Daily Summary - 21.12.2022

End-of-Day report

Timeframe: Tuesday 20-12-2022 18:00 - Wednesday 21-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

Hackers bombard PyPi platform with information-stealing malware

The PyPI Python package repository is being bombarded by a wave of information-stealing malware hidden inside malicious packages uploaded to the platform to steal software developers' data.

https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platform-with-information-stealing-malware/


VirusTotal cheat sheet makes it easy to search for specific results

VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform.

https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makes-it-easy-to-search-for-specific-results/


FBI warns of search engine ads pushing malware, phishing

The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.

https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-ads-pushing-malware-phishing/


Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT

After Microsoft announced this year that macros in files from the Internet will be blocked by default in Office, many threat actors have switched to different file types, such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware. The campaign described here instead relies on Microsoft Publisher, which is not among the applications covered by that default block.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat/


Fake jQuery Domain Redirects Site Visitors to Scam Pages

A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing.

https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html


Parental control apps: smart kids could attack their parents

Security researchers examined Android apps that let parents restrict their children's internet access. Vulnerabilities, however, weaken that protection.

https://heise.de/-7435146


Adult popunder campaign used in mainstream ad fraud scheme

Taking advantage of cost-effective, high-traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads underneath what appears to be an XXX page.

https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunder-campaign-used-in-mainstream-ad-fraud-scheme


Meddler-in-the-Middle Phishing Attacks Explained

Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.

https://unit42.paloaltonetworks.com/meddler-phishing-attacks/


Godfather: A banking Trojan that is impossible to refuse

Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries.

https://blog.group-ib.com/godfather-trojan


Didn't Notice Your Rate Limiting: GraphQL Batching Attack

In this article, we will discuss how allowing multiple queries, or requesting multiple object instances, in a single network call can be abused, leading to massive data leaks or Denial of Service (DoS).

https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching-attack/
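The point of the batching attack is that a rate limiter which counts HTTP requests never sees the hundreds of login attempts or object lookups packed into one request, whether as a JSON array of operations or as aliased repetitions of the same field. The following is an added example, not code from the Checkmarx article: a small heuristic scanner that counts how many times each field is actually selected in a request body, resolving aliases, so a per-field budget can be enforced before the query is executed. The sample payloads, the `login` field, the `budget` dictionary and all function names are constructed for illustration; the scanner is a token heuristic, not a full GraphQL parser.

```python
"""Count per-field hits in a GraphQL request body to catch batching abuse.

Constructed example: two ways to cram several login attempts into a single
HTTP request so that a request-counting rate limiter sees only one request.
"""
import json
import re
from collections import Counter

# Alias batching: one operation, the same field selected three times.
ALIAS_BATCH = """
mutation {
  a1: login(username: "admin", password: "123456") { token }
  a2: login(username: "admin", password: "password") { token }
  a3: login(username: "admin", password: "letmein") { token }
}
"""

# Array batching: a JSON array of operations in one POST body.
ARRAY_BATCH = json.dumps([
    {"query": 'mutation { login(username: "admin", password: "123456") { token } }'},
    {"query": 'mutation { login(username: "admin", password: "qwerty") { token } }'},
])

_STRING_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_COMMENT_RE = re.compile(r"#[^\n]*")
_DIRECTIVE_RE = re.compile(r"@\w+")
_TOKEN_RE = re.compile(r"[A-Za-z_]\w*|[{}:]")
_OPERATION_KEYWORDS = {"query", "mutation", "subscription"}


def _strip_arguments(src):
    """Drop balanced (...) groups so argument 'name: value' pairs, variable
    definitions and directive arguments are not mistaken for aliases."""
    out, depth = [], 0
    for ch in src:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def field_hits(document):
    """Return Counter{field_name: times selected} for one GraphQL document.
    Aliases are resolved: 'a1: login' counts as a hit on 'login'.
    Heuristic: fields literally named 'query', 'on' etc. would be skipped."""
    cleaned = _STRING_RE.sub('""', document)
    cleaned = _COMMENT_RE.sub("", cleaned)
    cleaned = _strip_arguments(cleaned)
    cleaned = _DIRECTIVE_RE.sub("", cleaned)
    tokens = _TOKEN_RE.findall(cleaned)

    hits = Counter()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("{", "}", ":"):
            i += 1
        elif tok in _OPERATION_KEYWORDS:
            i += 1
            if i < len(tokens) and tokens[i] != "{":
                i += 1  # skip the operation name
        elif tok == "fragment":
            i += 2  # skip 'fragment Name'
        elif tok == "on":
            i += 2  # skip 'on TypeName' in fragments and inline spreads
        elif i + 2 < len(tokens) and tokens[i + 1] == ":":
            hits[tokens[i + 2]] += 1  # alias form: NAME ':' FIELD
            i += 3
        else:
            hits[tok] += 1
            i += 1
    return hits


def request_hits(body):
    """Per-field hits for a whole HTTP request. `body` is a raw GraphQL document
    (str) or a parsed array-batched JSON body (list of {"query": ...})."""
    docs = [item["query"] for item in body] if isinstance(body, list) else [body]
    total = Counter()
    for doc in docs:
        total.update(field_hits(doc))
    return total


def exceeds_budget(body, budget):
    """budget maps field name -> max selections allowed per request.
    Returns the sorted list of fields over budget (empty means accept)."""
    hits = request_hits(body)
    return sorted(name for name, limit in budget.items() if hits[name] > limit)


if __name__ == "__main__":
    budget = {"login": 1}  # one authentication attempt per HTTP request
    print("alias batch:", exceeds_budget(ALIAS_BATCH, budget))
    print("array batch:", exceeds_budget(json.loads(ARRAY_BATCH), budget))
```

Run as a pre-execution check in the GraphQL middleware and key the rate limiter on the returned hit counts rather than on request count; rejecting array batching outright (or capping its length) and setting per-field budgets for authentication and enumeration fields closes both variants described in the article.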


A Technical Analysis of CVE-2022-22583 and CVE-2022-32800

This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report.

https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-2022-22583-and-cve-2022-32800.html


Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks

In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.

https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html

Vulnerabilities

Patch now! Attacks on Exchange Server seen in the ProxyNotShell context

Security researchers warn of a new exploit that bypasses ProxyNotShell mitigations. Security updates are available, however.

https://heise.de/-7434860


Security updates for Wednesday

Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils).

https://lwn.net/Articles/918313/


Passwordless Persistence and Privilege Escalation in Azure

Adversaries are always looking for stealthy means of maintaining long-term persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons.

https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f


Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries

https://jvn.jp/en/jp/JVN29902403/


Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking

https://www.securityweek.com/critical-vulnerability-hikvision-wireless-bridges-allows-cctv-hacking


Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released

https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-esr-released/


Privilege escalation in Razer Synapse (SYSS-2022-047)

https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-2022-047


IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the packages org.yaml:snakeyaml and jackson-databind

https://www.ibm.com/support/pages/node/6849213


GraphQL Denial of Service security vulnerability CVE-2022-37734

https://www.ibm.com/support/pages/node/6828663


IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256)

https://www.ibm.com/support/pages/node/6849223


Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component

https://www.ibm.com/support/pages/node/6849249


OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617)

https://www.ibm.com/support/pages/node/6850775