End-of-Day report
Timeframe: Thursday 20-10-2022 18:00 - Friday 21-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Synology: Critical vulnerabilities in NAS devices allow attackers to execute malicious code
Synology warns of critical security vulnerabilities in the DSM software of some of its NAS devices. Attackers could execute malicious code and gain unauthorized access to information.
https://heise.de/-7316623
F5 BIG-IP and Nginx: Vendor patches security vulnerabilities, some of them critical
Several security vulnerabilities in F5's BIG-IP and Nginx systems could allow attackers, among other things, to execute malicious code. Updates are available.
https://heise.de/-7316039
Threats to critical infrastructure: "We lack a vulnerability analysis"
Prof. Norbert Gebbeken, founder and spokesman of the RISK research center, on the threats facing our critical infrastructure, and what can be done about them.
https://heise.de/-7315119
Your Microsoft Exchange Server Is a Security Liability
Endless vulnerabilities. Massive hacking campaigns. Slow and technically tough patching. It's time to say goodbye to on-premise Exchange.
https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/
sczriptzzbn inject pushes malware for NetSupport RAT, (Fri, Oct 21st)
A campaign nicknamed "sczriptzzbn inject" can be identified by a script using a variable named sczriptzzbn injected into files returned from a compromised website. This injected script causes a fake browser update page to appear in the victim's browser. The fake browser update page presents the malware payload for download. More information on the campaign can be found here. In previous weeks, this campaign pushed SolarMarker malware. I ran across one such example on 2022-09-27. This month, we've started seeing a payload for NetSupport RAT from the sczriptzzbn inject.
https://isc.sans.edu/diary/rss/29170
Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR
Trustwave SpiderLabs' spam traps have identified an increase in threats packaged in password-protected archives, with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sidestepping-self-unlocking-password-protected-rar/
Wordfence Evasion Malware Conceals Backdoors
Malware authors, with some notable exceptions, tend to design their malicious code to hide from sight. The techniques they use help their malware stay on the victim's website for as long as possible and ensure execution. For example: obfuscation techniques, fake code comments, naming conventions for injections that deploy SEO spam, redirect visitors to malicious third-party websites, or steal credit card information from eCommerce stores.
https://blog.sucuri.net/2022/10/wordfence-evasion-malware-conceals-backdoors.html
Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware
A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victim's resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report.
https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html
Threat Advisory: Monitoring CVE-2022-42889 "Text4Shell" Exploit Attempts
On October 17, 2022, the Wordfence Threat Intelligence team began monitoring for activity targeting CVE-2022-42889, or "Text4Shell", on our network of 4 million websites. We started seeing activity targeting this vulnerability on October 18, 2022. Text4Shell is a vulnerability in the Apache Commons Text library versions 1.5 through 1.9 that can be used to achieve [...]
https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/
CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks.
https://www.securityweek.com/cisa-tells-organizations-patch-linux-kernel-vulnerability-exploited-malware
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool
Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
Attackers Abusing Various Remote Control Tools
Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading it to websites. The malware that is installed includes infostealers, which steal information from the infected system; ransomware, which encrypts files to demand ransom; and DDoS bots, which are used in DDoS attacks. In addition to these, backdoors and RATs are also major programs used by attackers.
https://asec.ahnlab.com/en/40263/
Vulnerabilities
IBM Security Bulletins 2022-10-20
IBM Security Verify Gateway/Bridge, IBM Enterprise Records, IBM Sterling Order Management Netty, IBM WebSphere Application Server, IBM MQ Operator, IBM Sterling Order Management, IBM Enterprise Records, IBM Netezza Host Management.
https://www.ibm.com/blogs/psirt/
SolarWinds Security Advisories 2022-10-19
SolarWinds released 4 new Security Advisories (3 high, 1 medium) for SolarWinds Platform 2022.4 RC1.
https://www.solarwinds.com/trust-center/security-advisories
SSA-640732 V1.0: Authentication Bypass Vulnerability in Siveillance Video Mobile Server
The mobile server component of Siveillance Video 2022 R2 contains an authentication bypass vulnerability that could allow an unauthenticated remote attacker to access the application without a valid account. Siemens has released a hotfix for Siveillance Video 2022 R2 and recommends applying the hotfix on all installations of the mobile server.
https://cert-portal.siemens.com/productcert/txt/ssa-640732.txt
Security updates for Friday
Security updates have been issued by Fedora (poppler), Oracle (firefox and thunderbird), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk, and java-17-openjdk), SUSE (bind, clone-master-clean-up, grafana, libksba, python3, tiff, and v4l2loopback), and Ubuntu (libreoffice).
https://lwn.net/Articles/911989/