Daily summary - 20.12.2022

End-of-Day report

Timeframe: Monday 19-12-2022 18:00 - Tuesday 20-12-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer

News

Linux File System Monitoring & Actions, (Tue, Dec 20th)

There can be several reasons to keep an eye on a critical or suspicious file or directory. For example, you could track an attacker and wait for the next access to the credentials captured by a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements FIM (File Integrity Monitoring); upon a file change, an action is triggered. Nice, but what if you want a quick, agentless solution?

https://isc.sans.edu/diary/rss/29362
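
As an added example for this entry (not code from the ISC diary, whose own tooling may differ), a small polling-based integrity check in Python: it baselines a directory tree with SHA-256 hashes and mtimes, re-scans it, classifies files as created, modified, deleted or merely touched (mtime changed, content identical), and calls an action callback per change. The phishing-kit directory and the attacker activity in demo() are constructed.

```python
"""Agentless file-integrity check by polling: baseline a directory tree with
SHA-256 hashes, re-scan later, classify changes and fire an action per change.

Added example for this digest entry; not the ISC diary's own code and not
tied to any specific tool. The phishing-kit directory in demo() is constructed.
"""
import hashlib
import os
import tempfile
from typing import Callable, Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]  # relative path -> (sha256 hex, mtime_ns)


def _file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large logs are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Record digest and mtime for every regular file under root (symlinks skipped)."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (_file_digest(full), os.stat(full).st_mtime_ns)
    return baseline


def diff_baselines(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Classify changes between two scans.

    'touched' covers files whose mtime moved but whose content did not (a
    timestomped file or a no-op rewrite): a pure mtime watcher would report
    these as content changes, a pure hash comparison would not see them at all.
    """
    common = set(old) & set(new)
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p][0] != new[p][0]),
        "touched": sorted(p for p in common
                          if old[p][0] == new[p][0] and old[p][1] != new[p][1]),
    }


def check_and_act(root: str, baseline: Baseline,
                  on_change: Callable[[str, str], None]) -> Tuple[Dict[str, List[str]], Baseline]:
    """Re-scan root, call on_change(kind, relpath) for each change, return the new baseline."""
    current = build_baseline(root)
    changes = diff_baselines(baseline, current)
    for kind, paths in changes.items():
        for p in paths:
            on_change(kind, p)
    return changes, current


def _write(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake phishing kit, then simulate attacker activity."""
    with tempfile.TemporaryDirectory() as root:
        kit = os.path.join(root, "kit")
        os.makedirs(kit)
        _write(os.path.join(kit, "logs.txt"), "victim1:hunter2\n")
        _write(os.path.join(kit, "index.php"), "<?php // fake login page\n")
        _write(os.path.join(kit, "config.php"), "<?php $to = 'drop@example.invalid';\n")
        base = build_baseline(root)

        # Attacker activity after the baseline was taken (all constructed):
        _write(os.path.join(kit, "logs.txt"), "victim1:hunter2\nvictim2:letmein\n")  # new credential logged
        _write(os.path.join(kit, "shell.php"), "<?php // dropped web shell\n")       # new file
        os.remove(os.path.join(kit, "index.php"))                                    # file removed
        os.utime(os.path.join(kit, "config.php"), ns=(0, 0))                          # timestomped, content unchanged

        changes, _ = check_and_act(root, base, lambda kind, p: print(f"[{kind}] {p}"))
        return changes


if __name__ == "__main__":
    demo()
```

In a real deployment the callback would do the alerting (mail, webhook, or a copy of the changed file to an evidence store) and the loop would run from cron or a sleep loop; polling trades the immediacy of an inotify watch for not needing any extra tooling on the host.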


ChatGPT: Emerging AI Threat Landscape

ChatGPT is a prototype chatbot released by OpenAI. It is powered by AI and is gaining more traction than previous chatbots because it not only interacts in a conversational manner but can also write code and handle many other complex questions and requests.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-emerging-ai-threat-landscape/


Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems

Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications.

https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html


Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg

We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior.

https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/


clif - simple command-line application fuzzer

clif is a command-line application fuzzer, pretty much what wfuzz or ffuf are for the web. It was inspired by the sudo vulnerability CVE-2021-3156 and by the fact that, for some reason, Google's afl-fuzz does not allow unlimited argument or option specification.

https://andy.codes/content/blog/2022-12-20-clif.html


Better Make Sure Your Password Manager Is Secure

As part of a security analysis, our colleagues kuekerino, ubahnverleih and parzel examined Click Studios' password management solution Passwordstate and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application.

https://www.modzero.com/modlog/archives/2022/12/19/better_make_sure_your_password_manager_is_secure/index.html


New RisePro Infostealer Increasingly Popular Among Cybercriminals

A recently identified information stealer named "RisePro" is being distributed by the pay-per-install malware downloader service "PrivateLoader", threat intelligence firm Flashpoint reports. Written in C++, RisePro harvests potentially sensitive information from the compromised machine and then attempts to exfiltrate it as logs.

https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-among-cybercriminals


Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins

As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.

https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/


Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities

More than two years ago, the researcher A2nkF demonstrated an exploit chain from root privilege escalation to SIP bypass and on to arbitrary kernel extension loading. In this blog entry, we will discuss how we discovered 3 more vulnerabilities from that old exploit chain.

https://www.trendmicro.com/en_us/research/22/l/diving-into-an-old-exploit-chain-and-discovering-3-new-sip-bypas.html


Raspberry Robin Malware Targets Telecom, Governments

We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning in September. The main payload itself is packed with more than 10 layers of obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.

https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html


Web3 IPFS Only Used for Phishing - So Far

We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.

https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phishingso-far.html

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird).

https://lwn.net/Articles/918268/


Foxit Patches Code Execution Flaws in PDF Tools

Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products.

https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools


[R1] Nessus Network Monitor Version 6.2.0 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2022-28


Fuji Electric Tellus Lite V-Simulator

https://us-cert.cisa.gov/ics/advisories/icsa-22-354-01


Rockwell Automation GuardLogix and ControlLogix controllers

https://us-cert.cisa.gov/ics/advisories/icsa-22-354-02


ARC Informatique PcVue

https://us-cert.cisa.gov/ics/advisories/icsa-22-354-03


Rockwell Automation MicroLogix 1100 and 1400

https://us-cert.cisa.gov/ics/advisories/icsa-22-354-04


Delta 4G Router DX-3021

https://us-cert.cisa.gov/ics/advisories/icsa-22-354-05


Multiple vulnerabilities in Mozilla Firefox (versions earlier than Firefox 102.5 ESR) affect Synthetic Playback Agent 8.1.4.0-8.1.4 IF16

https://www.ibm.com/support/pages/node/6849101


IBM UrbanCode Build is affected by CVE-2022-42252

https://www.ibm.com/support/pages/node/6849111


IBM UrbanCode Build is affected by CVE-2021-43980

https://www.ibm.com/support/pages/node/6849109


IBM UrbanCode Build is affected by CVE-2022-34305

https://www.ibm.com/support/pages/node/6849107