End-of-Day report
Timeframe: Thursday 22-12-2022 18:00 - Friday 23-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
Vice Society ransomware gang switches to new custom encryptor
The Vice Society ransomware operation has switched to using a custom ransomware encryptor that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.
https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang-switches-to-new-custom-encryptor/
Google ad traffic leads to stealer packages based on free software, (Thu, Dec 22nd)
Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware.
https://isc.sans.edu/diary/rss/29376
Password manager: LastPass hackers have access to customers' password vaults
In an IT security incident at the provider of the LastPass password manager, attackers were after all able to access customer data, including stored passwords.
https://heise.de/-7441929
Source code of the access management service Okta leaked
Unknown attackers were able to access Okta's GitHub repository and copy code. The security of the service is said not to be compromised by this.
https://heise.de/-7442131
IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html
Vulnerabilities
Is this CVSS 10 Linux Kernel vuln going to ruin your Christmas?
Before Linux users worldwide get panties in a panicked bunch, there appears to be more positive news however: At first glance the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd, can more likely than not get back their mince pies unperturbed.
https://thestack.technology/is-this-cvss-10-linux-kernel-vulnerability-ksmbd/
Security updates for Friday
Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).
https://lwn.net/Articles/918486/
Threat Brief: OWASSRF Vulnerability Exploitation
We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts we've observed use the same PowerShell backdoor, which we track as SilverArrow.
https://unit42.paloaltonetworks.com/threat-brief-owassrf/
CVE-2022-42889 Text4shell Apache Commons Text RCE Vulnerability
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild
https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/
Multiple vulnerabilities in IBM Java SDK affect AIX
https://www.ibm.com/support/pages/node/6851437
AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795)
https://www.ibm.com/support/pages/node/6851445
AIX is affected by a denial of service (CVE-2022-43680) due to Python
https://www.ibm.com/support/pages/node/6851439
Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022
https://www.ibm.com/support/pages/node/6848295
IBM Integration Designer is vulnerable to denial of service (CVE-2022-21626)
https://www.ibm.com/support/pages/node/6851449
Multiple vulnerabilities in IBM Java SDK affect the IBM WebSphere Application Server April and July 2022 CPU that is bundled with IBM WebSphere Application Server Patterns
https://www.ibm.com/support/pages/node/6851613