End-of-Day report
Timeframe: Friday 11-11-2022 18:00 - Monday 14-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Uninstall now! Security vulnerabilities, but no patches for VMware Hyperic
Support for the IT management software VMware Hyperic has ended. Admins should migrate to something else.
https://heise.de/-7339160
New scam on Amazon: Fraudulent marketplace sellers cancel orders and recommend buying from "Amazon partner shops"
Sabine searches Amazon for a coffee machine. She finds a cheap offer from a marketplace seller. She orders and waits for delivery. Shortly after the order, however, the seller cancels the purchase. She receives an email in which the seller apologizes and names a shop where she can order the coffee machine at the same price. Caution: this is fraud!
https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-amazon-betruegerische-marketplace-haendler-stornieren-bestellungen-und-empfehl/
Extracting HTTP CONNECT Requests with Python, (Mon, Nov 14th)
Seeing abnormal Suricata alerts isn't too unusual in my home environment. In many cases it may be a TLD being resolved that at one point in time was very suspicious. With the increased legitimate adoption of some of these domains, these alerts have been less useful, although still interesting to investigate. I ran into a few of these alerts one night and when diving deeper there was an unusual amount, frequency, and source of the alerts.
https://isc.sans.edu/diary/rss/29246
Extracting Information From "logfmt" Files With CyberChef, (Sat, Nov 12th)
https://isc.sans.edu/diary/rss/29244
KmsdBot: The Attack and Mine Malware
Akamai Security Research has observed a new malware that infected our honeypot, which we have dubbed KmsdBot. The botnet infects systems via an SSH connection that uses weak login credentials.
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware
Discover 2022's Nastiest Malware
For the past year, hackers have been following close behind businesses and families just waiting for the right time to strike. In other words, 2022 has been an eventful year in the threat landscape, with malware continuing to take center stage. The 6 Nastiest Malware of 2022: Since the mainstreaming of ransomware payloads and the [...]
https://www.webroot.com/blog/2022/10/14/discover-2022s-nastiest-malware/
Typhon Reborn With New Capabilities
Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn.
https://unit42.paloaltonetworks.com/typhon-reborn-stealer/
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign.
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
Stories from the SOC: Fortinet authentication bypass observed in the wild
Fortinet's newest vulnerability, CVE-2022-40684, allowing for authentication bypass to manipulate admin SSH keys, unauthorized downloading of configuration files, and creation of super admin accounts, has put a big target on the backs of unpatched and exposed Fortinet devices.
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-fortinet-authentication-bypass-observed-in-the-wild
Vulnerabilities
HP BIOS: Buffer overflow allows privilege escalation, update is available
HP warns of a security vulnerability in the BIOS of numerous notebooks and PCs. Attackers could use it to escalate their privileges or execute arbitrary code.
https://heise.de/-7339122
Security updates for Monday
Security updates have been issued by Debian (dropbear, php7.4, pixman, sysstat, and xorg-server), Fedora (mingw-expat, mingw-libtasn1, and mingw-pixman), Mageia (binutils/gdb, chromium-browser-stable, exiv2, libtiff, nodejs, pcre, pixman, wayland, and webkit2), Red Hat (device-mapper-multipath and libksba), SUSE (autotrace, busybox, libmodbus, php72, python-numpy, rustup, samba, varnish, xen, and xterm), and Ubuntu (thunderbird).
https://lwn.net/Articles/914811/
Path traversal vulnerability in Payara Platform
Due to faulty path validation in the Payara software, it is possible to read the configuration or source code files of web applications in the WEB-INF and META-INF directories via a path traversal vulnerability.
https://sec-consult.com/de/vulnerability-lab/advisory/path-traversal-vulnerability-in-payara-platform/
Multiple vulnerabilities in BACKCLICK Professional (SYSS-2022-026 to -037)
https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037
Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-file-agent-is-vulnerable-to-denial-of-service-due-to-fasterxml-jackson-databind-cve-2022-42003/
Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-44832-7/
Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-after-entering-a-specially-crafted-malformed-sql-statement-into-the-db2expln-tool-cve-2022-35637-2/
Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-file-agent-is-vulnerable-to-denial-of-service-due-to-fasterxml-jackson-databind/
Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-44228-6/
Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-file-agent-is-vulnerable-to-denial-of-service-due-to-fasterxml-jackson-databind-cve-2022-42004/
Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-in-some-scenarios-due-to-unauthorized-access-caused-by-improper-privilege-management-when-create-or-replace-command-2/
Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-45046-cve-2021-45105-6/
Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-caused-by-improper-privilege-management-when-table-function-is-used-cve-2022-22390-3/
Security Bulletin: IBM MQ Internet Pass-Thru traces sensitive data (CVE-2022-35719)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru-traces-sensitive-data-cve-2022-35719/