Daily summary - 13.07.2022

End-of-Day report

Timeframe: Tuesday 12-07-2022 18:00 - Wednesday 13-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner

News

From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud

A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA).

https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/


Using Referers to Detect Phishing Attacks, (Wed, Jul 13th)

Referers are useful information for webmasters and system administrators who would like to have a better overview of the visitors browsing their websites. The referer is an HTTP header that identifies the address of the web page from which the resource has been requested.

https://isc.sans.edu/diary/rss/28836


Infected WordPress Site Reveals Malicious C&C Script

Cryptomining infections accounted for less than 4% of total detections last year. Despite the fact that CoinHive - one of the most popular JavaScript based miners - shut down its operations in 2019, we still find occasional infections on compromised environments during remote and server-side scans.

https://blog.sucuri.net/2022/07/infected-wordpress-site-reveals-malicious-cc-script.html


Researchers Uncover New Attempts by Qakbot Malware to Evade Detection

The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection.

https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html


Open-source tool from Microsoft generates "Software Bill of Materials"

The SBOM tool Salus lists all components and dependencies of projects in order to track down potential vulnerabilities in the software supply chain.

https://heise.de/-7177889


Beware of fake shops in the energy sector!

Following numerous fake shops selling firewood, criminals are now adding photovoltaic shops such as solanex.de and solarnetz.at. The current energy crisis is evidently to be exploited to the maximum.

https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-am-energiesektor/


Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption

We show how metadata encryption and decryption contributes to making Cobalt Strike an effective emulator that is difficult to defend against.

https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/

Vulnerabilities

AMD processors: multiple vulnerabilities

A local attacker can exploit multiple vulnerabilities in AMD processors to execute arbitrary code or disclose information.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0665


Intel processors: multiple vulnerabilities allow disclosure of information

A local attacker can exploit multiple vulnerabilities in Intel processors to disclose information.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0650


Microsoft Security Update Summary (12 July 2022)

On 12 July 2022 Microsoft released security updates for Windows clients and servers, for Office, etc. - as well as for further products. The security updates also fix 84 vulnerabilities, including one 0-day.

https://www.borncity.com/blog/2022/07/12/microsoft-security-update-summary-12-juli-2022/


Adobe closes partly critical security holes

The vendor closes security holes in Adobe Acrobat and Reader, Photoshop, RoboHelp and Character Animator. Some of them are critical.

https://heise.de/-7177696


IBM Security Bulletins 2022-07-12

IBM Answer Retrieval for Watson Discovery, IBM Event Streams, IBM QRadar Network Security, IBM Cloud, Content Manager OnDemand, IBM Rational Build Forge, IBM App Connect Enterprise, IBM Sterling Connect, Digital Certificate Manager, Enterprise Content Management System Monitor.

https://www.ibm.com/blogs/psirt/


Security updates for Wednesday

Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, and xorg-server, xorg-server-hwe-18.04, xwayland).

https://lwn.net/Articles/901029/


Ruby on Rails: vulnerability allows code execution

A remote attacker can exploit a vulnerability in Ruby on Rails to execute arbitrary code.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0662


ZDI-22-968: BMC Track-It! HTTP Module Improper Access Control Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-22-968/


ZDI-22-967: BMC Track-It! GetPopupSubQueryDetails SQL Injection Information Disclosure Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-22-967/


VMSA-2022-0020 - VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities

https://www.vmware.com/security/advisories/VMSA-2022-0020.html


VMSA-2022-0019 - VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities

https://www.vmware.com/security/advisories/VMSA-2022-0019.html


VMSA-2022-0018 - VMware vCenter Server updates address a server-side request forgery vulnerability

https://www.vmware.com/security/advisories/VMSA-2022-0018.html


Dahua ASI7213X-T1

https://us-cert.cisa.gov/ics/advisories/icsa-22-193-01