=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 25-10-2022 18:00 − Donnerstag 27-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Microsoft fixes Windows vulnerable driver blocklist sync issue ∗∗∗
---------------------------------------------
Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vul…
∗∗∗ Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets ∗∗∗
---------------------------------------------
A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands embedded in packets and new features to evade detection of its infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1…
∗∗∗ How to prevent lateral movement attacks using Microsoft 365 Defender ∗∗∗
---------------------------------------------
Learn how Microsoft 365 Defender can enhance mitigations against lateral movement paths in your environment, stopping attackers from gaining access to privileged and sensitive accounts.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/10/26/how-to-prevent-lat…
∗∗∗ Malware vs Virus: What’s the Difference? ∗∗∗
---------------------------------------------
In today’s article, we’ll be clarifying the difference between viruses and malware while helping to identify the most common types of malware.
---------------------------------------------
https://blog.sucuri.net/2022/10/whats-the-difference-malware-virus.html
∗∗∗ New Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Instances ∗∗∗
---------------------------------------------
A new cryptojacking campaign has been uncovered targeting vulnerable Docker and Kubernetes infrastructures as part of opportunistic attacks designed to illicitly mine cryptocurrency.
---------------------------------------------
https://thehackernews.com/2022/10/new-cryptojacking-campaign-targeting.html
∗∗∗ Hijacking AUR Packages by Searching for Expired Domains ∗∗∗
---------------------------------------------
The Arch User Repository (AUR) is a software repository for Arch Linux. It differs from the official Arch Linux repositories in that its packages are provided by its users and not officially supported by Arch Linux.
---------------------------------------------
https://blog.nietaanraken.nl/posts/aur-packages-expired-domains/
∗∗∗ Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom ∗∗∗
---------------------------------------------
Industrial organizations continue to be a top target for ransomware attacks, and reports published by cybersecurity companies this week reveal some recent trends.
---------------------------------------------
https://www.securityweek.com/industrial-ransomware-attacks-new-groups-emerg…
∗∗∗ Trends in Web Threats in CY Q2 2022: Malicious JavaScript Downloaders Are Evolving ∗∗∗
---------------------------------------------
We examine trends in web threats for the second calendar year quarter of 2022, including how a malicious JavaScript downloader is evolving to evade detection.
---------------------------------------------
https://unit42.paloaltonetworks.com/web-threats-malicious-javascript-downlo…
∗∗∗ FormBook Malware Being Distributed as .NET ∗∗∗
---------------------------------------------
FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites.
---------------------------------------------
https://asec.ahnlab.com/en/40663/
=====================
= Vulnerabilities =
=====================
∗∗∗ Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th) ∗∗∗
---------------------------------------------
This week, OpenSSL announced that they will release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability. The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x.
---------------------------------------------
https://isc.sans.edu/diary/rss/29192
∗∗∗ IBM Security Bulletins 2022-10-26 and 2022-10-25 ∗∗∗
---------------------------------------------
IBM SDK, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM i, IBM Robotic Process Automation, IBM Cloud Transformation Advisor, CloudPak for Watson, Netcool Operations Insight.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Cisco AnyConnect: Alte Sicherheitslücken im Visier von Angreifern ∗∗∗
---------------------------------------------
Allerhöchste Zeit, um alte Lücken in Cisco AnyConnect abzudichten: Cisco warnt vor derzeitigen Cyber-Angriffen auf Schwachstellen aus dem Jahr 2020.
---------------------------------------------
https://heise.de/-7320917
∗∗∗ Sicherheitsupdate ArubaOS: Schadcode-Attacken durch präparierte Anfragen möglich ∗∗∗
---------------------------------------------
Die Entwickler des Netzwerkbetriebssystems ArubaOS haben unter anderem eine kritische Lücke geschlossen.
---------------------------------------------
https://heise.de/-7321787
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tomcat9), Oracle (389-ds-base, device-mapper-multipath, firefox, git-lfs, gnutls, kernel, kernel-container, libksba, pki-core, samba, sqlite, and zlib), Red Hat (device-mapper-multipath, kernel, kpatch-patch, libksba, and thunderbird), Slackware (expat and samba), SUSE (bind, buildah, curl, firefox, golang-github-prometheus-node_exporter, grafana, icinga2, python-paramiko, python-waitress, SUSE Manager Client Tools, telnet, and xen), [...]
---------------------------------------------
https://lwn.net/Articles/912495/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, bind, expat, java-1.8.0-openjdk, java-11-openjdk, libksba, and squid), Debian (chromium, libdatetime-timezone-perl, tzdata, and wordpress), Fedora (dbus, dhcp, dotnet3.1, jhead, samba, and strongswan), Mageia (virtualbox), Oracle (device-mapper-multipath), Scientific Linux (device-mapper-multipath and thunderbird), Slackware (curl), SUSE (container-suseconnect, curl, kernel, libmad, libtasn1, libtirpc, qemu, rubygem-puppet, [...]
---------------------------------------------
https://lwn.net/Articles/912688/
∗∗∗ Windows (Mark of the Web) 0-day per JavaScript für Ransomware-Angriffe genutzt ∗∗∗
---------------------------------------------
Die Tage hatte ich über eine ungefixte 0-day-Schwachstelle, Mark of the Web (MOTOW), in Windows berichtet, für die es einen inoffiziellen Fix gibt. Nun ist mir ein Bericht unter die Augen gekommen, dass eine 0-day-Schwachstelle in diesem Bereich von Cyberkriminellen per JavaScript ausgenutzt werden kann, um Web-Sicherheitswarnungen zu umgehen und Ransomware-Angriffe zu verschleiern.
---------------------------------------------
https://www.borncity.com/blog/2022/10/27/exploited-windows-0-day-mark-of-th…
∗∗∗ ZDI-22-1467: (0Day) IronCAD STP File Parsing Uninitialized Pointer Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1467/
∗∗∗ VMSA-2022-0027 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0027.html
∗∗∗ K11601010: Intel Processor vulnerability CVE-2021-33149 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11601010
∗∗∗ Synology-SA-22:20 Samba ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_20
∗∗∗ Hitachi Energy MicroSCADA X DMS600 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-04
∗∗∗ Johnson Controls CKS CEVAS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-05
∗∗∗ Delta Electronics DIAEnergie ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-06
∗∗∗ AliveCor KardiaMobile ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-22-298-01
∗∗∗ Haas Controller ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-01
∗∗∗ HEIDENHAIN Controller TNC on HARTFORD Machine ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-02
∗∗∗ Rockwell Automation FactoryTalk Alarm and Events Server ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-01
∗∗∗ SAUTER Controls moduWeb ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-02
∗∗∗ Rockwell Automation Stratix Devices Containing Cisco IOS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-03
∗∗∗ Trihedral VTScada ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-04
∗∗∗ Samba Releases Security Updates ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/10/26/samba-releases-se…
∗∗∗ [R1] Nessus Version 10.3.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-20
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 24-10-2022 18:00 − Dienstag 25-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Zero-Day-Fehler im Kernel von iOS und iPadOS wird ausgenutzt ∗∗∗
---------------------------------------------
iOS und iPadOS 16.1 beheben einen schwerwiegenden Kernel-Bug in den Betriebssystemen für iPhone und iPad. Apple hat Berichte über laufende Angriffe.
---------------------------------------------
https://heise.de/-7319500
∗∗∗ Chrome extensions with 1 million installs hijack targets’ browsers ∗∗∗
---------------------------------------------
Researchers at Guardio Labs have discovered a new malvertizing campaign pushing Google Chrome and Microsoft Edge extensions that hijack searches and insert affiliate links into webpages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-mil…
∗∗∗ How the Software Supply Chain Security is Threatened by Hackers ∗∗∗
---------------------------------------------
In many ways, the software supply chain is similar to that of manufactured goods, which we all know has been largely impacted by a global pandemic and shortages of raw materials. However, in the IT world, it is not shortages or pandemics that have been the main obstacles to overcome in recent years, but rather attacks aimed at using them to harm hundreds or even thousands of victims simultaneously.
---------------------------------------------
https://thehackernews.com/2022/10/how-software-supply-chain-security-is.html
∗∗∗ Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS).
---------------------------------------------
https://thehackernews.com/2022/10/researchers-detail-windows-event-log.html
∗∗∗ Chapter 1 - From Gozi to ISFB: The history of a mythical malware family. ∗∗∗
---------------------------------------------
Disclaimer: This article does not contain any IOCs or infrastructure details. Instead, the aim is to explain the whole business dynamic of a long-lasting malware family. This work is based on almost 10 years of research and intel gatherings and tries its best to stick to the truth and the facts observed around ISFB. Hopefully, it will give some insight on how the top cyber crime groups have been working over the years.
---------------------------------------------
https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of…
∗∗∗ Stranger Strings: An exploitable flaw in SQLite ∗∗∗
---------------------------------------------
Trail of Bits is publicly disclosing CVE-2022-35737, which affects applications that use the SQLite library API. CVE-2022-35737 was introduced in SQLite version 1.0.12 (released on October 17, 2000) and fixed in release 3.39.2 (released on July 21, 2022). CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled [...]
---------------------------------------------
https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-libr…
∗∗∗ E-Mail von WhatsApp: Gewinn über 900.600,00 USD ist Fake ∗∗∗
---------------------------------------------
Aktuell kursiert ein E-Mail von WhatsApp, in dem Sie über den Gewinn von 900.600,00 USD informiert werden. Um den Gewinn zu erhalten, müssen Sie Ihre Kontaktdaten an account.whatsapp(a)mail.com senden.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-von-whatsapp-gewinn-ueber-900…
∗∗∗ Windows 10 22H2, Windows 11 22H2: Administrative Vorlagen (.admx); Windows 10 22H2 Security Baseline ∗∗∗
---------------------------------------------
Kleiner Hinweis für Administratoren von Windows-Systemen in Unternehmensumgebungen. Microsoft hat die Security Baseline für das Windows 10 October 2022 Update (Version 22H2) freigegeben.
---------------------------------------------
https://www.borncity.com/blog/2022/10/25/windows-10-22h2-windows-11-22h2-ad…
∗∗∗ Rapidly Evolving Magniber Ransomware ∗∗∗
---------------------------------------------
The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed.
---------------------------------------------
https://asec.ahnlab.com/en/40422/
∗∗∗ Analysis on Attack Techniques and Cases Using RDP ∗∗∗
---------------------------------------------
Overview One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems. This post will cover cases where RDP (Remote Desktop Protocol), a default service provided by baseline Windows OS, was used.
---------------------------------------------
https://asec.ahnlab.com/en/40394/
=====================
= Vulnerabilities =
=====================
∗∗∗ Webkonferenzen: Sicherheitslücke in Zoom ermöglicht Sitzungsübernahme ∗∗∗
---------------------------------------------
Zoom warnt vor einer Sicherheitslücke, durch die Angreifer Opfer etwa auf falsche Server locken und so Sitzungen übernehmen könnten. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7319974
∗∗∗ VMSA-2022-00031 ∗∗∗
---------------------------------------------
VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-00031.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libbluray and wkhtmltopdf), Fedora (firefox, libksba, libmodsecurity, libxml2, qemu, and xmlsec1), Red Hat (389-ds-base, 389-ds:1.4, git-lfs, gnutls, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libksba, mysql:8.0, pki-core, postgresql:12, samba, sqlite, and zlib), Scientific Linux (389-ds-base, libksba, and pki-core), SUSE (bluez, firefox, jdom, kernel, libosip2, libxml2, multipath-tools, and python-Mako), and Ubuntu (barbican, mysql-5.7, mysql-8.0, openvswitch, and pillow).
---------------------------------------------
https://lwn.net/Articles/912324/
∗∗∗ Synology-SA-22:19 Presto File Server ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to write arbitrary files or remote authenticated users to bypass security constraint via a susceptible version of Presto File Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_19
∗∗∗ Synology-SA-22:18 DSM ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to read or write arbitrary files or remote authenticated users to access intranet resources via a susceptible version of Synology DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_18
∗∗∗ Node.js: OpenSSL and zlib update assessment, and Node.js Assessment workflow ∗∗∗
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/openssl-and-zlib-vulnerability-ass…
∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosure of information that could aid in further system attacks. (CVD-2022-38710) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to CSV Injection (CVE-2022-22425) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to incorrect permission assignment ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom…
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthorized attacker causing integrity impact (CVE-2021-2163) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-07
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 21-10-2022 18:00 − Montag 24-10-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Thousands of GitHub repositories deliver fake PoC exploits with malware ∗∗∗
---------------------------------------------
Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/thousands-of-github-reposito…
∗∗∗ Typosquat campaign mimics 27 brands to push Windows, Android malware ∗∗∗
---------------------------------------------
A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27…
∗∗∗ Kriminalität: Eltern durch Whatsapp-Betrug um Tausende Euro gebracht ∗∗∗
---------------------------------------------
Die Polizei warnt vor Trickbetrügern, die mit einer angeblichen Notlage des Kindes Eltern um ihr Geld bringen.
---------------------------------------------
https://www.golem.de/news/kriminalitaet-eltern-durch-whatsapp-betrug-um-tau…
∗∗∗ Securing IoT devices against attacks that target critical infrastructure ∗∗∗
---------------------------------------------
South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, notified its customers in August of being a target of a criminal cyberattack. This incident highlights the sophisticated threats that critical industries face today.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/10/21/securing-iot-devic…
∗∗∗ rtfdumps Find Option, (Sat, Oct 22nd) ∗∗∗
---------------------------------------------
Due to the nature of the RTF language, malicious RTF files can be very obfuscated. To the point that my tool rtfdump.py and Philippe's tool rtfobj don't find embedded objects.
---------------------------------------------
https://isc.sans.edu/diary/rss/29174
∗∗∗ C2 Communications Through outlook.com, (Mon, Oct 24th) ∗∗∗
---------------------------------------------
Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But they are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails.
---------------------------------------------
https://isc.sans.edu/diary/rss/29180
∗∗∗ SCuBA M365 Security Baseline Assessment Tool ∗∗∗
---------------------------------------------
Developed by CISA, this assessment tool verifies that an M365 tenant’s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents.
---------------------------------------------
https://github.com/cisagov/ScubaGear
∗∗∗ Cisco ISE: Angreifer könnten Kontrolle übernehmen ∗∗∗
---------------------------------------------
Cisco warnt, dass Angreifer Dateien in der Identity Services Engine lesen und löschen könnten. Die Übernahme der Kontrolle über die Geräte könnte möglich sein.
---------------------------------------------
https://heise.de/-7317442
∗∗∗ Gebrauchtwagen-Kauf: Abwicklung über Treuhandunternehmen ist Betrug ∗∗∗
---------------------------------------------
Sie sind gerade auf der Suche nach einem Gebrauchtwagen? Bedenken Sie: Nicht jedes Inserat ist seriös. Auch Kriminelle nutzen gängige Verkaufsplattformen, um betrügerische Lockangebote zu platzieren. Ein betrügerisches Angebot erkennen Sie an der Kommunikation und der Forderung, Geld an ein Treuhandkonto zu überweisen.
---------------------------------------------
https://www.watchlist-internet.at/news/gebrauchtwagen-kauf-abwicklung-ueber…
∗∗∗ So funktioniert Domain Shadowing ∗∗∗
---------------------------------------------
Cyberkriminelle nutzen schwer auffindbare Shadow Domains für verschiedene illegale Aktivitäten, einschließlich Phishing und Botnet-Operationen.
---------------------------------------------
https://www.zdnet.de/88404347/so-funktioniert-domain-shadowing/
∗∗∗ AA22-294A: #StopRansomware: Daixin Team ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa22-294a
∗∗∗ Treasure trove. Alive and well point-of-sale malware ∗∗∗
---------------------------------------------
Analysis of months-long MajikPOS and Treasure Hunter campaign that infected dozens of terminals.
---------------------------------------------
https://blog.group-ib.com/majikpos_treasurehunter_malware
∗∗∗ Attacking Very Weak RC4-Like Ciphers the Hard Way ∗∗∗
---------------------------------------------
RC4 is a popular encryption algorithm. The way it works is that a “Key Scheduling Algorithm” (KSA) takes your key and generates a 256-byte array, and then a “Pseudo-Random Generation Algorithm” (PRGA) uses that byte array to output an endless stream of bytes (the “key stream”), which look like random noise unless you know what the original byte array was.
---------------------------------------------
https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-t…
∗∗∗ Uncovering Security Blind Spots in CNC Machines ∗∗∗
---------------------------------------------
Industry 4.0 has given rise to smart factories that have markedly improved machining processes, but it has also opened the doors for cybercriminals looking to abuse networked industrial equipment such as CNC machines. Our research investigates potential cyberthreats to CNC machines and how manufacturers can mitigate the associated risks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/j/uncovering-security-blind-sp…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-10-21 and 2022-10-22 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Watson, API Connect, IBM Cloud Pak for Multicloud Management, IBM MQ Appliance, IBM Voice Gateway, Infrastructure Automation, IBM Security Identity Manager.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bluez, kernel, and lava), Fedora (ckeditor, drupal7, moby-engine, php-Smarty, and wavpack), Mageia (bind, e2fsprogs, epiphany, freerdp, kernel, kernel-linus, libconfuse, libosip2, ntfs-3g, perl-Image-ExifTool, and poppler), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-container, and thunderbird), Scientific Linux (firefox, java-1.8.0-openjdk, and java-11-openjdk), SUSE (bluez, firefox, kernel, libxml2, and Ubuntu (linux-gcp).
---------------------------------------------
https://lwn.net/Articles/912178/
∗∗∗ Missing Authentication in ZKTeco ZEM/ZMM Web Interface ∗∗∗
---------------------------------------------
The ZKTeco time attendance device does not require authentication to use theweb interface, exposing the database of employees and their credentials.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-003/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 20-10-2022 18:00 − Freitag 21-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Synology: Kritische Lücken in NAS erlauben Angreifern Ausführen von Schadcode ∗∗∗
---------------------------------------------
Synology warnt vor kritischen Sicherheitslücken in der DSM-Software einiger NAS. Angreifer könnten Schadode ausführen und unbefugt an Informationen gelangen.
---------------------------------------------
https://heise.de/-7316623
∗∗∗ F5 BIG-IP und Nginx: Hersteller stopft teils kritische Sicherheitslücken ∗∗∗
---------------------------------------------
Mehrere Sicherheitslücken in den BIG-IP- und Nginx-Systemen von F5 könnten Angreifern etwa das Ausführen von Schadcode ermöglichen. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7316039
∗∗∗ Gefahren für kritische Infrastrukturen: "Uns fehlt eine Schwachstellenanalyse" ∗∗∗
---------------------------------------------
Prof. Norbert Gebbeken, Gründer und Sprecher des Forschungszentrums RISK, über die Gefahren, die unserer kritischen Infrastruktur drohen – und was man tun kann.
---------------------------------------------
https://heise.de/-7315119
∗∗∗ Your Microsoft Exchange Server Is a Security Liability ∗∗∗
---------------------------------------------
Endless vulnerabilities. Massive hacking campaigns. Slow and technically tough patching. Its time to say goodbye to on-premise Exchange.
---------------------------------------------
https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/
∗∗∗ sczriptzzbn inject pushes malware for NetSupport RAT, (Fri, Oct 21st) ∗∗∗
---------------------------------------------
A campaign nicknamed "sczriptzzbn inject" can be identified by script using a variable named sczriptzzbn injected into files returned from a compromised website. This injected script causes a fake browser update page to appear in the victim's browser. The fake browser update page presents the malware payload for download. More information on the campaign can be found here. In previous weeks, this campaign pushed SolarMarker malware. I ran across one such example on 2022-09-27. This month, we've started seeing a payload for NetSupport RAT from the sczriptzzbn inject.
---------------------------------------------
https://isc.sans.edu/diary/rss/29170
∗∗∗ Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR ∗∗∗
---------------------------------------------
Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sid…
∗∗∗ Wordfence Evasion Malware Conceals Backdoors ∗∗∗
---------------------------------------------
Malware authors, with some notable exceptions, tend to design their malicious code to hide from sight. The techniques they use help their malware stay on the victim’s website for as long as possible and ensure execution. For example — obfuscation techniques, fake code comments, naming conventions for injections that deploy SEO spam, redirect visitors to malicious third party websites, or steal credit card information from eCommerce stores.
---------------------------------------------
https://blog.sucuri.net/2022/10/wordfence-evasion-malware-conceals-backdoor…
∗∗∗ Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware ∗∗∗
---------------------------------------------
A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victims resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report.
---------------------------------------------
https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html
∗∗∗ Threat Advisory: Monitoring CVE-2022-42889 “Text4Shell” Exploit Attempts ∗∗∗
---------------------------------------------
On October 17, 2022, the Wordfence Threat Intelligence team began monitoring for activity targeting CVE-2022-42889, or “Text4Shell” on our network of 4 million websites. We started seeing activity targeting this vulnerability on October 18, 2022. Text4Shell is a vulnerability in the Apache Commons Text library versions 1.5 through 1.9 that can be used to achieve [...]
---------------------------------------------
https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-…
∗∗∗ CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks.
---------------------------------------------
https://www.securityweek.com/cisa-tells-organizations-patch-linux-kernel-vu…
∗∗∗ Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool ∗∗∗
---------------------------------------------
Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bl…
∗∗∗ Attackers Abusing Various Remote Control Tools ∗∗∗
---------------------------------------------
Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading them to websites. The malware that is installed include infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS Bots which are used in DDoS attacks. In addition to these, backdoor and RAT are also major programs used by attackers.
---------------------------------------------
https://asec.ahnlab.com/en/40263/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-10-20 ∗∗∗
---------------------------------------------
IBM Security Verify Gateway/Bridge, IBM Enterprise Records, IBM Sterling Order Management Netty, IBM WebSphere Application Server, IBM MQ Operator, IBM Sterling Order Management, IBM Enterprise Records, IBM Netezza Host Management.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ SolarWinds Security Advisories 2022-10-19 ∗∗∗
---------------------------------------------
SolarWinds released 4 new Security Advisories (3 high, 1 medium) for SolarWinds Platform 2022.4 RC1.
---------------------------------------------
https://www.solarwinds.com/trust-center/security-advisories
∗∗∗ SSA-640732 V1.0: Authentication Bypass Vulnerability in Siveillance Video Mobile Server ∗∗∗
---------------------------------------------
The mobile server component of Siveillance Video 2022 R2 contains an authentication bypass vulnerability that could allow an unauthenticated remote attacker to access the application without a valid account.Siemens has released a hotfix for Siveillance Video 2022 R2 and recommends to apply the hotfix on all installations of the mobile server.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-640732.txt
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (poppler), Oracle (firefox and thunderbird), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk, and java-17-openjdk), SUSE (bind, clone-master-clean-up, grafana, libksba, python3, tiff, and v4l2loopback), and Ubuntu (libreoffice).
---------------------------------------------
https://lwn.net/Articles/911989/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 19-10-2022 18:00 − Donnerstag 20-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Forensic Value of Prefetch, (Thu, Oct 20th) ∗∗∗
---------------------------------------------
When a program executes on a Windows system there are many artifacts that are generated which can assist digital forensic investigations. One of particular note is the Windows Prefetch file. Found in C:\Windows\Prefetch by default, prefetch files (.pf) contain a wealth of information that can prove vital to any investigation.
---------------------------------------------
https://isc.sans.edu/diary/rss/29168
∗∗∗ Fantastic Rootkits: And Where to Find Them (Part 1) ∗∗∗
---------------------------------------------
In this blog series, we will cover the topic of rootkits — how they are built and the basics of kernel driver analysis — specifically on the Windows platform. In this first part, we will focus on some implementation examples of basic rootkit functionality and the basics of kernel driver development, as well as Windows Internals background needed to understand the inner workings of rootkits.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-…
∗∗∗ Microsoft liefert Updates gegen SSL-/TLS-Probleme durch Windows-Updates ∗∗∗
---------------------------------------------
Die aktuellen Windows-Updates für Windows 10, 11 und Server könnten Probleme bei SSL- und TLS-Verschlüsselung verursachen. Teils helfen weitere Patches dagegen.
---------------------------------------------
https://heise.de/-7314906
∗∗∗ New Malicious Clicker found in apps installed by 20M+ users ∗∗∗
---------------------------------------------
Cybercriminals are always after illegal advertising revenue. As we have previously reported, we have seen many mobile malwares masquerading as a useful tool or utility, and automatically crawling ads in the background. Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-malicious-clicker-…
∗∗∗ Social Engineering dos and don’ts ∗∗∗
---------------------------------------------
It got me thinking, again, about what makes for good social engineering (SE), and what advice would I give my younger self. These are my thoughts.
---------------------------------------------
https://www.pentestpartners.com/security-blog/social-engineering-dos-and-do…
∗∗∗ E-Mail-Konto wird migriert: Kriminelle senden betrügerische Mail an Mitarbeiter:innen ∗∗∗
---------------------------------------------
Kriminelle versenden betrügerische E-Mails und geben sich dabei als „Outlook-E-Mail-Administrator“ Ihres Unternehmens aus. Angeblich sollen die E-Mail-Konten aller Mitarbeiter:innen migriert werden. Klicken Sie nicht auf den Link.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-konto-wird-migriert-kriminell…
∗∗∗ Datenleck bei Microsoft, Kundendaten betroffen (Okt. 2022) ∗∗∗
---------------------------------------------
Bei Microsoft hat es ein größeres Datenleck gegeben, bei dem Kundendaten wohl öffentlich zugreifbar waren. Eine Sicherheitsfirma hat einen fehlkonfigurierten Server mit den Daten im Internet gefunden und Microsoft im September informiert.
---------------------------------------------
https://www.borncity.com/blog/2022/10/20/datenleck-bei-microsoft-kundendate…
∗∗∗ Vulnerability Spotlight: Vulnerabilities in Abode Systems home security kit could allow attacker to take over cameras, remotely disable them ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users of unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors.
---------------------------------------------
http://blog.talosintelligence.com/2022/10/vuln-spotlight-abode-.html
∗∗∗ LofyGang – Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year ∗∗∗
---------------------------------------------
Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.
---------------------------------------------
https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organiz…
∗∗∗ New Research: We’re Still Terrible at Passwords; Making it Easy for Attackers ∗∗∗
---------------------------------------------
We look at two of the most popular protocols used for remote administration, SSH and RDP, to get a sense of how attackers are taking advantage of weaker password management to gain access to systems.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/10/20/new-research-were-still-terribl…
∗∗∗ Black Basta and the Unnoticed Delivery ∗∗∗
---------------------------------------------
As reported by Check Point at the end of H1 2022, 1 out of 40 organizations worldwide were impacted by ransomware attacks, which constitutes a worrying 59% increase over the past year. The ransomware business continues to grow in gargantuan proportions due to the lucrative payments demanded – and often received – by cybercrime gangs.
---------------------------------------------
https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday: Oracle liefert 370 Sicherheitsupdates im Oktober ∗∗∗
---------------------------------------------
Zum Patchday, Critical Patch Update genannt, liefert Oracle eine lange Liste an Produkten mit Sicherheitslücken. 370 Updates schließen die Schwachstellen.
---------------------------------------------
https://heise.de/-7314209
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, OpenShift Container Platform 4.9.50 bug fix and, and rh-nodejs14-nodejs), SUSE (buildah, clone-master-clean-up, go1.18, go1.19, helm, jasper, libostree, nodejs16, php8, qemu, and xen), and Ubuntu (libxdmcp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oem-5.14, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-oem-5.17, and perl).
---------------------------------------------
https://lwn.net/Articles/911879/
∗∗∗ Drupal: Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-059
∗∗∗ Security Bulletin: IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-an-…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache Zookeeper (CVE-2019-0201, CVE-2021-21409) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – [CVE-2021-45105] (affecting v2.16) and [CVE-2021-45046] (affecting v2.15) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vul…
∗∗∗ F5: K24823443: Apache Commons Text vulnerability CVE-2022-42889 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24823443
∗∗∗ F5: K27155546: BIND vulnerability CVE-2022-38177 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K27155546
∗∗∗ F5: K04712583: Linux kernel vulnerability CVE-2021-40490 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04712583
∗∗∗ F5: K32615023: Linux kernel vulnerability CVE-2022-2588 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K32615023
∗∗∗ Bentley Systems MicroStation Connect ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-293-01
∗∗∗ Spring: CVE-2022-31684: Reactor Netty HTTP Server may log request headers ∗∗∗
---------------------------------------------
https://spring.io/blog/2022/10/20/cve-2022-31684-reactor-netty-http-server-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 18-10-2022 18:00 − Mittwoch 19-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Adobe patcht Illustrator außer der Reihe ∗∗∗
---------------------------------------------
Nach dem großen Patchday letzte Woche legt Adobe nun zwei Updates gegen kritische Lücken im Illustrator nach.
---------------------------------------------
https://heise.de/-7314003
∗∗∗ AMD, Google, Microsoft, Nvidia: Offengelegter Sicherheitsprozessor Caliptra ∗∗∗
---------------------------------------------
Branchenschwergewichte setzen auf RISC-V-Technik für offengelegte Hardware-Security. Sie könnte Black-Box-Umsetzungen wie Microsofts Pluton ersetzen.
---------------------------------------------
https://heise.de/-7313272
∗∗∗ Achtung Betrug: Bewerben Sie sich nicht als „Process Tester“ bei page-rangers.de ∗∗∗
---------------------------------------------
page-rangers.de bietet einen gut bezahlten Minijob als „App-Tester“. Die Arbeit wird von zu Hause aus erledigt und benötigt keine speziellen Anforderungen. Sie erhalten täglich kleine Aufträge, z. B. die Benutzerfreundlichkeit bei der Eröffnung eines Bankkontos zu testen. Doch Vorsicht: Mit diesem Job stehlen Kriminelle Ihre Identität. Mit dem erstellten Bankkonto wird in Ihrem Namen Geld gewaschen!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-betrug-bewerben-sie-sich-nic…
∗∗∗ Defenders beware: A case for post-ransomware investigations ∗∗∗
---------------------------------------------
The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/10/18/defenders-beware-a-case-…
∗∗∗ Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk ∗∗∗
---------------------------------------------
Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web [...]
---------------------------------------------
https://msrc-blog.microsoft.com/2022/10/19/awareness-and-guidance-related-t…
∗∗∗ Are Internet Scanning Services Good or Bad for You?, (Wed, Oct 19th) ∗∗∗
---------------------------------------------
I'm in Luxembourg to attend the first edition of the CTI Summit[1]. There was an interesting keynote performed by Patrice Auffret[2], the founder of Onyphe, about "Ethical Internet Scanning in 2022". They are plenty of online scanners that work 24x7 to build a map of the Internet. They scan the entire IP addresses space and look for interesting devices, vulnerabilities, etc. Big players are Shodan, Onyphe, Censys, ZoomEye, etc.
---------------------------------------------
https://isc.sans.edu/diary/rss/29164
∗∗∗ Fully undetectable Windows backdoor gets detected ∗∗∗
---------------------------------------------
SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/10/18/fully_undete…
∗∗∗ A New Attack Surface on MS Exchange Part 4 - ProxyRelay! ∗∗∗
---------------------------------------------
Hi, this is a long-time-pending article. We could have published this article earlier (the original bug was reported to MSRC in June 2021 with a 90-days Public Disclosure Policy). However, during communications with MSRC, they explained that since this is an architectural design issue, lots of code changes and testings are expected and required, so they hope to resolve this problem with a one-time CU (Cumulative Update) instead of the regular Patch Tuesday.
---------------------------------------------
https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4…
∗∗∗ Warning: "FaceStealer" iOS and Android apps steal your Facebook login ∗∗∗
---------------------------------------------
FaceStealer is back. As a seasoned threat to legitimate app stores, expect it to be gone and then back again.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2022/10/warning-facestealer-ios-and-…
∗∗∗ TeamTNT Returns – or Does It? ∗∗∗
---------------------------------------------
Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.h…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bcel, kernel, node-xmldom, and squid), Mageia (chromium-browser-stable, dhcp, dokuwiki, firefox, golang, python-joblib, sos, and unzip), Oracle (nodejs and nodejs:16), Red Hat (firefox, kernel, kernel-rt, nodejs, nodejs:14, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (git and mozilla), SUSE (amazon-ssm-agent, caasp-release, cri-o, patchinfo, release-notes-caasp, skuba, enlightenment, libreoffice, netty, nodejs12, nodejs14, [...]
---------------------------------------------
https://lwn.net/Articles/911723/
∗∗∗ Oracle Releases 370 New Security Patches With October 2022 CPU ∗∗∗
---------------------------------------------
Oracle on Tuesday announced the release of 370 patches as part of its quarterly set of security updates. The October 2022 Critical Patch Update (CPU) resolves over 50 critical-severity vulnerabilities. More than 200 of the newly released security patches deal with vulnerabilities that are remotely exploitable without authentication.
---------------------------------------------
https://www.securityweek.com/oracle-releases-370-new-security-patches-octob…
∗∗∗ Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function UPDATE A ∗∗∗
---------------------------------------------
UPDATE A (19.10.2022): Added Control block-Set CPX-CEC-C1 and Control block-SETCPX-CMXX to affected products.
Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-036/
∗∗∗ K30425568: Overview of F5 vulnerabilities (October 2022) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30425568
∗∗∗ CVE-2021-3772 Linux Kernel Vulnerability in NetApp DSA E2800 series ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-609377-bt.html
∗∗∗ Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000 ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-454166-bt.html
∗∗∗ Cisco Identity Services Engine Unauthorized File Access Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Golang Go vulnerabilities (CVE-2022-27664 and CVE-2022-32190) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v…
∗∗∗ Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by vulnerability in Dojo [CVE-2021-23450] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage…
∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-…
∗∗∗ Security Bulletin: CMIS is affected since it uses Spring Framework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cmis-is-affected-since-it…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to JUnit4 (CVE-2020-15250) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23302) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 17-10-2022 18:00 − Dienstag 18-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CVE-2022-42889: Keep Calm and Stop Saying "4Shell" ∗∗∗
---------------------------------------------
[...] The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.
In summary, much like with Spring4Shell, there are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-st…
∗∗∗ Europol: Festgenommene Autodiebe stahlen Fahrzeuge mittels Software ∗∗∗
---------------------------------------------
In Frankreich wurden 31 Mitglieder einer Diebesbande festgenommen, die Autos mit schlüssellosen Zugangssystemen per Software gestohlen haben sollen.
---------------------------------------------
https://www.golem.de/news/europol-festgenommene-autodiebe-stahlen-fahrzeuge…
∗∗∗ Sicherheit: Antivirensoftware blockiert Thunderbird-Updates ∗∗∗
---------------------------------------------
Statt für Sicherheit zu sorgen, blockieren Avast und AVG Thunderbird-Updates. Das soll bereits seit dreieinhalb Monaten der Fall sein.
---------------------------------------------
https://www.golem.de/news/sicherheit-antivirensoftware-blockiert-thunderbir…
∗∗∗ Fake-Shop Alarm: Vorsicht vor betrügerischen Solar- und Photovoltaik-Shops ∗∗∗
---------------------------------------------
Shops wie elektrox-solar.at und horizon-shot.com täuschen mit professionellem Design und gestohlenen Impressumsdaten. Lassen Sie sich von diesen Fake-Shops nicht in die Falle locken! So erkennen Sie Fake-Solar-Shops online.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-vor-betrueg…
∗∗∗ Das Salz in der Suppe: Salts als unverzichtbare Zutat bei der Passwortspeicherung für Applikationen ∗∗∗
---------------------------------------------
Die Verwendung eines Salt bei der Passwortspeicherung verhindert die Vorberechnung des Hash. Als zusätzliches Geheimnis kann ein Pepper verwendet werden.
---------------------------------------------
https://www.syss.de/pentest-blog/das-salz-in-der-suppe-salts-als-unverzicht…
∗∗∗ WordPress 6.0.3 erschienen ∗∗∗
---------------------------------------------
Gerade habe ich die Meldung erhalten, dass ein Wartungsupdate auf WordPress 6.0.3 erschienen ist. Dieses Update schließt einige Sicherheitslücken, die hier beschrieben sind.
---------------------------------------------
https://www.borncity.com/blog/2022/10/18/wordpress-6-0-3-erschienen/
∗∗∗ FLEXlm and Citrix ADM Denial of Service Vulnerability ∗∗∗
---------------------------------------------
On June 27, 2022, Citrix released an advisory for CVE-2022-27511 and CVE-2022-27512, which affect Citrix ADM (Application Delivery Management).
Rapid7 investigated these issues to better understand their impact, and found that the patch is not sufficient to prevent exploitation. We also determined that the worst outcome of this vulnerability is a denial of service - the licensing server can be told to shut down (even with the patch).
---------------------------------------------
https://www.rapid7.com/blog/post/2022/10/18/flexlm-and-citrix-adm-denial-of…
∗∗∗ Python Obfuscation for Dummies, (Tue, Oct 18th) ∗∗∗
---------------------------------------------
Recently, I found several malicious Python scripts that looked the same. They all contained the same strings at the end: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/29160
∗∗∗ I’m in your hypervisor, collecting your evidence ∗∗∗
---------------------------------------------
Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response for the past few years has been to collect small forensic artefact packages using our internal data collection utility, “acquire”, usually deployed using the clients’ preferred method of software deployment. While this method works fine in most cases, we often encounter scenarios where deploying our software is tricky or downright impossible.
---------------------------------------------
https://blog.fox-it.com/2022/10/18/im-in-your-hypervisor-collecting-your-ev…
∗∗∗ Zoom for macOS Contains High-Risk Security Flaw ∗∗∗
---------------------------------------------
Video messaging technology powerhouse Zoom has rolled out a high-priority patch for macOS users alongside a warning that hackers could abuse the software flaw to connect to and control Zoom Apps.
---------------------------------------------
https://www.securityweek.com/zoom-macos-contains-high-risk-security-flaw
∗∗∗ Dutch Police obtain 155 decryption keys for Deadbolt ransomware victims ∗∗∗
---------------------------------------------
Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware to hand over the decryption keys for 155 victims during a police operation announced last week. In a statement, the Dutch National Police said on Friday that they conducted a targeted operation where they effectively paid a ransom in [...]
---------------------------------------------
https://therecord.media/dutch-police-obtain-155-decryption-keys-for-deadbol…
∗∗∗ Alchimist: A new attack framework in Chinese for Mac, Linux and Windows ∗∗∗
---------------------------------------------
Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines.
---------------------------------------------
http://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html
∗∗∗ Software Patch Management Policy Best Practices ∗∗∗
---------------------------------------------
Explore the top risk-based patch management policy best practices to mitigate the growing threat of vulnerability exploits in your organization.
---------------------------------------------
https://www.trendmicro.com/en_us/ciso/22/j/software-patch-management-policy…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software ∗∗∗
---------------------------------------------
HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems.
---------------------------------------------
https://thehackernews.com/2022/10/critical-rce-vulnerability-discovered.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (glibc and libksba), Fedora (dhcp and kernel), Red Hat (.NET 6.0, .NET Core 3.1, compat-expat1, kpatch-patch, and nodejs:16), Slackware (xorg), SUSE (exiv2, expat, kernel, libreoffice, python, python-numpy, squid, and virtualbox), and Ubuntu (linux-azure and zlib).
---------------------------------------------
https://lwn.net/Articles/911562/
∗∗∗ Advantech R-SeeNet ∗∗∗
---------------------------------------------
Successful exploitation of these vulnerabilities could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-291-01
∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to SOAPAction spoofing (CVE-2022-38712) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to denial of service due to XStream (CVE-2021-43859) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to remove traversal due to Apache Commons IO (CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
∗∗∗ Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-…
∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy…
∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow – CVE-2022-35279 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu…
∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 14-10-2022 18:00 − Montag 17-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Prestige: Microsoft findet neue Ransomware in Polen und Ukraine ∗∗∗
---------------------------------------------
Das Sicherheitsteam von Microsoft hat eine komplett neue Ransomware-Kampagne gegen den Logistik- und Transportsektor in der Ukraine und Polen entdeckt.
---------------------------------------------
https://www.golem.de/news/prestige-microsoft-findet-neue-ransomware-in-pole…
∗∗∗ Office 365: Microsofts E-Mail-Verschlüsselung ist unsicher ∗∗∗
---------------------------------------------
Die E-Mail-Verschlüsselung von Microsoft 365 setzt auf AES in einem unsicheren Modus. Dadurch können Rückschlüsse auf die Inhalte gezogen werden.
---------------------------------------------
https://www.golem.de/news/office-365-microsofts-e-mail-verschluesselung-ist…
∗∗∗ Schwachstelle im Linux-Kernel ermöglicht Codeschmuggel via WLAN ∗∗∗
---------------------------------------------
Ein IT-Sicherheitsforscher hat Schwachstellen im Linux-Kernel gefunden. Angreifer könnten durch manipulierte WLAN-Pakete beliebigen Code einschleusen.
---------------------------------------------
https://heise.de/-7309762
∗∗∗ Support-Ende für VMware ESXi 6.5 und 6.7 - noch viele Alt-Systeme aktiv ∗∗∗
---------------------------------------------
Am 15. Oktober hat VMware den Support für VMware ESXi 6.5 und 6.7 eingestellt. Aktuellen Zahlen zufolge sind noch viele veraltete Systeme im Einsatz.
---------------------------------------------
https://heise.de/-7310412
∗∗∗ Neue Ransomware-Gang „Ransom Cartel“ ∗∗∗
---------------------------------------------
Der IT-Sicherheitsanbieter Palo Alto Networks und dessen Malware-Analyseteam Unit42 haben Erkenntnisse zu „Ransom Cartel“ gewonnen. Es handelt sich um eine Ransomware as a Service (RaaS)-Anbieter, der Mitte Dezember 2021 erstmals aufgetaucht ist.
---------------------------------------------
https://www.zdnet.de/88404159/neue-ransomware-gang-ransom-cartel/
∗∗∗ Microsoft bestätigt: Windows patzt bei der Erkennung gefährlicher Treiber – Blocklisten nicht verteilt ∗∗∗
---------------------------------------------
Eigentlich sollte Windows bekannte, bösartige Treiber beim Laden blockieren, so dass diese keinen Schaden anrichten können. Zumindest hat Microsoft dies seit Jahren behauptet. Nun hat Microsoft unter der Hand zugegeben, dass man dort gepatzt hat.
---------------------------------------------
https://www.borncity.com/blog/2022/10/17/microsoft-besttigt-windows-patzt-b…
∗∗∗ Unseriöse Werbung auf Pinterest ∗∗∗
---------------------------------------------
Wie in jedem Sozialen Netzwerk gibt es auch auf Pinterest Werbung. In letzter Zeit vermehrt von unseriösen Online-Shops für Haar-Styling-Geräte und Shaping-Hosen. Die Produkte von zevoon.de, valurabeauty.de oder lusto.de wirken zwar vielversprechend, erfahrungsgemäß werden Sie aber enttäuscht und erhalten minderwertigen Schrott aus China. Wir zeigen Ihnen, bei welchen Shops Sie lieber nicht bestellen sollten.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-werbung-auf-pinterest/
∗∗∗ New PHP information-stealing malware targets Facebook accounts ∗∗∗
---------------------------------------------
Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-php-information-stealing…
∗∗∗ Black Basta Ransomware Hackers Infiltrates Networks via Qakbot to Deploy Brute Ratel C4 ∗∗∗
---------------------------------------------
The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week.
---------------------------------------------
https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html
∗∗∗ Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis ∗∗∗
---------------------------------------------
On September 2, 2022, Zscaler Threatlabz captured an in-the-wild 0-day exploit in the Windows Common Log File System Driver (CLFS.sys) and reported this discovery to Microsoft. In the September Tuesday patch, Microsoft fixed this vulnerability that was identified as CVE-2022-37969, which is a Windows Common Log File System Driver elevation of privilege vulnerability. An attacker who successfully exploits this vulnerability may gain SYSTEM privileges.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-windows-…
∗∗∗ Free Micropatches For Bypassing "Mark of the Web" on Unzipped Files (0day) ∗∗∗
---------------------------------------------
In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the "Mark of the Web" flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as Internet, email, or a USB key. Mark of the Web (MOTW) is an important security mechanism in Windows: Windows will show a security warning before launching an executable file with MOTW;
---------------------------------------------
https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-mark-of.html
∗∗∗ New Black Lotus UEFI Rootkit Provides APT-Level Capabilities to Cybercriminals ∗∗∗
---------------------------------------------
A threat actor is promoting on underground criminal forums a vendor-independent UEFI rootkit that can disable security software and controls, cybersecurity veteran Scott Scheferman warns.
---------------------------------------------
https://www.securityweek.com/new-black-lotus-uefi-rootkit-provides-apt-leve…
∗∗∗ Detecting Emerging Network Threats From Newly Observed Domains ∗∗∗
---------------------------------------------
We discuss how to discover potential threats among newly observed domains at the time they begin to carry attack traffic.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/
∗∗∗ CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool ∗∗∗
---------------------------------------------
CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/10/14/cisa-releases-red…
∗∗∗ Stories from the SOC: Feeling so foolish – SocGholish drive by compromise ∗∗∗
---------------------------------------------
SocGholish, also known as FakeUpdate, is a JavaScript framework leveraged in social engineering drive by compromises that has been a thorn in cybersecurity professionals’ and organizations’ sides for at least 5 years now. Upon visiting a compromised website, users are redirected to a page for a browser update and a zip archive file containing a malicious JavaScript file is downloaded and unfortunately often opened and executed by the fooled end user.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-10-14 ∗∗∗
---------------------------------------------
IBM InfoSphere Information Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct for HP NonStop, IBM Sterling File Gateway
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ MiniDVBLinux 5.4 Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Arbitrary File Read Vulnerability, Remote Root Command Execution Vulnerability, Remote Root Command Injection Vulnerability, Unauthenticated Stream Disclosure Vulnerability, Change Root Password PoC, Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit, Config Download Exploit
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults ∗∗∗
---------------------------------------------
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with [...]
---------------------------------------------
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (python-django), Fedora (apptainer, kernel, python3.6, and vim), Gentoo (assimp, deluge, libvirt, libxml2, openssl, rust, tcpreplay, virglrenderer, and wireshark), Slackware (zlib), SUSE (chromium, python3, qemu, roundcubemail, and seamonkey), and Ubuntu (linux-aws-5.4 and linux-ibm).
---------------------------------------------
https://lwn.net/Articles/911461/
∗∗∗ WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-042/
∗∗∗ WAGO: Multiple Vulnerabilities in Controller with WAGO I/O-Pro / CODESYS 2.3 Runtime ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-040/
∗∗∗ TRUMPF TruTops prone to improper access control ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-023/
∗∗∗ Gitea: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1742
∗∗∗ Linux Kernel: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1741
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 13-10-2022 18:00 − Freitag 14-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Infostealer: Was ist das, wie werden sie verbreitet und wie lassen sie sich aufhalten? ∗∗∗
---------------------------------------------
Infostealer sind eine schädliche Software, die darauf ausgelegt ist, Ihre vertraulichen Daten zu stehlen. Hier erfahren Sie, was genau sie sind, wie sie verbreitet werden und wie sie sich aufhalten lassen.
---------------------------------------------
https://blog.emsisoft.com/de/41944/infostealer-was-ist-das-wie-werden-sie-v…
∗∗∗ Magniber ransomware now infects Windows users via JavaScript files ∗∗∗
---------------------------------------------
A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/magniber-ransomware-now-infe…
∗∗∗ What the Uber Hack can teach us about navigating IT Security ∗∗∗
---------------------------------------------
The recent Uber cyberattack shows us the myriad tactics employed by threat actors to breach corporate networks. Learn more about these tactics used and how to navigate IT Security.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/what-the-uber-hack-can-teach…
∗∗∗ Microsoft 365 Message Encryption Can Leak Sensitive Info ∗∗∗
---------------------------------------------
The default email encryption used in Microsoft Offices cloud version is leaky, which the company acknowledged but said it wouldnt fix.
---------------------------------------------
https://www.darkreading.com/application-security/microsoft-365-message-encr…
∗∗∗ Hunting for Cobalt Strike: Mining and plotting for fun and profit ∗∗∗
---------------------------------------------
Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you have Cobalt Strike [...]
---------------------------------------------
https://msrc-blog.microsoft.com/2022/10/13/hunting-for-cobalt-strike-mining…
∗∗∗ Improvements in Security Update Notifications Delivery - And a New Delivery Method ∗∗∗
---------------------------------------------
At MSRC, we are passionate about ensuring our customers have a positive experience when they use the Microsoft Security Update Guide (SUG). A big part of improving that experience is ensuring that customers have timely and easily accessible notifications. As such we have two important announcements to share about changes to the way we provide notifications.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/10/12/14921/
∗∗∗ Analysis of a Malicious HTML File (QBot), (Thu, Oct 13th) ∗∗∗
---------------------------------------------
Reader Eric submitted a malicious HTML page that contains BASE64 images with malware.
---------------------------------------------
https://isc.sans.edu/diary/rss/29146
∗∗∗ Firefoxs New Service Gives You a Burner Phone Number To Cut Down on Spam ∗∗∗
---------------------------------------------
Firefox Relay, a Mozilla service designed to hide your "real" email address by giving you virtual ones to hand out, is expanding to offer virtual phone numbers. From a report: In a blog post Mozilla product manager Tony Amaral-Cinotto explains that the relay service generates a phone number for you to give out to companies if you suspect they might use it to send you spam messages in the future, or if you think they might share it with others who will.
---------------------------------------------
https://news.slashdot.org/story/22/10/13/1124240/firefoxs-new-service-gives…
∗∗∗ PiRogue Tool Suite Mobile forensic & network analysis on a Raspberry Pie ∗∗∗
---------------------------------------------
PiRogue tool suite (PTS) is an open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting mobile devices both Android and iOS, internet of things devices (devices that are connected to the user mobile apps), and in general any device using wi-fi to connect to the Internet.
---------------------------------------------
https://pts-project.org/
∗∗∗ PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin ∗∗∗
---------------------------------------------
Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts.
---------------------------------------------
https://www.securityweek.com/poc-published-fortinet-vulnerability-mass-expl…
∗∗∗ Ransom Cartel Ransomware: A Possible Connection With REvil ∗∗∗
---------------------------------------------
Ransom Cartel is ransomware as a service (RaaS) that exhibits several similarities to and technical overlaps with REvil ransomware. Read our overview.
---------------------------------------------
https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/
∗∗∗ Seven tips to run effective security awareness campaigns ∗∗∗
---------------------------------------------
Planning large-scale security awareness campaigns throws up many questions to grapple with. How can you make sure your campaign reaches the right people? What’s the best way to inspire them to take action? And how do you run a security awareness campaign so realistic it gets banned by the national post office?
---------------------------------------------
https://connect.geant.org/2022/10/14/seven-tips-to-run-effective-security-a…
∗∗∗ Shodan Verified Vulns 2022-10-01 ∗∗∗
---------------------------------------------
Mit Stand 2022-10-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2022/10/shodan-verified-vulns-2022-10-01
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Performance Management, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Cloud Pak System
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (dbus, dhcp, expat, kernel, thunderbird, vim, and weechat), Mageia (libofx, lighttpd, mediawiki, and python), Oracle (.NET 6.0 and .NET Core 3.1), Slackware (python3), SUSE (chromium, kernel, libosip2, python-Babel, and python-waitress), and Ubuntu (gThumb, heimdal, linux-aws, linux-gcp-4.15, linux-aws-hwe, linux-gcp, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, postgresql-9.5, and xmlsec1).
---------------------------------------------
https://lwn.net/Articles/911168/
∗∗∗ Hitachi Energy Lumada Asset Performance Management Prognostic Model Executor Service ∗∗∗
---------------------------------------------
This advisory contains mitigations for Allocation of Resources Without Limits or Throttling and Code Injection vulnerabilities in versions of Hitachi Energy Lumada Asset Performance Manager (APM) software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-286-05
∗∗∗ OpenSSL Infinite loop when parsing certificates CVE-2022-0778 ∗∗∗
---------------------------------------------
Version: 1.7, Date: 14-Oct-2022, Description: Fixed product(s) lists are updated: GMS, Analytics, SonicWave, SonicSwitch, Connect Tunnel Client.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
∗∗∗ Joomla KSAdvertiser 2.5.37 Cross Site Scripting ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022100035
∗∗∗ Android App "IIJ SmartKey" vulnerable to information disclosure ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN74534998/
∗∗∗ Pulse Secure Pulse Connect Secure: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1717
∗∗∗ Red Hat Enterprise Linux (Advanced Cluster Management): Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1715
∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1719
∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1720
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 12-10-2022 18:00 − Donnerstag 13-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Alchimist attack framework targets Windows, macOS, Linux ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new attack and C2 framework called Alchimist, which appears to be actively used in attacks targeting Windows, Linux, and macOS systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-alchimist-attack-framewo…
∗∗∗ SiteCheck Malware Trends Report – Q3 2022 ∗∗∗
---------------------------------------------
Our free SiteCheck remote website scanner provides immediate insights about malware infections, blocklisting, website anomalies, and errors for millions of webmasters every month. Best of all, conducting a remote website scan is one of the easiest ways to identify security issues.
---------------------------------------------
https://blog.sucuri.net/2022/10/sitecheck-malware-trends-report-2022-q3.html
∗∗∗ Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers ∗∗∗
---------------------------------------------
Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail.
---------------------------------------------
https://thehackernews.com/2022/10/researchers-uncover-custom-backdoors.html
∗∗∗ VPN-Problem: Apple-Apps leaken Daten unter iOS ∗∗∗
---------------------------------------------
Der iPhone-VPN-Dienst scheint noch immer nicht sauber zu laufen. Ein Sicherheitsforscher warnt vor Leaks insbesondere aus Apple-eigenen Apps.
---------------------------------------------
https://heise.de/-7307198
∗∗∗ Top 5 ransomware detection techniques: Pros and cons of each ∗∗∗
---------------------------------------------
In the fight against ransomware, much of the discussion revolves around prevention and response. Actually detecting the ransomware, however, is just as important to securing your business. To understand why, just consider the following example.
---------------------------------------------
https://www.malwarebytes.com/blog/business/2022/10/top-5-ransomware-detecti…
∗∗∗ MS Enterprise app management service RCE. CVE-2022-35841 ∗∗∗
---------------------------------------------
TL;DR A remote command execution and local privilege escalation vulnerability has been fixed by Microsoft as part of September’s patch Tuesday. The vulnerability, filed under CVE-2022-35841, affects the Enterprise App Management Service which handles the installation of enterprise applications deployed via MDM.
---------------------------------------------
https://www.pentestpartners.com/security-blog/ms-enterprise-app-management-…
∗∗∗ Some Vulnerabilities Don’t Have a Name ∗∗∗
---------------------------------------------
There is a common assumption that all open source vulnerabilities hold a CVE. Still, others believe that the National Vulnerability Database (NVD) has the final word when deciding what is a vulnerability and what is not. However, can a vulnerability exist that isn’t tracked by a CVE, or is not in the NVD?
---------------------------------------------
https://checkmarx.com/blog/some-vulnerabilities-dont-have-a-name/
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdates: Kritische Lücken in WAN-Managementsystem von Aruba ∗∗∗
---------------------------------------------
Zwei kritische Schwachstellen in Aruba EdgeConnect Orchestrator gefährden Netzwerke.
---------------------------------------------
https://heise.de/-7307059
∗∗∗ CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface ∗∗∗
---------------------------------------------
An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0030
∗∗∗ Juniper Security Bulletins 2022-10-12 ∗∗∗
---------------------------------------------
Juniper has released 37 security advisories.
---------------------------------------------
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor…
∗∗∗ Schwachstelle in JavaScript-Sandbox vm2 erlaubt Ausbruch aus der Isolation ∗∗∗
---------------------------------------------
Wer eine Version kleiner 3.9.11 von vm2 verwendet, sollte die Sandbox aktualisieren, da eine Schwachstelle das Ausführen von Remote-Code auf dem Host erlaubt.
---------------------------------------------
https://heise.de/-7306752
∗∗∗ Groupware Zimbra: Updates stopfen mehrere Sicherheitslecks ∗∗∗
---------------------------------------------
In der Groupware Zimbra beheben die Entwickler mehrere sicherheitsrelevante Fehler. Angreifer könnten die Instanz kompromittieren oder ihre Rechte ausweiten.
---------------------------------------------
https://heise.de/-7307521
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice, rexical, ruby-nokogiri, and squid), Fedora (wavpack), Red Hat (expat), SUSE (gdcm, orthanc, orthanc-gdcm, orthanc-webviewer and rubygem-puma), and Ubuntu (GMP and unzip).
---------------------------------------------
https://lwn.net/Articles/911042/
∗∗∗ Trellix ePolicy Orchestrator: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Trellix ePolicy Orchestrator ausnutzen, um Dateien zu manipulieren oder einen Cross-Site-Scripting-Angriff durchzuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1700
∗∗∗ Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service ∗∗∗
---------------------------------------------
Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.
---------------------------------------------
http://blog.talosintelligence.com/2022/10/vuln-spotlight-robustel-router.ht…
∗∗∗ Sonicwall: GMS File Path Manipulation ∗∗∗
---------------------------------------------
An unauthenticated attacker can gain access to web directory containing applications binaries and configuration files through file path manipulation vulnerability.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0021
∗∗∗ Drupal: Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-058
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: Hortonworks DataFlow product has log messages vulnerable to arbitrary code execution, denial of service, and remote code execution due to Apache Log4j vulnerabilities [CVE-2021-44228], [CVE-2021-45105], and [CVE-2021-45046] ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-hortonworks-dataflow-prod…
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: Vulnerabilities in Java affect IBM WIoTP MessageGateway (CVE-2021-213) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a…
∗∗∗ Dell BIOS: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1705
∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1702
∗∗∗ Mitel MiVoice Connect: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1706
∗∗∗ Pulse Secure SA45520 - CVEs (CVE-2022-35254,CVE-2022-35258) may lead to DoS attack ∗∗∗
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily