Daily summary - 17.08.2022

End-of-Day report

Timeframe: Tuesday 16-08-2022 18:00 - Wednesday 17-08-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer

News

Malware devs already bypassed Android 13's new security feature

Android malware developers are already adjusting their tactics to bypass a new Restricted settings security feature introduced by Google in the newly released Android 13.

https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/


SocGholish: 5+ Years of Massive Website Infections

Earlier this June, we shared information about the ongoing NDSW/NDSX malware campaign, which has been one of the most common website infections detected and cleaned by our remediation team in the last few years. This NDSW/NDSX malware - also referred to as FakeUpdates or SocGholish by other research groups - is responsible for redirecting site visitors to malicious pages designed to trick victims into loading and installing fake browser updates.

https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html


RubyGems now requires multi-factor auth for top package maintainers

Sign-on you crazy diamond: RubyGems.org, the Ruby programming community's software package registry, now requires maintainers of popular "gems" to secure their accounts using multi-factor authentication (MFA).

https://www.theregister.com/2022/08/16/rubygems_package_registry_mfa/


Phishing Site used to Spread Typhon Stealer

During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe.

https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-stealer/


Hacking Cisco ASA firewalls with Metasploit and open-source tools

A researcher has published numerous tools and Metasploit modules for hacking Cisco firewalls. A recent update does not help against one of the tools.

https://heise.de/-7222976


Warning: Disney+ phishing emails in circulation!

Do you have a Disney+ account? Then beware of fraudulent phishing messages. Criminals are mass-mailing emails claiming that you must update your payment information because your subscription has expired.

https://www.watchlist-internet.at/news/achtung-disney-phishing-mails-im-umlauf/


How a spoofed email passed the SPF check and landed in my inbox

The Sender Policy Framework can't help prevent spam and phishing if you allow billions of IP addresses to send as your domain.

https://www.welivesecurity.com/2022/08/16/spoofed-email-passed-spf-check-inbox/
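The size of the address space an SPF record authorizes can be checked mechanically before it bites. The following is an added example, not code from the article or from ESET: a small Python linter that parses an SPF TXT record, collapses overlapping ip4: networks so nothing is double-counted, and reports how many IPv4 addresses are allowed to send as the domain. The sample records and the .example domains are constructed for illustration, and the MAX_REASONABLE threshold is an arbitrary assumption; include:, a:, mx:, exists: and ptr: mechanisms need DNS lookups, so they are reported as unresolved rather than counted.

```python
import ipaddress

# Constructed sample records for illustration; the domains are placeholders.
SAMPLE_RECORDS = {
    "tight.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/64 -all",
    "partial.example": "v=spf1 include:_spf.example.net ip4:198.51.100.0/24 -all",
    "loose.example": "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/2 ~all",
    "wideopen.example": "v=spf1 +all",
}

# Hypothetical threshold: more than a /16 of authorized senders deserves review.
MAX_REASONABLE = 2 ** 16


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples.

    Modifiers such as redirect= and exp= are skipped: they do not authorize
    addresses directly. A missing qualifier means '+' (pass) per RFC 7208.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()  # 'a/24' or 'mx/24' carry a CIDR on the name
        parsed.append((qualifier, mech, arg))
    return parsed


def permitted_ipv4(record):
    """Return (address_count, unresolved) for an SPF record.

    address_count is the number of distinct IPv4 addresses that pass SPF via
    ip4: mechanisms or an unconditional '+all'. Mechanisms that need DNS
    (include, a, mx, exists, ptr) are listed in unresolved instead of counted,
    so the count is a lower bound until they are expanded.
    """
    networks = []
    unresolved = []
    for qualifier, mech, arg in parse_spf(record):
        if qualifier != "+":
            continue  # fail, softfail and neutral never authorize a sender
        if mech == "ip4":
            networks.append(ipaddress.ip_network(arg, strict=False))
        elif mech == "all":
            networks.append(ipaddress.ip_network("0.0.0.0/0"))
        elif mech in ("include", "a", "mx", "exists", "ptr"):
            unresolved.append(mech + ":" + arg if arg else mech)
    # collapse_addresses merges overlapping and adjacent ranges first.
    count = sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))
    return count, unresolved


def assess(record):
    """One-line verdict on how permissive a record is."""
    count, unresolved = permitted_ipv4(record)
    if count >= 2 ** 32:
        verdict = "open: every IPv4 address passes SPF for this domain"
    elif count > MAX_REASONABLE:
        verdict = "over-permissive: %d IPv4 addresses may send as this domain" % count
    else:
        verdict = "ok: %d IPv4 addresses authorized" % count
    if unresolved:
        verdict += " (not counted, needs DNS: " + ", ".join(unresolved) + ")"
    return verdict


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print("%-18s %s" % (domain, assess(record)))
```

To check a real domain, feed the output of `dig +short TXT <domain>` (stripping the surrounding quotes) to assess(); anything reported as unresolved has to be fetched and fed back in the same way, since an over-broad include: target is just as much of a hole as an over-broad ip4: range.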


Once more, VMware!

In April and May of this year, VMware published two security advisories (VMSA-2022-0011 & VMSA-2022-0014) on severe vulnerabilities in several products, for some of which patches were already available. Those security updates were subsequently analysed by various threat actors and served as the basis for the first exploits, which in turn were used within 48 hours of the advisories' publication to compromise systems on a large scale.

https://cert.at/de/blog/2022/8/los-vmware-machs-nochmal


GCP, therefore IAM

Managing access authorization for your cloud assets is a challenging task, especially when dealing with multiple public/private resources, environments, services, providers, and users.

https://blog.checkpoint.com/2022/08/17/gcp-therefore-iam/


Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass

Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass.

http://blog.talosintelligence.com/2022/08/vuln-spotlight-wwbn-avideo-stream.html


Top Five Patch Management & Process Best Practices

Explore the top patch management best practices to mitigate the growing threat of vulnerability exploits in your organization.

https://www.trendmicro.com/en_us/ciso/22/h/patch-management-process-best-practices.html

Vulnerabilities

RTLS systems vulnerable to MiTM attacks, location manipulation

Security researchers have uncovered multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems), enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data.

https://www.bleepingcomputer.com/news/security/rtls-systems-vulnerable-to-mitm-attacks-location-manipulation/


IBM Security Bulletins 2022-08-16

IBM Cloud Pak System, IBM Security Verify Governance, IBM Sterling Connect:Direct for Microsoft Windows, IBM InfoSphere Identity Insight, PowerVC.

https://www.ibm.com/blogs/psirt/


Google Chrome update: exploit in circulation

Google has closed several security holes in Chrome. The vendor rates at least one of them as critical. For another, an exploit is already circulating.

https://heise.de/-7222389


Security updates for Wednesday

Security updates have been issued by Debian (epiphany-browser, net-snmp, webkit2gtk, and wpewebkit), Fedora (python-yara and yara), Red Hat (kernel and kpatch-patch), SUSE (ceph, compat-openssl098, java-1_8_0-openjdk, kernel, python-Twisted, rsync, and webkit2gtk3), and Ubuntu (pyjwt and unbound).

https://lwn.net/Articles/904955/


Quarterly Security Patches Released for Splunk Enterprise

Splunk this week announced the release of a new set of quarterly patches, to address multiple vulnerabilities in Splunk Enterprise.

https://www.securityweek.com/quarterly-security-patches-released-splunk-enterprise


WAGO: Multiple Products Series affected by multiple CODESYS vulnerabilities

VDE-2022-031. Vendor: WAGO GmbH & Co. KG. Affected products (article no. / product name; affected versions are listed in the advisory):
752-8303/8000-0002 EC300
750-8100/xxx-xxx PFC 100
750-8102/xxx-xxx PFC 100
750-8101/xxx-xxx PFC 100
750-8217/xxx-xxx PFC 200
750-8216/xxx-xxx PFC 200
750-8215/xxx-xxx PFC 200
750-8214/xxx-xxx PFC 200
750-8213/xxx-xxx PFC 200
750-8212/xxx-xxx PFC 200
750-8211/xxx-xxx PFC 200
750-8210/xxx-xxx PFC 200
750-8207/xxx-xxx PFC 200
750-8206/xxx-xxx PFC 200
750-8204/xxx-xxx PFC 200
750-8203/xxx-xxx PFC 200

https://cert.vde.com/de/advisories/VDE-2022-031/


WAGO: Multiple product series affected by multiple CODESYS vulnerabilities

VDE-2022-035. Vendor: WAGO GmbH & Co. KG. Affected products (article no. / product name; affected versions are listed in the advisory):
751-9301 CC100
752-8303/8000-0002 EC300
750-8100/xxx-xxx PFC 100
750-8102/xxx-xxx PFC 100
750-8101/xxx-xxx PFC 100
750-8216/xxx-xxx PFC 200
750-8215/xxx-xxx PFC 200
750-8214/xxx-xxx PFC 200
750-8213/xxx-xxx PFC 200
750-8212/xxx-xxx PFC 200
750-8211/xxx-xxx PFC 200
750-8210/xxx-xxx PFC 200
750-8207/xxx-xxx PFC 200
750-8206/xxx-xxx PFC 200
750-8204/xxx-xxx PFC 200
750-8203/xxx-xxx PFC 200
750-8202/xxx-xxx PFC

https://cert.vde.com/de/advisories/VDE-2022-035/


Microsoft Windows Defender: Multiple vulnerabilities

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1053


Ansible Automation Platform: Vulnerability allows privilege escalation

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1058


Delta Industrial Automation DRAS

https://us-cert.cisa.gov/ics/advisories/icsa-22-228-03