Daily summary - 18.07.2022

End-of-Day report

Timeframe: Friday 15-07-2022 18:00 - Monday 18-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter

News

Cybercrime and Trickbot leaks: "We pay sick pay and a 13th month's salary"

Cybercrime goes business: A job interview in the cybercrime underground shows impressively how far organized crime has already become "normalized".

https://heise.de/-7182800


Fake shop for pellets and firewood contacts customers on WhatsApp

Fake shops for firewood, pellets, photovoltaic systems and stoves are currently booming. The fraudulent shop wibois.com goes to particular lengths to steal your money. In addition to professionally designed ads on Facebook and Instagram, the criminals send you an order confirmation and a request for bank transfer via WhatsApp. This builds trust and gives a sense of reachability. Do not pay, and block the number!

https://www.watchlist-internet.at/news/fake-shop-fuer-pellets-und-brennholz-kontaktiert-kundinnen-auf-whatsapp/


Password-cracking tool for industrial controllers/control systems distributed infected with Sality malware

Cybercriminals are apparently advertising on social networks a tool that is claimed to crack passwords in industrial controllers (ICS, PLCs).

https://www.borncity.com/blog/2022/07/16/mit-sality-malware-infiziertes-passwort-cracking-tool-fr-industrie-steuerungen-leitsysteme-verteilt/


Supply Chain Attack Technique Spoofs GitHub Commit Metadata

Security researchers at Checkmarx are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories.

https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-commit-metadata


Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability

Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022.

https://msrc-blog.microsoft.com/2022/07/18/mitigation-for-azure-storage-sdk-client-side-encryption-padding-oracle-vulnerability/


Month of PowerShell - Working with the Event Log, Part 3 - Accessing Message Elements

In part 3 of Working with the Event Log we look at using a third-party function to make accessing event log data much easier.

https://www.sans.org/blog/working-with-the-event-log-part-3-accessing-message-elements?msc=rss


Month of PowerShell - Working with the Event Log, Part 4 - Tweaking Event Log Settings

In this final part of this series on working with the event log in PowerShell, we look at tips and commands for tweaking event log settings.

https://www.sans.org/blog/working-with-the-event-log-part-4-tweaking-event-log-settings?msc=rss


Genesis - The Birth of a Windows Process (Part 2)

In this second and final part of the series, we will go through the exact flow CreateProcess carries out to launch a process on Windows using the APIs and Data Structure we discussed in Part 1.

https://fourcore.io/blogs/how-a-windows-process-is-created-part-2

Vulnerabilities

New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain

Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," [...]

https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html


Security updates for Monday

Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, [...]

https://lwn.net/Articles/901699/


Log4j vulnerability: German SMEs asleep, DHS sees a problem for years to come

The Log4Shell vulnerability in the Log4j library, exploitable in Java, is presumably present in many systems and software packages. Experts estimate that the problem will stay with us for years, and this has not yet sunk in among German small and medium-sized businesses. The Department of Homeland Security also [...]

https://www.borncity.com/blog/2022/07/17/log4j-schwachstelle-mittelstand-schlft-dhs-sieht-problem-fr-jahre/


SonicWall Switch Post-Authenticated Remote Code Execution

A vulnerability in SonicWall Switch 1.1.1.0-2s and earlier allows an authenticated malicious user to perform remote code execution in the host system.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0013


Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system

https://cert.vde.com/de/advisories/VDE-2022-027/


Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system

https://cert.vde.com/de/advisories/VDE-2022-022/


Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-could-disclose-sensitive-database-information-to-a-local-user-in-plain-text-cve-2022-22367-2/


Security Bulletin: The CVE-2022-34305 vulnerability in Apache Tomcat affects App Connect Professional.

https://www.ibm.com/blogs/psirt/security-bulletin-the-cve-2022-34305-vulnerability-in-apache-tomcat-affects-app-connect-professional/


Security Bulletin: There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788)

https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulnerabilites-that-affect-ibm-engineering-requirements-quality-assistant-on-premises-cve-2022-0778-cve-2021-38868-cve-2021-29799-cve-2021-29790-cve-2021-297/


Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities due to its use of IBM JAVA (CVE-2021-35560, CVE-2021-35578, CVE-2021-35565, CVE-2021-35603)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-is-vulnerable-to-multiple-vulnerabilities-due-to-its-use-of-ibm-java-cve-2021-35560-cve-2021-35578-cve-2021-35565-cve-2021-35/


Security Bulletin: An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware.

https://www.ibm.com/blogs/psirt/security-bulletin-an-attacker-that-gains-service-access-to-the-fsp-power9-only-or-gains-admin-authority-to-a-partition-can-compromise-partition-firmware/


Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial of service due to its use of Apache Xerces2 (CVE-2022-23437)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-is-vulnerable-to-a-denial-server-due-to-its-use-of-apache-xerces2-cve-2022-23437/


Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects PowerVM

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-cve-2022-0778-affects-powervm/


Security Bulletin: The vulnerability CVE-2022-21299 in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional

https://www.ibm.com/blogs/psirt/security-bulletin-the-vulnerability-cve-2022-21299-in-ibm-java-sdk-affects-ibm-websphere-cast-iron-solution-app-connect-professional/


Security Bulletin: IBM UrbanCode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-vulnerable-to-information-disclosure-which-can-be-read-by-a-local-user-cve-2022-22366-2/


Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS (CVE-2021-22918, CVE-2021-22960, CVE-2021-22959)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-is-vulnerable-to-multiple-security-vulnerabilities-due-to-its-use-of-nodejs-cve-2021-22918-cve-2021-22960-cve-2021-22959/


Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-opensource-package-affects-ibm-vm-recovery-manager-ha-dr-gui/


Security Bulletin: Vulnerability in the jackson-databind component affects IBM Event Streams

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-jackson-databind-component-affects-ibm-event-streams/