End-of-Day report
Timeframe: Wednesday 17-08-2022 18:00 - Thursday 18-08-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
BlackByte ransomware gang is back with new extortion tactics
The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit.
https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-gang-is-back-with-new-extortion-tactics/
Microsoft Sysmon can now block malicious EXEs from being created
Microsoft has released Sysmon 14 with a new FileBlockExecutable option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware.
https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-can-now-block-malicious-exes-from-being-created/
Severe vulnerabilities: caution when using VPNs on Apple devices
Anyone using a VPN service on Apple's iOS is not as secure as one would actually expect.
https://futurezone.at/produkte/schwere-luecken-vorsicht-vpn-apple-iphone-ipad-ios/402115401
Clop: ransomware group apparently extorts the wrong waterworks
After hacking a water supply company in the United Kingdom, a ransomware group apparently made a mistake and extorted a different utility.
https://www.golem.de/news/clop-ransomwaregruppe-erpresst-scheinbar-falsches-wasserwerk-2208-167659.html
Hacking: the Rubber Ducky Bad-USB stick becomes even more dangerous
With a new version of the Rubber Ducky Bad-USB stick, computers can be attacked even more easily, and data can now also be exfiltrated covertly.
https://www.golem.de/news/hacking-der-bad-usb-stick-rubber-ducky-wird-noch-gefaehrlicher-2208-167713.html
Hackers Using Bumblebee Loader to Compromise Active Directory Services
The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities.
https://thehackernews.com/2022/08/hackers-using-bumblebee-loader-to.html
Deluge of entries to Spamhaus blocklists includes various household names
Nastymail tracking service blames sloppy sending practices for swelling lists of dangerous mailers. Spam-tracking service Spamhaus reported Tuesday that some of the world's biggest brands are getting loose with their email practices, causing its spam blocklists (SBL) to swell significantly.
https://go.theregister.com/feed/www.theregister.com/2022/08/18/deluge_of_entries_to_spamhaus/
Real-Time Behavior-Based Detection on Android Reveals Dozens of Malicious Apps on Google Play Store
Cybersecurity researchers identify 35 apps, many downloaded over 100,000 times, that have been serving up malware to millions of Android users.
https://www.bitdefender.com/blog/labs/real-time-behavior-based-detection-on-android-reveal-dozens-of-malicious-apps-on-google-play-store
PayPal Phishing Scam Uses Invoices Sent Via PayPal
Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge.
https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/
ASEC Weekly Malware Statistics (August 8th, 2022 - August 14th, 2022)
This post will list weekly statistics collected from August 8th, 2022 (Monday) to August 14th, 2022 (Sunday).
https://asec.ahnlab.com/en/37837/
Analyzing the Hidden Danger of Environment Variables for Keeping Secrets
While DevOps practitioners use environment variables to regularly keep secrets in applications, these could be conveniently abused by cybercriminals for their malicious activities, as our analysis shows.
https://www.trendmicro.com/en_us/research/22/h/analyzing-hidden-danger-of-environment-variables-for-keeping-secrets.html
Vulnerabilities
Active exploits: macOS 12.5.1, iOS 15.6.1 and iPadOS 15.6.1 available
Apple is once again releasing updates for its 2021 operating systems. The reason is important security fixes. A separate update is coming for the Apple Watch.
https://heise.de/-7223549
Cisco Secure Web Appliance Privilege Escalation Vulnerability
A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-prv-esc-8PdRU8t8
Web conferencing: partly critical vulnerabilities in Zoom
Several Zoom variants contain security vulnerabilities, some of them critical. Updates are meant to close them. Mac users have to update again.
https://heise.de/-7223873
TP-Link: malicious code smuggling through security vulnerability in routers
Security researchers from Vietnam have found a critical flaw in TP-Link's TL-WR841N WLAN router that allows code execution on the device.
https://heise.de/-7224392
Security updates for Thursday
Security updates have been issued by Debian (chromium, epiphany-browser, freecad, and schroot), Fedora (freeciv, microcode_ctl, qemu, and rsync), Oracle (httpd), SUSE (aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures, python-coverage, python-oniconfig, python-unittest-mixins, bluez, curl, gnutls, kernel, ntfs-3g_ntfsprogs, podman, and ucode-intel), and Ubuntu (zlib).
https://lwn.net/Articles/905072/
Apache ActiveMQ Artemis: vulnerability allows display of false information
A remote, anonymous attacker can exploit a vulnerability in Apache ActiveMQ Artemis to display false information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1069
TypeORM 0.3.7 Information Disclosure
TypeORM 0.3.7 Information Disclosure Risk: I found what I think is a vulnerability in the latest typeorm 0.3.7.
https://cxsecurity.com/issue/WLB-2022080057
DSA-2022-238: Dell Client BIOS Security Update for Multiple Tianocore EDK2 Vulnerabilities
https://www.dell.com/support/kbdoc/de-at/000202475/dsa-2022-238-dell-client-bios-security-update-for-multiple-tianocore-edk2-vulnerabilities
Security Bulletin: Vulnerability in Moment affects IBM Process Mining. CVE-2022-31129
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-moment-affects-ibm-process-mining-cve-2022-31129/
Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2022 - Includes Oracle April 2022 CPU (minus CVE-2022-21426) affects IBM Security Verify Governance, Identity Manager virtual appliance component
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-apr-2022-includes-oracle-april-2022-cpu-minus-cve-2022-21426affects-ibm-security-verify-governance-identity-manager-virtual-app/
Security Bulletin: Vulnerability in FasterXML jackson-databind affects IBM Process Mining. CVE-2020-36518
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxml-jackson-databind-affects-ibm-process-mining-cve-2020-36518/
Security Bulletin: AIX is vulnerable to arbitrary command execution (CVE-2022-1292 and CVE-2022-2068) or an attacker may obtain sensitive information (CVE-2022-2097) due to OpenSSL
https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-arbitrary-command-execution-cve-2022-1292-and-cve-2022-2068-or-an-attacker-may-obtain-sensitive-information-cve-2022-2097-due-to-openssl/
Security Bulletin: Multiple vulnerabilities due to OpenSSL and Node js which affect IBM App Connect Enterprise and IBM Integration Bus
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-due-to-openssl-and-node-js-which-affect-ibm-app-connect-enterprise-and-ibm-integration-bus/
Security Bulletin: Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-affect-ibm-cloud-pak-system-3/
Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester
https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerability-affects-ibm-rational-functional-tester-3/
Security Bulletin: Samba for IBM i is vulnerable to attacker obtaining sensitive information due to a memory leak with SMB1 requests (CVE-2022-32742)
https://www.ibm.com/blogs/psirt/security-bulletin-samba-for-ibm-i-is-vulnerable-to-attacker-obtaining-sensitive-information-due-to-a-memory-leak-with-smb1-requests-cve-2022-32742/
Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining. CVE-2020-36518
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-jetty-affects-ibm-process-mining-cve-2020-36518/