[CERT-daily] Tageszusammenfassung - 23.09.2022

Daily end-of-shift report team at cert.at
Fri Sep 23 18:33:25 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 22-09-2022 18:00 − Freitag 23-09-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Schadsoftware: Betrüger verteilen Malware mit gefälschten Zoom-Webseiten ∗∗∗
---------------------------------------------
Die Webseiten geben sich als Downloadseite für Zoom aus, doch verteilen sie eine Schadsoftware, die es auf Bankdaten abgesehen hat.
---------------------------------------------
https://www.golem.de/news/schadsoftware-betrueger-verteilen-malware-mit-gefaelschten-zoom-webseiten-2209-168494.html


∗∗∗ Google Play Store: Trojaner Harly kommt auf 4,8 Millionen Downloads ∗∗∗
---------------------------------------------
Im Google Play Store entdeckt Kaspersky zahlreiche trojanisierte Apps, die den Schädling Harly enthalten. Der schließt kostenpflichtige Dienste-Abos ab.
---------------------------------------------
https://heise.de/-7273522


∗∗∗ Fingerabdruck & Co. - Wie funktionieren biometrische Anmeldeverfahren? ∗∗∗
---------------------------------------------
Ihre Augen können das Fenster zu Ihrer Seele sein, aber sie können auch Ihre Bordkarte für das Flugzeug oder der Schlüssel zum Entsperren Ihres Telefons sein. Welche Vor- und Nachteile birgt die Verwendung biometrischer Merkmale für die Authentifizierung?
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/09/22/fingerabdruck-co-wie-funktionieren-biometrische-anmeldeverfahren/


∗∗∗ Microsoft: Windows KB5017383 preview update added to WSUS by mistake ∗∗∗
---------------------------------------------
Microsoft says that KB5017383, this months Windows preview update, has been accidentally listed in Windows Server Update Services (WSUS) and may lead to security update install problems in some managed environments.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5017383-preview-update-added-to-wsus-by-mistake/


∗∗∗ Malicious OAuth applications used to compromise email servers and spread spam ∗∗∗
---------------------------------------------
Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange servers to launch spam runs.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/


∗∗∗ Kids Like Cookies, Malware Too!, (Fri, Sep 23rd) ∗∗∗
---------------------------------------------
Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won't discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user.
---------------------------------------------
https://isc.sans.edu/diary/rss/29082


∗∗∗ Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts ∗∗∗
---------------------------------------------
GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted "many victim organizations.
---------------------------------------------
https://thehackernews.com/2022/09/hackers-using-fake-circleci.html


∗∗∗ WAF bypasses via 0days ∗∗∗
---------------------------------------------
In May, I participated in 1337up0522 from Intigriti which was about hacking OWASP ModSecurity Core Rule Set (CRS). I’ve got 13 findings accepted including 3 exceptional, 2 critical, and 8 high severity vulnerabilities. In this article, I will showcase a couple of interesting findings.
---------------------------------------------
https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec


∗∗∗ Surge in Magento 2 template attacks ∗∗∗
---------------------------------------------
The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In this article we share our findings of 3 template hacks, and hope it will help you if you are confronted with a similar attack.
---------------------------------------------
https://sansec.io/research/magento-2-template-attacks


∗∗∗ Cross-Site Scripting: The Real WordPress Supervillain ∗∗∗
---------------------------------------------
Vulnerabilities are a fact of life for anyone managing a website, even when using a well-established content management system like WordPress. Not all vulnerabilities are equal, with some allowing access to sensitive data that would normally be hidden from public view, while others could allow a malicious actor to take full control of an affected [...]
---------------------------------------------
https://www.wordfence.com/blog/2022/09/cross-site-scripting-the-real-wordpress-supervillain/


∗∗∗ CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of cyberattacks targeting a recently addressed vulnerability in Zoho ManageEngine.
---------------------------------------------
https://www.securityweek.com/cisa-warns-zoho-manageengine-rce-vulnerability-exploitation


∗∗∗ NSA and CISA: Heres how hackers are going after critical systems, and what you need to do about it ∗∗∗
---------------------------------------------
NSA and CISA offer some advice for critical infrastructure operators to protect their industrial control systems.
---------------------------------------------
https://www.zdnet.com/article/nsa-and-cisa-heres-how-hackers-are-going-after-critical-systems-and-what-you-need-to-do-about-it/


∗∗∗ Experts fear LockBit spread after ransomware builder leaked ∗∗∗
---------------------------------------------
A toolkit to create DIY versions of the LockBit ransomware has leaked, raising alarms among incident responders and cybersecurity experts warning of more widespread use in attacks. The leak, for the LockBit 3.0 ransomware encryptor, was announced on Wednesday by security researcher 3xp0rt. Several experts and researchers confirmed to The Record that the builder works [...]
---------------------------------------------
https://therecord.media/experts-fear-lockbit-spread-after-ransomware-builder-leaked/


∗∗∗ FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers ∗∗∗
---------------------------------------------
The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers.
---------------------------------------------
https://asec.ahnlab.com/en/39152/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ HP-Drucker: Kritische Lücke erlaubt Codeschmuggel in diversen Modellen ∗∗∗
---------------------------------------------
HP warnt vor Sicherheitslücken in zahlreichen Druckermodellen, die Angreifern das Einschleusen von Schadcode ermöglichen. Der Hersteller stellt Updates bereit.
---------------------------------------------
https://heise.de/-7250538


∗∗∗ IBM Security Bulletins 2022-09-22 ∗∗∗
---------------------------------------------
IBM CICS TX Advanced, IBM CICS TX Standard, IBM Common Cryptographic Architecture (CCA), IBM InfoSphere Information Server, IBM Jazz for Service Management, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM Partner Engagement Manager, IBM Security Guardium, IBM Spectrum Control, Operations Dashboard, TXSeries for Multiplatforms, Watson Explorer and Watson Explorer Content Analytics Studio, z/Transaction Processing Facility
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, expat, firefox-esr, mediawiki, and unzip), Fedora (qemu and thunderbird), Oracle (webkit2gtk3), SUSE (ardana-ansible, ardana-cobbler, ardana-tempest, grafana, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-neutron-gbp, openstack-nova, python-Django1, rabbitmq-server, rubygem-puma, ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma, dpdk, [...]
---------------------------------------------
https://lwn.net/Articles/909208/


∗∗∗ New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access ∗∗∗
---------------------------------------------
Firmware security company Binarly has discovered another round of potentially serious firmware vulnerabilities that could allow an attacker to gain persistent access to any of the millions of affected devices.
---------------------------------------------
https://www.securityweek.com/new-firmware-vulnerabilities-affecting-millions-devices-allow-persistent-access

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list