End-of-Day report
Timeframe: Wednesday 07-12-2022 18:00 - Friday 09-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Invisible npm malware bypasses security checks with manipulated versions
JFrog has discovered unexpected behaviour in the npm tooling: for packages with certain version formats, it apparently displays no security-relevant warnings.
https://heise.de/-7372357
How to protect yourself from fake shops
Fake shops lure you into the trap with polished design and unbeatable prices. But how do you recognise fake shops and other fraudulent online shops before it is too late? Here we describe the most common types of fake shops and their telltale signs. A purchase from a fake shop can truly cost you dearly.
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-fake-shops/
Ransomware: deleting instead of decrypting
The defective Cryptonite ransomware cannot decrypt your files, even if you pay the ransom. Instead, all data is simply deleted.
https://www.zdnet.de/88405737/ransomware-loeschen-statt-entschluesseln/
New Zombinder platform binds Android malware with legitimate apps
A darknet platform dubbed Zombinder allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion.
https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/
Hacked corporate email accounts used to send MSP remote access tool
MuddyWater hackers, a group associated with Iran's Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets.
https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accounts-used-to-send-msp-remote-access-tool/
DeathStalker targets legal entities with new Janicab variant
While hunting for less common Deathstalker intrusions, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020.
https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/
How to train your Ghidra
Brief introduction to setting up Ghidra, and then configuring it with a familiar UI and shortcuts, so that you would not need to re-learn all the key sequences you have got used to over the years.
https://securelist.com/how-to-train-your-ghidra/108272/
Finding Gaps in Syslog - How to find when nothing happened, (Wed, Dec 7th)
I recently got a call from a client; they had an outage that required a firewall reboot, but couldn't give me an exact clock time. They were looking for anything in the logs just prior to that reboot that might indicate a carrier issue, as they had experienced a few outages like this recently.
https://isc.sans.edu/diary/rss/29314
Port Scanning in Powershell Redux: Speeding Up the Results (challenge accepted!), (Fri, Dec 9th)
In the story I wrote in October about using PowerShell for Port Scanning (https://isc.sans.edu/diary/29202), I noted that the basic "test-connect" operation made for a pretty slow port scanner, which seems to be the message that everyone latched onto. Of course, my immediate response was "challenge accepted!", so let's go - let's make that operation faster!
https://isc.sans.edu/diary/rss/29324
Trojanized OneNote Document Leads to Formbook Malware
Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs' researchers are always looking out for new or unusual file types, and through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information-stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/
Compromised Cloud Compute Credentials: Case Studies From the Wild
A walk-through of attacks in the wild that abuse stolen cloud compute credentials in the cloud environment. Unit 42 researchers highlight two case studies.
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
Fantasy - a new Agrius wiper deployed through a supply-chain attack
ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius's new wiper, with victims including the diamond industry.
https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/
On hacking forums, even the scammers aren't safe
Cybercriminals use a range of techniques to steal victims' money - from developing malicious software to siphon financial data to old-fashioned "rip-and-runs" - but that doesn't mean they're immune to falling for these scams themselves. Scammers scamming scammers, including sometimes the scammers who have scammed them, is "an entire sub-economy" on darknet marketplaces, according to [...]
https://therecord.media/on-hacking-forums-even-the-scammers-arent-safe/
OpenSSL CVE-2022-3786: Food for Thought on the Importance of Security Scanning
After a CVE on open source software has been discovered and a fix has been released, a fruitful practice for security researchers is to go deep into the nature of the CVE and the fix.
https://checkmarx.com/blog/openssl-cve-2022-3786-food-for-thought-on-the-importance-of-security-scanning/
Vulnerabilities
Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability
A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U
IBM Security Bulletins 2022-12-05
IBM App Connect Enterprise, IBM Cloud Transformation Advisor, IBM Event Streams, IBM InfoSphere Information Server, IBM Power System, IBM QRadar SIEM, IBM Rational Functional Tester, IBM Rational Test Automation Server, IBM Spectrum Scale, IBM Sterling Secure Proxy, IBM Watson Developer Cloud
https://www.ibm.com/support/pages/bulletin/
IBM Security Bulletins 2022-12-06
IBM Business Automation Workflow, IBM Content Navigator, IBM Operations Analytics, IBM Rational Business Developer, IBM SPSS Collaboration and Deployment Services, IBM Security SiteProtector System, IBM Sterling External Authentication Server, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Business Service Manager, IBM Tivoli Composite Application Manager for Transactions, IBM WebSphere Application Server
https://www.ibm.com/support/pages/bulletin/
IBM Security Bulletins 2022-12-07
AIX, HMC, IBM Business Automation Workflow Event Emitters, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Data Risk Manager, IBM Enterprise Content Management System Monitor, IBM Match 360, IBM PowerVM Novalink, IBM Virtualization Engine TS7700, IBM Watson Assistant for IBM Cloud Pak for Data
https://www.ibm.com/support/pages/bulletin/
IBM Security Bulletins 2022-12-08
AIX, IBM API Connect, IBM CICS Transaction Gateway, IBM Cloud Transformation Advisor, IBM InfoSphere Information Server, IBM MQ, IBM PowerVM Novalink, IBM Security Verify
https://www.ibm.com/support/pages/bulletin/
IBM Security Bulletins 2022-12-09
IBM App Connect Enterprise Certified Container, IBM Security Verify Governance, IBM Spectrum Copy Data Management, IBM Spectrum Protect for Space Management Client, IBM Tivoli Application Dependency Discovery Manager, z/Transaction Processing Facility
https://www.ibm.com/support/pages/bulletin/
VMSA-2022-0030
VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699)
https://www.vmware.com/security/advisories/VMSA-2022-0030.html
Security updates for Thursday
Security updates have been issued by Debian (dlt-daemon, jqueryui, and virglrenderer), Fedora (firefox, vim, and woff), Oracle (kernel and nodejs:18), Red Hat (java-1.8.0-ibm and redhat-ds:11), Slackware (python3), SUSE (buildah, matio, and osc), and Ubuntu (heimdal and postgresql-9.5).
https://lwn.net/Articles/917398/
Security updates for Friday
Security updates have been issued by Debian (leptonlib), Fedora (woff), Red Hat (grub2), Slackware (emacs), SUSE (busybox, chromium, java-1_8_0-openjdk, netatalk, and rabbitmq-server), and Ubuntu (gcc-5, gccgo-6, glibc, protobuf, and python2.7, python3.10, python3.6, python3.8).
https://lwn.net/Articles/917530/
Synology-SA-22:23 PWN2OWN TORONTO 2022
Multiple vulnerabilities reported by PWN2OWN TORONTO 2022 have been addressed.
https://www.synology.com/en-global/support/security/Synology_SA_22_23
AMI MegaRAC SP-X BMC Vulnerabilities
https://support.lenovo.com/product_security/PS500535-AMI-MEGARAC-SP-X-BMC-VULNERABILITIES
Security Advisory - Denial of Service Vulnerability in Huawei Smart WiFi Router
https://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-dosvihswr-8f632df1-en
K87046687: VMware Tools vulnerability CVE-2022-31676
https://support.f5.com/csp/article/K87046687
Advantech iView
https://us-cert.cisa.gov/ics/advisories/icsa-22-342-01
AVEVA InTouch Access Anywhere
https://us-cert.cisa.gov/ics/advisories/icsa-22-342-02
Rockwell Automation Logix controllers
https://us-cert.cisa.gov/ics/advisories/icsa-22-342-03