End-of-Day report
Timeframe: Tuesday 27-09-2022 18:00 - Wednesday 28-09-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
Microsoft to retire Exchange Online client access rules in a year
Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023.
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-exchange-online-client-access-rules-in-a-year/
Leaked LockBit 3.0 builder used by 'Bl00dy' ransomware gang in attacks
The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies.
https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/
Prilex: the pricey prickle credit card complex
Prilex is a Brazilian threat actor focusing on ATM and PoS attacks. In this report, we provide an overview of its PoS malware.
https://securelist.com/prilex-atm-pos-malware-evolution/107551/
New Malware Variants Serve Bogus CloudFlare DDoS Captcha
When attackers shift up their campaigns, change their payload or exfiltration domains, and put some extra effort into hiding their malware it's usually a telltale sign that they are making some money off of their exploits. One such campaign is the fake CloudFlare DDoS pages which we reported on last month.
https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare-ddos-captcha.html
Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.
https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html
Target: open-source packages: attacks 700 percent more frequent than three years ago
Open-source repositories are increasingly becoming a target for criminals. In the last year alone, Sonatype identified over 55,000 infected packages.
https://heise.de/-7278355
Attacking Encrypted HTTP Communications
The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers.
https://www.pentestpartners.com/security-blog/attacking-encrypted-http-communications/
Decrypt 'encrypted stub data' in Wireshark
I often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC. But I'm often interrupted in my enthusiasm by the payload dissected as 'encrypted stub data': can we decrypt this 'encrypted stub data'?
https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7
Stories from the SOC - C2 over port 22
The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses.
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-c2-over-port-22
Vulnerabilities
VU#855201: L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers
Overview: Layer-2 (L2) network security controls provided by various devices, such as switches, routers, and operating systems, can be bypassed by stacking Ethernet protocol headers. An attacker can send crafted packets through vulnerable devices to cause Denial-of-service (DoS) or to perform a man-in-the-middle (MitM) attack against a target network. This vulnerability exists within Ethernet encapsulation protocols that allow for stacking of Virtual Local Area Network (VLAN) headers.
https://kb.cert.org/vuls/id/855201
Cisco Security Advisories 2022-09-27 - 2022-09-28
Cisco published 23 Security Advisories (13 High, 10 Medium Severity)
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F09%2F27&firstPublishedEndDate=2022%2F09%2F28
Web browser Chrome 106: new features and 20 patched security holes
Google fixes 20 security vulnerabilities in the Chrome web browser, some of them high-risk. The browser also receives new features and improvements.
https://heise.de/-7277825
Security updates for Wednesday
Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15).
https://lwn.net/Articles/909676/
Octopus Deploy: vulnerability allows disclosure of information
A remote, authenticated attacker can exploit a vulnerability in Octopus Deploy to disclose information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1552
Security Bulletin: A Security Vulnerability was fixed in IBM Application Gateway.
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-was-fixed-in-ibm-application-gateway/
Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2022-35282)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-is-vulnerable-to-server-side-request-forgery-cve-2022-35282/
Security Bulletin: Information disclosure vulnerability in IBM QRadar User Behavior Analytics (CVE-2022-36771)
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-in-ibm-qradar-user-behavior-analytics-cve-2022-36771/
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise and IBM Integration Bus
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-app-connect-enterprise-and-ibm-integration-bus/
Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to identity spoofing by an authenticated user using a specially crafted request.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-to-identity-spoofing-by-an-authenticated-user-using-a-specially-crafted-request/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-functional-tester-9/
Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to HTTP header injection, caused by improper validation.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-to-http-header-injection-caused-by-improper-validation/
Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-cross-site-scripting-cve-2022-32750/
Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2022-21299)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-decision-optimization-center-cve-2022-21299/
Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-stored-cross-site-scripting-cve-2022-35721/
Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-stored-cross-site-scripting-cve-2022-35722-2/
Security Bulletin: IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-an-xml-external-entity-injection-attack-cve-2022-31775/
Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to zlib (CVE-2018-25032)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-ibm-integration-bus-are-vulnerable-to-a-denial-of-service-due-to-zlib-cve-2018-25032/
Security Bulletin: IBM TRIRIGA Application Platform discloses possible path command execution (CVE-2021-41878)
https://www.ibm.com/blogs/psirt/security-bulletinibm-tririga-application-platform-discloses-possible-path-command-executioncve-2021-41878/
Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-eclipse-paho-java-client-could-allow-a-remote-attacker-to-bypass-security-restric/
Autodesk AutoCAD: multiple vulnerabilities allow code execution
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1549
Moodle: vulnerability allows bypassing of security measures
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1546
Check Point ZoneAlarm Extreme Security: vulnerability allows privilege escalation
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1544