End-of-Day report
Timeframe: Thursday 07-07-2022 18:00 - Friday 08-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
Healthcare facilities targeted by North Korean cybercriminals
US security agencies are warning about the Maui ransomware, which North Korean cyber gangs are using to attack healthcare organizations.
https://heise.de/-7166692
Free decryptor released for AstraLocker, Yashma ransomware victims
New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom.
https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-astralocker-yashma-ransomware-victims/
SiteCheck Malware Trends Report - Q2 2022
Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote scanners may not provide as comprehensive of a scan as server-side scanners, they allow users to instantly identify malicious code and detect security issues on their website without installing any software or applications.
https://blog.sucuri.net/2022/07/sitecheck-malware-trends-report-q2-2022.html
Over 1,200 NPM Packages Found Involved in "CuteBoi" Cryptomining Campaign
Researchers have disclosed what they say could be an attempt to kick-off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts.
https://thehackernews.com/2022/07/over-1200-npm-packages-found-involved.html
Koh: The Token Stealer
In this post I will introduce a toolkit called Koh that can indefinitely (..) harvest and reuse tokens for accounts that connect to a machine you have administrative rights on. I'll go over the motivation for this approach, the technical background of why it's possible and what changed in 2016, and briefly show what Koh can do.
https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6
New HavanaCrypt Ransomware Distributed as Fake Google Software Update
Security researchers at Trend Micro have identified a new ransomware family that is being delivered as a fake Google Software Update application.
https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-google-software-update
Vulnerabilities
IBM Security Bulletins 2022-07-07
IBM QRadar Network Security, IBM Engineering Lifecycle Management, IBM Rational Build Forge, IBM Tivoli Netcool/Omnibus, IBM Tivoli Network Manager, IBM CICS TX Standard, IBM CICS TX Advanced, IBM WebSphere Application Server Liberty, IBM Security Verify Information Queue, IBM Event Streams.
https://www.ibm.com/blogs/psirt/
Security updates: Root vulnerability in Dell EMC software closed
Attackers could attack systems running Dell PowerProtect Cyber Recovery or Cloud Mobility for Dell EMC Storage. An update is now available to address this.
https://heise.de/-7166118
Security updates for Friday
Security updates have been issued by Fedora (direnv, golang-github-mattn-colorable, matrix-synapse, pypy3.7, pypy3.8, and pypy3.9), Oracle (squid), SUSE (curl, openssl-1_1, pcre, python-ipython, resource-agents, and rsyslog), and Ubuntu (nss, php7.2, and vim).
https://lwn.net/Articles/900443/
NetApp ActiveIQ Unified Manager: Multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in NetApp ActiveIQ Unified Manager to disclose information, manipulate or alter data, and cause a denial of service condition.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0608
Red Hat FUSE: Multiple vulnerabilities
A remote, anonymous, authenticated or local attacker can exploit multiple vulnerabilities in Red Hat FUSE to disclose confidential information, execute arbitrary code, cause a denial of service condition, bypass security measures, manipulate data and information, and escalate privileges.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0607
July 7th 2022 Security Releases
Updates are now available for the v18.x, v16.x, and v14.x Node.js release [...]
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
Exploitation of Mitel MiVoice Connect SA CVE-2022-29499
Mitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible. Appliances should not be exposed to the open internet.
https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/
ZDI-22-955: Sante PACS Server SQL Injection Authentication Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-955/
K06524534: Linux kernel vulnerability CVE-2021-22555
https://support.f5.com/csp/article/K06524534
K49622415: Apache Tomcat vulnerability CVE-2022-25762
https://support.f5.com/csp/article/K49622415
10 Vulnerabilities Found in Widely Used Robustel Industrial Routers
https://www.securityweek.com/10-vulnerabilities-found-widely-used-robustel-industrial-routers
Eclipse Jetty: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0614
Foxit PDF Editor: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0613
tribe29 checkmk: Multiple vulnerabilities enable unspecified attack
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0622
Rockwell Automation MicroLogix
https://us-cert.cisa.gov/ics/advisories/icsa-22-188-01
Bently Nevada ADAPT 3701/4X Series and 60M100
https://us-cert.cisa.gov/ics/advisories/icsa-22-188-02