[CERT-daily] Tageszusammenfassung - 20.10.2022

Daily end-of-shift report team at cert.at
Thu Oct 20 19:01:38 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 19-10-2022 18:00 − Donnerstag 20-10-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Forensic Value of Prefetch, (Thu, Oct 20th) ∗∗∗
---------------------------------------------
When a program executes on a Windows system there are many artifacts that are generated which can assist digital forensic investigations. One of particular note is the Windows Prefetch file. Found in C:\Windows\Prefetch by default, prefetch files (.pf) contain a wealth of information that can prove vital to any investigation.
---------------------------------------------
https://isc.sans.edu/diary/rss/29168


∗∗∗ Fantastic Rootkits: And Where to Find Them (Part 1) ∗∗∗
---------------------------------------------
In this blog series, we will cover the topic of rootkits — how they are built and the basics of kernel driver analysis — specifically on the Windows platform. In this first part, we will focus on some implementation examples of basic rootkit functionality and the basics of kernel driver development, as well as Windows Internals background needed to understand the inner workings of rootkits.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-1


∗∗∗ Microsoft liefert Updates gegen SSL-/TLS-Probleme durch Windows-Updates ∗∗∗
---------------------------------------------
Die aktuellen Windows-Updates für Windows 10, 11 und Server könnten Probleme bei SSL- und TLS-Verschlüsselung verursachen. Teils helfen weitere Patches dagegen.
---------------------------------------------
https://heise.de/-7314906


∗∗∗ New Malicious Clicker found in apps installed by 20M+ users ∗∗∗
---------------------------------------------
Cybercriminals are always after illegal advertising revenue. As we have previously reported, we have seen many mobile malwares masquerading as a useful tool or utility, and automatically crawling ads in the background. Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-malicious-clicker-found-in-apps-installed-by-20m-users/


∗∗∗ Social Engineering dos and don’ts ∗∗∗
---------------------------------------------
It got me thinking, again, about what makes for good social engineering (SE), and what advice would I give my younger self. These are my thoughts.
---------------------------------------------
https://www.pentestpartners.com/security-blog/social-engineering-dos-and-donts/


∗∗∗ E-Mail-Konto wird migriert: Kriminelle senden betrügerische Mail an Mitarbeiter:innen ∗∗∗
---------------------------------------------
Kriminelle versenden betrügerische E-Mails und geben sich dabei als „Outlook-E-Mail-Administrator“ Ihres Unternehmens aus. Angeblich sollen die E-Mail-Konten aller Mitarbeiter:innen migriert werden. Klicken Sie nicht auf den Link.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-konto-wird-migriert-kriminelle-senden-betruegerische-mail-an-mitarbeiterinnen/


∗∗∗ Datenleck bei Microsoft, Kundendaten betroffen (Okt. 2022) ∗∗∗
---------------------------------------------
Bei Microsoft hat es ein größeres Datenleck gegeben, bei dem Kundendaten wohl öffentlich zugreifbar waren. Eine Sicherheitsfirma hat einen fehlkonfigurierten Server mit den Daten im Internet gefunden und Microsoft im September informiert.
---------------------------------------------
https://www.borncity.com/blog/2022/10/20/datenleck-bei-microsoft-kundendaten-betroffen-okt-2022/


∗∗∗ Vulnerability Spotlight: Vulnerabilities in Abode Systems home security kit could allow attacker to take over cameras, remotely disable them ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users of unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors.
---------------------------------------------
http://blog.talosintelligence.com/2022/10/vuln-spotlight-abode-.html


∗∗∗ LofyGang – Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year ∗∗∗
---------------------------------------------
Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.
---------------------------------------------
https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/


∗∗∗ New Research: We’re Still Terrible at Passwords; Making it Easy for Attackers ∗∗∗
---------------------------------------------
We look at two of the most popular protocols used for remote administration, SSH and RDP, to get a sense of how attackers are taking advantage of weaker password management to gain access to systems.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/10/20/new-research-were-still-terrible-at-passwords-making-it-easy-for-attackers/


∗∗∗ Black Basta and the Unnoticed Delivery ∗∗∗
---------------------------------------------
As reported by Check Point at the end of H1 2022, 1 out of 40 organizations worldwide were impacted by ransomware attacks, which constitutes a worrying 59% increase over the past year. The ransomware business continues to grow in gargantuan proportions due to the lucrative payments demanded – and often received – by cybercrime gangs.
---------------------------------------------
https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Patchday: Oracle liefert 370 Sicherheitsupdates im Oktober ∗∗∗
---------------------------------------------
Zum Patchday, Critical Patch Update genannt, liefert Oracle eine lange Liste an Produkten mit Sicherheitslücken. 370 Updates schließen die Schwachstellen.
---------------------------------------------
https://heise.de/-7314209


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, OpenShift Container Platform 4.9.50 bug fix and, and rh-nodejs14-nodejs), SUSE (buildah, clone-master-clean-up, go1.18, go1.19, helm, jasper, libostree, nodejs16, php8, qemu, and xen), and Ubuntu (libxdmcp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oem-5.14, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-oem-5.17, and perl). 
---------------------------------------------
https://lwn.net/Articles/911879/


∗∗∗ Drupal: Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-059


∗∗∗ Security Bulletin: IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-an-identity-spoofing-issue-in-ibm-websphere-application-server-liberty-cve-2022-22475/


∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-web-service-is-vulnerable-to-multiple-vulnerabilities-due-to-ibm-java-2/


∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-web-services-is-vulnerable-to-multiple-vulnerabilities-due-to-eclipse-jetty-2/


∗∗∗ Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache Zookeeper (CVE-2019-0201, CVE-2021-21409) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-b2b-api-vulnerable-to-multiple-issues-due-to-apache-zookeeper-cve-2019-0201-cve-2021-21409/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-ibm-websphere-application-server-april-2022-cpu-that-is-bundled-with-ibm-websphere-application-server-patterns/


∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – [CVE-2021-45105] (affecting v2.16) and [CVE-2021-45046] (affecting v2.15) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vulnerability-as-it-relates-to-ibm-maximo-scheduler-optimization-apache-log4j-cve-2021-45105-affecting-v2-16-and-cve-2021-45046-affecting-v2-15-2/


∗∗∗ F5: K24823443: Apache Commons Text vulnerability CVE-2022-42889 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24823443


∗∗∗ F5: K27155546: BIND vulnerability CVE-2022-38177 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K27155546


∗∗∗ F5: K04712583: Linux kernel vulnerability CVE-2021-40490 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04712583


∗∗∗ F5: K32615023: Linux kernel vulnerability CVE-2022-2588 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K32615023


∗∗∗ Bentley Systems MicroStation Connect ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-293-01


∗∗∗ Spring: CVE-2022-31684: Reactor Netty HTTP Server may log request headers ∗∗∗
---------------------------------------------
https://spring.io/blog/2022/10/20/cve-2022-31684-reactor-netty-http-server-may-log-request-headers

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list