[CERT-daily] Daily summary - 25.10.2022
Daily end-of-shift report
team at cert.at
Tue Oct 25 20:41:12 CEST 2022
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-10-2022 18:00 − Tuesday 25-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Zero-day flaw in the iOS and iPadOS kernel is being exploited ∗∗∗
---------------------------------------------
iOS and iPadOS 16.1 fix a serious kernel bug in the operating systems for iPhone and iPad. Apple has reports of ongoing attacks.
---------------------------------------------
https://heise.de/-7319500
∗∗∗ Chrome extensions with 1 million installs hijack targets’ browsers ∗∗∗
---------------------------------------------
Researchers at Guardio Labs have discovered a new malvertizing campaign pushing Google Chrome and Microsoft Edge extensions that hijack searches and insert affiliate links into webpages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/
∗∗∗ How the Software Supply Chain Security is Threatened by Hackers ∗∗∗
---------------------------------------------
In many ways, the software supply chain is similar to that of manufactured goods, which we all know has been largely impacted by a global pandemic and shortages of raw materials. However, in the IT world, it is not shortages or pandemics that have been the main obstacles to overcome in recent years, but rather attacks aimed at using them to harm hundreds or even thousands of victims simultaneously.
---------------------------------------------
https://thehackernews.com/2022/10/how-software-supply-chain-security-is.html
∗∗∗ Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS).
---------------------------------------------
https://thehackernews.com/2022/10/researchers-detail-windows-event-log.html
∗∗∗ Chapter 1 - From Gozi to ISFB: The history of a mythical malware family. ∗∗∗
---------------------------------------------
Disclaimer: This article does not contain any IOCs or infrastructure details. Instead, the aim is to explain the whole business dynamic of a long-lasting malware family. This work is based on almost 10 years of research and intel gatherings and tries its best to stick to the truth and the facts observed around ISFB. Hopefully, it will give some insight on how the top cyber crime groups have been working over the years.
---------------------------------------------
https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef
∗∗∗ Stranger Strings: An exploitable flaw in SQLite ∗∗∗
---------------------------------------------
Trail of Bits is publicly disclosing CVE-2022-35737, which affects applications that use the SQLite library API. CVE-2022-35737 was introduced in SQLite version 1.0.12 (released on October 17, 2000) and fixed in release 3.39.2 (released on July 21, 2022). CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled [...]
---------------------------------------------
https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/
∗∗∗ E-mail from WhatsApp: Prize of 900.600,00 USD is fake ∗∗∗
---------------------------------------------
An e-mail from WhatsApp is currently circulating that informs you of a prize of 900.600,00 USD. To receive the prize, you have to send your contact details to account.whatsapp at mail.com.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-von-whatsapp-gewinn-ueber-90060000-usd-ist-fake/
∗∗∗ Windows 10 22H2, Windows 11 22H2: Administrative Templates (.admx); Windows 10 22H2 Security Baseline ∗∗∗
---------------------------------------------
A brief note for administrators of Windows systems in enterprise environments. Microsoft has released the Security Baseline for the Windows 10 October 2022 Update (version 22H2).
---------------------------------------------
https://www.borncity.com/blog/2022/10/25/windows-10-22h2-windows-11-22h2-administrative-vorlagen-admx-windows-10-22h2-security-baseline/
∗∗∗ Rapidly Evolving Magniber Ransomware ∗∗∗
---------------------------------------------
The Magniber ransomware has recently been evolving rapidly. From changing its file extension and injection to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed.
---------------------------------------------
https://asec.ahnlab.com/en/40422/
∗∗∗ Analysis on Attack Techniques and Cases Using RDP ∗∗∗
---------------------------------------------
Overview: One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems. This post will cover cases where RDP (Remote Desktop Protocol), a default service provided by baseline Windows OS, was used.
---------------------------------------------
https://asec.ahnlab.com/en/40394/
=====================
= Vulnerabilities =
=====================
∗∗∗ Web conferencing: Security vulnerability in Zoom allows session takeover ∗∗∗
---------------------------------------------
Zoom warns of a security vulnerability through which attackers could, for example, lure victims to fake servers and thereby take over sessions. Updates are available.
---------------------------------------------
https://heise.de/-7319974
∗∗∗ VMSA-2022-00031 ∗∗∗
---------------------------------------------
VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-00031.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libbluray and wkhtmltopdf), Fedora (firefox, libksba, libmodsecurity, libxml2, qemu, and xmlsec1), Red Hat (389-ds-base, 389-ds:1.4, git-lfs, gnutls, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libksba, mysql:8.0, pki-core, postgresql:12, samba, sqlite, and zlib), Scientific Linux (389-ds-base, libksba, and pki-core), SUSE (bluez, firefox, jdom, kernel, libosip2, libxml2, multipath-tools, and python-Mako), and Ubuntu (barbican, mysql-5.7, mysql-8.0, openvswitch, and pillow).
---------------------------------------------
https://lwn.net/Articles/912324/
∗∗∗ Synology-SA-22:19 Presto File Server ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to write arbitrary files or remote authenticated users to bypass security constraint via a susceptible version of Presto File Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_19
∗∗∗ Synology-SA-22:18 DSM ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to read or write arbitrary files or remote authenticated users to access intranet resources via a susceptible version of Synology DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_18
∗∗∗ Node.js: OpenSSL and zlib update assessment, and Node.js Assessment workflow ∗∗∗
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/openssl-and-zlib-vulnerability-assessment
∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosure of information that could aid in further system attacks. (CVD-2022-38710) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-is-vulnerable-to-disclosure-of-information-that-could-aid-in-further-system-attacks-cvd-2022-38710/
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-may-affect-ibm-robotic-process-automation-for-cloud-pak-10/
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to CSV Injection (CVE-2022-22425) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-potentially-vulnerable-to-csv-injection-cve-2022-22425/
∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to incorrect permission assignment ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-is-vulnerable-to-incorrect-permission-assignment/
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthorized attacker causing integrity impact (CVE-2021-2163) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java-runtime-for-ibm-i-are-vulnerable-to-unauthorized-attacker-causing-integrity-impact-cve-2021-2163/
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-34/
∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-07
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily