[CERT-daily] Tageszusammenfassung - 28.10.2022

Daily end-of-shift report team at cert.at
Fri Oct 28 19:13:48 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 27-10-2022 18:00 − Friday 28-10-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Windows: Dangerous IE-based vulnerabilities ∗∗∗
---------------------------------------------
Security researchers at Varonis Threat Labs have uncovered two Windows vulnerabilities that create large blind spots for security software and can take machines out of service by means of DoS attacks. LogCrusher and OverLog make use of the Internet Explorer-specific event log MS-EVEN, which is present on all current Windows operating systems regardless of whether the browser has ever been or is being used. While OverLog has since been fixed, Microsoft recently released only a partial patch for LogCrusher: cybercriminals can therefore still carry out attacks once they have obtained administrator access to the victim's network.
---------------------------------------------
https://www.borncity.com/blog/2022/10/28/windows-gefhrliche-ie-basierende-schwachstellen/


∗∗∗ New website: Apple makes security research easier ∗∗∗
---------------------------------------------
A new central portal explains the bug bounty programme and makes it possible to get in touch with the company's security team faster and more directly.
---------------------------------------------
https://heise.de/-7323634


∗∗∗ macOS 13: Anti-malware tools toothless after upgrade ∗∗∗
---------------------------------------------
Because of an Apple bug in macOS Ventura, antivirus software and other security tools no longer work properly. The problem can be fixed.
---------------------------------------------
https://heise.de/-7322669


∗∗∗ Beware of this fake Raiffeisen investment trap ∗∗∗
---------------------------------------------
Make money with Raiffeisen: supposedly on offer are shares in one of Austria's largest banks. The promise sounds good, but this is a well-disguised phishing site. Do not invest on lps.snowgross.com, you would be walking into an investment fraud trap!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-raiffeisen-investmentfalle/


∗∗∗ One-Time Programs ∗∗∗
---------------------------------------------
One of the things I like to do on this blog is write about new research that has a practical angle. Most of the time (I swear) this involves writing about other folks' research: it's not that often that I write about work that comes out of my own lab. Today I'm going to make an [...]
---------------------------------------------
https://blog.cryptographyengineering.com/2022/10/27/one-time-programs/


∗∗∗ Apple clarifies security update policy: Only the latest OSes are fully patched ∗∗∗
---------------------------------------------
New document confirms what security researchers have observed for a few years.
---------------------------------------------
https://arstechnica.com/?p=1893235


∗∗∗ Android malware droppers with 130K installs found on Google Play ∗∗∗
---------------------------------------------
A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-droppers-with-130k-installs-found-on-google-play/


∗∗∗ Exploit released for critical VMware RCE vulnerability, patch now ∗∗∗
---------------------------------------------
Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-rce-vulnerability-patch-now/


∗∗∗ Researchers Expose Over 80 ShadowPad Malware C2 Servers ∗∗∗
---------------------------------------------
As many as 85 command-and-control (C2) servers have been discovered supporting the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. That's according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications.
---------------------------------------------
https://thehackernews.com/2022/10/researchers-expose-over-80-shadowpad.html


∗∗∗ Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints ∗∗∗
---------------------------------------------
The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up.
---------------------------------------------
https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html


∗∗∗ TCP/IP Vulnerability CVE-2022-34718 PoC Restoration and Analysis ∗∗∗
---------------------------------------------
The patch released by Microsoft last month contained a vulnerability in the TCP/IP protocol that allowed for code execution. To ascertain the impact of the vulnerability, Numen’s security research team conducted an in-depth analysis of the vulnerability and restored the PoC through patch comparison.
---------------------------------------------
https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf


∗∗∗ Defeating Guloader Anti-Analysis Technique ∗∗∗
---------------------------------------------
Unit 42 is providing a script to deobfuscate a recently discovered Guloader variant that uses anti-analysis techniques, and other samples like it.
---------------------------------------------
https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/


∗∗∗ Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign ∗∗∗
---------------------------------------------
Group uses novel method of reading commands from legitimate IIS logs.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for older iOS and iPadOS ∗∗∗
---------------------------------------------
iPadOS 15.7.1 and iOS 15.7.1 close serious security holes for everyone who does not want to, or cannot, update to iPadOS 16 and iOS 16.
---------------------------------------------
https://heise.de/-7323199


∗∗∗ Web browser: Developers close high-risk security vulnerability in Chrome ∗∗∗
---------------------------------------------
Google has released an update for the Chrome web browser. In it, the developers seal off a vulnerability rated as high risk.
---------------------------------------------
https://heise.de/-7322963


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
CP4D Match 360, IBM Answer Retrieval for Watson Discovery versions 2.8 and earlier, IBM Cloud Pak System, IBM Db2 On Openshift, IBM Db2® on Cloud Pak for Data, Db2 Warehouse® on Cloud Pak for Data, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM QRadar SIEM, IBM TXSeries for Multiplatforms, IBM Voice Gateway, IBM Watson Assistant for IBM Cloud Pak for Data, IBM® SDK, Java™ Technology Edition, Liberty for Java for IBM Cloud, node.js
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat, ruby-sinatra, and thunderbird), Fedora (glances), Mageia (cups, firefox, git, heimdal, http-parser, krb5-appl, minidlna, nginx, and thunderbird), Oracle (389-ds:1.4, device-mapper-multipath, firefox, mysql:8.0, postgresql:12, and thunderbird), SUSE (dbus-1, libconfuse0, libtasn1, openjpeg2, qemu, and thunderbird), and Ubuntu (dbus, linux-azure-fde, and tiff).
---------------------------------------------
https://lwn.net/Articles/912873/


∗∗∗ Corel Coreldraw graphics suite vulnerabilities ∗∗∗
---------------------------------------------
https://secalerts.co/vulnerabilities/corel/coreldraw_graphics_suite


∗∗∗ Case update: DIVD-2022-00020 - Multiple injection vulnerabilities identified within Feathers.js ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00020/


∗∗∗ Case update: DIVD-2022-00045 - Injection vulnerability found within Socket.io ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00045/


∗∗∗ [R1] Nessus Version 10.4.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-21

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily