End-of-Day report
Timeframe: Tuesday 12-07-2022 18:00 - Wednesday 13-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA).
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
Using Referers to Detect Phishing Attacks, (Wed, Jul 13th)
Referers are useful information for webmasters and system administrators that would like to have a better overview of the visitors browsing their websites. The referer is an HTTP header that identifies the address of the web page from which the resource has been requested.
https://isc.sans.edu/diary/rss/28836
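The detection idea behind the diary entry above can be exercised on a web server's own access log: phishing kits frequently hotlink the brand's real logos and stylesheets, so the legitimate site then logs requests for those assets with a Referer pointing at the attacker's domain. The following script is an added example, not code from the ISC diary; it parses constructed sample lines in the Apache/nginx "combined" log format and reports foreign Referer hosts that requested assets under an assumed /static/ prefix of an assumed example.com site.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in "combined" format (not real traffic).
# Lines 2 and 3 show a foreign host hotlinking the site's logo and stylesheet.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jul/2022:09:12:01 +0200] "GET /static/logo.png HTTP/1.1" 200 5120 "https://www.example.com/login" "Mozilla/5.0"
198.51.100.7 - - [13/Jul/2022:09:12:05 +0200] "GET /static/logo.png HTTP/1.1" 200 5120 "https://example-com-secure-login.xyz/signin" "Mozilla/5.0"
198.51.100.9 - - [13/Jul/2022:09:12:09 +0200] "GET /static/style.css HTTP/1.1" 200 8801 "https://example-com-secure-login.xyz/signin" "Mozilla/5.0"
192.0.2.44 - - [13/Jul/2022:09:13:00 +0200] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.45 - - [13/Jul/2022:09:13:30 +0200] "GET /static/logo.png HTTP/1.1" 200 5120 "https://accounts.example.com/" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OWN_DOMAINS = ("example.com",)   # assumption: domains the site legitimately runs on
ASSET_PREFIXES = ("/static/",)  # assumption: where brand assets (logos, CSS) are served


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_own_host(host):
    """True if host is one of OWN_DOMAINS or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def suspicious_referers(log_text):
    """Group asset requests by foreign Referer host.

    Returns {referer_host: {"hits": n, "ips": set(...), "paths": set(...)}}.
    Requests without a Referer are skipped: a strict Referrer-Policy or a
    direct request leaves nothing to attribute, so absence is not evidence.
    """
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(ASSET_PREFIXES):
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            continue
        host = urlsplit(ref).hostname or ""
        if not host or is_own_host(host):
            continue
        entry = findings.setdefault(host, {"hits": 0, "ips": set(), "paths": set()})
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        entry["paths"].add(rec["path"])
    return findings


if __name__ == "__main__":
    for host, info in suspicious_referers(SAMPLE_LOG).items():
        print(f"{host}: {info['hits']} hits from {len(info['ips'])} IPs, "
              f"assets {sorted(info['paths'])}")
```

Treat a hit as a lead, not proof: the Referer is client-supplied, an attacker can strip it or host copies of the assets, and legitimate partners or CDNs may also appear as foreign hosts, so review new hosts before acting on them (for example by serving a different image to requests from that Referer).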
Infected WordPress Site Reveals Malicious C&C Script
Cryptomining infections accounted for less than 4% of total detections last year. Despite the fact that CoinHive - one of the most popular JavaScript based miners - shut down its operations in 2019, we still find occasional infections on compromised environments during remote and server-side scans.
https://blog.sucuri.net/2022/07/infected-wordpress-site-reveals-malicious-cc-script.html
Researchers Uncover New Attempts by Qakbot Malware to Evade Detection
The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection.
https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html
Open-source tool from Microsoft generates a "Software Bill of Materials"
The SBOM tool Salus lists all components and dependencies of a project in order to track down potential vulnerabilities in the software supply chain.
https://heise.de/-7177889
Beware of fake shops in the energy sector!
After numerous fake shops selling firewood, criminals are now following up with photovoltaic shops such as solanex.de and solarnetz.at. The current energy crisis is evidently to be exploited to the maximum.
https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-am-energiesektor/
Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
We show how metadata encryption and decryption contributes to making Cobalt Strike an effective emulator that is difficult to defend against.
https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/
Vulnerabilities
AMD processors: multiple vulnerabilities
A local attacker can exploit multiple vulnerabilities in AMD processors to execute arbitrary code or disclose information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0665
Intel processors: multiple vulnerabilities allow information disclosure
A local attacker can exploit multiple vulnerabilities in Intel processors to disclose information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0650
Microsoft Security Update Summary (12 July 2022)
On 12 July 2022 Microsoft released security updates for Windows clients and servers, for Office, and for further products. The security updates fix 84 vulnerabilities, including one 0-day.
https://www.borncity.com/blog/2022/07/12/microsoft-security-update-summary-12-juli-2022/
Adobe patches vulnerabilities, some of them critical
The vendor closes security holes in Adobe Acrobat and Reader, Photoshop, RoboHelp and Character Animator. Some of them are critical.
https://heise.de/-7177696
IBM Security Bulletins 2022-07-12
IBM Answer Retrieval for Watson Discovery, IBM Event Streams, IBM QRadar Network Security, IBM Cloud, Content Manager OnDemand, IBM Rational Build Forge, IBM App Connect Enterprise, IBM Sterling Connect, Digital Certificate Manager, Enterprise Content Management System Monitor.
https://www.ibm.com/blogs/psirt/
Security updates for Wednesday
Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04, and xwayland).
https://lwn.net/Articles/901029/
Ruby on Rails: vulnerability allows code execution
A remote attacker can exploit a vulnerability in Ruby on Rails to execute arbitrary code.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0662
ZDI-22-968: BMC Track-It! HTTP Module Improper Access Control Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-968/
ZDI-22-967: BMC Track-It! GetPopupSubQueryDetails SQL Injection Information Disclosure Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-967/
VMSA-2022-0020 - VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities
https://www.vmware.com/security/advisories/VMSA-2022-0020.html
VMSA-2022-0019 - VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities
https://www.vmware.com/security/advisories/VMSA-2022-0019.html
VMSA-2022-0018 - VMware vCenter Server updates address a server-side request forgery vulnerability
https://www.vmware.com/security/advisories/VMSA-2022-0018.html
Dahua ASI7213X-T1
https://us-cert.cisa.gov/ics/advisories/icsa-22-193-01