End-of-Day report
Timeframe: Tuesday 22-11-2022 18:00 - Wednesday 23-11-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Backdoored Chrome extension installed by 200,000 Roblox players
Chrome browser extension SearchBlox installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform.
https://www.bleepingcomputer.com/news/security/backdoored-chrome-extension-installed-by-200-000-roblox-players/
Ducktail Malware Operation Evolves with New Malicious Capabilities
The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," ...
https://thehackernews.com/2022/11/ducktail-malware-operation-evolves-with.html
Mind the Gap
Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but at the time of publication, these fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo and others). Devices with a Mali GPU are currently vulnerable.
https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice
In September 2022, Proofpoint researchers identified initial delivery of a penetration testing framework called Nighthawk. Launched in late 2021 by MDSec, Nighthawk is similar to other frameworks such as Brute Ratel and Cobalt Strike and, like those, could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal.
https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice
Critical infrastructure: EU directive holds operators accountable
The EU Parliament has adopted a directive on the resilience of critical entities. It applies to eleven sectors. Some operators are considered particularly important.
https://heise.de/-7349574
Google wants to curb abuse of the Cobalt Strike pentesting tool
So that admins can better detect network attacks carried out through Cobalt Strike abuse, Google has, among other things, published YARA-based detection rules.
https://heise.de/-7349813
Standard for machine-readable security advisories adopted
The Common Security Advisory Framework is intended to make administrators' work easier and make current security information easier to find.
https://heise.de/-7350491
Attacks on Boa web server endanger IoT
Vulnerable SDK components lead to supply-chain risks in IoT and OT environments, particularly through the outdated Boa web server, warns Microsoft Security Threat Intelligence (MSTI).
https://www.zdnet.de/88405186/angriffe-auf-boa-web-server-gefaehrden-iot/
Bypassing Web Application Firewalls
Web Application Firewalls (WAFs) are popular infrastructure components used to make attacks on web applications harder. What do WAFs really offer? Can they, even in theory, be perfect enough to prevent every kind of web attack? Let's demystify WAFs!
https://certitude.consulting/blog/de/web-application-firewalls-umgehen/
CVE-2022-23088: Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack
In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. [..] The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug.
https://www.thezdi.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-overflow-in-the-freebsd-wi-fi-stack
CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched SQL injection vulnerability in Zoho ManageEngine products.
https://www.thezdi.com/blog/2022/11/22/cve-2022-40300-sql-injection-in-manageengine-privileged-access-management
Vulnerabilities
IBM Security Bulletins 2022-11-22
IBM Operations Analytics, IBM QRadar, IBM SDK, IBM Sterling Connect, Rational Service Tester, Rational Performance Tester, IBM HTTP Server, IBM Security Verify Governance, IBM InfoSphere DataStage, IBM Cloud Pak for Security
https://www.ibm.com/blogs/psirt/
Security vulnerability in HPE OfficeConnect switches endangers networks
Attackers could attack switches from Hewlett Packard Enterprise. Security updates are available for download.
https://heise.de/-7350116
Security updates for Wednesday
Security updates have been issued by Debian (heimdal, libarchive, and nginx), Fedora (varnish-modules and xterm), Red Hat (firefox), Scientific Linux (firefox, hsqldb, and thunderbird), SUSE (Botan, colord, containerized-data-importer, ffmpeg-4, java-1_8_0-ibm, krb5, nginx, redis, strongswan, tomcat, and xtrabackup), and Ubuntu (apr-util, freerdp2, and sysstat).
https://lwn.net/Articles/915802/
CISA Releases Eight Industrial Control Systems Advisories
Original release date: November 22, 2022
CISA has released eight (8) Industrial Control Systems (ICS) advisories on 22 November 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-22-326-01 AVEVA Edge
- ICSA-22-326-02 Digital Alert Systems DASDEC
- ICSA-22-326-03 Phoenix Contact Automation Worx
- ICSA-22-326-04 GE Cimplicity
- ICSA-22-326-05 Moxa Multiple ARM-Based Computers
- ICSMA-21-152-01 Hillrom Medical Device Management (Update C)
- ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update I)
- ICSA-21-049-02 Mitsubishi Electric FA Engineering Software Products (Update G)
https://us-cert.cisa.gov/ncas/current-activity/2022/11/22/cisa-releases-eight-industrial-control-systems-advisories
WordPress BeTheme 26.5.1.4 PHP Object Injection
https://cxsecurity.com/issue/WLB-2022110040
Security Advisory - Improper Input Validation Vulnerability in a Huawei Children's Watch
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-iivviahcw-5fb2d55c-en
Security Advisory - Insufficient Authentication Vulnerability in some Huawei Band Products
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20221130-01-c7f72ffb-en
Multiple Vulnerabilities in PRA-ES8P2S Ethernet Switch
https://psirt.bosch.com/security-advisories/bosch-sa-247053-bt.html