Daily summary - 26.08.2022

End-of-Day report

Timeframe: Thursday 25-08-2022 18:00 - Friday 26-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer


Living off the land, AD CS style

Unless you have been living under a rock for the last year or so, Active Directory Certificate Services (AD CS) abuse continues to be a hot topic in offensive security, ever since the excellent research released by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_).


Threat Assessment: Black Basta Ransomware

Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom.


Automatic Execution of Code Upon Package Download on Python Package Manager

Automatic code execution is triggered upon downloading approximately one third of the packages on PyPi. A worrying feature in pip/PyPi allows code to automatically run when developers are merely downloading a package.



Vulnerabilities in Cisco's FXOS and NX-OS allow takeover of control

In Cisco's router and firewall operating systems FXOS and NX-OS, attackers could have executed arbitrary code with root privileges. Updates are available.


Security updates for Friday

Security updates have been issued by Debian (zlib), Fedora (dotnet3.1, firefox, java-1.8.0-openjdk-aarch32, thunderbird, and zlib), Mageia (canna, chromium-browser-stable, dovecot, firefox/nss, freeciv, freetype2, gnutls, kernel, kernel-linus, kicad, ldb/samba/sssd, libgsasl, microcode, nodejs, rsync, thunderbird, and unbound), Oracle (php:7.4 and systemd), Scientific Linux (firefox, rsync, systemd, and thunderbird), Slackware (vim), and SUSE (bluez, gstreamer-plugins-good, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libcroco, postgresql10, postgresql13, python-lxml, and webkit2gtk3).


CISA Adds Ten Known Exploited Vulnerabilities to Catalog

CISA has added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.


[R1] Nessus Agent Version 8.3.4 Fixes Multiple Vulnerabilities

Custom audit files bring tremendous power and flexibility when assessing the configuration of your assets. Two separate vulnerabilities that utilize this custom Audit functionality were identified, reported and fixed. With the release of Nessus Agent 8.3.4, Tenable has mitigated the reported issues by enabling the ability to sign and verify custom audit files.


ABB Security Advisory: ARM600 Cyber Security Notification: UEFI vulnerability


Security Bulletin: Vulnerability in IBM Java Runtime(CVE-2021-35603) affects DB2 Recovery Expert for Linux, Unix and Windows


Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak


Security Bulletin: IBM MQ is vulnerable to issues with libcurl (CVE-2022-27780, CVE-2022-30115)


Security Bulletin: IBM DataPower Gateway vulnerable to CSRF attack


Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714)


Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak


Security Bulletin: IBM Security Directory Integrator as shipped with IBM Security Directory Suite is affected by Apache Log4j vulnerability (CVE-2021-4104)


Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in Java SE related to the JSSE component


F5: K42795243: Apache Xalan Java Library vulnerability CVE-2022-34169


WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008


vBulletin Connect: Vulnerability enables unspecified attack