[CERT-daily] Tageszusammenfassung - 20.12.2021
Daily end-of-shift report
team at cert.at
Mon Dec 20 18:53:11 CET 2021
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 17-12-2021 18:00 − Montag 20-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
*** News zu Log4j ***
---------------------------------------------
Upgraded to log4j 2.16? Surprise, theres a 2.17 fixing DoS: https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/
Log4j vulnerability now used to install Dridex banking malware: https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
Log4Shell: Mehrheit der Java-Pakete hat noch kein Log4J-Update: https://www.golem.de/news/log4shell-mehrheit-der-java-pakete-hat-noch-kein-log4j-update-2112-161911-rss.html
Answering Log4Shell-related questions: https://securelist.com/answering-log4shell-related-questions/105402/
Third Log4J Bug Can Trigger DoS; Apache Issues Patch: https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/
TellYouThePass ransomware revived in Linux, Windows Log4j attacks: https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-revived-in-linux-windows-log4j-attacks/
New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability: https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html
Second Log4j Vulnerability (CVE-2021-45046) Discovered - New Patch Released: https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html
Google: OSS-Fuzz soll Log4j-Fehler in Open-Source-Software finden: https://heise.de/-6298560
Erster Wurm "kriecht" durch Log4j-Sicherheitslücke: https://heise.de/-6299080
Was Geschäftsführer jetzt über Log4Shell wissen sollten: https://www.welivesecurity.com/deutsch/2021/12/17/was-geschaeftsfuehrer-ueber-log4shell-jetzt-wissen-sollten/
Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability: https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to-solve-denial-of-service-vulnerability/
Log4j-Infos, belgisches Verteidigungsministerium betroffen?: https://www.borncity.com/blog/2021/12/20/log4j-infos-belgisches-verteidigungsministerium-betroffen/
---------------------------------------------
https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-apache-log4j-bibliothek
∗∗∗ Western Digital warns customers to update their My Cloud devices ∗∗∗
---------------------------------------------
Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/western-digital-warns-customers-to-update-their-my-cloud-devices/
∗∗∗ Office 2021: VBA Project Version, (Sun, Dec 19th) ∗∗∗
---------------------------------------------
2 years ago, in diary entry "VBA Office Document: Which Version?", I listed all internal VBA project version numbers for the Office versions I had access to.
---------------------------------------------
https://isc.sans.edu/diary/rss/28150
∗∗∗ Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store ∗∗∗
---------------------------------------------
A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge.
---------------------------------------------
https://thehackernews.com/2021/12/over-500000-android-users-downloaded.html
∗∗∗ Inside a PBX - Discovering a Firmware Backdoor ∗∗∗
---------------------------------------------
This blog post illustrates how RedTeam Pentesting discovered a real-world backdoor in a widely used Auerswald phone system (see also the advisory and CVE-2021-40859).
---------------------------------------------
https://blog.redteam-pentesting.de/2021/inside-a-pbx/
∗∗∗ Weniger Datenklau am Geldautomaten: "Skimming nicht mehr interessant" ∗∗∗
---------------------------------------------
Kriminelle können mit per Skimming erbeuteten Daten von Bankkunden immer weniger anfangen. Weitaus größere Schäden richten inzwischen andere Methoden an.
---------------------------------------------
https://heise.de/-6298777
∗∗∗ Erpressergruppe Conti nutzt Sicherheitslücke "Log4Shell" für ihre Ransomware ∗∗∗
---------------------------------------------
Der Erpressungstrojaner der bekannten Conti-Gang wird bereits auf die Lücke "Log4Shell" losgelassen. Damit wächst das Bedrohungspotenzial deutlich.
---------------------------------------------
https://heise.de/-6298874
∗∗∗ Sicherheitsrisiko: Support für einige NAS-Systeme von Western Digital läuft aus ∗∗∗
---------------------------------------------
Mehrere NAS-Modelle der My-Cloud-Serie bekommen bald keine Sicherheitsupdates mehr. Diese Geräte sollten nicht mehr am Internet hängen.
---------------------------------------------
https://heise.de/-6299386
∗∗∗ Analyse, wie TeamTNT Docker-Hub-Konten kompromittiert ∗∗∗
---------------------------------------------
Und schon sind wir beim 19. Türchen im Security-Adventskalender meines Blogs und ich schiebe mal ein weiteres Sicherheitsthema hinter dieses Türchen. Der Sicherheitsanbieter Trend Micro hat einen Bericht veröffentlicht, der beleuchtet, wie der Bedrohungsakteur TeamTNT vorgeht, um Konten von Docker-Hubs [...]
---------------------------------------------
https://www.borncity.com/blog/2021/12/19/analyse-wie-teamtnt-docker-hub-konten-kompromittiert/
∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.5 ∗∗∗
---------------------------------------------
A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.5 & 4.4.
---------------------------------------------
https://blog.zsec.uk/cobalt-strike-profiles/
∗∗∗ Kernel Karnage – Part 7 (Out of the Lab and Back to Reality) ∗∗∗
---------------------------------------------
This week I emerge from the lab and put on a different hat. 1. Switching hats With Interceptor being successful in blinding $vendor2 sufficiently to run a meterpreter reverse shell, it is time to put on the red team hat and get out of the perfect lab environment.
---------------------------------------------
https://blog.nviso.eu/2021/12/20/kernel-karnage-part-7-out-of-the-lab-and-back-to-reality/
∗∗∗ Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password ∗∗∗
---------------------------------------------
After analyzing the infected systems of the company that suffered damage from the recent Lockis ransomware infection, the ASEC analysis team discovered that the attacker executed the ransomware after RDP accessing the infected systems with local Administrator accounts. An investigation of local Administrator information of the infected systems showed that their passwords have not been changed for 1-2 years and that they were all set with the same password.
---------------------------------------------
https://asec.ahnlab.com/en/29871/
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2021-0029 ∗∗∗
---------------------------------------------
VMware Workspace ONE UEM console patches address SSRF vulnerability (CVE-2021-22054)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0029.html
∗∗∗ VMSA-2021-0030 ∗∗∗
---------------------------------------------
VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0030.html
∗∗∗ XSA-392 ∗∗∗
---------------------------------------------
Guest can force Linux netback driver to hog large amounts of kernel memory
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-392.html
∗∗∗ XSA-391 ∗∗∗
---------------------------------------------
Rogue backends can cause DoS of guests via high frequency events
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-391.html
∗∗∗ XSA-376 ∗∗∗
---------------------------------------------
frontends vulnerable to backends
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-376.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j2, firefox-esr, libssh2, modsecurity-apache, and tang), Fedora (lapack, log4j, rust-libsqlite3-sys, rust-rusqlite, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (bind, botan2, chromium-browser-stable, dovecot, hiredis, keepalived, log4j, matio, mediawiki, olm, openssh, pjproject, privoxy, vim, and watchdog), openSUSE (barrier, nim, and python-pip), Oracle (ipa and samba), Scientific Linux (ipa and samba), SUSE (log4j), and Ubuntu [...]
---------------------------------------------
https://lwn.net/Articles/879228/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2021-0007.html
∗∗∗ Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector [...]
---------------------------------------------
http://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-detector.html
*** Log4j Security Advisories ***
---------------------------------------------
Security Advisory - Apache Log4j2 CVE 2021-44228 (Log4Shell): https://www.beyondtrust.com/blog/entry/security-advisory-apache-log4j2-cve-2021-44228-log4shell
Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Log4j Vulnerability CVE-2021-45105: What You Need to Know: https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-2021-45105/
An update on the Apache Log4j CVE-2021-44228 vulnerability: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
Citrix Security Advisory for Apache CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105: https://support.citrix.com/article/CTX335705
Log4j Zero-Day Vulnerability: https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90bc949
CVE-2021-45105: Denial of Service via Uncontrolled Recursion in Log4j StrSubstitutor: https://www.thezdi.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via-uncontrolled-recursion-in-log4j-strsubstitutor
CVE-2021-44228 Impact of Log4j Vulnerability CVE-2021-44228 and CVE-2021-45046 (Severity: CRITICAL): https://security.paloaltonetworks.com/CVE-2021-44228
SSA-661247 V1.5 (Last Update: 2021-12-19): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt
SSA-501673 V1.0: Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-501673.txt
Apache Log4j Vulnerability: http://security.googleblog.com/2021/12/apache-log4j-vulnerability.html
Log4j Update Patches New Vulnerability That Allows DoS Attacks: https://www.securityweek.com/log4j-update-patches-new-vulnerability-allows-dos-attacks
---------------------------------------------
https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-apache-log4j-bibliothek
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1296
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list