[CERT-daily] Tageszusammenfassung - 20.12.2022
Daily end-of-shift report
team at cert.at
Tue Dec 20 19:17:12 CET 2022
=====================
= End-of-Day report =
=====================
Timeframe: Montag 19-12-2022 18:00 − Dienstag 20-12-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Linux File System Monitoring & Actions, (Tue, Dec 20th) ∗∗∗
---------------------------------------------
There can be multiple reasons to keep an eye on a critical/suspicious file or directory. For example, you could track an attacker and wait for some access to the captured credentials in a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements an FIM (File Integrity Monitoring). Upon a file change, an action can be triggered. Nice, but what if you would like a quick solution but agentless?
---------------------------------------------
https://isc.sans.edu/diary/rss/29362
∗∗∗ ChatGPT: Emerging AI Threat Landscape ∗∗∗
---------------------------------------------
ChatGPT is a prototype chatbot released by OpenAI. The chatbot is powered by AI and is gaining more traction than previous chatbots because it not only interacts in a conversational manner but has the capability to create code and many other complex questions and requests.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-emerging-ai-threat-landscape/
∗∗∗ Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications.
---------------------------------------------
https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html
∗∗∗ Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg ∗∗∗
---------------------------------------------
We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior.
---------------------------------------------
https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/
∗∗∗ clif - simple command-line application fuzzer ∗∗∗
---------------------------------------------
clif is a command-line application fuzzer, pretty much what a wfuzz or ffuf are for web. It was inspired by sudo vulnerability CVE-2021-3156 and the fact that, for some reasons, Googles alf-fuzz doesnt allow for unlimited argument or option specification.
---------------------------------------------
https://andy.codes/content/blog/2022-12-20-clif.html
∗∗∗ Better Make Sure Your Password Manager Is Secure ∗∗∗
---------------------------------------------
As part of a security analysis, our colleagues kuekerino, ubahnverleih and parzel examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application.
---------------------------------------------
https://www.modzero.com/modlog/archives/2022/12/19/better_make_sure_your_password_manager_is_secure/index.html
∗∗∗ New RisePro Infostealer Increasingly Popular Among Cybercriminals ∗∗∗
---------------------------------------------
A recently identified information stealer named ‘RisePro’ is being distributed by pay-per-install malware downloader service ‘PrivateLoader’, cyberthreat firm Flashpoint reports. Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs.
---------------------------------------------
https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-among-cybercriminals
∗∗∗ Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins ∗∗∗
---------------------------------------------
As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.
---------------------------------------------
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/
∗∗∗ Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities ∗∗∗
---------------------------------------------
More than two years ago, a researcher, A2nkF demonstrated the exploit chain from root privilege escalation to SIP-Bypass up to arbitrary kernel extension loading. In this blog entry, we will discuss how we discovered 3 more vulnerabilities from the old exploit chain.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/diving-into-an-old-exploit-chain-and-discovering-3-new-sip-bypas.html
∗∗∗ Raspberry Robin Malware Targets Telecom, Governments ∗∗∗
---------------------------------------------
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html
∗∗∗ Web3 IPFS Only Used for Phishing - So Far ∗∗∗
---------------------------------------------
We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phishing---so-far.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird).
---------------------------------------------
https://lwn.net/Articles/918268/
∗∗∗ FoxIt Patches Code Execution Flaws in PDF Tools ∗∗∗
---------------------------------------------
Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products.
---------------------------------------------
https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools
∗∗∗ [R1] Nessus Network Monitor Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-28
∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-01
∗∗∗ Rockwell Automation GuardLogix and ControlLogix controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-02
∗∗∗ ARC Informatique PcVue ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-03
∗∗∗ Rockwell Automation MicroLogix 1100 and 1400 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-04
∗∗∗ Delta 4G Router DX-3021 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-05
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.5ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849101
∗∗∗ IBM UrbanCode Build is affected by CVE-2022-42252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849111
∗∗∗ IBM UrbanCode Build is affected by CVE-2021-43980 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849109
∗∗∗ IBM UrbanCode Build is affected by CVE-2022-34305 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849107
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list