Daily summary - 01.08.2022

End-of-Day report

Timeframe: Friday 29-07-2022 18:00 - Monday 01-08-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer

News

Security flaws acting as door openers discovered and fixed in Nuki Smart Lock

Attackers could exploit numerous vulnerabilities in various Nuki Smart Lock smart door locks. The Nuki Bridge WLAN bridge is also affected.

https://heise.de/-7194709


Adware apps from Google Play disguise themselves as shapeshifters on Android devices

Facebook advertising for fake Android system-optimisation apps leads to around 7 million installations. Victims are bombarded with advertisements.

https://heise.de/-7194655


Post-quantum cryptography: encryption with isogenies is insecure

An attack on the SIDH key exchange shows once again how risky experimental cryptographic algorithms can be.

https://www.golem.de/news/post-quanten-kryptographie-verschluesselung-mit-isogenien-ist-unsicher-2207-167267.html


BlackCat ransomware claims attack on European gas pipeline

The ransomware group known as ALPHV (aka BlackCat) has over the weekend claimed responsibility for the cyberattack that hit Creos Luxembourg last week, a natural gas pipeline and electricity network operator in the central European country.

https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-european-gas-pipeline/


A Detailed Analysis of the RedLine Stealer

RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc.

https://securityscorecard.com/research/detailed-analysis-redline-stealer


Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys

Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. The takeover is made possible by a leak of legitimate Consumer Key and Consumer Secret information, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.

https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.html


A Little DDoS In the Morning, (Mon, Aug 1st)

Friday morning (at least it wasn't Friday afternoon), we got an alert that our database and web servers exceeded the expected load. Sometimes, this "happens." Often it is just some user innocently flooding our API with requests. We do use quite a bit of caching and such for requests, but it can happen that things pile up at the wrong time. So I took a look at the logs. In these cases, I first look at the top IPs sending requests to our API.

https://isc.sans.edu/diary/rss/28900


Month of PowerShell - PowerShell Remoting, Part 2

In this article we finish up our look at PowerShell remoting by examining several options to run PowerShell commands on multiple remote systems.

https://www.sans.org/blog/powershell-remoting-part-2/


Month of PowerShell - Offensive PowerShell with Metasploit Meterpreter

In this article we look at how Metasploit Meterpreter can integrate PowerShell for extensible attacks in a red team or pen test engagement.

https://www.sans.org/blog/offensive-powershell-metasploit-meterpreter/


Month of PowerShell - Keyboard Shortcuts Like a Boss

In this article we look at several keyboard shortcuts to speed up your PowerShell sessions.

https://www.sans.org/blog/keyboard-shortcuts-boss/

Vulnerabilities

WordPress Vulnerabilities & Patch Roundup - July 2022

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

https://blog.sucuri.net/2022/07/wordpress-vulnerabilities-patch-roundup-july-2022.html


Arris / Arris-variant DSL/Fiber router critical vulnerability exposure

Multiple vulnerabilities exist in the MIT-licensed muhttpd web server. This web server is widely used in ISP customer premise equipment (CPE), most notably in Arris firmware used in router models (at least, possibly other) NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320 (Arris has declined to confirm affected models).

https://derekabdine.com/blog/2022-arris-advisory


IBM Security Bulletins 2022-07-29

IBM CICS TX Advanced, IBM CICS TX Standard, IBM PowerVM Novalink, IBM Sterling Secure Proxy, IBM DataPower Gateway, Rational Performance Tester, Rational Service Tester, Urbancode Deploy, IBM Robotic Process Automation, Cloud Pak System, IBM PowerVM Novalink, IBM Secure External Authentication Server.

https://www.ibm.com/blogs/psirt/


Security updates: malicious-code attacks on Thunderbird conceivable

Mozilla's developers have closed several security holes in the Thunderbird e-mail client.

https://heise.de/-7194671


Security updates for Monday

Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, [...]

https://lwn.net/Articles/903455/


HPE ProLiant and HP Integrated Lights-Out: Multiple vulnerabilities

A local attacker or an attacker from the adjacent network can exploit multiple vulnerabilities in HPE ProLiant and HPE Integrated Lights-Out to execute arbitrary code, manipulate data, disclose confidential information and cause a denial-of-service condition.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0870


D-LINK Router: Multiple vulnerabilities allow execution of arbitrary code with administrator privileges

A remote, authenticated attacker can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code with administrator privileges.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0867


HCL Commerce: Vulnerability allows disclosure of information

A local attacker can exploit a vulnerability in HCL Commerce to disclose information.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0866


Multiple Vulnerabilities in BF-OS

BOSCH-SA-013924-BT: Multiple vulnerabilities were identified in BF-OS version 3.x up to and including 3.83 used by Bigfish V3 and PR21 (Energy Platform) devices and Bigfish VM image, which are part of the data collection infrastructure of the Energy Platform solution. The most critical vulnerability may allow an unauthenticated remote attacker to gain administrative privileges to the device by brute-forcing a weak password.

https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html


K21192332: Apache HTTP Server vulnerability CVE-2022-31813

https://support.f5.com/csp/article/K21192332