Tageszusammenfassung - 28.07.2022

End-of-Day report

Timeframe: Mittwoch 27-07-2022 18:00 - Donnerstag 28-07-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner


LofyLife: malicious npm packages steal Discord tokens and bank card data

This week, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign -LofyLife-.


Month of PowerShell - PowerShell Remoting, Part 1

In this article, we discuss perhaps the most immediately-valuable feature in PowerShell for Windows administrators, the ability to run PowerShell commands on remote systems.


Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack

In this blog post, we explore another remotely reachable attack surface: ESXi-s TCP/IP stack implemented as a VMkernel module. The most interesting outcome of this analysis is that ESXi-s TCP/IP stack is based on FreeBSD 8.2 and does not include security patches for the vulnerabilities disclosed over the years since that release of FreeBSD. This result also prompted us to analyze the nature of vulnerabilities disclosed in other open-source components used by VMware, such as OpenSLP and ISC-DHCP.


Vorsicht vor Fake Last-Minute-Angeboten auf Mallorca und Ibiza!

Die Hitze schlägt zu und Kurzentschlossene suchen nach den letzten verfügbaren Ferienhäusern, um ein paar Tage am Meer zu verbringen. Doch Vorsicht: Kriminelle versuchen Sie mit attraktiven Angeboten in die Falle zu locken! Wird eine Vorauszahlung für ein Ferienhaus verlangt, brechen Sie den Kontakt ab, Ihr Geld ist sonst verloren!


MFA hilft gegen Ransomware

Die Multi-Faktor-Authentifizierung (MFA) funktioniert. Die europäische Polizeibehörde Europol erklärt, wie Ransomware-Banden ihre Angriffe aufgegeben haben, als sie auf die MFA-Sicherheit trafen.


IIS-Attacken auf Exchange Server

Microsoft warnt vor heimlichen Backdoor-Angriffen auf Exchange Server mittels bösartiger IIS-Erweiterungen.


CISA Releases Log4Shell-Related MAR

>From May through June 2022, CISA responded to an organization that was compromised by an exploitation of an unpatched and unmitigated Log4Shell vulnerability in a VMware Horizon server. CISA analyzed five malware samples obtained from the organization-s network and released a Malware Analysis Report of the findings.


SharpTongue Deploys Clever Mail-Stealing Browser Extension -SHARPEXT-

One frequently encountered-that often results in forensics investigations on compromised systems-is tracked by Volexity as SharpTongue. [..] Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe and South Korea ...



"JustSystems JUST Online Update for J-License" starts a program with an unquoted file path

"JustSystems JUST Online Update for J-License" bundled with multiple JustSystems products for corporate users starts another program with an unquoted file path.


Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051

Project: Tagify Security risk: Moderately critical Description: This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.The module doesnt sufficiently check access for the add operation.


PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050

Project: PDF generator API Security risk: Moderately critical Description: This module enables you to generate PDF versions of content.Some installations of the module make use of the dompdf/dompdf third-party dependency.Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes.


Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

Project: Context Security risk: Moderately critical Description: This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".


Sicherheitsupdates: Angreifer könnten Veritas NetBackup vielfältig attackieren

Die Entwickler haben in aktuellen Versionen der Backuplösung NetBackup von Veritas unter anderem kritische Lücken geschlossen.


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen).


Trend Micro Produkte: Schwachstelle ermöglicht Privilegieneskalation

Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro Apex One und Trend Micro Worry-Free Business Security ausnutzen, um seine Privilegien zu erhöhen.


Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Jira Software ausnutzen, um Informationen offenzulegen.


McAfee Agent: Schwachstelle ermöglicht Privilegieneskalation

Ein lokaler Angreifer kann eine Schwachstelle im McAfee Agent ausnutzen, um seine Privilegien zu erhöhen und beliebigen Code mit Administratorrechten auszuführen.


Jenkins: Mehrere Schwachstellen

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um einen Cross Site Scripting oder CSRF Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder Daten zu manipulieren


Security Bulletin: OpenSSL for IBM i is vulnerable to arbitrary command execution (CVE-2022-2068)


Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities


Security Bulletin: Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29526)


Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476)