[CERT-daily] Daily summary - 17.10.2022
Daily end-of-shift report
team at cert.at
Mon Oct 17 18:34:13 CEST 2022
=====================
= End-of-Day report =
=====================
Timeframe: Friday 14-10-2022 18:00 - Monday 17-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Prestige: Microsoft finds new ransomware in Poland and Ukraine ∗∗∗
---------------------------------------------
Microsoft's security team has discovered an entirely new ransomware campaign targeting the logistics and transport sector in Ukraine and Poland.
---------------------------------------------
https://www.golem.de/news/prestige-microsoft-findet-neue-ransomware-in-polen-und-ukraine-2210-168970.html
∗∗∗ Office 365: Microsoft's e-mail encryption is insecure ∗∗∗
---------------------------------------------
Microsoft 365's e-mail encryption relies on AES in an insecure mode of operation. As a result, information about the message contents can be inferred from the ciphertext alone.
---------------------------------------------
https://www.golem.de/news/office-365-microsofts-e-mail-verschluesselung-ist-unsicher-2210-168996.html
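The insecure mode reported for Office 365 Message Encryption is ECB, in which every 16-byte block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks and repetition in the message shows through without the key. The script below is an added example, not code from the article or from Microsoft: it stands a toy 4-round Feistel cipher (keyed with SHA-256, standard library only, not a real cipher) in for AES, encrypts the same constructed message in ECB and CBC mode, and counts the repeated ciphertext blocks an observer could see in each. The message, key and IV are constructed for the demonstration.

```python
"""Why mode matters: ECB vs CBC over a toy 16-byte block cipher.
The cipher is a 4-round Feistel network keyed with SHA-256, standing in for
AES so the script needs only the standard library; it is NOT a real cipher."""
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: 8 bytes of SHA-256(key || round || half-block).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Keyed permutation on one 16-byte block (deterministic, like AES)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def _blocks(data: bytes):
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted on its own, so equal plaintext blocks
    # give equal ciphertext blocks.
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(pkcs7_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before
    # encryption, so repetition in the plaintext is hidden (given a fresh IV).
    out, prev = [], iv
    for b in _blocks(pkcs7_pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ciphertext):
        out.append(_xor(toy_decrypt_block(key, b), prev))
        prev = b
    return pkcs7_unpad(b"".join(out))


def repeated_block_count(ciphertext: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier one: what an observer can
    count without the key, and what leaks message structure under ECB."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample message with a block-aligned repeated field.
SAMPLE = b"SECRET: 0000.00 " * 6 + b"Regards, Alice"


def demo(key: bytes = b"k" * 16, iv: bytes = b"\x01" * 16):
    """Return (repeated blocks under ECB, repeated blocks under CBC) for SAMPLE."""
    return (repeated_block_count(ecb_encrypt(key, SAMPLE)),
            repeated_block_count(cbc_encrypt(key, iv, SAMPLE)))


if __name__ == "__main__":
    ecb_repeats, _ = demo()
    _, cbc_repeats = demo(iv=os.urandom(BLOCK))
    print("ECB repeated blocks:", ecb_repeats, "| CBC repeated blocks:", cbc_repeats)
```

The six identical "SECRET: ..." blocks come out as six identical ECB blocks, which is exactly the inference the article describes; under CBC (or better, an AEAD mode such as GCM) they do not. Note that CBC hides repetition but provides no integrity, so for e-mail an authenticated mode is the correct replacement, not CBC.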
∗∗∗ Vulnerability in the Linux kernel enables code injection via WLAN ∗∗∗
---------------------------------------------
A security researcher has found vulnerabilities in the Linux kernel. Attackers could inject arbitrary code by means of crafted WLAN frames.
---------------------------------------------
https://heise.de/-7309762
∗∗∗ End of support for VMware ESXi 6.5 and 6.7 - many legacy systems still active ∗∗∗
---------------------------------------------
On 15 October VMware ended support for VMware ESXi 6.5 and 6.7. According to current figures, many outdated systems are still in use.
---------------------------------------------
https://heise.de/-7310412
∗∗∗ New ransomware gang "Ransom Cartel" ∗∗∗
---------------------------------------------
Security vendor Palo Alto Networks and its malware analysis team Unit42 have published findings on "Ransom Cartel". It is a ransomware-as-a-service (RaaS) operation that first surfaced in mid-December 2021.
---------------------------------------------
https://www.zdnet.de/88404159/neue-ransomware-gang-ransom-cartel/
∗∗∗ Microsoft confirms: Windows fails at detecting dangerous drivers - blocklists not distributed ∗∗∗
---------------------------------------------
Windows is supposed to block known malicious drivers when they are loaded so that they cannot do any damage; at least, that is what Microsoft has claimed for years. Now Microsoft has quietly admitted that it dropped the ball there.
---------------------------------------------
https://www.borncity.com/blog/2022/10/17/microsoft-besttigt-windows-patzt-bei-der-erkennung-gefhrlicher-treiber/
∗∗∗ Dubious advertising on Pinterest ∗∗∗
---------------------------------------------
As on every social network, there is advertising on Pinterest too, and lately increasingly from dubious online shops for hair-styling devices and shapewear. The products from zevoon.de, valurabeauty.de or lusto.de look promising, but experience shows that you will be disappointed and receive low-quality junk from China. We show you which shops you had better not order from.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-werbung-auf-pinterest/
∗∗∗ New PHP information-stealing malware targets Facebook accounts ∗∗∗
---------------------------------------------
Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-php-information-stealing-malware-targets-facebook-accounts/
∗∗∗ Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4 ∗∗∗
---------------------------------------------
The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week.
---------------------------------------------
https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html
∗∗∗ Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis ∗∗∗
---------------------------------------------
On September 2, 2022, Zscaler ThreatLabz captured an in-the-wild 0-day exploit against the Windows Common Log File System Driver (CLFS.sys) and reported the discovery to Microsoft. In the September Patch Tuesday release, Microsoft fixed this vulnerability, identified as CVE-2022-37969, a Windows Common Log File System Driver elevation of privilege vulnerability. An attacker who successfully exploits it may gain SYSTEM privileges.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
∗∗∗ Free Micropatches For Bypassing "Mark of the Web" on Unzipped Files (0day) ∗∗∗
---------------------------------------------
In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the "Mark of the Web" flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as Internet, email, or a USB key. Mark of the Web (MOTW) is an important security mechanism in Windows: Windows will show a security warning before launching an executable file with MOTW;
---------------------------------------------
https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-mark-of.html
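Mark of the Web is stored in the NTFS alternate data stream Zone.Identifier attached to the file; the bug above leaves extracted files without that stream even when the archive itself carries one. As an added example (not from the 0patch post or Will Dormann's research), the script below parses the ZoneTransfer section of that stream and audits a list of extracted files for a missing mark. The stream reader is abstracted so the logic runs on any platform; the file paths and stream contents are constructed for the demonstration.

```python
"""Mark of the Web lives in the NTFS alternate data stream <file>:Zone.Identifier.
This parses that stream and audits files extracted from an archive for a
missing mark. File paths and stream contents below are constructed samples."""
from typing import Callable, Dict, List, Optional

# URL security zone IDs found in the ZoneTransfer section.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

ReadStream = Callable[[str], Optional[str]]


def parse_zone_identifier(stream: str) -> Dict[str, str]:
    """Parse the INI-like stream: a [ZoneTransfer] section with Key=Value lines
    (ZoneId, and often ReferrerUrl/HostUrl recording where the file came from)."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(stream: Optional[str]) -> Optional[int]:
    """ZoneId as an int, or None when there is no stream or no usable ZoneId."""
    if stream is None:
        return None
    try:
        return int(parse_zone_identifier(stream).get("ZoneId", ""))
    except ValueError:
        return None


def read_zone_stream(path: str) -> Optional[str]:
    """Read the real ADS on NTFS (Windows only). Elsewhere the open() fails
    and the file is reported as unmarked."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def audit_extracted(archive: str, extracted: List[str],
                    read_stream: ReadStream = read_zone_stream) -> List[str]:
    """Files from an Internet (3) or Restricted-sites (4) zone archive that
    carry no mark, i.e. files that would open without the warning Windows
    shows for marked executables."""
    archive_zone = zone_id(read_stream(archive))
    if archive_zone is None or archive_zone < 3:
        return []
    return [p for p in extracted if (zone_id(read_stream(p)) or 0) < 3]


# Constructed sample: the archive is marked Internet, one extracted file
# kept its mark, the script file lost it.
ARCHIVE = r"C:\Users\u\Downloads\invoice.zip"
SAMPLE_STREAMS: Dict[str, Optional[str]] = {
    ARCHIVE: "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
             "HostUrl=https://example.invalid/invoice.zip\r\n",
    r"C:\Users\u\Downloads\invoice\readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",
    r"C:\Users\u\Downloads\invoice\invoice.js": None,
}


def demo() -> List[str]:
    """Audit the constructed sample; returns the unmarked extracted files."""
    extracted = [p for p in SAMPLE_STREAMS if p != ARCHIVE]
    return audit_extracted(ARCHIVE, extracted, SAMPLE_STREAMS.get)


if __name__ == "__main__":
    for path in demo():
        print("missing Mark of the Web:", path)
```

On a Windows host the default read_zone_stream reads the real stream, so the same audit can be run against an actual extraction directory (the equivalent PowerShell check is Get-Content -Stream Zone.Identifier). The audit deliberately treats a missing or unparseable stream as unmarked, since that is the state the bypass produces.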
∗∗∗ New Black Lotus UEFI Rootkit Provides APT-Level Capabilities to Cybercriminals ∗∗∗
---------------------------------------------
A threat actor is promoting on underground criminal forums a vendor-independent UEFI rootkit that can disable security software and controls, cybersecurity veteran Scott Scheferman warns.
---------------------------------------------
https://www.securityweek.com/new-black-lotus-uefi-rootkit-provides-apt-level-capabilities-cybercriminals
∗∗∗ Detecting Emerging Network Threats From Newly Observed Domains ∗∗∗
---------------------------------------------
We discuss how to discover potential threats among newly observed domains at the time they begin to carry attack traffic.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/
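One practical form of this detection is to keep a first-seen table of registrable domains from DNS history and flag queries to domains whose first sighting is within a short window, then look at how many clients touched them. The script below is an added example and not Unit 42's method or code; the log format, baseline and query lines are constructed, and the eTLD+1 extraction is a simplification noted in the code.

```python
"""Newly-observed-domain detection over DNS query logs: flag queries whose
registrable domain first appeared within a short window, and record which
clients talked to it. Log format, baseline and log lines are constructed."""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). A real deployment needs the public
    suffix list, or example.co.uk would collapse to co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Constructed log format: '<ISO-8601 timestamp> <client IP> <qname>'."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def find_newly_observed(lines: Iterable[str],
                        window: timedelta = timedelta(days=1),
                        baseline: Optional[Dict[str, datetime]] = None) -> Dict[str, Set[str]]:
    """Map each domain queried within `window` of its first sighting to the
    set of clients that queried it. `baseline` holds first-seen times from
    history; a domain absent from it becomes new at its first query."""
    first_seen: Dict[str, datetime] = dict(baseline or {})
    hits: Dict[str, Set[str]] = {}
    for line in lines:
        ts, client, qname = parse_line(line)
        dom = registered_domain(qname)
        first = first_seen.setdefault(dom, ts)
        if timedelta(0) <= ts - first <= window:
            hits.setdefault(dom, set()).add(client)
    return hits


def prioritize(hits: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Domains touched by the fewest clients first: a domain one host talks
    to is a better lead than one the whole fleet resolves (likely a CDN)."""
    return sorted(((d, len(c)) for d, c in hits.items()), key=lambda t: (t[1], t[0]))


# Constructed baseline (first-seen dates from history) and query log.
BASELINE = {"example.com": datetime(2021, 9, 1), "microsoft.com": datetime(2020, 1, 1)}
LOG = [
    "2022-10-14T09:00:01 10.0.0.5 www.example.com",
    "2022-10-14T09:00:05 10.0.0.5 cdn.upd4te-check.invalid",
    "2022-10-14T09:02:11 10.0.0.7 api.upd4te-check.invalid",
    "2022-10-14T09:03:00 10.0.0.9 login.microsoft.com",
    "2022-10-16T11:00:00 10.0.0.5 cdn.upd4te-check.invalid",  # past the 1-day window
]


def demo() -> List[Tuple[str, int]]:
    return prioritize(find_newly_observed(LOG, baseline=BASELINE))


if __name__ == "__main__":
    for domain, n_clients in demo():
        print(f"newly observed: {domain} ({n_clients} client(s))")
```

The baseline is what makes this work: without several months of first-seen history every domain looks new on day one, and the window should be tuned to how long the lookback is and how noisy the environment's CDN traffic is.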
∗∗∗ CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool ∗∗∗
---------------------------------------------
CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/10/14/cisa-releases-redeye-red-team-campaign-visualization-and-reporting
∗∗∗ Stories from the SOC: Feeling so foolish – SocGholish drive by compromise ∗∗∗
---------------------------------------------
SocGholish, also known as FakeUpdate, is a JavaScript framework used in social-engineering drive-by compromises that has been a thorn in the side of security professionals and organizations for at least five years. Upon visiting a compromised website, users are redirected to a fake browser-update page, a ZIP archive containing a malicious JavaScript file is downloaded, and the fooled end user unfortunately often opens and executes it.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-feeling-so-foolish-socgholish-drive-by-compromise
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-10-14 ∗∗∗
---------------------------------------------
IBM InfoSphere Information Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct for HP NonStop, IBM Sterling File Gateway
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ MiniDVBLinux 5.4 Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Arbitrary File Read Vulnerability, Remote Root Command Execution Vulnerability, Remote Root Command Injection Vulnerability, Unauthenticated Stream Disclosure Vulnerability, Change Root Password PoC, Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit, Config Download Exploit
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults ∗∗∗
---------------------------------------------
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with [...]
---------------------------------------------
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
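To make the advisory's point concrete, the script below models the ${prefix:name} interpolation pattern in Python: a resolver whose default lookup table includes a code-evaluating lookup (the kind the advisory says was among the defaults in 1.5 through 1.9) beside one restricted to harmless lookups, plus a check for the affected version range. This is an added example and not Commons Text's own code or API; the lookup names and the eval-based "script" lookup are illustrative stand-ins.

```python
"""Python model of ${prefix:name} interpolation: an over-permissive default
lookup set beside an allowlisted one. Not Commons Text's code; lookup names
and the eval-based script lookup are illustrative stand-ins."""
import base64
import os
import re
from typing import Callable, Dict

PATTERN = re.compile(r"\$\{([A-Za-z0-9]+):([^}]*)\}")
Lookup = Callable[[str], str]


def lookup_base64(arg: str) -> str:
    return base64.b64decode(arg).decode()


def lookup_env(arg: str) -> str:
    return os.environ.get(arg, "")


def lookup_script(arg: str) -> str:
    # Evaluates its argument as code: the class of lookup that turns
    # interpolation of attacker-controlled text into code execution.
    return str(eval(arg, {"__builtins__": {}}, {}))


# Dangerous: script-style lookup reachable from any interpolated string.
UNSAFE_DEFAULTS: Dict[str, Lookup] = {
    "base64": lookup_base64, "env": lookup_env, "script": lookup_script}
# Hardened: explicit allowlist of lookups that cannot execute code or reach out.
SAFE_DEFAULTS: Dict[str, Lookup] = {"base64": lookup_base64}


def interpolate(template: str, lookups: Dict[str, Lookup], max_passes: int = 8) -> str:
    """Expand ${prefix:name} using the given lookups; unknown prefixes are
    left verbatim. Re-run while an expansion yields new ${...} text (nested
    payloads), bounded by max_passes."""
    def repl(m) -> str:
        fn = lookups.get(m.group(1))
        return m.group(0) if fn is None else fn(m.group(2))

    out = template
    for _ in range(max_passes):
        new = PATTERN.sub(repl, out)
        if new == out:
            break
        out = new
    return out


def is_vulnerable_version(version: str) -> bool:
    """True for 1.5 <= version < 1.10.0, the range named in the advisory."""
    parts = tuple(int(p) for p in version.split("."))
    return (1, 5) <= parts < (1, 10)


# Constructed attacker input: a base64 lookup that decodes to a script lookup,
# showing why the outer allowlist must hold for every pass, not just the first.
NESTED_PAYLOAD = "${base64:" + base64.b64encode(b"${script:7*6}").decode() + "}"


def demo() -> Dict[str, str]:
    return {
        "unsafe": interpolate(NESTED_PAYLOAD, UNSAFE_DEFAULTS),  # code ran
        "safe": interpolate(NESTED_PAYLOAD, SAFE_DEFAULTS),      # left verbatim
    }


if __name__ == "__main__":
    print(demo())
    for v in ("1.4.1", "1.5", "1.9", "1.10.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "ok")
```

Two checks follow from this for a real deployment: upgrade to 1.10.0 or later so the defaults no longer include the code-executing lookups, and regardless of version never feed untrusted input into an interpolating substitutor, since any lookup that reaches the network or the environment still leaks data even when it cannot run code.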
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (python-django), Fedora (apptainer, kernel, python3.6, and vim), Gentoo (assimp, deluge, libvirt, libxml2, openssl, rust, tcpreplay, virglrenderer, and wireshark), Slackware (zlib), SUSE (chromium, python3, qemu, roundcubemail, and seamonkey), and Ubuntu (linux-aws-5.4 and linux-ibm).
---------------------------------------------
https://lwn.net/Articles/911461/
∗∗∗ WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-042/
∗∗∗ WAGO: Multiple Vulnerabilities in Controller with WAGO I/O-Pro / CODESYS 2.3 Runtime ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-040/
∗∗∗ TRUMPF TruTops prone to improper access control ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-023/
∗∗∗ Gitea: Multiple vulnerabilities enable unspecified attacks ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1742
∗∗∗ Linux kernel: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1741
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily