Daily summary - 27.06.2022

End-of-Day report

Timeframe: Friday 24-06-2022 18:00 - Monday 27-06-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer

News

Fake copyright infringement emails install LockBit ransomware

LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims.

https://www.bleepingcomputer.com/news/security/fake-copyright-infringement-emails-install-lockbit-ransomware/


Clever phishing method bypasses MFA using Microsoft WebView2 apps

A clever new phishing technique uses Microsoft Edge WebView2 applications to steal victims' authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts.

https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/


NetSec Goggle shows search results only from cybersecurity sites

A new Brave Search Goggle modifies Brave Search results to only show reputable cybersecurity sites, making it easier to search for and find security information.

https://www.bleepingcomputer.com/news/security/netsec-goggle-shows-search-results-only-from-cybersecurity-sites/


LockBit 3.0 introduces the first ransomware bug bounty program

The LockBit ransomware operation has released LockBit 3.0, introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options.

https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/


Malicious Code Passed to PowerShell via the Clipboard, (Sat, Jun 25th)

Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting.

https://isc.sans.edu/diary/rss/28784


Encrypted Client Hello: Anybody Using it Yet?, (Mon, Jun 27th)

The first payload sent by a TLS client to a TLS server is a "Client Hello." It includes several parameters supported by the client, such as available cipher suites, to start negotiating a compatible set of TLS parameters with the server.

https://isc.sans.edu/diary/rss/28792


Ransomware gang Conti shuts down leak and negotiation platform

The Conti group behind the extortion trojan of the same name is finalising its withdrawal and continues to split up into smaller gangs.

https://heise.de/-7154035


Flood of attacks on package manager PyPI smuggles backdoor into Python packages

After Sonatype initially discovered an attack on five packages in the Python package manager, the CVE vulnerability database is filling up with further incidents.

https://heise.de/-7154405


Ransomware: healthcare companies pay ransom most often

Encryption attacks have increased sharply in recent months, above all in the healthcare sector. The data is popular with attackers.

https://heise.de/-7154906


NIST Releases New macOS Security Guidance for Organizations

The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security.

https://www.securityweek.com/nist-releases-new-macos-security-guidance-organizations


Beware of fake e-mails from the Vienna police

In a fake e-mail from the police you are accused of having committed a crime. It concerns child pornography, paedophilia, cyber pornography and exhibitionism. You are asked to send a justification by e-mail. Do not reply and ignore this letter. It is fake!

https://www.watchlist-internet.at/news/vorsicht-vor-fake-e-mails-der-wiener-polizei/


CISA Adds Eight Known Exploited Vulnerabilities to Catalog

CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

https://us-cert.cisa.gov/ncas/current-activity/2022/06/27/cisa-adds-eight-known-exploited-vulnerabilities-catalog

Vulnerabilities

Citrix seals security holes in Hypervisor

The Citrix Hypervisor contains several vulnerabilities. Attackers could take control. Updated packages close the holes.

https://heise.de/-7154435


Security updates for Monday

Security updates have been issued by Debian (openssl), Fedora (dotnet6.0, mediawiki, and python2.7), Mageia (389-ds-base, chromium-browser-stable, exo, and libtiff), Oracle (httpd:2.4 and microcode_ctl), SUSE (dbus-broker, drbd, kernel, liblouis, mariadb, openssl, openssl-1_1, openSUSE kernel modules, oracleasm, php7, php72, python39, salt, and wdiff), and Ubuntu (linux, linux-hwe, mozjs91, and vim).

https://lwn.net/Articles/899158/


Security Bulletin: Multiple Vulnerabilities found in Apache Tika used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-found-in-apache-tika-used-by-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collect/


Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-for-microsoft-windows-is-vulnerable-to-an-unspecified-vulnerability-due-to-ibm-java-runtime-cve-2021-35603/


Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affects-rational-business-developer-8/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-business-developer-6/


Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affects-rational-business-developer-7/


Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-for-microsoft-windows-is-vulnerable-to-an-unspecified-vulnerability-due-to-ibm-java-runtime-cve-2021-35550/


Security Bulletin: IBM MQ is vulnerable to an issue within Jackson

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-an-issue-within-jackson/


Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to zlib (CVE-2018-25032)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-for-microsoft-windows-is-vulnerable-to-denial-of-service-due-to-zlib-cve-2018-25032/


Security Bulletin: Multiple Vulnerabilities in IBM® Runtime Environment Java Technology Edition affect WebSphere eXtreme Scale

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-runtime-environment-java-technology-edition-affects-websphere-extreme-scale/


Security Bulletin: IBM QRadar SIEM is affected by a remote code execution in Spring Framework (CVE-2022-22963, CVE-2022-22965, CVE-2022-22950)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-affected-by-a-remote-code-execution-in-spring-framework-cve-2022-22963-cve-2022-22965-cve-2022-22950/


Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation

https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-unintended-function-invocation/