End-of-Day report
Timeframe:   Wednesday 16-11-2022 18:00 - Thursday 17-11-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Thomas Pribitzer
News
Evil Maid Attacks - Remediation for the Cheap, (Wed, Nov 16th)
The so-called evil maid attack targets hardware devices, using hardware and/or software, and is carried out while the device is left unattended, e.g., in a hotel room while you are out for breakfast. The attacker manipulates the device in a malicious way.
https://isc.sans.edu/diary/rss/29256
WASP malware stings Python developers
Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages.
https://www.theregister.com/2022/11/16/wasp_python_malware_checkmarx/
Disneyland Malware Team: It's a Puny World After All
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names written in non-Latin scripts such as Cyrillic.
https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/
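The Punycode rendering described above can be checked for mechanically. The following Python script is added here as an illustration; it is not code from the Krebs article or from the Disneyland Team campaign. It decodes xn-- labels with the standard library idna codec and flags a label when it mixes scripts or when a small, hand-picked Cyrillic-to-Latin confusables table maps it onto a watchlisted brand. The watchlist, the confusables subset and the sample domains are all constructed for the example; a production check would use Unicode's full confusables data.

```python
import unicodedata

# Constructed watchlist of brand labels to protect (assumption for this example).
WATCHLIST = {"paypal", "apple", "chase"}

# Hand-picked Cyrillic letters that render like Latin ones. This is a small
# illustrative subset, not Unicode's full confusables.txt.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Constructed sample input: the registered (ASCII, Punycode) forms a resolver or
# a certificate transparency log would show. Two entries are built from Unicode
# strings with the idna codec so the xn-- labels are exact.
SAMPLE_DOMAINS = [
    "paypal.com",                                                       # plain ASCII
    "p\u0430ypal.com".encode("idna").decode("ascii"),                  # Cyrillic a inside a Latin word
    "\u0430\u0440\u0440\u04cf\u0435.com".encode("idna").decode("ascii"),  # all-Cyrillic "apple"
    "xn--mnchen-3ya.de",                                               # legitimate IDN (muenchen.de)
]


def to_unicode(domain):
    """Decode xn-- labels to the Unicode string a browser would render."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already in Unicode form, or not valid IDNA; inspect as-is


def script_of(ch):
    """Coarse script bucket taken from the first word of the Unicode name."""
    if ch.isdigit() or ch == "-":
        return "Common"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label):
    """Replace each confusable character by the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def check_domain(domain):
    """Return a list of findings for one domain; an empty list means nothing was flagged."""
    findings = []
    for label in to_unicode(domain).lower().split("."):
        scripts = {script_of(ch) for ch in label} - {"Common"}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        sk = skeleton(label)
        if sk != label and sk in WATCHLIST:
            findings.append(f"label {label!r} looks like watchlisted {sk!r}")
    return findings


def scan(domains):
    """Map each domain to its list of findings."""
    return {d: check_domain(d) for d in domains}


if __name__ == "__main__":
    for domain, findings in scan(SAMPLE_DOMAINS).items():
        status = "SUSPICIOUS" if findings else "ok"
        print(f"{status:10} {domain} -> {to_unicode(domain)}")
        for finding in findings:
            print("           ", finding)
```

Mixed-script detection alone is not enough: a label written entirely in Cyrillic, like the third sample, passes that test and is only caught by the skeleton comparison against the watchlist, which is why both checks run on every label. Legitimate single-script IDNs such as the muenchen.de example produce no finding.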
Onlinebetrug-Simulator: test your knowledge of online scams
To raise awareness of the dangers of fake shops and phishing e-mails and to train you in cyber security, the AK Niederösterreich, in cooperation with the Universität Wien, has launched the Onlinebetrug-Simulator.
https://www.watchlist-internet.at/news/onlinebetrug-simulator-testen-sie-ihr-wissen-zu-betrugsmaschen-im-internet/
Securing domain controllers against attacks
Active Directory is critical infrastructure and should be treated as such. But how does an administrator secure their domain controllers against attacks?
https://www.borncity.com/blog/2022/11/17/domain-controller-gegen-angriffe-absichern/
Get a Loda This: LodaRAT meets new friends
LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta. Cisco Talos identified several variants, and altered versions of LodaRAT with updated functionality have been seen in the wild.
https://blog.talosintelligence.com/get-a-loda-this/
Vulnerabilities
Malicious-code attacks on Bitbucket Server and Data Center possible
A security vulnerability affects several versions of Atlassian's version control software.
https://heise.de/-7343226
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (expat, xen, and xorg-x11-server), Oracle (kernel, kernel-container, qemu, xorg-x11-server, and zlib), Scientific Linux (xorg-x11-server), Slackware (firefox, krb5, samba, and thunderbird), SUSE (ant, apache2-mod_wsgi, jsoup, rubygem-nokogiri, samba, and tomcat), and Ubuntu (firefox and linux, linux-aws, linux-aws-hwe, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon).
https://lwn.net/Articles/915245/
Samba Releases Security Updates
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system.
https://us-cert.cisa.gov/ncas/current-activity/2022/11/16/samba-releases-security-updates
Security Bulletin: IBM Partner Engagement Manager is vulnerable to sensitive data exposure (CVE-2022-34354)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-partner-engagement-manager-is-vulnerable-to-sensitive-data-exposure-cve-2022-34354/
Security Bulletin: IBM Planning Analytics Workspace is affected by a vulnerability [CVE-2022-31129]
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-a-vulnerability-cve-2022-31129-2/
Security Bulletin: CVE-2022-3676 may affect IBM® SDK, Java Technology Edition
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2022-3676-may-affect-ibm-sdk-java-technology-edition/
Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Automation Workflow - CVE-2022-38390
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affect-ibm-business-automation-workflow-cve-2022-38390/
Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752]
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-is-vulnerable-to-a-command-injection-vulnerability-cve-2022-40752-3/
Security Bulletin: Tivoli Business Service Manager is vulnerable to cross-site scripting due to improper validation in Angular (CVE-2022-25869)
https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-business-service-manager-is-vulnerable-to-cross-site-scripting-due-to-improper-validation-in-angular-cve-2022-25869/
Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-stored-cross-site-scripting-cve-2022-35721-3/
Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-management-is-vulnerable-to-stored-cross-site-scripting-cve-2022-35722-3/
Security Bulletin: IBM Urbancode Deploy (UCD) is vulnerable to Insufficiently Protected LDAP Search Credentials (CVE-2022-40751)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-is-vulnerable-to-insufficiently-protected-ldap-search-credentials-cve-2022-40751/
Security Bulletin: Apache Tomcat could allow a remote attacker to obtain sensitive information (CVE-2021-43980)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-could-allow-a-remote-attacker-to-obtain-sensitive-information-cve-2021-43980/
Technical Advisory - NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
https://research.nccgroup.com/2022/11/17/cve-2022-45163/
Red Lion Crimson
https://us-cert.cisa.gov/ics/advisories/icsa-22-321-01
Cradlepoint IBR600
https://us-cert.cisa.gov/ics/advisories/icsa-22-321-02