End-of-Day report
Timeframe: Friday 29-07-2022 18:00 - Monday 01-08-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
Vulnerabilities discovered and closed in Nuki Smart Lock: a door opener for attackers
Attackers could exploit numerous vulnerabilities in various Nuki Smart Lock smart door locks. The Nuki Bridge WLAN bridge is also affected.
https://heise.de/-7194709
Adware apps from Google Play disguise themselves as shapeshifters on Android devices
Facebook advertising for fake Android system-optimisation apps led to around 7 million installations. Victims are pestered with advertisements.
https://heise.de/-7194655
Post-quantum cryptography: encryption with isogenies is insecure
An attack on the SIDH key exchange shows once again how risky experimental cryptographic algorithms can be.
https://www.golem.de/news/post-quanten-kryptographie-verschluesselung-mit-isogenien-ist-unsicher-2207-167267.html
BlackCat ransomware claims attack on European gas pipeline
The ransomware group known as ALPHV (aka BlackCat) claimed responsibility over the weekend for last week's cyberattack on Creos Luxembourg, a natural gas pipeline and electricity network operator in the central European country.
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-european-gas-pipeline/
A Detailed Analysis of the RedLine Stealer
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc.
https://securityscorecard.com/research/detailed-analysis-redline-stealer
Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys
Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. The takeover is made possible by a leak of legitimate Consumer Key and Consumer Secret information, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.
https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.html
A Little DDoS In the Morning, (Mon, Aug 1st)
Friday morning (at least it wasn't Friday afternoon), we got an alert that our database and web servers exceeded the expected load. Sometimes, this "happens." Often it is just some user innocently flooding our API with requests. We do use quite a bit of caching and such for requests, but it can happen that things pile up at the wrong time. So I took a look at the logs. In these cases, I first look at the top IPs sending requests to our API.
https://isc.sans.edu/diary/rss/28900
Month of PowerShell - PowerShell Remoting, Part 2
In this article we finish up our look at PowerShell remoting by examining several options to run PowerShell commands on multiple remote systems.
https://www.sans.org/blog/powershell-remoting-part-2/
Month of PowerShell - Offensive PowerShell with Metasploit Meterpreter
In this article we look at how Metasploit Meterpreter can integrate PowerShell for extensible attacks in a red team or pen test engagement.
https://www.sans.org/blog/offensive-powershell-metasploit-meterpreter/
Month of PowerShell - Keyboard Shortcuts Like a Boss
In this article we look at several keyboard shortcuts to speed up your PowerShell sessions.
https://www.sans.org/blog/keyboard-shortcuts-boss/
Vulnerabilities
WordPress Vulnerabilities & Patch Roundup - July 2022
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
https://blog.sucuri.net/2022/07/wordpress-vulnerabilities-patch-roundup-july-2022.html
Arris / Arris-variant DSL/Fiber router critical vulnerability exposure
Multiple vulnerabilities exist in the MIT-licensed muhttpd web server. This web server is widely used in ISP customer premise equipment (CPE), most notably in Arris firmware used in the router models NVG443, NVG599, NVG589 and NVG510 (at least; possibly others), as well as in ISP-customized variants such as BGW210 and BGW320 (Arris has declined to confirm affected models).
https://derekabdine.com/blog/2022-arris-advisory
IBM Security Bulletins 2022-07-29
IBM CICS TX Advanced, IBM CICS TX Standard, IBM PowerVM Novalink, IBM Sterling Secure Proxy, IBM DataPower Gateway, Rational Performance Tester, Rational Service Tester, Urbancode Deploy, IBM Robotic Process Automation, Cloud Pak System, IBM PowerVM Novalink, IBM Secure External Authentication Server.
https://www.ibm.com/blogs/psirt/
Security updates: malicious-code attacks on Thunderbird conceivable
Mozilla's developers have closed several security vulnerabilities in the Thunderbird e-mail client.
https://heise.de/-7194671
Security updates for Monday
Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, [...]
https://lwn.net/Articles/903455/
HPE ProLiant and HP Integrated Lights-Out: Multiple vulnerabilities
A local attacker or an attacker in the adjacent network can exploit multiple vulnerabilities in HPE ProLiant and HPE Integrated Lights-Out to execute arbitrary code, manipulate data, disclose confidential information and cause a denial-of-service condition.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0870
D-LINK Router: Multiple vulnerabilities allow execution of arbitrary code with administrator privileges
A remote, authenticated attacker can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code with administrator privileges.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0867
HCL Commerce: Vulnerability allows disclosure of information
A local attacker can exploit a vulnerability in HCL Commerce to disclose information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0866
Multiple Vulnerabilities in BF-OS
BOSCH-SA-013924-BT: Multiple vulnerabilities were identified in BF-OS version 3.x up to and including 3.83 used by Bigfish V3 and PR21 (Energy Platform) devices and Bigfish VM image, which are part of the data collection infrastructure of the Energy Platform solution. The most critical vulnerability may allow an unauthenticated remote attacker to gain administrative privileges to the device by brute-forcing a weak password.
https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html
K21192332: Apache HTTP Server vulnerability CVE-2022-31813
https://support.f5.com/csp/article/K21192332