End-of-Day report
Timeframe: Wednesday 15-06-2022 18:00 - Friday 17-06-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Security: Github informs about malware in the open-source ecosystem
Security vulnerabilities are not the only thing that makes open-source software vulnerable. Malware also causes many problems, and Github now wants to collect reports of it.
https://www.golem.de/news/security-github-informiert-ueber-malware-im-open-source-oekosystem-2206-166217-rss.html
Update promptly: Attackers could take over Citrix ADM
Attackers from the network could exploit a security vulnerability in Citrix Application Delivery Management software. With it they could gain full control.
https://heise.de/-7142301
NAS: Qnap warns of a wave of attacks with DeadBolt ransomware
The manufacturer Qnap warns of currently ongoing attacks on its NAS systems with the DeadBolt ransomware. Administrators should check their update status.
https://heise.de/-7144383
Critical security vulnerability in WordPress plug-in Ninja Forms fixed
WordPress admins who use the Ninja Forms plug-in should immediately make sure it is up to date. Otherwise attackers could execute their own code.
https://heise.de/-7143515
Numerous fraudulent messages in the name of the Post in circulation!
You are waiting for a package. Suddenly you are notified by SMS or e-mail that there is a problem with your delivery. We report again and again on this scam, in which criminals send messages indiscriminately and claim that a package could not be delivered. Anyone who is actually waiting for a package can easily fall into this trap. Usually the criminals are after your credit card details or your money. This time, however, there is also an attempt to hijack your Post account.
https://www.watchlist-internet.at/news/zahlreiche-betruegerische-nachrichten-im-namen-der-post-im-umlauf/
Anatomy of a Hive ransomware attack on Exchange via ProxyShell
The details of a ransomware infection often remain in the dark for outsiders. This week I received information from the security service provider Varonis, whose security team has documented the course of an attack with the Hive ransomware.
https://www.borncity.com/blog/2022/06/17/anatomie-eines-hive-ransomware-angriffs-auf-exchange-per-proxyshell/
Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike
The threat actor known as Blue Mockingbird has been observed by analysts targeting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources.
https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-old-telerik-flaws-to-deploy-cobalt-strike/
New MaliBot Android banking malware spreads as a crypto miner
Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain.
https://www.bleepingcomputer.com/news/security/new-malibot-android-banking-malware-spreads-as-a-crypto-miner/
Facebook Messenger Scam Duped Millions
One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting.
https://threatpost.com/acebook-messenger-scam/179977/
WooCommerce Credit Card Skimmer Uses Telegram Bot to Exfiltrate Stolen Data
Our story starts like many others told on this blog: A new client came to us with reported cases of credit card theft on their eCommerce website. The website owner had received complaints from several customers who reported bogus transactions on their cards shortly after purchasing from their webstore, so the webmaster suspected that something could be amiss.
https://blog.sucuri.net/2022/06/woocommerce-credit-card-skimmer-uses-telegram-bot-to-exfiltrate-stolen-data.html
Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning
For years, the two most popular methods for internal scanning, agent-based and network-based, were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra.
https://thehackernews.com/2022/06/difference-between-agent-based-and.html
Details of Twice-Patched Windows RDP Vulnerability Disclosed
Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.
https://www.securityweek.com/details-twice-patched-windows-rdp-vulnerability-disclosed
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
[...] This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.
https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/
Vulnerabilities
High-Severity RCE Vulnerability Reported in Popular Fastjson Library
Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType."
https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html
IBM Security Bulletins 2022-06-15 - 2022-06-16
IBM Spectrum Protect Server, IBM Disconnected Log Collector, IBM Cloud Application Business Insights, IBM Tivoli Application Dependency Discovery Manager, IBM CICS TX Advanced, IBM Analytic Accelerator Framework, IBM Customer and Network Analytics, IBM QRadar SIEM, IBM QRadar Use Case Manager App, Rational Test Virtualization Server and Rational Test Workbench, IBM Robotic Process Automation, IBM Security QRadar Event and Flow Exporter App, IBM WebSphere Application Server Liberty, IBM TXSeries, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Java Runtime, ISC BIND and IBM HTTP Server.
https://www.ibm.com/blogs/psirt/
Cisco Security Advisories 2022-06-15
Cisco published 7 Security Advisories (2 Critical, 1 High, 4 Medium Severity)
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F06%2F15&firstPublishedEndDate=2022%2F06%2F15
Critical vulnerability with maximum rating in smart home hub Anker Eufy Homebase 2
Attackers could gain access to the smart home via three security vulnerabilities in Eufy Homebase 2. A security update is available.
https://heise.de/-7143710
VMSA-2022-0017
VMware HCX update addresses an information disclosure vulnerability (CVE-2022-22953)
https://www.vmware.com/security/advisories/VMSA-2022-0017.html
Security updates for Thursday
Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez).
https://lwn.net/Articles/898121/
Security updates for Friday
Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, [...]
https://lwn.net/Articles/898234/
Hillrom Medical Device Management
This advisory contains mitigations for Use of Hard-coded Password and Improper Access Control vulnerabilities in Welch Allyn resting electrocardiograph devices. Hillrom Medical, Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries.
https://us-cert.cisa.gov/ics/advisories/icsma-22-167-01
AutomationDirect C-More EA9 HMI
This advisory contains mitigations for Uncontrolled Search Path Element, Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products.
https://us-cert.cisa.gov/ics/advisories/icsa-22-167-01
AutomationDirect DirectLOGIC with Serial Communication
This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in DirectLOGIC programmable controllers with serial communication.
https://us-cert.cisa.gov/ics/advisories/icsa-22-167-02
AutomationDirect DirectLOGIC with Ethernet
This advisory contains mitigations for Uncontrolled Resource Consumption, and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect DirectLOGIC programmable logic Ethernet controllers.
https://us-cert.cisa.gov/ics/advisories/icsa-22-167-03