End-of-Day report
Timeframe: Thursday 28-07-2022 18:00 - Friday 29-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Web portals: six years of free help for ransomware victims
With a bit of luck, the websites of ID Ransomware and No More Ransom have information on free decryption tools for some ransomware families.
https://heise.de/-7193953
Patch now! Attacks on Atlassian Confluence
After a default password surfaced on social media platforms, attackers are targeting Confluence. Not all instances are vulnerable, however.
https://heise.de/-7193458
LockBit operator abuses Windows Defender to load Cobalt Strike
Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems.
https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-windows-defender-to-load-cobalt-strike/
Month of PowerShell - Renaming Groups of Files
In this article we look at how to automate a massive file-rename task using PowerShell.
https://www.sans.org/blog/renaming-groups-files?msc=rss
Researchers Warn of Increase in Phishing Attacks Using Decentralized IPFS Network
The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months.
https://thehackernews.com/2022/07/researchers-warns-of-increase-in.html
ENISA: Telecom Security Incidents 2021
This report provides anonymised and aggregated information about major telecom security incidents in 2021. The 2021 annual summary contains reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.
https://www.enisa.europa.eu/publications/telecom-security-incidents-2021
UEFI rootkits and UEFI secure boot
Kaspersky describes a UEFI implant used to attack Windows systems. Based on it appearing to require patching of the system firmware image, they hypothesise that it's propagated by manually dumping the contents of the system flash, modifying it, and then reflashing it back to the board. [..] But let's think about why this is in the firmware at all.
https://mjg59.dreamwidth.org/60654.html
Microsoft has blocked hackers' favourite trick. So now they are looking for a new route of attack
Microsoft's default block on Office macro malware is working, which means hackers need to find a new way to carry out their attacks.
https://www.zdnet.com/article/microsoft-has-blocked-hackers-favourite-trick-so-now-they-are-looking-for-a-new-route-of-attack/
Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products
Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL-encoded bytes to their original form. But something specifically caught my attention: There was no size check for the performed operations, and the function assumes that after a "%" there are always two bytes. So, what would happen if after "%" only one character existed?
https://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html
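The defect described in the Talos excerpt is an unescape routine that reads two bytes after every "%" without checking that they exist. The following is an added example (not code from the Talos post or from the router firmware) of a bounds-checked unescape in C: a "%" followed by fewer than two characters, or by non-hex characters, is copied through literally rather than read past the end of the input, and the output buffer size is checked on every write. Function and variable names are my own.

```c
#include <stddef.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not a hex digit. */
static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Bounds-checked URL unescape (hypothetical name).
 * Decodes only a complete, valid "%XX" sequence. A trailing "%" or "%X",
 * or a "%" followed by non-hex characters, is emitted unchanged instead of
 * being decoded from bytes beyond in_len. Output is always NUL-terminated.
 * Returns the number of bytes written (excluding the NUL), or -1 if
 * out_size is too small to hold the result plus the NUL. */
long url_unescape(const char *in, size_t in_len, char *out, size_t out_size) {
    size_t i = 0, o = 0;
    if (out_size == 0) return -1;
    while (i < in_len) {
        /* Reserve one byte for the terminating NUL on every write. */
        if (o + 1 >= out_size) return -1;
        /* The check the vulnerable code lacked: two more bytes must exist
         * inside the input (i + 2 < in_len) before they are touched. */
        if (in[i] == '%' && i + 2 < in_len &&
            hex_val(in[i + 1]) >= 0 && hex_val(in[i + 2]) >= 0) {
            out[o++] = (char)(hex_val(in[i + 1]) * 16 + hex_val(in[i + 2]));
            i += 3;
        } else {
            out[o++] = in[i++];   /* literal byte, including a lone '%' */
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Demonstrates the truncated-escape case from the article: "abc%4". */
int main(void) {
    char buf[16];
    long n = url_unescape("abc%4", 5, buf, sizeof buf);
    return (n == 5 && strcmp(buf, "abc%4") == 0) ? 0 : 1;
}
```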
Vulnerabilities
ZDI-22-1031: OPC Labs QuickOPC Connectivity Explorer Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
https://www.zerodayinitiative.com/advisories/ZDI-22-1031/
ABB Cyber Security Advisory: ABB Ability™ Operations Data Management Zenon Log Server file access control
These vulnerabilities affect ABB Ability™ Operations Data Management Zenon. A successful exploit could allow attackers to log additional messages and access files from the Zenon system. While the passwords in the INI files are not stored in clear text, they can be subjected to further attacks against the hash algorithm.
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001479&LanguageCode=en&DocumentPartId=&Action=Launch
Security updates for Friday
Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-8.0).
https://lwn.net/Articles/902913/
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
https://webkitgtk.org/security/WSA-2022-0007.html
Synology-SA-22:10 Samba
CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraints and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synology's products are affected by CVE-2022-32745 as [...]
https://www.synology.com/en-global/support/security/Synology_SA_22_10
JetBrains IntelliJ IDEA: multiple vulnerabilities allow code execution
A local attacker can exploit multiple vulnerabilities in JetBrains IntelliJ IDEA to execute arbitrary code or bypass security measures.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0860
Foxit Reader and Foxit PDF Editor: multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in Foxit Reader and Foxit PDF Editor to execute arbitrary code, disclose confidential information and cause a denial-of-service condition.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0862
GitLab: multiple vulnerabilities
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in GitLab to bypass security measures, conduct a cross-site scripting attack and disclose confidential information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0861
Rockwell Products Impacted by Chromium Type Confusion
https://us-cert.cisa.gov/ics/advisories/icsa-22-209-01
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module (CVE-2021-44906)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-and-ibm-integration-bus-are-vulnerable-to-arbitrary-code-execution-due-to-node-js-minimist-module-cve-2021-44906-2/
Security Bulletin: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-vios-could-allow-a-remote-attacker-to-tamper-with-system-configuration-or-cause-a-denial-of-service-cve-2022-35643/
Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-included-websphere-application-server-and-ibm-http-server-used-by-websphere-application-server-2/
Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in IBM Engineering Systems Design Rhapsody (Rhapsody)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-cve-2021-44228-vulnerability-in-ibm-engineering-systems-design-rhapsody-rhapsody-2/
Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to bypass security restrictions and obtain sensitive information due to multiple vulnerabilities.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-by-apache-for-ibm-i-is-vulnerable-to-bypass-security-restrictions-and-obtain-sensitive-information-due-to-multiple-vulnerabilities/
Security Bulletin: AIX is affected by multiple vulnerabilities in Python
https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-affected-by-multiple-vulnerabilities-in-python/
Security Bulletin: Denial of service vulnerability in OpenSSL as shipped with IBM Security Verify Bridge Docker image (CVE-2022-0778)
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerability-in-openssl-as-shipped-with-ibm-security-verify-bridge-docker-image-cve-2022-0778/
Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Engineering Lifecycle Optimization - Publishing
https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerability-in-apache-log4j-affects-ibm-engineering-lifecycle-optimization-publishing-2/
Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND (CVE-2021-25220)
https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-cache-poisoning-due-to-isc-bind-cve-2021-25220/
Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2®
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-released-a-fix-in-response-to-multiple-vulnerabilities-found-in-ibm-db2-3/
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2018-25031, CVE-2021-46708)
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-tivoli-netcool-impact-cve-2018-25031-cve-2021-46708/