Tageszusammenfassung - 30.06.2022

End-of-Day report

Timeframe: Mittwoch 29-06-2022 18:00 - Donnerstag 30-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Atlassian warnt vor Sicherheitslücke in Projektverwaltung Jira

Vor einer Sicherheitslücke mit hohem Risiko in Jira warnt Hersteller Atlassian. Updates stehen bereit. Auch ein Workaround bietet das Unternehmen an.

https://heise.de/-7157892


Recovery-Scams: Kriminelle geben sich als FMA und Börsenaufsicht aus!

Sind Sie Opfer einer unseriösen Trading-Plattform geworden? Anbieter wie börsenaufsicht.net, finanzmarktaufsicht.net und payback-ltd.com versprechen Ihr verlorenes Geld zurückzuholen. Vorsicht! Es handelt sich um betrügerische Dienste, die Sie noch weiter abzocken wollen.

https://www.watchlist-internet.at/news/recovery-scams-kriminelle-geben-sich-als-fma-und-boersenaufsicht-aus/


Microsoft Exchange Server: Remote Code Execution-Schwachstelle CVE-2022-23277 trotz Patch ausnutzbar?

Sind auf dem aktuellen Patch-Stand befindliche Microsoft Exchange Server über die Remote Code Execution-Schwachstelle CVE-2022-23277 immer noch angreifbar? Mir sind gerade einige Informationsfragmente unter die Augen gekommen, die dies zumindest nahelegen, dass der betreffende Patch die Möglichkeiten zur Ausnutzung nicht [...]

https://www.borncity.com/blog/2022/06/30/microsoft-exchange-server-remote-code-execution-schwachstelle-cve-2022-23277-trotz-patch-ausnutzbar/


CISA warns of hackers exploiting PwnKit Linux vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild.

https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-pwnkit-linux-vulnerability/


AstraLocker 2.0 infects users directly from Word attachments

A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.

https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users-directly-from-word-attachments/


XFiles info-stealing malware adds support for Follina delivery

The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers.

https://www.bleepingcomputer.com/news/security/xfiles-info-stealing-malware-adds-support-for-follina-delivery/


The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

https://securelist.com/the-sessionmanager-iis-backdoor/106868/


Toll fraud malware: How an Android application can drain your wallet

Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware - and it continues to evolve.

https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/


Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended, (Thu, Jun 30th)

How do threat actors behind a Cobalt Strike server keep it running after its domain is taken down? If the server is not hosted through the domain registrar, it merely keeps running on the same IP address. Today's diary is a case study where Cobalt Strike remained active on the same IP address at least one week after its domain was suspended.

https://isc.sans.edu/diary/rss/28804


Flubot: the evolution of a notorious Android Banking Malware

Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the [...]

https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/


Amazon Photos vulnerability could have given attackers access to user files and data

The retail giant patched a serious flaw in its Amazon Photos app that left user access token exposed to potential attackers.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/amazon-photos-vulnerability-could-have-given-attackers-access-to-user-files-and-data/


Cloudy with a Chance of Risk: Managing Risks in Cloud-Managed OT Networks

In this blog, we'll examine the potential threats and risks of OT cloud migration, offering guidance on how to manage and mitigate them effectively.

https://claroty.com/2022/06/30/blog-research-cloudy-with-a-chance-of-risk/


Reducing data exfiltration by malicious insiders

Advice and recommendations for mitigating this type of insider behaviour.

https://www.ncsc.gov.uk/guidance/reducing-data-exfiltration-by-malicious-insiders

Vulnerabilities

IBM Security Bulletins 2022-06-29

IBM Spectrum Protect, IBM Watson Discovery, IBM Sterling B2B Integrator, IBM Sterling Connect, IBM Cloud Pak, IBM Tivoli Netcool Impact, IBM Db2

https://www.ibm.com/blogs/psirt/


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr, firejail, and ublock-origin), Fedora (chromium, firefox, thunderbird, and vim), Mageia (kernel and kernel-linus), Oracle (389-ds-base and python-virtualenv), SUSE (chromium), and Ubuntu (cloud-init).

https://lwn.net/Articles/899483/


Mitsubishi Electric FA Engineering Software (Update A)

This updated advisory is a follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software products.

https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05


CODESYS Gateway Server (Update A)

This updated advisory is a follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a heap-based buffer overflow vulnerability in CODESYS Gateway Server products.

https://us-cert.cisa.gov/ics/advisories/ICSA-15-258-02


Revision von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) vom 28. Juni 2022

Microsoft hat seine Beschreibung von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) zum 28. Juni 2022 revidiert. Es wurden die Sicherheitsupdates für Windows 10 Version 21H2, Windows 11 und Windows Server 2022 hinzugefügt, da diese Windows-Versionen ebenfalls von dieser Sicherheitslücke [...]

https://www.borncity.com/blog/2022/06/29/revision-von-cve-2022-26414-windows-dcom-server-security-feature-bypass-vom-28-juni-2022/


Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

https://www.drupal.org/sa-contrib-2022-047


Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

https://www.drupal.org/sa-contrib-2022-046