[CERT-daily] Tageszusammenfassung - 22.09.2022

Thu Sep 22 18:08:15 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 21-09-2022 18:00 − Donnerstag 22-09-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ BlackCat ransomware’s data exfiltration tool gets an upgrade ∗∗∗
---------------------------------------------
The BlackCat ransomware (aka ALPHV) isnt showing any signs of slowing down, and the latest example of its evolution is a new version of the gangs data exfiltration tool used for double-extortion attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-s-data-exfiltration-tool-gets-an-upgrade/


∗∗∗ Critical Magento vulnerability targeted in new surge of attacks ∗∗∗
---------------------------------------------
Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-magento-vulnerability-targeted-in-new-surge-of-attacks/


∗∗∗ RAT Delivered Through FODHelper , (Thu, Sep 22nd) ∗∗∗
---------------------------------------------
I found a simple batch file that drops a Remcos RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper").
---------------------------------------------
https://isc.sans.edu/diary/rss/29078


∗∗∗ Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure ∗∗∗
---------------------------------------------
Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers.
---------------------------------------------
https://thehackernews.com/2022/09/researchers-disclose-critical.html


∗∗∗ Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions ∗∗∗
---------------------------------------------
Recently (in August of 2022), the Sysinternals team released Sysmon 14.0 – a notable update of a powerful and configurable tool for monitoring Windows machines. While Sysmon already included a few valuable detection capabilities, the update introduced the first preventive measure – the FileBlockExecutable event (ID 27).
---------------------------------------------
https://www.huntandhackett.com/blog/bypassing-sysmon


∗∗∗ A technical analysis of the leaked LockBit 3.0 builder ∗∗∗
---------------------------------------------
This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022.
---------------------------------------------
https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/


∗∗∗ You can’t stop me. MS Teams session hijacking and bypass ∗∗∗
---------------------------------------------
How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user.
---------------------------------------------
https://www.pentestpartners.com/security-blog/you-cant-stop-me-ms-teams-session-hijacking-and-bypass/


∗∗∗ Webinar: Love Scams im Internet erkennen ∗∗∗
---------------------------------------------
Am Mittwoch, den 28.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Love Scams" statt.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-love-scams-im-internet-erkennen/


∗∗∗ Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics ∗∗∗
---------------------------------------------
New version of Exmatter, and Eamfo malware, used by attackers deploying the Rust-based ransomware.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps


∗∗∗ AA22-265A: Control System Defense: Know the Opponent ∗∗∗
---------------------------------------------
This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa22-265a


∗∗∗ MindShaRE: Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja ∗∗∗
---------------------------------------------
Disclosure of uninitialized memory is one of the common problems faced when copying data across trust boundaries. This can happen between the hypervisor and guest OS, kernel and user space, or across the network.
---------------------------------------------
https://www.thezdi.com/blog/2022/9/19/mindshare-analyzing-bsd-kernels-with-binary-ninja


=====================
=  Vulnerabilities  =
=====================

∗∗∗ IBM Security Bulletins 2022-09-21 ∗∗∗
---------------------------------------------
IBM Security Guardium, IBM Cloud Pak for Multicloud Management Managed Services, IBM Tivoli Netcool Impact, IBM Maximo Asset Management, IBM Spectrum Protect Plus SQL.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Notfallpatch für Microsoft Endpoint Configuration Manager erschienen ∗∗∗
---------------------------------------------
Admins sollten die IT-Managementlösung Endpoint Configuration Manager von Microsoft aktualisieren. Es könnten Attacken bevorstehen.
---------------------------------------------
https://heise.de/-7272195


∗∗∗ Python: 15 Jahre alte Schwachstelle betrifft potenziell 350.000 Projekte ∗∗∗
---------------------------------------------
Das Issue zu der Directory-Traversal-Schwachstelle in dem Modul tarfile existiert seit 2007. Geschlossen wurde es mit einem Hinweis in der Dokumentation.
---------------------------------------------
https://heise.de/-7272186


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (e17, fish, mako, and tinygltf), Fedora (mingw-poppler), Mageia (firefox, google-gson, libxslt, open-vm-tools, redis, and sofia-sip), Oracle (dbus-broker, kernel, kernel-container, mysql, and nodejs and nodejs-nodemon), Slackware (bind), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, [...]
---------------------------------------------
https://lwn.net/Articles/909051/


∗∗∗ Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414) ∗∗∗
---------------------------------------------
https://research.nccgroup.com/2022/09/22/technical-advisory-multiple-vulnerabilities-in-juplink-rx4-1800-wifi-router-cve-2022-37413-cve-2022-37414/


∗∗∗ HP LaserJet: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1499


∗∗∗ Measuresoft ScadaPro Server ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-265-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily