=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-12-2022 18:00 – Friday 30-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Netgear warns users to patch recently fixed WiFi router bug ∗∗∗
---------------------------------------------
Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch…
∗∗∗ New Linux malware uses 30 plugin exploits to backdoor WordPress sites ∗∗∗
---------------------------------------------
A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-pl…
∗∗∗ Security Update Guide Improvement – Representing Hotpatch Updates ∗∗∗
---------------------------------------------
Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/12/29/security-update-guide-improvemen…
∗∗∗ Opening the Door for a Knock: Creating a Custom DShield Listener, (Thu, Dec 29th) ∗∗∗
---------------------------------------------
There are a variety of services listening for connections on DShield honeypots. Different systems scanning the internet can connect to these listening services due to exceptions in the firewall. Any attempted connections blocked by the firewall are logged and can be analyzed later. This can be useful to see TCP port connection attempts, but its usefulness is limited.
---------------------------------------------
https://isc.sans.edu/diary/rss/29382
∗∗∗ SPF and DMARC use on GOV domains in different ccTLDs, (Fri, Dec 30th) ∗∗∗
---------------------------------------------
Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call robust or secure. By itself, the protocol lacks any security features related to ensuring (among other factors) integrity or authenticity of transferred data or the identity of their sender, and creating a “spoofed” e-mail is therefore quite easy.
---------------------------------------------
https://isc.sans.edu/diary/rss/29384
∗∗∗ CISA Warns of Active exploitation of JasperReports Vulnerabilities ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two-year-old security flaws impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.
---------------------------------------------
https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html
∗∗∗ ENLBufferPwn (CVE-2022-47949) ∗∗∗
---------------------------------------------
ENLBufferPwn is a vulnerability in the common network code of several first-party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victim's console by just having an online game with them (remote code execution).
---------------------------------------------
https://github.com/PabloMK7/ENLBufferPwn
∗∗∗ Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463 ∗∗∗
---------------------------------------------
Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the topic of Chrome browser exploitation on Windows in greater depth.
---------------------------------------------
https://jhalon.github.io/chrome-browser-exploitation-3/
∗∗∗ EU rules for cybersecurity soon in force: around 20,000 businesses affected ∗∗∗
---------------------------------------------
The EU has published the revised Directive on Network and Information Security (NIS2) in the Official Journal. The countdown to its transposition in Germany is running.
---------------------------------------------
https://heise.de/-7444366
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Automation, IBM Cloud Pak for Business Automation, IBM Cloud Application Business Insights, IBM Cloud Transformation Advisor, Tivoli Netcool/OMNIbus, Netcool/System Service Monitor
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918778/
∗∗∗ Synology-SA-22:26 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_26
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-12-2022 18:00 – Thursday 29-12-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Google Home speakers allowed hackers to snoop on conversations ∗∗∗
---------------------------------------------
A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed…
∗∗∗ WordPress Vulnerability & Patch Roundup December 2022 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
---------------------------------------------
https://blog.sucuri.net/2022/12/wordpress-vulnerability-patch-roundup-decem…
∗∗∗ The Worst Hacks of 2022 ∗∗∗
---------------------------------------------
The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.
---------------------------------------------
https://www.wired.com/story/worst-hacks-2022/
∗∗∗ New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection ∗∗∗
---------------------------------------------
We recently discovered ransomware which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses.
---------------------------------------------
https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hi…
∗∗∗ One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware. (arXiv:2212.13716v1 [cs.CR]) ∗∗∗
---------------------------------------------
Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware.
---------------------------------------------
http://arxiv.org/abs/2212.13716
∗∗∗ A survey and analysis of TLS interception mechanisms and motivations. (arXiv:2010.16388v2 [cs.CR] UPDATED) ∗∗∗
---------------------------------------------
TLS is an end-to-end protocol designed to provide confidentiality and integrity guarantees that improve end-user security and privacy. While TLS helps defend against pervasive surveillance of intercepted unencrypted traffic, it also hinders several common beneficial operations typically performed by middleboxes on the network traffic.
---------------------------------------------
http://arxiv.org/abs/2010.16388
∗∗∗ HardCIDR – Network CIDR and Range Discovery Tool ∗∗∗
---------------------------------------------
HardCIDR is a Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test.
---------------------------------------------
https://www.darknet.org.uk/2022/12/hardcidr-network-cidr-and-range-discover…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting ∗∗∗
---------------------------------------------
The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918715/
∗∗∗ Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers ∗∗∗
---------------------------------------------
Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.
---------------------------------------------
https://www.securityweek.com/several-dos-code-execution-vulnerabilities-fou…
∗∗∗ Thousands of unpatched Citrix servers attackable via critical vulnerabilities ∗∗∗
---------------------------------------------
In recent months, Citrix has released security updates for critical vulnerabilities in Citrix ADC and Gateway products and published corresponding security advisories.
---------------------------------------------
https://www.borncity.com/blog/2022/12/29/ungepatchte-citrix-server-zu-tause…
∗∗∗ (Non-US) DIR-825/EE : H/W Rev. R2 & DIR-825/AC Rev. G1A:: F/W 1.0.9 :: Multiple Vulnerabilities by Trend Micro, the Zero Day Initiative (ZDI) ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ IBM Synthetic Playback Agent is vulnerable due to its use of Apache Commons Text [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852105
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-12-2022 18:00 – Wednesday 28-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ AI wonder ChatGPT can generate malicious e-mails and code ∗∗∗
---------------------------------------------
Check Point Research (CPR) warns of hackers who could use OpenAI's ChatGPT and Codex to carry out targeted cyberattacks.
https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hac…
---------------------------------------------
https://www.zdnet.de/88406214/ki-wunder-chatgpt-kann-boesartige-e-mails-und…
∗∗∗ Is an Exchange ProxyNotShell disaster looming at the turn of the year 2022/2023? ∗∗∗
---------------------------------------------
Worrying information that has just reached me. Microsoft Exchange on-premises servers that are not at the current patch level are vulnerable to attacks via the ProxyNotShell vulnerabilities. Before Christmas there was then the news that the hacker group FIN7 has for some time had an automated attack platform for [...]
---------------------------------------------
https://www.borncity.com/blog/2022/12/28/droht-eine-exchange-proxynotshell-…
∗∗∗ Why Attackers Target GitHub, and How You Can Secure It ∗∗∗
---------------------------------------------
The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.
---------------------------------------------
https://www.darkreading.com/edge-articles/why-attackers-target-github-and-h…
∗∗∗ Playing with Powershell and JSON (and Amazon and Firewalls), (Wed, Dec 28th) ∗∗∗
---------------------------------------------
In this post we'll take a look at parsing and manipulating JSON in Powershell.
---------------------------------------------
https://isc.sans.edu/diary/rss/29380
∗∗∗ CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet ∗∗∗
---------------------------------------------
Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway, where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given the situation of past Citrix vulnerabilities, RIFT started to research on how to identify the [...]
---------------------------------------------
https://blog.fox-it.com/2022/12/28/cve-2022-27510-cve-2022-27518-measuring-…
∗∗∗ EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer ∗∗∗
---------------------------------------------
As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user's conversations, according to a team of researchers from several universities in the United States.
---------------------------------------------
https://www.securityweek.com/earspy-spying-phone-calls-ear-speaker-vibratio…
∗∗∗ Alias and Directive Overloading in GraphQL ∗∗∗
---------------------------------------------
Denial of Service (DoS) attacks in GraphQL APIs are nothing new. It turns out that when you let clients control what data they want to receive from the server, malicious users try to abuse this flexibility to exhaust resources.
---------------------------------------------
https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).
---------------------------------------------
https://lwn.net/Articles/918655/
∗∗∗ Microsoft Patches Azure Cross-Tenant Data Access Flaw ∗∗∗
---------------------------------------------
Microsoft has silently fixed an important-severity security flaw in its Azure Cognitive Search (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks.
---------------------------------------------
https://www.securityweek.com/microsoft-patches-azure-cross-tenant-data-acce…
∗∗∗ ABB Security Advisory: NE843 Pulsar Plus Controller ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&Lan…
∗∗∗ A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 (CVE-2022-34165). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851953
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-12-2022 18:00 – Tuesday 27-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ EarSpy attack eavesdrops on Android phones via motion sensors ∗∗∗
---------------------------------------------
A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the caller's gender and identity, and even discern private speech.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/earspy-attack-eavesdrops-on-…
∗∗∗ Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes ∗∗∗
---------------------------------------------
A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware.
---------------------------------------------
https://www.darkreading.com/cloud/container-verification-bug-malicious-imag…
∗∗∗ BlueNoroff introduces new methods bypassing MoTW ∗∗∗
---------------------------------------------
We continue to track the BlueNoroff group's activities and this October we observed the adoption of new malware strains in its arsenal.
---------------------------------------------
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
∗∗∗ DShield Sensor Setup in Azure, (Wed, Dec 21st) ∗∗∗
---------------------------------------------
In November I set up the DShield sensor in my Azure tenant using Ubuntu version 20.04. Here are the steps I followed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29370
∗∗∗ GuLoader Malware Utilizing New Techniques to Evade Security Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.
---------------------------------------------
https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html
∗∗∗ Navigating the Vast Ocean of Sandbox Evasions ∗∗∗
---------------------------------------------
After creating a bespoke sandbox environment, we discuss techniques used to target malware evasions with memory detection and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/
∗∗∗ Reminder: Basic Authentication in Exchange Online will be switched off in 2023 ∗∗∗
---------------------------------------------
Microsoft recently issued a reminder that so-called Basic Authentication in Exchange Online is being phased out and will be switched off in the coming year.
---------------------------------------------
https://www.borncity.com/blog/2022/12/27/erinnerung-basic-authentication-in…
∗∗∗ Caution! Malware Signed With Microsoft Certificate ∗∗∗
---------------------------------------------
Microsoft announced details on the distribution of malware signed with a Microsoft certificate. According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer accounts. To prevent damage, Microsoft blocked the related accounts and applied a security update (Microsoft Defender 1.377.987.0 or later).
---------------------------------------------
https://asec.ahnlab.com/en/44726/
∗∗∗ Distribution of Magniber Ransomware Stops (Since November 29th) ∗∗∗
---------------------------------------------
Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted.
---------------------------------------------
https://asec.ahnlab.com/en/43858/
∗∗∗ Inside the IcedID BackConnect Protocol ∗∗∗
---------------------------------------------
As part of our ongoing tracking of IcedID / BokBot, we wanted to share some insights derived from infrastructure associated with IcedID's BackConnect (BC) protocol.
---------------------------------------------
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
=====================
= Vulnerabilities =
=====================
∗∗∗ Ksmbd: Critical vulnerability in the Linux kernel's SMB service ∗∗∗
---------------------------------------------
Since last year the Linux kernel has had its own SMB implementation. It contains a very dangerous vulnerability; updates are available.
---------------------------------------------
https://www.golem.de/news/ksmbd-kritische-luecke-im-smb-dienst-des-linux-ke…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).
---------------------------------------------
https://lwn.net/Articles/918607/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).
---------------------------------------------
https://lwn.net/Articles/918631/
∗∗∗ Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks ∗∗∗
---------------------------------------------
Defiant's Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-premium-gift-cards-word…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0011 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0011.html
∗∗∗ Cross-Site Scripting in the Admin Panel of Lucee Server (SYSS-2022-051) ∗∗∗
---------------------------------------------
The admin panel of Lucee Server contains a cross-site scripting (XSS) vulnerability. Attackers can thereby execute JavaScript code in the browser.
---------------------------------------------
https://www.syss.de/pentest-blog/cross-site-scripting-im-admin-panel-von-lu…
∗∗∗ MISP 2.4.167 released with many improvements, bugs fixed and security fixes. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.167
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-12-2022 18:00 – Friday 23-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Vice Society ransomware gang switches to new custom encryptor ∗∗∗
---------------------------------------------
The Vice Society ransomware operation has switched to using a custom ransomware encryptor that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang…
∗∗∗ Google ad traffic leads to stealer packages based on free software, (Thu, Dec 22nd) ∗∗∗
---------------------------------------------
Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware.
---------------------------------------------
https://isc.sans.edu/diary/rss/29376
∗∗∗ Password manager: LastPass hackers have access to customers' password vaults ∗∗∗
---------------------------------------------
In an IT security incident at the provider of the LastPass password manager, attackers were after all able to access customer data including stored passwords.
---------------------------------------------
https://heise.de/-7441929
∗∗∗ Source code of the access management service Okta leaked ∗∗∗
---------------------------------------------
Unknown attackers were able to access Okta's GitHub repository and copy code. The security of the service is said not to be compromised as a result.
---------------------------------------------
https://heise.de/-7442131
∗∗∗ IcedID Botnet Distributors Abuse Google PPC to Distribute Malware ∗∗∗
---------------------------------------------
We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Is this CVSS 10 Linux Kernel vuln going to ruin your Christmas? ∗∗∗
---------------------------------------------
Before Linux users worldwide get panties in a panicked bunch, there appears to be more positive news however: At first glance the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd, can more likely than not get back their mince pies unperturbed.
---------------------------------------------
https://thestack.technology/is-this-cvss-10-linux-kernel-vulnerability-ksmb…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).
---------------------------------------------
https://lwn.net/Articles/918486/
∗∗∗ Threat Brief: OWASSRF Vulnerability Exploitation ∗∗∗
---------------------------------------------
We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts we've observed use the same PowerShell backdoor, which we track as SilverArrow.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-owassrf/
∗∗∗ CVE-2022-42889 Text4shell Apache Commons Text RCE Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
∗∗∗ PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-prem…
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851437
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ AIX is affected by a denial of service (CVE-2022-43680) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851439
∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848295
∗∗∗ IBM Integration Designer is vulnerable to denial of service (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851449
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server April and July 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851613
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-12-2022 18:00 – Thursday 22-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ FIN7 hackers create auto-attack platform to breach Exchange servers ∗∗∗
---------------------------------------------
The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-att…
∗∗∗ Ransomware and wiper signed with stolen certificates ∗∗∗
---------------------------------------------
In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.
---------------------------------------------
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates…
∗∗∗ Microsoft research uncovers new Zerobot capabilities ∗∗∗
---------------------------------------------
The Microsoft Defender for IoT research team details information on the recent distribution of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research…
∗∗∗ “Suspicious login” scammers up their game – take care at Christmas ∗∗∗
---------------------------------------------
A picture is worth 1024 words - we clicked through so you don't have to.
---------------------------------------------
https://nakedsecurity.sophos.com/2022/12/21/suspicious-login-scammers-up-th…
∗∗∗ New Android trojan targets banking apps and crypto platforms ∗∗∗
---------------------------------------------
A new banking malware called Godfather is targeting 16 countries, Germany among them. It records input in over 415 banking and crypto apps.
---------------------------------------------
https://heise.de/-7441440
∗∗∗ Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata ∗∗∗
---------------------------------------------
If the site is hosted on an Amazon Web Services (AWS) server, then collecting the AWS metadata is relatively simple. This exploit only requires calling the appropriate REST API endpoint with the right payload in the “url” parameter to achieve a successful exploit.
---------------------------------------------
https://www.wordfence.com/blog/2022/12/exploiting-wordpress-plugin-vulnerab…
∗∗∗ Qakbot Being Distributed via Virtual Disk Files (*.vhd) ∗∗∗
---------------------------------------------
There's been a recent increase in the distribution of malware using disk image files.
---------------------------------------------
https://asec.ahnlab.com/en/44662/
∗∗∗ Vidar Stealer Exploiting Various Platforms ∗∗∗
---------------------------------------------
Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2.
---------------------------------------------
https://asec.ahnlab.com/en/44554/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Windows code-execution vulnerability went undetected until now ∗∗∗
---------------------------------------------
Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems.
---------------------------------------------
https://arstechnica.com/information-technology/2022/12/critical-windows-codβ¦
∗∗∗ Security updates: attackers could compromise Synology routers ∗∗∗
---------------------------------------------
Current versions of Synology Router Manager close several security vulnerabilities. The vendor rates the severity as critical.
---------------------------------------------
https://heise.de/-7440888
∗∗∗ Important security updates for Avira Security, AVG Antivirus and others ∗∗∗
---------------------------------------------
Norton has closed several security vulnerabilities in its portfolio of antivirus software. Attackers could gain elevated user privileges.
---------------------------------------------
https://heise.de/-7441040
∗∗∗ Puckungfu: A NETGEAR WAN Command Injection ∗∗∗
---------------------------------------------
This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s WAN interface.
---------------------------------------------
https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-inβ¦
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/918379/
∗∗∗ Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service ∗∗∗
---------------------------------------------
Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-openimageio-fileβ¦
∗∗∗ Two New Security Flaws Reported in Ghost CMS Blogging Software ∗∗∗
---------------------------------------------
https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/
∗∗∗ Priva TopControl Suite ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-01
∗∗∗ Rockwell Automation Studio 5000 Logix Emulate ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-02
∗∗∗ Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-03
∗∗∗ Omron CX-Programmer ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-04
∗∗∗ IBM Content Navigator is vulnerable to missing authorization. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6844453
∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851347
∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851337
∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851351
∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851339
∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851345
∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851343
∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851349
∗∗∗ Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851341
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-12-2022 18:00 – Wednesday 21-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers bombard PyPi platform with information-stealing malware ∗∗∗
---------------------------------------------
The PyPi python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platforβ¦
∗∗∗ VirusTotal cheat sheet makes it easy to search for specific results ∗∗∗
---------------------------------------------
VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makesβ¦
∗∗∗ FBI warns of search engine ads pushing malware, phishing ∗∗∗
---------------------------------------------
The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-aβ¦
∗∗∗ Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT ∗∗∗
---------------------------------------------
After Microsoft announced this year that macros from the Internet will be blocked by default in Office, many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-mβ¦
∗∗∗ Fake jQuery Domain Redirects Site Visitors to Scam Pages ∗∗∗
---------------------------------------------
A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing.
---------------------------------------------
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-β¦
∗∗∗ Parental control apps: smart kids could attack their parents ∗∗∗
---------------------------------------------
Security researchers have examined Android apps that let parents restrict their children's Internet access. But vulnerabilities weaken the protection.
---------------------------------------------
https://heise.de/-7435146
∗∗∗ Adult popunder campaign used in mainstream ad fraud scheme ∗∗∗
---------------------------------------------
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popundeβ¦
∗∗∗ Meddler-in-the-Middle Phishing Attacks Explained ∗∗∗
---------------------------------------------
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.
---------------------------------------------
https://unit42.paloaltonetworks.com/meddler-phishing-attacks/
∗∗∗ Godfather: A banking Trojan that is impossible to refuse ∗∗∗
---------------------------------------------
Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries.
---------------------------------------------
https://blog.group-ib.com/godfather-trojan
∗∗∗ Didn’t Notice Your Rate Limiting: GraphQL Batching Attack ∗∗∗
---------------------------------------------
In this article, we will discuss how allowing multiple queries or requesting multiple object instances in a single network call can be abused leading to massive data leaks or Denial of Service (DoS).
---------------------------------------------
https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batchingβ¦
∗∗∗ A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 ∗∗∗
---------------------------------------------
This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-β¦
∗∗∗ Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks ∗∗∗
---------------------------------------------
In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-grouβ¦
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Attacks on Exchange Server seen in the ProxyNotShell context ∗∗∗
---------------------------------------------
Security researchers warn of a new exploit that bypasses ProxyNotShell mitigations. Security updates are available, however.
---------------------------------------------
https://heise.de/-7434860
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils).
---------------------------------------------
https://lwn.net/Articles/918313/
∗∗∗ Passwordless Persistence and Privilege Escalation in Azure ∗∗∗
---------------------------------------------
Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons.
---------------------------------------------
https://posts.specterops.io/passwordless-persistence-and-privilege-escalatiβ¦
∗∗∗ Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN29902403/
∗∗∗ Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking ∗∗∗
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-hikvision-wireless-bridβ¦
∗∗∗ Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-eβ¦
∗∗∗ Privilege escalation in Razer Synapse (SYSS-2022-047) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-202β¦
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the package org.yaml:snakeyaml and jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849213
∗∗∗ GraphQL Denial of Service security vulnerability CVE-2022-37734 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828663
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849223
∗∗∗ Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849249
∗∗∗ OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6850775
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-12-2022 18:00 – Tuesday 20-12-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Linux File System Monitoring & Actions, (Tue, Dec 20th) ∗∗∗
---------------------------------------------
There can be multiple reasons to keep an eye on a critical/suspicious file or directory. For example, you could track an attacker and wait for some access to the captured credentials in a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements an FIM (File Integrity Monitoring). Upon a file change, an action can be triggered. Nice, but what if you would like a quick solution but agentless?
---------------------------------------------
https://isc.sans.edu/diary/rss/29362
∗∗∗ ChatGPT: Emerging AI Threat Landscape ∗∗∗
---------------------------------------------
ChatGPT is a prototype chatbot released by OpenAI. The chatbot is powered by AI and is gaining more traction than previous chatbots because it not only interacts in a conversational manner but has the capability to create code and many other complex questions and requests.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-emeβ¦
∗∗∗ Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications.
---------------------------------------------
https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html
∗∗∗ Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg ∗∗∗
---------------------------------------------
We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior.
---------------------------------------------
https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilterβ¦
∗∗∗ clif - simple command-line application fuzzer ∗∗∗
---------------------------------------------
clif is a command-line application fuzzer, pretty much what a wfuzz or ffuf are for web. It was inspired by sudo vulnerability CVE-2021-3156 and the fact that, for some reasons, Google's afl-fuzz doesn't allow for unlimited argument or option specification.
---------------------------------------------
https://andy.codes/content/blog/2022-12-20-clif.html
∗∗∗ Better Make Sure Your Password Manager Is Secure ∗∗∗
---------------------------------------------
As part of a security analysis, our colleagues kuekerino, ubahnverleih and parzel examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application.
---------------------------------------------
https://www.modzero.com/modlog/archives/2022/12/19/better_make_sure_your_paβ¦
∗∗∗ New RisePro Infostealer Increasingly Popular Among Cybercriminals ∗∗∗
---------------------------------------------
A recently identified information stealer named “RisePro” is being distributed by pay-per-install malware downloader service “PrivateLoader”, cyberthreat firm Flashpoint reports. Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs.
---------------------------------------------
https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-aβ¦
∗∗∗ Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins ∗∗∗
---------------------------------------------
As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.
---------------------------------------------
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/
∗∗∗ Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities ∗∗∗
---------------------------------------------
More than two years ago, a researcher, A2nkF demonstrated the exploit chain from root privilege escalation to SIP-Bypass up to arbitrary kernel extension loading. In this blog entry, we will discuss how we discovered 3 more vulnerabilities from the old exploit chain.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/diving-into-an-old-exploit-cβ¦
∗∗∗ Raspberry Robin Malware Targets Telecom, Governments ∗∗∗
---------------------------------------------
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targβ¦
∗∗∗ Web3 IPFS Only Used for Phishing - So Far ∗∗∗
---------------------------------------------
We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phisβ¦
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird).
---------------------------------------------
https://lwn.net/Articles/918268/
∗∗∗ FoxIt Patches Code Execution Flaws in PDF Tools ∗∗∗
---------------------------------------------
Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products.
---------------------------------------------
https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools
∗∗∗ [R1] Nessus Network Monitor Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-28
∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-01
∗∗∗ Rockwell Automation GuardLogix and ControlLogix controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-02
∗∗∗ ARC Informatique PcVue ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-03
∗∗∗ Rockwell Automation MicroLogix 1100 and 1400 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-04
∗∗∗ Delta 4G Router DX-3021 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-05
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.5ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849101
∗∗∗ IBM UrbanCode Build is affected by CVE-2022-42252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849111
∗∗∗ IBM UrbanCode Build is affected by CVE-2021-43980 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849109
∗∗∗ IBM UrbanCode Build is affected by CVE-2022-34305 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849107
=====================
= End-of-Day report =
=====================
Timeframe: Friday 16-12-2022 18:00 – Monday 19-12-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Infostealer Malware with Double Extension, (Sun, Dec 18th) ∗∗∗
---------------------------------------------
Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning engines.
---------------------------------------------
https://isc.sans.edu/diary/rss/29354
∗∗∗ Day 3 – Next Level Font Obfuscation ∗∗∗
---------------------------------------------
Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable.
---------------------------------------------
https://medium.com/@doctoreww/day-3-next-level-font-obfuscation-7a6cd978c7a5
∗∗∗ Venom ∗∗∗
---------------------------------------------
Venom is a C++ library that is meant to give an alternative way to communicate: instead of creating a socket that could be traced back to the process, it creates a new "hidden" (there is no window shown) detached edge process (edge was chosen because it is a browser that is installed on every Windows 10+ and won't raise suspicion) and steals one of its sockets to perform the network operations.
---------------------------------------------
https://github.com/Idov31/Venom
∗∗∗ Exploiting API Framework Flexibility ∗∗∗
---------------------------------------------
The modern frameworks are often very flexible with what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL encoded body, or even with query parameters. Due to this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative approaches.
---------------------------------------------
https://attackshipsonfi.re/p/exploiting-api-framework-flexibility
∗∗∗ Fake shops and phishing SMS: the scams of the online Christmas season ∗∗∗
---------------------------------------------
Christmas once again means peak season for fraudsters who go after their victims' money with fake shops and misleading SMS messages.
---------------------------------------------
https://www.derstandard.at/story/2000141845543/fake-shops-und-phishing-sms-β¦
∗∗∗ BSI presents 19 IT-Grundschutz building blocks as Final Draft ∗∗∗
---------------------------------------------
A brief note for administrators and IT service providers active in the enterprise environment. This week the Federal Office for Information Security (BSI) presented 19 so-called IT-Grundschutz building blocks as so-called Final Drafts. They range from .NET through Active Directory Domain Services to Windows Server.
---------------------------------------------
https://www.borncity.com/blog/2022/12/18/bsi-legt-19-it-grundschutz-bausteiβ¦
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2022-12-16 - 2022-12-18 ∗∗∗
---------------------------------------------
Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDsβ¦
∗∗∗ HP addresses code-execution flaws with BIOS updates ∗∗∗
---------------------------------------------
Security updates close several vulnerabilities in HP computers. Some of the flaws affect AMD systems only.
---------------------------------------------
https://heise.de/-7398783
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).
---------------------------------------------
https://lwn.net/Articles/918203/
∗∗∗ Synology-SA-22:24 Samba AD DC ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraint via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_24
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329 ∗∗∗
---------------------------------------------
Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash.
---------------------------------------------
https://support.citrix.com/article/CTX473048/citrix-hypervisor-security-bulβ¦
∗∗∗ Zenphoto vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN06093462/
∗∗∗ Corel Roxio Creator LJB starts a program with an unquoted file path ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN13075438/
∗∗∗ ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1681/
∗∗∗ DLL Search Order Hijacking Vulnerability in the DWG TrueView™ Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0024
∗∗∗ Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6845928
∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6841801
∗∗∗ IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848587
∗∗∗ IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848585
∗∗∗ IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848583
∗∗∗ IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848577
∗∗∗ UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848581
∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848847
∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848879
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 15-12-2022 18:00 – Friday 16-12-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Phishing attack uses Facebook posts to evade email security ∗∗∗
---------------------------------------------
A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-attack-uses-facebooβ¦
∗∗∗ Backdoor Targets FreePBX Asterisk Management Portal ∗∗∗
---------------------------------------------
Written in PHP and JavaScript, FreePBX is a web-based open-source GUI that manages Asterisk, a voice over IP and telephony server. This open-source software allows users to build customer phone systems. During a recent investigation, I came across a simple piece of malware targeting FreePBX’s Asterisk Management portal which allowed attackers to arbitrarily add and delete users, as well as modify the website’s .htaccess file. Let’s take a closer look at this backdoor.
---------------------------------------------
https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-managemenβ¦
∗∗∗ Decentralized Identity Attack Surface – Part 2 ∗∗∗
---------------------------------------------
This is the second part of our Decentralized Identity (DID) blog series. In case you’re not familiar with DID concepts, we highly encourage you to start with the first part. This time we will cover a different DID implementation – Sovrin. We will also see what a critical (CVSS 10) DID vulnerability looks like by reviewing the one we found in this popular implementation.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/decentralized-identβ¦
*** The end of the insecure SHA-1 hash algorithm is dragging on like chewing gum ***
---------------------------------------------
The National Institute of Standards and Technology is retiring the long-since-broken SHA-1 algorithm, but it will only be final in eight years.
---------------------------------------------
https://heise.de/-7396973
*** Code injection possible: Microsoft upgrades security vulnerability to "critical" ***
---------------------------------------------
A security vulnerability for which Microsoft has provided an update unexpectedly allows unauthenticated attackers to inject malicious code.
---------------------------------------------
https://heise.de/-7396879
*** The Data Protection Officer, an ubiquitous role nobody really knows. (arXiv:2212.07712v1 [cs.CR]) ***
---------------------------------------------
Among all cybersecurity and privacy workers, the Data Protection Officer (DPO) stands between those auditing a company's compliance and those acting as management advisors. It is a person who must be versed, to some degree, in legal, management, and cybersecurity technical skills. We describe how this role tackles socio-technical risks in everyday scenarios.
---------------------------------------------
http://arxiv.org/abs/2212.07712
*** FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food ***
---------------------------------------------
The joint CSA analyzes the common tactics, techniques, and procedures (TTPs) utilized by criminal actors to spoof emails and domains to impersonate legitimate employees and order goods that went unpaid and were possibly resold at devalued prices with labeling that lacked industry-standard "need-to-knows" (i.e., necessary information about ingredients, allergens, or expiration dates).
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/fbi-fda-oci-and-u…
*** Agenda Ransomware Uses Rust to Target More Vital Industries ***
---------------------------------------------
This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agenda's Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-…
=====================
= Vulnerabilities =
=====================
*** VMSA-2022-0034 ***
---------------------------------------------
vRealize Operations (vROps) contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0034.html
*** Cisco Security Advisories 2022-12-16 ***
---------------------------------------------
Cisco has updated 18 security advisories: (4x Critical, 11x High, 3x Medium)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP…
*** Vulnerabilities in Autodesk Image Processing component used by Autodesk products II ***
---------------------------------------------
Applications and services that utilize the Image Processing component used by Autodesk products may be impacted by Out-of-bounds Read, Heap-based Overflow, Out-of-bounds Write, Memory corruption, and Use-after-free vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0025
*** Security updates for Friday ***
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libde265, php7.3, and thunderbird), Fedora (firefox, freeradius, freerdp, and xorg-x11-server), Oracle (firefox, prometheus-jmx-exporter, and thunderbird), Red Hat (firefox, nodejs:16, prometheus-jmx-exporter, and thunderbird), and SUSE (ceph and chromium).
---------------------------------------------
https://lwn.net/Articles/918047/
*** Samba Releases Security Updates ***
---------------------------------------------
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/samba-releases-se…
*** Remote code execution bypass in Eclipse Business Intelligence Reporting Tool (BiRT) ***
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/remote-code-execution-by…
*** IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ***
---------------------------------------------
https://www.ibm.com/support/pages/node/6848317
*** Multiple Vulnerabilities in base image packages affect IBM Voice Gateway ***
---------------------------------------------
https://www.ibm.com/support/pages/node/6848319
*** Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ***
---------------------------------------------
https://www.ibm.com/support/pages/node/6848279