End-of-Day report
Timeframe: Friday 12-08-2022 18:00 - Tuesday 16-08-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
News
SOVA malware adds ransomware feature to encrypt Android devices
The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices.
https://www.bleepingcomputer.com/news/security/sova-malware-adds-ransomware-feature-to-encrypt-android-devices/
John Deere: Hacker presents jailbreak for tractors
Phone manufacturers are not the only ones locking down their devices. The hacker Sick Codes shows how root access to the tractors' systems can be obtained.
https://www.golem.de/news/john-deere-ein-hacker-praesentiert-ein-jailbreak-fuer-traktoren-2208-167611.html
Threat in your browser: what dangers innocent-looking extensions hold for users
In this research, we observed various types of threats that mimic useful web browser extensions, and the number of users attacked by them.
https://securelist.com/threat-in-your-browser-extensions/107181/
Two more malicious Python packages in the PyPI
We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI.
https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/
Disrupting SEABORGIUM's ongoing phishing operations
The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM; these campaigns involve persistent phishing and credential theft leading to intrusions and data theft.
https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
Realtek SDK SIP ALG Vulnerability: A Big Deal, but not much you can do about it. CVE-2022-27255, (Sun, Aug 14th)
On Friday, Octavio Gianatiempo & Octavio Galland released details about a vulnerability in Realtek's eCos SDK.
https://isc.sans.edu/diary/rss/28940
Do not confuse "Finanzsanierung" (debt restructuring) offers with loans!
People searching for loans keep coming across advertisements for "Finanzsanierung" offers. Caution: these offers are not loans but a so-called debt regulation service. In Austria this service is available free of charge, which is why it is advisable to steer clear of paid offers!
https://www.watchlist-internet.at/news/finanzsanierungen-nicht-mit-krediten-verwechseln/
Typosquatting Campaign Targeting Python's Top Packages, Dropping GitHub Hosted Malware with DGA Capabilities
On Saturday, August 13th, Checkmarx's Software Supply Chain Security Typosquatting engine detected a large-scale attack on the Python ecosystem with multi-stage persistent malware.
https://checkmarx.com/blog/typosquatting-campaign-targeting-pythons-top-packages-dropping-github-hosted-malware-with-dga-capabilities/
What Exposed OPA Servers Can Tell You About Your Applications
This blog entry discusses what an OPA is and what it's for, what we've discovered after identifying 389 exposed OPA servers via Shodan, and how exposed OPAs can negatively impact your applications' overall security.
https://www.trendmicro.com/en_us/research/22/h/what-exposed-opa-servers-can-tell-you-about-your-applications-.html
Vulnerabilities
Evil PLC Attack: Using a Controller as Predator Rather than Prey
Team82 has developed a novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations and further invade OT and enterprise networks.
https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-predator-rather-than-prey
Process injection: breaking all macOS security layers with a single vulnerability
In this post, we will first describe what process injection is, then the details of this vulnerability and finally how we abused it.
https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/
Database Integrity Vulnerabilities in Boeing's Onboard Performance Tool
Security gaps in older, unprotected Windows desktop versions of Boeing's Onboard Performance Tool (OPT) could make certain Electronic Flight Bags (EFB) more susceptible to attack.
https://www.pentestpartners.com/security-blog/database-integrity-vulnerabilities-in-boeings-onboard-performance-tool/
IBM Security Bulletins 2022-08-15
IBM Sterling B2B Integrator, IBM SPSS Modeler, IBM Cloud Pak System, IBM Sterling File Gateway
https://www.ibm.com/blogs/psirt/
Zoom for macOS: Update function opens a security hole
The popular video conferencing app once again has a security problem on the Mac. Users should update urgently. The fix is not yet perfect.
https://heise.de/-7219942
DefCon 30: Insecurities in UEFI Secure Boot caused by Microsoft
Microsoft's excessive signing practice produces vulnerabilities in the Secure Boot environment. Security researchers criticized this at DefCon 30.
https://heise.de/-7221728
Remote management: Critical security vulnerabilities in HPE Integrated Lights-Out (iLO)
The HPE Integrated Lights-Out remote management interface allowed attackers to smuggle in malicious code. Updated software fixes the flaws.
https://heise.de/-7219923
Security updates for Monday
Security updates have been issued by Debian (trafficserver), Fedora (freeciv, gnutls, kernel, libldb, mingw-gdk-pixbuf, owncloud-client, rust-ffsend, samba, thunderbird, and zlib), Gentoo (apache, binutils, chromium, glibc, gstreamer, libarchive, libebml, nokogiri, puma, qemu, xen, and xterm), Mageia (golang, libtiff, poppler, python-django, and ruby-sinatra), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (chromium, cifs-utils, kernel, open-iscsi, and trousers), and Ubuntu (webkit2gtk).
https://lwn.net/Articles/904741/
Security updates for Tuesday
Security updates have been issued by CentOS (kernel), Debian (kernel), Fedora (webkit2gtk3), Oracle (.NET 6.0, .NET Core 3.1, kernel, and kernel-container), Slackware (rsync), and SUSE (canna, ceph, chromium, curl, kernel, opera, python-Twisted, and seamonkey).
https://lwn.net/Articles/904842/
Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution
Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device.
http://blog.talosintelligence.com/2022/08/vuln-spotlight-hdf5-library.html
TRUMPF: Products prone to Unified Automation vulnerabilities
https://cert.vde.com/de/advisories/VDE-2022-034/
Google Android: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1042
CoreDNS: Multiple vulnerabilities allow bypassing security measures
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1047
ESRI ArcGIS: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1046
npm: Vulnerability allows manipulation of files
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1049
vim: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1048
Yokogawa CENTUM Controller FCS
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-01
LS ELECTRIC PLC and XG5000
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-02
Softing Secure Integration Server
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-04
B&R Industrial Automation Automation Studio 4
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-05
Emerson Proficy Machine Edition
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-06
Sequi PortBloque S
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-07
Two DoS vulnerabilities eliminated from Mitsubishi industrial controllers
https://www.ptsecurity.com/ww-en/about/news/two-dos-vulnerabilities-eliminated-from-mitsubishi-industrial-controllers
Multiple Vulnerabilities in Samba
https://www.qnap.com/en-us/security-advisory/QSA-22-22
Multiple Vulnerabilities in Apache HTTP Server
https://www.qnap.com/en-us/security-advisory/QSA-22-23
Remote Support Authentication Vulnerability in IBM Spectrum Virtualize and Lenovo Storage V Series
http://support.lenovo.com/product_security/PS500514-REMOTE-SUPPORT-AUTHENTICATION-VULNERABILITY-IN-IBM-SPECTRUM-VIRTUALIZE-AND-LENOVO-STORAGE-V-SERIES