End-of-Day report
Timeframe: Wednesday 23-11-2022 18:00 - Thursday 24-11-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Investigating a backdoored PyPi package targeting FastAPI applications
On November 23rd, 2022, the Datadog Security Labs team identified a utility Python package on PyPI related to FastAPI, fastapi-toolkit, that has likely been compromised by a malicious actor.
https://securitylabs.datadoghq.com/articles/malicious-pypi-package-fastapi-toolkit/
THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
In this threat alert, the Cybereason team describes one attack scenario that started from a QBot infection, resulting in multiple key machines loading Cobalt Strike, which finally led to the global deployment of Black Basta ransomware.
https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies
MSI Afterburner: beware of fake software with a trojan on board
Criminals keep trying to push malware onto victims under the guise of legitimate tools, currently the GPU tool MSI Afterburner.
https://heise.de/-7351380
Fallen into a phishing trap? Here is what you can do:
Were you lured to a fake login page by a fraudulent e-mail or SMS? Did you enter your credentials there? Then criminals have access to your account. We show you what you can do if you have disclosed your login data.
https://www.watchlist-internet.at/news/in-eine-phishing-falle-getappt-das-koennen-sie-tun/
New scam: criminals steal credit card data and enrol it in Apple Pay
Criminals obtain credit card data through phishing messages sent by SMS or e-mail and add the cards to Apple Pay. The victims are then tricked, under false pretenses, into passing the Apple Pay activation code on to the criminals.
https://www.watchlist-internet.at/news/neue-betrugsmasche-kriminelle-stehlen-kreditkartendaten-und-hinterlegen-sie-fuer-apple-pay/
Bahamut cybermercenary group targets Android users with fake VPN apps
Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram.
https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/
IBM: RansomExx becomes latest ransomware group to create Rust variant
The RansomExx ransomware group has become the latest gang to create a variant in the Rust programming language, according to IBM Security X-Force Threat researchers.
https://therecord.media/ibm-ransomexx-becomes-latest-ransomware-group-to-create-rust-variant/
Vulnerabilities
TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input
tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting in a crash.
https://jvn.jp/en/jp/JVN29657972/
Security update available in Foxit PDF Editor for Mac 11.1.4
Foxit has released Foxit PDF Editor for Mac 11.1.4, which addresses potential security and stability issues.
https://www.foxit.com/support/security-bulletins.html
SolarWinds Security Advisories 2022-11-22
SolarWinds published 7 Security Advisories (3 High, 1 Medium, 3 Low Severity).
https://www.solarwinds.com/trust-center/security-advisories
Security updates for Thursday
Security updates have been issued by Debian (vim), Fedora (drupal7-context, drupal7-link, firefox, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (container-tools:ol8, device-mapper-multipath, dotnet7.0, firefox, hsqldb, keylime, podman, python3.9, python39:3.9, thunderbird, and xorg-x11-server), SUSE (exiv2-0_26, keylime, libarchive, net-snmp, nginx, opensc, pixman, python-joblib, strongswan, and webkit2gtk3), and Ubuntu (expat, imagemagick, mariadb-10.3, mariadb-10.6, [...]
https://lwn.net/Articles/915929/
Security Bulletin: IBM Sterling Control Center vulnerable to multiple issues due to IBM Cognos Analytics (CVE-2022-4160, CVE-2021-3733)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-vulnerable-to-multiple-issues-to-due-ibm-cognos-analystics-cve-2022-4160-cve-2021-3733/
Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Websphere Liberty (CVE-2022-24839)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-is-vulnerable-to-denial-of-service-due-to-websphere-liberty-cve-2022-24839/
Security Bulletin: IBM Sterling Control Center is vulnerable to HTTP header injection due to Websphere Liberty (CVE-2022-34165)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-is-vulnerable-to-http-header-injection-due-to-websphere-liberty-cve-2022-34165/
Security Bulletin: Vulnerability in IBM Java SDK affects Cloud Pak System [CVE-2021-28167]
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-affects-cloud-pak-system-cve-2021-28167/
Security Bulletin: IBM Sterling Control Center is vulnerable to unauthenticated data manipulation due to Java SE (CVE-2021-2163)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-is-vulnerable-to-unauthenticated-data-manipulation-due-to-java-se-cve-2021-2163/
Security Bulletin: For IBM Cloudpak for Watson AIOPS 3.5.1
https://www.ibm.com/blogs/psirt/security-bulletin-for-ibm-cloudpak-for-watson-aiops-3-5-1/
Security Bulletin: Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-mariadb-affect-ibm-cloud-object-storage-systems-nov-2022v1/
Pilz: PAS 4000 prone to ZipSlip
https://cert.vde.com/de/advisories/VDE-2022-045/
Pilz: Multiple products affected by ZipSlip
https://cert.vde.com/de/advisories/VDE-2022-044/
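ZipSlip, named in both Pilz advisories above, is the archive-extraction variant of path traversal: a member whose name contains ../ components (or an absolute path) is written outside the intended destination directory when the extractor joins the name onto the target path without checking the result. The following Python example is added here to illustrate the generic pattern and its mitigation; it is not code from Pilz, VDE CERT or the affected products, and it says nothing about how those products are implemented. The archive contents, the helper names (build_zip, resolve_member, safe_extract, run_demo) and the temporary directory layout are all constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_zip(entries):
    """Build a ZIP archive in memory from {name: bytes}. Constructed test
    fixture only: names are written verbatim, so '../x' becomes a traversal
    entry exactly as a hostile upload or firmware bundle would carry it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def resolve_member(dest_dir, member_name):
    """Return the absolute path a member would be written to, or None if
    that path escapes dest_dir (the ZipSlip condition)."""
    dest_real = os.path.realpath(dest_dir)
    # os.path.join drops dest_dir entirely when member_name is absolute,
    # so reject absolute names explicitly instead of trusting the join.
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return None
    candidate = os.path.realpath(os.path.join(dest_real, member_name))
    if candidate == dest_real or candidate.startswith(dest_real + os.sep):
        return candidate
    return None


def safe_extract(zip_bytes, dest_dir):
    """Extract only members that stay inside dest_dir. The whole manifest is
    validated before the first byte is written, so a hostile entry in the
    middle of the archive cannot leave a half-extracted tree behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = resolve_member(dest_dir, info.filename)
            if target is None:
                raise ValueError(f"ZipSlip entry rejected: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # zf.open() + a plain write is the naive pattern that makes
            # traversal possible; it is only safe because of the check above.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, os.path.realpath(dest_dir)))
        return written


def run_demo():
    """Run safe_extract on a benign and a hostile archive (both constructed
    here) inside a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.makedirs(dest)
        benign = build_zip({"docs/readme.txt": b"hello", "a.bin": b"\x00\x01"})
        written = sorted(safe_extract(benign, dest))
        # '../evil.txt' would land in tmp/, one level above the destination.
        hostile = build_zip({"ok.txt": b"x", "../evil.txt": b"pwned"})
        try:
            safe_extract(hostile, dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "benign_written": written,
            "hostile_rejected": rejected,
            "escaped_file_exists": os.path.exists(os.path.join(tmp, "evil.txt")),
            "partial_write": os.path.exists(os.path.join(dest, "ok.txt")),
        }


if __name__ == "__main__":
    print(run_demo())
```

The two-pass layout (validate every member, then write) is the part worth copying: a single-pass extractor that checks each name just before writing still leaves earlier members on disk when it aborts, which matters when the archive is a firmware or project bundle that the application later trusts.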
Pilz: PASvisu and PMI affected by multiple vulnerabilities
https://cert.vde.com/de/advisories/VDE-2022-033/
2022-18: Multiple vulnerabilities in BAT-C2
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15087-source/
2022-21: Authenticated Command Injection in Hirschmann BAT-C2
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-source/
2022-20: TinyXML vulnerability in Hirschmann HiLCOS products
https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15089-source/