End-of-Day report
Timeframe: Tuesday 15-11-2022 18:00 - Wednesday 16-11-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Researchers guess passwords via thermal imaging with machine learning and AI
In an experimental setup, security researchers reconstructed twelve-character passwords typed on a keyboard with a success rate of 83 percent.
https://heise.de/-7341957
ESET APT Activity Report T2 2022
An overview of the activities of selected APT groups that were investigated and analyzed by ESET Research in T2 2022.
https://www.welivesecurity.com/deutsch/2022/11/16/apt-activity-report-t2-2022/
Fake Black Friday giveaways circulating on WhatsApp and Instagram
Beware of fraudulent giveaways around Black Friday. Numerous WhatsApp and Instagram users are currently receiving fraudulent messages from strangers, but also from their own contacts, advertising, for example, giveaways in Amazon's name. Warning: this is an attempt to lure you into a subscription trap. Do not follow any links in such messages and do not disclose any credit card details!
https://www.watchlist-internet.at/news/fake-black-friday-gewinnspiele-auf-whatsapp-und-instagram-im-umlauf/
Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend
By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as "DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC". After successful validation, it was immediately submitted to Microsoft. They patched both bugs along with several other Exchange vulnerabilities in the November Patch Tuesday release. It is a beautiful chain, with an ingenious vector [...]
https://www.thezdi.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend
CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures
Rapid7 discovered several vulnerabilities and exposures in specific F5 BIG-IP and BIG-IQ devices in August 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response.
https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/
Magento stores targeted in massive surge of TrojanOrders attacks
At least seven hacking groups are behind a massive surge in TrojanOrders attacks targeting Magento 2 websites, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers.
https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-massive-surge-of-trojanorders-attacks/
Token tactics: How to prevent, detect, and respond to cloud token theft
As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose.
https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/
Packet Tuesday: Network Traffic Analysis for the Whole Family, (Tue, Nov 15th)
A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking off "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below.
https://isc.sans.edu/diary/rss/29252
New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
Readers of this blog should already be familiar with SocGholish: a widespread, years-long malware campaign aimed at pushing fake browser updates to unsuspecting web users. Once installed, fake browser updates infect the victim's computer with various types of malware including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware attacks against corporations and other organizations.
https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-compression-evasive-techniques.html
Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data
"Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot," Amazon cautions in its documentation. "When a snapshot is shared publicly, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it."
https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.html
Vulnerabilities
Cisco Secure Email Gateway Malware Detection Evasion
This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but has not received a satisfactory response within a given time frame. As the attack complexity is low and exploits have already been published by a third party, there must be no further delay in making the threats publicly known.
https://cxsecurity.com/issue/WLB-2022110021
Cisco Identity Services Engine Vulnerabilities
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks. For more information about these vulnerabilities, see the Details section of this advisory. Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-7Q4TNYUx
Security updates for Wednesday
Security updates have been issued by Debian (grub2, nginx, and wordpress), Red Hat (389-ds-base, bind, buildah, curl, device-mapper-multipath, dnsmasq, dotnet7.0, dpdk, e2fsprogs, grafana-pcp, harfbuzz, ignition, Image Builder, kernel, keylime, libguestfs, libldb, libtiff, libvirt, logrotate, mingw-zlib, mutt, openjpeg2, podman, poppler, python-lxml, qt5, rsync, runc, samba, skopeo, toolbox, unbound, virt-v2v, wavpack, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), SUSE (389-ds, bluez, dhcp, freerdp, jackson-databind, kernel, LibVNCServer, libX11, nodejs12, nodejs16, php7, php8, python-Mako, python-Twisted, python310, sudo, systemd, and xen), and Ubuntu (mako).
https://lwn.net/Articles/915097/
RICOH Aficio SP 4210N vulnerable to cross-site scripting
https://jvn.jp/en/jp/JVN24659622/
Multiple vulnerabilities in Movable Type
https://jvn.jp/en/jp/JVN37014768/
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-due-to-the-october-2022-cpu/
Security Bulletin: IBM SDK, Java Technology Edition, Security Update July 2022
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-security-update-july-2022/
Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.2ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 - 2022.4.0
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-less-than-firefox-102-2esr-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if16-2022-4-0/