End-of-Day report
Timeframe: Monday 24-10-2022 18:00 - Tuesday 25-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Zero-day bug in the iOS and iPadOS kernel is being exploited
iOS and iPadOS 16.1 fix a serious kernel bug in the operating systems for iPhone and iPad. Apple says it has received reports that the bug is being actively exploited.
https://heise.de/-7319500
Chrome extensions with 1 million installs hijack targets' browsers
Researchers at Guardio Labs have discovered a new malvertising campaign pushing Google Chrome and Microsoft Edge extensions that hijack searches and insert affiliate links into web pages.
https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/
How the Software Supply Chain Security is Threatened by Hackers
In many ways, the software supply chain is similar to that of manufactured goods, which, as we all know, has been heavily affected by a global pandemic and shortages of raw materials. In the IT world, however, the main obstacle in recent years has not been shortages or pandemics, but attacks that use the supply chain itself to harm hundreds or even thousands of victims simultaneously.
https://thehackernews.com/2022/10/how-software-supply-chain-security-is.html
Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog
Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS).
https://thehackernews.com/2022/10/researchers-detail-windows-event-log.html
Chapter 1 - From Gozi to ISFB: The history of a mythical malware family.
Disclaimer: This article does not contain any IOCs or infrastructure details. Instead, the aim is to explain the whole business dynamic of a long-lasting malware family. This work is based on almost 10 years of research and intel gathering and tries its best to stick to the truth and the facts observed around ISFB. Hopefully, it will give some insight into how the top cybercrime groups have been working over the years.
https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef
Stranger Strings: An exploitable flaw in SQLite
Trail of Bits is publicly disclosing CVE-2022-35737, which affects applications that use the SQLite library API. CVE-2022-35737 was introduced in SQLite version 1.0.12 (released on October 17, 2000) and fixed in release 3.39.2 (released on July 21, 2022). CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled [...]
https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/
Email "from WhatsApp": prize of 900,600.00 USD is fake
An email purporting to come from WhatsApp is currently circulating, informing you that you have won 900,600.00 USD. To receive the prize, you are told to send your contact details to account.whatsapp@mail.com.
https://www.watchlist-internet.at/news/e-mail-von-whatsapp-gewinn-ueber-90060000-usd-ist-fake/
Windows 10 22H2, Windows 11 22H2: Administrative Templates (.admx); Windows 10 22H2 Security Baseline
A short note for administrators of Windows systems in enterprise environments: Microsoft has released the Security Baseline for the Windows 10 October 2022 Update (version 22H2).
https://www.borncity.com/blog/2022/10/25/windows-10-22h2-windows-11-22h2-administrative-vorlagen-admx-windows-10-22h2-security-baseline/
Rapidly Evolving Magniber Ransomware
The Magniber ransomware has recently been evolving rapidly. From changing its file extension and injection method to its UAC bypass techniques, Magniber has been changing constantly to evade detection by anti-malware software. This article summarizes the evolution of the Magniber ransomware over the last few months, based on analyses performed previously.
https://asec.ahnlab.com/en/40422/
Analysis on Attack Techniques and Cases Using RDP
One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools, originally intended for system management, to gain control over infected systems. This post covers cases where RDP (Remote Desktop Protocol), a default service of the baseline Windows OS, was used.
https://asec.ahnlab.com/en/40394/
Vulnerabilities
Web conferencing: Security vulnerability in Zoom allows session takeover
Zoom is warning of a security vulnerability through which attackers could lure victims to rogue servers and thereby take over their sessions. Updates are available.
https://heise.de/-7319974
VMSA-2022-00031
VMware Cloud Foundation contains a remote code execution vulnerability via the XStream open-source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
https://www.vmware.com/security/advisories/VMSA-2022-00031.html
Security updates for Tuesday
Security updates have been issued by Debian (libbluray and wkhtmltopdf), Fedora (firefox, libksba, libmodsecurity, libxml2, qemu, and xmlsec1), Red Hat (389-ds-base, 389-ds:1.4, git-lfs, gnutls, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libksba, mysql:8.0, pki-core, postgresql:12, samba, sqlite, and zlib), Scientific Linux (389-ds-base, libksba, and pki-core), SUSE (bluez, firefox, jdom, kernel, libosip2, libxml2, multipath-tools, and python-Mako), and Ubuntu (barbican, mysql-5.7, mysql-8.0, openvswitch, and pillow).
https://lwn.net/Articles/912324/
Synology-SA-22:19 Presto File Server
Multiple vulnerabilities allow remote attackers to write arbitrary files, or remote authenticated users to bypass security constraints, via a susceptible version of Presto File Server.
https://www.synology.com/en-global/support/security/Synology_SA_22_19
Synology-SA-22:18 DSM
Multiple vulnerabilities allow remote attackers to read or write arbitrary files, or remote authenticated users to access intranet resources, via a susceptible version of Synology DiskStation Manager (DSM).
https://www.synology.com/en-global/support/security/Synology_SA_22_18
Node.js: OpenSSL and zlib update assessment, and Node.js Assessment workflow
https://nodejs.org/en/blog/vulnerability/openssl-and-zlib-vulnerability-assessment
Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosure of information that could aid in further system attacks. (CVD-2022-38710)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-is-vulnerable-to-disclosure-of-information-that-could-aid-in-further-system-attacks-cvd-2022-38710/
Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-may-affect-ibm-robotic-process-automation-for-cloud-pak-10/
Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to CSV Injection (CVE-2022-22425)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-potentially-vulnerable-to-csv-injection-cve-2022-22425/
Security Bulletin: IBM Robotic Process Automation is vulnerable to incorrect permission assignment
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-is-vulnerable-to-incorrect-permission-assignment/
Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthorized attacker causing integrity impact (CVE-2021-2163)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java-runtime-for-ibm-i-are-vulnerable-to-unauthorized-attacker-causing-integrity-impact-cve-2021-2163/
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-34/
Delta Electronics InfraSuite Device Master
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-07