Daily summary - 22.12.2022

End-of-Day report

Timeframe: Wednesday 21-12-2022 18:00 - Thursday 22-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a

News

FIN7 hackers create auto-attack platform to breach Exchange servers

The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.

https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-attack-platform-to-breach-exchange-servers/


Ransomware and wiper signed with stolen certificates

In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.

https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/


Microsoft research uncovers new Zerobot capabilities

The Microsoft Defender for IoT research team details information on the recent distribution of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities.

https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/


"Suspicious login" scammers up their game - take care at Christmas

A picture is worth 1024 words - we clicked through so you don't have to.

https://nakedsecurity.sophos.com/2022/12/21/suspicious-login-scammers-up-their-game-take-care-at-christmas/


New Android trojan targets banking apps and crypto platforms

A new banking malware named Godfather targets 16 countries, Germany among them. It records input in more than 415 banking and crypto apps.

https://heise.de/-7441440


Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata

If the site is hosted on an Amazon Web Services (AWS) server, then collecting the AWS metadata is relatively simple. This exploit only requires calling the appropriate REST API endpoint with the right payload in the "url" parameter to achieve a successful exploit.

https://www.wordfence.com/blog/2022/12/exploiting-wordpress-plugin-vulnerabilities-to-steal-aws-metadata/


Qakbot Being Distributed via Virtual Disk Files (*.vhd)

There's been a recent increase in the distribution of malware using disk image files.

https://asec.ahnlab.com/en/44662/


Vidar Stealer Exploiting Various Platforms

Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2.

https://asec.ahnlab.com/en/44554/

Vulnerabilities

Critical Windows code-execution vulnerability went undetected until now

Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it's wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems.

https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/


Security updates: attackers could compromise Synology routers

Current versions of Synology Router Manager close several security vulnerabilities. The vendor rates the severity as critical.

https://heise.de/-7440888


Important security updates for Avira Security, AVG Antivirus & Co.

Norton has closed several security vulnerabilities in its portfolio of anti-virus software. Attackers could gain elevated user privileges.

https://heise.de/-7441040


Puckungfu: A NETGEAR WAN Command Injection

This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router's WAN interface.

https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-injection/


Security updates for Thursday

Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3).

https://lwn.net/Articles/918379/


Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service

Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution.

https://blog.talosintelligence.com/vulnerability-spotlight-openimageio-file-processing-issues-could-lead-to-arbitrary-code-execution-sensitive-information-leak-and-denial-of-service/


Two New Security Flaws Reported in Ghost CMS Blogging Software

https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html


Security Vulnerabilities fixed in Thunderbird 102.6.1

https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/


Priva TopControl Suite

https://us-cert.cisa.gov/ics/advisories/icsa-22-356-01


Rockwell Automation Studio 5000 Logix Emulate

https://us-cert.cisa.gov/ics/advisories/icsa-22-356-02


Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series

https://us-cert.cisa.gov/ics/advisories/icsa-22-356-03


Omron CX-Programmer

https://us-cert.cisa.gov/ics/advisories/icsa-22-356-04


IBM Content Navigator is vulnerable to missing authorization.

https://www.ibm.com/support/pages/node/6844453


Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition

https://www.ibm.com/support/pages/node/6851347


Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affect CICS Transaction Gateway

https://www.ibm.com/support/pages/node/6851337


Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affect CICS Transaction Gateway Desktop Edition

https://www.ibm.com/support/pages/node/6851351


Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway

https://www.ibm.com/support/pages/node/6851339


Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition

https://www.ibm.com/support/pages/node/6851345


Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway

https://www.ibm.com/support/pages/node/6851343


Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway Desktop Edition

https://www.ibm.com/support/pages/node/6851349


Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition

https://www.ibm.com/support/pages/node/6851341