[CERT-daily] Daily summary - 09.12.2021

Daily end-of-shift report team at cert.at
Thu Dec 9 18:22:34 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 07-12-2021 18:00 − Thursday 09-12-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Malicious NPM packages are part of a malware “barrage” hitting repositories ∗∗∗
---------------------------------------------
People's trust in repositories makes them the perfect vectors for malware.
---------------------------------------------
https://arstechnica.com/?p=1818997


∗∗∗ New Cerber ransomware targets Confluence and GitLab servers ∗∗∗
---------------------------------------------
Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-targets-confluence-and-gitlab-servers/


∗∗∗ Grafana fixes zero-day vulnerability after exploits spread over Twitter ∗∗∗
---------------------------------------------
Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/grafana-fixes-zero-day-vulnerability-after-exploits-spread-over-twitter/


∗∗∗ Emotet now drops Cobalt Strike, fast forwards ransomware attacks ∗∗∗
---------------------------------------------
In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/


∗∗∗ The life cycle of phishing pages ∗∗∗
---------------------------------------------
We've analyzed the life cycle of phishing pages, how they transform during their active period, and the domains where they're located.
---------------------------------------------
https://securelist.com/phishing-page-life-cycle/105171/


∗∗∗ Moobot Botnet Chews Up Hikvision Surveillance Systems ∗∗∗
---------------------------------------------
Attackers are milking unpatched Hikvision video systems to drop a DDoS botnet, researchers warned.
---------------------------------------------
https://threatpost.com/moobot-botnet-hikvision-surveillance-systems/176879/


∗∗∗ PHP Re-Infectors – The Malware that Keeps On Giving ∗∗∗
---------------------------------------------
Attackers have developed some methods for protecting their work as we will explore in this post. We will also look at how you can remove this infection from a compromised website.
---------------------------------------------
https://blog.sucuri.net/2021/12/php-re-infectors-the-malware-that-keeps-on-giving.html


∗∗∗ Over 300,000 MikroTik Devices Found Vulnerable to Remote Hacking Bugs ∗∗∗
---------------------------------------------
At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices.
---------------------------------------------
https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html


∗∗∗ Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks ∗∗∗
---------------------------------------------
Vulnerabilities in Microsoft and others’ popular OAuth2.0 implementations lead to redirection attacks that bypass most phishing detection solutions and email security solutions.
---------------------------------------------
https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection


∗∗∗ Virtualized USB as a security vulnerability ∗∗∗
---------------------------------------------
USB + cloud = danger. Flaws in USB-over-Ethernet drivers for cloud services allow attackers to execute arbitrary code in kernel mode, both locally and on the server side.
---------------------------------------------
https://heise.de/-6289521


∗∗∗ Is your web browser vulnerable to data theft? XS-Leak explained ∗∗∗
---------------------------------------------
IT security researchers recently exposed new cross-site leak (XS-Leak) attacks against modern-day browsers. But what is XS-Leak anyway?
---------------------------------------------
https://blog.malwarebytes.com/explained/2021/12/is-your-web-browser-vulnerable-to-data-theft-xs-leak-explained/


∗∗∗ Was threat actor KAX17 de-anonymizing the Tor network? ∗∗∗
---------------------------------------------
A threat actor was found to be running a high percentage of the Tor network's servers.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network/


∗∗∗ Detecting Patient Zero Web Threats in Real Time With Advanced URL Filtering ∗∗∗
---------------------------------------------
Patient zero web threats are malicious URLs that are being seen for the first time. We discuss how to stop them despite attacker cloaking techniques.
---------------------------------------------
https://unit42.paloaltonetworks.com/patient-zero-web-threats/


∗∗∗ CISA Releases Guidance on Protecting Organization-Run Social Media Accounts ∗∗∗
---------------------------------------------
CISA has released Capability Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisa-releases-guidance-protecting-organization-run-social-media


∗∗∗ Two Birds with One Stone: An Introduction to V8 and JIT Exploitation ∗∗∗
---------------------------------------------
In this special blog series, ZDI Vulnerability Researcher Hossein Lotfi looks at the exploitation of V8 – Google’s open-source high-performance JavaScript and WebAssembly engine – through the lens of a bug used during Pwn2Own Vancouver 2021.
---------------------------------------------
https://www.thezdi.com/blog/2021/12/6/two-birds-with-one-stone-an-introduction-to-v8-and-jit-exploitation


∗∗∗ Kernel Karnage – Part 6 (Last Call) ∗∗∗
---------------------------------------------
Having covered process, thread and image callbacks in the previous blogposts, I think it’s only fair if we conclude this topic with registry and object callbacks.
---------------------------------------------
https://blog.nviso.eu/2021/12/09/kernel-karnage-part-6-last-call/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ SanDisk SecureAccess bug allows brute forcing vault passwords ∗∗∗
---------------------------------------------
Western Digital has fixed a security vulnerability that enabled attackers to brute force SanDisk SecureAccess passwords and access the user's protected files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sandisk-secureaccess-bug-allows-brute-forcing-vault-passwords/


∗∗∗ IBM Security Bulletins 2021-12-07 and 2021-12-08 ∗∗∗
---------------------------------------------
DB2, WebSphere Application Server, Tivoli Business Service Manager, PowerHA, Guardium Data Encryption, Watson Speech Services, Process Designer, Business Automation Workflow
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Patch now! Root vulnerability in Sonicwall's SMA 100 remote access solution ∗∗∗
---------------------------------------------
Security updates close, among other things, critical vulnerabilities in Secure Mobile Access appliances.
---------------------------------------------
https://heise.de/-6290012


∗∗∗ FortiOS and FortiProxy updates close security vulnerabilities, check recommended ∗∗∗
---------------------------------------------
Fortinet came across a compromised system and recommends that administrators check for signs of intrusion. Updates are also available.
---------------------------------------------
https://heise.de/-6290546


∗∗∗ LibreOffice brings update forward because of critical vulnerability ∗∗∗
---------------------------------------------
A security vulnerability in the NSS library also affects LibreOffice and allows malicious code to be planted. Updates to secure it are available.
---------------------------------------------
https://heise.de/-6290069


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nss), Fedora (rubygem-rmagick), openSUSE (xen), Red Hat (firefox and nss), SUSE (kernel and xen), and Ubuntu (mailman and nss).
---------------------------------------------
https://lwn.net/Articles/878038/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox, libopenmpt, matrix-synapse, vim, and xen), Mageia (gmp, heimdal, libsndfile, nginx/vsftpd, openjdk, sharpziplib/mono-tools, and vim), Red Hat (java-1.8.0-ibm), Scientific Linux (firefox), SUSE (kernel-rt), and Ubuntu (bluez).
---------------------------------------------
https://lwn.net/Articles/878142/


∗∗∗ Bentley BE-2021-0005: Out-of-bounds and use-after-free vulnerabilities in Bentley MicroStation and Bentley View ∗∗∗
---------------------------------------------
https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005


∗∗∗ Helmholz: Remote user enumeration in myREX24/myREX24-virtual ∗∗∗
---------------------------------------------
http://cert.vde.com/de/advisories/VDE-2021-058/


∗∗∗ Helmholz: Privilege Escalation in shDialup ∗∗∗
---------------------------------------------
http://cert.vde.com/de/advisories/VDE-2021-057/


∗∗∗ Hitachi Energy RTU500 OpenLDAP ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-341-01


∗∗∗ Hitachi Energy XMC20 and FOX61x ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-341-02


∗∗∗ FANUC Robot Controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-243-02


∗∗∗ Hillrom Welch Allyn Cardio Products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-343-01


∗∗∗ Hitachi Energy GMS600, PWC600, and Relion ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-343-01


∗∗∗ WECON LeviStudioU ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-343-02


∗∗∗ Multiple Vulnerabilities in Bosch BT software products ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html


∗∗∗ Stack Buffer Overflow Vulnerability in Surveillance Station ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-46


∗∗∗ Reflected XSS Vulnerability in Kazoo Server ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-54


∗∗∗ Improper Authentication Vulnerability in Qfile ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-55

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



