[CERT-daily] Tageszusammenfassung - 23.12.2022
Daily end-of-shift report
team at cert.at
Fri Dec 23 18:07:34 CET 2022
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 22-12-2022 18:00 − Freitag 23-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Vice Society ransomware gang switches to new custom encryptor ∗∗∗
---------------------------------------------
The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang-switches-to-new-custom-encryptor/
∗∗∗ Google ad traffic leads to stealer packages based on free software, (Thu, Dec 22nd) ∗∗∗
---------------------------------------------
Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware.
---------------------------------------------
https://isc.sans.edu/diary/rss/29376
∗∗∗ Passwortmanager: LastPass-Hacker haben Zugriff auf Kennworttresore von Kunden ∗∗∗
---------------------------------------------
Bei einem IT-Sicherheitsvorfall beim Anbieter des Passwortmanagers LastPass konnten Angreifer doch auf Kundendaten inklusive gespeicherter Passwörter zugreifen.
---------------------------------------------
https://heise.de/-7441929
∗∗∗ Sourcecode vom Zugriffsmanagementdienst Okta geleakt ∗∗∗
---------------------------------------------
Unbekannte Angreifer konnten auf das Github-Repository von Okta zugreifen und Code kopieren. Die Sicherheit des Dienstes soll dadurch nicht gefährdet sein.
---------------------------------------------
https://heise.de/-7442131
∗∗∗ IcedID Botnet Distributors Abuse Google PPC to Distribute Malware ∗∗∗
---------------------------------------------
We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Is this CVSS 10 Linux Kernel vuln going to ruin your Christmas? ∗∗∗
---------------------------------------------
Before Linux users worldwide get panties in a panicked bunch, there appears to be more positive news however: At first glance the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd can more likely than not get back their mince pies unpurturbed.
---------------------------------------------
https://thestack.technology/is-this-cvss-10-linux-kernel-vulnerability-ksmbd/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).
---------------------------------------------
https://lwn.net/Articles/918486/
∗∗∗ Threat Brief: OWASSRF Vulnerability Exploitation ∗∗∗
---------------------------------------------
We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts weve observed use the same PowerShell backdoor, which we track as SilverArrow.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-owassrf/
∗∗∗ CVE-2022-42889 Text4shell Apache Commons Text RCE Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
∗∗∗ PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851437
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ AIX is affected by a denial of service (CVE-2022-43680) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851439
∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848295
∗∗∗ IBM Integration Designer is vulnerable to denial of service ( CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851449
∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April and July 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851613
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list