Daily summary - 28.10.2022

End-of-Day report

Timeframe: Thursday 27-10-2022 18:00 - Friday 28-10-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Windows: Dangerous IE-based vulnerabilities

Security researchers at Varonis Threat Labs have uncovered two Windows vulnerabilities that create large blind spots for security software and can take machines out of operation by means of DoS attacks. LogCrusher and OverLog make use of the Internet Explorer-specific event log MS-EVEN, which is present on all current Windows operating systems regardless of whether the browser has been or is being used. While OverLog has since been fixed, Microsoft has recently released only a partial patch for LogCrusher: cybercriminals can therefore still carry out attacks if they obtain administrator access to the victim's network.

https://www.borncity.com/blog/2022/10/28/windows-gefhrliche-ie-basierende-schwachstellen/


New website: Apple makes security research easier

A new central portal explains the bug bounty programme and makes it possible to get in touch with the company's security team faster and more directly.

https://heise.de/-7323634


macOS 13: Anti-malware tools toothless after upgrade

Antivirus software and other security tools no longer work properly due to an Apple bug in macOS Ventura. The problem can be fixed.

https://heise.de/-7322669


Beware of this fake Raiffeisen investment trap

Earn money with Raiffeisen: supposedly on offer are shares in one of Austria's largest banks. The promise sounds good, but this is a well-disguised phishing site. Do not invest on lps.snowgross.com; you would be walking into an investment fraud trap!

https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-raiffeisen-investmentfalle/


One-Time Programs

One of the things I like to do on this blog is write about new research that has a practical angle. Most of the time (I swear) this involves writing about other folks' research: it's not that often that I write about work that comes out of my own lab. Today I'm going to make an [...]

https://blog.cryptographyengineering.com/2022/10/27/one-time-programs/


Apple clarifies security update policy: Only the latest OSes are fully patched

New document confirms what security researchers have observed for a few years.

https://arstechnica.com/?p=1893235


Android malware droppers with 130K installs found on Google Play

A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates.

https://www.bleepingcomputer.com/news/security/android-malware-droppers-with-130k-installs-found-on-google-play/


Exploit released for critical VMware RCE vulnerability, patch now

Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances.

https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-rce-vulnerability-patch-now/


Researchers Expose Over 80 ShadowPad Malware C2 Servers

As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. That's according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications.

https://thehackernews.com/2022/10/researchers-expose-over-80-shadowpad.html


Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints

The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up.

https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html


TCP/IP Vulnerability CVE-2022-34718 PoC Restoration and Analysis

The patch released by Microsoft last month contained a vulnerability in the TCP/IP protocol that allowed for code execution. To ascertain the impact of the vulnerability, Numen's security research team conducted an in-depth analysis of the vulnerability and restored the PoC through patch comparison.

https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf


Defeating Guloader Anti-Analysis Technique

Unit 42 is providing a script to deobfuscate a recently discovered Guloader variant that uses anti-analysis techniques, and other samples like it.

https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/


Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign

Group uses novel method of reading commands from legitimate IIS logs.

https://symantec-enterprise-blogs.security.com/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan

Vulnerabilities

Security updates for older iOS and iPadOS

iPadOS 15.7.1 and iOS 15.7.1 plug problematic security holes for everyone who does not want to - or cannot - update to iPadOS 16 and iOS 16.

https://heise.de/-7323199


Web browsers: Developers close high-risk security hole in Chrome

Google has released an update for the Chrome web browser in which the developers seal a high-risk vulnerability.

https://heise.de/-7322963


IBM Security Bulletins

CP4D Match 360, IBM Answer Retrieval for Watson Discovery versions 2.8 and earlier, IBM Cloud Pak System, IBM Db2 On Openshift, IBM Db2® on Cloud Pak for Data, Db2 Warehouse® on Cloud Pak for Data, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM QRadar SIEM, IBM TXSeries for Multiplatforms, IBM Voice Gateway, IBM Watson Assistant for IBM Cloud Pak for Data, IBM® SDK, Java Technology Edition, Liberty for Java for IBM Cloud, node.js

https://www.ibm.com/blogs/psirt/


Security updates for Friday

Security updates have been issued by Debian (expat, ruby-sinatra, and thunderbird), Fedora (glances), Mageia (cups, firefox, git, heimdal, http-parser, krb5-appl, minidlna, nginx, and thunderbird), Oracle (389-ds:1.4, device-mapper-multipath, firefox, mysql:8.0, postgresql:12, and thunderbird), SUSE (dbus-1, libconfuse0, libtasn1, openjpeg2, qemu, and thunderbird), and Ubuntu (dbus, linux-azure-fde, and tiff).

https://lwn.net/Articles/912873/


Corel Coreldraw graphics suite vulnerabilities

https://secalerts.co/vulnerabilities/corel/coreldraw_graphics_suite


Case update: DIVD-2022-00020 - Multiple injection vulnerabilities identified within Feathers.js

https://csirt.divd.nl/cases/DIVD-2022-00020/


Case update: DIVD-2022-00045 - Injection vulnerability found within Socket.io

https://csirt.divd.nl/cases/DIVD-2022-00045/


[R1] Nessus Version 10.4.0 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2022-21