Daily summary - 09.05.2022

End-of-Day report

Timeframe: Friday 06-05-2022 18:00 - Monday 09-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Help for analysing malicious documents

The SANS Institute has published a new "cheat sheet" intended to help with the malware analysis of various document types.

https://heise.de/-7079601


Utimaco, the crypto miner and a disclosure disaster

Even providers of high-security solutions are not immune to security problems. One should prepare before learning of them, says Jürgen Schmidt.

https://heise.de/-7079962


Patch now! Attacks on F5 BIG-IP systems could be imminent

Security researchers developed exploit code in a comparatively short time. Attackers could do the same. Admins should update BIG-IP products.

https://heise.de/-7079049


Do not buy shoes from the Instagram account "wesleyroberts375"

The Instagram page "wesleyroberts375" shows numerous photos of Nike shoes, mostly models that are sold out everywhere else. Anyone who wants to buy a shoe or find out the price has to send the Instagram user a private message. Caution: there is no real online shop behind the "wesleyroberts375" profile. You will be defrauded. Do not send money or voucher codes!

https://www.watchlist-internet.at/news/kaufen-sie-keine-schuhe-vom-instagram-account-wesleyroberts375/


Threats in the cloud

Laurie Mercer, Security Engineer at HackerOne, describes in a guest article the biggest security risks of cloud use and how hackers contribute to greater security.

https://www.zdnet.de/88401108/bedrohungen-in-der-cloud/


Hardened online banking browser S-Protect, a total failure

What the Deutscher Sparkassen- und Giroverband has initiated sounds good. With S-Protect it presents a "hardened" browser that is meant to better protect online banking customers against the risks of banking on Windows PCs or Macs. The catch: [...]

https://www.borncity.com/blog/2022/05/09/gehrteter-online-banking-browser-s-protect-ein-totalausfall/


Caramel credit card stealing service is growing in popularity

A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud.

https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing-service-is-growing-in-popularity/


Constrained environment breakout. .NET Assembly exfiltration via Internet Options

It's not uncommon for developers to find that they need to help their end users. For starters, the business requirements for software can be highly convoluted and technical. Working with [...]

https://www.pentestpartners.com/security-blog/constrained-environment-breakout-net-assembly-exfiltration-via-internet-options/


Beware: This cheap and homemade malware is surprisingly effective

DCRat malware targets Windows devices. And it's cheap and popular, which makes it a problem.

https://www.zdnet.com/article/beware-this-cheap-and-homemade-malware-is-surprisingly-effective/


Introducing pyCobaltHound - Let Cobalt Strike unleash the Hound

During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, [...]

https://blog.nviso.eu/2022/05/09/introducing-pycobalthound/


Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application

The ASEC analysis team confirmed that a backdoor malware disguised as document editing software and messenger application used by many Korean users is being distributed in Korea through malicious CHM files. The team recently introduced malicious CHM files distributed in various forms twice in the ASEC blog in March. The malicious files discussed in this post execute additional malicious files via a process that is different from the previous cases.

https://asec.ahnlab.com/en/34010/


BPFDoor - an active Chinese global surveillance tool

Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to [...]

https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896?source=rss8343faddf0ec4


[Infographic] Cloud Misconfigurations: Don't Become a Breach Statistic

Our latest infographic highlights some key commonalities uncovered in our 2022 Cloud Misconfigurations Report.

https://www.rapid7.com/blog/post/2022/05/09/infographic-cloud-misconfigurations-dont-become-a-breach-statistic/

Vulnerabilities

Advisory: New installations fail with HTTP Error 403 from https://sus.sophosupd.com/ in Sophos Intercept X for Windows

Overview: New installations and/or device updates fail with HTTP Error 403 from https://sus.sophosupd.com/. This error is seen in C:\ProgramData\Sophos\AutoUpdate\SophosUpdate.log.

https://support.sophos.com/support/s/article/KB-000043980?language=en_US


Patchday: Fortinet protects IP phones against malicious code attacks

There are important security updates for FortiClient, FortiFone and FortiOS, among others. One vulnerability is rated critical.

https://heise.de/-7079563


Freifunk: critical vulnerability allows injection of malicious firmware

Freifunk is updating its router firmware and closing a critical vulnerability through which attackers could install their own firmware on the devices.

https://heise.de/-7079644


Technical Advisory: Ruby on Rails - Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)

Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable to XSS because their current protection does not properly restrict the set of characters allowed in [...]

https://research.nccgroup.com/2022/05/06/technical-advisory-ruby-on-rails-possible-xss-vulnerability-in-actionview-tag-helpers-cve-2022-27777/


Security updates for Monday

Security updates have been issued by CentOS (firefox and thunderbird), Debian (ecdsautils and libz-mingw-w64), Fedora (cifs-utils, firefox, galera, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, mariadb, maven-shared-utils, mingw-freetype, redis, and seamonkey), Mageia (dcraw, firefox, lighttpd, rsyslog, ruby-nokogiri, and thunderbird), Scientific Linux (thunderbird), SUSE (giflib, kernel, and libwmf), and Ubuntu (dbus and rsyslog).

https://lwn.net/Articles/894353/


RubyGems Fixes Critical Gem Takeover Vulnerability

RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems. A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager.

https://www.securityweek.com/rubygems-fixes-critical-gem-takeover-vulnerability


SonicWall SSL-VPN NetExtender Windows Client Buffer Overflow Vulnerability

A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit), version 10.2.322 and earlier, allows an attacker to potentially execute arbitrary code on the host Windows operating system. CVE: CVE-2022-22281

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0008


IBM Security Bulletins

https://www.ibm.com/blogs/psirt/


K12492858: Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103

https://support.f5.com/csp/article/K12492858


Foxit Reader: multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K22-0549