Daily summary - 15.11.2022

End-of-Day report

Timeframe: Monday 14-11-2022 18:00 - Tuesday 15-11-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner

News

DTrack activity targeting Europe and Latin America

DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. [..] So, what's new? DTrack itself hasn't changed much over the course of time. Nevertheless, there are some interesting modifications that we want to highlight in this blogpost. Dtrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts.

https://securelist.com/dtrack-targeting-europe-latin-america/107798/


ABI compatibility in Python: How hard could it be?

This post will cover just one tiny piece of Python packaging's complexity: the CPython stable ABI. We'll see what the stable ABI is, why it exists, how it's integrated into Python packaging, and how each piece goes terribly wrong to make accidental ABI violations easy.

https://blog.trailofbits.com/2022/11/15/python-wheels-abi-abi3audit/


Checkmk: Remote Code Execution by Chaining Multiple Bugs

Within the series of articles, we take a detailed look at multiple vulnerabilities we identified in Checkmk and its NagVis integration, which can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk.

https://blog.sonarsource.com/checkmk-rce-chain-3/


Organizations Warned of Critical Vulnerability in Backstage Developer Portal Platform

Backstage is affected by a critical vulnerability related to a security hole found earlier this year by Oxeye in the popular sandbox library VM2. The VM2 flaw, dubbed SandBreak and tracked as CVE-2022-36067, can allow a remote attacker to escape the sandbox and execute arbitrary code on the host. Backstage has been using VM2, and Oxeye researchers discovered that CVE-2022-36067 can be exploited for unauthenticated remote code execution in Backstage by abusing its software templates.

https://www.securityweek.com/organizations-warned-critical-vulnerability-backstage-developer-portal-platform


Loan fraud: beware of darlehenexpert.com

darlehenexpert.com poses as a lender and supposedly offers personal and car loans, mortgages and other credit. Interested parties fill in a loan application form online and receive an approval shortly afterwards. But beware: darlehenexpert.com is fraudulent. You are asked to transfer various fees up front. If you transfer the money, you lose it and receive no loan!

https://www.watchlist-internet.at/news/kreditbetrug-vorsicht-vor-darlehenexpertcom/


Android malware: A million people downloaded these malicious apps before they were finally removed from Google Play

Cybersecurity researchers identify an aggressive adware campaign. The developer is now banned from Google Play - but if you've not uninstalled the apps, you're still infected. [..] The four apps that have been identified as malicious were from a developer called Mobile apps Group and were called 'Bluetooth Auto Connect', 'Bluetooth App Sender', 'Mobile transfer: smart switch', and 'Driver: Bluetooth, Wi-Fi, USB'.

https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over-a-million-downloads-from-google-play/


Windows Server 2012 R2: Sophos user authentication via Heartbeat disabled on RDS servers

A short note for administrators who run Windows Server 2012 R2 and rely on Sophos user authentication via Sophos Security Heartbeat. Sophos has rolled out an update that silently disables this feature on Windows Server 2012 R2.

https://www.borncity.com/blog/2022/11/15/windows-server-2012-r2-sophos-user-authentifizierung-mittels-heartbeat-auf-rds-servern-abgeschaltet/


LKA warns of a scam involving digital credit cards (Nov. 2022)

The LKA Niedersachsen (Lower Saxony State Criminal Police Office) warns of a new scam devised by cyber criminals. Using phishing e-mails, fake websites and digital credit cards, they try to obtain the victims' payment data. The data of the digital credit card is then misused for the criminals' own purchases at the victim's expense.

https://www.borncity.com/blog/2022/11/15/lka-warnt-vor-betrugsmasche-mit-digitalen-kreditkarten-nov-2022/


Firmware and BIOS updates: AMD, Intel, Lenovo, HP (Nov. 2022)

The vendors Lenovo and HP are using firmware updates to close vulnerabilities discovered in the BIOS (and in the software) of their systems. The processor manufacturers AMD and Intel have likewise closed security holes in their firmware with updates in November 2022. Here is a compact overview of these updates.

https://www.borncity.com/blog/2022/11/15/firmware-und-bios-updates-amd-intel-lenovo-hp-nov-2022/

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by Fedora (kernel and webkit2gtk3), Red Hat (dhcp, dovecot, flac, freetype, fribidi, frr, gimp, grafana, guestfs-tools, httpd, kernel-rt, libtirpc, mingw-gcc, mingw-glib2, pcs, php, protobuf, python3.9, qemu-kvm, redis, speex, and swtpm), SUSE (chromium, containerized-data-importer, jhead, kubevirt stack, nodejs14, nodejs16, python-Werkzeug, and xen), and Ubuntu (golang-1.13, nginx, and vim).

https://lwn.net/Articles/914952/


Security Vulnerabilities fixed in Thunderbird 102.5

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/


Security Vulnerabilities fixed in Firefox ESR 102.5

CVE-2022-45403: Service Workers might have learned size of cross-origin media files
CVE-2022-45404: Fullscreen notification bypass
CVE-2022-45405: Use-after-free in InputStream implementation
CVE-2022-45406: Use-after-free of a JavaScript Realm
CVE-2022-45408: Fullscreen notification bypass via windowName
CVE-2022-45409: Use-after-free in Garbage Collection
CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/


Security Vulnerabilities fixed in Firefox 107

CVE-2022-45407: Loading fonts on workers was not thread-safe
CVE-2022-45403: Service Workers might have learned size of cross-origin media files
CVE-2022-45404: Fullscreen notification bypass
CVE-2022-45405: Use-after-free in InputStream implementation
CVE-2022-45406: Use-after-free of a JavaScript Realm
CVE-2022-45408: Fullscreen notification bypass via windowName
CVE-2022-45409: Use-after-free in Garbage Collection
CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/


TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation

https://jvn.jp/en/jp/JVN54728399/


ZDI-22-1592: Parse Server _expandResultOnKeyPath Prototype Pollution Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-22-1592/


ZDI-22-1591: Parse Server buildUpdatedObject Prototype Pollution Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-22-1591/


ZDI-22-1590: Parse Server transformUpdate Prototype Pollution Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-22-1590/


ABB PCM600 Cleartext Credentials Vulnerability

https://search.abb.com/library/Download.aspx?DocumentID=2NGA001518


Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java Technology Edition

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-sdk-java-technology-edition-15/


Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulnerable-to-denial-of-service-due-to-libexpat-cve-2022-43680-cve-2013-0340-cve-2017-9233/


Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics - Log Analysis (CVE-2021-38153)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache-kafka-affect-ibm-operations-analytics-log-analysis-cve-2021-38153/


PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family

https://cert.vde.com/de/advisories/VDE-2022-051/


Mitsubishi Electric GT SoftGOT2000

https://us-cert.cisa.gov/ics/advisories/icsa-22-319-01