Tageszusammenfassung - 24.11.2022

End-of-Day report

Timeframe: Mittwoch 23-11-2022 18:00 - Donnerstag 24-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer

News

Investigating a backdoored PyPi package targeting FastAPI applications

On November 23rd, 2022, the Datadog Security Labs team identified a utility Python package on PyPI related to FastAPI, fastapi-toolkit, that has likely been compromised by a malicious actor.

https://securitylabs.datadoghq.com/articles/malicious-pypi-package-fastapi-toolkit/

THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies

In this threat alert, the Cybereason team describes one attack scenario that started from a QBot infection, resulting in multiple key machines loading Cobalt Strike, which finally led to the global deployment of Black Basta ransomware.

https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies

MSI Afterburner: Vorsicht vor Fake-Software mit Trojaner im Gepäck

Immer wieder versuchen Kriminelle Opfern Schadcode unter dem Deckmantel von legitimen Tools, wie aktuell dem GPU-Tool MSI Afterburner, unterzuschieben.

https://heise.de/-7351380

In eine Phishing-Falle getappt? Das können Sie tun:

Wurden Sie über ein betrügerisches E-Mail oder SMS auf eine gefälschte Login-Seiten gelockt? Haben Sie dort Ihre Daten eingetippt? Dann haben Kriminelle Zugriff auf Ihr Konto. Wir zeigen Ihnen, was Sie tun können, wenn Sie Ihre Benutzerdaten preisgegeben haben.

https://www.watchlist-internet.at/news/in-eine-phishing-falle-getappt-das-koennen-sie-tun/

Neue Betrugsmasche: Kriminelle stehlen Kreditkartendaten und hinterlegen sie für Apple Pay

Kriminelle erschleichen sich mit Phishing-Nachrichten per SMS oder E-Mail Kreditkartendaten und hinterlegen diese für Apple Pay. Betroffene werden dann unter falschen Vorwänden verleitet, den Aktivierungscode für Apple Pay an die Kriminellen weiterzugeben.

https://www.watchlist-internet.at/news/neue-betrugsmasche-kriminelle-stehlen-kreditkartendaten-und-hinterlegen-sie-fuer-apple-pay/

Bahamut cybermercenary group targets Android users with fake VPN apps

Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram.

https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/

IBM: RansomExx becomes latest ransomware group to create Rust variant

The RansomExx ransomware group has become the latest gang to create a variant in the Rust programming language, according to IBM Security X-Force Threat researchers.

https://therecord.media/ibm-ransomexx-becomes-latest-ransomware-group-to-create-rust-variant/

Vulnerabilities

TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input

tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting to crash.

https://jvn.jp/en/jp/JVN29657972/

Security update available in Foxit PDF Editor for Mac 11.1.4

Foxit has released Foxit PDF Editor for Mac 11.1.4, which addresses potential security and stability issues.

https://www.foxit.com/support/security-bulletins.html

SolarWinds Security Advisories 2022-11-22

SolarWinds published 7 Security Advisories (3 High, 1 Medium, 3 Low Severity).

https://www.solarwinds.com/trust-center/security-advisories

Security updates for Thursday

Security updates have been issued by Debian (vim), Fedora (drupal7-context, drupal7-link, firefox, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (container-tools:ol8, device-mapper-multipath, dotnet7.0, firefox, hsqldb, keylime, podman, python3.9, python39:3.9, thunderbird, and xorg-x11-server), SUSE (exiv2-0_26, keylime, libarchive, net-snmp, nginx, opensc, pixman, python-joblib, strongswan, and webkit2gtk3), and Ubuntu (expat, imagemagick, mariadb-10.3, mariadb-10.6, [...]

https://lwn.net/Articles/915929/

Security Bulletin: IBM Sterling Control Center vulnerable to multiple issues to due IBM Cognos Analystics (CVE-2022-4160, CVE-2021-3733)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-vulnerable-to-multiple-issues-to-due-ibm-cognos-analystics-cve-2022-4160-cve-2021-3733/

Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Websphere Liberty (CVE-2022-24839)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-is-vulnerable-to-denial-of-service-due-to-websphere-liberty-cve-2022-24839/

Security Bulletin: IBM Sterling Control Center is vulnerable to HTTP header injection due to Websphere Liberty (CVE-2022-34165)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-is-vulnerable-to-http-header-injection-due-to-websphere-liberty-cve-2022-34165/

Security Bulletin: Vulnerability in IBM Java SDK affects Cloud Pak System [CVE-2021-28167]

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-affects-cloud-pak-system-cve-2021-28167/

Security Bulletin: IBM Sterling Control Center is vulnerable to unauthenticated data manipulation due to Java SE (CVE-2021-2163)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-is-vulnerable-to-unauthenticated-data-manipulation-due-to-java-se-cve-2021-2163/

Security Bulletin: For IBM Cloudpak for Watson AIOPS 3.5.1

https://www.ibm.com/blogs/psirt/security-bulletin-for-ibm-cloudpak-for-watson-aiops-3-5-1/

Security Bulletin: Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-mariadb-affect-ibm-cloud-object-storage-systems-nov-2022v1/