End-of-Day report
Timeframe: Thursday 06-10-2022 18:00 - Friday 07-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
Powershell Backdoor with DGA Capability, (Fri, Oct 7th)
DGA ("Domain Generation Algorithm") is a popular tactic used by malware to make connections with its C2 more stealthy and difficult to block. The idea is to generate domain names periodically and use them during the defined period. An alternative is to generate a lot of domains and loop across them to find an available C2 server. Attackers need only register a few of the domain names and can change them very quickly.
https://isc.sans.edu/diary/rss/29122
What is a Malware Attack?
A malware attack is the act of injecting malicious software to infiltrate and execute unauthorized commands within a victim's system without their knowledge or authorization. The objectives of such an attack can vary - from stealing client information to sell as lead sources, obtaining system information for personal gain, bringing a site down to stop business or even just placing the mark of a cyber-criminal on a public domain.
https://blog.sucuri.net/2022/10/what-is-a-malware-attack.html
Loads of PostgreSQL systems are sitting on the internet without SSL encryption
They probably shouldn't be connected in the first place, says database expert. Only a third of PostgreSQL databases connected to the internet use SSL for encrypted messaging, according to a cloud database provider.
https://www.theregister.com/2022/10/07/postgresql_no_ssl/
Top CVEs Actively Exploited By [..] State-Sponsored Cyber Actors
This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by [..] state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI).
https://www.cisa.gov/uscert/ncas/alerts/aa22-279a
How to protect yourself from classified-ad fraud
Whether you are buying or selling: protect yourself from criminals on classified-ad platforms such as Willhaben, ebay, Vinted and others. Criminals repeatedly rip off users with fake profiles, forged payment confirmations or fake payment platforms. We give you tips for safe buying and selling.
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-kleinanzeigen-betrug-1/
Exchange hacks: beware, well-crafted malicious emails in circulation (7 October 2022)
This week, administrators of Exchange servers were kept quite busy by the 0-day vulnerabilities that became known at the end of September 2022 and by Microsoft's workarounds. Meanwhile, cyber criminals are trying to capitalize on this situation.
https://www.borncity.com/blog/2022/10/07/exchange-hacks-achtung-gut-gemachte-bsartige-mails-im-umlauf-7-oktober-2022/
Vulnerabilities
Remote Code Execution in Zimbra Collaboration Suite - workaround available
A critical vulnerability in Zimbra Collaboration Suite potentially allows remote, unauthenticated attackers to execute arbitrary code. According to various reports, this vulnerability is already being actively exploited. Exploitation of the vulnerability by sending an email with specially crafted attachments in the formats .cpio, .tar, .rpm can lead to a complete compromise of the system.
https://cert.at/de/warnungen/2022/10/remote-code-execution-in-zimbra-collaboration-suite-workaround-verfugbar
Fortinet warns admins to patch critical auth bypass bug immediately
Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability.
https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/
Technical Advisory - OpenJDK - Weak Parsing Logic in java.net.InetAddress and Related Classes
An attacker may trivially bypass the use of InetAddress::getAllByName to validate inputs. Note: As input validation is not an appropriate mechanism to protect against injection attacks - as opposed to output encoding and Harvard architecture-style APIs - this issue is itself considered to be of Low risk as code relying on the documented validation for such purposes should be considered insecure regardless of this issue.
https://research.nccgroup.com/2022/10/06/technical-advisory-openjdk-weak-parsing-logic-in-java-net-inetaddress-and-related-classes/
Attackers could slip manipulated updates to Cisco admins
Important security updates have been released for, among others, Cisco Expressway Series and TelePresence Video Communication Server.
https://heise.de/-7286880
Security updates for Friday
Security updates have been issued by Debian (dbus, isc-dhcp, and strongswan), Fedora (booth, php, php-twig, php-twig2, and php-twig3), Oracle (expat, prometheus-jmx-exporter, and squid), Red Hat (expat, openvswitch2.11, and squid), Scientific Linux (expat and squid), SUSE (exiv2, LibVNCServer, postgresql-jdbc, protobuf, python-PyJWT, python3, slurm, squid, and webkit2gtk3), and Ubuntu (libreoffice).
https://lwn.net/Articles/910606/
VMware Patches Code Execution Vulnerability in vCenter Server
Virtualization giant VMware on Thursday announced patches for a vCenter Server vulnerability that could lead to arbitrary code execution. A centralized management utility, the vCenter Server is used for controlling virtual machines and ESXi hosts, along with their dependent components. Tracked as CVE-2022-31680 (CVSS score of 7.2), the security bug is described as an unsafe deserialization vulnerability in the platform services controller (PSC).
https://www.securityweek.com/vmware-patches-code-execution-vulnerability-vcenter-server
Growi vulnerable to improper access control
https://jvn.jp/en/jp/JVN00845253/
IPFire WebUI vulnerable to cross-site scripting
https://jvn.jp/en/jp/JVN15411362/
Security Bulletin: IBM InfoSphere Information Server Low Level Authenticated User Can View Higher Level User And Group Listing (CVE-2022-36772)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-low-level-authenticated-user-can-view-higher-level-user-and-group-listing-cve-2022-36772/
Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-release-for-ibm-security-verify-governance-in-response-to-a-security-vulnerability-cve-2022-21824-3/
Security Bulletin: IBM InfoSphere Information Server is affected by a session management vulnerability (CVE-2022-41291)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-session-management-vulnerability-cve-2022-41291/
Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analyst-workflow-app-for-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities/
Security Bulletin: IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-browser-user-interface-vulnerable-to-multiple-issues-due-to-ibm-runtime-environment-java/
Nagios Enterprises Nagios XI: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1638
Avaya Aura Application Enablement Services: Vulnerability allows execution of arbitrary code with administrator privileges
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1645