End-of-Day report
Timeframe: Friday 15-07-2022 18:00 - Monday 18-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Cybercrime and the Trickbot leaks: "We pay sick leave and a 13th-month salary"
Cybercrime goes business: a job interview in the cybercrime underground shows strikingly how far organised crime has already become "normalised".
https://heise.de/-7182800
Fake shop for pellets and firewood contacts customers via WhatsApp
Fake shops for firewood, pellets, photovoltaic systems and stoves are booming right now. The fraudulent shop wibois.com goes to particular lengths to steal your money. In addition to professionally designed ads on Facebook and Instagram, the criminals send you an order confirmation and a payment request via WhatsApp. That builds trust and conveys a sense of reachability. Do not pay, and block the number!
https://www.watchlist-internet.at/news/fake-shop-fuer-pellets-und-brennholz-kontaktiert-kundinnen-auf-whatsapp/
Password-cracking tool for industrial controllers/control systems distributed infected with Sality malware
Cybercriminals are apparently advertising, on social networks, a tool that is supposed to crack passwords on industrial controllers (ICS, PLCs).
https://www.borncity.com/blog/2022/07/16/mit-sality-malware-infiziertes-passwort-cracking-tool-fr-industrie-steuerungen-leitsysteme-verteilt/
Supply Chain Attack Technique Spoofs GitHub Commit Metadata
Security researchers at Checkmarx are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories.
https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-commit-metadata
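The technique works because git records whatever author name, e-mail and dates the committer supplies, so a fresh repository can be made to look years old and maintained by well-known people. As an added example (not from the article and not Checkmarx's tooling), the script below reads the output of a `git log --format` invocation and flags commits with no valid signature, author dates older than the repository itself, dates in the future, or author/committer dates that disagree. The sample log, the repository creation date and the skew threshold are constructed for the demo.

```python
"""Sanity-check git commit metadata for signs of spoofing (added example).

Input is the output of
  git log --reverse --format='%H%x09%G?%x09%an%x09%ae%x09%aI%x09%cI'
i.e. sha, signature status, author name, author e-mail, author date and
committer date, tab-separated. A constructed sample is embedded so it runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# %G? codes that mean "good signature": G = trusted key, U = good but untrusted key
VALID_SIGNATURE = {"G", "U"}

# Constructed sample log (oldest first); these are not real commits.
SAMPLE_LOG = """\
1111111\tG\tAlice Maintainer\talice@example.org\t2022-06-10T10:00:00+00:00\t2022-06-10T10:00:00+00:00
2222222\tN\tFamous Maintainer\tfamous@example.org\t2015-03-04T12:00:00+00:00\t2022-07-15T08:00:00+00:00
3333333\tN\tAlice Maintainer\talice@example.org\t2022-07-16T09:00:00+00:00\t2022-07-16T09:00:00+00:00
4444444\tE\tAlice Maintainer\talice@example.org\t2031-01-01T00:00:00+00:00\t2031-01-01T00:00:00+00:00
"""
REPO_CREATED = datetime.fromisoformat("2022-06-01T00:00:00+00:00")  # e.g. GitHub API created_at
NOW = datetime.fromisoformat("2022-07-18T18:00:00+00:00")           # fixed so the demo is reproducible


@dataclass
class Commit:
    sha: str
    sig: str
    author_name: str
    author_email: str
    author_date: datetime
    commit_date: datetime


def parse_log(text):
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, sig, name, email, adate, cdate = line.split("\t")
        commits.append(Commit(sha, sig, name, email,
                              datetime.fromisoformat(adate), datetime.fromisoformat(cdate)))
    return commits


def audit_commits(commits, repo_created, now, max_skew=timedelta(days=1)):
    """Return (sha, reason) pairs. Each check targets one spoofing lever:
    identity (only a signature ties the commit to the claimed author),
    backdating (dates older than the repository) and impossible dates."""
    findings = []
    for c in commits:
        if c.sig not in VALID_SIGNATURE:
            findings.append((c.sha, f"no valid signature (%G?={c.sig}): author identity unverified"))
        if c.author_date < repo_created:
            findings.append((c.sha, "author date predates repository creation (backdated?)"))
        if c.commit_date > now + max_skew:
            findings.append((c.sha, "commit date lies in the future"))
        if abs(c.commit_date - c.author_date) > max_skew:
            findings.append((c.sha, "author and committer dates disagree by more than max_skew"))
    return findings


def run_demo():
    return audit_commits(parse_log(SAMPLE_LOG), REPO_CREATED, NOW)


if __name__ == "__main__":
    for sha, reason in run_demo():
        print(sha, reason)
```

`%G?` only reports a good signature when the signing key is available locally (gpg keyring, or an allowed-signers file for SSH signatures), so an "N" or "E" for a contributor you have not imported is a prompt to check, not proof of spoofing. The author/committer skew check also fires on legitimate rebases and cherry-picks; treat all findings as triage signals. On GitHub, vigilant mode marks every unsigned commit attributed to you as "Unverified", which is the cheapest defence against having your name borrowed.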
Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability
Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022.
https://msrc-blog.microsoft.com/2022/07/18/mitigation-for-azure-storage-sdk-client-side-encryption-padding-oracle-vulnerability/
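A padding oracle, the class of flaw named in the advisory above, arises when CBC-mode ciphertext is decrypted and a bad-padding failure is distinguishable from other outcomes before any integrity check has run; whoever can submit modified ciphertext and observe that difference can decrypt without the key. The following is an added example, not Microsoft's or Google's code and not the Azure SDK: it runs the classic byte-at-a-time attack against a toy CBC implementation (a keyed Feistel network stands in for AES so the block needs only the standard library), handles the last-byte ambiguity, and then shows the same oracle becoming useless once the message carries an HMAC that is verified before decryption. Keys, IV and plaintext are constructed.

```python
"""CBC padding-oracle demo (added example, stdlib only). The block cipher is a
4-round Feistel network keyed with SHA-256: NOT AES and not secure, it only
stands in for a real cipher. The attack edits the previous ciphertext block only."""
import hashlib
import hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):                             # Feistel: SHA-256 as round function
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return l + r

def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, hashlib.sha256(key + bytes([rnd]) + l).digest()[:8]), l
    return l + r

def pad(data):                                       # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")              # the distinguishable failure is the leak
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(prev, decrypt_block(key, ciphertext[i:i + BLOCK]))
        prev = ciphertext[i:i + BLOCK]
    return out

def make_oracle(key, mac_key=None):
    """Server side. mac_key=None leaks padding validity; with it, encrypt-then-MAC rejects
    any tampered (iv, ct) before the padding is ever examined."""
    def oracle(iv, ct, tag=b""):
        if mac_key is not None and not hmac.compare_digest(
                hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
            return False
        try:
            unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev, target):
    inter, plain = bytearray(BLOCK), bytearray(BLOCK)  # inter = D_K(target), unknown to us
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval            # bytes after pos now decrypt to padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:                     # last byte: rule out an accidental 02 02, 03 03 03 ...
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged), target):
                    continue
            inter[pos] = guess ^ padval
            plain[pos] = inter[pos] ^ prev[pos]
            break
        else:
            raise RuntimeError("oracle never accepted a forgery: nothing leaks")
    return bytes(plain)

def padding_oracle_attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                          for i in range(1, len(blocks))))

KEY = hashlib.sha256(b"demo data key").digest()      # constructed demo keys/data, not real
MAC_KEY = hashlib.sha256(b"demo mac key").digest()
IV, SECRET = bytes(range(BLOCK)), b"account=alice;balance=1337"

def demo():
    """Returns (plaintext recovered via the leaky oracle, True if the MAC'd oracle stops the attack)."""
    ct = cbc_encrypt(KEY, IV, pad(SECRET))
    recovered = padding_oracle_attack(make_oracle(KEY), IV, ct)
    tag = hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()
    fixed = make_oracle(KEY, MAC_KEY)
    try:
        padding_oracle_attack(lambda iv, c: fixed(iv, c, tag), IV, ct)
        return recovered, False
    except RuntimeError:
        return recovered, True
```

Against the leaky oracle `demo()` recovers the whole plaintext with at most 256 queries per byte and never touches the key; against the MAC'd variant every forged block is rejected before unpadding, so `recover_block` finds nothing and gives up. The fix is authenticated encryption (encrypt-then-MAC as here, or an AEAD mode) with a constant-time tag comparison such as `hmac.compare_digest`; merely making the padding error message generic is not enough if timing or any other side channel still tells the two failures apart.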
Month of PowerShell - Working with the Event Log, Part 3 - Accessing Message Elements
In part 3 of Working with the Event Log we look at using a third-party function to make accessing event log data much easier.
https://www.sans.org/blog/working-with-the-event-log-part-3-accessing-message-elements?msc=rss
Month of PowerShell - Working with the Event Log, Part 4 - Tweaking Event Log Settings
In this final part of this series on working with the event log in PowerShell, we look at tips and commands for tweaking event log settings.
https://www.sans.org/blog/working-with-the-event-log-part-4-tweaking-event-log-settings?msc=rss
Genesis - The Birth of a Windows Process (Part 2)
In this second and final part of the series, we will go through the exact flow CreateProcess carries out to launch a process on Windows, using the APIs and data structures discussed in Part 1.
https://fourcore.io/blogs/how-a-windows-process-is-created-part-2
Vulnerabilities
New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain
Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," [...]
https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html
Security updates for Monday
Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, [...]
https://lwn.net/Articles/901699/
Log4j vulnerability: German SMEs asleep at the wheel, DHS sees a problem for years to come
The Log4Shell vulnerability in the Log4j library, exploitable in Java, is presumably present in many systems and software packages. Experts estimate the problem will stay with us for years, and that has not yet registered with German SMEs. The Department of Homeland Security also [...]
https://www.borncity.com/blog/2022/07/17/log4j-schwachstelle-mittelstand-schlft-dhs-sieht-problem-fr-jahre/
SonicWall Switch Post-Authenticated Remote Code Execution
A vulnerability in SonicWall Switch 1.1.1.0-2s and earlier allows an authenticated malicious user to perform remote code execution in the host system.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0013
Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system
https://cert.vde.com/de/advisories/VDE-2022-027/
Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system
https://cert.vde.com/de/advisories/VDE-2022-022/
Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-could-disclose-sensitive-database-information-to-a-local-user-in-plain-text-cve-2022-22367-2/
Security Bulletin: The CVE-2022-34305 vulnerability in Apache Tomcat affects App Connect Professional.
https://www.ibm.com/blogs/psirt/security-bulletin-the-cve-2022-34305-vulnerability-in-apache-tomcat-affects-app-connect-professional/
Security Bulletin: There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788)
https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulnerabilites-that-affect-ibm-engineering-requirements-quality-assistant-on-premises-cve-2022-0778-cve-2021-38868-cve-2021-29799-cve-2021-29790-cve-2021-297/
Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities due to its use of IBM JAVA (CVE-2021-35560, CVE-2021-35578, CVE-2021-35565, CVE-2021-35603)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-is-vulnerable-to-multiple-vulnerabilities-due-to-its-use-of-ibm-java-cve-2021-35560-cve-2021-35578-cve-2021-35565-cve-2021-35/
Security Bulletin: An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware.
https://www.ibm.com/blogs/psirt/security-bulletin-an-attacker-that-gains-service-access-to-the-fsp-power9-only-or-gains-admin-authority-to-a-partition-can-compromise-partition-firmware/
Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial of service due to its use of Apache Xerces2 (CVE-2022-23437)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-is-vulnerable-to-a-denial-server-due-to-its-use-of-apache-xerces2-cve-2022-23437/
Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects PowerVM
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-cve-2022-0778-affects-powervm/
Security Bulletin: The vulnerability CVE-2022-21299 in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-the-vulnerability-cve-2022-21299-in-ibm-java-sdk-affects-ibm-websphere-cast-iron-solution-app-connect-professional/
Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-vulnerable-to-information-disclosure-which-can-be-read-by-a-local-user-cve-2022-22366-2/
Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS (CVE-2021-22918, CVE-2021-22960, CVE-2021-22959)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-is-vulnerable-to-multiple-security-vulnerabilities-due-to-its-use-of-nodejs-cve-2021-22918-cve-2021-22960-cve-2021-22959/
Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-opensource-package-affects-ibm-vm-recovery-manager-ha-dr-gui/
Security Bulletin: Vulnerability in the jackson-databind component affects IBM Event Streams
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-jackson-databind-component-affects-ibm-event-streams/