=====================
= End-of-Day report =
=====================

Timeframe: Tuesday 23-08-2022 18:00 - Wednesday 24-08-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
=       News        =
=====================
*** Fake Chrome extension Internet Download Manager has 200,000 installs ***
---------------------------------------------
Google Chrome extension Internet Download Manager installed by more than 200,000 users is adware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-chrome-extension-interne...
*** Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams ***
---------------------------------------------
A new business email compromise (BEC) campaign has been discovered combining sophisticated spear-phishing with Adversary-in-The-Middle (AiTM) tactics to hack corporate executives' Microsoft 365 accounts, even those protected by MFA.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-mo...
*** Ransomware updates & 1-day exploits ***
---------------------------------------------
In this report, we discuss the new multi-platform ransomware RedAlert (aka N13V) and Monster, as well as private 1-day exploits for the CVE-2022-24521 vulnerability.
---------------------------------------------
https://securelist.com/ransomware-updates-1-day-exploits/107291/
*** Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC, (Wed, Aug 24th) ***
---------------------------------------------
On Monday, 2022-08-22, I generated an IcedID (Bokbot) infection based on Monster Libra (also known as TA551 or Shathak).
---------------------------------------------
https://isc.sans.edu/diary/rss/28974
*** Bomber is an application that scans SBoMs for security vulnerabilities. ***
---------------------------------------------
So you've asked a vendor for a Software Bill of Materials (SBOM) for one of their products, and they provided one to you in a JSON file... now what?
---------------------------------------------
https://github.com/devops-kung-fu/bomber
*** Cyber attack: Greek gas grid operator Desfa victim of ransomware gang ***
---------------------------------------------
The ransomware gang behind Ragnar Locker has broken into the networks of Desfa, the operator of the Greek natural gas grid. Supply remains secured.
---------------------------------------------
https://heise.de/-7241322
*** Breach at Plex: data siphoned off, password change required ***
---------------------------------------------
Malicious actors have apparently broken into the databases of the streaming service and media server Plex. There they were able to steal personal data.
---------------------------------------------
https://heise.de/-7241975
*** Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems ***
---------------------------------------------
A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices.
---------------------------------------------
https://www.securityweek.com/ethernet-leds-can-be-used-exfiltrate-data-air-g...
*** Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity ***
---------------------------------------------
Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT).
---------------------------------------------
https://www.securityweek.com/old-inconspicuous-vulnerabilities-commonly-targ...
*** HavanaCrypt ransomware disguises itself as a Google update ***
---------------------------------------------
The newly discovered HavanaCrypt ransomware uses sophisticated techniques and disguises itself as a Google update. There have been no ransom demands so far.
---------------------------------------------
https://www.zdnet.de/88403049/havanacrypt-ransomware-tarnt-sich-als-google-u...
*** But You Told Me You Were Safe: Attacking the Mozilla Firefox Sandbox (Part 2) ***
---------------------------------------------
In this blog post, we discuss a second prototype pollution vulnerability that allowed the execution of attacker-controlled JavaScript in the privileged parent process, escaping the sandbox.
---------------------------------------------
https://www.thezdi.com/blog/2022/8/23/but-you-told-me-you-were-safe-attackin...
*** BitRAT and XMRig CoinMiner Being Distributed via Windows License Verification Tool ***
---------------------------------------------
The ASEC analysis team has recently discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool.
---------------------------------------------
https://asec.ahnlab.com/en/37939/
*** AsyncRAT Being Distributed in Fileless Form ***
---------------------------------------------
The ASEC analysis team has recently discovered that malicious AsyncRAT codes are being distributed in fileless form.
---------------------------------------------
https://asec.ahnlab.com/en/37954/
=====================
=  Vulnerabilities  =
=====================
*** Dangerous vulnerabilities threaten the security of critical infrastructure ***
---------------------------------------------
Attackers could attack industrial control systems and, in the worst case, gain full control. Security updates are available.
---------------------------------------------
https://heise.de/-7241733
*** GitLab updates close critical security vulnerability ***
---------------------------------------------
The developers have released updated versions of the GitLab Community and Enterprise Edition that close a critical security vulnerability.
---------------------------------------------
https://heise.de/-7241481
*** Security updates for Wednesday ***
---------------------------------------------
Security updates have been issued by Fedora (vim), SUSE (cosign, dpdk, freeciv, gfbgraph, kernel, nim, p11-kit, perl-HTTP-Daemon, python-lxml, and python-treq), and Ubuntu (linux-oem-5.14, open-vm-tools, and twisted).
---------------------------------------------
https://lwn.net/Articles/905853/
*** Oracle SBC: Multiple Security Vulnerabilities Leading to Unauthorized Access and Denial of Service ***
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/oracle-sbc-m...
*** Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ***
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gove...
*** Security Bulletin: A security vulnerability has been identified in IBM Java SDK shipped with IBM Tivoli Business Service Manager (CVE-2021-35603) ***
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-h...
*** Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities ***
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-v...
*** Security Bulletin: IBM Security Verify Governance is vulnerable to Denial of Service (CVE-2021-35578) ***
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-govern...
*** Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ***
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gove...
*** Security Bulletin: IBM Security Verify Governance is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ***
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-govern...
*** Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities ***
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-includes-c...
*** VMSA-2022-0024 ***
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0024.html
*** vim: vulnerability allows code execution ***
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1157
*** Jenkins plugins: multiple vulnerabilities ***
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1166
*** F-Secure products: multiple vulnerabilities allow denial of service ***
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1165
*** tribe29 checkmk: vulnerability allows disclosure of information ***
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1160
*** Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird ***
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/08/23/mozilla-releases-s...