[CERT-daily] Tageszusammenfassung - 30.06.2022
Daily end-of-shift report
team at cert.at
Thu Jun 30 18:27:42 CEST 2022
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 29-06-2022 18:00 − Donnerstag 30-06-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Atlassian warnt vor Sicherheitslücke in Projektverwaltung Jira ∗∗∗
---------------------------------------------
Vor einer Sicherheitslücke mit hohem Risiko in Jira warnt Hersteller Atlassian. Updates stehen bereit. Auch ein Workaround bietet das Unternehmen an.
---------------------------------------------
https://heise.de/-7157892
∗∗∗ Recovery-Scams: Kriminelle geben sich als FMA und Börsenaufsicht aus! ∗∗∗
---------------------------------------------
Sind Sie Opfer einer unseriösen Trading-Plattform geworden? Anbieter wie börsenaufsicht.net, finanzmarktaufsicht.net und payback-ltd.com versprechen Ihr verlorenes Geld zurückzuholen. Vorsicht! Es handelt sich um betrügerische Dienste, die Sie noch weiter abzocken wollen.
---------------------------------------------
https://www.watchlist-internet.at/news/recovery-scams-kriminelle-geben-sich-als-fma-und-boersenaufsicht-aus/
∗∗∗ Microsoft Exchange Server: Remote Code Execution-Schwachstelle CVE-2022-23277 trotz Patch ausnutzbar? ∗∗∗
---------------------------------------------
Sind auf dem aktuellen Patch-Stand befindliche Microsoft Exchange Server über die Remote Code Execution-Schwachstelle CVE-2022-23277 immer noch angreifbar? Mir sind gerade einige Informationsfragmente unter die Augen gekommen, die dies zumindest nahelegen, dass der betreffende Patch die Möglichkeiten zur Ausnutzung nicht [...]
---------------------------------------------
https://www.borncity.com/blog/2022/06/30/microsoft-exchange-server-remote-code-execution-schwachstelle-cve-2022-23277-trotz-patch-ausnutzbar/
∗∗∗ CISA warns of hackers exploiting PwnKit Linux vulnerability ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-pwnkit-linux-vulnerability/
∗∗∗ AstraLocker 2.0 infects users directly from Word attachments ∗∗∗
---------------------------------------------
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users-directly-from-word-attachments/
∗∗∗ XFiles info-stealing malware adds support for Follina delivery ∗∗∗
---------------------------------------------
The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/xfiles-info-stealing-malware-adds-support-for-follina-delivery/
∗∗∗ The SessionManager IIS backdoor ∗∗∗
---------------------------------------------
In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.
---------------------------------------------
https://securelist.com/the-sessionmanager-iis-backdoor/106868/
∗∗∗ Toll fraud malware: How an Android application can drain your wallet ∗∗∗
---------------------------------------------
Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware - and it continues to evolve.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/
∗∗∗ Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended, (Thu, Jun 30th) ∗∗∗
---------------------------------------------
How do threat actors behind a Cobalt Strike server keep it running after its domain is taken down? If the server is not hosted through the domain registrar, it merely keeps running on the same IP address. Today's diary is a case study where Cobalt Strike remained active on the same IP address at least one week after its domain was suspended.
---------------------------------------------
https://isc.sans.edu/diary/rss/28804
∗∗∗ Flubot: the evolution of a notorious Android Banking Malware ∗∗∗
---------------------------------------------
Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the [...]
---------------------------------------------
https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/
∗∗∗ Amazon Photos vulnerability could have given attackers access to user files and data ∗∗∗
---------------------------------------------
The retail giant patched a serious flaw in its Amazon Photos app that left user access token exposed to potential attackers.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/amazon-photos-vulnerability-could-have-given-attackers-access-to-user-files-and-data/
∗∗∗ Cloudy with a Chance of Risk: Managing Risks in Cloud-Managed OT Networks ∗∗∗
---------------------------------------------
In this blog, we'll examine the potential threats and risks of OT cloud migration, offering guidance on how to manage and mitigate them effectively.
---------------------------------------------
https://claroty.com/2022/06/30/blog-research-cloudy-with-a-chance-of-risk/
∗∗∗ Reducing data exfiltration by malicious insiders ∗∗∗
---------------------------------------------
Advice and recommendations for mitigating this type of insider behaviour.
---------------------------------------------
https://www.ncsc.gov.uk/guidance/reducing-data-exfiltration-by-malicious-insiders
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-06-29 ∗∗∗
---------------------------------------------
IBM Spectrum Protect, IBM Watson Discovery, IBM Sterling B2B Integrator, IBM Sterling Connect, IBM Cloud Pak, IBM Tivoli Netcool Impact, IBM Db2
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, firejail, and ublock-origin), Fedora (chromium, firefox, thunderbird, and vim), Mageia (kernel and kernel-linus), Oracle (389-ds-base and python-virtualenv), SUSE (chromium), and Ubuntu (cloud-init).
---------------------------------------------
https://lwn.net/Articles/899483/
∗∗∗ Mitsubishi Electric FA Engineering Software (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05
∗∗∗ CODESYS Gateway Server (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a heap-based buffer overflow vulnerability in CODESYS Gateway Server products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/ICSA-15-258-02
∗∗∗ Revision von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) vom 28. Juni 2022 ∗∗∗
---------------------------------------------
Microsoft hat seine Beschreibung von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) zum 28. Juni 2022 revidiert. Es wurden die Sicherheitsupdates für Windows 10 Version 21H2, Windows 11 und Windows Server 2022 hinzugefügt, da diese Windows-Versionen ebenfalls von dieser Sicherheitslücke [...]
---------------------------------------------
https://www.borncity.com/blog/2022/06/29/revision-von-cve-2022-26414-windows-dcom-server-security-feature-bypass-vom-28-juni-2022/
∗∗∗ Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-047
∗∗∗ Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-046
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list