Daily summary - 27.07.2022

End-of-Day report

Timeframe: Tuesday 26-07-2022 18:00 - Wednesday 27-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

News

Scans for vulnerable PCs start 15 minutes after a vulnerability becomes known

According to a current report on IT security incidents, the cat-and-mouse game between admins and cybercriminals is intensifying.

https://heise.de/-7191301


Cybercrime: less ransomware, but more malware again

In 2022 the malware volume rose again for the first time, while the number of ransomware attacks fell - at least globally, since the opposite trend applies in Europe.

https://heise.de/-7191680


Students beware: akademischeslektorat.com is untrustworthy!

If you are looking for proofreading, a plagiarism check or translation work for academic papers, you may come across akademischeslektorat.com during your search. We advise against using its offers, because according to user reports the services are of poor quality or are not delivered at all, and former employees as well as the review site Trustpilot warn against the provider.

https://www.watchlist-internet.at/news/studentinnen-aufgepasst-akademischeslektoratcom-ist-unserioes/


Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits

MSTIC and MSRC disclose technical details of a private-sector offensive actor (PSOA) tracked as KNOTWEED using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers.

https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/


Month of PowerShell: Fileless Malware with Get-Clipboard

In this article we look at using PowerShell maliciously while evading detection.

https://www.sans.org/blog/fileless-malware-get-clipboard/


DHL Phishing Page Uses Telegram Bot for Exfiltration

One of the quickest ways for an attacker to harvest financial data, credentials, and sensitive personal information is through phishing. These social engineering attacks can typically be found masquerading as a trusted or recognizable service, intent on tricking unsuspecting users into submitting sensitive information on the attacker's customized web page.

https://blog.sucuri.net/2022/07/dhl-phishing-page-uses-telegram-bot-for-exfiltration.html


Inside Matanbuchus: A Quirky Loader

This blog post will shed light on Matanbuchus' main stage, the second stage of the loader. From our point of view, the second stage is the more interesting component of the loader, as it involves many payload loading techniques. By dissecting the loader's features and capabilities, we will attempt to answer whether Matanbuchus is a loader malware, as it markets itself, or if it is more like a bot service.

https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader


Top 10 Awesome Open-Source Adversary Simulation Tools

Cyberattack simulation, aka Threat Simulation, is an emerging IT security technology that can help discover gaps, vulnerabilities, and misconfigurations in your security infrastructure. We will take a look at the need for adversary simulation and the top ten open-source adversary simulation tools.

https://fourcore.io/blogs/top-10-open-source-adversary-emulation-tools


Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack

Over the last few years, multiple VMware ESXi remote, unauthenticated code execution vulnerabilities have been publicly disclosed. Some were also found to be exploited in the wild. Since these bugs were found in ESXi's implementation of the SLP service, VMware provided workarounds to turn off the service. VMware also disabled the service by default starting with ESX 7.0 Update 2c. In this blog post, we explore another remotely reachable attack surface: ESXi's TCP/IP stack.

https://www.thezdi.com/blog/2022/7/25/looking-at-patch-gap-vulnerabilities-in-the-vmware-esxi-tcpip-stack


What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads

In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations' harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization's emails to deliver their threat.

http://blog.talosintelligence.com/2022/07/what-talos-incident-response-learned.html

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by Debian (kernel and openjdk-17), Fedora (ceph, lua, and moodle), Oracle (java-1.8.0-openjdk), Red Hat (grafana), SUSE (git, kernel, libxml2, nodejs16, and squid), and Ubuntu (imagemagick, protobuf-c, and vim).

https://lwn.net/Articles/902642/


Samba: multiple vulnerabilities

A remote, authenticated attacker can exploit multiple vulnerabilities in Samba to bypass security measures, disclose information, cause a denial of service condition or escalate privileges.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0842


MOXA NPort 5110

This advisory contains mitigations for an Out-of-bounds Write vulnerability in MOXA NPort 5110, a device server.

https://us-cert.cisa.gov/ics/advisories/icsa-22-207-04


Honeywell Saia Burgess PG5 PCD

This advisory contains mitigations for Authentication Bypass and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Honeywell Saia Burgess PG5 PCD, a PLC.

https://us-cert.cisa.gov/ics/advisories/icsa-22-207-03


Honeywell Safety Manager

This advisory contains mitigations for Insufficient Verification of Data Authenticity, Missing Authentication for Critical Function, and Use of Hard-coded Credentials vulnerabilities in Honeywell Safety Manager, a safety solution of the Experion Process Knowledge System.

https://us-cert.cisa.gov/ics/advisories/icsa-22-207-02


Inductive Automation Ignition

This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software.

https://us-cert.cisa.gov/ics/advisories/icsa-22-207-01


CVE-2022-35629..35632 Velociraptor Multiple Vulnerabilities (FIXED)

This advisory covers a number of issues identified in Velociraptor and fixed as of Version 0.6.5-2, released July 26, 2022.

https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velociraptor-multiple-vulnerabilities-fixed/


Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest (CVE-2021-35561, CVE-2022-21299, CVE-2022-21496)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-java-runtime-affect-ibm-rational-clearquest-cve-2021-35561-cve-2022-21299-cve-2022-21496/


Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-are-addressed-with-ibm-cloud-pak-for-business-automation-ifixes-for-june-2022-2/


Security Bulletin: IBM QRadar SIEM is vulnerable to local privilege escalation (CVE-2021-39088)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-local-privilege-escalation-cve-2021-39088/


Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-0778, CVE-2022-1292)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-rational-clearquest-cve-2022-0778-cve-2022-1292/


Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2022-0778)

https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qradar-siem-is-vulnerable-to-denial-of-service-cve-2022-0778/


Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-java-runtime-affect-ibm-rational-clearquest-3/


Security Bulletin: IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-application-framework-base-image-is-vulnerable-to-using-components-with-known-vulnerabilities-2/


Security Bulletin: Apache Commons Email as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2017-9801, CVE-2018-1294)

https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-email-as-used-by-ibm-qradar-siem-is-vulnerable-to-information-disclosure-cve-2017-9801-cve-2018-1294/


Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise are vulnerable to a denial of service due to jackson-databind (CVE-2020-36518)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-ibm-app-connect-enterprise-are-vulnerable-to-a-denial-of-service-due-to-jackson-databind-cve-2020-36518/


Security Bulletin: IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-ibm-maximo-manage-in-ibm-maximo-application-suite-and-ibm-maximo-manage-in-ibm-maximo-application-suite-as-a-service-may-be-affected-by-xml-external-ent/


Security Bulletin: Multiple vulnerabilities affect IBM Engineering Test Management product due to XStream

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-affect-ibm-engineering-test-management-product-due-to-xstream/


Security Bulletin: Apache Derby security vulnerabilities in IBM System Dashboard for Enterprise Content Manager (affected, not vulnerable)

https://www.ibm.com/blogs/psirt/security-bulletin-apache-derby-security-vulnerabilities-in-ibm-system-dashboard-for-enterprise-content-manager-affected-not-vulnerable/