End-of-Day report
Timeframe: Friday 23-12-2022 18:00 - Tuesday 27-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
EarSpy attack eavesdrops on Android phones via motion sensors
A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the caller's gender and identity, and even discern private speech.
https://www.bleepingcomputer.com/news/security/earspy-attack-eavesdrops-on-android-phones-via-motion-sensors/
Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes
A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware.
https://www.darkreading.com/cloud/container-verification-bug-malicious-images-free-rein-kubernetes
BlueNoroff introduces new methods bypassing MoTW
We continue to track the BlueNoroff group's activities and this October we observed the adoption of new malware strains in its arsenal.
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
DShield Sensor Setup in Azure, (Wed, Dec 21st)
In November I set up the DShield sensor in my Azure tenant using Ubuntu version 20.04. Here are the steps I followed.
https://isc.sans.edu/diary/rss/29370
GuLoader Malware Utilizing New Techniques to Evade Security Software
Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.
https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html
Navigating the Vast Ocean of Sandbox Evasions
After creating a bespoke sandbox environment, we discuss techniques used to target malware evasions with memory detection and more.
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/
Reminder: Basic Authentication in Exchange Online will be switched off in 2023
Microsoft recently issued a reminder that so-called Basic Authentication in Exchange Online is being retired and will be switched off in the coming year.
https://www.borncity.com/blog/2022/12/27/erinnerung-basic-authentication-in-exchange-online-wird-2023-abgeschaltet/
Caution! Malware Signed With Microsoft Certificate
Microsoft announced details on the distribution of malware signed with a Microsoft certificate. According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer accounts. To prevent damage, Microsoft blocked the related accounts and applied a security update (Microsoft Defender 1.377.987.0 or later).
https://asec.ahnlab.com/en/44726/
Distribution of Magniber Ransomware Stops (Since November 29th)
Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted.
https://asec.ahnlab.com/en/43858/
Inside the IcedID BackConnect Protocol
As part of our ongoing tracking of IcedID / BokBot, we wanted to share some insights derived from infrastructure associated with IcedID's BackConnect (BC) protocol.
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
Vulnerabilities
Ksmbd: Critical vulnerability in the Linux kernel's SMB service
Since last year the Linux kernel has had its own SMB implementation. It contains a very dangerous vulnerability; updates are available.
https://www.golem.de/news/ksmbd-kritische-luecke-im-smb-dienst-des-linux-kernel-2212-170747.html
Security updates for Monday
Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).
https://lwn.net/Articles/918607/
Security updates for Tuesday
Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).
https://lwn.net/Articles/918631/
Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks
Defiant's Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks.
https://www.securityweek.com/critical-vulnerability-premium-gift-cards-wordpress-plugin-exploited-attacks
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0011
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
https://webkitgtk.org/security/WSA-2022-0011.html
Cross-Site Scripting in the admin panel of Lucee Server (SYSS-2022-051)
The admin panel of Lucee Server contains a cross-site scripting (XSS) vulnerability. Attackers can thereby execute JavaScript code in the victim's browser.
https://www.syss.de/pentest-blog/cross-site-scripting-im-admin-panel-von-lucee-server-syss-2022-051
MISP 2.4.167 released with many improvements, bug fixes and security fixes.
https://github.com/MISP/MISP/releases/tag/v2.4.167