End-of-Day report
Timeframe: Wednesday 12-10-2022 18:00 - Thursday 13-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
New Alchimist attack framework targets Windows, macOS, Linux
Cybersecurity researchers have discovered a new attack and C2 framework called Alchimist, which appears to be actively used in attacks targeting Windows, Linux, and macOS systems.
https://www.bleepingcomputer.com/news/security/new-alchimist-attack-framework-targets-windows-macos-linux/
SiteCheck Malware Trends Report - Q3 2022
Our free SiteCheck remote website scanner provides immediate insights about malware infections, blocklisting, website anomalies, and errors for millions of webmasters every month. Best of all, conducting a remote website scan is one of the easiest ways to identify security issues.
https://blog.sucuri.net/2022/10/sitecheck-malware-trends-report-2022-q3.html
Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers
Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail.
https://thehackernews.com/2022/10/researchers-uncover-custom-backdoors.html
VPN problem: Apple apps leak data on iOS
The iPhone VPN service still does not appear to work cleanly. A security researcher warns of leaks, in particular from Apple's own apps.
https://heise.de/-7307198
Top 5 ransomware detection techniques: Pros and cons of each
In the fight against ransomware, much of the discussion revolves around prevention and response. Actually detecting the ransomware, however, is just as important to securing your business. To understand why, just consider the following example.
https://www.malwarebytes.com/blog/business/2022/10/top-5-ransomware-detection-techniques-pros-and-cons-of-each
MS Enterprise app management service RCE. CVE-2022-35841
TL;DR A remote command execution and local privilege escalation vulnerability has been fixed by Microsoft as part of September's Patch Tuesday. The vulnerability, filed under CVE-2022-35841, affects the Enterprise App Management Service, which handles the installation of enterprise applications deployed via MDM.
https://www.pentestpartners.com/security-blog/ms-enterprise-app-management-service-rce-cve-2022-35841/
Some Vulnerabilities Don't Have a Name
There is a common assumption that all open source vulnerabilities hold a CVE. Still others believe that the National Vulnerability Database (NVD) has the final word when deciding what is a vulnerability and what is not. However, can a vulnerability exist that isn't tracked by a CVE, or is not in the NVD?
https://checkmarx.com/blog/some-vulnerabilities-dont-have-a-name/
Vulnerabilities
Security updates: Critical vulnerabilities in Aruba's WAN management system
Two critical vulnerabilities in Aruba EdgeConnect Orchestrator put networks at risk.
https://heise.de/-7307059
CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface
An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions.
https://security.paloaltonetworks.com/CVE-2022-0030
Juniper Security Bulletins 2022-10-12
Juniper has released 37 security advisories.
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&numberOfResults=50&f:ctype=[Security%20Advisories]
Vulnerability in JavaScript sandbox vm2 allows escape from the isolation
Anyone using a vm2 version below 3.9.11 should update the sandbox, because a vulnerability allows remote code execution on the host.
https://heise.de/-7306752
Groupware Zimbra: Updates plug several security holes
The developers have fixed several security-relevant bugs in the Zimbra groupware. Attackers could compromise the instance or escalate their privileges.
https://heise.de/-7307521
Security updates for Thursday
Security updates have been issued by Debian (libreoffice, rexical, ruby-nokogiri, and squid), Fedora (wavpack), Red Hat (expat), SUSE (gdcm, orthanc, orthanc-gdcm, orthanc-webviewer and rubygem-puma), and Ubuntu (GMP and unzip).
https://lwn.net/Articles/911042/
Trellix ePolicy Orchestrator: Multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in Trellix ePolicy Orchestrator to manipulate files or carry out a cross-site scripting attack.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1700
Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service
Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.
http://blog.talosintelligence.com/2022/10/vuln-spotlight-robustel-router.html
Sonicwall: GMS File Path Manipulation
An unauthenticated attacker can gain access to the web directory containing application binaries and configuration files through a file path manipulation vulnerability.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0021
Drupal: Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058
https://www.drupal.org/sa-contrib-2022-058
Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-4104)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-predictive-insights-impacted-by-apache-log4j-vulnerabilities-cve-2021-4104/
Security Bulletin: Hortonworks DataFlow product has log messages vulnerable to arbitrary code execution, denial of service, and remote code execution due to Apache Log4j vulnerabilities [CVE-2021-44228], [CVE-2021-45105], and [CVE-2021-45046]
https://www.ibm.com/blogs/psirt/security-bulletin-hortonworks-dataflow-product-has-log-messages-vulnerable-to-arbitrary-code-execution-denial-of-service-and-remote-code-execution-due-to-apache-log4j-vulnerabilities-cve-2021-4422/
Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-predictive-insights-impacted-by-apache-log4j-vulnerabilities-cve-2021-44832/
Security Bulletin: Vulnerabilities in Java affect IBM WIoTP MessageGateway (CVE-2021-213)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-affect-ibm-wiotp-messagegateway-cve-2021-213/
Dell BIOS: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1705
Grafana: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1702
Mitel MiVoice Connect: Multiple vulnerabilities allow code execution
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1706
Pulse Secure SA45520 - CVEs (CVE-2022-35254, CVE-2022-35258) may lead to DoS attack
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520