End-of-Day report
Timeframe: Wednesday 13-07-2022 18:00 - Thursday 14-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
Month of PowerShell - Working with the Event Log, Part 2 - Threat Hunting with Event Logs
We continue our look at working with the Windows event log using PowerShell with 10 threat hunting techniques.
https://www.sans.org/blog/working-with-event-log-part-2-threat-hunting-with-event-logs/
Introducing Decompiler Explorer
Today, we're releasing a little side project a few of our developers have been working with the community on: the Decompiler Explorer! This new (free, open source) web service lets you compare the output of different decompilers on small executables. In other words: it's basically the same thing as Matt Godbolt's awesome Compiler Explorer, but in reverse.
https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html
CVE-2022-29885 - Don't Open That Port - A Denial Of Service vulnerability on Apache Tomcat Cluster Service Listener
While performing the analysis I discovered that this was part of research by 4ra1n, who reported the issue to the Apache Tomcat Security Team on 17 April 2022; it was assigned CVE-2022-29885. Nonetheless, I had no luck finding a suitable PoC for the vulnerability.
https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/
Genesis - The Birth of a Windows Process (Part 1)
This is the first part of a two-part series. In this post, I cover how Windows spawns a process, the various APIs and data structures involved, and the different types of processes available on Windows. The Windows API provides several functions for creating a process. We will go through some of the important APIs and structures Win32 offers before diving into the process creation procedure.
https://fourcore.io/blogs/how-a-windows-process-is-created-part-1
Exploiting Arbitrary Object Instantiations in PHP without Custom Classes
PHP's Arbitrary Object Instantiation is a flaw in which an attacker can create arbitrary objects. This flaw can come in all shapes and sizes.
https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
'RedAlert', LILITH and 0mega leading a wave of Ransomware Campaigns
Multiple new ransomware groups have surfaced recently, highlighting the adoption of ransomware attacks by TAs for monetary gains.
https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/
Office users targeted: phishing campaign bypasses multi-factor authentication
Microsoft's security researchers have uncovered a large phishing campaign in which attackers steal session cookies to bypass MFA protections.
https://heise.de/-7179750
PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability
The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin.
https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability/
YouTuber cash: beware of scams
Watch YouTube videos and earn money doing it? Offers like the one from youtuber.ltd sound tempting, but instead of a payout, scam schemes await you. Do not trust online promises of earning a lot of money quickly!
https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/
Vulnerabilities
X.org servers update closes 2 security holes, adds neat component tweaks
Arbitrary code execution flaws in the X Keyboard Extension are bad news. X.org has released a bunch of updates, which includes closing two security holes, and yes, this affects Wayland users too.
https://go.theregister.com/feed/www.theregister.com/2022/07/13/xorg_servers_updated/
Tableau Server Leaks Sensitive Information From Reflected XSS
GoSecure Titan Labs has identified a vulnerability within the Tableau Server that could allow malicious actors to extract sensitive data from the application. Tableau Server is an analytics platform owned by Salesforce used to see and understand data.
https://www.gosecure.net/blog/2022/07/13/tableau-server-leaks-sensitive-information-from-reflected-xss/
IBM Security Bulletins 2022-07-13
IBM Db2, IBM MQ Appliance, IBM i, IBM WebSphere Application Server, IBM Engineering Lifecycle Optimization, IBM Cloud Pak, IBM Netezza Platform, IBM Security Verify Information Queue, IBM Security Verify Governance.
https://www.ibm.com/blogs/psirt/
Vulnerability in VMware vCenter Server and Cloud Foundation partially patched
VMware's vCenter Server and Cloud Foundation have a security vulnerability in Integrated Windows Authentication. A software update is now available.
https://heise.de/-7179181
Security updates for Thursday
Security updates have been issued by Debian (request-tracker4), Fedora (kernel and vim), Mageia (gerbv, gnupg2, pgadmin4, and python-coookiecutter), Slackware (xorg), SUSE (cifs-utils, gmp, gnutls, libnettle, kernel, libsolv, libzypp, zypper, logrotate, openssl-1_1, opera, squid, and virglrenderer), and Ubuntu (ca-certificates, git, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-kvm, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-aws, linux-oem-5.14, and vim).
https://lwn.net/Articles/901190/
UEFI firmware bug endangers more than 70 Lenovo notebooks (July 2022)
Notice for blog readers who use notebooks from Lenovo (and IBM). Security researchers at ESET have found serious vulnerabilities in the UEFI firmware of Lenovo notebooks that allow the operating system to be taken over during the early boot phase.
https://www.borncity.com/blog/2022/07/14/uefi-firmware-bug-gefhrdet-ber-70-lenovo-notebooks-juli-2022/
Internet Explorer 11: Update KB5015805 (12 July 2022)
On 12 July 2022 Microsoft released a security update (KB5015805) for Internet Explorer. It is, however, only available separately as a cumulative update for selected Windows versions. Here is an overview of this patch, which is intended to close vulnerabilities in the browser.
https://www.borncity.com/blog/2022/07/14/internet-explorer-11-update-kb5015805-12-juli-2022/
Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048
https://www.drupal.org/sa-contrib-2022-048
K14335949: Intel processors vulnerability CVE-2022-24436
https://support.f5.com/csp/article/K14335949
K43357358: AMD processors vulnerability CVE-2022-23823
https://support.f5.com/csp/article/K43357358
Juniper JUNOS (EX, MX, PTX, QFX Series): Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0684
Juniper JUNOS (various platforms): Multiple vulnerabilities allow denial of service
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0683
Lenovo XClarity: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0687