=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 20-12-2022 18:00 - Wednesday 21-12-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a
=====================
=       News        =
=====================
∗∗∗ Hackers bombard PyPi platform with information-stealing malware ∗∗∗
---------------------------------------------
The PyPI Python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers' data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platform...

∗∗∗ VirusTotal cheat sheet makes it easy to search for specific results ∗∗∗
---------------------------------------------
VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makes-...

∗∗∗ FBI warns of search engine ads pushing malware, phishing ∗∗∗
---------------------------------------------
The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-ad...

∗∗∗ Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT ∗∗∗
---------------------------------------------
After Microsoft announced this year that macros from the Internet will be blocked by default in Office, many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files to distribute their malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-ma...

∗∗∗ Fake jQuery Domain Redirects Site Visitors to Scam Pages ∗∗∗
---------------------------------------------
A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing.
---------------------------------------------
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-s...

∗∗∗ Parental control apps: smart kids could attack their parents ∗∗∗
---------------------------------------------
Security researchers examined Android apps that parents use to restrict their children's internet access. Vulnerabilities in these apps weaken that protection.
---------------------------------------------
https://heise.de/-7435146

∗∗∗ Adult popunder campaign used in mainstream ad fraud scheme ∗∗∗
---------------------------------------------
Taking advantage of cost-effective and high-traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunder...

∗∗∗ Meddler-in-the-Middle Phishing Attacks Explained ∗∗∗
---------------------------------------------
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.
---------------------------------------------
https://unit42.paloaltonetworks.com/meddler-phishing-attacks/

∗∗∗ Godfather: A banking Trojan that is impossible to refuse ∗∗∗
---------------------------------------------
Group-IB discovers a banking Trojan targeting users of more than 400 apps in 16 countries.
---------------------------------------------
https://blog.group-ib.com/godfather-trojan

∗∗∗ Didn't Notice Your Rate Limiting: GraphQL Batching Attack ∗∗∗
---------------------------------------------
In this article, we will discuss how allowing multiple queries or requesting multiple object instances in a single network call can be abused, leading to massive data leaks or Denial of Service (DoS).
---------------------------------------------
https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching-...
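As an added illustration of the batching problem described in the Checkmarx item above (this is not code from the article): a Python model of two rate limiters. The first charges one unit per HTTP request, so a login brute-force packed into one request, either as a JSON array batch or as many aliased root fields in a single operation, goes through unmetered. The second caps the batch size and charges every root field of every operation. The `login` mutation and its schema, the 10-unit limit and the batch cap of 5 are hypothetical, and the field counter is a minimal tokenizer rather than a full GraphQL parser.

```python
import json
import re
from typing import List

# Hypothetical policy shared by both limiters: 10 units of work per client per window.
LIMIT = 10


def split_batch(body: str) -> List[dict]:
    """A GraphQL HTTP body is one {"query": ...} object or, with batching enabled, an array of them."""
    parsed = json.loads(body)
    return parsed if isinstance(parsed, list) else [parsed]


def count_root_fields(query: str) -> int:
    """Count root-level field selections in a GraphQL document, aliased ones included.

    Minimal tokenizer, not a parser: a name at selection-set depth 1 and outside
    argument parentheses is a root field; an alias ("x: field") is not counted
    twice; directive names (@include) are skipped. A fragment spread at the root
    counts as one field, so the result is a floor on the real cost, not an exact value.
    """
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)  # drop string literals
    query = re.sub(r'#[^\n]*', '', query)               # drop comments
    tokens = re.findall(r'[A-Za-z_]\w*|\$[A-Za-z_]\w*|\S', query)
    brace = paren = count = 0
    skip_next_name = False  # set after "@": the directive name is not a field
    for i, tok in enumerate(tokens):
        if tok == '{':
            brace += 1
        elif tok == '}':
            brace -= 1
        elif tok == '(':
            paren += 1
        elif tok == ')':
            paren -= 1
        elif tok == '@':
            skip_next_name = True
        elif tok[0].isalpha() or tok[0] == '_':
            if skip_next_name:
                skip_next_name = False
            elif brace == 1 and paren == 0:
                is_alias = i + 1 < len(tokens) and tokens[i + 1] == ':'
                if not is_alias:
                    count += 1
    return count


class PerRequestLimiter:
    """Naive limiter: one HTTP request costs one unit, whatever it contains."""

    def __init__(self, limit: int = LIMIT):
        self.limit, self.used = limit, 0

    def allow(self, body: str) -> bool:
        if self.used + 1 > self.limit:
            return False
        self.used += 1
        return True


class PerOperationLimiter:
    """Hardened limiter: caps the batch size and charges every root field of every operation."""

    def __init__(self, limit: int = LIMIT, max_batch: int = 5):
        self.limit, self.max_batch, self.used = limit, max_batch, 0

    def allow(self, body: str) -> bool:
        ops = split_batch(body)
        if len(ops) > self.max_batch:
            return False
        cost = sum(count_root_fields(op["query"]) for op in ops)
        if self.used + cost > self.limit:
            return False
        self.used += cost
        return True


def work_executed(limiter, bodies: List[str]) -> int:
    """Root fields the backend would actually execute for the requests the limiter lets through."""
    total = 0
    for body in bodies:
        if limiter.allow(body):
            total += sum(count_root_fields(op["query"]) for op in split_batch(body))
    return total


def login_attempt(password: str) -> str:
    # Constructed sample mutation against a hypothetical schema.
    return 'mutation { login(username: "alice", password: "%s") { token } }' % password


def batched_bruteforce(n: int) -> str:
    """Attack 1: array batching, n complete operations in one HTTP request."""
    return json.dumps([{"query": login_attempt("pw%d" % i)} for i in range(n)])


def aliased_bruteforce(n: int) -> str:
    """Attack 2: alias batching, n root fields in one operation (works even with array batching off)."""
    fields = " ".join('a%d: login(username: "alice", password: "pw%d") { token }' % (i, i)
                      for i in range(n))
    return json.dumps({"query": "mutation { %s }" % fields})


if __name__ == "__main__":
    payloads = [batched_bruteforce(50), aliased_bruteforce(50)]
    print("per-request limiter executed:", work_executed(PerRequestLimiter(), payloads))      # 100
    print("per-operation limiter executed:", work_executed(PerOperationLimiter(), payloads))  # 0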
∗∗∗ A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 ∗∗∗
---------------------------------------------
This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP bypass that we discovered more recently, in this report.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-2...

∗∗∗ Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks ∗∗∗
---------------------------------------------
In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group...
=====================
=  Vulnerabilities  =
=====================
∗∗∗ Patch now! Attacks on Exchange Server seen in the ProxyNotShell context ∗∗∗
---------------------------------------------
Security researchers warn of a new exploit that bypasses the ProxyNotShell mitigations. Security updates are available.
---------------------------------------------
https://heise.de/-7434860

∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils).
---------------------------------------------
https://lwn.net/Articles/918313/

∗∗∗ Passwordless Persistence and Privilege Escalation in Azure ∗∗∗
---------------------------------------------
Adversaries are always looking for stealthy means of maintaining long-term persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons.
---------------------------------------------
https://posts.specterops.io/passwordless-persistence-and-privilege-escalatio...

∗∗∗ Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN29902403/

∗∗∗ Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking ∗∗∗
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-hikvision-wireless-bridg...

∗∗∗ Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-es...

∗∗∗ Privilege escalation in Razer Synapse (SYSS-2022-047) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-2022...

∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the packages org.yaml:snakeyaml and jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849213

∗∗∗ GraphQL Denial of Service security vulnerability CVE-2022-37734 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828663

∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849223

∗∗∗ Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849249

∗∗∗ OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6850775