Daily summary - 17.06.2022

End-of-Day report

Timeframe: Wednesday 15-06-2022 18:00 - Friday 17-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Security: GitHub reports on malware in the open-source ecosystem

Vulnerabilities are not the only thing that makes open-source software susceptible to attack; malware also causes many problems, and GitHub now wants to collect reports of it.

https://www.golem.de/news/security-github-informiert-ueber-malware-im-open-source-oekosystem-2206-166217-rss.html


Update promptly: attackers could take over Citrix ADM

Attackers could remotely exploit a vulnerability in the Citrix Application Delivery Management software, allowing them to gain full control of the system.

https://heise.de/-7142301


NAS: Qnap warns of wave of attacks with DeadBolt ransomware

The vendor Qnap is warning of ongoing attacks on its NAS systems using the DeadBolt ransomware. Administrators should check whether their devices are up to date.

https://heise.de/-7144383


Critical vulnerability in WordPress plug-in Ninja Forms fixed

WordPress admins who use the Ninja Forms plug-in should immediately make sure it is up to date. Otherwise attackers could execute their own code.

https://heise.de/-7143515


Numerous fraudulent messages in the name of the Post in circulation!

You are waiting for a parcel. Suddenly you are notified by SMS or e-mail that there is a problem with your delivery. We report again and again on this scam, in which criminals send messages at random claiming that a parcel could not be delivered. Anyone who is actually waiting for a parcel can easily fall into this trap. Usually the criminals are after your credit card details or your money. This time, however, they are also trying to hijack your Post account.

https://www.watchlist-internet.at/news/zahlreiche-betruegerische-nachrichten-im-namen-der-post-im-umlauf/


Anatomy of a Hive ransomware attack on Exchange via ProxyShell

The details of a ransomware infection often remain in the dark for outsiders. This week I received information from the security service provider Varonis, whose security team has documented the course of an attack with the Hive ransomware.

https://www.borncity.com/blog/2022/06/17/anatomie-eines-hive-ransomware-angriffs-auf-exchange-per-proxyshell/


Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike

The threat actor known as Blue Mockingbird has been observed by analysts targeting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources.

https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-old-telerik-flaws-to-deploy-cobalt-strike/


New MaliBot Android banking malware spreads as a crypto miner

Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain.

https://www.bleepingcomputer.com/news/security/new-malibot-android-banking-malware-spreads-as-a-crypto-miner/


Facebook Messenger Scam Duped Millions

One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting.

https://threatpost.com/acebook-messenger-scam/179977/


WooCommerce Credit Card Skimmer Uses Telegram Bot to Exfiltrate Stolen Data

Our story starts like many others told on this blog: A new client came to us with reported cases of credit card theft on their eCommerce website. The website owner had received complaints from several customers who reported bogus transactions on their cards shortly after purchasing from their webstore, so the webmaster suspected that something could be amiss.

https://blog.sucuri.net/2022/06/woocommerce-credit-card-skimmer-uses-telegram-bot-to-exfiltrate-stolen-data.html


Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning

For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra.

https://thehackernews.com/2022/06/difference-between-agent-based-and.html


Details of Twice-Patched Windows RDP Vulnerability Disclosed

Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches.

https://www.securityweek.com/details-twice-patched-windows-rdp-vulnerability-disclosed


DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach

[...] This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.

https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/

Vulnerabilities

High-Severity RCE Vulnerability Reported in Popular Fastjson Library

Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType."

https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html
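As an added illustration (not code from the article or from the Fastjson project), the snippet below shows the defensive configuration that removes the attack surface described above: Fastjson's safeMode switches AutoType off entirely, so a "@type" key in untrusted input is rejected instead of selecting a class to instantiate, and the application always deserializes into a class it names itself rather than into a generic Object. The `Order` class, the JSON documents and the class name in the hostile input are constructed for this example; it assumes a Fastjson release that ships the fix for CVE-2022-25845 and supports safeMode (introduced in 1.2.68).

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardening {

    // Hypothetical application type, constructed for this example.
    public static class Order {
        public String id;
        public int quantity;

        public Order() {
        }
    }

    // Hardened global configuration: safeMode disables AutoType outright, so a
    // "@type" key is rejected regardless of allow/deny lists. The vulnerable setup
    // this replaces is leaving AutoType reachable and parsing attacker-controlled
    // JSON into a broad target type such as Object.
    public static void hardenParser() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Parse into an explicitly named class: the caller, not the JSON, picks the type.
    public static Order parseOrder(String json) {
        return JSON.parseObject(json, Order.class);
    }

    // Returns true if the document was rejected because it tried to choose a
    // class via "@type". Under safeMode Fastjson throws a JSONException for that.
    public static boolean rejectsTypeDirective(String json) {
        try {
            JSON.parseObject(json, Object.class);
            return false;
        } catch (JSONException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        hardenParser();

        // Benign document (constructed input): parsed into the expected class.
        Order order = parseOrder("{\"id\":\"A-1\",\"quantity\":3}");
        System.out.println(order.id + " x" + order.quantity);

        // Constructed hostile input: the "@type" key asks the parser to instantiate a
        // class chosen by the sender (hypothetical class name). Rejected under safeMode.
        String hostile = "{\"@type\":\"com.example.NotAllowed\",\"id\":\"A-2\"}";
        System.out.println("rejected: " + rejectsTypeDirective(hostile));
    }
}
```

Enabling safeMode is a global switch; if an application genuinely depends on polymorphic deserialization it has to be reworked to carry the type decision in code (an explicit target class or a small, fixed mapping) rather than in the input, because any allow-list approach leaves the AutoType code path, and therefore future bypasses like this one, reachable.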


IBM Security Bulletins 2022-06-15 - 2022-06-16

IBM Spectrum Protect Server, IBM Disconnected Log Collector, IBM Cloud Application Business Insights, IBM Tivoli Application Dependency Discovery Manager, IBM CICS TX Advanced, IBM Analytic Accelerator Framework, IBM Customer and Network Analytics, IBM QRadar SIEM, IBM QRadar Use Case Manager App, Rational Test Virtualization Server and Rational Test Workbench, IBM Robotic Process Automation, IBM Security QRadar Event and Flow Exporter App, IBM WebSphere Application Server Liberty, IBM TXSeries, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Java Runtime, ISC BIND and IBM HTTP Server.

https://www.ibm.com/blogs/psirt/


Cisco Security Advisories 2022-06-15

Cisco published 7 Security Advisories (2 Critical, 1 High, 4 Medium Severity)

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F06%2F15&firstPublishedEndDate=2022%2F06%2F15


Critical vulnerability with top severity rating in smart home hub Anker Eufy Homebase 2

Attackers could gain access to the smart home via three vulnerabilities in Eufy Homebase 2. A security update is available.

https://heise.de/-7143710


VMSA-2022-0017

VMware HCX update addresses an information disclosure vulnerability (CVE-2022-22953)

https://www.vmware.com/security/advisories/VMSA-2022-0017.html


Security updates for Thursday

Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez).

https://lwn.net/Articles/898121/


Security updates for Friday

Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, [...]

https://lwn.net/Articles/898234/


Hillrom Medical Device Management

This advisory contains mitigations for Use of Hard-coded Password and Improper Access Control vulnerabilities in Welch Allyn resting electrocardiograph devices. Hillrom Medical, Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries.

https://us-cert.cisa.gov/ics/advisories/icsma-22-167-01


AutomationDirect C-More EA9 HMI

This advisory contains mitigations for Uncontrolled Search Path Element and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products.

https://us-cert.cisa.gov/ics/advisories/icsa-22-167-01


AutomationDirect DirectLOGIC with Serial Communication

This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in DirectLOGIC programmable controllers with serial communication.

https://us-cert.cisa.gov/ics/advisories/icsa-22-167-02


AutomationDirect DirectLOGIC with Ethernet

This advisory contains mitigations for Uncontrolled Resource Consumption and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect DirectLOGIC programmable logic controllers with Ethernet communication.

https://us-cert.cisa.gov/ics/advisories/icsa-22-167-03