End-of-Day report
Timeframe: Thursday 27-10-2022 18:00 - Friday 28-10-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Windows: Dangerous IE-based vulnerabilities
Security researchers at Varonis Threat Labs have uncovered two Windows vulnerabilities that create large blind spots for security software and can take machines out of service via DoS attacks. LogCrusher and OverLog abuse the Internet Explorer-specific event log (reached over the MS-EVEN protocol), which is present on all current Windows operating systems regardless of whether the browser has ever been or is being used. While OverLog has since been fixed, Microsoft has recently released only a partial patch for LogCrusher: cybercriminals can therefore still carry out attacks once they obtain administrator access to the victim's network.
https://www.borncity.com/blog/2022/10/28/windows-gefhrliche-ie-basierende-schwachstellen/
New website: Apple makes security research easier
A new central portal explains the bug bounty program and makes it possible to get in touch with the company's security team faster and more directly.
https://heise.de/-7323634
macOS 13: Anti-malware tools toothless after upgrade
Antivirus software and other security tools no longer work properly due to an Apple bug in macOS Ventura. The problem can be fixed.
https://heise.de/-7322669
Beware of this fake Raiffeisen investment trap
Earn money with Raiffeisen: shares in one of Austria's largest banks are supposedly on offer. The promise sounds good, but it is a well-disguised phishing site. Do not invest on lps.snowgross.com; you would be walking into an investment fraud trap!
https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-raiffeisen-investmentfalle/
One-Time Programs
One of the things I like to do on this blog is write about new research that has a practical angle. Most of the time (I swear) this involves writing about other folks' research: it's not that often that I write about work that comes out of my own lab. Today I'm going to make an [...]
https://blog.cryptographyengineering.com/2022/10/27/one-time-programs/
Apple clarifies security update policy: Only the latest OSes are fully patched
New document confirms what security researchers have observed for a few years.
https://arstechnica.com/?p=1893235
Android malware droppers with 130K installs found on Google Play
A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates.
https://www.bleepingcomputer.com/news/security/android-malware-droppers-with-130k-installs-found-on-google-play/
Exploit released for critical VMware RCE vulnerability, patch now
Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances.
https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-rce-vulnerability-patch-now/
Researchers Expose Over 80 ShadowPad Malware C2 Servers
As many as 85 command-and-control (C2) servers have been discovered supporting the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. That's according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications.
https://thehackernews.com/2022/10/researchers-expose-over-80-shadowpad.html
Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints
The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up.
https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html
TCP/IP Vulnerability CVE-2022-34718 PoC Restoration and Analysis
The patch released by Microsoft last month addressed a vulnerability in the Windows TCP/IP protocol stack that allowed for remote code execution. To ascertain the impact of the vulnerability, Numen's security research team conducted an in-depth analysis and restored the PoC through patch comparison.
https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf
Defeating Guloader Anti-Analysis Technique
Unit 42 is providing a script to deobfuscate a recently discovered Guloader variant that uses anti-analysis techniques, and other samples like it.
https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/
Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign
Group uses novel method of reading commands from legitimate IIS logs.
https://symantec-enterprise-blogs.security.com/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan
Vulnerabilities
Security updates for older iOS and iPadOS
iPadOS 15.7.1 and iOS 15.7.1 plug serious security holes for everyone who does not want to, or cannot, upgrade to iPadOS 16 and iOS 16.
https://heise.de/-7323199
Web browser: developers close high-risk security vulnerability in Chrome
Google has released an update for the Chrome web browser. In it, the developers seal a high-severity vulnerability.
https://heise.de/-7322963
IBM Security Bulletins
CP4D Match 360, IBM Answer Retrieval for Watson Discovery versions 2.8 and earlier, IBM Cloud Pak System, IBM Db2 On Openshift, IBM Db2® on Cloud Pak for Data, Db2 Warehouse® on Cloud Pak for Data, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM QRadar SIEM, IBM TXSeries for Multiplatforms, IBM Voice Gateway, IBM Watson Assistant for IBM Cloud Pak for Data, IBM® SDK, Java™ Technology Edition, Liberty for Java for IBM Cloud, node.js
https://www.ibm.com/blogs/psirt/
Security updates for Friday
Security updates have been issued by Debian (expat, ruby-sinatra, and thunderbird), Fedora (glances), Mageia (cups, firefox, git, heimdal, http-parser, krb5-appl, minidlna, nginx, and thunderbird), Oracle (389-ds:1.4, device-mapper-multipath, firefox, mysql:8.0, postgresql:12, and thunderbird), SUSE (dbus-1, libconfuse0, libtasn1, openjpeg2, qemu, and thunderbird), and Ubuntu (dbus, linux-azure-fde, and tiff).
https://lwn.net/Articles/912873/
Corel Coreldraw graphics suite vulnerabilities
https://secalerts.co/vulnerabilities/corel/coreldraw_graphics_suite
Case update: DIVD-2022-00020 - Multiple injection vulnerabilities identified within Feathers.js
https://csirt.divd.nl/cases/DIVD-2022-00020/
Case update: DIVD-2022-00045 - Injection vulnerability found within Socket.io
https://csirt.divd.nl/cases/DIVD-2022-00045/
[R1] Nessus Version 10.4.0 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2022-21