[CERT-daily] Daily summary - 24.08.2022

Daily end-of-shift report team at cert.at
Wed Aug 24 18:07:27 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 23-08-2022 18:00 − Wednesday 24-08-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Fake Chrome extension Internet Download Manager has 200,000 installs ∗∗∗
---------------------------------------------
A Google Chrome extension named Internet Download Manager, installed by more than 200,000 users, is adware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-chrome-extension-internet-download-manager-has-200-000-installs/


∗∗∗ Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams ∗∗∗
---------------------------------------------
A new business email compromise (BEC) campaign has been discovered that combines sophisticated spear-phishing with adversary-in-the-middle (AiTM) tactics to hijack corporate executives' Microsoft 365 accounts, even those protected by MFA.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-monitor-microsoft-365-accounts-for-bec-scams/


∗∗∗ Ransomware updates & 1-day exploits ∗∗∗
---------------------------------------------
In this report, we discuss the new multi-platform ransomware RedAlert (aka N13V) and Monster, as well as private 1-day exploits for the CVE-2022-24521 vulnerability.
---------------------------------------------
https://securelist.com/ransomware-updates-1-day-exploits/107291/


∗∗∗ Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC, (Wed, Aug 24th) ∗∗∗
---------------------------------------------
On Monday, 2022-08-22, I generated an IcedID (Bokbot) infection based on Monster Libra (also known as TA551 or Shathak). 
---------------------------------------------
https://isc.sans.edu/diary/rss/28974


∗∗∗ Bomber is an application that scans SBoMs for security vulnerabilities. ∗∗∗
---------------------------------------------
So you've asked a vendor for a Software Bill of Materials (SBOM) for one of their products, and they provided one to you in a JSON file... now what?
---------------------------------------------
https://github.com/devops-kung-fu/bomber
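As an added illustration of what a scanner like bomber has to do once the JSON is in hand (this is example code written for this digest, not bomber's own source): parse the SBOM, turn each component's package URL (purl) into a type/namespace/name/version tuple, and match it against a vulnerability feed by version range. It assumes a CycloneDX JSON SBOM; both the SBOM and the advisory entries are constructed inline so the script runs offline (the two CVE identifiers are real and well known, but their affected ranges are simplified here and are not a substitute for the authoritative advisories). Components without a purl are reported separately, since they cannot be matched reliably.

```python
import json
import re
from urllib.parse import unquote

# Constructed minimal CycloneDX 1.4 JSON SBOM for the demonstration; it is
# not a real vendor document and the components were chosen for illustration.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "internal-utils", "version": "1.0.0"},  # no purl
    ],
})

# Hand-entered advisory list standing in for a vulnerability feed (OSV, NVD,
# a vendor VEX file). The CVE IDs are real; the ranges are simplified and
# are an assumption of this example, not the authoritative advisory data.
ADVISORIES = [
    {"id": "CVE-2021-44228", "type": "maven", "namespace": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "CVE-2021-23337", "type": "npm", "namespace": "",
     "name": "lodash", "introduced": "0", "fixed": "4.17.21"},
]


def parse_purl(purl):
    """Split a package URL (pkg:type/namespace/name@version?qualifiers#subpath)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].lstrip("/")
    body = body.split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    if "@" in body:
        path, version = body.rsplit("@", 1)        # version follows the last '@'
    else:
        path, version = body, ""
    ptype, _, rest = path.partition("/")
    namespace, _, name = rest.rpartition("/")      # namespace may be empty (npm, pypi)
    return {"type": ptype.lower(), "namespace": unquote(namespace),
            "name": unquote(name), "version": unquote(version)}


def version_key(v):
    """Best-effort ordering key: dotted numeric components compared numerically,
    trailing zeros stripped so '2.15' == '2.15.0'. Enough for this example; it is
    not a full Maven/PEP 440/semver comparator and would misorder '-rc1' suffixes."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(component, adv):
    """True if the component is the advisory's package and its version lies in
    [introduced, fixed)."""
    if (component["type"], component["namespace"], component["name"]) != \
            (adv["type"], adv["namespace"], adv["name"]):
        return False
    v = version_key(component["version"])
    return version_key(adv["introduced"]) <= v < version_key(adv["fixed"])


def scan_sbom(sbom_json, advisories):
    """Match every purl-bearing component against the advisory list.
    Returns {'findings': [...], 'unscannable': [component names without a purl]}."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    findings, unscannable = [], []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unscannable.append(comp.get("name"))
            continue
        parsed = parse_purl(purl)
        for adv in advisories:
            if is_affected(parsed, adv):
                findings.append({"purl": purl, "id": adv["id"], "fixed": adv["fixed"]})
    return {"findings": findings, "unscannable": unscannable}


if __name__ == "__main__":
    result = scan_sbom(SAMPLE_SBOM, ADVISORIES)
    for f in result["findings"]:
        print(f"{f['purl']}: {f['id']} (fixed in {f['fixed']})")
    for name in result["unscannable"]:
        print(f"{name}: no purl, cannot be matched against a vulnerability feed")
```

The purl, not the free-text name, is the key to match on: the same library name exists across ecosystems (npm, pypi, maven), and an advisory for one ecosystem says nothing about another. The version comparator is the weak point of any such scanner; for production use, take the ecosystem-specific comparator from the feed's client library rather than the numeric tuple used here.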


∗∗∗ Cyber attack: Greek gas grid operator Desfa victim of ransomware gang ∗∗∗
---------------------------------------------
The ransomware gang behind Ragnar Locker has broken into the networks of Desfa, the operator of the Greek natural gas grid. Gas supply remains secure.
---------------------------------------------
https://heise.de/-7241322


∗∗∗ Breach at Plex: data stolen, password change required ∗∗∗
---------------------------------------------
Malicious actors have apparently broken into the databases of the streaming service and media server Plex, where they were able to steal personal data.
---------------------------------------------
https://heise.de/-7241975


∗∗∗ Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems ∗∗∗
---------------------------------------------
A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices.
---------------------------------------------
https://www.securityweek.com/ethernet-leds-can-be-used-exfiltrate-data-air-gapped-systems


∗∗∗ Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity ∗∗∗
---------------------------------------------
Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT).
---------------------------------------------
https://www.securityweek.com/old-inconspicuous-vulnerabilities-commonly-targeted-ot-scanning-activity


∗∗∗ HavanaCrypt ransomware disguises itself as a Google update ∗∗∗
---------------------------------------------
The newly discovered HavanaCrypt ransomware uses sophisticated techniques and disguises itself as a Google update. No ransom demands have been observed so far.
---------------------------------------------
https://www.zdnet.de/88403049/havanacrypt-ransomware-tarnt-sich-als-google-update/


∗∗∗ But You Told Me You Were Safe: Attacking the Mozilla Firefox Sandbox (Part 2) ∗∗∗
---------------------------------------------
In this blog post, we discuss a second prototype pollution vulnerability that allowed the execution of attacker-controlled JavaScript in the privileged parent process, escaping the sandbox.
---------------------------------------------
https://www.thezdi.com/blog/2022/8/23/but-you-told-me-you-were-safe-attacking-the-mozilla-firefox-renderer-part-2


∗∗∗ BitRAT and XMRig CoinMiner Being Distributed via Windows License Verification Tool ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool.
---------------------------------------------
https://asec.ahnlab.com/en/37939/


∗∗∗ AsyncRAT Being Distributed in Fileless Form ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered that AsyncRAT is being distributed in fileless form.
---------------------------------------------
https://asec.ahnlab.com/en/37954/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Dangerous vulnerabilities threaten the security of critical infrastructure ∗∗∗
---------------------------------------------
Attackers could target industrial control systems and, in the worst case, gain full control. Security updates are available.
---------------------------------------------
https://heise.de/-7241733


∗∗∗ GitLab updates close critical security vulnerability ∗∗∗
---------------------------------------------
The developers have released updated versions of the GitLab Community and Enterprise Editions that close a critical security vulnerability.
---------------------------------------------
https://heise.de/-7241481


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (vim), SUSE (cosign, dpdk, freeciv, gfbgraph, kernel, nim, p11-kit, perl-HTTP-Daemon, python-lxml, and python-treq), and Ubuntu (linux-oem-5.14, open-vm-tools, and twisted).
---------------------------------------------
https://lwn.net/Articles/905853/


∗∗∗ Oracle SBC: Multiple Security Vulnerabilities Leading to Unauthorized Access and Denial of Service ∗∗∗
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/oracle-sbc-multiple-security-vulnerabilities-leading-to-unauthorized-access-and-denial-of-service/


∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-sensitive-information-exposure-cve-2021-35550/


∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM Java SDK shipped with IBM Tivoli Business Service Manager (CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-in-ibm-java-sdk-shipped-with-ibm-tivoli-business-service-manager-cve-2021-35603/


∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-vulnerable-to-multiple-vulnerabilities/


∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-governance-is-vulnerable-to-denial-of-service-cve-2021-35578/


∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-exposure-of-sensitive-information-cve-2021-35603-3/


∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-governance-is-vulnerable-to-identity-spoofing-due-to-ibm-websphere-application-server-liberty-cve-2022-22475/


∗∗∗ Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-includes-components-with-multiple-known-vulnerabilities/


∗∗∗ VMSA-2022-0024 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0024.html


∗∗∗ vim: Vulnerability allows code execution ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1157


∗∗∗ Jenkins plugins: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1166


∗∗∗ F-Secure products: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1165


∗∗∗ tribe29 checkmk: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1160


∗∗∗ Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/08/23/mozilla-releases-security-updates-firefox-firefox-esr-and

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
