[CERT-daily] Tageszusammenfassung - 26.09.2022

Daily end-of-shift report team at cert.at
Mon Sep 26 18:34:58 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 23-09-2022 18:00 − Montag 26-09-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ NullMixer: oodles of Trojans in a single dropper ∗∗∗
---------------------------------------------
NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others.
---------------------------------------------
https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/


∗∗∗ Maldoc Analysis Info On MalwareBazaar, (Sat, Sep 24th) ∗∗∗
---------------------------------------------
When you lookup a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump.
---------------------------------------------
https://isc.sans.edu/diary/rss/29084


∗∗∗ Downloading Samples From Takendown Domains, (Sun, Sep 25th) ∗∗∗
---------------------------------------------
Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down).
---------------------------------------------
https://isc.sans.edu/diary/rss/29086


∗∗∗ Easy Python Sandbox Detection , (Mon, Sep 26th) ∗∗∗
---------------------------------------------
Many malicious Python scripts implement a sandbox detection mechanism, I already wrote diaries about this, but it requires some extra code in the script. Because we are lazy (attackers too), why not try to automate this and easily detect the presence of such a security mechanism?
---------------------------------------------
https://isc.sans.edu/diary/rss/29090


∗∗∗ 13,8 Millionen Downloads: Malware-Apps unter Android und iOS ∗∗∗
---------------------------------------------
Ein IT-Sicherheitsunternehmen hat Werbebetrugs-Apps in Google Play und im Apple Store gefunden, die auf insgesamt 13,8 Millionen Downloads kommen.
---------------------------------------------
https://heise.de/-7275295


∗∗∗ Ransomware: Nach Verschlüsseln kommt jetzt Kopieren & Zerstören ∗∗∗
---------------------------------------------
Das mit dem Verschlüsseln ist aufwendig und fehleranfällig – das denken sich wohl auch Cybercrime-Banden, die zuvor kopierte Daten unbrauchbar machen.
---------------------------------------------
https://heise.de/-7275667


∗∗∗ Microsoft Edge mit SOCKS Proxy über PuTTY / SSH nutzen ∗∗∗
---------------------------------------------
Microsoft Edge (dzt. geprüfte Versionen bis v107) bietet in den Einstellungen leider keine Nutzung von SOCKS-Proxys an. Edge unterstützt dies aber (obwohl sich hierzu in der offiziellen Doku leider nichts findet) über das CmdLine-Argument “--proxy-server“.
---------------------------------------------
https://hitco.at/blog/microsoft-edge-socks-proxy-putty-ssh/


∗∗∗ Betrügerisches Post-Gewinnspiel auf WhatsApp ∗∗∗
---------------------------------------------
Vorsicht, wenn Sie auf WhatsApp ein Gewinnspiel mit dem Titel „Österreichische Post Staatliche Förderung“ erhalten. Dabei handelt es sich um Fake. Sie tappen entweder in eine Abo-Falle oder laden Schadsoftware herunter. Klicken Sie nicht auf den Link und löschen Sie die Nachricht.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerisches-post-gewinnspiel-auf-whatsapp/


∗∗∗ Hunting for Unsigned DLLs to Find APTs ∗∗∗
---------------------------------------------
Hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. Our examples include well-known APTs.
---------------------------------------------
https://unit42.paloaltonetworks.com/unsigned-dlls/


∗∗∗ BumbleBee: Round Two ∗∗∗
---------------------------------------------
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates.
---------------------------------------------
https://thedfirreport.com/2022/09/26/bumblebee-round-two/


∗∗∗ MISP 2.4.163 released with improved periodic notification system and many improvements ∗∗∗
---------------------------------------------
We are pleased to announce the immediate availability of MISP v2.4.163 with an updated periodic notification systemand many improvements.
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.163


∗∗∗ Tell Me Where You Live and I Will Tell You About Your P at ssw0rd: Understanding the Macrosocial Factors Influencing Password’s Strength ∗∗∗
---------------------------------------------
Free Person Holding World Globe Facing Mountain Stock PhotoTo explore how a user’s environment influences password creation strategies, we present a blogpost series in which we consider several different perspectives – the macrosocial influence of your country (where you live), the influence of your peers (who your friends are), and a technical understanding of how they are attacked – to improve password security and mitigate the risk of poorly secured passwords.
---------------------------------------------
https://www.gosecure.net/blog/2022/09/26/tell-me-where-you-live-and-i-will-tell-you-about-your-password-understanding-the-macrosocial-factors-influencing-passwords-strength/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Microsoft Windows Shift F10 Bypass and Autopilot privilge escalation ∗∗∗
---------------------------------------------
This post demonstrates full chained exploitation, and it contains two steps. The second step is a known vulnerability, but there are other ways.
---------------------------------------------
https://k4m1ll0.com/ShiftF10Bypass-and-privesc.html


∗∗∗ Sophos Firewalls: Kritische Sicherheitslücke wird angegriffen ∗∗∗
---------------------------------------------
Angreifer nutzen eine Schwachstelle in Sophos Firewalls aus, durch die sie eigenen Code auf verwundbare Maschinen schieben. Softwareflicken dichten das Leck ab.
---------------------------------------------
https://heise.de/-7275195


∗∗∗ Angreifer nisten sich in Exchange Online ein – mit bösartigen OAuth-Apps ∗∗∗
---------------------------------------------
Microsoft hat Angriffe auf Cloud-Exchange analysiert, bei denen Angreifer mit bösartigen OAuth-Apps nachhaltig Zugang erlangten und ihn für Spam missbrauchen.
---------------------------------------------
https://heise.de/-7275757


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat and poppler), Fedora (dokuwiki), Gentoo (fetchmail, grub, harfbuzz, libaacplus, logcheck, mrxvt, oracle jdk/jre, rizin, smarty, and smokeping), Mageia (tcpreplay, thunderbird, and webkit2), SUSE (dpdk, permissions, postgresql14, puppet, and webkit2gtk3), and Ubuntu (linux-gkeop and sosreport).
---------------------------------------------
https://lwn.net/Articles/909439/


∗∗∗ Trend Micro Deep Security Agent: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein lokaler Angreifer kann mehrere Schwachstellen in Trend Micro Deep Security Agent ausnutzen, um Informationen offenzulegen oder seine Rechte zu erweitern.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1534


∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1535


∗∗∗ WhatsApp: Zwei Schwachstellen ermöglichen Remote Code-Ausführung ∗∗∗
---------------------------------------------
Meta-Tochter WhatsApp warnt vor zwei Schwachstellen in seinen Apps für Android und iOS, die die Sicherheit der Benutzer gefährden. Beide Schwachstellen ermöglichen eine Remote Code-Ausführung – die Apps sollten also zeitnah aktualisiert werden.
---------------------------------------------
https://www.borncity.com/blog/2022/09/26/whatsapp-zwei-schwachstellen-ermglichen-remote-code-ausfhrung/


∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager vulnerable to denial of service due to Apache Shiro (CVE-2022-32532) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-engagement-manager-vulnerable-to-denial-of-service-due-to-apache-shiro-cve-2022-32532/


∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-cross-site-scripting-cve-2022-31744/


∗∗∗ Security Bulletin: Due to RPM, AIX is vulnerable to arbitrary code execution (CVE-2021-20271), RPM database corruption (CVE-2021-3421), and denial of service (CVE-2021-20266) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-rpm-aix-is-vulnerable-to-arbitrary-code-execution-cve-2021-20271-rpm-database-corruption-cve-2021-3421-and-denial-of-service-cve-2021-20266/


∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to a denial of service due to Vmware Tanzu Spring Framework (CVE-2022-22971) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-engagement-manager-is-vulnerable-to-a-denial-of-service-due-to-vmware-tanzu-spring-framework-cve-2022-22971/


∗∗∗ Security Bulletin: Multiple vulnerabilities in Curl affect PowerSC ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-curl-affect-powersc-2/


∗∗∗ Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0 ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-029/


∗∗∗ CISA Has Added One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/09/23/cisa-has-added-one-known-exploited-vulnerability-catalog


∗∗∗ Node.js: September 22nd 2022 Security Releases ∗∗∗
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list