End-of-Day report
Timeframe: Friday 14-10-2022 18:00 - Monday 17-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Prestige: Microsoft finds new ransomware in Poland and Ukraine
Microsoft's security team has discovered a completely new ransomware campaign against the logistics and transport sector in Ukraine and Poland.
https://www.golem.de/news/prestige-microsoft-findet-neue-ransomware-in-polen-und-ukraine-2210-168970.html
Office 365: Microsoft's e-mail encryption is insecure
The e-mail encryption of Microsoft 365 relies on AES in an insecure mode. This allows inferences to be drawn about the content of messages.
https://www.golem.de/news/office-365-microsofts-e-mail-verschluesselung-ist-unsicher-2210-168996.html
Vulnerability in the Linux kernel allows code injection via Wi-Fi
An IT security researcher has found vulnerabilities in the Linux kernel. Attackers could inject arbitrary code by means of manipulated Wi-Fi packets.
https://heise.de/-7309762
End of support for VMware ESXi 6.5 and 6.7 - many legacy systems still active
On 15 October VMware ended support for VMware ESXi 6.5 and 6.7. According to current figures, many outdated systems are still in use.
https://heise.de/-7310412
New ransomware gang "Ransom Cartel"
IT security vendor Palo Alto Networks and its malware analysis team Unit42 have gained insights into "Ransom Cartel". It is a ransomware-as-a-service (RaaS) provider that first appeared in mid-December 2021.
https://www.zdnet.de/88404159/neue-ransomware-gang-ransom-cartel/
Microsoft confirms: Windows fails at detecting dangerous drivers - blocklists not distributed
Windows is actually supposed to block known malicious drivers when they are loaded so that they cannot cause any damage. At least, that is what Microsoft has claimed for years. Now Microsoft has quietly admitted that it has failed to do so.
https://www.borncity.com/blog/2022/10/17/microsoft-besttigt-windows-patzt-bei-der-erkennung-gefhrlicher-treiber/
Dubious advertising on Pinterest
As on every social network, there is advertising on Pinterest too. Recently, more and more of it comes from dubious online shops selling hair-styling devices and shaping pants. The products from zevoon.de, valurabeauty.de or lusto.de look promising, but experience shows that you will be disappointed and receive inferior junk from China. We show you which shops you had better not order from.
https://www.watchlist-internet.at/news/unserioese-werbung-auf-pinterest/
New PHP information-stealing malware targets Facebook accounts
Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts.
https://www.bleepingcomputer.com/news/security/new-php-information-stealing-malware-targets-facebook-accounts/
Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4
The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week.
https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html
Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis
On September 2, 2022, Zscaler Threatlabz captured an in-the-wild 0-day exploit in the Windows Common Log File System Driver (CLFS.sys) and reported this discovery to Microsoft. In the September Patch Tuesday release, Microsoft fixed this vulnerability, which was identified as CVE-2022-37969, a Windows Common Log File System Driver elevation of privilege vulnerability. An attacker who successfully exploits this vulnerability may gain SYSTEM privileges.
https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
Free Micropatches For Bypassing "Mark of the Web" on Unzipped Files (0day)
In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the "Mark of the Web" flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as Internet, email, or a USB key. Mark of the Web (MOTW) is an important security mechanism in Windows: Windows will show a security warning before launching an executable file with MOTW;
https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-mark-of.html
New Black Lotus UEFI Rootkit Provides APT-Level Capabilities to Cybercriminals
A threat actor is promoting on underground criminal forums a vendor-independent UEFI rootkit that can disable security software and controls, cybersecurity veteran Scott Scheferman warns.
https://www.securityweek.com/new-black-lotus-uefi-rootkit-provides-apt-level-capabilities-cybercriminals
Detecting Emerging Network Threats From Newly Observed Domains
We discuss how to discover potential threats among newly observed domains at the time they begin to carry attack traffic.
https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/
CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool
CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making.
https://us-cert.cisa.gov/ncas/current-activity/2022/10/14/cisa-releases-redeye-red-team-campaign-visualization-and-reporting
Stories from the SOC: Feeling so foolish - SocGholish drive by compromise
SocGholish, also known as FakeUpdate, is a JavaScript framework leveraged in social engineering drive-by compromises that has been a thorn in cybersecurity professionals' and organizations' sides for at least 5 years now. Upon visiting a compromised website, users are redirected to a page for a browser update, and a zip archive file containing a malicious JavaScript file is downloaded and, unfortunately, often opened and executed by the fooled end user.
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-feeling-so-foolish-socgholish-drive-by-compromise
Vulnerabilities
IBM Security Bulletins 2022-10-14
IBM InfoSphere Information Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct for HP NonStop, IBM Sterling File Gateway
https://www.ibm.com/blogs/psirt/
MiniDVBLinux 5.4 Multiple Vulnerabilities
Arbitrary File Read Vulnerability, Remote Root Command Execution Vulnerability, Remote Root Command Injection Vulnerability, Unauthenticated Stream Disclosure Vulnerability, Change Root Password PoC, Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit, Config Download Exploit
https://www.zeroscience.mk/en/vulnerabilities/
CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with [...]
https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
Security updates for Monday
Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (python-django), Fedora (apptainer, kernel, python3.6, and vim), Gentoo (assimp, deluge, libvirt, libxml2, openssl, rust, tcpreplay, virglrenderer, and wireshark), Slackware (zlib), SUSE (chromium, python3, qemu, roundcubemail, and seamonkey), and Ubuntu (linux-aws-5.4 and linux-ibm).
https://lwn.net/Articles/911461/
WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot
https://cert.vde.com/de/advisories/VDE-2022-042/
WAGO: Multiple Vulnerabilities in Controller with WAGO I/O-Pro / CODESYS 2.3 Runtime
https://cert.vde.com/de/advisories/VDE-2022-040/
TRUMPF TruTops prone to improper access control
https://cert.vde.com/de/advisories/VDE-2022-023/
Gitea: Multiple vulnerabilities enable unspecified attack
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1742
Linux Kernel: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1741