End-of-Day report
Timeframe: Thursday 18-08-2022 18:00 - Friday 19-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Honeypot Attack Summaries with Python
We are lucky to have a variety of tools available to enrich existing honeypot data, but also automate that enrichment. I put together a script to try and help myself achieve a simple goal.
https://isc.sans.edu/diary/rss/28956
Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads
Under normal circumstances, DDoS pages usually don't affect users much - they simply perform a check or request a skill-testing question in order to proceed to the desired webpage. However, a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevention prompts which lead victims to download remote access trojan malware.
https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html
But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer (Part 1)
At Pwn2Own Vancouver 2022, Manfred Paul compromised the Mozilla Firefox browser using a full chain exploit that broke the mold. Although his exploit used some memory corruptions, the vulnerable code was written in a memory-safe programming language: JavaScript!
https://www.zerodayinitiative.com/blog/2022/8/17/but-you-told-me-you-were-safe-attacking-the-mozilla-firefox-renderer-part-1
TikTok app reportedly also able to spy via its internal iPhone browser
After the issue had already been uncovered at Facebook and Instagram, a security researcher has now also taken a look at the Chinese video service.
https://heise.de/-7235891
Active attacks on iPhones, iPads and Macs: what users should do now
Apple is once again warning of serious security vulnerabilities that are apparently being actively exploited. Patches are available, but not for all systems and bugs. An overview.
https://heise.de/-7237518
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
This post explores some of the TTPs employed by a threat actor who was observed deploying LockBit 3.0 ransomware during an incident response engagement.
https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences.
https://www.securityweek.com/sap-vulnerability-exploited-attacks-after-details-disclosed-hacker-conferences
Fake shop alert: getvoltplug.com will not help you save electricity
In times of the energy crisis, getvoltplug.com advertises an attractive offer: a device is supposed to help you save up to 90% of your electricity bill. But beware! This device does not exist at all; it is a scam.
https://www.watchlist-internet.at/news/fake-shop-alarm-getvoltplugcom-hilft-ihnen-nicht-beim-stromsparen/
Knowledge: Website reported as compromised? How to proceed?
Anyone who operates a website may occasionally be confronted with the problem that it is reported as "risky" by security portals or users. The question then arises of how to proceed in order to find out whether this is a false alarm or whether the website has been compromised.
https://www.borncity.com/blog/2022/08/19/wissen-webseite-als-kompromittiert-gemeldet-wie-geht-man-vor/
Ukraine war spotlights agriculture sector's vulnerability to cyber attack
The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. We assess that future threats to the agriculture sector will mainly include financially motivated ransomware actors and disruptive attacks carried out by state-sponsored APTs.
http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agriculture.html
Business Email Compromise Attack Tactics
Is BEC more damaging than ransomware? What tactics are BEC actors using? How can organizations bolster their defenses?
https://www.trendmicro.com/en_us/ciso/22/h/business-email-compromise-bec-attack-tactics.html
Vulnerabilities
ZDI-22-1076: PDF-XChange Editor submitForm Out-Of-Bounds Read Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-22-1076/
DSA-2022-241: Dell EMC PowerFlex Rack Security Update for Multiple Third-Party Component Vulnerabilities
Dell EMC PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
https://www.dell.com/support/kbdoc/de-at/000202540/dsa-2022-241-dell-emc-powerflex-rack-security-update-for-multiple-third-party-component-vulnerabilities
Antivirus: McAfee vulnerability makes it easier for attackers to gain a foothold
Due to a security vulnerability in the McAfee Security Scan Plus antivirus software, attackers could have escalated their privileges. This made it easier to gain a foothold in the system.
https://heise.de/-7235809
Security updates for Friday
Security updates have been issued by Debian (ruby-tzinfo), Mageia (nvidia-current and nvidia390), SUSE (python-PyYAML, ucode-intel, and zlib), and Ubuntu (linux-aws, postgresql-10, postgresql-12, postgresql-14, and rsync).
https://lwn.net/Articles/905265/
vim: multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in vim to execute arbitrary code, manipulate files, or cause a denial-of-service condition.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1076
Security Advisory - JAD-AL50: Permission Bypass Vulnerability in Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220819-01-7e0a6103-en
Security Bulletin: IBM MQ Explorer is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2022-22489)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-explorer-is-vulnerable-to-an-xml-external-entity-injection-xxe-attack-cve-2022-22489/
Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches.
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-software-used-by-ibm-b-type-san-directors-and-switches-4/
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-35948 and CVE-2022-35949
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-designerauthoring-operands-may-be-vulnerable-to-loss-of-confidentiality-due-to-cve-2022-35948-and-cve-2022-35949/
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-25/
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-24/
Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-vulnerable-to-docker-cli-cve-2021-41092-and-apache-log4j-cve-2021-4104-cve-2022-23302-cve-2022-23305-cve-2022-23307-weaknesses-2/
Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM WebSphere Application Server Liberty and OpenSSL (CVE-2022-2068, CVE-2022-2097, CVE-2022-22475)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-vulnerable-to-multiple-weaknesses-related-to-ibm-websphere-application-server-liberty-and-openssl-cve-2022-2068-cve-2022-2097-cve-2022-22475/
Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in ICU [CVE-2017-14952 and CVE-2020-10531]
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-affected-by-vulnerabilities-in-icu-cve-2017-14952-and-cve-2020-10531/
Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches.
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-software-used-by-ibm-b-type-san-directors-and-switches-3/
Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2022-2048)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-jetty-affects-ibm-process-mining-cve-2022-2048/