End-of-Day report
Timeframe: Friday 16-12-2022 18:00 - Monday 19-12-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
Infostealer Malware with Double Extension, (Sun, Dec 18th)
Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a RAR archive, which is a somewhat unusual choice for this type of file, but when extracted it comes out with a double extension, pdf.exe. The file is a trojan infostealer and is detected by multiple scanning engines.
https://isc.sans.edu/diary/rss/29354
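The check a mail gateway or triage script would want for this pattern, as an added example (not code from the ISC diary): inspect archive member names before anything is extracted and flag names whose last extension is executable while the one before it imitates a document. The member names below are constructed for illustration and are not the contents of the actual malicious archive; the extension lists and function names are this example's own choices. It goes slightly beyond the diary in also tolerating whitespace padding between the two extensions, a common variant of the same lure.

```python
import re
import zipfile

# Final extensions Windows will execute on double-click (assumed list).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
# Extensions a lure borrows to look like a harmless document or image (assumed list).
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                "rtf", "txt", "jpg", "jpeg", "png", "gif"}


def check_name(name):
    """Return (fake_ext, real_ext) if `name` is a deceptive double extension
    such as payment_copy.pdf.exe, otherwise None.

    Case is ignored and whitespace around the dots is tolerated, because lures
    often pad the name so the real extension scrolls out of view in a file
    dialog (e.g. "invoice.pdf          .exe").
    """
    # Archive members may carry a directory prefix with either separator.
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = re.split(r"\s*\.\s*", base.strip())
    if len(parts) < 3:
        return None
    fake_ext, real_ext = parts[-2].lower(), parts[-1].lower()
    if real_ext in EXECUTABLE_EXT and fake_ext in DOCUMENT_EXT:
        return fake_ext, real_ext
    return None


def scan_names(names):
    """Scan an iterable of member names; return [(name, fake_ext, real_ext), ...]."""
    hits = []
    for n in names:
        r = check_name(n)
        if r:
            hits.append((n, r[0], r[1]))
    return hits


def scan_zip(path):
    """Scan a ZIP archive by listing its members, without extracting anything.
    A RAR archive like the .z file in the diary needs a third-party module
    (e.g. rarfile); the idea is the same: iterate namelist(), never extract."""
    with zipfile.ZipFile(path) as zf:
        return scan_names(zf.namelist())


# Constructed sample member names for demonstration (not from the real archive).
SAMPLE_MEMBERS = [
    "payment_copy.pdf.exe",
    "invoice.docx",
    "report.PDF.scr",
    "invoice.pdf          .exe",
    "archive.tar.gz",
    "setup.exe",
]

if __name__ == "__main__":
    for name, fake, real in scan_names(SAMPLE_MEMBERS):
        print(f"SUSPICIOUS {name!r}: looks like .{fake}, actually .{real}")
```

Note that plain "setup.exe" is deliberately not flagged: the check targets the deception, not executables in general, so it complements rather than replaces an attachment policy that blocks executable content outright.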
Day 3 - Next Level Font Obfuscation
Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable.
https://medium.com/@doctoreww/day-3-next-level-font-obfuscation-7a6cd978c7a5
Venom
Venom is a C++ library that is meant to give an alternative way to communicate: instead of creating a socket that could be traced back to the process, it creates a new "hidden" (no window is shown) detached Edge process (Edge was chosen because it is a browser that is installed on every Windows 10+ system and won't raise suspicion) and steals one of its sockets to perform the network operations.
https://github.com/Idov31/Venom
Exploiting API Framework Flexibility
Modern frameworks are often very flexible about what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL-encoded body, or even with query parameters. Because of this, a JSON XSS vector that is unexploitable on its own (a cross-origin page cannot make a victim's browser send a JSON POST) can sometimes be made exploitable by flipping it to one of these alternative delivery methods, such as a plain link with the payload in the query string.
https://attackshipsonfi.re/p/exploiting-api-framework-flexibility
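A worked illustration of that flexibility, as an added example that is not code from the linked article or from any particular framework: a tiny parameter-parsing layer that merges query string, form body and JSON body the way a permissive framework does, next to a strict one that only accepts what the endpoint was designed for. The reflecting handler `greet` is deliberately unescaped so the point stays visible; `PAYLOAD`, the request tuples and all function names are this example's own constructions.

```python
import html
import json
from urllib.parse import parse_qs, quote

PAYLOAD = "<img src=x onerror=alert(1)>"


def parse_flexible(method, content_type, body, query):
    """Mimic a permissive framework: the same key may arrive in the query
    string, a form-encoded body or a JSON body, and the handler never learns
    which channel delivered it."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if body:
        if content_type.startswith("application/json"):
            params.update(json.loads(body))
        elif content_type.startswith("application/x-www-form-urlencoded"):
            params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params


def parse_strict(method, content_type, body, query):
    """Hardened: accept only the documented shape, a POST with a JSON body.
    Rejecting other shapes before the handler runs removes the link-based
    delivery channel even if the sink itself is not yet fixed."""
    if method != "POST":
        raise ValueError("method not allowed")
    if not content_type.startswith("application/json"):
        raise ValueError("unsupported media type")
    if query:
        raise ValueError("query parameters not accepted here")
    return json.loads(body)


def greet(params):
    """The sink: reflects `name` into HTML without escaping (deliberately vulnerable)."""
    return f"<p>Hello {params.get('name', '')}</p>"


def greet_safe(params):
    """The actual fix for the sink: escape on output regardless of delivery channel."""
    return f"<p>Hello {html.escape(params.get('name', ''))}</p>"


def run(parser, handler, request):
    """Feed one constructed request through a parser and a handler."""
    method, content_type, body, query = request
    try:
        return handler(parser(method, content_type, body, query))
    except ValueError as exc:
        return f"rejected: {exc}"


# Three constructed requests carrying the same payload over three channels.
REQUESTS = [
    ("POST", "application/json", json.dumps({"name": PAYLOAD}), ""),
    ("POST", "application/x-www-form-urlencoded", "name=" + quote(PAYLOAD), ""),
    ("GET", "", "", "name=" + quote(PAYLOAD)),   # deliverable as a plain link
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req[0], req[1] or "(no body)")
        print("  flexible:", run(parse_flexible, greet, req))
        print("  strict:  ", run(parse_strict, greet, req))
```

With the flexible parser all three requests reach the sink with an identical payload, so the GET link is enough for a drive-by; the strict parser lets only the original JSON POST through, and `greet_safe` neutralises the payload on every channel. In a real review, check both: which channels the framework silently accepts for the endpoint, and whether the sink escapes.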
Fake shops and phishing SMS: the scams of the online Christmas season
Christmas once again means peak season for fraudsters who go after their victims' money with fake shops and misleading SMS messages.
https://www.derstandard.at/story/2000141845543/fake-shops-und-phishing-sms-die-betrugsmaschen-im-online-weihnachtsgeschaeft
BSI publishes 19 IT-Grundschutz building blocks as Final Drafts
A short note for administrators and IT service providers working in the enterprise environment. The German Federal Office for Information Security (BSI) this week published 19 so-called IT-Grundschutz building blocks (Bausteine) as Final Drafts. They range from .NET and Active Directory Domain Services to Windows Server.
https://www.borncity.com/blog/2022/12/18/bsi-legt-19-it-grundschutz-bausteine-als-final-draft-vor/
Vulnerabilities
Cisco Security Advisories 2022-12-16 - 2022-12-18
Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium)
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastPublishedStartDate=2022%2F12%2F15&lastPublishedEndDate=2022%2F12%2F17
HP addresses code-execution vulnerabilities with BIOS updates
Security updates close several vulnerabilities in HP computers. Some of the vulnerabilities affect AMD-based systems only.
https://heise.de/-7398783
Security updates for Monday
Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).
https://lwn.net/Articles/918203/
Synology-SA-22:24 Samba AD DC
Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraints via a susceptible version of Synology Directory Server.
https://www.synology.com/en-global/support/security/Synology_SA_22_24
Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329
Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash.
https://support.citrix.com/article/CTX473048/citrix-hypervisor-security-bulletin-for-cve20223643-cve202242328-cve202242329
Zenphoto vulnerable to cross-site scripting
https://jvn.jp/en/jp/JVN06093462/
Corel Roxio Creator LJB starts a program with an unquoted file path
https://jvn.jp/en/jp/JVN13075438/
ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-1681/
DLL Search Order Hijacking Vulnerability in the DWG TrueView Desktop Software
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0024
Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628)
https://www.ibm.com/support/pages/node/6845928
IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364)
https://www.ibm.com/support/pages/node/6841801
IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256)
https://www.ibm.com/support/pages/node/6848587
IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166)
https://www.ibm.com/support/pages/node/6848585
IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012)
https://www.ibm.com/support/pages/node/6848583
IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486)
https://www.ibm.com/support/pages/node/6848577
UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705)
https://www.ibm.com/support/pages/node/6848581
Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator
https://www.ibm.com/support/pages/node/6848847
IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities
https://www.ibm.com/support/pages/node/6848879