Daily summary - 15.07.2022

End-of-Day report

Timeframe: Thursday 14-07-2022 18:00 - Friday 15-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Callback phishing: urgent callback requested

In e-mails, attackers pose as security companies and ask for a callback. But instead of a security check, the victim's computer gets hacked.

https://www.golem.de/news/callback-phishing-dringender-rueckruf-erbeten-2207-166913.html


Android malware with 3 million installations removed from Google Play

The Android malware Autolycos reached a total of three million installations. After its discovery, Google removed the affected apps.

https://heise.de/-7180469


Windows Autopatch now generally available

With Autopatch, Microsoft promises automatically secured updates for Windows; administrators can expect significantly less manual work.

https://heise.de/-7180876


What can I do about problems with Klarna?

"The product hasn't even arrived yet, but Klarna still wants me to pay." "Klarna keeps sending payment reminders despite the return." "I received junk, but Klarna is demanding payment." Consumers keep reporting problems with Klarna to us and are at a loss. We show you what you can do about unjustified payment requests and reminders from Klarna.

https://www.watchlist-internet.at/news/was-kann-ich-bei-problemen-mit-klarna-tun/


YouTuber cash: beware of scams

Watch YouTube videos and earn money doing it? Offers like the one from youtuber.ltd sound tempting, but instead of a payout, scam schemes await you. Do not trust online promises of making a lot of money quickly! The criminals behind these offers are only after your data or your money.

https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/


WordPress: vulnerability in Kaswara Modern WPBakery Page Builder under active attack

WordPress users running the Kaswara Modern WPBakery Page Builder should act quickly. Older versions contain the vulnerability CVE-2021-24284, which allows takeover of the WordPress installation.

https://www.borncity.com/blog/2022/07/15/wordpress-schwachstelle-in-kaswara-modern-wpbakery-page-builder-wird-angegriffen/


New Phishing Kit Hijacks WordPress Sites for PayPal Scam

Attackers use scam security checks to steal victims' government documents, photos, banking information, and email passwords, researchers warn.

https://www.darkreading.com/attacks-breaches/new-phishing-kit-hijacks-wordpress-sites-for-paypal-scam


The real reason why malware detection is hard - and underestimated

Researchers develop an AI with a 98% malware detection rate and 5% false positive rate. If you think this is a splendid technology for antivirus software, this article might change your mind.

https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard


Month of PowerShell: Working with Log Files

In this article we look at how we can leverage PowerShell's object-passing pipeline to parse and retrieve data from an IIS web server log file.

https://www.sans.org/blog/powershell-working-with-log-files


Software Vendors Start Patching Retbleed CPU Vulnerabilities

Vendors have started rolling out software updates to address the recently disclosed Retbleed speculative execution attack targeting Intel and AMD processors.

https://www.securityweek.com/software-vendors-start-patching-retbleed-cpu-vulnerabilities


Powerful Mantis DDoS Botnet Hits 1,000 Organizations in One Month

Web protection firm Cloudflare warns that a small but powerful botnet has launched distributed denial-of-service (DDoS) attacks on roughly 1,000 organizations over the past month alone.

https://www.securityweek.com/powerful-mantis-ddos-botnet-hits-1000-organizations-one-month


Digium Phones Under Attack: Insight Into the Web Shell Implant

We witnessed more than 500,000 unique samples of malicious traffic targeting Digium Asterisk software for VoIP phone devices.

https://unit42.paloaltonetworks.com/digium-phones-web-shell/


CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Quintin Crist of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows operating system, originally discovered and reported by Yuki Chen. The bug is found in the implementation of Network File System (NFS) and is due to improper handling of NFSv4 requests. An unauthenticated attacker could exploit this bug to execute arbitrary code in the context of SYSTEM.

https://www.thezdi.com/blog/2022/7/13/cve-2022-30136-microsoft-windows-network-file-system-v4-remote-code-execution-vulnerability

Vulnerabilities

Security Update Available for Adobe InDesign APSB22-30

Adobe has released a security update for Adobe InDesign. This update addresses multiple critical and one important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak.

https://helpx.adobe.com/security/products/indesign/apsb22-30.html


Security Update Available for Adobe InCopy APSB22-29

Adobe has released a security update for Adobe InCopy. This update addresses multiple critical and one important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak.

https://helpx.adobe.com/security/products/incopy/apsb22-29.html


ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access

ABB is aware of private reports of a vulnerability in the flow computer and remote controller product versions listed above. A flash update is available that resolves the vulnerability in the product versions listed above. Mitigation can be accomplished by proper network segmentation [...]

https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&LanguageCode=en&DocumentPartId=&Action=Launch


Security updates for Friday

Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (curl, kernel, openssl1.1, php, subversion, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (grub2), SUSE (gnutls, kernel, logrotate, oracleasm, p11-kit, and python-PyJWT), and Ubuntu (libhttp-daemon-perl and python2.7, python3.10, python3.4, python3.5, python3.6, python3.8, python3.9).

https://lwn.net/Articles/901412/


Grafana: multiple vulnerabilities

A remote, authenticated attacker can exploit multiple vulnerabilities in Grafana to carry out a cross-site scripting attack and to bypass security measures.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0696


SonicWall Hosted Email Security Capture ATP Bypass

Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0014


OpenSSL c_rehash script allows command injection CVE-2022-1292

A critical vulnerability (CVE-2022-1292) was found in the OpenSSL c_rehash script. It is due to shell metacharacters not being properly sanitized, resulting in command injection. An attacker could execute arbitrary commands with the privileges of the script. After review, it has been determined that the vulnerability tracked as CVE-2022-1292 is not applicable to the SonicWall product suite. However, SonicWall has decided to update the impacted OpenSSL package to the fixed version (OpenSSL 1.1.1o) [...]

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011


SolarWinds Dameware: vulnerability allows user access

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0697


Mattermost: multiple vulnerabilities allow unspecified attack

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0695


Autodesk AutoCAD: vulnerability allows code execution

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0694


Security Bulletin: Denial of Service vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-35618

https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-35618/


Security Bulletin: IBM MQ Appliance is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-36518)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-fasterxml-jackson-databind-vulnerabilities-cve-2020-36518/


Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-commons-compress-affect-websphere-application-server-3/


Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2022-0391)

https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed-vulnerability-in-ibm-tivoli-application-dependency-discovery-manager-cve-2022-0391-2/


Security Bulletin: Vulnerability in Json-schema library affects Tivoli Netcool/OMNIbus WebGUI (CVE-2021-3918)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json-schema-library-affect-tivoli-netcool-omnibus-webgui-cve-2021-3918/


Security Bulletin: Vulnerability in Axios affects IBM Process Mining (CVE-2022-1214)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-axios-affects-ibm-process-mining-cve-2022-1214/


Security Bulletin: IBM MQ Appliance is affected by follow-redirects vulnerabilities (CVE-2022-0155 and CVE-2022-0536)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-follow-redirects-vulnerabilities-cve-2022-0155-and-cve-2022-0536/