Daily Summary - 07.11.2022

End-of-Day report

Timeframe: Friday 04-11-2022 18:00 - Monday 07-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Windows Malware with VHD Extension, (Sat, Nov 5th)

Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted, appears in the email as a PDF but is in fact a VHD file.

https://isc.sans.edu/diary/rss/29222


IPv4 Address Representations, (Sun, Nov 6th)

A reader asked for help with this maldoc. Not with the analysis itself, but how to understand where the URL is pointing to.

https://isc.sans.edu/diary/rss/29224


Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data

Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs. "Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022.

https://thehackernews.com/2022/11/experts-find-urlscan-security-scanner.html


AWS Organizations Defaults

[...] These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator. For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise.

https://hackingthe.cloud/aws/general-knowledge/aws_organizations_defaults/


Commentary: Attacks cannot be avoided - take responsibility!

Shit happens, and so do security incidents. The only question, then, is how to deal with them - before as well as after.

https://heise.de/-7328918


Hidden costs for cancellations on stornierenbei.de

If you want to cancel a contract and research how to do so via your search engine, you may come across stornierenbei.de. There, a simple cancellation of contracts with a wide range of providers is offered as a service. Caution: instead of the cancellation of the specified contract, you will face hidden costs, which are also pursued with payment reminders! Do not pay anything. There is no valid contract with stornierenbei.de.

https://www.watchlist-internet.at/news/versteckte-kosten-fuer-kuendigungen-auf-stornierenbeide/


BYODC - Bring Your Own Domain Controller

BYODC or bring your own domain controller is a post-exploitation technique and another option for performing a DCSync in a more opsec safe manner.

https://blog.zsec.uk/byodc-attack/

Vulnerabilities

IBM Security Bulletins 2022-11-04

AIX LPARs in IBM PureData System for Operational Analytics, IBM App Connect Enterprise, IBM MQ, IBM WebSphere Application Server Liberty / CICS Transaction Gateway

https://www.ibm.com/blogs/psirt/


Security updates for Monday

Security updates have been issued by Debian (ffmpeg, libxml2, python-django, python-scciclient, and xen), Fedora (ghc-cmark-gfm, java-latest-openjdk, and vim), Mageia (expat, ntfs-3g, and wkhtmltopdf), Oracle (kernel), Slackware (sudo), and SUSE (expat, libxml2, rubygem-loofah, and xmlbeans).

https://lwn.net/Articles/914012/


Shodan Verified Vulns 2022-11-01

As of 2022-11-01, Shodan sees the following vulnerabilities in Austria: [...]

https://cert.at/de/aktuelles/2022/11/shodan-verified-vulns-2022-11-01


Nov 3 2022 Security Releases

(Update 04-November-2022) Security releases available. Updates are now available for the v14.x, v16.x, v18.x and v19.x Node.js release lines for the following issues. [...]

https://nodejs.org/en/blog/vulnerability/november-2022-security-releases


WebKit HTMLSelectElement Use-After-Free

https://cxsecurity.com/issue/WLB-2022110007


TRUMPF: Multiple products prone to X.Org server vulnerabilities

https://cert.vde.com/de/advisories/VDE-2022-049/


Wiesemann & Theis: Multiple Vulnerabilities in the Com-Server Family

https://cert.vde.com/de/advisories/VDE-2022-043/