Daily summary - 25.08.2022

End-of-Day report

Timeframe: Wednesday 24-08-2022 18:00 - Thursday 25-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer

News

PyPI packages hijacked after developers fall for phishing emails

A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages exotel and spam are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email.

https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after-developers-fall-for-phishing-emails/


More hackers adopt Sliver toolkit as a Cobalt Strike alternative

Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative.

https://www.bleepingcomputer.com/news/security/more-hackers-adopt-sliver-toolkit-as-a-cobalt-strike-alternative/


Twilio hackers hit over 130 orgs in massive Okta phishing attack

Threat analysts have discovered the phishing kit responsible for thousands of attacks against 136 high-profile organizations that have compromised 9,931 accounts.

https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/


MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone

Microsoft security researchers have discovered a post-compromise capability we're calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments.

https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/


whids - Open Source EDR for Windows

EDR with artifact collection driven by detection. The detection engine is built on top of a previous project, Gene, which was specifically designed to match Windows events against user-defined rules.

https://github.com/0xrawsec/whids


EDR: Successors to antivirus software struggle with well-known problems

The security industry markets Endpoint Detection & Response as the better antivirus. Tests show that it often fails for the same reasons.

https://heise.de/-7241955


Firefox ESR, Thunderbird: Attackers could intercept user input

Important security updates are available for the Thunderbird mail client and the Firefox ESR web browser.

https://heise.de/-7242897


Doxing - what is it and how do you protect yourself against it?

Doxing can happen to anyone - here you will learn how to reduce the likelihood of your personal data being weaponised against you.

https://www.welivesecurity.com/deutsch/2022/08/25/doxing-was-ist-das-und-wie-schutzt-man-sich-davor/


Beware of coin traps on dating portals

Do you want to find out whether your online acquaintance is really serious? Have you spent money on coins or credit in order to chat with your acquaintance, yet a meeting in person never happens? Here you will learn everything about the tricks used by moderated dating portals.

https://www.watchlist-internet.at/news/vorsicht-vor-coin-fallen-auf-dating-portalen/


Preparing Critical Infrastructure for Post-Quantum Cryptography

CISA has released CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography, which outlines the actions that critical infrastructure stakeholders should take now to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024.

https://us-cert.cisa.gov/ncas/current-activity/2022/08/24/preparing-critical-infrastructure-post-quantum-cryptography


Palo Alto warns of firewall vulnerability used in DDoS attack on service provider

Palo Alto Networks is urging customers to patch a line of firewall products after finding that the vulnerability was used in a distributed denial-of-service (DDoS) attack. On August 19, the company made all patches available for CVE-2022-0028 - which affects the PA-Series, VM-Series and CN-Series of the PAN-OS firewall software.

https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-ddos-attack-on-service-provider/


New Golang Ransomware Agenda Customizes Attacks

A new piece of ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.

https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

Vulnerabilities

VU#309662: Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass

The following vendor-specific bootloaders were found vulnerable:
- Inherently vulnerable bootloader to bypass Secure Boot: New Horizon Datasys Inc (CVE-2022-34302)
- UEFI Shell execution to bypass Secure Boot: CryptoPro Secure Disk (CVE-2022-34301), Eurosoft (UK) Ltd (CVE-2022-34303)
Microsoft has provided details in their KB5012170 article released on August 9th 2022. Note that these updates can be delivered by your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX).

https://kb.cert.org/vuls/id/309662


Movable Type XMLRPC API vulnerable to command injection

Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability.

https://jvn.jp/en/jp/JVN57728859/


Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053

Project: Commerce Elavon
Security risk: Moderately critical
Vulnerability: Access bypass
Description: This module enables you to accept payments from the Elavon payment provider. [..] This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.

https://www.drupal.org/sa-contrib-2022-053


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr, libxslt, and open-vm-tools), Fedora (dotnet6.0 and firefox), Oracle (curl, firefox, rsync, and thunderbird), Red Hat (curl, firefox, php:7.4, rsync, systemd, and thunderbird), SUSE (bluez, chromium, freerdp, glibc, gnutls, kernel, postgresql10, raptor, rubygem-rails-html-sanitizer, and spice), and Ubuntu (firefox, linux, linux-kvm, linux-lts-xenial, linux-aws, linux-azure-fde, open-vm-tools, and varnish).

https://lwn.net/Articles/906055/


Atlassian Bitbucket: Vulnerability allows code execution

A remote, authenticated attacker can exploit a vulnerability in Atlassian Bitbucket to execute arbitrary code.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1185


HCL Notes and Domino: Vulnerability allows bypassing security mechanisms

A remote, anonymous attacker can exploit a vulnerability in HCL Notes and HCL Domino to bypass security mechanisms.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1180


Mattermost security updates 7.1.3 (ESR), 7.0.2, 6.3.10 (ESR) released

We're informing you about a Mattermost security update, which addresses a medium-severity vulnerability. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.1.3 (Extended Support Release), 7.0.2, and 6.3.10 (Extended Support Release) for both Team Edition and Enterprise Edition.

https://mattermost.com/blog/mattermost-security-updates-7-1-3-esr-7-0-2-6-3-10-esr-released/


Cisco Releases Security Updates for Multiple Products

Cisco has released security updates for vulnerabilities affecting ACI Multi-Site Orchestrator, FXOS, and NX-OS software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisco-releases-security-updates-multiple-products


SMA100 Exposure of Sensitive Information to an Unauthorized Actor

A vulnerability in the SonicWall SMA100 appliance could potentially expose sensitive information, i.e. the third-party packages and library versions used in the appliance firmware, to a pre-authenticated actor. IMPORTANT: SMA 1000 series products are not affected by this vulnerability.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0020


SonicWall SMA100 Post-Auth Heap-based Buffer Overflow Vulnerability

A heap-based buffer overflow vulnerability in the SonicWall SMA100 appliance allows a remote authenticated attacker to cause a denial of service (DoS) on the appliance or potentially achieve code execution. This vulnerability impacts 10.2.1.5-34sv and earlier versions. IMPORTANT: SMA 1000 series products are not affected by this vulnerability. CVE: CVE-2022-2915

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0019


Security Bulletin: IBM Connect:Direct Web Services vulnerable to remote security bypass due to PostgreSQL (CVE-2022-1552)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-connectdirect-web-services-vulnerable-to-remote-security-bypass-due-to-postgresql-cve-2022-1552/


Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service due to Linux Kernel (CVE-2020-35513)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-a-denial-of-service-due-to-linux-kernel-cve-2020-35513/


FATEK Automation FvDesigner

https://us-cert.cisa.gov/ics/advisories/icsa-22-237-01