End-of-Day report
Timeframe: Mittwoch 10-08-2022 18:00 - Donnerstag 11-08-2022 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
News
OpenTIP, command line edition
We released Python-based command line tools for our OpenTIP service that also implement a client class that you can reuse in your own tools.
https://securelist.com/opentip-command-line-edition/107109/
InfoStealer Script Based on Curl and NSudo, (Thu, Aug 11th)
If sudo is a well known tool used daily by most UNIX system administrators, NSudo remains less below the radar. This is a tool running on Microsoft Windows which allows you to execute processes with different access tokens and privileges like System, TrustedInstaller and CurrentUser.
https://isc.sans.edu/diary/rss/28932
capa v4: casting a wider .NET
We are excited to announce version 4.0 of capa with support for analyzing .NET executables. This open-source tool automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering.
https://www.mandiant.com/resources/capa-v4-casting-wider-net
Detecting DNS implants: Old kitten, new tricks - A Saitama Case Study
A recently uncovered malware sample dubbed -Saitama- was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection.
https://research.nccgroup.com/2022/08/11/detecting-dns-implants-old-kitten-new-tricks-a-saitama-case-study/
Palo Alto Networks Firewalls Targeted for Reflected, Amplified DDoS Attacks
Palo Alto Networks is working on fixes for a reflected amplification denial-of-service (DoS) vulnerability that impacts PAN-OS, the platform powering its next-gen firewalls.
https://www.securityweek.com/palo-alto-networks-firewalls-targeted-reflected-amplified-ddos-attack
Years after claiming DogWalk wasn-t a vulnerability, Microsoft confirms flaw is being exploited and issues patch
This week Microsoft finally released a patch for a zero-day security flaw being exploited by hackers, that the company had claimed since 2019 was not actually a vulnerability.
https://www.bitdefender.com/blog/hotforsecurity/years-after-claiming-dogwalk-wasnt-a-vulnerability-microsoft-confirms-flaw-is-being-exploited-and-issues-patch/
BlueSky Ransomware: Fast Encryption via Multithreading
BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses.
https://unit42.paloaltonetworks.com/bluesky-ransomware/
AA22-223A: #StopRansomware: Zeppelin Ransomware
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022.
https://us-cert.cisa.gov/ncas/alerts/aa22-223a
Cisco Talos shares insights related to recent cyber attack on Cisco
On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
http://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
Vulnerabilities
Critical Flaws Disclosed in Device42 IT Asset Management Software
Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems.
https://thehackernews.com/2022/08/critical-flaws-disclosed-in-device42-it.html
[R1] Nessus Version 8.15.6 Fixes Multiple Vulnerabilities
Two separate vulnerabilities that utilize the Audit functionality in Nessus were discovered, reported and fixed.
https://www.tenable.com/security/tns-2022-16
Cisco: Angreifer könnten an private RSA-Schlüssel in ASA und Firepower gelangen
Der Netzwerkausrüster Cisco schließt mit aktualisierter Software eine Sicherheitslücke in ASA und Firepower. Angreifer könnten private RSA-Keys auslesen.
https://heise.de/-7216863
Kritische Sicherheitslücke in Zoho ManageEngine OpManager
Zoho hat Updates veröffentlicht, die eine kritische und weitere Sicherheitslücken in ManageEngine OpManager schließen. Angreifer könnten unbefugt zugreifen.
https://heise.de/-7217521
Security updates for Thursday
Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment).
https://lwn.net/Articles/904457/
Organizations Warned of Critical Vulnerabilities in NetModule Routers
Flashpoint is warning organizations of two newly identified critical vulnerabilities in NetModule Router Software (NRSW) that could be exploited in attacks.
https://www.securityweek.com/organizations-warned-critical-vulnerabilities-netmodule-routers
BOSCH-SA-463993: SafeLogic Designer vulnerabilities
https://psirt.bosch.com/security-advisories/bosch-sa-463993.html
Drupal: jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052
https://www.drupal.org/sa-contrib-2022-052
Security Bulletin: Vulnerability in the Node.js got module affects IBM Event Streams (CVE-2022-33987)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-node-js-got-module-affects-ibm-event-streams-cve-2022-33987/
Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to CVE-2022-31129
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-cloud-pak-for-integration-is-vulnerable-to-denial-of-service-due-to-cve-2022-31129/
Security Bulletin: Multiple security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-has-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics/
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-multiple-vulnerabilities/
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote access due to Go CVE-2022-29526
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-remote-access-due-to-go-cve-2022-29526/
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to information disclosure CVE-2022-30629
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-information-disclosure-cve-2022-30629/