End-of-Day report
Timeframe: Tuesday 23-08-2022 18:00 - Wednesday 24-08-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Fake Chrome extension Internet Download Manager has 200,000 installs
Google Chrome extension Internet Download Manager installed by more than 200,000 users is adware.
https://www.bleepingcomputer.com/news/security/fake-chrome-extension-internet-download-manager-has-200-000-installs/
Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams
A new business email compromise (BEC) campaign has been discovered combining sophisticated spear-phishing with Adversary-in-The-Middle (AiTM) tactics to hack corporate executives' Microsoft 365 accounts, even those protected by MFA.
https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-monitor-microsoft-365-accounts-for-bec-scams/
Ransomware updates & 1-day exploits
In this report, we discuss the new multi-platform ransomware RedAlert (aka N13V) and Monster, as well as private 1-day exploits for the CVE-2022-24521 vulnerability.
https://securelist.com/ransomware-updates-1-day-exploits/107291/
Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC, (Wed, Aug 24th)
On Monday, 2022-08-22, I generated an IcedID (Bokbot) infection based on Monster Libra (also known as TA551 or Shathak).
https://isc.sans.edu/diary/rss/28974
Bomber is an application that scans SBoMs for security vulnerabilities.
So you've asked a vendor for a Software Bill of Materials (SBOM) for one of their products, and they provided one to you in a JSON file... now what?
https://github.com/devops-kung-fu/bomber
Cyber attack: Greek gas grid operator Desfa victim of ransomware gang
The ransomware gang behind Ragnar Locker has broken into the networks of Desfa, the operator of the Greek natural gas grid. Supply remains secured.
https://heise.de/-7241322
Breach at Plex: data exfiltrated, password change required
Malicious actors have apparently broken into the databases of the streaming service and media server Plex, where they were able to steal personal data.
https://heise.de/-7241975
Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems
A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices.
https://www.securityweek.com/ethernet-leds-can-be-used-exfiltrate-data-air-gapped-systems
Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity
Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT).
https://www.securityweek.com/old-inconspicuous-vulnerabilities-commonly-targeted-ot-scanning-activity
HavanaCrypt ransomware disguises itself as Google Update
The newly discovered HavanaCrypt ransomware uses sophisticated techniques and disguises itself as a Google update. No ransom demands have been made so far.
https://www.zdnet.de/88403049/havanacrypt-ransomware-tarnt-sich-als-google-update/
But You Told Me You Were Safe: Attacking the Mozilla Firefox Sandbox (Part 2)
In this blog post, we discuss a second prototype pollution vulnerability that allowed the execution of attacker-controlled JavaScript in the privileged parent process, escaping the sandbox.
https://www.thezdi.com/blog/2022/8/23/but-you-told-me-you-were-safe-attacking-the-mozilla-firefox-renderer-part-2
BitRAT and XMRig CoinMiner Being Distributed via Windows License Verification Tool
The ASEC analysis team has recently discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool.
https://asec.ahnlab.com/en/37939/
AsyncRAT Being Distributed in Fileless Form
The ASEC analysis team has recently discovered that malicious AsyncRAT codes are being distributed in fileless form.
https://asec.ahnlab.com/en/37954/
Vulnerabilities
Dangerous vulnerabilities threaten the security of critical infrastructure
Attackers could attack industrial control systems and, in the worst case, gain full control. Security updates are available.
https://heise.de/-7241733
GitLab updates close critical security vulnerability
The developers have released updated versions of the GitLab Community and Enterprise Edition that close a critical security vulnerability.
https://heise.de/-7241481
Security updates for Wednesday
Security updates have been issued by Fedora (vim), SUSE (cosign, dpdk, freeciv, gfbgraph, kernel, nim, p11-kit, perl-HTTP-Daemon, python-lxml, and python-treq), and Ubuntu (linux-oem-5.14, open-vm-tools, and twisted).
https://lwn.net/Articles/905853/
Oracle SBC: Multiple Security Vulnerabilities Leading to Unauthorized Access and Denial of Service
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/oracle-sbc-multiple-security-vulnerabilities-leading-to-unauthorized-access-and-denial-of-service/
Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-sensitive-information-exposure-cve-2021-35550/
Security Bulletin: A security vulnerability has been identified in IBM Java SDK shipped with IBM Tivoli Business Service Manager (CVE-2021-35603)
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-in-ibm-java-sdk-shipped-with-ibm-tivoli-business-service-manager-cve-2021-35603/
Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-vulnerable-to-multiple-vulnerabilities/
Security Bulletin: IBM Security Verify Governance is vulnerable to Denial of Service (CVE-2021-35578)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-governance-is-vulnerable-to-denial-of-service-cve-2021-35578/
Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-exposure-of-sensitive-information-cve-2021-35603-3/
Security Bulletin: IBM Security Verify Governance is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-governance-is-vulnerable-to-identity-spoofing-due-to-ibm-websphere-application-server-liberty-cve-2022-22475/
Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-includes-components-with-multiple-known-vulnerabilities/
VMSA-2022-0024
https://www.vmware.com/security/advisories/VMSA-2022-0024.html
vim: Vulnerability allows code execution
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1157
Jenkins Plugins: Multiple vulnerabilities
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1166
F-Secure products: Multiple vulnerabilities allow denial of service
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1165
tribe29 checkmk: Vulnerability allows disclosure of information
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1160
Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird
https://us-cert.cisa.gov/ncas/current-activity/2022/08/23/mozilla-releases-security-updates-firefox-firefox-esr-and