[CERT-daily] Daily summary - 09.12.2022

Daily end-of-shift report team at cert.at
Fri Dec 9 18:58:08 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 07-12-2022 18:00 − Friday 09-12-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Invisible npm malware evades security checks with manipulated versions ∗∗∗
---------------------------------------------
JFrog has discovered unexpected behavior in the npm tools: for packages with certain version formats, they apparently do not display any security-relevant notices.
---------------------------------------------
https://heise.de/-7372357


∗∗∗ How to protect yourself from fake shops ∗∗∗
---------------------------------------------
Fake shops lure victims into a trap with good design and unbeatable prices. But how do you recognize fake shops and other fraudulent online shops before it is too late? Here we describe the most common forms of fake shops and their telltale signs. After all, a purchase at a fake shop can cost you dearly.
---------------------------------------------
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-fake-shops/


∗∗∗ Ransomware: deleting instead of decrypting ∗∗∗
---------------------------------------------
The defective ransomware Cryptonite cannot decrypt your files, even if you pay the ransom. Instead, all data is simply deleted.
---------------------------------------------
https://www.zdnet.de/88405737/ransomware-loeschen-statt-entschluesseln/


∗∗∗ New Zombinder platform binds Android malware with legitimate apps ∗∗∗
---------------------------------------------
A darknet platform dubbed Zombinder allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/


∗∗∗ Hacked corporate email accounts used to send MSP remote access tool ∗∗∗
---------------------------------------------
MuddyWater hackers, a group associated with Iran's Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accounts-used-to-send-msp-remote-access-tool/


∗∗∗ DeathStalker targets legal entities with new Janicab variant ∗∗∗
---------------------------------------------
While hunting for less common Deathstalker intrusions, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020.
---------------------------------------------
https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/


∗∗∗ How to train your Ghidra ∗∗∗
---------------------------------------------
Brief introduction to setting up Ghidra, and then configuring it with a familiar UI and shortcuts, so that you would not need to re-learn all the key sequences you have got used to over the years.
---------------------------------------------
https://securelist.com/how-to-train-your-ghidra/108272/


∗∗∗ Finding Gaps in Syslog - How to find when nothing happened, (Wed, Dec 7th) ∗∗∗
---------------------------------------------
I recently got a call from a client, they had an outage that required a firewall reboot, but couldn't give me an exact clock time. They were looking for anything in the logs just prior to that reboot that might indicate a carrier issue, as they had experienced a few outages like this recently.
---------------------------------------------
https://isc.sans.edu/diary/rss/29314


∗∗∗ Port Scanning in Powershell Redux: Speeding Up the Results (challenge accepted!), (Fri, Dec 9th) ∗∗∗
---------------------------------------------
In the story I wrote in October about using PowerShell for Port Scanning (https://isc.sans.edu/diary/29202), I noted that the basic "test-connect" operation made for a pretty slow port scanner, which seems to be the message that everyone latched onto. Of course, my immediate response was "challenge accepted!", so let's go - let's make that operation faster!
---------------------------------------------
https://isc.sans.edu/diary/rss/29324


∗∗∗ Trojanized OneNote Document Leads to Formbook Malware ∗∗∗
---------------------------------------------
Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs’ researchers are always looking out for new or unusual file types, and through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/


∗∗∗ Compromised Cloud Compute Credentials: Case Studies From the Wild ∗∗∗
---------------------------------------------
A walk-through of attacks in the wild that abuse stolen cloud compute credentials in the cloud environment. Unit 42 researchers highlight two case studies.
---------------------------------------------
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/


∗∗∗ Fantasy - a new Agrius wiper deployed through a supply‑chain attack ∗∗∗
---------------------------------------------
ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry
---------------------------------------------
https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/


∗∗∗ On hacking forums, even the scammers aren’t safe ∗∗∗
---------------------------------------------
Cybercriminals use a range of techniques to steal victims’ money — from developing malicious software to siphon financial data to old-fashioned “rip-and-runs” — but that doesn’t mean they’re immune to falling for these scams themselves. Scammers scamming scammers, including sometimes the scammers who have scammed them, is “an entire sub-economy” on darknet marketplaces, according to [...]
---------------------------------------------
https://therecord.media/on-hacking-forums-even-the-scammers-arent-safe/


∗∗∗ OpenSSL CVE-2022-3786: Food for Thought on the Importance of Security Scanning ∗∗∗
---------------------------------------------
After a CVE on open source software has been discovered and a fix has been released, a fruitful practice for security researchers is to go deep into the nature of the CVE and the fix.
---------------------------------------------
https://checkmarx.com/blog/openssl-cve-2022-3786-food-for-thought-on-the-importance-of-security-scanning/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U


∗∗∗ IBM Security Bulletins 2022-12-05 ∗∗∗
---------------------------------------------
IBM App Connect Enterprise, IBM Cloud Transformation Advisor, IBM Event Streams, IBM InfoSphere Information Server, IBM Power System, IBM QRadar SIEM, IBM Rational Functional Tester, IBM Rational Test Automation Server, IBM Spectrum Scale, IBM Sterling Secure Proxy, IBM Watson Developer Cloud
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ IBM Security Bulletins 2022-12-06 ∗∗∗
---------------------------------------------
IBM Business Automation Workflow, IBM Content Navigator, IBM Operations Analytics, IBM Rational Business Developer, IBM SPSS Collaboration and Deployment Services, IBM Security SiteProtector System, IBM Sterling External Authentication Server, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Business Service Manager, IBM Tivoli Composite Application Manager for Transactions, IBM WebSphere Application Server
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ IBM Security Bulletins 2022-12-07 ∗∗∗
---------------------------------------------
AIX, HMC, IBM Business Automation Workflow Event Emitters, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Data Risk Manager, IBM Enterprise Content Management System Monitor, IBM Match 360, IBM PowerVM Novalink, IBM Virtualization Engine TS7700, IBM Watson Assistant for IBM Cloud Pak for Data
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ IBM Security Bulletins 2022-12-08 ∗∗∗
---------------------------------------------
AIX, IBM API Connect, IBM CICS Transaction Gateway, IBM Cloud Transformation Advisor, IBM InfoSphere Information Server, IBM MQ, IBM PowerVM Novalink, IBM Security Verify
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ IBM Security Bulletins 2022-12-09 ∗∗∗
---------------------------------------------
IBM App Connect Enterprise Certified Container, IBM Security Verify Governance, IBM Spectrum Copy Data Management, IBM Spectrum Protect for Space Management Client, IBM Tivoli Application Dependency Discovery Manager, z/Transaction Processing Facility
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ VMSA-2022-0030 ∗∗∗
---------------------------------------------
VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0030.html


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dlt-daemon, jqueryui, and virglrenderer), Fedora (firefox, vim, and woff), Oracle (kernel and nodejs:18), Red Hat (java-1.8.0-ibm and redhat-ds:11), Slackware (python3), SUSE (buildah, matio, and osc), and Ubuntu (heimdal and postgresql-9.5).
---------------------------------------------
https://lwn.net/Articles/917398/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (leptonlib), Fedora (woff), Red Hat (grub2), Slackware (emacs), SUSE (busybox, chromium, java-1_8_0-openjdk, netatalk, and rabbitmq-server), and Ubuntu (gcc-5, gccgo-6, glibc, protobuf, and python2.7, python3.10, python3.6, python3.8).
---------------------------------------------
https://lwn.net/Articles/917530/


∗∗∗ Synology-SA-22:23 PWN2OWN TORONTO 2022 ∗∗∗
---------------------------------------------
Multiple vulnerabilities reported by PWN2OWN TORONTO 2022 have been addressed.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_23


∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500535-AMI-MEGARAC-SP-X-BMC-VULNERABILITIES


∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Smart WiFi Router ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-dosvihswr-8f632df1-en


∗∗∗ K87046687: VMware Tools vulnerability CVE-2022-31676 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K87046687


∗∗∗ Advantech iView ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-342-01


∗∗∗ AVEVA InTouch Access Anywhere ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-342-02


∗∗∗ Rockwell Automation Logix controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-342-03

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



