End-of-Day report
Timeframe: Tuesday 18-10-2022 18:00 - Wednesday 19-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Adobe patches Illustrator out of band
After last week's big Patch Tuesday, Adobe follows up with two updates against critical vulnerabilities in Illustrator.
https://heise.de/-7314003
AMD, Google, Microsoft, Nvidia: open-source security processor Caliptra
Industry heavyweights are relying on RISC-V technology for open hardware security. It could replace black-box implementations such as Microsoft's Pluton.
https://heise.de/-7313272
Warning, fraud: do not apply as a "Process Tester" at page-rangers.de
page-rangers.de offers a well-paid mini-job as an "app tester". The work is done from home and requires no special qualifications. You receive small tasks every day, e.g. testing the usability of opening a bank account. But beware: with this job, criminals steal your identity. The bank account you open is used to launder money in your name!
https://www.watchlist-internet.at/news/achtung-betrug-bewerben-sie-sich-nicht-als-process-tester-bei-page-rangersde/
Defenders beware: A case for post-ransomware investigations
The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code.
https://www.microsoft.com/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk
Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web [...]
https://msrc-blog.microsoft.com/2022/10/19/awareness-and-guidance-related-to-potential-service-fabric-explorer-sfx-v1-web-client-risk/
Are Internet Scanning Services Good or Bad for You?, (Wed, Oct 19th)
I'm in Luxembourg to attend the first edition of the CTI Summit[1]. There was an interesting keynote performed by Patrice Auffret[2], the founder of Onyphe, about "Ethical Internet Scanning in 2022". There are plenty of online scanners that work 24x7 to build a map of the Internet. They scan the entire IP address space and look for interesting devices, vulnerabilities, etc. Big players are Shodan, Onyphe, Censys, ZoomEye, etc.
https://isc.sans.edu/diary/rss/29164
Fully undetectable Windows backdoor gets detected
SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming.
https://go.theregister.com/feed/www.theregister.com/2022/10/18/fully_undetectable_windows_powershell_backdoor/
A New Attack Surface on MS Exchange Part 4 - ProxyRelay!
Hi, this is a long-pending article. We could have published this article earlier (the original bug was reported to MSRC in June 2021 with a 90-day Public Disclosure Policy). However, during communications with MSRC, they explained that since this is an architectural design issue, lots of code changes and testing are expected and required, so they hope to resolve this problem with a one-time CU (Cumulative Update) instead of the regular Patch Tuesday.
https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4-ProxyRelay/
Warning: "FaceStealer" iOS and Android apps steal your Facebook login
FaceStealer is back. As a seasoned threat to legitimate app stores, expect it to be gone and then back again.
https://www.malwarebytes.com/blog/news/2022/10/warning-facestealer-ios-and-android-apps-steal-your-facebook-login
TeamTNT Returns - or Does It?
Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and their routines are reminiscent of the routines employed by the cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT's arsenal.
https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html
Vulnerabilities
Security updates for Wednesday
Security updates have been issued by Debian (bcel, kernel, node-xmldom, and squid), Mageia (chromium-browser-stable, dhcp, dokuwiki, firefox, golang, python-joblib, sos, and unzip), Oracle (nodejs and nodejs:16), Red Hat (firefox, kernel, kernel-rt, nodejs, nodejs:14, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (git and mozilla), SUSE (amazon-ssm-agent, caasp-release, cri-o, patchinfo, release-notes-caasp, skuba, enlightenment, libreoffice, netty, nodejs12, nodejs14, [...]
https://lwn.net/Articles/911723/
Oracle Releases 370 New Security Patches With October 2022 CPU
Oracle on Tuesday announced the release of 370 patches as part of its quarterly set of security updates. The October 2022 Critical Patch Update (CPU) resolves over 50 critical-severity vulnerabilities. More than 200 of the newly released security patches deal with vulnerabilities that are remotely exploitable without authentication.
https://www.securityweek.com/oracle-releases-370-new-security-patches-october-2022-cpu
Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function UPDATE A
UPDATE A (19.10.2022): Added Control block-Set CPX-CEC-C1 and Control block-Set CPX-CMXX to affected products.
Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service.
https://cert.vde.com/de/advisories/VDE-2022-036/
K30425568: Overview of F5 vulnerabilities (October 2022)
https://support.f5.com/csp/article/K30425568
CVE-2021-3772 Linux Kernel Vulnerability in NetApp DSA E2800 series
https://psirt.bosch.com/security-advisories/bosch-sa-609377-bt.html
Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000
https://psirt.bosch.com/security-advisories/bosch-sa-454166-bt.html
Cisco Identity Services Engine Unauthorized File Access Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM
Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-trav-beFvCcyu
Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf
Cisco Identity Services Engine Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-twLnpy3M
Security Bulletin: Operations Dashboard is vulnerable to Golang Go vulnerabilities (CVE-2022-27664 and CVE-2022-32190)
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-golang-go-vulnerabilities-cve-2022-27664-and-cve-2022-32190/
Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-add-on-to-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-2/
Security Bulletin: Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-spark-affecting-ibm-qradar-user-behavior-analytics/
Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-may-affect-ibm-robotic-process-automation-for-cloud-pak-9/
Security Bulletin: Enterprise Content Management System Monitor is affected by vulnerability in Dojo [CVE-2021-23450]
https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-management-system-monitor-is-affected-by-vulnerability-in-dojo-cve-2021-23450/
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities-cve-2022-34339-cve-2021-3712-cve-2021-3711-cve-2021-4160-cve-2021-29425-cve-2021-3733-cve-2021-3737-cve-2022-0391/
Security Bulletin: CMIS is affected since it uses Spring Framework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963]
https://www.ibm.com/blogs/psirt/security-bulletin-cmis-is-affected-since-it-uses-spring-framework-but-not-vulnerable-to-cve-2022-22965-and-cve-2022-22963/
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to JUnit4 (CVE-2020-15250)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-is-vulnerable-to-information-disclosure-due-to-junit4-cve-2020-15250/
Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23302)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-predictive-insights-impacted-by-apache-log4j-vulnerabilities-cve-2022-23302/