Tageszusammenfassung - 10.11.2022

End-of-Day report

Timeframe: Mittwoch 09-11-2022 18:00 - Donnerstag 10-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer

News

New StrelaStealer malware steals your Outlook, Thunderbird accounts

A new information-stealing malware named StrelaStealer is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients.

https://www.bleepingcomputer.com/news/security/new-strelastealer-malware-steals-your-outlook-thunderbird-accounts/


VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations

Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. An attacker can corrupt the memory using Direct Memory Access (DMA) timing attacks that can lead to code execution. These threats are collectively referred to as RingHopper attacks.

https://kb.cert.org/vuls/id/434994


Windows breaks under upgraded IceXLoader malware

Were the malware of Nim! A malware loader deemed in June to be a "work in progress" is now fully functional and infecting thousands of Windows corporate and home PCs.-

https://go.theregister.com/feed/www.theregister.com/2022/11/10/icexloader_malware_microsoft_users/


[SANS ISC] Do you collect -Observables- or -IOCs-?

Indicators of Compromise, or IOCs, are key elements in blue team activities. IOCs are mainly small pieces of technical information that have been collected during investigations, threat hunting activities or malware analysis.

https://blog.rootshell.be/2022/11/10/sans-isc-do-you-collect-observables-or-iocs/


Phishing-Resistant MFA Does Not Mean Un-Phishable

Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse -phishing-resistant- with being impossible to phish or socially engineer.

https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishable-roger-grimes/


The Case of Cloud9 Chrome Botnet

The Zimperium zLabs team recently discovered a malicious browser extension, which not only steals the information available during the browser session but can also install malware on a user-s device and subsequently assume control of the entire device. In this blog, we will take a deeper look into the architecture and modus operandi of this malicious browser extension, originally called Cloud9, by the malware author.

https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/


Certificates and Pwnage and Patches, Oh My!

A lot has happened since we released the -Certified Pre-Owned- blog post and whitepaper in June of last year. [...] A lot of organizations (and a lot of pentesters ;) definitely realized how pervasive misconfigurations in Active Directory Certificate Service are and how easy it is now to enumerate and abuse these issues. [...] With all of these changes, we wanted to revisit some of the offensive AD CS attacks, detail how the patch has affected some of the existing escalations, and

https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d


The November 2022 Security Update Review

Welcome to the penultimate Patch Tuesday of 2021. As expected, Adobe and Microsoft have released their latest security updates and fixes to the world. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

https://www.thezdi.com/blog/2022/11/8/the-november-2022-security-update-review


How LNK Files Are Abused by Threat Actors

LNK files are based on the Shell Link Binary file format, also known as Windows shortcuts. But what seems a relatively simple ability to execute other binaries on the system can inflict great harm when abused by threat actors.

https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/


Penetration and Distribution Method of Gwisin Attacker

The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware.

https://asec.ahnlab.com/en/41565/

Vulnerabilities

Bios: Sicherheitslücken im UEFI etlicher Lenovo-Laptops

Lenovo hat Treiber verwendet, die nur für die Produktion vorgesehen waren. Dadurch lässt sich Secure Boot aus dem Betriebssystem heraus deaktivieren.

https://www.golem.de/news/bios-sicherheitsluecken-im-uefi-etlicher-lenovo-laptops-2211-169659.html


Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure

Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability.

https://jvn.jp/en/jp/JVN75437943/


Cisco Security Advisories 2022-11-09

Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F11%2F09&firstPublishedEndDate=2022%2F11%2F09


IBM Security Bulletins 2022-11-09

IBM Cloud Pak for Security, IBM Master Data Management, IBM Planning Analytics, IBM Planning Analytics Workspace, IBM QRadar, IBM Tivoli Business Service Manager

https://www.ibm.com/blogs/psirt/


HTML Injection in BMC Remedy ITSM-Suite

Die Anwendung BMC Remedy erlaubt es Benutzern Incidents über Email weiterzuleiten. Im Email Editor ist es möglich HTML-Code in das "To" Feld einzufügen. Danach zeigt die Anwendung an, dass der Incident an Empfänger weitergeleitet wurde. Durch Klicken auf die Anzahl der Empfänger wird der eingefügte HTML-Code geladen und ausgeführt.

https://sec-consult.com/de/vulnerability-lab/advisory/html-injection-in-bmc-remedy-itsm-suite/


CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine

A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system allows a local attacker with shell access to the engine to execute programs with elevated privileges.

https://security.paloaltonetworks.com/CVE-2022-0031


Bugfix-Updates: Apple stellt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 bereit

Fehlerbehebungen und gestopfte Sicherheitslücken außer der Reihe: Apple legt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 für Mac, iPad und iPhone vor.

https://heise.de/-7335516


Security updates for Thursday

Security updates have been issued by Debian (libjettison-java and xorg-server), Slackware (sysstat and xfce4), SUSE (python3 and xen), and Ubuntu (firefox).

https://lwn.net/Articles/914347/


Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server

Unit 42 discovered three vulnerabilities in OpenLiteSpeed Web Server and LiteSpeed Web Server that could be used together for remote code execution.

https://unit42.paloaltonetworks.com/openlitespeed-vulnerabilities/


[R1] Nessus Version 8.15.7 Fixes Multiple Vulnerabilities

Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, zlib) were found to contain vulnerabilities, and updated versions have been made available by the providers.Out of caution and in line with good practice, Tenable has opted to upgrade these components to address the potential impact of the issues.

https://www.tenable.com/security/tns-2022-26


2022-12 Multiple Java SE vulnerabilities in Belden/Hirschmann software products

https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14996&mediaformatid=50063&destinationid=10016" target="_blank