Daily summary - 17.10.2022

End-of-Day report

Timeframe: Friday 14-10-2022 18:00 - Monday 17-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a

News

Prestige: Microsoft finds new ransomware in Poland and Ukraine

Microsoft's security team has discovered an entirely new ransomware campaign against the logistics and transport sector in Ukraine and Poland.

https://www.golem.de/news/prestige-microsoft-findet-neue-ransomware-in-polen-und-ukraine-2210-168970.html


Office 365: Microsoft's e-mail encryption is insecure

The e-mail encryption of Microsoft 365 relies on AES in an insecure mode. This allows conclusions to be drawn about the contents of the messages.

https://www.golem.de/news/office-365-microsofts-e-mail-verschluesselung-ist-unsicher-2210-168996.html


Vulnerability in the Linux kernel allows code injection via WLAN

An IT security researcher has found vulnerabilities in the Linux kernel. Attackers could inject arbitrary code by means of manipulated WLAN packets.

https://heise.de/-7309762


End of support for VMware ESXi 6.5 and 6.7 - many legacy systems still active

On 15 October, VMware ended support for VMware ESXi 6.5 and 6.7. According to current figures, many outdated systems are still in use.

https://heise.de/-7310412


New ransomware gang "Ransom Cartel"

The IT security vendor Palo Alto Networks and its malware analysis team Unit42 have gained insights into "Ransom Cartel". It is a ransomware-as-a-service (RaaS) provider that first appeared in mid-December 2021.

https://www.zdnet.de/88404159/neue-ransomware-gang-ransom-cartel/


Microsoft confirms: Windows fails at detecting dangerous drivers - block lists not distributed

Windows is supposed to block known malicious drivers when they are loaded so that they cannot cause any damage. At least, that is what Microsoft has claimed for years. Now Microsoft has quietly admitted that it slipped up there.

https://www.borncity.com/blog/2022/10/17/microsoft-besttigt-windows-patzt-bei-der-erkennung-gefhrlicher-treiber/


Dubious advertising on Pinterest

As on every social network, there is advertising on Pinterest too. Lately, it has increasingly come from dubious online shops for hair-styling devices and shaping pants. The products from zevoon.de, valurabeauty.de or lusto.de look promising, but experience shows that you will be disappointed and receive inferior junk from China. We show you which shops you had better not order from.

https://www.watchlist-internet.at/news/unserioese-werbung-auf-pinterest/


New PHP information-stealing malware targets Facebook accounts

Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts.

https://www.bleepingcomputer.com/news/security/new-php-information-stealing-malware-targets-facebook-accounts/


Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4

The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week.

https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html


Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis

On September 2, 2022, Zscaler ThreatLabz captured an in-the-wild 0-day exploit in the Windows Common Log File System Driver (CLFS.sys) and reported this discovery to Microsoft. In the September Patch Tuesday release, Microsoft fixed this vulnerability, identified as CVE-2022-37969, a Windows Common Log File System Driver elevation of privilege vulnerability. An attacker who successfully exploits this vulnerability may gain SYSTEM privileges.

https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part


Free Micropatches For Bypassing "Mark of the Web" on Unzipped Files (0day)

In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the "Mark of the Web" flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as the Internet, e-mail, or a USB key. Mark of the Web (MOTW) is an important security mechanism in Windows: Windows will show a security warning before launching an executable file with MOTW;

https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-mark-of.html


New Black Lotus UEFI Rootkit Provides APT-Level Capabilities to Cybercriminals

A threat actor is promoting on underground criminal forums a vendor-independent UEFI rootkit that can disable security software and controls, cybersecurity veteran Scott Scheferman warns.

https://www.securityweek.com/new-black-lotus-uefi-rootkit-provides-apt-level-capabilities-cybercriminals


Detecting Emerging Network Threats From Newly Observed Domains

We discuss how to discover potential threats among newly observed domains at the time they begin to carry attack traffic.

https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/


CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool

CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making.

https://us-cert.cisa.gov/ncas/current-activity/2022/10/14/cisa-releases-redeye-red-team-campaign-visualization-and-reporting


Stories from the SOC: Feeling so foolish - SocGholish drive-by compromise

SocGholish, also known as FakeUpdate, is a JavaScript framework leveraged in social engineering drive-by compromises that has been a thorn in cybersecurity professionals' and organizations' sides for at least 5 years now. Upon visiting a compromised website, users are redirected to a page for a browser update, and a ZIP archive containing a malicious JavaScript file is downloaded and, unfortunately, often opened and executed by the fooled end user.

https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-feeling-so-foolish-socgholish-drive-by-compromise

Vulnerabilities

IBM Security Bulletins 2022-10-14

IBM InfoSphere Information Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct for HP NonStop, IBM Sterling File Gateway

https://www.ibm.com/blogs/psirt/


MiniDVBLinux 5.4 Multiple Vulnerabilities

Arbitrary File Read Vulnerability, Remote Root Command Execution Vulnerability, Remote Root Command Injection Vulnerability, Unauthenticated Stream Disclosure Vulnerability, Change Root Password PoC, Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit, Config Download Exploit

https://www.zeroscience.mk/en/vulnerabilities/


CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with [...]

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om


Security updates for Monday

Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (python-django), Fedora (apptainer, kernel, python3.6, and vim), Gentoo (assimp, deluge, libvirt, libxml2, openssl, rust, tcpreplay, virglrenderer, and wireshark), Slackware (zlib), SUSE (chromium, python3, qemu, roundcubemail, and seamonkey), and Ubuntu (linux-aws-5.4 and linux-ibm).

https://lwn.net/Articles/911461/


WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot

https://cert.vde.com/de/advisories/VDE-2022-042/


WAGO: Multiple Vulnerabilities in Controller with WAGO I/O-Pro / CODESYS 2.3 Runtime

https://cert.vde.com/de/advisories/VDE-2022-040/


TRUMPF TruTops prone to improper access control

https://cert.vde.com/de/advisories/VDE-2022-023/


Gitea: Multiple vulnerabilities allow unspecified attack

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1742


Linux Kernel: Multiple vulnerabilities

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1741