Daily summary - 28.09.2022

End-of-Day report

Timeframe: Tuesday 27-09-2022 18:00 - Wednesday 28-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner

News

Microsoft to retire Exchange Online client access rules in a year

Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023.

https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-exchange-online-client-access-rules-in-a-year/


Leaked LockBit 3.0 builder used by 'Bl00dy' ransomware gang in attacks

The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies.

https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/


Prilex: the pricey prickle credit card complex

Prilex is a Brazilian threat actor focusing on ATM and PoS attacks. In this report, we provide an overview of its PoS malware.

https://securelist.com/prilex-atm-pos-malware-evolution/107551/


New Malware Variants Serve Bogus CloudFlare DDoS Captcha

When attackers shift up their campaigns, change their payload or exfiltration domains, and put some extra effort into hiding their malware, it's usually a telltale sign that they are making some money off of their exploits. One such campaign is the fake CloudFlare DDoS pages which we reported on last month.

https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare-ddos-captcha.html


Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems

A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.

https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html


Open-source packages as a target: attacks 700 percent more frequent than three years ago

Open-source repositories are increasingly becoming a target for criminals. In the last year alone, Sonatype identified over 55,000 infected packages.

https://heise.de/-7278355


Attacking Encrypted HTTP Communications

The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers.

https://www.pentestpartners.com/security-blog/attacking-encrypted-http-communications/


Decrypt 'encrypted stub data' in Wireshark

I often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC ones. But I'm often interrupted in my enthusiasm by the payload dissected as 'encrypted stub data': Can we decrypt this 'encrypted stub data'?

https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshark-deb132c076e7


Stories from the SOC - C2 over port 22

The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses.

https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-c2-over-port-22

Vulnerabilities

VU#855201: L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers

Overview: Layer-2 (L2) network security controls provided by various devices, such as switches, routers, and operating systems, can be bypassed by stacking Ethernet protocol headers. An attacker can send crafted packets through vulnerable devices to cause a denial of service (DoS) or to perform a man-in-the-middle (MitM) attack against a target network. This vulnerability exists within Ethernet encapsulation protocols that allow for stacking of Virtual Local Area Network (VLAN) headers.

https://kb.cert.org/vuls/id/855201
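The advisory's core point is that an L2 filter which only looks at the first type/length field after the MAC addresses never sees the real payload type once an 802.1Q tag with VLAN ID 0 (or several stacked tags, or an 802.3 length plus LLC/SNAP header) is put in front of it. The following Python is an added illustration written for this summary, not code from CERT/CC or any vendor: it walks the whole header chain of a raw frame, reports the stacking patterns the advisory names, and contrasts a naive first-field filter with one that decodes the chain before deciding. All frames are constructed inline for the example; byte offsets follow IEEE 802.3, 802.2 (LLC/SNAP) and 802.1Q.

```python
"""Added example for VU#855201: decode an Ethernet frame's header chain and
flag header-stacking patterns (VLAN ID 0 tags, stacked tags, 802.3 length +
LLC/SNAP) that can hide the payload EtherType from a shallow L2 filter.
Frames here are constructed for the example, not captured traffic."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

ETH_P_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETH_P_8021AD = 0x88A8  # service VLAN tag (S-TAG)
VLAN_TPIDS = {ETH_P_8021Q, ETH_P_8021AD}
ETH_P_IPV6 = 0x86DD
MAX_8023_LENGTH = 0x05DC  # a type/length value <= 1500 is an 802.3 length, not an EtherType


@dataclass
class FrameInfo:
    vlan_ids: List[int] = field(default_factory=list)
    llc_snap: bool = False
    ethertype: Optional[int] = None   # innermost EtherType after all encapsulation
    findings: List[str] = field(default_factory=list)


def parse_frame(frame: bytes) -> FrameInfo:
    """Decode everything between the MAC addresses and the payload."""
    info = FrameInfo()
    off = 12  # skip destination and source MAC
    while True:
        if len(frame) < off + 2:
            info.findings.append("truncated header chain")
            return info
        (type_or_len,) = struct.unpack_from("!H", frame, off)
        if type_or_len not in VLAN_TPIDS:
            break
        if len(frame) < off + 4:
            info.findings.append("truncated VLAN tag")
            return info
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        info.vlan_ids.append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI
        off += 4
    if type_or_len > MAX_8023_LENGTH:
        info.ethertype = type_or_len
    # 802.3 length: LLC header (DSAP, SSAP, Control) follows; DSAP = SSAP = 0xAA
    # means a SNAP header (3-byte OUI + 2-byte protocol ID) follows the LLC header,
    # and that protocol ID is an EtherType again.
    elif len(frame) >= off + 10 and frame[off + 2] == 0xAA and frame[off + 3] == 0xAA:
        info.llc_snap = True
        (info.ethertype,) = struct.unpack_from("!H", frame, off + 8)
    if any(vid == 0 for vid in info.vlan_ids):
        info.findings.append("802.1Q tag with VLAN ID 0 (priority tag)")
    if len(info.vlan_ids) > 1:
        info.findings.append(f"{len(info.vlan_ids)} stacked VLAN tags")
    if info.llc_snap:
        info.findings.append(f"LLC/SNAP encapsulation of EtherType 0x{info.ethertype:04x}")
    return info


def build_frame(ethertype: int, vlan_ids: Sequence[int] = (), snap: bool = False,
                payload: bytes = b"\x60" + b"\x00" * 39) -> bytes:
    """Construct a frame for the example (dst/src MACs and payload are made up)."""
    hdr = bytes.fromhex("333300000001") + bytes.fromhex("020000000001")
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # TPID, TCI with PCP/DEI = 0
    if snap:
        llc_snap = bytes([0xAA, 0xAA, 0x03]) + b"\x00\x00\x00" + struct.pack("!H", ethertype)
        hdr += struct.pack("!H", len(llc_snap) + len(payload)) + llc_snap
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def naive_filter_blocks(frame: bytes, blocked: int = ETH_P_IPV6) -> bool:
    """Filter that reads only the first type/length field; this is the pattern that gets bypassed."""
    return struct.unpack_from("!H", frame, 12)[0] == blocked


def parsing_filter_blocks(frame: bytes, blocked: int = ETH_P_IPV6) -> bool:
    """Filter that decodes the whole header chain before deciding."""
    return parse_frame(frame).ethertype == blocked


if __name__ == "__main__":
    samples = {
        "plain IPv6": build_frame(ETH_P_IPV6),
        "VLAN 0 + IPv6": build_frame(ETH_P_IPV6, vlan_ids=[0]),
        "VLAN 0 x2 + IPv6": build_frame(ETH_P_IPV6, vlan_ids=[0, 0]),
        "802.3/LLC/SNAP + IPv6": build_frame(ETH_P_IPV6, snap=True),
        "VLAN 0 + LLC/SNAP + IPv6": build_frame(ETH_P_IPV6, vlan_ids=[0], snap=True),
    }
    for name, frame in samples.items():
        info = parse_frame(frame)
        print(f"{name:26s} naive_blocks={naive_filter_blocks(frame)!s:5} "
              f"parsing_blocks={parsing_filter_blocks(frame)!s:5} findings={info.findings}")
```

Run as a script, only the plain frame is caught by the naive filter, while the parsing filter blocks all five; the findings list is what a detection rule or a switch ACL audit would key on (a VLAN ID 0 tag in front of IPv6 on an access port is rarely legitimate). Which specific products are affected, and whether they fix the issue by stripping or by inspecting stacked headers, is listed in the advisory's vendor section and is not reproduced here.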


Cisco Security Advisories 2022-09-27 - 2022-09-28

Cisco published 23 Security Advisories (13 High, 10 Medium Severity)

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F09%2F27&firstPublishedEndDate=2022%2F09%2F28


Chrome 106 web browser: new features and 20 patched security holes

Google fixes 20 security vulnerabilities in the Chrome web browser, some of them high-risk. The browser also gets new features and improvements.

https://heise.de/-7277825


Security updates for Wednesday

Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15).

https://lwn.net/Articles/909676/


Octopus Deploy: vulnerability allows information disclosure

A remote, authenticated attacker can exploit a vulnerability in Octopus Deploy to disclose information.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1552


Security Bulletin: A Security Vulnerability was fixed in IBM Application Gateway.

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-was-fixed-in-ibm-application-gateway/


Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2022-35282)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-is-vulnerable-to-server-side-request-forgery-cve-2022-35282/


Security Bulletin: Information disclosure vulnerability in IBM QRadar User Behavior Analytics (CVE-2022-36771)

https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-in-ibm-qradar-user-behavior-analytics-cve-2022-36771/


Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise and IBM Integration Bus

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-app-connect-enterprise-and-ibm-integration-bus/


Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to identity spoofing by an authenticated user using a specially crafted request.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-to-identity-spoofing-by-an-authenticated-user-using-a-specially-crafted-request/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-functional-tester-9/


Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to HTTP header injection, caused by improper validation.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-to-http-header-injection-caused-by-improper-validation/


Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-cross-site-scripting-cve-2022-32750/


Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2022-21299)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-decision-optimization-center-cve-2022-21299/


Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-stored-cross-site-scripting-cve-2022-35721/


Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-stored-cross-site-scripting-cve-2022-35722-2/


Security Bulletin: IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulnerable-to-an-xml-external-entity-injection-attack-cve-2022-31775/


Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to zlib (CVE-2018-25032)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-ibm-integration-bus-are-vulnerable-to-a-denial-of-service-due-to-zlib-cve-2018-25032/


Security Bulletin: IBM TRIRIGA Application Platform discloses possible path command execution (CVE-2021-41878)

https://www.ibm.com/blogs/psirt/security-bulletinibm-tririga-application-platform-discloses-possible-path-command-executioncve-2021-41878/


Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-because-ibm-websphere-application-server-liberty-vulnerable-eclipse-paho-java-client-could-allow-a-remote-attacker-to-bypass-security-restric/


Autodesk AutoCAD: multiple vulnerabilities allow code execution

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1549


Moodle: vulnerability allows bypassing security measures

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1546


Check Point ZoneAlarm Extreme Security: vulnerability allows privilege escalation

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1544