End-of-Day report
Timeframe: Wednesday 03-08-2022 18:00 - Thursday 04-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
TLP 2.0 is here
Earlier this week, the global Forum of Incident Response and Security Teams - or FIRST, as it is commonly known - published a new version of its Traffic Light Protocol standard. The Traffic Light Protocol (TLP) is commonly used in the incident response community, as well as in the wider security space, to quickly and in a standardized way indicate any limitations on further sharing of any transferred information.
https://isc.sans.edu/diary/rss/28914
PersistenceSniper
PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines.
https://github.com/last-byte/PersistenceSniper
Woody RAT: A new feature-rich malware spotted in the wild
The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.
https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/
Triangle fraud in the sale of gaming accounts via classified ads
Be careful when buying and selling gaming accounts. Apart from the fact that buying and selling is often prohibited by the game developers, triangle fraud occurs again and again. Sellers lose their gaming account and receive no money, or buyers receive no account and charge the payment back.
https://www.watchlist-internet.at/news/dreiecksbetrug-beim-verkauf-von-gaming-accounts-ueber-kleinanzeigen/
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
This blog presents a case study from recent Bumblebee malware activity distributed through Projector Libra that led to Cobalt Strike. Information presented here should provide a clearer picture of the group's tactics and help security professionals better defend their organizations against this threat.
https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns
In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.
http://blog.talosintelligence.com/2022/08/dark-utilities.html
Vulnerabilities
Cisco fixes critical remote code execution bug in VPN routers
Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.
https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-code-execution-bug-in-vpn-routers/
Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks
A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it's exploited, researchers warn that it could allow complete device takeover, along with access to the broader network.
https://www.darkreading.com/endpoint/critical-rce-bug-draytek-routers-smbs-zero-click-attacks
IBM Security Bulletins 2022-08-03
IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Db2, IBM Sterling File Gateway, IBM Sterling B2B Integrator, IBM Data Risk Manager, IBM Tivoli Application Dependency Discovery Manager, IBM Java SDK Technology Edition.
https://www.ibm.com/blogs/psirt/
Security Advisory - The input verification vulnerability of a Huawei Device product is involved.
A Huawei device has an input verification vulnerability. Successful exploitation of this vulnerability may lead to DoS attacks. (Vulnerability ID: HWPSIRT-2022-49379) Affected Product: CV81-WDM FW
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220810-01-8cfecdcc-en
Security updates for Thursday
Security updates have been issued by Fedora (lua), Oracle (kernel), Red Hat (389-ds:1.4, django, firefox, go-toolset and golang, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, java-1.8.0-ibm, java-17-openjdk, kernel, kernel-rt, kpatch-patch, mariadb:10.5, openssl, pcre2, php, rh-mariadb105-galera and rh-mariadb105-mariadb, ruby:2.5, thunderbird, vim, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox and thunderbird), SUSE (drbd, java-17-openjdk, java-1_8_0-ibm, keylime, ldb, samba, mokutil, oracleasm, pcre2, permissions, postgresql-jdbc, python-numpy, samba, tiff, u-boot, and xscreensaver), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-470, nvidia-graphics-drivers-470-server, nvidia-graphics-drivers-510, nvidia-graphics-drivers-510-server, nvidia-graphics-drivers-515, nvidia-graphics-drivers-515-server).
https://lwn.net/Articles/903816/
genua genugate: Vulnerability allows unspecified attack
An attacker can exploit a vulnerability in genua genugate to carry out an attack that is not specified in more detail.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0906
D-LINK Router: Multiple vulnerabilities allow code execution
A remote, anonymous attacker can exploit multiple vulnerabilities in D-LINK Router to execute arbitrary code or cause a denial of service condition.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0907
PostgreSQL: Vulnerability allows SQL injection
A remote, authenticated attacker can exploit a vulnerability in PostgreSQL to carry out an SQL injection.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0910
Nextcloud Server and Nextcloud Mail: Multiple vulnerabilities
An attacker from the adjacent network, or a remote anonymous or authenticated attacker, can exploit multiple vulnerabilities in Nextcloud to disclose information, bypass security measures and cause a denial-of-service condition.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0912
Cisco Security Advisories 2022-08-03
Cisco published 5 security advisories (1 critical, 4 medium severity).
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F08%2F03&firstPublishedEndDate=2022%2F08%2F03
Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0901
Digi ConnectPort X2D
https://us-cert.cisa.gov/ics/advisories/icsa-22-216-01