Daily summary - 25.07.2022

End-of-Day report

Timeframe: Friday 22-07-2022 18:00 - Monday 25-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

News

Windows security: Microsoft hardens RDP, MS Office and protected processes

Automatic login lockouts, protection against macros and password theft: a lot is happening behind the scenes, but Microsoft struggles to communicate it.

https://heise.de/-7189313


Beware of fake Post and DHL e-mails

Criminals pose as the Post or DHL and send fraudulent e-mails indiscriminately. The e-mails, with subjects such as "Your parcel is waiting for delivery" or "Your parcel has just arrived at the local post office", claim that a parcel has arrived but cannot be delivered because customs or delivery fees are still outstanding. You are asked to click a link. Ignore such e-mails; they are fake.

https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-post-und-dhl-mails/


CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit

In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor.

https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/


Month of PowerShell: Process Threat Hunting, Part 1

PowerShell is a powerful tool for threat hunting. Here we look at PowerShell threat hunting steps by assessing processes on Windows.

https://www.sans.org/blog/process-threat-hunting-part-1/


Month of PowerShell - The Curious Case of AD User Properties

Where are all of the user properties for Active Directory users for Get-ADUSer?

https://www.sans.org/blog/curious-case-ad-user-properties/


Month of PowerShell: Process Threat Hunting, Part 2

We continue our look at PowerShell threat hunting through process analysis, identifying Command & Control/C2 threats on a Windows system.

https://www.sans.org/blog/process-threat-hunting-part-2/
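Added example, not taken from either SANS post: a single PowerShell pass over the running processes that combines the two hunting angles the two parts describe, parent/child relationships (Part 1) and processes holding established outbound connections that may be C2 (Part 2). The list of "suspicious parents", the user-writable path pattern and the private-address regex are assumptions chosen for illustration and should be tuned per environment. Run it in an elevated PowerShell on Windows 8/Server 2012 or later (Get-NetTCPConnection needs the NetTCPIP module).

```powershell
# Added example (not from the SANS posts): correlate each running process with its
# parent and with established TCP connections to non-private addresses, then
# report the cases a hunter would triage first.

# One snapshot of all processes; Win32_Process exposes ParentProcessId and CommandLine.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Established connections to addresses outside loopback/RFC1918/link-local (regex is an assumption).
$privateRe = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $privateRe }
$connsByPid = @{}
if ($conns) { $connsByPid = $conns | Group-Object -Property OwningProcess -AsHashTable -AsString }

# Parents that rarely have a legitimate reason to spawn children (assumption; extend per environment).
$suspiciousParents = 'WINWORD.EXE','EXCEL.EXE','POWERPNT.EXE','OUTLOOK.EXE','mshta.exe','wscript.exe','cscript.exe'

$findings = foreach ($p in $procs) {
    $parent  = $byPid[[int]$p.ParentProcessId]
    $remote  = $connsByPid["$($p.ProcessId)"]
    $reasons = @()

    if ($remote) {
        # Distinct remote endpoints this PID is talking to.
        $dests = ($remote | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique) -join ', '
        $reasons += "external connection(s): $dests"
    }
    if ($parent -and ($suspiciousParents -contains $parent.Name)) {
        $reasons += "spawned by $($parent.Name) (PID $($parent.ProcessId))"
    }
    if ($p.ExecutablePath -and ($p.ExecutablePath -match '\\(Temp|AppData\\Local\\Temp|Downloads)\\')) {
        $reasons += "running from user-writable path $($p.ExecutablePath)"
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            ParentPID   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $p.CommandLine
            Reasons     = $reasons -join '; '
        }
    }
}

$findings | Sort-Object PID | Format-Table -AutoSize -Wrap
```

A parent that has already exited shows up as `<exited>` rather than being silently dropped, because an orphaned process with an external connection is itself worth a look. CommandLine is empty for protected processes, which is normal and not a finding by itself.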


Defeating Javascript Obfuscation

To make a long story short, I'm releasing a Javascript deobfuscation tool called REstringer. To make a short story long - I want to share my incentive for creating the tool, some design decisions, and the process through which I'm adding new capabilities to it - so you can join in on the fun!

https://www.perimeterx.com/tech-blog/2022/defeating-javascript-obfuscation/


A repository of Windows persistence mechanisms

The repository gathers information about Windows persistence mechanisms to make protection and detection more efficient. Most of the information has been well known for years and is actively used in various scenarios.

https://persistence-info.github.io/


IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation

We developed an open source tool, IAM-Deescalate, to help mitigate the privilege escalation risks of overly permissive identities in AWS.

https://unit42.paloaltonetworks.com/iam-deescalate/


Case closed: DIVD-2022-00009 - SolarMan backend administrator account/password

DIVD researcher Jelle Ursem found the password of the super user of the web backend for all SolarMan / Solis / Omnik / Ginlong inverters, loggers, and batteries. The password has been changed now, and the repository containing the password has been deleted.

https://csirt.divd.nl/cases/DIVD-2022-00009/


Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers

The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched.

https://asec.ahnlab.com/en/36820/

Vulnerabilities

Google Chrome: update closes high-risk security holes

Google has released an update for Chrome that closes eleven potential security vulnerabilities, five of which are rated High.

https://www.golem.de/news/google-chrome-update-schliesst-hochrisiko-sicherheitsloecher-2207-167127.html


Attackers could crash the scan engine of F-Secure and WithSecure

Patches close several vulnerabilities in security products from WithSecure, formerly F-Secure.

https://heise.de/-7189082


Technical Advisory - Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)

The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities that could affect the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven vulnerabilities were discovered.

https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/


Security updates for Monday

Security updates have been issued by Debian (chromium, djangorestframework, gsasl, and openjdk-11), Fedora (giflib, openssl, python-ujson, and xen), Mageia (virtualbox), SUSE (git, gpg2, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, mozilla-nspr, mozilla-nss, mozilla-nss, python-M2Crypto, and s390-tools), and Ubuntu (php8.1).

https://lwn.net/Articles/902400/


WordPress Plugin "Newsletter" vulnerable to cross-site scripting

https://jvn.jp/en/jp/JVN77850327/


Multiple vulnerabilities in untangle

https://jvn.jp/en/jp/JVN30454777/


K08152433: Intel processors MMIO stale data vulnerability CVE-2022-21166

https://support.f5.com/csp/article/K08152433/


Unify OpenScape Branch: vulnerability allows code execution

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0814


Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288)

https://www.ibm.com/blogs/psirt/security-bulletin-a-failed-attempt-to-regenerate-an-ibm-security-verify-information-queue-api-token-reveals-sensitive-data-cve-2022-35288/


Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-pak-for-multicloud-management-managed-services-2/


Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics - Log Analysis (CVE-2019-17571, CVE-2020-9488)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4j-affect-ibm-operations-analytics-log-analysis-cve-2019-17571-cve-2020-9488/


Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-apache-struts-affect-ibm-sterling-file-gateway-cve-2019-0233-cve-2019-0230-4/


Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-information-queue-distributes-configuration-files-with-hard-coded-credentials-cve-2022-35287/


Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23307).

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-apache-log4j-vulnerability-cve-2022-23307/


Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics - Log Analysis (CVE-2021-44832, CVE-2021-45105)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4j-core-2-16-0-jar-affect-ibm-operations-analytics-log-analysis-cve-2021-44832-cve-2021-45105-2/


Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics - Log Analysis

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-log4j-1-2-16-jar-used-by-ibm-operations-analytics-log-analysis/


Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285)

https://www.ibm.com/blogs/psirt/security-bulletin-audit-events-query-facility-in-ibm-security-verify-information-queue-is-vulnerable-to-sql-injection-cve-2022-35285/


Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284)

https://www.ibm.com/blogs/psirt/security-bulletin-session-cookie-used-by-ibm-security-verify-information-queue-is-not-properly-secured-cve-2022-35284/


Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-pak-for-multicloud-management-managed-services/