Tageszusammenfassung - 29.07.2022

End-of-Day report

Timeframe: Donnerstag 28-07-2022 18:00 - Freitag 29-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter


Web-Portale: Seit sechs Jahren kostenlose Hilfe für Ransomware-Opfer

Mit etwas Glück findet man auf den Websites von ID Ransomware und No More Ransom Infos zu kostenlosen Entschlüsselungstools für einige Erpressungstrojaner.


Jetzt patchen! Attacken auf Atlassian Confluence

Nachdem ein Standard-Passwort auf Social-Media-Plattformen aufgetaucht ist, nehmen Angreifer Confluence ins Visier. Aber nicht alle Instanzen sind verwundbar.


LockBit operator abuses Windows Defender to load Cobalt Strike

Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems.


Month of PowerShell - Renaming Groups of Files

In this article we look at how to automate a massive file-rename task using PowerShell.


Researchers Warns of Increase in Phishing Attacks Using Decentralized IPFS Network

The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months.


ENISA: Telecom Security Incidents 2021

This report provides anonymised and aggregated information about major telecom security incidents in 2021. The 2021 annual summary contains reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.


UEFI rootkits and UEFI secure boot

Kaspersky describes a UEFI-implant used to attack Windows systems. Based on it appearing to require patching of the system firmware image, they hypothesise that its propagated by manually dumping the contents of the system flash, modifying it, and then reflashing it back to the board. [..] But lets think about why this is in the firmware at all.


Microsoft has blocked hackers favourite trick. So now they are looking for a new route of attack

Microsofts default block on Office macro malware is working, which means hackers need to find a new way to carry out their attacks.


Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products

Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a -%- there are always two bytes. So, what would happen if after -%-, only one character existed?



ZDI-22-1031: OPC Labs QuickOPC Connectivity Explorer Deserialization of Untrusted Data Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.


ABB Cyber Security Advisory: ABB Ability TM Operations Data Management Zenon Log Server file access control

These vulnerabilities affect the ABB Ability- Operations Data Management Zenon. Subsequently, a successful exploit could allow attackers to log additional messages and access files from the Zenon system. While the passwords in the INI files are not stored in clear text, they can be subjected to further attacks against the hash algorithm.


Security updates for Friday

Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0).


WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead to arbitrary code execution.


Synology-SA-22:10 Samba

CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraint and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synologys products are affected by CVE-2022-32745 as [...]


JetBrains IntelliJ IDEA: Mehrere Schwachstellen ermöglichen Codeausführung

Ein lokaler Angreifer kann mehrere Schwachstellen in JetBrains IntelliJ IDEA ausnutzen, um beliebigen Programmcode auszuführen oder Sicherheitsvorkehrungen zu umgehen.


Foxit Reader und Foxit PDF Editor: Mehrere Schwachstellen

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Foxit Reader und Foxit PDF Editor ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen


GitLab: Mehrere Schwachstellen

Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um Sicherheitsmaßnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuführen und vertrauliche Informationen offenzulegen.


Rockwell Products Impacted by Chromium Type Confusion


Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906)


Security Bulletin: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643)


Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server


Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in IBM Engineering Systems Design Rhapsody (Rhapsody)


Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to bypass security restrictions and obtain sensitive information due to multiple vulnerabilities.


Security Bulletin: AIX is affected by multiple vulnerabilities in Python


Security Bulletin: Denial of service vulnerability in OpenSSL as shipped with IBM Security Verify Bridge Docker image (CVE-2022-0778)


Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Engineering Lifecycle Optimization - Publishing


Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND (CVE-2021-25220)


Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2®


Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2018-25031, CVE-2021-46708)