End-of-Day report
Timeframe: Wednesday 24-08-2022 18:00 - Thursday 25-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
PyPI packages hijacked after developers fall for phishing emails
A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages exotel and spam are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email.
https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after-developers-fall-for-phishing-emails/
More hackers adopt Sliver toolkit as a Cobalt Strike alternative
Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative.
https://www.bleepingcomputer.com/news/security/more-hackers-adopt-sliver-toolkit-as-a-cobalt-strike-alternative/
Twilio hackers hit over 130 orgs in massive Okta phishing attack
Threat analysts have discovered the phishing kit responsible for thousands of attacks against 136 high-profile organizations that have compromised 9,931 accounts.
https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/
MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone
Microsoft security researchers have discovered a post-compromise capability we're calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments.
https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
whids - Open Source EDR for Windows
EDR with artifact collection driven by detection. The detection engine is built on top of a previous project, Gene, specially designed to match Windows events against user-defined rules.
https://github.com/0xrawsec/whids
EDR: successors to antivirus software struggle with long-known problems
The security industry touts Endpoint Detection & Response as the better antivirus. Tests show that it often fails on the same old problems.
https://heise.de/-7241955
Firefox ESR, Thunderbird: attackers could intercept user input
There are important security updates for the Thunderbird mail client and the Firefox ESR web browser.
https://heise.de/-7242897
Doxing - what is it and how do you protect yourself against it?
Doxing can happen to anyone. Here you will learn how to reduce the likelihood that your personal data is used as a weapon against you.
https://www.welivesecurity.com/deutsch/2022/08/25/doxing-was-ist-das-und-wie-schutzt-man-sich-davor/
Beware of coin traps on dating portals
Do you want to find out whether your online acquaintance is really serious? Have you invested money in coins or credit to chat with your acquaintance, but a personal meeting never happens? Here you will learn all about the tricks used by moderated dating portals.
https://www.watchlist-internet.at/news/vorsicht-vor-coin-fallen-auf-dating-portalen/
Preparing Critical Infrastructure for Post-Quantum Cryptography
CISA has released CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography, which outlines the actions that critical infrastructure stakeholders should take now to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024.
https://us-cert.cisa.gov/ncas/current-activity/2022/08/24/preparing-critical-infrastructure-post-quantum-cryptography
Palo Alto warns of firewall vulnerability used in DDoS attack on service provider
Palo Alto Networks is urging customers to patch a line of firewall products after finding that the vulnerability was used in a distributed denial-of-service (DDoS) attack. On August 19, the company made all patches available for CVE-2022-0028 - which affects the PA-Series, VM-Series and CN-Series of the PAN-OS firewall software.
https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-ddos-attack-on-service-provider/
New Golang Ransomware Agenda Customizes Attacks
A new piece of ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.
https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
Vulnerabilities
VU#309662: Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass
The following vendor-specific bootloaders were found vulnerable:
Inherently vulnerable bootloader to bypass Secure Boot
New Horizon Datasys Inc (CVE-2022-34302)
UEFI Shell execution to bypass Secure Boot
CryptoPro Secure Disk (CVE-2022-34301)
Eurosoft (UK) Ltd (CVE-2022-34303)
Microsoft has provided details in their KB5012170 article released on August 9th 2022. Note: these updates can be delivered by your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX).
https://kb.cert.org/vuls/id/309662
Movable Type XMLRPC API vulnerable to command injection
The Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability.
https://jvn.jp/en/jp/JVN57728859/
Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053
Project: Commerce Elavon
Security risk: Moderately critical
Vulnerability: Access bypass
Description: This module enables you to accept payments from the Elavon payment provider. [..] This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.
https://www.drupal.org/sa-contrib-2022-053
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, libxslt, and open-vm-tools), Fedora (dotnet6.0 and firefox), Oracle (curl, firefox, rsync, and thunderbird), Red Hat (curl, firefox, php:7.4, rsync, systemd, and thunderbird), SUSE (bluez, chromium, freerdp, glibc, gnutls, kernel, postgresql10, raptor, rubygem-rails-html-sanitizer, and spice), and Ubuntu (firefox, linux, linux-kvm, linux-lts-xenial, linux-aws, linux-azure-fde, open-vm-tools, and varnish).
https://lwn.net/Articles/906055/
Atlassian Bitbucket: vulnerability allows code execution
A remote, authenticated attacker can exploit a vulnerability in Atlassian Bitbucket to execute arbitrary code.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1185
HCL Notes and Domino: vulnerability allows bypassing security measures
A remote, anonymous attacker can exploit a vulnerability in HCL Notes and HCL Domino to bypass security measures.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1180
Mattermost security updates 7.1.3 (ESR), 7.0.2, 6.3.10 (ESR) released
We're informing you about a Mattermost security update, which addresses a medium-level severity vulnerability. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.1.3 (Extended Support Release), 7.0.2, and 6.3.10 (Extended Support Release) for both Team Edition and Enterprise Edition.
https://mattermost.com/blog/mattermost-security-updates-7-1-3-esr-7-0-2-6-3-10-esr-released/
Cisco Releases Security Updates for Multiple Products
Cisco has released security updates for vulnerabilities affecting ACI Multi-Site Orchestrator, FXOS, and NX-OS software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisco-releases-security-updates-multiple-products
SMA100 Exposure of Sensitive Information to an Unauthorized Actor
A vulnerability in the SonicWall SMA100 appliance could potentially expose sensitive information, i.e., third-party packages and library versions used in the appliance firmware, to a pre-authenticated actor. IMPORTANT: SMA 1000 series products are not affected by this vulnerability.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0020
SonicWall SMA100 Post-Auth Heap-based Buffer Overflow Vulnerability
A heap-based buffer overflow vulnerability in the SonicWall SMA100 appliance allows a remote authenticated attacker to cause a denial of service (DoS) on the appliance or potentially lead to code execution. This vulnerability impacts 10.2.1.5-34sv and earlier versions. IMPORTANT: SMA 1000 series products are not affected by this vulnerability. CVE: CVE-2022-2915
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0019
Security Bulletin: IBM Connect:Direct Web Services vulnerable to remote security bypass due to PostgreSQL (CVE-2022-1552)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-connectdirect-web-services-vulnerable-to-remote-security-bypass-due-to-postgresql-cve-2022-1552/
Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service due to Linux Kernel (CVE-2020-35513)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-a-denial-of-service-due-to-linux-kernel-cve-2020-35513/
FATEK Automation FvDesigner
https://us-cert.cisa.gov/ics/advisories/icsa-22-237-01