End-of-Day report
Timeframe: Tuesday 04-10-2022 18:00 - Wednesday 05-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Exchange zero-day: Microsoft corrects workaround
The workaround first proposed for the ProxyNotShell zero-day vulnerability in Exchange could be bypassed easily. Microsoft has released a corrected version.
https://heise.de/-7284241
End of Basic Auth: brute-force attacks on Microsoft Exchange are increasing
Microsoft reports numerous attacks on e-mail accounts that still use basic authentication. Customers are urged to act quickly.
https://www.golem.de/news/ende-von-basic-auth-brute-force-angriffe-auf-microsoft-exchange-nehmen-zu-2210-168735.html
Post-Exploitation Persistent Email Forwarder in Outlook Desktop
There is an exploitation method that can automatically forward CC'd emails to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploitation-persistent-email-forwarder-in-outlook-desktop/
GandCrab threatens Germany
The GandCrab ransomware dominates ESET's detection statistics in Germany, Austria and Switzerland. Nearly one in four ransomware detections is attributable to GandCrab.
https://www.zdnet.de/88403902/gandcrab-bedroht-deutschland/
Beware of blackout shops such as dyn-amo.de and dynamos.at!
There are currently repeated reports about the possibility of short-term blackouts, i.e. large-scale power, internet or heating outages. Dubious online shops such as those of ECOM4YOU, HAPPY SHOPPING or Shopfactory24 GmbH play on their customers' fears and offer emergency kits for blackouts. Be careful, we have tested them: the products are overpriced, delivery times are long, the quality is partly inferior and [...]
https://www.watchlist-internet.at/news/vorsicht-vor-blackout-shops-wie-dyn-amode-und-dynamosat/
Shadowserver Alliance Launch
The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no-cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion to Shadowserver's freely provided internet security services and enables partners, [...]
https://www.shadowserver.org/news/shadowserver-alliance-launch/
Credential Harvesting with Telegram API, (Tue, Oct 4th)
Phishing emails are a daily occurrence, and many times they end with credential harvesting. An email initially lures a user to a website that promises an anticipated file. The landing page taunts the user into clicking an additional link and entering their credentials. In this case, the credentials entered by the user are not sent back to the bad actor using a simple web form but via the Telegram API [1].
https://isc.sans.edu/diary/rss/29112
How to Secure & Harden Your Joomla! Website in 12 Steps
At Sucuri, we're often asked how website owners and webmasters can secure their websites. However, advice can often be too broad; different content management systems (CMS) exist in this ecosystem and each requires a unique security configuration.
https://blog.sucuri.net/2022/10/how-to-secure-harden-your-joomla-website-in-12-steps.html
Securing Developer Tools: A New Supply Chain Attack on PHP
Supply chain attacks are a hot topic for development organizations today. Last year, in the largest ever software supply chain attack, a backdoor infected 18,000 SolarWinds customers. Earlier this year, a security researcher was able to breach Apple, Microsoft, Paypal, and other tech giants using a new supply chain attack technique.
https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-attack-on-php/
Our Fox-IT Dissect framework for forensic data collection, now open source
Dissect is a framework for collecting and analysing large amounts of forensic data. A game changer in cyber incident response, it enables data acquisition on thousands of systems within hours, regardless of the nature and size of the IT environment to be investigated after an attack.
https://www.mynewsdesk.com/nccgroup/pressreleases/our-fox-it-dissect-framework-for-forensic-data-collection-now-open-source-3208630
Change in Magniber Ransomware (*.js - *.wsf) - September 28th
The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection [...]
https://asec.ahnlab.com/en/39489/
How Water Labbu Exploits Electron-Based Applications
In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors.
https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-electron-based-applications.html
Vulnerabilities
Patchday: Attackers could escalate their privileges on Android 10 through 13
Important security updates close vulnerabilities, some of them critical, in various Android versions.
https://heise.de/-7284409
Aruba: Critical security vulnerability in access points
Aruba warns of critical security vulnerabilities in its own access points.
https://heise.de/-7284335
IBM Security Bulletins 2022-10-04
IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manage, IBM Tivoli Monitoring, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM Security Guardium, Rational Business Developer, IBM Cloud Pak for Watson, IBM i Modernization Engine, IBM CICS TX Advanced, IBM Planning Analytics Workspace, IBM Security Guardium.
https://www.ibm.com/blogs/psirt/
Security updates for Wednesday
Security updates have been issued by Debian (barbican, mediawiki, and php-twig), Fedora (bash, chromium, lighttpd, postgresql-jdbc, and scala), Mageia (bash, chromium-browser-stable, and golang), Oracle (bind, bind9.16, and squid:4), Red Hat (bind, bind9.16, RHSSO, and squid:4), Scientific Linux (bind), SUSE (cifs-utils, libjpeg-turbo, nodejs14, and nodejs16), and Ubuntu (jackd2, linux-gke, and linux-intel-iotg).
https://lwn.net/Articles/910395/
SA45476 - Client Side Desync Attack (Informational)
The deprecated Pulse Collaboration feature is vulnerable to Client-Side Desync attacks on versions of PCS 9.1R15 and below.
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-Desync-Attack
OpenSSH: Multiple vulnerabilities allow denial of service
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1621
Keycloak: Vulnerability allows cross-site scripting
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1624
Octopus Deploy: Vulnerability allows unspecified attack
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1625
Matomo: Vulnerabilities allow cross-site scripting
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1626
BD Totalys MultiProcessor
https://us-cert.cisa.gov/ics/advisories/icsma-22-277-01
Johnson Controls Metasys ADX Server
https://us-cert.cisa.gov/ics/advisories/icsa-22-277-01
Hitachi Energy Modular Switchgear Monitoring (MSM)
https://us-cert.cisa.gov/ics/advisories/icsa-22-277-02
Horner Automation Cscape
https://us-cert.cisa.gov/ics/advisories/icsa-22-277-03
OMRON CX-Programmer
https://us-cert.cisa.gov/ics/advisories/icsa-22-277-04