Daily Summary - 05.10.2022

End-of-Day report

Timeframe: Tuesday 04-10-2022 18:00 - Wednesday 05-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Exchange zero-day: Microsoft corrects workaround

The workaround first proposed for the ProxyNotShell zero-day vulnerability in Exchange could be bypassed easily. Microsoft has published a corrected version.

https://heise.de/-7284241


End of Basic Auth: brute-force attacks on Microsoft Exchange on the rise

Microsoft reports numerous attacks on e-mail accounts that still use basic authentication. Customers should act quickly.

https://www.golem.de/news/ende-von-basic-auth-brute-force-angriffe-auf-microsoft-exchange-nehmen-zu-2210-168735.html


Post-Exploitation Persistent Email Forwarder in Outlook Desktop

There is an exploitation method that can automatically forward CC'd emails to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploitation-persistent-email-forwarder-in-outlook-desktop/


GandCrab threatens Germany

The GandCrab ransomware dominates ESET's detection statistics in Germany, Austria and Switzerland. Almost one in four ransomware detections is attributable to GandCrab.

https://www.zdnet.de/88403902/gandcrab-bedroht-deutschland/


Beware of blackout shops such as dyn-amo.de and dynamos.at!

Reports about the possibility of short-term blackouts, i.e. large-scale power, internet or heating outages, keep appearing. Dubious online shops such as those of ECOM4YOU, HAPPY SHOPPING or Shopfactory24 GmbH play on their customers' fears and offer emergency kits for blackouts. Be careful, we have tested it: the products are overpriced, the delivery times long, the quality partly inferior and [...]

https://www.watchlist-internet.at/news/vorsicht-vor-blackout-shops-wie-dyn-amode-und-dynamosat/


Shadowserver Alliance Launch

The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no-cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion of Shadowserver's freely provided internet security services and enables partners, [...]

https://www.shadowserver.org/news/shadowserver-alliance-launch/


Credential Harvesting with Telegram API, (Tue, Oct 4th)

Phishing emails are a daily occurrence and many times they end in credential harvesting. An email initially lures a user to a website that promises an anticipated file. The landing page taunts the user to click on an additional link and enter their credentials. In this case, the credentials entered by the user are not sent back to the bad actor using a simple web form but using the Telegram API [1].

https://isc.sans.edu/diary/rss/29112


How to Secure & Harden Your Joomla! Website in 12 Steps

At Sucuri, we're often asked how website owners and webmasters can secure their websites. However, advice can often be too broad; different content management systems (CMS) exist in this ecosystem and each requires a unique security configuration.

https://blog.sucuri.net/2022/10/how-to-secure-harden-your-joomla-website-in-12-steps.html


Securing Developer Tools: A New Supply Chain Attack on PHP

Supply chain attacks are a hot topic for development organizations today. Last year, in the largest ever software supply chain attack, a backdoor infected 18,000 SolarWinds customers. Earlier this year, a security researcher was able to breach Apple, Microsoft, Paypal, and other tech giants using a new supply chain attack technique.

https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-attack-on-php/


Our Fox-IT Dissect framework for forensic data collection, now open source

Dissect is a framework for collecting and analysing large amounts of forensic data. A game changer in cyber incident response, it enables data acquisition on thousands of systems within hours, regardless of the nature and size of the IT environment to be investigated after an attack.

https://www.mynewsdesk.com/nccgroup/pressreleases/our-fox-it-dissect-framework-for-forensic-data-collection-now-open-source-3208630


Change in Magniber Ransomware (*.js - *.wsf) - September 28th

The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection [...]

https://asec.ahnlab.com/en/39489/


How Water Labbu Exploits Electron-Based Applications

In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors.

https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html

Vulnerabilities

Patch day: Attackers could escalate their privileges on Android 10 to 13

Important security updates close, in part critical, vulnerabilities in various Android versions.

https://heise.de/-7284409


Aruba: Critical security vulnerability in access points

Aruba warns of critical security vulnerabilities in its own access points.

https://heise.de/-7284335


IBM Security Bulletins 2022-10-04

IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manager, IBM Tivoli Monitoring, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM Security Guardium, Rational Business Developer, IBM Cloud Pak for Watson, IBM i Modernization Engine, IBM CICS TX Advanced, IBM Planning Analytics Workspace, IBM Security Guardium.

https://www.ibm.com/blogs/psirt/


Security updates for Wednesday

Security updates have been issued by Debian (barbican, mediawiki, and php-twig), Fedora (bash, chromium, lighttpd, postgresql-jdbc, and scala), Mageia (bash, chromium-browser-stable, and golang), Oracle (bind, bind9.16, and squid:4), Red Hat (bind, bind9.16, RHSSO, and squid:4), Scientific Linux (bind), SUSE (cifs-utils, libjpeg-turbo, nodejs14, and nodejs16), and Ubuntu (jackd2, linux-gke, and linux-intel-iotg).

https://lwn.net/Articles/910395/


SA45476 - Client Side Desync Attack (Informational)

The deprecated Pulse Collaboration feature is vulnerable to Client-Side Desync attacks on versions of PCS 9.1R15 and below.

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-Desync-Attack


OpenSSH: Multiple vulnerabilities enable denial of service

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1621


Keycloak: Vulnerability enables cross-site scripting

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1624


Octopus Deploy: Vulnerability enables unspecified attack

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1625


Matomo: Vulnerabilities enable cross-site scripting

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1626


BD Totalys MultiProcessor

https://us-cert.cisa.gov/ics/advisories/icsma-22-277-01


Johnson Controls Metasys ADX Server

https://us-cert.cisa.gov/ics/advisories/icsa-22-277-01


Hitachi Energy Modular Switchgear Monitoring (MSM)

https://us-cert.cisa.gov/ics/advisories/icsa-22-277-02


Horner Automation Cscape

https://us-cert.cisa.gov/ics/advisories/icsa-22-277-03


OMRON CX-Programmer

https://us-cert.cisa.gov/ics/advisories/icsa-22-277-04