End-of-Day report
Timeframe: Wednesday 21-09-2022 18:00 - Thursday 22-09-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
BlackCat ransomware's data exfiltration tool gets an upgrade
The BlackCat ransomware (aka ALPHV) isn't showing any signs of slowing down, and the latest example of its evolution is a new version of the gang's data exfiltration tool used for double-extortion attacks.
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-s-data-exfiltration-tool-gets-an-upgrade/
Critical Magento vulnerability targeted in new surge of attacks
Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.
https://www.bleepingcomputer.com/news/security/critical-magento-vulnerability-targeted-in-new-surge-of-attacks/
RAT Delivered Through FODHelper, (Thu, Sep 22nd)
I found a simple batch file that drops a Remcos RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper").
https://isc.sans.edu/diary/rss/29078
Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure
Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers.
https://thehackernews.com/2022/09/researchers-disclose-critical.html
Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions
Recently (in August of 2022), the Sysinternals team released Sysmon 14.0 - a notable update of a powerful and configurable tool for monitoring Windows machines. While Sysmon already included a few valuable detection capabilities, the update introduced the first preventive measure - the FileBlockExecutable event (ID 27).
https://www.huntandhackett.com/blog/bypassing-sysmon
A technical analysis of the leaked LockBit 3.0 builder
This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022.
https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/
You can't stop me. MS Teams session hijacking and bypass
How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user.
https://www.pentestpartners.com/security-blog/you-cant-stop-me-ms-teams-session-hijacking-and-bypass/
Webinar: Recognising love scams on the Internet
The free webinar on the topic "Love Scams" takes place on Wednesday, 28.09.2022, from 18:30 to 20:00.
https://www.watchlist-internet.at/news/webinar-love-scams-im-internet-erkennen/
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
New version of Exmatter, and Eamfo malware, used by attackers deploying the Rust-based ransomware.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
AA22-265A: Control System Defense: Know the Opponent
This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets.
https://us-cert.cisa.gov/ncas/alerts/aa22-265a
MindShaRE: Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja
Disclosure of uninitialized memory is one of the common problems faced when copying data across trust boundaries. This can happen between the hypervisor and guest OS, kernel and user space, or across the network.
https://www.thezdi.com/blog/2022/9/19/mindshare-analyzing-bsd-kernels-with-binary-ninja
Vulnerabilities
IBM Security Bulletins 2022-09-21
IBM Security Guardium, IBM Cloud Pak for Multicloud Management Managed Services, IBM Tivoli Netcool Impact, IBM Maximo Asset Management, IBM Spectrum Protect Plus SQL.
https://www.ibm.com/blogs/psirt/
Emergency patch released for Microsoft Endpoint Configuration Manager
Admins should update Microsoft's IT management solution Endpoint Configuration Manager. Attacks could be imminent.
https://heise.de/-7272195
Python: 15-year-old vulnerability potentially affects 350,000 projects
The issue for the directory traversal vulnerability in the tarfile module has existed since 2007. It was closed with a note in the documentation.
https://heise.de/-7272186
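Since the tarfile issue was closed with a documentation note rather than a code change, callers of extractall() are expected to validate member paths themselves. The following is an added example (not code from the heise article or from the Python project) of that check: it flags members whose normalised path, or whose symlink/hardlink target, would land outside the destination directory, and refuses to extract if any are found. The destination path and the sample archive are constructed for the example.

```python
import io
import os
import tarfile


def is_within_directory(directory: str, target: str) -> bool:
    """True if target, once normalised, lies inside directory."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def find_traversal_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that would be written to, or point to, a path outside dest.

    Covers '../' components, absolute member names, and symlinks/hardlinks
    whose target escapes the destination directory.
    """
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        if member.issym():
            # A symlink target is resolved relative to the link's own directory.
            link_target = os.path.join(os.path.dirname(target), member.linkname)
            if not is_within_directory(dest, link_target):
                bad.append(member.name)
        elif member.islnk():
            # A hardlink target is relative to the archive root.
            if not is_within_directory(dest, os.path.join(dest, member.linkname)):
                bad.append(member.name)
    return bad


def find_traversal_members_in_bytes(data: bytes, dest: str) -> list:
    """Convenience wrapper: run the check over an in-memory archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return find_traversal_members(tar, dest)


def safe_extract(data: bytes, dest: str) -> None:
    """Extract only after every member has been checked; refuse otherwise."""
    bad = find_traversal_members_in_bytes(data, dest)
    if bad:
        raise ValueError(f"refusing to extract, escaping members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest)


def build_sample_tar(malicious: bool) -> bytes:
    """Constructed sample archive for the example (not a real-world artefact).

    With malicious=True it adds a '../' member and a symlink pointing
    outside the extraction directory.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        entries = [("docs/readme.txt", b"hello\n")]
        if malicious:
            entries.append(("../../etc/cron.d/evil", b"* * * * * root id\n"))
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        if malicious:
            link = tarfile.TarInfo("docs/passwd")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../../etc/passwd"
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical destination; nothing is written for the malicious sample.
    print(find_traversal_members_in_bytes(build_sample_tar(True), "extract_out"))
```

The check normalises with os.path.abspath before comparing, so "../" sequences, absolute names and link targets are all measured against the real destination rather than the raw string in the archive.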
Security updates for Thursday
Security updates have been issued by Debian (e17, fish, mako, and tinygltf), Fedora (mingw-poppler), Mageia (firefox, google-gson, libxslt, open-vm-tools, redis, and sofia-sip), Oracle (dbus-broker, kernel, kernel-container, mysql, and nodejs and nodejs-nodemon), Slackware (bind), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, [...]
https://lwn.net/Articles/909051/
Technical Advisory - Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
https://research.nccgroup.com/2022/09/22/technical-advisory-multiple-vulnerabilities-in-juplink-rx4-1800-wifi-router-cve-2022-37413-cve-2022-37414/
HP LaserJet: Multiple vulnerabilities allow code execution
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1499
Measuresoft ScadaPro Server
https://us-cert.cisa.gov/ics/advisories/icsa-22-265-01