[CERT-daily] Daily summary - 21.12.2021

Daily end-of-shift report team at cert.at
Tue Dec 21 19:07:49 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 20-12-2021 18:00 − Tuesday 21-12-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Malware: Who's afraid of Android's accessibility? ∗∗∗
---------------------------------------------
Malware on Android frequently uses the Accessibility Services to defeat security features. But apps can protect themselves.
---------------------------------------------
https://www.golem.de/news/malware-wer-hat-angst-vor-androids-barrierefreiheit-2112-161930-rss.html


∗∗∗ Xcode: Hotfix is meant to work around the Log4j vulnerability ∗∗∗
---------------------------------------------
Apple's development environment contains a vulnerable version of the Java logging library log4j. However, a fix is supposed to take effect when iOS apps are uploaded.
---------------------------------------------
https://heise.de/-6301988


∗∗∗ Have I Been Pwned: 225 million new passwords from British police agency ∗∗∗
---------------------------------------------
The password-checking service's data set keeps growing. Law enforcement agencies now have a way to feed seized data in directly.
---------------------------------------------
https://heise.de/-6301963


∗∗∗ Google removes malware-infected SMS app from Play Store ∗∗∗
---------------------------------------------
A Messages app in Google's app store that brought in the Joker malware reached more than 500,000 installations. Google has since removed the app.
---------------------------------------------
https://heise.de/-6302544


∗∗∗ Selling safely on Willhaben, Shpock & Co ∗∗∗
---------------------------------------------
Do you want to resell unused items? Platforms such as willhaben, shpock or Facebook give you numerous ways to find a buyer for old furniture, neglected sports equipment or electrical appliances. But there are a few things to keep in mind! We show you how to sell safely via classified-ad platforms.
---------------------------------------------
https://www.watchlist-internet.at/news/sicher-verkaufen-auf-willhaben-shpock-co/


∗∗∗ Backdoor CVE-2021-40859 in Auerswald telephone systems (e.g. COMpact 5500R 7.8A & 8.0B) fixed ∗∗∗
---------------------------------------------
Auerswald is a German manufacturer of telephone systems for business use. Security researchers discovered backdoors in the firmware of Auerswald telephone systems (e.g. COMpact 5500R) that could be used to reset the administrator password. This was disclosed on 20.12.2021. Here is some information about it.
---------------------------------------------
https://www.borncity.com/blog/2021/12/21/backdoor-cve-2021-40859-in-auerswaldtelefonanlagen-z-b-compact-5500r-7-8a-8-0b-gefixt/


∗∗∗ Two Active Directory Bugs Lead to Easy Windows Domain Takeover ∗∗∗
---------------------------------------------
Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12.
---------------------------------------------
https://threatpost.com/active-directory-bugs-windows-domain-takeover/177185/


∗∗∗ Day 10: where we are with log4j from honeypot’s perspective ∗∗∗
---------------------------------------------
Our team spent a great deal of effort on simulating different protocols, applications and vulnerabilities with our honeypot (Anglerfish and Apacket) system. When a big event happens, we are always curious what we see from the honeypot side. Since log4j came to light 10 days ago, we have published two related blogs,
---------------------------------------------
https://blog.netlab.360.com/apache-log4j2-vulnerability-attack-trend-from-the-perspective-of-honeypot-en/


∗∗∗ [SANS ISC] More Undetected PowerShell Dropper ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “More Undetected PowerShell Dropper”: Last week, I published a diary about a PowerShell backdoor running below the radar with a VT score of 0! This time, it’s a dropper with multiple obfuscation techniques in place.
---------------------------------------------
https://blog.rootshell.be/2021/12/21/sans-isc-more-undetected-powershell-dropper/


∗∗∗ Velociraptor & Loki ∗∗∗
---------------------------------------------
Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keeps a connection with the server [...]
---------------------------------------------
https://blog.rootshell.be/2021/12/21/velociraptor-loki/


∗∗∗ RCE in Visual Studio Code's Remote WSL for Fun and Negative Profit ∗∗∗
---------------------------------------------
The Visual Studio Code server in Windows Subsystem for Linux uses a local WebSocket connection to communicate with the Remote WSL extension. JavaScript in websites can connect to this server and execute arbitrary commands on the target system.
---------------------------------------------
https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-for-fun-and-negative-profit/


∗∗∗ Log4j vulnerability: what should boards be asking? ∗∗∗
---------------------------------------------
Advice for board members of medium to large organisations that are at risk from the Apache Log4j vulnerability.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be-asking


∗∗∗ FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability in Zoho’s ManageEngine Desktop Central product.
---------------------------------------------
https://www.securityweek.com/fbi-sees-apts-exploiting-recent-manageengine-desktop-central-vulnerability


∗∗∗ After ransomware attack, global logistics firm Hellmann warns of scam calls and mail ∗∗∗
---------------------------------------------
Hellmann said customers need to make sure they are really communicating with an employee through all calls or mail.
---------------------------------------------
https://www.zdnet.com/article/after-ransomware-attack-global-logistics-firm-hellmann-warns-of-scam-calls-and-mail/


∗∗∗ Why vulnerabilities are like buses ∗∗∗
---------------------------------------------
How organisations can address the growing trend in which multiple vulnerabilities within a single product are exploited over a short period.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/why-vulnerabilities-are-like-buses



=====================
=  Vulnerabilities  =
=====================

∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM has published 30 security bulletins.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (log4j), openSUSE (chromium, log4j, netdata, and nextcloud), Oracle (kernel and kernel-container), Red Hat (kernel, kernel-rt, log4j, openssl, postgresql:12, postgresql:13, and virt:rhel and virt-devel:rhel), Slackware (httpd), SUSE (xorg-x11-server), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/879360/


∗∗∗ mySCADA myPRO ∗∗∗
---------------------------------------------
This advisory contains mitigations for Authentication Bypass Using an Alternate Path or Channel, Use of Password Hash with Insufficient Computational Effort, Hidden Functionality, and OS Command Injection vulnerabilities in the mySCADA myPRO HMI/SCADA system.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-355-01


∗∗∗ Horner Automation Cscape EnvisionRV ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in Horner Automation Cscape EnvisionRV industrial remote viewing software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-355-02


∗∗∗ WECON LeviStudioU ∗∗∗
---------------------------------------------
This advisory contains mitigations for Stack-based Buffer Overflow, and Heap-based Buffer Overflow vulnerabilities in WECON LeviStudioU HMI programming software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-355-03


∗∗∗ Emerson DeltaV ∗∗∗
---------------------------------------------
This advisory contains mitigations for Missing Authentication for Critical Function, and Uncontrolled Search Path Element vulnerabilities in the Emerson DeltaV control system controllers and workstations.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-355-04


∗∗∗ Schneider Electric Rack PDU (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-348-02 Schneider Electric Rack PDU that was published December 14, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Schneider Electric Rack Power Distribution Unit (PDU).
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02


∗∗∗ Fresenius Kabi Agilia Connect Infusion System ∗∗∗
---------------------------------------------
This advisory contains mitigations for several vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-355-01


∗∗∗ Apache Log4j Vulnerabilities - Impact on Bosch Rexroth Products ∗∗∗
---------------------------------------------
BOSCH-SA-572602: The Apache Software Foundation has published information about a vulnerability in the Java logging framework *log4j*, which allows an attacker to execute arbitrary code loaded from LDAP or JNDI related endpoints which are under control of the attacker. [1] Additionally, a further vulnerability might allow an attacker to cause a denial of service by sending a crafted string to the framework. From Bosch Rexroth, only the IoT Gateway software has been identified as affected.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-572602.html


∗∗∗ SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-397453.txt


∗∗∗ Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache Log4j vulnerability (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-10-4-2-if16-apache-log4j-vulnerability-cve-2021-45046/


∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/


∗∗∗ CVE-2021-44228 Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2021-44228

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



