=====================
= End-of-Day report =
=====================

Timeframe: Friday 16-12-2022 18:00 - Monday 19-12-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer

=====================
=       News        =
=====================
∗∗∗ Infostealer Malware with Double Extension, (Sun, Dec 18th) ∗∗∗
---------------------------------------------
Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a RAR archive, which is somewhat unusual for this type of file archive, but when extracted it comes out with the double extension .pdf.exe. The file is a trojan infostealer and is detected by multiple scanning engines.
---------------------------------------------
https://isc.sans.edu/diary/rss/29354
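One way to flag this pattern in a mail-gateway or sandbox triage script, as an added example that is not from the ISC diary: the function names, the extension lists and the sample archive header bytes below are my own constructions, and the RAR/ZIP/gzip/compress magic values are taken from the public format specifications. The script checks two things the diary mentions: the container bytes do not match what the archive extension claims, and an extracted member carries a document-looking decoy extension followed by an executable one.

```python
"""Flag attachments using the double-extension / mismatched-archive trick.

Added example, not code from the ISC diary. Names, lists and sample bytes
are constructed for the demo.
"""
from __future__ import annotations

# Final extensions Windows will execute on double-click (assumption: a
# representative subset, extend for your environment).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
# Decoy extensions that make a file look like a harmless document.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}

# Magic bytes of common archive containers, from the public format specs.
MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x1f\x9d": "compress",          # classic .Z
    b"7z\xbc\xaf\x27\x1c": "7z",
}
# Which container type(s) each archive extension normally holds
# (assumption: lowercase .z is treated as compress or gzip here).
EXPECTED_CONTAINER = {
    "z": {"compress", "gzip"}, "gz": {"gzip"}, "zip": {"zip"},
    "rar": {"rar"}, "7z": {"7z"},
}


def has_double_extension(name: str) -> bool:
    """True for names like payment_copy.pdf.exe: decoy ext, then executable ext.

    Each part is stripped so whitespace padding ("invoice.pdf      .exe")
    is caught as well.
    """
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def sniff_container(header: bytes) -> str | None:
    """Identify the archive format from its leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def container_mismatch(name: str, header: bytes) -> bool:
    """True when the extension claims one archive format but the bytes are another."""
    ext = name.lower().rsplit(".", 1)[-1]
    expected = EXPECTED_CONTAINER.get(ext)
    actual = sniff_container(header)
    return expected is not None and actual is not None and actual not in expected


def triage(attachment_name: str, header: bytes, members: list[str]) -> list[str]:
    """Return findings for one attachment and the names of its extracted members."""
    findings = []
    if container_mismatch(attachment_name, header):
        findings.append(
            f"container mismatch: {attachment_name} is actually {sniff_container(header)}")
    for member in members:
        if has_double_extension(member):
            findings.append(f"double extension: {member}")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the diary's case: a .z name holding RAR bytes.
    sample_header = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8
    for finding in triage("payment_copy.pdf.z", sample_header, ["payment_copy.pdf.exe"]):
        print(finding)
```

Either finding on its own is a reason to quarantine the message; in the diary's sample both fire. Real member names would come from listing the archive (e.g. with a RAR library) rather than from the constructed list used here.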
∗∗∗ Day 3 — Next Level Font Obfuscation ∗∗∗
---------------------------------------------
Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable.
---------------------------------------------
https://medium.com/@doctoreww/day-3-next-level-font-obfuscation-7a6cd978c7a5
∗∗∗ Venom ∗∗∗
---------------------------------------------
Venom is a C++ library that is meant to give an alternative way to communicate: instead of creating a socket that could be traced back to the process, it creates a new "hidden" (no window is shown) detached Edge process (Edge was chosen because it is a browser that is installed on every Windows 10+ system and won't raise suspicion) and steals one of its sockets to perform the network operations.
---------------------------------------------
https://github.com/Idov31/Venom
∗∗∗ Exploiting API Framework Flexibility ∗∗∗
---------------------------------------------
Modern frameworks are often very flexible in what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL-encoded body, or even with query parameters. Because of this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative delivery methods.
---------------------------------------------
https://attackshipsonfi.re/p/exploiting-api-framework-flexibility
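To see why the delivery channel decides exploitability, here is an added example (not code from the linked post) with a minimal stand-in for a framework's parameter lookup. `Request`, `permissive_param`, `strict_param`, `search_handler` and `demo` are hypothetical names of mine, the reflected `PAYLOAD` is a constructed sample, and the "framework" is only the merge-all-sources lookup the post describes, not any real library's API.

```python
"""Parameter-source flexibility: a JSON-only XSS reached via GET link or form POST.

Added example, not code from the linked post. The mini framework below stands
in for a permissive lookup that consults JSON body, form body and query string.
"""
import json
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode


@dataclass
class Request:
    method: str
    path: str
    query: str = ""          # raw query string, e.g. "q=abc"
    content_type: str = ""
    body: str = ""


def _media_type(req: Request) -> str:
    return req.content_type.split(";")[0].strip().lower()


def _query_params(req: Request) -> dict:
    return {k: v[0] for k, v in parse_qs(req.query).items()}


def _body_params(req: Request) -> dict:
    """Parse the body according to its declared content type."""
    ct = _media_type(req)
    if ct == "application/json":
        try:
            data = json.loads(req.body)
        except ValueError:
            return {}
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    if ct == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(req.body).items()}
    return {}


def permissive_param(req: Request, name: str):
    """Flexible lookup (the pattern the post warns about): body wins, query fills in."""
    return {**_query_params(req), **_body_params(req)}.get(name)


def strict_param(req: Request, name: str, source: str):
    """Hardened lookup: only the declared source and content type are consulted."""
    if source == "json":
        if req.method != "POST" or _media_type(req) != "application/json":
            return None
        return _body_params(req).get(name)
    if source == "query":
        return _query_params(req).get(name)
    raise ValueError(f"unknown source {source!r}")


def search_handler(req: Request, lookup) -> str:
    """Reflects the parameter without encoding: this is the XSS sink under test."""
    q = lookup(req) or ""
    return f"<h1>Results for {q}</h1>"


PAYLOAD = "<img src=x onerror=alert(1)>"   # constructed sample payload


def demo() -> dict:
    """Deliver the same payload through three channels; return what the sink emits."""
    encoded = urlencode({"q": PAYLOAD})
    json_post = Request("POST", "/search", content_type="application/json",
                        body=json.dumps({"q": PAYLOAD}))
    get_link = Request("GET", "/search", query=encoded)
    form_post = Request("POST", "/search",
                        content_type="application/x-www-form-urlencoded", body=encoded)
    flex = lambda r: permissive_param(r, "q")
    strict = lambda r: strict_param(r, "q", "json")
    return {
        # Intended channel. Cross-origin, a JSON fetch needs a CORS preflight,
        # so an attacker page cannot deliver it with the victim's cookies.
        "json_permissive": search_handler(json_post, flex),
        # Same handler reached by a plain link: no preflight, just a click.
        "get_permissive": search_handler(get_link, flex),
        # Form POST is CORS-safelisted, so an auto-submitting form works too.
        "form_permissive": search_handler(form_post, flex),
        # Hardened lookup: the link and form vectors no longer reach the sink.
        "get_strict": search_handler(get_link, strict),
        "form_strict": search_handler(form_post, strict),
    }


if __name__ == "__main__":
    for channel, html in demo().items():
        print(f"{channel:16} {html}")
```

The flip matters because a cross-origin `fetch` with `Content-Type: application/json` triggers a CORS preflight that the target will reject, while a GET link or an auto-submitted `application/x-www-form-urlencoded` form is a request the browser sends with the victim's cookies and no preflight. Binding each parameter to its intended source and rejecting unexpected content types closes those alternative paths; output-encoding the reflection (for example with `html.escape`) remains the primary fix for the sink itself.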
∗∗∗ Fake shops and phishing SMS: the scams of the online Christmas season ∗∗∗
---------------------------------------------
Christmas also means peak season for fraudsters who go after their victims' money with fake shops and misleading SMS messages.
---------------------------------------------
https://www.derstandard.at/story/2000141845543/fake-shops-und-phishing-sms-d...

∗∗∗ BSI presents 19 IT-Grundschutz modules as Final Drafts ∗∗∗
---------------------------------------------
A short note for administrators and IT service providers active in the enterprise environment. This week the Federal Office for Information Security (BSI) presented 19 so-called IT-Grundschutz modules (Bausteine) as Final Drafts. They range from .NET and Active Directory Domain Services to Windows Server.
---------------------------------------------
https://www.borncity.com/blog/2022/12/18/bsi-legt-19-it-grundschutz-baustein...
=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Security Advisories 2022-12-16 - 2022-12-18 ∗∗∗
---------------------------------------------
Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=...
∗∗∗ HP addresses malicious-code vulnerabilities with BIOS updates ∗∗∗
---------------------------------------------
Security updates close several vulnerabilities in HP computers. Some of the flaws affect AMD systems only.
---------------------------------------------
https://heise.de/-7398783
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).
---------------------------------------------
https://lwn.net/Articles/918203/
∗∗∗ Synology-SA-22:24 Samba AD DC ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraints via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_24
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329 ∗∗∗
---------------------------------------------
Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash.
---------------------------------------------
https://support.citrix.com/article/CTX473048/citrix-hypervisor-security-bull...

∗∗∗ Zenphoto vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN06093462/

∗∗∗ Corel Roxio Creator LJB starts a program with an unquoted file path ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN13075438/

∗∗∗ ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1681/

∗∗∗ DLL Search Order Hijacking Vulnerability in the DWG TrueView™ Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0024

∗∗∗ Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6845928

∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6841801

∗∗∗ IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848587

∗∗∗ IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848585

∗∗∗ IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848583

∗∗∗ IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848577

∗∗∗ UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848581

∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848847

∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848879