End-of-Day report
Timeframe: Wednesday 19-10-2022 18:00 - Thursday 20-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Forensic Value of Prefetch (Thu, Oct 20th)
When a program executes on a Windows system there are many artifacts that are generated which can assist digital forensic investigations. One of particular note is the Windows Prefetch file. Found in C:\Windows\Prefetch by default, prefetch files (.pf) contain a wealth of information that can prove vital to any investigation.
https://isc.sans.edu/diary/rss/29168
Fantastic Rootkits: And Where to Find Them (Part 1)
In this blog series, we will cover the topic of rootkits - how they are built and the basics of kernel driver analysis - specifically on the Windows platform. In this first part, we will focus on some implementation examples of basic rootkit functionality and the basics of kernel driver development, as well as Windows Internals background needed to understand the inner workings of rootkits.
https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-1
Microsoft delivers updates against SSL/TLS problems caused by Windows updates
The current Windows updates for Windows 10, 11 and Server can cause problems with SSL and TLS encryption. In some cases, further patches help against this.
https://heise.de/-7314906
New Malicious Clicker found in apps installed by 20M+ users
Cybercriminals are always after illegal advertising revenue. As we have previously reported, we have seen many mobile malwares masquerading as a useful tool or utility, and automatically crawling ads in the background. Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-malicious-clicker-found-in-apps-installed-by-20m-users/
Social Engineering dos and don'ts
It got me thinking, again, about what makes for good social engineering (SE), and what advice would I give my younger self. These are my thoughts.
https://www.pentestpartners.com/security-blog/social-engineering-dos-and-donts/
E-mail account is being migrated: criminals send fraudulent mail to employees
Criminals are sending fraudulent e-mails in which they pose as the "Outlook e-mail administrator" of your company. Supposedly, the e-mail accounts of all employees are to be migrated. Do not click on the link.
https://www.watchlist-internet.at/news/e-mail-konto-wird-migriert-kriminelle-senden-betruegerische-mail-an-mitarbeiterinnen/
Data leak at Microsoft, customer data affected (Oct. 2022)
There has been a larger data leak at Microsoft in which customer data was apparently publicly accessible. A security firm found a misconfigured server with the data on the Internet and informed Microsoft in September.
https://www.borncity.com/blog/2022/10/20/datenleck-bei-microsoft-kundendaten-betroffen-okt-2022/
Vulnerability Spotlight: Vulnerabilities in Abode Systems home security kit could allow attacker to take over cameras, remotely disable them
Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users of unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors.
http://blog.talosintelligence.com/2022/10/vuln-spotlight-abode-.html
LofyGang - Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year
Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called "LofyGang".
https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/
New Research: We're Still Terrible at Passwords; Making it Easy for Attackers
We look at two of the most popular protocols used for remote administration, SSH and RDP, to get a sense of how attackers are taking advantage of weaker password management to gain access to systems.
https://www.rapid7.com/blog/post/2022/10/20/new-research-were-still-terrible-at-passwords-making-it-easy-for-attackers/
Black Basta and the Unnoticed Delivery
As reported by Check Point at the end of H1 2022, 1 out of 40 organizations worldwide were impacted by ransomware attacks, which constitutes a worrying 59% increase over the past year. The ransomware business continues to grow in gargantuan proportions due to the lucrative payments demanded - and often received - by cybercrime gangs.
https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/
Vulnerabilities
Patch day: Oracle delivers 370 security updates in October
For its patch day, called the Critical Patch Update, Oracle publishes a long list of products with security vulnerabilities. 370 updates close the flaws.
https://heise.de/-7314209
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, OpenShift Container Platform 4.9.50 bug fix and, and rh-nodejs14-nodejs), SUSE (buildah, clone-master-clean-up, go1.18, go1.19, helm, jasper, libostree, nodejs16, php8, qemu, and xen), and Ubuntu (libxdmcp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oem-5.14, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-oem-5.17, and perl).
https://lwn.net/Articles/911879/
Drupal: Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059
https://www.drupal.org/sa-contrib-2022-059
Security Bulletin: IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-an-identity-spoofing-issue-in-ibm-websphere-application-server-liberty-cve-2022-22475/
Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-web-service-is-vulnerable-to-multiple-vulnerabilities-due-to-ibm-java-2/
Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-web-services-is-vulnerable-to-multiple-vulnerabilities-due-to-eclipse-jetty-2/
Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache Zookeeper (CVE-2019-0201, CVE-2021-21409)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-b2b-api-vulnerable-to-multiple-issues-due-to-apache-zookeeper-cve-2019-0201-cve-2021-21409/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April 2022 CPU that is bundled with IBM WebSphere Application Server Patterns
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-ibm-websphere-application-server-april-2022-cpu-that-is-bundled-with-ibm-websphere-application-server-patterns/
Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization - Apache Log4j - [CVE-2021-45105] (affecting v2.16) and [CVE-2021-45046] (affecting v2.15)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vulnerability-as-it-relates-to-ibm-maximo-scheduler-optimization-apache-log4j-cve-2021-45105-affecting-v2-16-and-cve-2021-45046-affecting-v2-15-2/
F5: K24823443: Apache Commons Text vulnerability CVE-2022-42889
https://support.f5.com/csp/article/K24823443
F5: K27155546: BIND vulnerability CVE-2022-38177
https://support.f5.com/csp/article/K27155546
F5: K04712583: Linux kernel vulnerability CVE-2021-40490
https://support.f5.com/csp/article/K04712583
F5: K32615023: Linux kernel vulnerability CVE-2022-2588
https://support.f5.com/csp/article/K32615023
Bentley Systems MicroStation Connect
https://us-cert.cisa.gov/ics/advisories/icsa-22-293-01
Spring: CVE-2022-31684: Reactor Netty HTTP Server may log request headers
https://spring.io/blog/2022/10/20/cve-2022-31684-reactor-netty-http-server-may-log-request-headers