End-of-Day report
Timeframe: Tuesday 25-10-2022 18:00 - Thursday 27-10-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Microsoft fixes Windows vulnerable driver blocklist sync issue
Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions.
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vulnerable-driver-blocklist-sync-issue/
Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets
A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands embedded in packets and new features to evade detection of its infrastructure.
https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/
How to prevent lateral movement attacks using Microsoft 365 Defender
Learn how Microsoft 365 Defender can enhance mitigations against lateral movement paths in your environment, stopping attackers from gaining access to privileged and sensitive accounts.
https://www.microsoft.com/en-us/security/blog/2022/10/26/how-to-prevent-lateral-movement-attacks-using-microsoft-365-defender/
Malware vs Virus: What's the Difference?
In today's article, we'll be clarifying the difference between viruses and malware while helping to identify the most common types of malware.
https://blog.sucuri.net/2022/10/whats-the-difference-malware-virus.html
New Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Instances
A new cryptojacking campaign has been uncovered targeting vulnerable Docker and Kubernetes infrastructures as part of opportunistic attacks designed to illicitly mine cryptocurrency.
https://thehackernews.com/2022/10/new-cryptojacking-campaign-targeting.html
Hijacking AUR Packages by Searching for Expired Domains
The Arch User Repository (AUR) is a software repository for Arch Linux. It differs from the official Arch Linux repositories in that its packages are provided by its users and not officially supported by Arch Linux.
https://blog.nietaanraken.nl/posts/aur-packages-expired-domains/
Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom
Industrial organizations continue to be a top target for ransomware attacks, and reports published by cybersecurity companies this week reveal some recent trends.
https://www.securityweek.com/industrial-ransomware-attacks-new-groups-emerge-manufacturing-pays-highest-ransom
Trends in Web Threats in CY Q2 2022: Malicious JavaScript Downloaders Are Evolving
We examine trends in web threats for the second calendar year quarter of 2022, including how a malicious JavaScript downloader is evolving to evade detection.
https://unit42.paloaltonetworks.com/web-threats-malicious-javascript-downloader/
FormBook Malware Being Distributed as .NET
FormBook is an info-stealer that aims to steal the user's web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites.
https://asec.ahnlab.com/en/40663/
Vulnerabilities
Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th)
This week, OpenSSL announced that they will release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability. The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x.
https://isc.sans.edu/diary/rss/29192
IBM Security Bulletins 2022-10-26 and 2022-10-25
IBM SDK, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM i, IBM Robotic Process Automation, IBM Cloud Transformation Advisor, CloudPak for Watson, Netcool Operations Insight.
https://www.ibm.com/blogs/psirt/
Cisco AnyConnect: Old security vulnerabilities targeted by attackers
It is high time to close old holes in Cisco AnyConnect: Cisco warns of ongoing cyber attacks against vulnerabilities from the year 2020.
https://heise.de/-7320917
ArubaOS security update: malicious code attacks possible via crafted requests
The developers of the ArubaOS network operating system have closed, among others, a critical vulnerability.
https://heise.de/-7321787
Security updates for Wednesday
Security updates have been issued by Debian (tomcat9), Oracle (389-ds-base, device-mapper-multipath, firefox, git-lfs, gnutls, kernel, kernel-container, libksba, pki-core, samba, sqlite, and zlib), Red Hat (device-mapper-multipath, kernel, kpatch-patch, libksba, and thunderbird), Slackware (expat and samba), SUSE (bind, buildah, curl, firefox, golang-github-prometheus-node_exporter, grafana, icinga2, python-paramiko, python-waitress, SUSE Manager Client Tools, telnet, and xen), [...]
https://lwn.net/Articles/912495/
Security updates for Thursday
Security updates have been issued by CentOS (389-ds-base, bind, expat, java-1.8.0-openjdk, java-11-openjdk, libksba, and squid), Debian (chromium, libdatetime-timezone-perl, tzdata, and wordpress), Fedora (dbus, dhcp, dotnet3.1, jhead, samba, and strongswan), Mageia (virtualbox), Oracle (device-mapper-multipath), Scientific Linux (device-mapper-multipath and thunderbird), Slackware (curl), SUSE (container-suseconnect, curl, kernel, libmad, libtasn1, libtirpc, qemu, rubygem-puppet, [...]
https://lwn.net/Articles/912688/
Windows (Mark of the Web) 0-day exploited via JavaScript for ransomware attacks
A few days ago I reported on an unpatched 0-day vulnerability, Mark of the Web (MOTOW), in Windows, for which an unofficial fix exists. Now I have come across a report that a 0-day vulnerability in this area can be exploited by cybercriminals via JavaScript to bypass web security warnings and disguise ransomware attacks.
https://www.borncity.com/blog/2022/10/27/exploited-windows-0-day-mark-of-the-web-per-javascript-fr-ransomware-angriffe-genutzt/
ZDI-22-1467: (0Day) IronCAD STP File Parsing Uninitialized Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-1467/
VMSA-2022-0027
https://www.vmware.com/security/advisories/VMSA-2022-0027.html
K11601010: Intel Processor vulnerability CVE-2021-33149
https://support.f5.com/csp/article/K11601010
Synology-SA-22:20 Samba
https://www.synology.com/en-global/support/security/Synology_SA_22_20
Hitachi Energy MicroSCADA X DMS600
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-04
Johnson Controls CKS CEVAS
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-05
Delta Electronics DIAEnergie
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-06
AliveCor KardiaMobile
https://us-cert.cisa.gov/ics/advisories/icsma-22-298-01
Haas Controller
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-01
HEIDENHAIN Controller TNC on HARTFORD Machine
https://us-cert.cisa.gov/ics/advisories/icsa-22-298-02
Rockwell Automation FactoryTalk Alarm and Events Server
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-01
SAUTER Controls moduWeb
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-02
Rockwell Automation Stratix Devices Containing Cisco IOS
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-03
Trihedral VTScada
https://us-cert.cisa.gov/ics/advisories/icsa-22-300-04
Samba Releases Security Updates
https://us-cert.cisa.gov/ncas/current-activity/2022/10/26/samba-releases-security-updates
[R1] Nessus Version 10.3.1 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2022-20