Tageszusammenfassung - 11.08.2022

End-of-Day report

Timeframe: Mittwoch 10-08-2022 18:00 - Donnerstag 11-08-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer

News

OpenTIP, command line edition

We released Python-based command line tools for our OpenTIP service that also implement a client class that you can reuse in your own tools.

https://securelist.com/opentip-command-line-edition/107109/


InfoStealer Script Based on Curl and NSudo, (Thu, Aug 11th)

If sudo is a well known tool used daily by most UNIX system administrators, NSudo remains less below the radar. This is a tool running on Microsoft Windows which allows you to execute processes with different access tokens and privileges like System, TrustedInstaller and CurrentUser.

https://isc.sans.edu/diary/rss/28932


capa v4: casting a wider .NET

We are excited to announce version 4.0 of capa with support for analyzing .NET executables. This open-source tool automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering.

https://www.mandiant.com/resources/capa-v4-casting-wider-net


Detecting DNS implants: Old kitten, new tricks - A Saitama Case Study

A recently uncovered malware sample dubbed -Saitama- was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection.

https://research.nccgroup.com/2022/08/11/detecting-dns-implants-old-kitten-new-tricks-a-saitama-case-study/


Palo Alto Networks Firewalls Targeted for Reflected, Amplified DDoS Attacks

Palo Alto Networks is working on fixes for a reflected amplification denial-of-service (DoS) vulnerability that impacts PAN-OS, the platform powering its next-gen firewalls.

https://www.securityweek.com/palo-alto-networks-firewalls-targeted-reflected-amplified-ddos-attack


Years after claiming DogWalk wasn-t a vulnerability, Microsoft confirms flaw is being exploited and issues patch

This week Microsoft finally released a patch for a zero-day security flaw being exploited by hackers, that the company had claimed since 2019 was not actually a vulnerability.

https://www.bitdefender.com/blog/hotforsecurity/years-after-claiming-dogwalk-wasnt-a-vulnerability-microsoft-confirms-flaw-is-being-exploited-and-issues-patch/


BlueSky Ransomware: Fast Encryption via Multithreading

BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.

https://unit42.paloaltonetworks.com/bluesky-ransomware/


AA22-223A: #StopRansomware: Zeppelin Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022.

https://us-cert.cisa.gov/ncas/alerts/aa22-223a


Cisco Talos shares insights related to recent cyber attack on Cisco

On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.

http://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

Vulnerabilities

Critical Flaws Disclosed in Device42 IT Asset Management Software

Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems.

https://thehackernews.com/2022/08/critical-flaws-disclosed-in-device42-it.html


[R1] Nessus Version 8.15.6 Fixes Multiple Vulnerabilities

Two separate vulnerabilities that utilize the Audit functionality in Nessus were discovered, reported and fixed.

https://www.tenable.com/security/tns-2022-16


Cisco: Angreifer könnten an private RSA-Schlüssel in ASA und Firepower gelangen

Der Netzwerkausrüster Cisco schließt mit aktualisierter Software eine Sicherheitslücke in ASA und Firepower. Angreifer könnten private RSA-Keys auslesen.

https://heise.de/-7216863


Kritische Sicherheitslücke in Zoho ManageEngine OpManager

Zoho hat Updates veröffentlicht, die eine kritische und weitere Sicherheitslücken in ManageEngine OpManager schließen. Angreifer könnten unbefugt zugreifen.

https://heise.de/-7217521


Security updates for Thursday

Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment).

https://lwn.net/Articles/904457/


Organizations Warned of Critical Vulnerabilities in NetModule Routers

Flashpoint is warning organizations of two newly identified critical vulnerabilities in NetModule Router Software (NRSW) that could be exploited in attacks.

https://www.securityweek.com/organizations-warned-critical-vulnerabilities-netmodule-routers


BOSCH-SA-463993: SafeLogic Designer vulnerabilities

https://psirt.bosch.com/security-advisories/bosch-sa-463993.html


Drupal: jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

https://www.drupal.org/sa-contrib-2022-052


Security Bulletin: Vulnerability in the Node.js got module affects IBM Event Streams (CVE-2022-33987)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-node-js-got-module-affects-ibm-event-streams-cve-2022-33987/


Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to CVE-2022-31129

https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-cloud-pak-for-integration-is-vulnerable-to-denial-of-service-due-to-cve-2022-31129/


Security Bulletin: Multiple security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-has-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/


Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-multiple-vulnerabilities/


Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote access due to Go CVE-2022-29526

https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-remote-access-due-to-go-cve-2022-29526/


Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to information disclosure CVE-2022-30629

https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-information-disclosure-cve-2022-30629/