the difference between viruses and malware while helping to identify the most common types of malware.
---------------------------------------------
https://blog.sucuri.net/2022/10/whats-the-difference-malware-virus.html


∗∗∗ New Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Instances ∗∗∗
---------------------------------------------
A new cryptojacking campaign has been uncovered targeting vulnerable Docker and Kubernetes infrastructures as part of opportunistic attacks designed to illicitly mine cryptocurrency.
---------------------------------------------
https://thehackernews.com/2022/10/new-cryptojacking-campaign-targeting.html


∗∗∗ Hijacking AUR Packages by Searching for Expired Domains ∗∗∗
---------------------------------------------
The Arch User Repository (AUR) is a software repository for Arch Linux. It differs from the official Arch Linux repositories in that its packages are provided by its users and not officially supported by Arch Linux.
---------------------------------------------
https://blog.nietaanraken.nl/posts/aur-packages-expired-domains/


∗∗∗ Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom ∗∗∗
---------------------------------------------
Industrial organizations continue to be a top target for ransomware attacks, and reports published by cybersecurity companies this week reveal some recent trends.
---------------------------------------------
https://www.securityweek.com/industrial-ransomware-attacks-new-groups-emerge-manufacturing-pays-highest-ransom


∗∗∗ Trends in Web Threats in CY Q2 2022: Malicious JavaScript Downloaders Are Evolving ∗∗∗
---------------------------------------------
We examine trends in web threats for the second calendar year quarter of 2022, including how a malicious JavaScript downloader is evolving to evade detection.
---------------------------------------------
https://unit42.paloaltonetworks.com/web-threats-malicious-javascript-downloader/


∗∗∗ FormBook Malware Being Distributed as .NET ∗∗∗
---------------------------------------------
FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites.
---------------------------------------------
https://asec.ahnlab.com/en/40663/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th) ∗∗∗
---------------------------------------------
This week, OpenSSL announced that they will release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability. The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x.
---------------------------------------------
https://isc.sans.edu/diary/rss/29192


∗∗∗ IBM Security Bulletins 2022-10-26 and 2022-10-25 ∗∗∗
---------------------------------------------
IBM SDK, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM i, IBM Robotic Process Automation, IBM Cloud Transformation Advisor, CloudPak for Watson, Netcool Operations Insight.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Cisco AnyConnect: Alte Sicherheitslücken im Visier von Angreifern ∗∗∗
---------------------------------------------
Allerhöchste Zeit, um alte Lücken in Cisco AnyConnect abzudichten: Cisco warnt vor derzeitigen Cyber-Angriffen auf Schwachstellen aus dem Jahr 2020.
---------------------------------------------
https://heise.de/-7320917


∗∗∗ Sicherheitsupdate ArubaOS: Schadcode-Attacken durch präparierte Anfragen möglich ∗∗∗
---------------------------------------------
Die Entwickler des Netzwerkbetriebssystems ArubaOS haben unter anderem eine kritische Lücke geschlossen.
---------------------------------------------
https://heise.de/-7321787


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tomcat9), Oracle (389-ds-base, device-mapper-multipath, firefox, git-lfs, gnutls, kernel, kernel-container, libksba, pki-core, samba, sqlite, and zlib), Red Hat (device-mapper-multipath, kernel, kpatch-patch, libksba, and thunderbird), Slackware (expat and samba), SUSE (bind, buildah, curl, firefox, golang-github-prometheus-node_exporter, grafana, icinga2, python-paramiko, python-waitress, SUSE Manager Client Tools, telnet, and xen), [...]
---------------------------------------------
https://lwn.net/Articles/912495/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, bind, expat, java-1.8.0-openjdk, java-11-openjdk, libksba, and squid), Debian (chromium, libdatetime-timezone-perl, tzdata, and wordpress), Fedora (dbus, dhcp, dotnet3.1, jhead, samba, and strongswan), Mageia (virtualbox), Oracle (device-mapper-multipath), Scientific Linux (device-mapper-multipath and thunderbird), Slackware (curl), SUSE (container-suseconnect, curl, kernel, libmad, libtasn1, libtirpc, qemu, rubygem-puppet, [...]
---------------------------------------------
https://lwn.net/Articles/912688/


∗∗∗ Windows (Mark of the Web) 0-day per JavaScript für Ransomware-Angriffe genutzt ∗∗∗
---------------------------------------------
Die Tage hatte ich über eine ungefixte 0-day-Schwachstelle, Mark of the Web (MOTOW), in Windows berichtet, für die es einen inoffiziellen Fix gibt. Nun ist mir ein Bericht unter die Augen gekommen, dass eine 0-day-Schwachstelle in diesem Bereich von Cyberkriminellen per JavaScript ausgenutzt werden kann, um Web-Sicherheitswarnungen zu umgehen und Ransomware-Angriffe zu verschleiern.
---------------------------------------------
https://www.borncity.com/blog/2022/10/27/exploited-windows-0-day-mark-of-the-web-per-javascript-fr-ransomware-angriffe-genutzt/


∗∗∗ ZDI-22-1467: (0Day) IronCAD STP File Parsing Uninitialized Pointer Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1467/


∗∗∗ VMSA-2022-0027 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0027.html


∗∗∗ K11601010: Intel Processor vulnerability CVE-2021-33149 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11601010


∗∗∗ Synology-SA-22:20 Samba ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_20


∗∗∗ Hitachi Energy MicroSCADA X DMS600 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-04


∗∗∗ Johnson Controls CKS CEVAS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-05


∗∗∗ Delta Electronics DIAEnergie ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-06


∗∗∗ AliveCor KardiaMobile ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-22-298-01


∗∗∗ Haas Controller ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-01


∗∗∗ HEIDENHAIN Controller TNC on HARTFORD Machine ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-02


∗∗∗ Rockwell Automation FactoryTalk Alarm and Events Server ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-01


∗∗∗ SAUTER Controls moduWeb ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-02


∗∗∗ Rockwell Automation Stratix Devices Containing Cisco IOS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-03


∗∗∗ Trihedral VTScada ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-04


∗∗∗ Samba Releases Security Updates ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/10/26/samba-releases-security-updates


∗∗∗ [R1] Nessus Version 10.3.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-20

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily