End-of-Day report
Timeframe: Wednesday 27-07-2022 18:00 - Thursday 28-07-2022 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
News
LofyLife: malicious npm packages steal Discord tokens and bank card data
This week, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign "LofyLife".
https://securelist.com/lofylife-malicious-npm-packages/107014/
Month of PowerShell - PowerShell Remoting, Part 1
In this article, we discuss perhaps the most immediately-valuable feature in PowerShell for Windows administrators, the ability to run PowerShell commands on remote systems.
https://www.sans.org/blog/powershell-remoting-part-1?msc=rss
Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack
In this blog post, we explore another remotely reachable attack surface: ESXi's TCP/IP stack implemented as a VMkernel module. The most interesting outcome of this analysis is that ESXi's TCP/IP stack is based on FreeBSD 8.2 and does not include security patches for the vulnerabilities disclosed over the years since that release of FreeBSD.
This result also prompted us to analyze the nature of vulnerabilities disclosed in other open-source components used by VMware, such as OpenSLP and ISC-DHCP.
https://www.zerodayinitiative.com/blog/2022/7/25/looking-at-patch-gap-vulnerabilities-in-the-vmware-esxi-tcpip-stack
Beware of fake last-minute offers on Mallorca and Ibiza!
The heat is on and spontaneous travellers are looking for the last available holiday homes to spend a few days by the sea. But be careful: criminals are trying to lure you into a trap with attractive offers! If an advance payment is demanded for a holiday home, break off contact; otherwise your money is gone!
https://www.watchlist-internet.at/news/vorsicht-vor-fake-last-minute-angeboten-auf-mallorca-und-ibiza/
MFA helps against ransomware
Multi-factor authentication (MFA) works. The European police agency Europol explains how ransomware gangs abandoned their attacks when they ran into MFA.
https://www.zdnet.de/88402613/mfa-hilft-gegen-ransomware/
IIS attacks on Exchange Server
Microsoft warns of stealthy backdoor attacks on Exchange Server using malicious IIS extensions.
https://www.zdnet.de/88402615/iis-attacken-auf-exchange-server/
CISA Releases Log4Shell-Related MAR
From May through June 2022, CISA responded to an organization that was compromised by an exploitation of an unpatched and unmitigated Log4Shell vulnerability in a VMware Horizon server. CISA analyzed five malware samples obtained from the organization's network and released a Malware Analysis Report of the findings.
https://us-cert.cisa.gov/ncas/current-activity/2022/07/28/cisa-releases-log4shell-related-mar-0
SharpTongue Deploys Clever Mail-Stealing Browser Extension -SHARPEXT-
One frequently encountered, which often results in forensics investigations on compromised systems, is tracked by Volexity as SharpTongue. [..] Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe and South Korea ...
https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
Vulnerabilities
"JustSystems JUST Online Update for J-License" starts a program with an unquoted file path
"JustSystems JUST Online Update for J-License" bundled with multiple JustSystems products for corporate users starts another program with an unquoted file path.
https://jvn.jp/en/jp/JVN57073973/
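As an added illustration of the bug class behind this advisory (example code written for this digest, not from JVN or JustSystems; the vendor path in the sample is made up and the function names are illustrative): when a Windows program is launched from an unquoted path that contains spaces, CreateProcess probes a series of shorter file names before the intended binary, so a writable directory anywhere on that prefix chain lets a local user plant an executable that runs with the launcher's privileges. The first function lists those probe candidates for a given command line; the second applies it to the services on a Windows host and checks whether the current user could create each candidate.

```powershell
# Added example for this digest (not code from JVN or JustSystems).
# Shows why an unquoted image path with spaces is exploitable and how to
# check a Windows host for services with the same weakness.

function Get-UnquotedPathCandidates {
    <#
      Returns the files CreateProcess probes *before* the intended binary
      when the module path is unquoted and contains spaces. For
        C:\Program Files\Vendor\Tool Update\upd.exe -quiet
      that is  C:\Program.exe  and  C:\Program Files\Vendor\Tool.exe .
      If an attacker can write either file, it runs with the launcher's
      privileges. A quoted path yields no candidates.
    #>
    param([Parameter(Mandatory)][string]$CommandLine)

    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) { return @() }

    # Cut arguments off: the module path ends at the first ".exe".
    $exeIdx = $cmd.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($exeIdx -lt 0) { return @() }
    $imagePath = $cmd.Substring(0, $exeIdx + 4)

    $tokens = $imagePath -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $tokens.Length; $i++) {
        $prefix = $tokens[0..($i - 1)] -join ' '
        # Windows appends .exe only when the leaf name has no extension.
        if ((Split-Path -Leaf $prefix) -match '\.') { $candidates += $prefix }
        else { $candidates += "$prefix.exe" }
    }
    return $candidates
}

function Test-UnquotedServicePaths {
    <#
      Lists services whose PathName is unquoted and contains spaces, together
      with the hijack candidates and whether the current user could create
      them (tested by creating and deleting a random file in the candidate's
      directory). Needs a Windows host; run elevated to see all services.
    #>
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and -not $_.PathName.StartsWith('"') } |
        ForEach-Object {
            $svc = $_
            foreach ($cand in Get-UnquotedPathCandidates -CommandLine $svc.PathName) {
                $dir = Split-Path -Parent $cand
                $writable = $false
                if (Test-Path -LiteralPath $dir -PathType Container) {
                    $probe = Join-Path $dir ([System.IO.Path]::GetRandomFileName())
                    try {
                        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
                        Remove-Item -LiteralPath $probe -Force
                        $writable = $true
                    } catch { $writable = $false }
                }
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartName = $svc.StartName
                    PathName  = $svc.PathName
                    Candidate = $cand
                    Writable  = $writable
                }
            }
        }
}

# Constructed samples (hypothetical vendor path, not a JustSystems path):
Get-UnquotedPathCandidates 'C:\Program Files\Vendor\Tool Update\upd.exe -quiet'
Get-UnquotedPathCandidates '"C:\Program Files\Vendor\Tool Update\upd.exe" -quiet'

# On a Windows host, show only the exploitable ones:
# Test-UnquotedServicePaths | Where-Object Writable | Format-Table -AutoSize
```

The fix on the vendor side is simply to quote the path; on the administrator side, the same check applies to scheduled tasks and Run keys, and a service that runs as LocalSystem with a writable candidate directory is a straightforward local privilege escalation.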
Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051
Project: Tagify
Security risk: Moderately critical
Description: This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance. The module doesn't sufficiently check access for the add operation.
https://www.drupal.org/sa-contrib-2022-051
PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050
Project: PDF generator API
Security risk: Moderately critical
Description: This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes.
https://www.drupal.org/sa-contrib-2022-050
Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049
Project: Context
Security risk: Moderately critical
Description: This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
https://www.drupal.org/sa-contrib-2022-049
Security updates: attackers could attack Veritas NetBackup in many ways
The developers have closed critical vulnerabilities, among others, in current versions of Veritas' NetBackup backup solution.
https://heise.de/-7192562
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen).
https://lwn.net/Articles/902795/
Trend Micro products: vulnerability enables privilege escalation
A local attacker can exploit a vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security to escalate privileges.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0850
Atlassian Jira Software: vulnerability enables information disclosure
A remote, authenticated attacker can exploit a vulnerability in Atlassian Jira Software to disclose information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0849
McAfee Agent: vulnerability enables privilege escalation
A local attacker can exploit a vulnerability in McAfee Agent to escalate privileges and execute arbitrary code with administrator rights.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0848
Jenkins: multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in Jenkins to carry out cross-site scripting or CSRF attacks, bypass security measures, disclose information or manipulate data.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0852
Security Bulletin: OpenSSL for IBM i is vulnerable to arbitrary command execution (CVE-2022-2068)
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vulnerable-to-arbitrary-command-execution-cve-2022-2068/
Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-advisor-is-vulnerable-to-multiple-vulnerabilities-4/
Security Bulletin: Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29526)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-golang-go-affects-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-red-hat-openshift-cve-2022-29526/
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-identity-spoofing-cve-2022-22476-3/