Daily Summary - 06.10.2022

End-of-Day report

Timeframe: Wednesday 05-10-2022 18:00 - Thursday 06-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner

News

Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast

With just one malformed Zigbee frame, attackers could take over certain Ikea smart lightbulbs, leaving users unable to turn the lights down.

https://www.darkreading.com/application-security/ikea-smart-light-system-flaw-lets-attackers-turn-bulbs-on-full-blast


Ransomware: security software disabled with a legitimate driver

The Blackbyte ransomware uses the Bring Your Own Vulnerable Driver technique to disable antivirus software.

https://www.golem.de/news/ransomware-sicherheitssoftware-mit-legitimem-treiber-deaktiviert-2210-168754.html


A look at the 2020-2022 ATM/PoS malware landscape

We looked at the number of affected ATMs and PoS terminals, geography of attacks and threat families used by cybercriminals to target victims in 2020-2022.

https://securelist.com/atm-pos-malware-landscape-2020-2022/107656/


Detecting and preventing LSASS credential dumping attacks

In this blog, we share examples of various threat actors that we've recently observed using the LSASS credential dumping technique. [..] Finally, we offer additional recommendations to further harden systems and prevent attackers from taking advantage of possible misconfigurations should they fail to leverage credential dumping.

https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/
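As an added example (not part of the Microsoft post or of this digest), the Python below shows the shape of a host-based detection for this technique: it reads Sysmon Event ID 10 (ProcessAccess) records and flags a non-allowlisted process that opens lsass.exe with memory-read or handle-duplication rights, or whose call stack includes unbacked memory. The log lines are constructed, the key=value layout is a flattened stand-in for Sysmon's fields, and the access-mask bits, allowlist and "UNKNOWN" call-trace heuristic are assumptions drawn from common detection practice rather than rules taken from the blog.

```python
"""Flag suspicious handle requests to lsass.exe in Sysmon Event ID 10 records.

Added example; the log lines are constructed and the heuristics below are
assumptions based on common detection content, not the Microsoft blog's rules.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Process access rights from the Windows SDK. VM_READ is what a dumper needs to
# read LSASS memory; DUP_HANDLE is used by tools that duplicate an existing
# handle instead of opening a new one. PROCESS_ALL_ACCESS (0x1fffff) includes both.
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040

# Source images expected to touch lsass.exe on a typical host (assumption; tune
# per environment). Image paths are attacker-influenceable, so this is a noise
# filter, not a trust decision.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Key=Value pairs; values may contain spaces (e.g. "Program Files"), so a value
# runs until the next " Key=" token or end of line.
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    source: str
    granted: int
    reasons: Tuple[str, ...]


def parse(line: str) -> Dict[str, str]:
    """Turn one flattened Sysmon-10 style line into a field dict."""
    return dict(KV.findall(line))


def assess(rec: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the record looks like LSASS credential access."""
    target = rec.get("TargetImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return None
    source = rec.get("SourceImage", "").lower()
    granted = int(rec.get("GrantedAccess", "0"), 16)
    reasons = []
    if granted & PROCESS_VM_READ and source not in ALLOWLIST:
        reasons.append("vm_read_from_unexpected_source")
    if granted & PROCESS_DUP_HANDLE and source not in ALLOWLIST:
        reasons.append("dup_handle_from_unexpected_source")
    # Sysmon prints UNKNOWN for stack frames not backed by an image on disk,
    # a common sign of injected or reflectively loaded code (heuristic).
    if "UNKNOWN" in rec.get("CallTrace", ""):
        reasons.append("call_from_unbacked_memory")
    if not reasons:
        return None
    return Finding(source, granted, tuple(reasons))


def scan(lines: List[str]) -> List[Finding]:
    """Run assess() over every line and keep the hits, in input order."""
    return [f for f in (assess(parse(line)) for line in lines) if f is not None]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # Benign: query-only access, no memory read.
    r"SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c0fe",
    # Allowlisted AV engine with full access: suppressed by the allowlist.
    r"SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c0fe",
    # Dump tool from a temp directory asking for PROCESS_ALL_ACCESS.
    r"SourceImage=C:\Temp\procdump64.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c0fe",
    # Living-off-the-land binary with VM_READ and an unbacked stack frame.
    r"SourceImage=C:\Windows\System32\rundll32.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001F3A2B40123)",
    # Different target process: ignored.
    r"SourceImage=C:\Temp\procdump64.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.source} 0x{f.granted:x} {', '.join(f.reasons)}")
```

The access masks requested vary by tool and version, so matching on the individual bits that matter (VM_READ, DUP_HANDLE) ages better than a fixed list of GrantedAccess values; conversely the allowlist is only a volume control, since a malicious binary can be dropped under an allowlisted name and path. Detection of this kind complements the hardening the blog recommends rather than replacing it.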


MSSQL, meet Maggie

Continuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. [No compromised systems in AT are listed, editor's note.]

https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01


CVE-2022-36635 - A SQL Injection in ZKSecurityBio to RCE

This is a write-up of CVE-2022-36635: an SQL injection found in ZKSecurity Bio v4.1.3, a physical-security platform (access control, elevator control, guest management, patrol and parking management), and how it was used to obtain RCE.

https://medium.com/stolabs/cve-2022-36635-a-sql-injection-in-zksecuritybio-to-rce-c5bde2962d47


Exchange zero-day: Microsoft revises workaround again

After the first workaround for an Exchange zero-day vulnerability proved ineffective and Microsoft amended it, the vendor has now issued a further correction.

https://heise.de/-7285558


Free decryption tool: flaw discovered in ransomware of the Hades family

Victims of some ransomware strains of the Hades family, such as MafiaWare666, can regain access to their data under certain conditions.

https://heise.de/-7285784


Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style

Hidden DNS resolvers and how to compromise your infrastructure

https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-your-infrastructure-kaminsky-style/


ESET Threat Report T2 2022

A look at the threat landscape in the second third of 2022 from the viewpoint of ESET telemetry and the perspective of ESET's experts.

https://www.welivesecurity.com/deutsch/2022/10/05/eset-threat-report-t2-2022-2/

Vulnerabilities

CVE-2022-41343 - RCE via Phar Deserialisation (Dompdf)

Dompdf is a popular library in PHP used for rendering PDF files from HTML. Tanto Security disclosed a vulnerability in Dompdf affecting version 2.0.0 and below. The vulnerability was patched in Dompdf v2.0.1. We recommend all Dompdf users update to the latest version as soon as possible.

https://tantosec.com/blog/cve-2022-41343/


Cisco Security Advisories 2022-10-05

Cisco published 9 Security Advisories (2 High, 7 Medium Severity)

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F10%2F05&firstPublishedEndDate=2022%2F10%2F05


Security updates for Thursday

Security updates have been issued by Debian (bind9 and nodejs), Red Hat (prometheus-jmx-exporter and squid), Slackware (dhcp), SUSE (pngcheck and sendmail), and Ubuntu (isc-dhcp, kitty, and linux-gcp-5.4).

https://lwn.net/Articles/910492/


Internet Systems Consortium DHCP: multiple vulnerabilities allow denial of service

A remote, anonymous attacker can exploit multiple vulnerabilities in Internet Systems Consortium DHCP to carry out a denial-of-service attack.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1634


Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965]

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-business-automation-is-affected-but-not-classified-as-vulnerable-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/


Security Bulletin: IBM QRadar DNS Analyzer App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-31129, CVE-2022-24785, CVE-2017-18214)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-dns-analyzer-app-for-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-cve-2022-31129-cve-2022-24785-cve-2017-18214/


Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2021-40690, CVE-2022-25647, XFID: 233967)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-multiple-vulnerabilities-cve-2021-40690-cve-2022-25647-xfid-233967/


Security Bulletin: IBM HTTP Server is vulnerable to arbitrary code execution due to Expat (CVE-2022-40674)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulnerable-to-arbitrary-code-execution-due-to-expat-cve-2022-40674/


K10812540: OpenJDK vulnerability CVE-2019-18197

https://support.f5.com/csp/article/K10812540?utm_source=f5support&utm_medium=RSS


Rockwell Automation FactoryTalk VantagePoint

https://us-cert.cisa.gov/ics/advisories/icsa-22-279-01


HIWIN Robot System Software (HRSS)

https://us-cert.cisa.gov/ics/advisories/icsa-22-279-02


Vulnerability in SPRECON-V460 visualisation software

https://www.sprecher-automation.com/it-sicherheit/security-alerts