End-of-Day report
Timeframe: Thursday 21-07-2022 18:00 - Friday 22-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
SATAn attack: repurposed SATA cable transmits secret information
Security researchers who specialise in attacks on isolated air-gap systems have presented a new method.
https://heise.de/-7186463
Confluence Security Advisory 2022-07-20
Confluence published Security Advisory 2022-07-20 on 20 July 2022 and updated it today. The advisory concerns Confluence accounts with hard-coded credentials that were created by Questions for Confluence. This affects the Confluence app for Confluence Server and Confluence Data Center.
https://www.borncity.com/blog/2022/07/21/confluence-security-advisory-2022-07-20/
Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too
After laying low, exploit seller Candiru rears its ugly head once more.
https://arstechnica.com/?p=1868594
Maldoc: non-ASCII VBA Identifiers, (Thu, Jul 21st)
I found a malicious Office document with VBA code where most of the identifiers (variables, function names, ...) consist solely of characters that are not ASCII (e.g., these characters have values between 128 and 255).
https://isc.sans.edu/diary/rss/28866
An Analysis of a Discerning Phishing Website, (Fri, Jul 22nd)
Cybercriminals and adversaries have long used phishing websites to obtain credentials and access systems they usually would not have access to. Indeed, it could be more cost-effective than other methods, such as buying zero-day vulnerabilities and weaponizing them. I was alerted to a phishing attempt and requested further details. After doing some analysis, I observed several differences and technological improvements that the adversaries had made as compared to the usual phishing attempts.
https://isc.sans.edu/diary/rss/28870
Month of PowerShell - Recording Your Session with Start-Transcript
PowerShell allows us to create a transaction file of all commands entered and output received, perfect for pentests, incident response, and more!
https://www.sans.org/blog/recording-your-session-with-start-transcript
Cryptominers & WebAssembly in Website Malware
WebAssembly (also referred to as Wasm) is a binary instruction format that runs in the browser to enable high-performance applications on web pages and can be executed much faster than traditional JavaScript. WebAssembly can be executed in a variety of environments, including servers, IoT devices, and mobile or desktop apps - but was originally designed to run on the web.
https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware.html
An Easier Way to Keep Old Python Code Healthy and Secure
Python has its pros and cons, but it's nonetheless used extensively. For example, Python is frequently used in data crunching tasks even when there are more appropriate languages to choose from. Why? Well, Python is relatively easy to learn. Someone with a science background can pick up Python much more quickly than, say, C. However, Python's inherent approachability also creates a couple of problems.
https://thehackernews.com/2022/07/an-easier-way-to-keep-old-python-code.html
Sh*Load Exploits (Episode V: Return of the Error)
Our first post in the Firmware Developers Need To Know blog series, Episode I: The Last Error, pointed out the benefits of adopting clean error codes. And then two weeks later, TLStorm, bam. Armis research engineers announced the discovery of three vulnerabilities in APC devices. The key problem: ignoring error codes! Unfortunately, little attention or thought is paid to error codes within firmware code (and many critical open source projects).
https://dellfer.com/shload-exploits-episode-v-return-of-the-error/
PART 1: How I Met Your Beacon - Overview
During this research we will outline a number of effective strategies for hunting for beacons, supported by our BeaconHunter tool that we developed to execute these strategies and which we intend to open source in due course.
https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/
Cloud Threat Detection: To Agent or Not to Agent?
Should you be using agents to secure cloud applications, or not? The answer depends on what exactly you're trying to secure.
https://www.rapid7.com/blog/post/2022/07/22/cloud-threat-detection-to-agent-or-not-to-agent/
Vulnerabilities
IBM Security Bulletins 2022-07-21
IBM Cloud App Management, IBM Cloud Pak for Multicloud Management Monitoring, IBM Rational Build Forge, IBM Rational Build Forge, IBM Cloud App Management, IBM Tivoli Netcool Manager.
https://www.ibm.com/blogs/psirt/
Security updates for Friday
Security updates have been issued by Fedora (gnupg2, oci-seccomp-bpf-hook, suricata, and vim), Oracle (java-11-openjdk), Slackware (net), and SUSE (kernel, nodejs16, rubygem-rack, and webkit2gtk3).
https://lwn.net/Articles/902184/
Moodle: Multiple vulnerabilities
A remote, authenticated attacker can exploit multiple vulnerabilities in Moodle to execute arbitrary code, manipulate files, disclose information or carry out a cross-site scripting attack.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0797
Veritas NetBackup: Multiple vulnerabilities
A remote, authenticated attacker can exploit multiple vulnerabilities in Veritas NetBackup to execute arbitrary code or escalate privileges.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0801
Veritas NetBackup: Multiple vulnerabilities
A remote, anonymous, authenticated or local attacker can exploit a vulnerability in Veritas NetBackup to execute arbitrary code, disclose confidential information, trigger a denial-of-service condition, escalate privileges and manipulate directories.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0802
F-Secure Linux Security: Multiple vulnerabilities enable denial of service
A remote, anonymous attacker can exploit multiple vulnerabilities in F-Secure Linux Security and F-Secure Internet Gatekeeper to carry out a denial-of-service attack.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0803
AutomationDirect Stride Field I/O
This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect products.
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-05
ICONICS Suite and Mitsubishi Electric MC Works64 Products
This advisory contains mitigations for Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere and Out-of-Bounds Read vulnerabilities in the SCADA products.
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04
Rockwell Automation ISaGRAF Workbench
This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the ISaGRAF Workbench.
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-03
Johnson Controls Metasys ADS, ADX, OAS
This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the Metasys ADS, ADX, OAS.
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-02
ABB Drive Composer, Automation Builder, Mint Workbench
This advisory contains mitigations for Improper Privilege Management vulnerabilities in the ABB products.
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-01
Unauthenticated SQL Injection in SonicWall GMS and Analytics
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0007