Daily summary - 12.12.2022

End-of-Day report

Timeframe: Friday 09-12-2022 18:00 - Monday 12-12-2022 18:00 Handler: Robert Waldner Co-Handler: n/a

News

Clop ransomware partners with TrueBot malware for access to networks

Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.

https://www.bleepingcomputer.com/news/security/clop-ransomware-partners-with-truebot-malware-for-access-to-networks/


Popular WAFs Subverted by JSON Bypass

Web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack using the popular JavaScript Object Notation (JSON) format.

https://www.darkreading.com/application-security/popular-wafs-json-bypass


On-device WebAuthn and what makes it hard to do well

WebAuthn improves login security a lot by making it significantly harder for a user's credentials to be misused - a WebAuthn token will only respond to a challenge if it's issued by the site a secret was issued to, and in general will only do so if the user provides proof of physical presence[1]. But giving people tokens is tedious and also I have a new laptop which only has USB-C but does have a working fingerprint reader and I [...]

https://mjg59.dreamwidth.org/62746.html


Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant

Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks, which took place during 2020 and 2021 and likely went as far back as 2015, involved a revamped variant of a malware called Janicab that leverages a number of public services like WordPress [...]

https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.html


Log4j's Log4Shell Vulnerability: One Year Later, It's Still Lurking

Despite mitigation, one of the worst bugs in internet history is still prevalent, and being exploited.

https://www.wired.com/story/log4j-log4shell-one-year-later/


Practically-exploitable Cryptographic Vulnerabilities in Matrix

We report several practically-exploitable cryptographic vulnerabilities in the end-to-end encryption in Matrix and describe proof-of-concept attacks exploiting these vulnerabilities. [...] Whilst the language of the paper and this website is in present tense, many of the vulnerabilities disclosed have been fixed. See our paper (or Matrix's website) for more details.

https://nebuchadnezzar-megolm.github.io/


Cisco Working on Patch for Publicly Disclosed IP Phone Vulnerability

Cisco informed customers on Thursday that it's working on patches for a high-severity vulnerability affecting some of its IP phones.

https://www.securityweek.com/cisco-working-patch-publicly-disclosed-ip-phone-vulnerability


How to protect yourself from problematic online shops

We regularly receive reports of online shops that are not fake shops but are nonetheless problematic: delivery times are not met, product quality leaves much to be desired, or high customs or return costs arise. We show you what to look out for so that you don't get any nasty surprises when shopping online!

https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-problematischen-online-shops/


How to protect yourself from subscription traps on the internet

Nobody gives anything away for free on the internet either! Be careful with offers that are too good to be true. Criminals use such "offers" to lure you into a trap. If you notice that amounts are being debited from your account without your consent, it may well be a subscription trap!

https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-abo-fallen-im-internet/


What to do if you have fallen into a subscription trap?

If you are looking for free offers and free trial versions, you will quickly find them on the internet. But beware: not all that glitters is gold! These are often subscription traps, where you are sent unjustified invoices or amounts are debited from your account, and you are threatened with debt collection agencies or lawyers' letters. The solution? Do not pay under any circumstances!

https://www.watchlist-internet.at/news/was-tun-wenn-sie-in-eine-abo-falle-getappt-sind/


Precious Gemstones: The New Generation of Kerberos Attacks

Unit 42 researchers show new methods to improve detection of a next-gen line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access.

https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/

Vulnerabilities

FortiOS - heap-based buffer overflow in sslvpnd

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise: [...]

https://www.fortiguard.com/psirt/FG-IR-22-398


Security updates for Monday

Security updates have been issued by Debian (cacti, grub2, hsqldb, node-eventsource, and openexr), Fedora (bcel, keylime, rust-capnp, rust-sequoia-octopus-librnp, xfce4-screenshooter, and xfce4-settings), Oracle (nodejs:18), Scientific Linux (grub2), Slackware (libarchive), SUSE (go1.18, go1.19, nautilus, opera, python-slixmpp, and samba), and Ubuntu (python2.7, python3.5, qemu, and squid3).

https://lwn.net/Articles/917690/


IFM: weak password recovery vulnerability in moneo appliance

Summary: An unauthenticated remote attacker could reset the administrator's password using information from the default, self-signed certificate. Impact: An unauthenticated attacker can remotely reset the administrator password. Solution: Mitigation: The certificate is renewed by changing the hostname to a customer-specific one, so that it no longer contains the serial number. Remediation: The password-reset mechanism will be updated in a future version.

https://cert.vde.com/de/advisories/VDE-2022-050/


IBM Security Bulletins 2022-12-09 - 2022-12-12

Apache Commons HttpClient 3.x (and few others), Apache POI, IBM App Connect Enterprise, IBM® Db2® Net Search Extender, IBM Elastic Storage System, IBM Engineering Workflow Management (EWM), IBM InfoSphere Information Server, IBM Spectrum Copy Data Management, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, IBM Spectrum Scale packaged in IBM Elastic Storage Server, IBM Spectrum Scale packaged in IBM Elastic Storage System, IBM Tivoli Application Dependency Discovery Manager (TADDM), Rational Team Concert (RTC), z/Transaction Processing Facility

https://www.ibm.com/support/pages/bulletin/


Intel Data Center Manager 5.1 Local Privilege Escalation

https://cxsecurity.com/issue/WLB-2022120027