[CERT-daily] Tageszusammenfassung - 10.12.2021

Fri Dec 10 19:43:02 CET 2021

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 09-12-2021 18:00 − Freitag 10-12-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Kritische Zero-Day-Lücke in Log4j gefährdet zahlreiche Server und Apps ∗∗∗
---------------------------------------------
Eine Zero-Day-Schwachstelle in Apaches Log4j ermöglicht Angreifern, etwa auf Servern von Cloud-Diensten oder in Anwendungen Schadcode einzuschmuggeln.
---------------------------------------------
https://heise.de/-6291653


∗∗∗ Dark Mirai botnet targeting RCE on popular TP-Link router ∗∗∗
---------------------------------------------
The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dark-mirai-botnet-targeting-rce-on-popular-tp-link-router/


∗∗∗ Python Shellcode Injection From JSON Data, (Fri, Dec 10th) ∗∗∗
---------------------------------------------
My hunting rules detected a niece piece of Python code. It's interesting to see how the code is simple, not deeply obfuscated, and with a very low VT score: 2/56![1]. I see more and more malicious Python code targeting the Windows environments. Thanks to the library ctypes[2], Python is able to use any native API calls provided by DLLs.
---------------------------------------------
https://isc.sans.edu/diary/rss/28118


∗∗∗ Click "OK" to defeat MFA ∗∗∗
---------------------------------------------
A sophisticated threat actor has been using a very unsophisticated method to defeat multi-factor authentication.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/12/click-ok-to-defeat-mfa/


∗∗∗ 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs ∗∗∗
---------------------------------------------
Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/


∗∗∗ Winterurlaub geplant? Buchen Sie nicht über dein-berghuettenurlaub.de! ∗∗∗
---------------------------------------------
Bald ist der Lockdown in Österreich vorbei. Dementsprechend freuen sich wohl schon einige auf eine Auszeit über Weihnachten oder Silvester. Was wäre aufgrund der aktuellen Corona-Lage besser geeignet als eine einsame Hütte? Doch Vorsicht, wer online eine solche Hütte buchen will, könnte auf betrügerische Seiten stoßen!
---------------------------------------------
https://www.watchlist-internet.at/news/winterurlaub-geplant-buchen-sie-nicht-ueber-dein-berghuettenurlaubde/


∗∗∗ This old malware has just picked up some nasty new tricks ∗∗∗
---------------------------------------------
The crafty Qakbot trojan has added ransomware delivery to its malware building blocks.
---------------------------------------------
https://www.zdnet.com/article/this-decade-old-malware-has-picked-up-some-nasty-new-tricks/


∗∗∗ Microsoft launches center for reporting malicious drivers ∗∗∗
---------------------------------------------
Microsoft has launched this week a special web portal where users and researchers can report malicious drivers to the companys security team.
---------------------------------------------
https://therecord.media/microsoft-launches-center-for-reporting-malicious-drivers/


∗∗∗ Twitter-Thread zur log4j-Schwachstelle ∗∗∗
---------------------------------------------
https://twitter.com/TimPhSchaefers/status/1469271197993115655


=====================
=  Vulnerabilities  =
=====================

∗∗∗ RCE in log4j, Log4Shell, or how things can get bad quickly, (Fri, Dec 10th) ∗∗∗
---------------------------------------------
If you have been following developments on Twitter and various other security sources, by now you have undoubtedly heard about the latest vulnerability in the very popular Apache log4j library.
---------------------------------------------
https://isc.sans.edu/diary/rss/28120


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-babel), Fedora (golang-github-opencontainers-image-spec and libmysofa), openSUSE (hiredis), Oracle (firefox and thunderbird), Red Hat (thunderbird and virt:8.2 and virt-devel:8.2), Scientific Linux (thunderbird), SUSE (kernel-rt and xen), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/878279/


∗∗∗ WD Updates SanDisk SecureAccess to Prevent Dictionary, Brute Force Attacks ∗∗∗
---------------------------------------------
Western Digital has updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks.
---------------------------------------------
https://www.securityweek.com/wd-updates-sandisk-secureaccess-prevent-dictionary-brute-force-attacks


∗∗∗ Cisco Releases Security Advisory for Multiple Products Affected by Apache HTTP Server Vulnerabilities ∗∗∗
---------------------------------------------
Cisco has released a security advisory to address Cisco products affected by multiple vulnerabilities in Apache HTTP Server 2.4.48 and earlier releases. An unauthenticated remote attacker could exploit this vulnerability to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisco-releases-security-advisory-multiple-products-affected-apache


∗∗∗ Schwachstellen in Oracle-Datenbankservern (SYSS-2021-061/-062) ∗∗∗
---------------------------------------------
In Oracle-Datenbankservern wurden Schwachstellen identifiziert. Sie erlauben es Angreifern, Zugang zur Datenbank von legitimen Benutzern zu erhalten.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-061/syss-2021-062


∗∗∗ TR-65 - Vulnerabilities and Exploitation of Log4j (Remote code injection in Log4j) ∗∗∗
---------------------------------------------
CVE-2021-44228 vulnerability enables remote code injection on systems running Log4j. The attacker has to trigger a log entry generation containing a JNDI request. The vulnerability can be exploited without authentication. The exploit needs to be processed by Log4j. Impacted Log4j versions are: 2.0 to 2.14.1.
---------------------------------------------
https://www.circl.lu/pub/tr-65


∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1266


∗∗∗ Security Bulletin: IBM® Db2® could allow a local user elevated privileges due to allowing modification of columns of existing tasks (CVE-2021-38926) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-local-user-elevated-privileges-due-to-allowing-modification-of-columns-of-existing-tasks-cve-2021-38926-2/


∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-v11-is-affected-by-vulnerabilities-in-node-js-cve-2021-23358-3/


∗∗∗ Security Bulletin: Vulnerabilities in Node.js, IBM WebSphere Application Server Liberty, and OpenSSL affect IBM Spectrum Control ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-ibm-websphere-application-server-liberty-and-openssl-affect-ibm-spectrum-control/


∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Dec. 2021 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-dec-2021-v1/


∗∗∗ Security Bulletin: IBM® Db2® may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-may-be-vulnerable-to-an-information-disclosure-when-using-the-load-utility-as-under-certain-circumstances-the-load-utility-does-not-enforce-directory-restricti-2/


∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as it uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. (CVE-2021-39002) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-as-it-uses-weaker-than-expected-cryptographic-algorithms-that-could-allow-an-attacker-to-decrypt-highly-sensitive-in-2/


∗∗∗ Security Bulletin: The PowerVM hypervisor is vulnerable to a carefully crafted IBMi hypervisor call that can lead to a system crash ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-is-vulnerable-to-a-carefully-crafted-ibmi-hypervisor-call-that-can-lead-to-a-system-crash/


∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an Information Disclosure as a user with DBADM authority is able to access other databases and read or modify files (CVE-2021-29678) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-an-information-disclosure-as-a-user-with-dbadm-authority-is-able-to-access-other-databases-and-read-or-modify-files-cve-2021-29678-2/


∗∗∗ Security Bulletin: The PowerVM hypervisor can allow an attacker that gains service access to the FSP to read and write system memory ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-can-allow-an-attacker-that-gains-service-access-to-the-fsp-to-read-and-write-system-memory/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily