Daily

daily@lists.cert.at

3157 discussions

Tageszusammenfassung - 05.10.2022
by Daily end-of-shift report 05 Oct '22

05 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-10-2022 18:00 − Mittwoch 05-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange Zero-Day: Microsoft korrigiert Workaround ∗∗∗ --------------------------------------------- Der zuerst vorgeschlagene Workaround für die Zero-Day-Lücke ProxyNotShell in Exchange ließ sich einfach umgehen. Microsoft liefert eine korrigierte Fassung. --------------------------------------------- https://heise.de/-7284241 ∗∗∗ Ende von Basic Auth: Brute-Force-Angriffe auf Microsoft Exchange nehmen zu ∗∗∗ --------------------------------------------- Microsoft berichtet von vielen Angriffen auf E-Mail-Konten, die noch die einfache Authentifizierung nutzen. Kunden sollen rasch handeln. --------------------------------------------- https://www.golem.de/news/ende-von-basic-auth-brute-force-angriffe-auf-micr… ∗∗∗ Post-Exploitation Persistent Email Forwarder in Outlook Desktop ∗∗∗ --------------------------------------------- There is an exploitation method that can automatically forward emails CC’d to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploi… ∗∗∗ GandCrab bedroht Deutschland ∗∗∗ --------------------------------------------- Die Ransomware GandCrab dominiert in Deutschland, Österreich und der Schweiz die ESET Erkennungsstatistiken. Nahezu jeder vierte Ransomware-Fund geht auf GandCrab zurück. --------------------------------------------- https://www.zdnet.de/88403902/gandcrab-bedroht-deutschland/ ∗∗∗ Vorsicht vor Blackout-Shops wie dyn-amo.de und dynamos.at! ∗∗∗ --------------------------------------------- Immer wieder wird aktuell von der Möglichkeit kurzzeitiger Blackouts, also großflächiger Strom-, Internet- oder Heizungsausfälle berichtet. Unseriöse Online-Shops wie jene von ECOM4YOU, HAPPY SHOPPING oder Shopfactory24 GmbH bauen auf die Ängste ihrer Kundinnen und Kunden und bieten Notfall-Sets für Blackouts an. Vorsicht, wir haben es getestet: Die Produkte sind überteuert, die Lieferzeiten lang, die Qualität teils minderwertig und [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-blackout-shops-wie-dyn-… ∗∗∗ Shadowserver Alliance Launch ∗∗∗ --------------------------------------------- The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion to Shadowservers freely provided internet security services and enables partners, [...] --------------------------------------------- https://www.shadowserver.org/news/shadowserver-alliance-launch/ ∗∗∗ Credential Harvesting with Telegram API, (Tue, Oct 4th) ∗∗∗ --------------------------------------------- Phishing emails are a daily occurrence and many times it ends with credential harvesting. An email initially lures a user to a website that promised an anticipated file. The landing page taunts a user to click on an additional link and enter their credentials. In this case, the credentials entered by the user are not sent back to the bad actor using a simple web form but using the Telegram API [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/29112 ∗∗∗ How to Secure & Harden Your Joomla! Website in 12 Steps ∗∗∗ --------------------------------------------- At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, advice can often be too broad; different content management systems (CMS) exist in this ecosystem and each require a unique security configuration. --------------------------------------------- https://blog.sucuri.net/2022/10/how-to-secure-harden-your-joomla-website-in… ∗∗∗ Securing Developer Tools: A New Supply Chain Attack on PHP ∗∗∗ --------------------------------------------- Supply chain attacks are a hot topic for development organizations today. Last year, in the largest ever software supply chain attack, a backdoor infected 18,000 SolarWinds customers. Earlier this year, a security researcher was able to breach Apple, Microsoft, Paypal, and other tech giants using a new supply chain attack technique. --------------------------------------------- https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-at… ∗∗∗ Our Fox-IT Dissect framework for forensic data collection, now open source ∗∗∗ --------------------------------------------- Dissect is a framework for collecting and analysing large amounts of forensic data. A game changer in cyber incident response, it enables data acquisition on thousands of systems within hours, regardless of the nature and size of the IT environment to be investigated after an attack. --------------------------------------------- https://www.mynewsdesk.com/nccgroup/pressreleases/our-fox-it-dissect-framew… ∗∗∗ Change in Magniber Ransomware (*.js → *.wsf) – September 28th ∗∗∗ --------------------------------------------- The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection [...] --------------------------------------------- https://asec.ahnlab.com/en/39489/ ∗∗∗ How Water Labbu Exploits Electron-Based Applications ∗∗∗ --------------------------------------------- In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-ele… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Angreifer könnten ihre Rechte unter Android 10 bis 13 hochstufen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen zum Teil kritische Lücken in verschiedenen Android-Versionen. --------------------------------------------- https://heise.de/-7284409 ∗∗∗ Aruba: Kritische Sicherheitslücke in Access Points ∗∗∗ --------------------------------------------- Aruba warnt vor kritischen Sicherheitslücken in den eigenen Access Points. --------------------------------------------- https://heise.de/-7284335 ∗∗∗ IBM Security Bulletins 2022-10-04 ∗∗∗ --------------------------------------------- IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manage, IBM Tivoli Monitoring, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM Security Guardium, Rational Business Developer, IBM Cloud Pak for Watson, IBM i Modernization Engine, IBM CICS TX Advanced, IBM Planning Analytics Workspace, IBM Security Guardium. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (barbican, mediawiki, and php-twig), Fedora (bash, chromium, lighttpd, postgresql-jdbc, and scala), Mageia (bash, chromium-browser-stable, and golang), Oracle (bind, bind9.16, and squid:4), Red Hat (bind, bind9.16, RHSSO, and squid:4), Scientific Linux (bind), SUSE (cifs-utils, libjpeg-turbo, nodejs14, and nodejs16), and Ubuntu (jackd2, linux-gke, and linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/910395/ ∗∗∗ SA45476 - Client Side Desync Attack (Informational) ∗∗∗ --------------------------------------------- The deprecated Pulse Collaboration feature is vulnerable to Client-Side Desync attacks on versions of PCS 9.1R15 and below. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-D… ∗∗∗ OpenSSH: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1621 ∗∗∗ Keycloak: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1624 ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1625 ∗∗∗ Matomo: Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1626 ∗∗∗ BD Totalys MultiProcessor ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-277-01 ∗∗∗ Johnson Controls Metasys ADX Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-01 ∗∗∗ Hitachi Energy Modular Switchgear Monitoring (MSM) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-02 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-03 ∗∗∗ OMRON CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2022
by Daily end-of-shift report 04 Oct '22

04 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 03-10-2022 18:00 − Dienstag 04-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Live support service hacked to spread malware in supply chain attack ∗∗∗ --------------------------------------------- The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) that businesses use for customer communication and website visitors, was trojanized as part of a new supply-chain attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/live-support-service-hacked-… ∗∗∗ Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub ∗∗∗ --------------------------------------------- Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-microsoft-exchange-prox… ∗∗∗ OnionPoison: infected Tor Browser installer distributed through popular YouTube channel ∗∗∗ --------------------------------------------- Kaspersky researchers detected OnionPoison campaign: malicious Tor Browser installer spreading through a popular YouTube channel and targeting Chinese users. --------------------------------------------- https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/1… ∗∗∗ CISA verdonnert US-Behörden zu besserer Netzwerkkontrolle ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA hat eine verbindliche Direktive erlassen. Nach der müssen alle Bundesbehörden ihre Netzwerke regelmäßig untersuchen. --------------------------------------------- https://heise.de/-7283699 ∗∗∗ Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices ∗∗∗ --------------------------------------------- NXP’s HABv4 API documentation references a now-mitigated defect in ROM-resident High Assurance Boot (HAB) functionality present in devices with HAB version < 4.3.7. I could find no further public documentation on whether this constituted a vulnerability or an otherwise “uninteresting” errata item, so I analyzed it myself! --------------------------------------------- https://research.nccgroup.com/2022/10/03/shining-new-light-on-an-old-rom-vu… ∗∗∗ Mit tragbaren Heizgeräten Strom sparen? Fallen Sie nicht auf dieses Fake-Produkt herein! ∗∗∗ --------------------------------------------- Online-Shops wie ultraheatpro.com und valty-heater.com bewerben aktuell einen Stecker, der Räume in weniger als 2 Minuten aufheizt. Die sehr kleinen und kabellosen Heizgeräte verbrauchen angeblich kaum Strom, reduzieren Heizkosten und verursachen keinen Lärm. Beim Kauf dieser „Wundergeräte“ verschwenden Sie aber Ihr Geld, denn Sie bekommen, wenn überhaupt, ein funktionsloses Gerät zugesendet. --------------------------------------------- https://www.watchlist-internet.at/news/mit-tragbaren-heizgeraeten-strom-spa… ∗∗∗ Developer account body snatchers pose risks to the software supply chain ∗∗∗ --------------------------------------------- Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research. Developer account takeovers present a substantial risk to the software supply chain because attackers who successfully compromise a developer account could conceal malicious code in software packages used by others. --------------------------------------------- http://blog.talosintelligence.com/2022/10/developer-account-body-snatchers-… ∗∗∗ Tracking Earth Aughisky’s Malware and Changes ∗∗∗ --------------------------------------------- For over 10 years, security researchers have been observing and keeping tabs of APT group Earth Aughisky’s malware families and the connections, including previously documented malware that have yet to be attributed. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-mal… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-03 ∗∗∗ --------------------------------------------- IBM Robotic Process Automation, IBM WebSphere Application Server Liberty, IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, Content Manager OnDemand z/OS, IBM Spectrum Copy Data Management, CloudPak for Watson AIOPs, IBM MaaS360, Tivoli Netcool/OMNIbus WebGUI, CP4D Match 360. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (barbican), Fedora (libdxfrw, librecad, and python-oauthlib), Oracle (bind), Red Hat (bind and rh-python38-python), SUSE (bind, chromium, colord, libcroco, libgit2, lighttpd, nodejs12, python, python3, slurm, slurm_20_02, and webkit2gtk3), and Ubuntu (linux-azure, python-django, strongswan, and wayland). --------------------------------------------- https://lwn.net/Articles/910300/ ∗∗∗ Aruba ArubaOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Aruba ArubaOS ausnutzen, um beliebigen Programmcode auszuführen, einen Denial-of-Service-Zustand herbeizuführen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1606 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um Sicherheitsvorkehrungen zu umgehen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1604 ∗∗∗ Hitachi Storage: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Hitachi Storage ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1601 ∗∗∗ FasterXML Jackson: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in FasterXML Jackson ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1608 ∗∗∗ Netgate pfSense: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Netgate pfSense ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1609 ∗∗∗ Android-Sicherheitsbulletin – Oktober 2022 ∗∗∗ --------------------------------------------- https://source.android.com/docs/security/bulletin/2022-10-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2022
by Daily end-of-shift report 03 Oct '22

03 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-09-2022 18:00 − Montag 03-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server ∗∗∗ --------------------------------------------- October 2, 2022 updates: Added to the Mitigations section: we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is here. Updated Detection section to refer to Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-z… ∗∗∗ Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 ∗∗∗ --------------------------------------------- MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-… ∗∗∗ Achtung, Phishing boomt! Security-Checkliste zu den 6 meist verbreiteten Methoden ∗∗∗ --------------------------------------------- Dass Phishing derzeit besonders häufig von Cyberkriminellen eingesetzt wird, um in IT-Systeme einzudringen, belegen viele aktuelle Statistiken. --------------------------------------------- https://sec-consult.com/de/blog/detail/6-common-types-of-phishing-attacks/ ∗∗∗ Sicherheitsupdate Drupal: Angreifer könnten auf Zugangsdaten zugreifen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für das Content Management System Drupal. --------------------------------------------- https://heise.de/-7282401 ∗∗∗ Jetzt patchen! Attacken auf Atlassian Bitbucket Server ∗∗∗ --------------------------------------------- Sicherheitsforscher und eine US-Sicherheitsbehörde warnen davor, dass Angreifer Bitbucket Server im Visier haben. --------------------------------------------- https://heise.de/-7282369 ∗∗∗ Backdoor in Windows-Logo versteckt ∗∗∗ --------------------------------------------- Eine Hackergruppe hat bei Angriffen auf Regierungen Steganografie verwendet, um Schadsoftware über harmlos aussehende Bitmaps nachzuladen. --------------------------------------------- https://heise.de/-7282730 ∗∗∗ Fake-Shops fälschen Klarna-Zahlungsprozess ∗∗∗ --------------------------------------------- Die Online-Shops schmitt-drogerie.com und ohnesorge-fachhandel.com sind betrügerisch. Produkte, die Sie hier bestellen, werden nicht geliefert. Die Bezahlung erfolgt angeblich per „Klarna Sofortüberweisung“. Doch Vorsicht: Der Zahlungsprozess wurde gefälscht. Sie sind nicht auf der echten Klarna-Zahlungsseite, sondern auf einer nachgebauten Website, mit der Ihre Bankdaten gestohlen werden. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-faelschen-klarna-zahlungs… ∗∗∗ 11 old software bugs that took way too long to squash ∗∗∗ --------------------------------------------- In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old—and there was no patch available, and no expectation that one would be forthcoming. Fortunately, thats because the system in question was Marvin Minskys 1967 implementation of a Universal Turing Machine, [...] --------------------------------------------- https://www.csoonline.com/article/3620948/10-old-software-bugs-that-took-wa… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-30 ∗∗∗ --------------------------------------------- IBM MQ, IBM Tivoli Monitoring Basic Services, IBM Event Streams, The IBM® Engineering Requirements Management, Rational Change Fix Pack, BM Tivoli Monitoring Data Provider, IBM Virtualization Engine, IBM Content Manager OnDemand, IBM Security Identity Governance and Intelligence, IBM Robotic Process Automation, IBM Jazz Technology, IBM Tivoli Composite Application Manager, IBM Case Manager, IBM Cloud Pak for Business Automation, Rational Synergy. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ macOS: Apps können Festplattenvollzugriff des Terminals missbrauchen ∗∗∗ --------------------------------------------- Programme, die nicht in einer Sandbox laufen, können den Systemschutz TCC von macOS umgehen, sobald man dem Terminal Festplattenvollzugriff gestattet. --------------------------------------------- https://heise.de/-7282104 ∗∗∗ Thunderbird: Angreifer könnten Absender verschlüsselter Nachrichten fälschen ∗∗∗ --------------------------------------------- Sicherheitslücken im Matrix-Chat-SDK machen den Mail-Client Thunderbird verwundbar. Eine aktualisierte Version schafft Abhilfe. --------------------------------------------- https://heise.de/-7282339 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, gdal, kernel, libdatetime-timezone-perl, libhttp-daemon-perl, lighttpd, mariadb-10.3, node-thenify, snakeyaml, tinyxml, and tzdata), Fedora (enlightenment, kitty, and thunderbird), Mageia (expat, firejail, libjpeg, nodejs, perl-HTTP-Daemon, python-mako, squid, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (buildah, connman, cosign, expat, ImageMagick, python36, python39, slurm, and webkit2gtk3), and Ubuntu (linux, [...] --------------------------------------------- https://lwn.net/Articles/910161/ ∗∗∗ K21600298: OpenSSL vulnerabilities CVE-2022-1292 and CVE-2022-2068 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21600298?utm_source=f5support&utm_mediu… ∗∗∗ Update - 0-day Exploit Remote Code Execution in Microsoft Exchange On-Premise – Workaround verfügbar ∗∗∗ --------------------------------------------- https://cert.at/de/warnungen/2022/10/0-day-exploit-remote-code-execution-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2022
by Daily end-of-shift report 30 Sep '22

30 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-09-2022 18:00 − Freitag 30-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zero-Day-Attacken auf Microsoft Exchange Server – Sicherheitspatches fehlen ∗∗∗ --------------------------------------------- Aufgrund von Angriffen und bislang fehlenden Patches sollten Admins Exchange Server über einen Workaround absichern. --------------------------------------------- https://heise.de/-7280460 ∗∗∗ Microsoft warnt: Angriffe mit Linkedin und präparierter Open-Source-Software ∗∗∗ --------------------------------------------- Laut Microsoft führen staatliche Hacker derzeit Angriffe auf Linkedin durch. Dabei arbeiten sie mit um Schadfunktionen erweiterter Open-Source-Software. --------------------------------------------- https://www.golem.de/news/microsoft-warnt-angriffe-mit-linkedin-und-praepar… ∗∗∗ Hacking group hides backdoor malware inside Windows logo image ∗∗∗ --------------------------------------------- Security researchers have discovered a malicious campaign by the Witchetty hacking group, which uses steganography to hide a backdoor malware in a Windows logo. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacking-group-hides-backdoor… ∗∗∗ Detecting Mimikatz with Busylight ∗∗∗ --------------------------------------------- In 2015 Raphael Mudge released an article [1] that detailed that versions of mimikatz released after 8th of October, 2015 had a new module that was utilising certain types of external USB devices to flash lights in different colours if mimikatz was executed. The technique presented in the article required certain kind of busylights that [...] --------------------------------------------- https://research.nccgroup.com/2022/09/30/detecting-mimikatz-with-busylight/ ∗∗∗ CISA Publishes User Guide to Prepare for Nov. 1 Move to TLP 2.0 ∗∗∗ --------------------------------------------- CISA has published its Traffic Light Protocol 2.0 User Guide and Traffic Light Protocol: Moving to Version 2.0 fact sheet in preparation for its November 1, 2022 move from Traffic Light Protocol (TLP) Version 1.0 to TLP 2.0. Managed by the Forum of Incident Response and Security Teams (FIRST), TLP is a system of markings that communicates information sharing permissions. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/29/cisa-publishes-us… ∗∗∗ Mandiant, VMware und US-CERT warnen vor Malware, die auf VMware ESXi Server zielt ∗∗∗ --------------------------------------------- Der von Google übernommene Sicherheitsanbieter Mandiant ist auf eine neue Malware-Familie (VirtualPITA, VirtualPIE und VirtualGATE) gestoßen, die es auf Virtualisierunglösungen wie VMware ESXi Server abgesehen hat und spezialisierte Techniken zum Eindringen verwendet. VMware hat einen entsprechenden Sicherheitshinweis veröffentlicht, [...] --------------------------------------------- https://www.borncity.com/blog/2022/09/30/mandiant-vmware-und-us-cert-warnen… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1325: SolarWinds Network Performance Monitor UpdateActionsDescriptions SQL Injection Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1325/ ∗∗∗ IBM Security Bulletins 2022-09-29 ∗∗∗ --------------------------------------------- IBM Robotic Process Automation, Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint, Content Collector for IBM Connections, IBM Spectrum Fusion HCI, IBM MQ, IBM MQ Blockchain bridge, IBM QRadar User Behavior Analytics. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsndfile and libvncserver), Fedora (bash), Red Hat (httpd24-httpd, java-1.7.1-ibm, and java-1.8.0-ibm), and SUSE (krb5-appl, libjpeg-turbo, python310, and slurm_20_02). --------------------------------------------- https://lwn.net/Articles/909947/ ∗∗∗ GitLab: Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1582 ∗∗∗ vim: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1584 ∗∗∗ F-Secure und WithSecure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in F-Secure und WithSecure Produkten ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1591 ∗∗∗ BookStack vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78862034/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2022
by Daily end-of-shift report 29 Sep '22

29 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-09-2022 18:00 − Donnerstag 29-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New Royal Ransomware emerges in multi-million dollar attacks ∗∗∗ --------------------------------------------- A new ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges… ∗∗∗ The secrets of Schneider Electric’s UMAS protocol ∗∗∗ --------------------------------------------- Kaspersky ICS CERT report on vulnerabilities in Schneider Electrics engineering software that enables UMAS protocol abuse. --------------------------------------------- https://securelist.com/the-secrets-of-schneider-electrics-umas-protocol/107… ∗∗∗ Report Shows How Long It Takes Ethical Hackers to Execute Attacks ∗∗∗ --------------------------------------------- A survey of more than 300 ethical hackers conducted by cybersecurity companies Bishop Fox and SANS Institute found that many could execute an end-to-end attack in less than a day. --------------------------------------------- https://www.securityweek.com/report-shows-how-long-it-takes-ethical-hackers… ∗∗∗ Exchange Health Checker – Script-Erweiterungen von Frank Zöchling ∗∗∗ --------------------------------------------- Von Microsoft gibt es den Exchange Health Checker, ein PowerShell-Script zur Überprüfung von On-Premises Exchange-Installationen auf Probleme. Das Script wird durch Microsoft wohl kontinuierlich weiter entwickelt. Frank Zöchling hat sich das Thema jetzt mal vorgenommen und das Ganze um ein Script erweitert, um wichtige Einstellungen beim Prüfen einer Exchange-Installation automatisch vorzunehmen. --------------------------------------------- https://www.borncity.com/blog/2022/09/29/exchange-health-checker-script-erw… ===================== = Vulnerabilities = ===================== ∗∗∗ New malware backdoors VMware ESXi servers to hijack virtual machines ∗∗∗ --------------------------------------------- Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malware-backdoors-vmware… ∗∗∗ Root-Lücke: Selbstheilungsfunktion gefährdet Cisco-Netzwerkhardware ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Lücken in Ciscos Netzwerkbetriebssystem IOS und weiterer Software. --------------------------------------------- https://heise.de/-7279116 ∗∗∗ Matrix chat encryption sunk by five now-patched holes ∗∗∗ --------------------------------------------- You take the green pill, youll spend six hours in a dont roll your own crypto debate. Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients. --------------------------------------------- https://www.theregister.com/2022/09/28/matrix_encryption_flaws/ ∗∗∗ IBM Security Bulletins 2022-09-28 ∗∗∗ --------------------------------------------- IBM Content Manager OnDemand, SPSS Collaboration and Deployment Services, IBM Decision Optimization Center, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, IBM Spectrum Protect for Virtual Environments, IBM MQ Operator and Queue manager container images, TXSeries, Rational Service Tester, IBM ILOG CPLEX Optimization Studio, IBM CICS TX Standard and Advanced, IBM SDK, Enterprise Content Management System Monitor, AIX, IBM Robotic Process Automation, IBM WebSphere Application Server Liberty. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, lighttpd, and webkit2gtk), Fedora (firefox, gajim, libofx, and python-nbxmpp), Gentoo (bluez, chromium, expat, firefox, go, graphicsmagick, kitty, php, poppler, redis, thunderbird, and zutty), Oracle (firefox and thunderbird), Red Hat (kernel), Slackware (xorg), SUSE (expat, libostree, lighttpd, python3-lxml, rust1.62, slurm, slurm_18_08, and vsftpd), and Ubuntu (libxi, linux-gcp, postgresql-9.5, and sqlite3). --------------------------------------------- https://lwn.net/Articles/909870/ ∗∗∗ Drupal Updates Patch Vulnerability in Twig Template Engine ∗∗∗ --------------------------------------------- Updates announced for Drupal this week address a severe vulnerability in Twig that could lead to the leakage of sensitive information. --------------------------------------------- https://www.securityweek.com/drupal-updates-patch-vulnerability-twig-templa… ∗∗∗ PHP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um einen Denial of Service Angriff durchzuführen und um Sicherheitsmechanismen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1567 ∗∗∗ Notepad++: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Notepad++ ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1559 ∗∗∗ Apache Tomcat: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Tomcat ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1558 ∗∗∗ xpdf: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in xpdf ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1570 ∗∗∗ Thunderbird 102.3.1 freigegeben ∗∗∗ --------------------------------------------- Die Entwickler des Thunderbird haben zum 28. September 2022 ein weiteres Update des E-Mail Client auf die Version 102.3.1 freigegeben. Es ist ein Bug-Fix-Update, welches eine Reihe an Problemen und Schwachstellen beheben soll. --------------------------------------------- https://www.borncity.com/blog/2022/09/29/thunderbird-102-3-1-freigegeben/ ∗∗∗ CVE-2022-37461: Two Reflected XSS Vulnerabilities in Canon Medical’s Vitrea View ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-37… ∗∗∗ Hitachi Energy MicroSCADA Pro X SYS600_8DBD000107 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-272-02 ∗∗∗ Hitachi Energy MicroSCADA Pro X SYS600_8DBD000106 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-272-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2022
by Daily end-of-shift report 28 Sep '22

28 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-09-2022 18:00 − Mittwoch 28-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft to retire Exchange Online client access rules in a year ∗∗∗ --------------------------------------------- Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-exchang… ∗∗∗ Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks ∗∗∗ --------------------------------------------- The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-us… ∗∗∗ Prilex: the pricey prickle credit card complex ∗∗∗ --------------------------------------------- Prilex is a Brazilian threat actor focusing on ATM and PoS attacks. In this report, we provide an overview of its PoS malware. --------------------------------------------- https://securelist.com/prilex-atm-pos-malware-evolution/107551/ ∗∗∗ New Malware Variants Serve Bogus CloudFlare DDoS Captcha ∗∗∗ --------------------------------------------- When attackers shift up their campaigns, change their payload or exfiltration domains, and put some extra effort into hiding their malware it’s usually a telltale sign that they are making some money off of their exploits. One such campaign is the fake CloudFlare DDoS pages which we reported on last month. --------------------------------------------- https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare… ∗∗∗ Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems ∗∗∗ --------------------------------------------- A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. --------------------------------------------- https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html ∗∗∗ Zielscheibe Open-Source-Paket: Angriffe 700 Prozent häufiger als vor drei Jahren ∗∗∗ --------------------------------------------- Open-Source-Repositories werden immer häufiger zum Angriffsziel Krimineller. Allein im letzten Jahr hat Sonatype über 55.000 infizierte Pakete identifiziert. --------------------------------------------- https://heise.de/-7278355 ∗∗∗ Attacking Encrypted HTTP Communications ∗∗∗ --------------------------------------------- The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers. --------------------------------------------- https://www.pentestpartners.com/security-blog/attacking-encrypted-http-comm… ∗∗∗ Decrypt “encrypted stub data” in Wireshark ∗∗∗ --------------------------------------------- I often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC But I’m often interrupted in my enthusiasm by the payload dissected as “encrypted stub data”: Can we decrypt this “encrypted stub data?” --------------------------------------------- https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshar… ∗∗∗ Stories from the SOC - C2 over port 22 ∗∗∗ --------------------------------------------- The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#855201: L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers ∗∗∗ --------------------------------------------- OverviewLayer-2 (L2) network security controls provided by various devices, such as switches, routers, and operating systems, can be bypassed by stacking Ethernet protocol headers. An attacker can send crafted packets through vulnerable devices to cause Denial-of-service (DoS) or to perform a man-in-the-middle (MitM) attack against a target network. This vulnerability exists within Ethernet encapsulation protocols that allow for stacking of Virtual Local Area Network (VLAN) headers. --------------------------------------------- https://kb.cert.org/vuls/id/855201 ∗∗∗ Cisco Security Advisories 2022-09-27 - 2022-09-28 ∗∗∗ --------------------------------------------- Cisco published 23 Security Advisories (13 High, 10 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Webbrowser Chrome 106: Neue Funktionen und 20 abgedichtete Sicherheitslecks ∗∗∗ --------------------------------------------- Google bessert 20 teils hochriskante Sicherheitslücken im Webbrowser Chrome aus. Zudem erhält der Browser neue Funktionen und Verbesserungen. --------------------------------------------- https://heise.de/-7277825 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15). --------------------------------------------- https://lwn.net/Articles/909676/ ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1552 ∗∗∗ Security Bulletin: A Security Vulnerability was fixed in IBM Application Gateway. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2022-35282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM QRadar User Behavior Analytics (CVE-2022-36771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to identity spoofing by an authenticated user using a specially crafted request. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to HTTP header injection, caused by improper validation. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin:IBM TRIRIGA Application Platform discloses possible path command execution(CVE-2021-41878) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-tririga-application-pl… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1549 ∗∗∗ Moodle: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1546 ∗∗∗ Check Point ZoneAlarm Extreme Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1544 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2022
by Daily end-of-shift report 27 Sep '22

27 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 26-09-2022 18:00 − Dienstag 27-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers use PowerPoint files for mouseover malware delivery ∗∗∗ --------------------------------------------- The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-powerpoint-files… ∗∗∗ New Erbium password-stealing malware spreads as game cracks, cheats ∗∗∗ --------------------------------------------- The new Erbium information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims credentials and cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing… ∗∗∗ Pass-the-Hash Attacks and How to Prevent them in Windows Domains ∗∗∗ --------------------------------------------- Hackers often start out with nothing more than a low-level user account and then work to gain additional privileges that will allow them to take over the network. One of the methods that is commonly used to acquire these privileges is a pass-the-hash attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pass-the-hash-attacks-and-ho… ∗∗∗ Anlagebetrug: Vorsicht vor Diensten, die Ihnen helfen wollen, Ihr verlorenes Geld zurückzubekommen ∗∗∗ --------------------------------------------- Haben Sie bei einer betrügerischen Investmentplattform Geld verloren? Dann nehmen Sie sich vor Folgebetrug in Acht. Kriminelle bewerben Dienstleistung, die Ihnen angeblich dabei helfen, Ihr verlorenes Geld zurückzubekommen. Angebote von finanzaufsicht.com oder firstmoneyback.com sind aber Fake! Sie werden erneut betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/anlagebetrug-vorsicht-vor-diensten-d… ∗∗∗ More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID ∗∗∗ --------------------------------------------- Polyglot files, such as the malicious CHM file analyzed here, can be abused to hide from anti-malware systems that rely on file format identification. --------------------------------------------- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/ ∗∗∗ What happens with a hacked Instagram account – and how to recover it ∗∗∗ --------------------------------------------- Had your Instagram account stolen? Don’t panic – here’s how to get your account back and how to avoid getting hacked (again). --------------------------------------------- https://www.welivesecurity.com/2022/09/26/what-happens-hacked-instagram-acc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot and firefox-esr), Fedora (firefox and grafana), Red Hat (firefox and thunderbird), Slackware (dnsmasq and vim), SUSE (dpdk, firefox, kernel, libarchive, libcaca, mariadb, openvswitch, opera, permissions, podofo, snakeyaml, sqlite3, unzip, and vsftpd), and Ubuntu (expat, libvpx, linux-azure-fde, linux-oracle, squid, squid3, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/909576/ ∗∗∗ SECURITY - ABB Central Licensing System Vulnerabilities, impact on ABB Ability SCADAvantage ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A3198&Lan… ∗∗∗ Security Bulletin: A vulnerability in Apache Commons Fileupload affects IBM Tivoli Business Service Manager (CVE-2013-2186, CVE-2013-0248, CVE-2016-3092, CVE-2014-0050, 220723) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: A vulnerability in FasterXML Woodstox affects IBM Tivoli Business Service Manager (220573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-faster… ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1541 ∗∗∗ Publish SBA-ADV-20220328-01: Vtiger CRM Stored Cross-Site Scripting ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/28e164f1cb73e4885a58616d1b… ∗∗∗ Hitachi Energy APM Edge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-02 ∗∗∗ Rockwell Automation ThinManager ThinServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-03 ∗∗∗ Hitachi Energy AFS660/AFS665 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-01 ∗∗∗ September 23rd 2022 Security Releases ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2022
by Daily end-of-shift report 26 Sep '22

26 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-09-2022 18:00 − Montag 26-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NullMixer: oodles of Trojans in a single dropper ∗∗∗ --------------------------------------------- NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others. --------------------------------------------- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/1074… ∗∗∗ Maldoc Analysis Info On MalwareBazaar, (Sat, Sep 24th) ∗∗∗ --------------------------------------------- When you lookup a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump. --------------------------------------------- https://isc.sans.edu/diary/rss/29084 ∗∗∗ Downloading Samples From Takendown Domains, (Sun, Sep 25th) ∗∗∗ --------------------------------------------- Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down). --------------------------------------------- https://isc.sans.edu/diary/rss/29086 ∗∗∗ Easy Python Sandbox Detection , (Mon, Sep 26th) ∗∗∗ --------------------------------------------- Many malicious Python scripts implement a sandbox detection mechanism, I already wrote diaries about this, but it requires some extra code in the script. Because we are lazy (attackers too), why not try to automate this and easily detect the presence of such a security mechanism? --------------------------------------------- https://isc.sans.edu/diary/rss/29090 ∗∗∗ 13,8 Millionen Downloads: Malware-Apps unter Android und iOS ∗∗∗ --------------------------------------------- Ein IT-Sicherheitsunternehmen hat Werbebetrugs-Apps in Google Play und im Apple Store gefunden, die auf insgesamt 13,8 Millionen Downloads kommen. --------------------------------------------- https://heise.de/-7275295 ∗∗∗ Ransomware: Nach Verschlüsseln kommt jetzt Kopieren & Zerstören ∗∗∗ --------------------------------------------- Das mit dem Verschlüsseln ist aufwendig und fehleranfällig – das denken sich wohl auch Cybercrime-Banden, die zuvor kopierte Daten unbrauchbar machen. --------------------------------------------- https://heise.de/-7275667 ∗∗∗ Microsoft Edge mit SOCKS Proxy über PuTTY / SSH nutzen ∗∗∗ --------------------------------------------- Microsoft Edge (dzt. geprüfte Versionen bis v107) bietet in den Einstellungen leider keine Nutzung von SOCKS-Proxys an. Edge unterstützt dies aber (obwohl sich hierzu in der offiziellen Doku leider nichts findet) über das CmdLine-Argument “--proxy-server“. --------------------------------------------- https://hitco.at/blog/microsoft-edge-socks-proxy-putty-ssh/ ∗∗∗ Betrügerisches Post-Gewinnspiel auf WhatsApp ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie auf WhatsApp ein Gewinnspiel mit dem Titel „Österreichische Post Staatliche Förderung“ erhalten. Dabei handelt es sich um Fake. Sie tappen entweder in eine Abo-Falle oder laden Schadsoftware herunter. Klicken Sie nicht auf den Link und löschen Sie die Nachricht. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-post-gewinnspiel-auf… ∗∗∗ Hunting for Unsigned DLLs to Find APTs ∗∗∗ --------------------------------------------- Hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. Our examples include well-known APTs. --------------------------------------------- https://unit42.paloaltonetworks.com/unsigned-dlls/ ∗∗∗ BumbleBee: Round Two ∗∗∗ --------------------------------------------- In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. --------------------------------------------- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ ∗∗∗ MISP 2.4.163 released with improved periodic notification system and many improvements ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.163 with an updated periodic notification systemand many improvements. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.163 ∗∗∗ Tell Me Where You Live and I Will Tell You About Your P@ssw0rd: Understanding the Macrosocial Factors Influencing Password’s Strength ∗∗∗ --------------------------------------------- Free Person Holding World Globe Facing Mountain Stock PhotoTo explore how a user’s environment influences password creation strategies, we present a blogpost series in which we consider several different perspectives – the macrosocial influence of your country (where you live), the influence of your peers (who your friends are), and a technical understanding of how they are attacked – to improve password security and mitigate the risk of poorly secured passwords. --------------------------------------------- https://www.gosecure.net/blog/2022/09/26/tell-me-where-you-live-and-i-will-… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Windows Shift F10 Bypass and Autopilot privilge escalation ∗∗∗ --------------------------------------------- This post demonstrates full chained exploitation, and it contains two steps. The second step is a known vulnerability, but there are other ways. --------------------------------------------- https://k4m1ll0.com/ShiftF10Bypass-and-privesc.html ∗∗∗ Sophos Firewalls: Kritische Sicherheitslücke wird angegriffen ∗∗∗ --------------------------------------------- Angreifer nutzen eine Schwachstelle in Sophos Firewalls aus, durch die sie eigenen Code auf verwundbare Maschinen schieben. Softwareflicken dichten das Leck ab. --------------------------------------------- https://heise.de/-7275195 ∗∗∗ Angreifer nisten sich in Exchange Online ein – mit bösartigen OAuth-Apps ∗∗∗ --------------------------------------------- Microsoft hat Angriffe auf Cloud-Exchange analysiert, bei denen Angreifer mit bösartigen OAuth-Apps nachhaltig Zugang erlangten und ihn für Spam missbrauchen. --------------------------------------------- https://heise.de/-7275757 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat and poppler), Fedora (dokuwiki), Gentoo (fetchmail, grub, harfbuzz, libaacplus, logcheck, mrxvt, oracle jdk/jre, rizin, smarty, and smokeping), Mageia (tcpreplay, thunderbird, and webkit2), SUSE (dpdk, permissions, postgresql14, puppet, and webkit2gtk3), and Ubuntu (linux-gkeop and sosreport). --------------------------------------------- https://lwn.net/Articles/909439/ ∗∗∗ Trend Micro Deep Security Agent: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Trend Micro Deep Security Agent ausnutzen, um Informationen offenzulegen oder seine Rechte zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1534 ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1535 ∗∗∗ WhatsApp: Zwei Schwachstellen ermöglichen Remote Code-Ausführung ∗∗∗ --------------------------------------------- Meta-Tochter WhatsApp warnt vor zwei Schwachstellen in seinen Apps für Android und iOS, die die Sicherheit der Benutzer gefährden. Beide Schwachstellen ermöglichen eine Remote Code-Ausführung – die Apps sollten also zeitnah aktualisiert werden. --------------------------------------------- https://www.borncity.com/blog/2022/09/26/whatsapp-zwei-schwachstellen-ermgl… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager vulnerable to denial of service due to Apache Shiro (CVE-2022-32532) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: Due to RPM, AIX is vulnerable to arbitrary code execution (CVE-2021-20271), RPM database corruption (CVE-2021-3421), and denial of service (CVE-2021-20266) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-rpm-aix-is-vulnera… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to a denial of service due to Vmware Tanzu Spring Framework (CVE-2022-22971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Curl affect PowerSC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-029/ ∗∗∗ CISA Has Added One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/23/cisa-has-added-on… ∗∗∗ Node.js: September 22nd 2022 Security Releases ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2022
by Daily end-of-shift report 23 Sep '22

23 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-09-2022 18:00 − Freitag 23-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schadsoftware: Betrüger verteilen Malware mit gefälschten Zoom-Webseiten ∗∗∗ --------------------------------------------- Die Webseiten geben sich als Downloadseite für Zoom aus, doch verteilen sie eine Schadsoftware, die es auf Bankdaten abgesehen hat. --------------------------------------------- https://www.golem.de/news/schadsoftware-betrueger-verteilen-malware-mit-gef… ∗∗∗ Google Play Store: Trojaner Harly kommt auf 4,8 Millionen Downloads ∗∗∗ --------------------------------------------- Im Google Play Store entdeckt Kaspersky zahlreiche trojanisierte Apps, die den Schädling Harly enthalten. Der schließt kostenpflichtige Dienste-Abos ab. --------------------------------------------- https://heise.de/-7273522 ∗∗∗ Fingerabdruck & Co. - Wie funktionieren biometrische Anmeldeverfahren? ∗∗∗ --------------------------------------------- Ihre Augen können das Fenster zu Ihrer Seele sein, aber sie können auch Ihre Bordkarte für das Flugzeug oder der Schlüssel zum Entsperren Ihres Telefons sein. Welche Vor- und Nachteile birgt die Verwendung biometrischer Merkmale für die Authentifizierung? --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/09/22/fingerabdruck-co-wie-funk… ∗∗∗ Microsoft: Windows KB5017383 preview update added to WSUS by mistake ∗∗∗ --------------------------------------------- Microsoft says that KB5017383, this months Windows preview update, has been accidentally listed in Windows Server Update Services (WSUS) and may lead to security update install problems in some managed environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5017383… ∗∗∗ Malicious OAuth applications used to compromise email servers and spread spam ∗∗∗ --------------------------------------------- Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange servers to launch spam runs. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applicat… ∗∗∗ Kids Like Cookies, Malware Too!, (Fri, Sep 23rd) ∗∗∗ --------------------------------------------- Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won't discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user. --------------------------------------------- https://isc.sans.edu/diary/rss/29082 ∗∗∗ Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts ∗∗∗ --------------------------------------------- GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted "many victim organizations. --------------------------------------------- https://thehackernews.com/2022/09/hackers-using-fake-circleci.html ∗∗∗ WAF bypasses via 0days ∗∗∗ --------------------------------------------- In May, I participated in 1337up0522 from Intigriti which was about hacking OWASP ModSecurity Core Rule Set (CRS). I’ve got 13 findings accepted including 3 exceptional, 2 critical, and 8 high severity vulnerabilities. In this article, I will showcase a couple of interesting findings. --------------------------------------------- https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec ∗∗∗ Surge in Magento 2 template attacks ∗∗∗ --------------------------------------------- The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In this article we share our findings of 3 template hacks, and hope it will help you if you are confronted with a similar attack. --------------------------------------------- https://sansec.io/research/magento-2-template-attacks ∗∗∗ Cross-Site Scripting: The Real WordPress Supervillain ∗∗∗ --------------------------------------------- Vulnerabilities are a fact of life for anyone managing a website, even when using a well-established content management system like WordPress. Not all vulnerabilities are equal, with some allowing access to sensitive data that would normally be hidden from public view, while others could allow a malicious actor to take full control of an affected [...] --------------------------------------------- https://www.wordfence.com/blog/2022/09/cross-site-scripting-the-real-wordpr… ∗∗∗ CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of cyberattacks targeting a recently addressed vulnerability in Zoho ManageEngine. --------------------------------------------- https://www.securityweek.com/cisa-warns-zoho-manageengine-rce-vulnerability… ∗∗∗ NSA and CISA: Heres how hackers are going after critical systems, and what you need to do about it ∗∗∗ --------------------------------------------- NSA and CISA offer some advice for critical infrastructure operators to protect their industrial control systems. --------------------------------------------- https://www.zdnet.com/article/nsa-and-cisa-heres-how-hackers-are-going-afte… ∗∗∗ Experts fear LockBit spread after ransomware builder leaked ∗∗∗ --------------------------------------------- A toolkit to create DIY versions of the LockBit ransomware has leaked, raising alarms among incident responders and cybersecurity experts warning of more widespread use in attacks. The leak, for the LockBit 3.0 ransomware encryptor, was announced on Wednesday by security researcher 3xp0rt. Several experts and researchers confirmed to The Record that the builder works [...] --------------------------------------------- https://therecord.media/experts-fear-lockbit-spread-after-ransomware-builde… ∗∗∗ FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers ∗∗∗ --------------------------------------------- The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers. --------------------------------------------- https://asec.ahnlab.com/en/39152/ ===================== = Vulnerabilities = ===================== ∗∗∗ HP-Drucker: Kritische Lücke erlaubt Codeschmuggel in diversen Modellen ∗∗∗ --------------------------------------------- HP warnt vor Sicherheitslücken in zahlreichen Druckermodellen, die Angreifern das Einschleusen von Schadcode ermöglichen. Der Hersteller stellt Updates bereit. --------------------------------------------- https://heise.de/-7250538 ∗∗∗ IBM Security Bulletins 2022-09-22 ∗∗∗ --------------------------------------------- IBM CICS TX Advanced, IBM CICS TX Standard, IBM Common Cryptographic Architecture (CCA), IBM InfoSphere Information Server, IBM Jazz for Service Management, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM Partner Engagement Manager, IBM Security Guardium, IBM Spectrum Control, Operations Dashboard, TXSeries for Multiplatforms, Watson Explorer and Watson Explorer Content Analytics Studio, z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, expat, firefox-esr, mediawiki, and unzip), Fedora (qemu and thunderbird), Oracle (webkit2gtk3), SUSE (ardana-ansible, ardana-cobbler, ardana-tempest, grafana, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-neutron-gbp, openstack-nova, python-Django1, rabbitmq-server, rubygem-puma, ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma, dpdk, [...] --------------------------------------------- https://lwn.net/Articles/909208/ ∗∗∗ New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access ∗∗∗ --------------------------------------------- Firmware security company Binarly has discovered another round of potentially serious firmware vulnerabilities that could allow an attacker to gain persistent access to any of the millions of affected devices. --------------------------------------------- https://www.securityweek.com/new-firmware-vulnerabilities-affecting-million… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2022
by Daily end-of-shift report 22 Sep '22

22 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-09-2022 18:00 − Donnerstag 22-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackCat ransomware’s data exfiltration tool gets an upgrade ∗∗∗ --------------------------------------------- The BlackCat ransomware (aka ALPHV) isnt showing any signs of slowing down, and the latest example of its evolution is a new version of the gangs data exfiltration tool used for double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackcat-ransomware-s-data-e… ∗∗∗ Critical Magento vulnerability targeted in new surge of attacks ∗∗∗ --------------------------------------------- Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-magento-vulnerabili… ∗∗∗ RAT Delivered Through FODHelper , (Thu, Sep 22nd) ∗∗∗ --------------------------------------------- I found a simple batch file that drops a Remcos RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper"). --------------------------------------------- https://isc.sans.edu/diary/rss/29078 ∗∗∗ Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure ∗∗∗ --------------------------------------------- Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. --------------------------------------------- https://thehackernews.com/2022/09/researchers-disclose-critical.html ∗∗∗ Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions ∗∗∗ --------------------------------------------- Recently (in August of 2022), the Sysinternals team released Sysmon 14.0 – a notable update of a powerful and configurable tool for monitoring Windows machines. While Sysmon already included a few valuable detection capabilities, the update introduced the first preventive measure – the FileBlockExecutable event (ID 27). --------------------------------------------- https://www.huntandhackett.com/blog/bypassing-sysmon ∗∗∗ A technical analysis of the leaked LockBit 3.0 builder ∗∗∗ --------------------------------------------- This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022. --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-buil… ∗∗∗ You can’t stop me. MS Teams session hijacking and bypass ∗∗∗ --------------------------------------------- How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user. --------------------------------------------- https://www.pentestpartners.com/security-blog/you-cant-stop-me-ms-teams-ses… ∗∗∗ Webinar: Love Scams im Internet erkennen ∗∗∗ --------------------------------------------- Am Mittwoch, den 28.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Love Scams" statt. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-love-scams-im-internet-erken… ∗∗∗ Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics ∗∗∗ --------------------------------------------- New version of Exmatter, and Eamfo malware, used by attackers deploying the Rust-based ransomware. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/no… ∗∗∗ AA22-265A: Control System Defense: Know the Opponent ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-265a ∗∗∗ MindShaRE: Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja ∗∗∗ --------------------------------------------- Disclosure of uninitialized memory is one of the common problems faced when copying data across trust boundaries. This can happen between the hypervisor and guest OS, kernel and user space, or across the network. --------------------------------------------- https://www.thezdi.com/blog/2022/9/19/mindshare-analyzing-bsd-kernels-with-… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-21 ∗∗∗ --------------------------------------------- IBM Security Guardium, IBM Cloud Pak for Multicloud Management Managed Services, IBM Tivoli Netcool Impact, IBM Maximo Asset Management, IBM Spectrum Protect Plus SQL. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Notfallpatch für Microsoft Endpoint Configuration Manager erschienen ∗∗∗ --------------------------------------------- Admins sollten die IT-Managementlösung Endpoint Configuration Manager von Microsoft aktualisieren. Es könnten Attacken bevorstehen. --------------------------------------------- https://heise.de/-7272195 ∗∗∗ Python: 15 Jahre alte Schwachstelle betrifft potenziell 350.000 Projekte ∗∗∗ --------------------------------------------- Das Issue zu der Directory-Traversal-Schwachstelle in dem Modul tarfile existiert seit 2007. Geschlossen wurde es mit einem Hinweis in der Dokumentation. --------------------------------------------- https://heise.de/-7272186 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e17, fish, mako, and tinygltf), Fedora (mingw-poppler), Mageia (firefox, google-gson, libxslt, open-vm-tools, redis, and sofia-sip), Oracle (dbus-broker, kernel, kernel-container, mysql, and nodejs and nodejs-nodemon), Slackware (bind), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, [...] --------------------------------------------- https://lwn.net/Articles/909051/ ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/09/22/technical-advisory-multiple-vulner… ∗∗∗ HP LaserJet: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1499 ∗∗∗ Measuresoft ScadaPro Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-265-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily