End-of-Day report
Timeframe: Thursday 22-09-2022 18:00 - Friday 23-09-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Malware: Fraudsters distribute malware via fake Zoom websites
The websites pose as download pages for Zoom, but instead distribute malware that targets banking data.
https://www.golem.de/news/schadsoftware-betrueger-verteilen-malware-mit-gefaelschten-zoom-webseiten-2209-168494.html
Google Play Store: Harly trojan reaches 4.8 million downloads
Kaspersky has discovered numerous trojanized apps in the Google Play Store that contain the Harly malware, which signs victims up for paid service subscriptions.
https://heise.de/-7273522
Fingerprints & Co. - How do biometric login methods work?
Your eyes may be the window to your soul, but they can also be your boarding pass for a flight or the key that unlocks your phone. What are the advantages and disadvantages of using biometric features for authentication?
https://www.welivesecurity.com/deutsch/2022/09/22/fingerabdruck-co-wie-funktionieren-biometrische-anmeldeverfahren/
Microsoft: Windows KB5017383 preview update added to WSUS by mistake
Microsoft says that KB5017383, this month's Windows preview update, has been accidentally listed in Windows Server Update Services (WSUS) and may lead to security update install problems in some managed environments.
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5017383-preview-update-added-to-wsus-by-mistake/
Malicious OAuth applications used to compromise email servers and spread spam
Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange servers to launch spam runs.
https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
Kids Like Cookies, Malware Too!, (Fri, Sep 23rd)
Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won't discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user.
https://isc.sans.edu/diary/rss/29082
Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts
GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted "many victim organizations."
https://thehackernews.com/2022/09/hackers-using-fake-circleci.html
WAF bypasses via 0days
In May, I participated in 1337up0522 from Intigriti which was about hacking OWASP ModSecurity Core Rule Set (CRS). I've got 13 findings accepted including 3 exceptional, 2 critical, and 8 high severity vulnerabilities. In this article, I will showcase a couple of interesting findings.
https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec
Surge in Magento 2 template attacks
The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In this article we share our findings of 3 template hacks, and hope it will help you if you are confronted with a similar attack.
https://sansec.io/research/magento-2-template-attacks
Cross-Site Scripting: The Real WordPress Supervillain
Vulnerabilities are a fact of life for anyone managing a website, even when using a well-established content management system like WordPress. Not all vulnerabilities are equal, with some allowing access to sensitive data that would normally be hidden from public view, while others could allow a malicious actor to take full control of an affected [...]
https://www.wordfence.com/blog/2022/09/cross-site-scripting-the-real-wordpress-supervillain/
CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of cyberattacks targeting a recently addressed vulnerability in Zoho ManageEngine.
https://www.securityweek.com/cisa-warns-zoho-manageengine-rce-vulnerability-exploitation
NSA and CISA: Here's how hackers are going after critical systems, and what you need to do about it
NSA and CISA offer some advice for critical infrastructure operators to protect their industrial control systems.
https://www.zdnet.com/article/nsa-and-cisa-heres-how-hackers-are-going-after-critical-systems-and-what-you-need-to-do-about-it/
Experts fear LockBit spread after ransomware builder leaked
A toolkit to create DIY versions of the LockBit ransomware has leaked, raising alarms among incident responders and cybersecurity experts warning of more widespread use in attacks. The leak, for the LockBit 3.0 ransomware encryptor, was announced on Wednesday by security researcher 3xp0rt. Several experts and researchers confirmed to The Record that the builder works [...]
https://therecord.media/experts-fear-lockbit-spread-after-ransomware-builder-leaked/
FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers
The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers.
https://asec.ahnlab.com/en/39152/
Vulnerabilities
HP printers: Critical vulnerability allows code injection in various models
HP warns of security vulnerabilities in numerous printer models that allow attackers to inject malicious code. The manufacturer is providing updates.
https://heise.de/-7250538
IBM Security Bulletins 2022-09-22
IBM CICS TX Advanced, IBM CICS TX Standard, IBM Common Cryptographic Architecture (CCA), IBM InfoSphere Information Server, IBM Jazz for Service Management, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM Partner Engagement Manager, IBM Security Guardium, IBM Spectrum Control, Operations Dashboard, TXSeries for Multiplatforms, Watson Explorer and Watson Explorer Content Analytics Studio, z/Transaction Processing Facility
https://www.ibm.com/blogs/psirt/
Security updates for Friday
Security updates have been issued by Debian (bind9, expat, firefox-esr, mediawiki, and unzip), Fedora (qemu and thunderbird), Oracle (webkit2gtk3), SUSE (ardana-ansible, ardana-cobbler, ardana-tempest, grafana, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-neutron-gbp, openstack-nova, python-Django1, rabbitmq-server, rubygem-puma, ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma, dpdk, [...]
https://lwn.net/Articles/909208/
New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access
Firmware security company Binarly has discovered another round of potentially serious firmware vulnerabilities that could allow an attacker to gain persistent access to any of the millions of affected devices.
https://www.securityweek.com/new-firmware-vulnerabilities-affecting-millions-devices-allow-persistent-access