Daily summary - 23.12.2022

End-of-Day report

Timeframe: Thursday 22-12-2022 18:00 - Friday 23-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

Vice Society ransomware gang switches to new custom encryptor

The Vice Society ransomware operation has switched to using a custom ransomware encryptor that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.

https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang-switches-to-new-custom-encryptor/


Google ad traffic leads to stealer packages based on free software (Thu, Dec 22nd)

Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware.

https://isc.sans.edu/diary/rss/29376


Password manager: LastPass attackers have access to customers' password vaults

In an IT security incident at the provider of the password manager LastPass, attackers were after all able to access customer data, including stored passwords.

https://heise.de/-7441929


Source code of the access management service Okta leaked

Unknown attackers were able to access Okta's GitHub repository and copy code. The security of the service is said not to be compromised by this.

https://heise.de/-7442131


IcedID Botnet Distributors Abuse Google PPC to Distribute Malware

We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.

https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html

Vulnerabilities

Is this CVSS 10 Linux Kernel vuln going to ruin your Christmas?

Before Linux users worldwide get their panties in a panicked bunch, there appears to be more positive news: at first glance the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged into mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd, can more likely than not get back to their mince pies unperturbed.

https://thestack.technology/is-this-cvss-10-linux-kernel-vulnerability-ksmbd/
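The practical question the item above raises is whether a given host runs ksmbd at all, since Samba's smbd is a userspace daemon and is not affected. The following triage script is an added example, not code from The Stack article or from the kernel project. It assumes kernel facts the article does not spell out: the module is named ksmbd, its Kconfig symbol is CONFIG_SMB_SERVER, an initialised ksmbd registers the sysfs class /sys/class/ksmbd-control, and ksmbd first shipped in 5.15 so older kernels cannot contain it. The lsmod and kernel-config samples in the script are constructed for demonstration.

```shell
#!/bin/sh
# Added example: triage whether a Linux host runs the in-kernel ksmbd server.
# Assumptions (not stated in the article): module name "ksmbd", Kconfig symbol
# CONFIG_SMB_SERVER, sysfs class /sys/class/ksmbd-control, first release 5.15.

# Constructed sample inputs for the stand-alone demonstration at the bottom.
SAMPLE_LSMOD_KSMBD='Module                  Size  Used by
ksmbd                 356352  0
cifs                 1200128  0
xfs                  1634304  1'
SAMPLE_LSMOD_SAMBA='Module                  Size  Used by
cifs                 1200128  0
xfs                  1634304  1'
SAMPLE_CONFIG_NO_KSMBD='CONFIG_CIFS=m
# CONFIG_SMB_SERVER is not set'

# ksmbd_loaded_in TEXT
# Returns 0 if TEXT (lsmod-style output, first column = module name) lists ksmbd.
# Takes the text as an argument so it can be run on captured or constructed output.
ksmbd_loaded_in() {
    printf '%s\n' "$1" | awk '$1 == "ksmbd" { found = 1 } END { exit !found }'
}

# kernel_has_ksmbd_support VERSION
# Returns 0 if VERSION (e.g. "5.15.0-56-generic") is 5.15 or newer.
kernel_has_ksmbd_support() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 15 ]; }
}

# ksmbd_config_value CONFIGTEXT
# Prints the CONFIG_SMB_SERVER value ("y" or "m") found in a kernel config body,
# or "n" when the option is absent or commented out ("# ... is not set").
ksmbd_config_value() {
    v=$(printf '%s\n' "$1" | sed -n 's/^CONFIG_SMB_SERVER=//p' | head -n 1)
    printf '%s\n' "${v:-n}"
}

# ksmbd_status: inspects the live host and prints one word:
#   active   - ksmbd is loaded (or built in) and initialised
#   possible - kernel is 5.15+ and config does not rule ksmbd out, but it is not running
#   absent   - kernel predates ksmbd or was built without CONFIG_SMB_SERVER
ksmbd_status() {
    kver=$(uname -r)
    if ksmbd_loaded_in "$(lsmod 2>/dev/null)" || [ -d /sys/class/ksmbd-control ]; then
        echo active
        return 0
    fi
    if ! kernel_has_ksmbd_support "$kver"; then
        echo absent
        return 0
    fi
    if [ -r "/boot/config-$kver" ] \
       && [ "$(ksmbd_config_value "$(cat "/boot/config-$kver")")" = n ]; then
        echo absent
        return 0
    fi
    echo possible
}

# Stand-alone demonstration on the constructed samples, then on this host.
ksmbd_loaded_in "$SAMPLE_LSMOD_KSMBD" && echo "sample 1: ksmbd module present"
ksmbd_loaded_in "$SAMPLE_LSMOD_SAMBA" || echo "sample 2: no ksmbd module (Samba-only host)"
echo "sample config: CONFIG_SMB_SERVER=$(ksmbd_config_value "$SAMPLE_CONFIG_NO_KSMBD")"
echo "this host: $(ksmbd_status)"
```

A result of "possible" means the host could load ksmbd (for example via ksmbd.mountd from ksmbd-tools) but is not serving SMB through it right now; "active" is the case that warrants patching with priority.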


Security updates for Friday

Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).

https://lwn.net/Articles/918486/


Threat Brief: OWASSRF Vulnerability Exploitation

We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts we've observed use the same PowerShell backdoor, which we track as SilverArrow.

https://unit42.paloaltonetworks.com/threat-brief-owassrf/


CVE-2022-42889 Text4shell Apache Commons Text RCE Vulnerability

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022


PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild

https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/


Multiple vulnerabilities in IBM Java SDK affect AIX

https://www.ibm.com/support/pages/node/6851437


AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795)

https://www.ibm.com/support/pages/node/6851445


AIX is affected by a denial of service (CVE-2022-43680) due to Python

https://www.ibm.com/support/pages/node/6851439


Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022

https://www.ibm.com/support/pages/node/6848295


IBM Integration Designer is vulnerable to denial of service (CVE-2022-21626)

https://www.ibm.com/support/pages/node/6851449


Multiple vulnerabilities in IBM Java SDK affect the IBM WebSphere Application Server April and July 2022 CPU that is bundled with IBM WebSphere Application Server Patterns

https://www.ibm.com/support/pages/node/6851613