Daily summary - 16.09.2022

End-of-Day report

Timeframe: Thursday 15-09-2022 18:00 - Friday 16-09-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

Vulnerability in WordPress plug-in WPGateway turns attackers into admins

Attackers are targeting WordPress websites running WPGateway. Security updates are not yet available.

https://heise.de/-7265906


Update for Exchange Extended Protection script, but still errors

With the August 2022 security updates for Microsoft Exchange (on-premises), it is necessary to enable Extended Protection (EP) in order to close all vulnerabilities. Activation is done via a script provided by Microsoft, which, however, led to problems.

https://www.borncity.com/blog/2022/09/16/update-fr-exchange-extended-protection-script-aber-weiterhin-fehler/


PS2 emulator: exploit in PS4 and PS5 reportedly cannot be fixed

A flaw in the integrated PS2 emulator of the PlayStation 4 and 5 reportedly cannot be fixed "in principle". That is enough to execute code.

https://www.golem.de/news/ps2-emulator-exploit-in-ps4-und-ps5-soll-nicht-behebbar-sein-2209-168319.html


Bitdefender releases free decryptor for LockerGoga ransomware

Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom.

https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/


Microsoft Edge's News Feed ads abused for tech support scams

An ongoing malvertising campaign is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.

https://www.bleepingcomputer.com/news/security/microsoft-edge-s-news-feed-ads-abused-for-tech-support-scams/


Water Tank Management System Used Worldwide Has Unpatched Security Hole

A water tank management system used by organizations worldwide is affected by a critical vulnerability that can be exploited remotely, and the vendor does not appear to want to patch it.

https://www.securityweek.com/water-tank-management-system-used-worldwide-has-unpatched-security-hole


Word Maldoc With CustomXML and Renamed VBAProject.bin, (Fri, Sep 16th)

Friend and colleague 0xThiebaut just gave me a heads up for this interesting sample: 2056b52f8c2f62e222107e6fb6ca82708cdae73a91671d40e61aef8698e3e139

https://isc.sans.edu/diary/rss/29056


Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies

Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.

https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html

Vulnerabilities

Security updates for Friday

Security updates have been issued by Debian (bzip2, chromium, glib2.0, libraw, mariadb-10.3, and mod-wsgi), Fedora (kdiskmark, wordpress, and zlib), Oracle (.NET 6.0, .NET Core 3.1, mariadb:10.3, nodejs:14, nodejs:16, ruby:2.7, and ruby:3.0), Red Hat (.NET 6.0, php:7.4, and webkit2gtk3), SUSE (389-ds, flatpak, kernel, libgit2, and thunderbird), and Ubuntu (sqlite3, vim, and wayland).

https://lwn.net/Articles/908297/


Synology-SA-22:15 GLPI

Multiple vulnerabilities allow remote attackers or remote authenticated users to obtain sensitive information, inject arbitrary web script or HTML, or inject SQL commands via a susceptible version of GLPI.

https://www.synology.com/en-global/support/security/Synology_SA_22_15


CISA Adds Six Known Exploited Vulnerabilities to Catalog

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates.

https://us-cert.cisa.gov/ncas/current-activity/2022/09/15/cisa-adds-six-known-exploited-vulnerabilities-catalog


Warning: backdoor in TechLogix Networx Power Delivery Unit, isolate from the Internet and patch

There is a serious vulnerability in the firmware of power delivery units (PDUs) from the US manufacturer TechLogix Networx. In older firmware versions (before version 2.0.2a) no authentication is performed, i.e. the power delivery unit can be switched off over the network.

https://www.borncity.com/blog/2022/09/16/achtung-backdoor-in-techlogix-networx-power-delivery-unit-vom-internet-isolieren-und-patchen/


Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104-3/


Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-sensitive-information-exposure-cve-2021-35550-2/


Security Bulletin: IBM Sterling Connect:Direct for UNIX container is vulnerable to obtain sensitive information due to OpenSSL (CVE-2022-2097)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-for-unix-container-is-vulnerable-to-obtain-sensitive-information-due-to-openssl-cve-2022-2097/


Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to Denial of Service (CVE-2021-35578)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-denial-of-service-cve-2021-35578-2/


Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-exposure-of-sensitive-information-cve-2021-35603-4/


Dell BSAFE: Multiple vulnerabilities enable unspecified attack

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1452


xpdf: Vulnerability enables unspecified attack

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1451


NGINX: Vulnerability enables unspecified attack

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1450


Nextcloud: Multiple vulnerabilities enable information disclosure

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1449