End-of-Day report
Timeframe: Tuesday 16-08-2022 18:00 - Wednesday 17-08-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
News
Malware devs already bypassed Android 13's new security feature
Android malware developers are already adjusting their tactics to bypass a new Restricted settings security feature introduced by Google in the newly released Android 13.
https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/
SocGholish: 5+ Years of Massive Website Infections
Earlier this June, we shared information about the ongoing NDSW/NDSX malware campaign which has been one of the most common website infections detected and cleaned by our remediation team in the last few years. This NDSW/NDSX malware - also referred to as FakeUpdates or SocGholish by other research groups - is responsible for redirecting site visitors to malicious pages designed to trick victims into loading and installing fake browser updates.
https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html
RubyGems now requires multi-factor auth for top package maintainers
Sign-on you crazy diamond: RubyGems.org, the Ruby programming community's software package registry, now requires maintainers of popular "gems" to secure their accounts using multi-factor authentication (MFA).
https://www.theregister.com/2022/08/16/rubygems_package_registry_mfa/
Phishing Site used to Spread Typhon Stealer
During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe.
https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-stealer/
Hacking Cisco ASA firewalls with Metasploit and open-source tools
A researcher has published numerous tools and Metasploit modules for hacking Cisco firewalls. A current update does not help against one of the tools.
https://heise.de/-7222976
Warning: Disney+ phishing e-mails in circulation!
Do you have a Disney+ account? Then beware of fraudulent phishing messages. Criminals are mass-mailing e-mails claiming that you need to update your payment information because your subscription has expired.
https://www.watchlist-internet.at/news/achtung-disney-phishing-mails-im-umlauf/
How a spoofed email passed the SPF check and landed in my inbox
The Sender Policy Framework can't help prevent spam and phishing if you allow billions of IP addresses to send as your domain.
https://www.welivesecurity.com/2022/08/16/spoofed-email-passed-spf-check-inbox/
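The point of the article above is that an SPF record is only as strict as the address space it authorises. The following is an added example (not code from the article or from this report) that statically measures how many IPv4 addresses a record's ip4: mechanisms and its final "all" term let through, so an overly broad record is caught before it is published. It deliberately does no DNS: include:, a, mx, exists: and redirect= are only reported as unresolved, so the count is a lower bound. The sample records and the warning threshold are constructed for illustration.

```python
"""Static check of how much IPv4 space an SPF record authorises.

Added example, not from the article or the report. Evaluates ip4: terms
and the trailing 'all' mechanism offline; DNS-dependent mechanisms are
listed as unresolved, so the returned count is a lower bound.
"""
import ipaddress

IPV4_TOTAL = 2 ** 32  # every IPv4 address; what '+all' authorises

DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}


def evaluate_spf(record: str) -> dict:
    """Parse one SPF TXT record and return the authorised IPv4 count,
    whether it ends in '+all', and the mechanisms that would need DNS."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")

    networks = []
    unresolved = []
    pass_all = False
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a missing qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term and ":" not in term:  # modifier, e.g. redirect=
            if term.lower().startswith("redirect="):
                unresolved.append(term)
            continue
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]  # strip dual-cidr on a/mx
        if name == "ip4":
            # only '+' actually authorises; '-', '~' and '?' do not
            if qualifier == "+":
                networks.append(ipaddress.ip_network(arg, strict=False))
        elif name == "all":
            pass_all = qualifier == "+"
        elif name in DNS_MECHANISMS:
            unresolved.append(term)
        # ip6: is ignored here; the check is about IPv4 space only

    # merge overlaps so 1.0.0.0/8 plus 1.2.0.0/16 is not double counted
    merged = list(ipaddress.collapse_addresses(networks))
    count = IPV4_TOTAL if pass_all else sum(n.num_addresses for n in merged)
    return {
        "ipv4_count": count,
        "share": count / IPV4_TOTAL,
        "pass_all": pass_all,
        "unresolved": unresolved,
    }


def verdict(result: dict, warn_above: int = 2 ** 16) -> str:
    """Turn the evaluation into a one-line verdict. The threshold (a /16,
    65,536 addresses) is an assumed policy value, not from the article."""
    if result["pass_all"]:
        return "FAIL: '+all' lets any host on the internet pass SPF for this domain"
    if result["ipv4_count"] > warn_above:
        return (f"WARN: {result['ipv4_count']:,} IPv4 addresses may send as this "
                f"domain ({result['share']:.2%} of IPv4 space)")
    return (f"OK: {result['ipv4_count']:,} IPv4 addresses authorised (lower bound; "
            f"{len(result['unresolved'])} mechanism(s) need DNS to resolve)")


if __name__ == "__main__":
    # constructed sample records, not real domains
    samples = [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
        "v=spf1 ip4:1.0.0.0/8 ip4:1.2.0.0/16 ~all",
        "v=spf1 ip4:192.0.2.1 +all",
    ]
    for rec in samples:
        print(rec)
        print("  ", verdict(evaluate_spf(rec)))
```

Because the script never resolves include: chains, a record that looks tight here can still be loose through an included third-party record; run it on each included record as well, or follow the chain with a resolver-backed tool before signing off.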
VMware, once more!
In April and May of this year, VMware published two security advisories (VMSA-2022-0011 & VMSA-2022-0014) on serious vulnerabilities in several products, for some of which patches were already available. These security updates were then analysed by various threat actors and served as the basis for the first exploits, which in turn were used within 48 hours of the advisories' publication to compromise systems on a large scale.
https://cert.at/de/blog/2022/8/los-vmware-machs-nochmal
GCP, therefore IAM
Managing access authorization for your cloud assets is a challenging task. Certainly, when dealing with multiple public/private resources, environments, services, providers, and users.
https://blog.checkpoint.com/2022/08/17/gcp-therefore-iam/
Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass
Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass.
http://blog.talosintelligence.com/2022/08/vuln-spotlight-wwbn-avideo-stream.html
Top Five Patch Management & Process Best Practices
Explore the top patch management best practices to mitigate the growing threat of vulnerability exploits in your organization.
https://www.trendmicro.com/en_us/ciso/22/h/patch-management-process-best-practices.html
Vulnerabilities
RTLS systems vulnerable to MiTM attacks, location manipulation
Security researchers have uncovered multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems), enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data.
https://www.bleepingcomputer.com/news/security/rtls-systems-vulnerable-to-mitm-attacks-location-manipulation/
IBM Security Bulletins 2022-08-16
IBM Cloud Pak System, IBM Security Verify Governance, IBM Sterling Connect:Direct for Microsoft Windows, IBM InfoSphere Identity Insight, PowerVC.
https://www.ibm.com/blogs/psirt/
Google Chrome update: exploit in circulation
Google has patched several vulnerabilities in Chrome. The vendor rates at least one of them as critical. An exploit is already circulating for another one.
https://heise.de/-7222389
Security updates for Wednesday
Security updates have been issued by Debian (epiphany-browser, net-snmp, webkit2gtk, and wpewebkit), Fedora (python-yara and yara), Red Hat (kernel and kpatch-patch), SUSE (ceph, compat-openssl098, java-1_8_0-openjdk, kernel, python-Twisted, rsync, and webkit2gtk3), and Ubuntu (pyjwt and unbound).
https://lwn.net/Articles/904955/
Quarterly Security Patches Released for Splunk Enterprise
Splunk this week announced the release of a new set of quarterly patches, to address multiple vulnerabilities in Splunk Enterprise.
https://www.securityweek.com/quarterly-security-patches-released-splunk-enterprise
WAGO: Multiple Products Series affected by multiple CODESYS vulnerabilities
VDE-2022-031
Vendor(s): WAGO GmbH & Co. KG
Product(s) (Article No° - Product Name; Affected Version(s): see advisory):
752-8303/8000-0002 - EC300
750-8100/xxx-xxx - PFC 100
750-8102/xxx-xxx - PFC 100
750-8101/xxx-xxx - PFC 100
750-8217/xxx-xxx - PFC 200
750-8216/xxx-xxx - PFC 200
750-8215/xxx-xxx - PFC 200
750-8214/xxx-xxx - PFC 200
750-8213/xxx-xxx - PFC 200
750-8212/xxx-xxx - PFC 200
750-8211/xxx-xxx - PFC 200
750-8210/xxx-xxx - PFC 200
750-8207/xxx-xxx - PFC 200
750-8206/xxx-xxx - PFC 200
750-8204/xxx-xxx - PFC 200
750-8203/xxx-xxx - PFC 200
https://cert.vde.com/de/advisories/VDE-2022-031/
WAGO: Multiple product series affected by multiple CODESYS vulnerabilities
VDE-2022-035
Vendor(s): WAGO GmbH & Co. KG
Product(s) (Article No° - Product Name; Affected Version(s): see advisory):
751-9301 - CC100
752-8303/8000-0002 - EC300
750-8100/xxx-xxx - PFC 100
750-8102/xxx-xxx - PFC 100
750-8101/xxx-xxx - PFC 100
750-8216/xxx-xxx - PFC 200
750-8215/xxx-xxx - PFC 200
750-8214/xxx-xxx - PFC 200
750-8213/xxx-xxx - PFC 200
750-8212/xxx-xxx - PFC 200
750-8211/xxx-xxx - PFC 200
750-8210/xxx-xxx - PFC 200
750-8207/xxx-xxx - PFC 200
750-8206/xxx-xxx - PFC 200
750-8204/xxx-xxx - PFC 200
750-8203/xxx-xxx - PFC 200
750-8202/xxx-xxx - PFC
https://cert.vde.com/de/advisories/VDE-2022-035/
Microsoft Windows Defender: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1053
Ansible Automation Platform: Vulnerability allows privilege escalation
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1058
Delta Industrial Automation DRAS
https://us-cert.cisa.gov/ics/advisories/icsa-22-228-03