[CERT-daily] Tageszusammenfassung - 25.07.2022

Daily end-of-shift report team at cert.at
Mon Jul 25 18:45:16 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 22-07-2022 18:00 − Montag 25-07-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Windows-Sicherheit: Microsoft härtet RDP, MS-Office und geschützte Prozesse​ ∗∗∗
---------------------------------------------
Automatische Login-Sperren, Schutz vor Makros und Passwortklau - hinter den Kulissen tut sich einiges. Mit der Kommunikation tut sich Microsoft jedoch schwer.
---------------------------------------------
https://heise.de/-7189313


∗∗∗ Vorsicht vor gefälschten Post und DHL-Mails ∗∗∗
---------------------------------------------
Kriminelle geben sich als Post oder DHL aus und versenden wahllos betrügerische E-Mails. In den E-Mails mit dem Betreff „Ihr Paket wartet auf die Zustellung“ oder „Ihr Paket ist gerade bei der örtlichen Post angekommen“ wird behauptet, dass ein Paket angekommen sei, es aber nicht zugestellt werden kann, weil noch Zoll- bzw. Lieferkosten offen seien. Sie werden aufgefordert, auf einen Link zu klicken. Ignorieren Sie derartige E-Mails. Es handelt sich um Fake!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-post-und-dhl-mails/


∗∗∗ CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit ∗∗∗
---------------------------------------------
In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor.
---------------------------------------------
https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/


∗∗∗ Month of PowerShell: Process Threat Hunting, Part 1 ∗∗∗
---------------------------------------------
PowerShell is a powerful tool for threat hunting. Here we look at PowerShell threat hunting steps by assessing processes on Windows.
---------------------------------------------
https://www.sans.org/blog/process-threat-hunting-part-1/


∗∗∗ Month of PowerShell - The Curious Case of AD User Properties ∗∗∗
---------------------------------------------
Where are all of the user properties for Active Directory users for Get-ADUSer?
---------------------------------------------
https://www.sans.org/blog/curious-case-ad-user-properties/


∗∗∗ Month of PowerShell: Process Threat Hunting, Part 2 ∗∗∗
---------------------------------------------
We continue our look at PowerShell threat hunting through process analysis, identifying Command & Control/C2 threats on a Windows system.
---------------------------------------------
https://www.sans.org/blog/process-threat-hunting-part-2/


∗∗∗ Defeating Javascript Obfuscation ∗∗∗
---------------------------------------------
To make a long story short, I’m releasing a Javascript deobfuscation tool called REstringer. To make a short story long - I want to share my incentive for creating the tool, some design decisions, and the process through which I’m adding new capabilities to it - so you can join in on the fun!
---------------------------------------------
https://www.perimeterx.com/tech-blog/2022/defeating-javascript-obfuscation/


∗∗∗ A repository of Windows persistence mechanisms ∗∗∗
---------------------------------------------
The repository tries to gather an information about Windows persistence mechanisms to make the protection/detection more efficient. Most of the information is well known for years, being actively used within various scenarios.
---------------------------------------------
https://persistence-info.github.io/


∗∗∗ IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation ∗∗∗
---------------------------------------------
We developed an open source tool, IAM-Deescalate, to help mitigate the privilege escalation risks of overly permissive identities in AWS.
---------------------------------------------
https://unit42.paloaltonetworks.com/iam-deescalate/


∗∗∗ Case closed: DIVD-2022-00009 - SolarMan backend administrator account/password ∗∗∗
---------------------------------------------
DIVD researcher Jelle Ursem found the password of the super user of the web backend for all SolarMan / Solis / Omnik / Ginlong inverters, loggers, and batteries. The password has been changed now, and the repository containing the password has been deleted.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00009/


∗∗∗ Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers ∗∗∗
---------------------------------------------
The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched.
---------------------------------------------
https://asec.ahnlab.com/en/36820/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Google Chrome: Update schließt Hochrisiko-Sicherheitslöcher ∗∗∗
---------------------------------------------
Google veröffentlicht ein Update für Chrome, das elf potenzielle Sicherheitsschwachstellen schließt - fünf davon sind mit High Risk bewertet.
---------------------------------------------
https://www.golem.de/news/google-chrome-update-schliesst-hochrisiko-sicherheitsloecher-2207-167127.html


∗∗∗ Angreifer könnten Scan-Engine von F-Secure und WithSecure crashen lassen ∗∗∗
---------------------------------------------
Patches schließen mehrere Lücken in Sicherheitsprodukten von WithSecure ehemals F-Secure.
---------------------------------------------
https://heise.de/-7189082


∗∗∗ Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505) ∗∗∗
---------------------------------------------
The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect to the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven vulnerabilities were discovered.
---------------------------------------------
https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, djangorestframework, gsasl, and openjdk-11), Fedora (giflib, openssl, python-ujson, and xen), Mageia (virtualbox), SUSE (git, gpg2, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, mozilla-nspr, mozilla-nss, mozilla-nss, python-M2Crypto, and s390-tools), and Ubuntu (php8.1).
---------------------------------------------
https://lwn.net/Articles/902400/


∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN77850327/


∗∗∗ Multiple vulnerabilities in untangle ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN30454777/


∗∗∗ K08152433: Intel processors MMIO stale data vulnerability CVE-2022-21166 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08152433/


∗∗∗ Unify OpenScape Branch: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0814


∗∗∗ Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-failed-attempt-to-regenerate-an-ibm-security-verify-information-queue-api-token-reveals-sensitive-data-cve-2022-35288/


∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-pak-for-multicloud-management-managed-services-2/


∗∗∗ Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics – Log Analysis (CVE-2019-17571, CVE-2020-9488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4j-affect-ibm-operations-analytics-log-analysis-cve-2019-17571-cve-2020-9488/


∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-apache-struts-affect-ibm-sterling-file-gateway-cve-2019-0233-cve-2019-0230-4/


∗∗∗ Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-information-queue-distributes-configuration-files-with-hard-coded-credentials-cve-2022-35287/


∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23307). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-apache-log4j-vulnerability-cve-2022-23307/


∗∗∗ Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics – Log Analysis (CVE-2021-44832, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4j-core-2-16-0-jar-affect-ibm-operations-analytics-log-analysis-cve-2021-44832-cve-2021-45105-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-log4j-1-2-16-jar-used-by-ibm-operations-analytics-log-analysis/


∗∗∗ Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-audit-events-query-facility-in-ibm-security-verify-information-queue-is-vulnerable-to-sql-injection-cve-2022-35285/


∗∗∗ Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-session-cookie-used-by-ibm-security-verify-information-queue-is-not-properly-secured-cve-2022-35284/


∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-pak-for-multicloud-management-managed-services/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list