End-of-Day report
Timeframe: Freitag 28-10-2022 18:00 - Montag 31-10-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Jetzt patchen! Es könnten Attacken auf VMware Cloud Foundation bevorstehen
Für eine kritische Sicherheitslücke in Cloud Foundation von VMware ist Exploit-Code in Umlauf.
https://heise.de/-7324777
Apple räumt ein: Nur aktuelles macOS stopft alle bekannten Sicherheitslücken
Apple hat zum ersten Mal bestätigt, dass der Hersteller in früheren macOS-Versionen nicht alle Schwachstellen beseitigt. Dasselbe gilt offensichtlich für iOS.
https://heise.de/-7324991
Backup-Software von ConnectWise für Ransomware-Attacken anfällig
Angreifer könnten Systeme mit Recover oder R1Soft Server Backup Manager von ConnectWise attackieren. Sicherheitsupdates sind verfügbar.
https://heise.de/-7324856
Gefälschtes A1-Mail im Umlauf
In einem gefälschten E-Mail von A1 behaupten Kriminelle, dass Sie bereits 80% Ihres Postfach-Speicherplatzes aufgebraucht haben. Sie werden aufgefordert, auf einen Link zu klicken, um zusätzlichen Speicherplatz freizuschalten. Klicken Sie nicht auf den Link, Sie landen auf einer manipulierten Login-Seite.
https://www.watchlist-internet.at/news/gefaelschtes-a1-mail-im-umlauf/
2022 OpenSSL vulnerability
This repo contains operational information regarding the recently announced vulnerability in OpenSSL 3. [...] Currently no complete overview of vulnerable products is available. Please see https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md for a list of products that are known to be vulnerable. The list is a work in progress.
https://github.com/NCSC-NL/OpenSSL-2022
Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th)
Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open-source projects to rethink how they address security issues and communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time. This week, OpenSSL announced they would release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability [1].
https://isc.sans.edu/diary/rss/29192
APT10: Tracking down LODEINFO 2022, part I
The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor.
https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/
APT10: Tracking down LODEINFO 2022, part II
In the second part of this report, we discuss improvements made to the LODEINFO backdoor shellcode in 2022.
https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/
NMAP without NMAP - Port Testing and Scanning with PowerShell, (Mon, Oct 31st)
Ever needed to do a portscan and didn't have nmap installed? I've had this more than once on an internal pentest or more often just on run-rate "is that port open? / is there a host firewall in the way?" testing.
https://isc.sans.edu/diary/rss/29202
WordPress Vulnerability & Patch Roundup October 2022
[...] To help educate website owners on emerging threats to their environments, we-ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
https://blog.sucuri.net/2022/10/wordpress-vulnerability-patch-roundup-october-2022.html
Hardware Trojans Under a Microscope
While the security industry generally focuses on software cyber attacks, we can-t forget the security impact of lower level hardware flaws, such as those that affect semiconductors.
https://ryancor.medium.com/hardware-trojans-under-a-microscope-bf542acbcc29
What I learnt from reading 217* Subdomain Takeover bug reports.
My two prior blogs, What I Learnt From Reading 220 IDOR bug reports, and What I Learnt From Reading 126 Information Disclosure Writeups*, were well received, so I-m continuing the series. I once more scraped ALL 143 SDTO bug reports from hackerone, and 74 detailed write-ups, then went into hiding as I read and took notes on them. I-m here to show you my actionable findings, and show you how to properly hunt for SDTOs.
https://medium.com/@nynan/what-i-learnt-from-reading-217-subdomain-takeover-bug-reports-c0b94eda4366
Free Micropatches For Bypassing MotW Security Warning with Invalid Signature (0day)
Nine days ago we issued micropatches for a vulnerability that allows attackers to bypass the warning Windows normally present to users when they try to open a document or executable obtained from an untrusted source (Internet, email, USB key, network drive). That vulnerability, affecting all supported and many legacy Windows versions, still has no official patch from Microsoft so our (free!) patches are the only actual patches in existence as of this writing. On the very same day we issued these micropatches, Will Dormann - who researched said vulnerability - replied to a tweet by another security researcher, Patrick Schläpfer. Patrick works at HP Wolf Security where they analyzed the Magniber Ransomware and wrote a detailed analysis of its working. Will asked Patrick about the ZIP files used in the malware campaign to see if they were exploiting the same vulnerability or employing some other trick to bypass the "Mark of the Web". [...] And so a new 0day - already exploited in the wild - was revealed.
https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-motw.html
The Defender-s Guide to the Windows Registry
Welcome to the Defender-s Guide. This is a series of blog posts designed to give you a ground-up start to defending a specific technology from potential attackers. While a lot of this information may be redundant to a more seasoned information security personnel, even the best of us rely on Google and blog posts to get information. These posts are designed to be a one-stop shop, bringing a lot of that information together.
https://posts.specterops.io/the-defenders-guide-to-the-windows-registry-febe241abc75?source=rssf05f8696e3cc4
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Learning about the variety of techniques used by banking Trojans can help us detect other activities of financially motivated threat groups.
https://unit42.paloaltonetworks.com/banking-trojan-techniques/
Follina Exploit Leads to Domain Compromise
In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain.
https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
Vulnerabilities in Apache Batik Default Security Controls - SSRF and RCE Through Remote Class Loading
I stumbled upon the Apache Batik library while researching other Java-based products. It immediately caught my attention, as this library parses Scalable Vector Graphics (SVG) files and transforms them into different raster graphics formats (i.e., PNG, PDF, or JPEG). I was even more encouraged when I looked at the Batik documentation. It was obvious that such a library could be prone to Server-Side Request Forgery (SSRF) issues (e.g., loading of images from remote resources).
https://www.thezdi.com/blog/2022/10/28/vulnerabilities-in-apache-batik-default-security-controls-ssrf-and-rce-through-remote-class-loading
AgentTesla Being Distributed via VBS
The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing.
https://asec.ahnlab.com/en/40890/
Vulnerabilities
IBM Security Bulletins
App Connect Professional, IBM Business Automation Manager Open Editions 8.0.1, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Cloud Pak for Business Automation, IBM Cloud Pak for Security, IBM Event Streams, IBM Host Access Transformation Services, IBM MQ Appliance
https://www.ibm.com/blogs/psirt/
CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client
Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible.
https://spring.io/blog/2022/10/31/cve-2022-31690-privilege-escalation-in-spring-security-oauth2-client
CVE-2022-31692: Authorization rules can be bypassed via forward or include in Spring Security
Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for [CVE-2022-31692](https://tanzu.vmware.com/security/cve-2022-31692) affecting the AuthorizationFilter. Users are encouraged to update as soon as possible.
https://spring.io/blog/2022/10/31/cve-2022-31692-authorization-rules-can-be-bypassed-via-forward-or-include-in-spring-security
CISA Has Added One Known Exploited Vulnerability to Catalog
https://us-cert.cisa.gov/ncas/current-activity/2022/10/28/cisa-has-added-one-known-exploited-vulnerability-catalog