[CERT-daily] Daily summary - 01.12.2021

Daily end-of-shift report team at cert.at
Wed Dec 1 18:10:48 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 30-11-2021 18:00 − Wednesday 01-12-2021 18:00
Handler:     Wolfgang Menezes
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Microsoft Exchange servers hacked to deploy BlackByte ransomware ∗∗∗
---------------------------------------------
BlackByte ransomware actors were observed exploiting the ProxyShell set of vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to compromise Microsoft Exchange servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/


∗∗∗ Info-Stealer Using webhook.site to Exfiltrate Data, (Wed, Dec 1st) ∗∗∗
---------------------------------------------
We already reported multiple times that, when you offer an online (cloud) service, there are a lot of chances that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site.
---------------------------------------------
https://isc.sans.edu/diary/rss/28088


∗∗∗ Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors ∗∗∗
---------------------------------------------
RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread


∗∗∗ l+f: Emotet false alarm from Microsoft Defender ∗∗∗
---------------------------------------------
Microsoft's antivirus needlessly alarmed users and administrators: a faulty detection update saw Emotet infections where there were none.
---------------------------------------------
https://heise.de/-6280766


∗∗∗ Tracking a P2P network related with TA505 ∗∗∗
---------------------------------------------
For the past few months, NCC Group has been tracking very closely the operations of TA505 and the development of different projects (e.g. Clop) by them.
---------------------------------------------
https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/


∗∗∗ Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.
---------------------------------------------
http://blog.talosintelligence.com/2021/12/vuln-spotlight-chrome-.html


∗∗∗ E-mail: "Ihr Paket ist in der Warteschleife" ("Your package is on hold") is fake ∗∗∗
---------------------------------------------
Are you currently waiting for a package? Then beware of e-mails with the subject "Ihr Paket ist in der Warteschleife" ("Your package is on hold"). Criminals pose as DHL and claim that customs fees are outstanding.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-ihr-paket-ist-in-der-warteschleife-ist-fake/


∗∗∗ Play Your Cards Right: Detecting Wildcard DNS Abuse ∗∗∗
---------------------------------------------
Wildcard DNS records can be used constructively, but their flexibility also provides attackers with a variety of options for executing attacks.
---------------------------------------------
https://unit42.paloaltonetworks.com/wildcard-dns-abuse/


∗∗∗ Shodan Verified Vulns 2021-12-01 ∗∗∗
---------------------------------------------
Overall, there are hardly any changes compared to the previous month, although the number of vulnerable Microsoft Exchange servers declined fairly noticeably. Props to the administrators!
---------------------------------------------
https://cert.at/de/aktuelles/2021/12/shodan-verified-vulns-2021-12-01


∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/01/cisa-adds-five-known-exploited-vulnerabilities-catalog


∗∗∗ FBI document shows what data can be obtained from encrypted messaging apps ∗∗∗
---------------------------------------------
A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr.
---------------------------------------------
https://therecord.media/fbi-document-shows-what-data-can-be-obtained-from-encrypted-messaging-apps/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ IBM Security Bulletins 2021-11-30 ∗∗∗
---------------------------------------------
IBM QRadar SIEM, IBM Integration Bus, IBM App Connect Enterprise, IBM HTTP Server, IBM Cloud Pak for Data, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Match 360, IBM SDK (Java™ Technology Edition), IBM WebSphere Application Server
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (rsync, rsyslog, and uriparser), Fedora (containerd, freeipa, golang-github-containerd-ttrpc, libdxfrw, libldb, librecad, mingw-speex, moby-engine, samba, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and samba), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, [...])
---------------------------------------------
https://lwn.net/Articles/877284/


∗∗∗ Jamf Pro management software for Apple devices could leak credentials ∗∗∗
---------------------------------------------
https://heise.de/-6281352


∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211201-01-buffer-en


∗∗∗ XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2021/12/xss-vulnerability-patched-in-plugin-designed-to-enhance-woocommerce/


∗∗∗ Mozilla Foundation Security Advisory 2021-51: Memory corruption in NSS via DER-encoded DSA and RSA-PSS signatures ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/


∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02


∗∗∗ Johnson Controls CEM Systems AC2000 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-334-04


∗∗∗ Hitachi Energy Retail Operations and CSB Software ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-334-05

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



