End-of-Day report
Timeframe: Tuesday 02-08-2022 18:00 - Wednesday 03-08-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Wolf in sheep's clothing: how malware tricks users and antivirus
One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.
https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/
Open Source: Well-disguised malware campaign in thousands of GitHub repos
A security researcher has discovered a large-scale malware campaign that tries to smuggle itself in via simple pull requests.
https://www.golem.de/news/open-source-gut-getarnte-malware-kampagne-in-tausenden-github-repos-2208-167352.html
Creating Processes Using System Calls
When we think about EDR or AV evasion, one of the most widespread methods adopted by offensive teams is the use of system calls (syscalls) to carry out specific actions.
https://www.coresecurity.com/core-labs/articles/creating-processes-using-system-calls
EMBA v1.1.0: The security analyzer for embedded device firmware
EMBA is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the firmware extraction process, doing static analysis and dynamic analysis via emulation and finally generating a report.
https://github.com/e-m-b-a/emba/releases
PART 3: How I Met Your Beacon - Brute Ratel
In part three of this series, we will analyse Brute Ratel, a command and control framework developed by Dark Vortex.
https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/
Ransomware in the Python package manager PyPI: the return of the script kiddies
A number of packages relied on typosquatting and distributed code that encrypts files on Windows. The motives are unclear.
https://heise.de/-7200335
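The typosquatting described above works because a package name one keystroke away from a popular one is easy to mistype and easy to miss in a requirements file. As an added example (not part of the report or of the heise article), the following check flags names within one edit of a small constructed list of popular packages; the list, the normalization rules and the distance threshold are assumptions for illustration, not PyPI policy.

```python
"""Added example: flag package names that are one edit away from a popular name.
Not from the original report; the popular-package list is a constructed sample."""

# Constructed sample of well-known names; a real check would use the top
# downloaded packages from PyPI (assumption for illustration).
POPULAR = ["requests", "numpy", "pandas", "colorama", "urllib3"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503-style normalization: case-insensitive, '_' and '.' treated as '-'."""
    return name.lower().replace("_", "-").replace(".", "-")


def typosquat_candidates(name: str, popular=POPULAR, max_distance: int = 1) -> list:
    """Return popular names that `name` could be a typosquat of.
    The exact popular name itself is never reported as a candidate."""
    n = normalize(name)
    return [p for p in popular
            if normalize(p) != n and edit_distance(n, normalize(p)) <= max_distance]


if __name__ == "__main__":
    for candidate in ["requesrs", "colourama", "Requests", "numpy"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

Run the check against the names in a lockfile or requirements file before installing; a non-empty result is a reason to look at the package page, not proof of malice.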
Beware of fake emails from bank99
Criminals are posing as bank99 and want you to download the "Okay99 App". Do not click "Aktivierung starten" (start activation), otherwise your data ends up in the hands of the criminals.
https://www.watchlist-internet.at/news/vorsicht-vor-fake-mails-der-bank99/
Detection Rules for Lightning Framework (and How to Make Them With Osquery)
On 21 July, 2022, we released a blog post about a new malware called Lightning Framework. Lightning is a modular malware framework targeting Linux. At the time of the publication, the Core module had one suspicious detection and the Downloader module was not detected by any scanning engines on VirusTotal.
https://www.intezer.com/blog/threat-hunting/lightning-framework-linux-detection-rules-osquery/
Vulnerabilities
Fortinet Security Advisories 2022-08-02
Fortinet published 3 security advisories (1 high, 2 medium severity).
https://fortiguard.fortinet.com/psirt?date=08-2022
Security updates for Wednesday
Security updates have been issued by CentOS (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, postgresql, python, python-twisted-web, python-virtualenv, squid, thunderbird, and xz), Fedora (ceph, firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and kubernetes), Oracle (firefox, go-toolset and golang, libvirt libvirt-python, openssl, pcre2, qemu, and thunderbird), SUSE (connman, drbd, kernel, python-jupyterlab, samba, and seamonkey), [...]
https://lwn.net/Articles/903676/
Android Patch Day August 2022
A remote, anonymous attacker can exploit multiple vulnerabilities in Google Android to escalate privileges, disclose confidential information, cause a denial-of-service condition, and execute arbitrary code.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0887
Chrome 104.0.5112.x fixes vulnerabilities
On 2 August 2022 Google released the Google Chrome update 104.0.5112.79 for Linux and macOS, and 104.0.5112.79/80/81 for Windows, in the desktop Stable Channel. The security update closes numerous vulnerabilities.
https://www.borncity.com/blog/2022/08/03/chrome-104-0-5112-x-fixt-schwachstellen/
Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities - IBM JDK 8.0.7.6
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-using-a-component-with-multiple-known-vulnerabilities-ibm-jdk-8-0-7-6/
K14649763: Overview of F5 vulnerabilities (August 2022)
https://support.f5.com/csp/article/K14649763
High Severity Vulnerability Patched in Download Manager Plugin
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin/
Synology-SA-22:14 USB Copy
https://www.synology.com/en-global/support/security/Synology_SA_22_14
Synology-SA-22:13 SSO Server
https://www.synology.com/en-global/support/security/Synology_SA_22_13
Synology-SA-22:12 Synology Note Station Client
https://www.synology.com/en-global/support/security/Synology_SA_22_12
Synology-SA-22:11 Storage Analyzer
https://www.synology.com/en-global/support/security/Synology_SA_22_11
Ipswitch WS_FTP Server: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0895
Nvidia GPU driver and NVIDIA vGPU software: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0894
Rsync: Vulnerability allows manipulation of files
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0891
2022-13 Denial of Service Vulnerability in EagleSDV
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14662&mediaformatid=50063&destinationid=10016