[CERT-daily] Tageszusammenfassung - 28.09.2022

Wed Sep 28 19:03:40 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 27-09-2022 18:00 − Mittwoch 28-09-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Microsoft to retire Exchange Online client access rules in a year ∗∗∗
---------------------------------------------
Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-exchange-online-client-access-rules-in-a-year/


∗∗∗ Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks ∗∗∗
---------------------------------------------
The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/


∗∗∗ Prilex: the pricey prickle credit card complex ∗∗∗
---------------------------------------------
Prilex is a Brazilian threat actor focusing on ATM and PoS attacks. In this report, we provide an overview of its PoS malware.
---------------------------------------------
https://securelist.com/prilex-atm-pos-malware-evolution/107551/


∗∗∗ New Malware Variants Serve Bogus CloudFlare DDoS Captcha ∗∗∗
---------------------------------------------
When attackers shift up their campaigns, change their payload or exfiltration domains, and put some extra effort into hiding their malware it’s usually a telltale sign that they are making some money off of their exploits. One such campaign is the fake CloudFlare DDoS pages which we reported on last month.
---------------------------------------------
https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare-ddos-captcha.html


∗∗∗ Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems ∗∗∗
---------------------------------------------
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.
---------------------------------------------
https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html


∗∗∗ Zielscheibe Open-Source-Paket: Angriffe 700 Prozent häufiger als vor drei Jahren ∗∗∗
---------------------------------------------
Open-Source-Repositories werden immer häufiger zum Angriffsziel Krimineller. Allein im letzten Jahr hat Sonatype über 55.000 infizierte Pakete identifiziert.
---------------------------------------------
https://heise.de/-7278355


∗∗∗ Attacking Encrypted HTTP Communications ∗∗∗
---------------------------------------------
The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers.
---------------------------------------------
https://www.pentestpartners.com/security-blog/attacking-encrypted-http-communications/


∗∗∗ Decrypt “encrypted stub data” in Wireshark ∗∗∗
---------------------------------------------
I often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC But I’m often interrupted in my enthusiasm by the payload dissected as “encrypted stub data”: Can we decrypt this “encrypted stub data?”
---------------------------------------------
https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7


∗∗∗ Stories from the SOC - C2 over port 22 ∗∗∗
---------------------------------------------
The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-c2-over-port-22


=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#855201: L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers ∗∗∗
---------------------------------------------
OverviewLayer-2 (L2) network security controls provided by various devices, such as switches, routers, and operating systems, can be bypassed by stacking Ethernet protocol headers. An attacker can send crafted packets through vulnerable devices to cause Denial-of-service (DoS) or to perform a man-in-the-middle (MitM) attack against a target network. This vulnerability exists within Ethernet encapsulation protocols that allow for stacking of Virtual Local Area Network (VLAN) headers.
---------------------------------------------
https://kb.cert.org/vuls/id/855201


∗∗∗ Cisco Security Advisories 2022-09-27 - 2022-09-28 ∗∗∗
---------------------------------------------
Cisco published 23 Security Advisories (13 High, 10 Medium Severity)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F09%2F27&firstPublishedEndDate=2022%2F09%2F28


∗∗∗ Webbrowser Chrome 106: Neue Funktionen und 20 abgedichtete Sicherheitslecks ∗∗∗
---------------------------------------------
Google bessert 20 teils hochriskante Sicherheitslücken im Webbrowser Chrome aus. Zudem erhält der Browser neue Funktionen und Verbesserungen.
---------------------------------------------
https://heise.de/-7277825


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15).
---------------------------------------------
https://lwn.net/Articles/909676/


∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um Informationen offenzulegen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1552


∗∗∗ Security Bulletin: A Security Vulnerability was fixed in IBM Application Gateway. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-was-fixed-in-ibm-application-gateway/


∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2022-35282) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-is-vulnerable-to-server-side-request-forgery-cve-2022-35282/


∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM QRadar User Behavior Analytics (CVE-2022-36771) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-in-ibm-qradar-user-behavior-analytics-cve-2022-36771/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-app-connect-enterprise-and-ibm-integration-bus/


∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to identity spoofing by an authenticated user using a specially crafted request. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-to-identity-spoofing-by-an-authenticated-user-using-a-specially-crafted-request/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-functional-tester-9/


∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to HTTP header injection, caused by improper validation. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-to-http-header-injection-caused-by-improper-validation/


∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-cross-site-scripting-cve-2022-32750/


∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2022-21299) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-decision-optimization-center-cve-2022-21299/


∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-stored-cross-site-scripting-cve-2022-35721/


∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-stored-cross-site-scripting-cve-2022-35722-2/


∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-an-xml-external-entity-injection-attack-cve-2022-31775/


∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to zlib (CVE-2018-25032) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-ibm-integration-bus-are-vulnerable-to-a-denial-of-service-due-to-zlib-cve-2018-25032/


∗∗∗ Security Bulletin:IBM TRIRIGA Application Platform discloses possible path command execution(CVE-2021-41878) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletinibm-tririga-application-platform-discloses-possible-path-command-executioncve-2021-41878/


∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-eclipse-paho-java-client-could-allow-a-remote-attacker-to-bypass-security-restric/


∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1549


∗∗∗ Moodle: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1546


∗∗∗ Check Point ZoneAlarm Extreme Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1544

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily