[CERT-daily] Daily summary - 11.11.2021

Daily end-of-shift report team at cert.at
Thu Nov 11 18:08:51 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 10-11-2021 18:00 − Thursday 11-11-2021 18:00
Handler:     Dimitri Robl
Co-Handler:  Wolfgang Menezes

=====================
=       News        =
=====================

∗∗∗ Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more! ∗∗∗
---------------------------------------------
The crooks have shown that they're willing to learn and adapt their attacks, so we need to make sure we learn and adapt, too.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/


∗∗∗ Understanding .htaccess Malware ∗∗∗
---------------------------------------------
The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with blackhat SEO tactics, hide backdoors, inject content, or modify php.ini values: the possibilities are endless. Many site owners are unaware of this file, because its name starts with a “.”, which makes it a hidden file. .htaccess malware can be hard to pinpoint and clean on a server [...]
---------------------------------------------
https://blog.sucuri.net/2021/11/understanding-htaccess-malware.html


∗∗∗ A Detailed Analysis of Lazarus’ RAT Called FALLCHILL ∗∗∗
---------------------------------------------
FALLCHILL is a RAT that has been used by Lazarus Group since 2016. It implements a custom algorithm that is used to decode multiple DLL names and export functions, which will be imported at runtime.
---------------------------------------------
https://lifars.com/knowledge-center/a-detailed-analysis-of-lazarus-rat-called-fallchill/


∗∗∗ The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. ∗∗∗
---------------------------------------------
Authored by Kiran Raj. Due to their widespread use, Office documents are commonly used by malicious actors as a way...
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/


∗∗∗ ClusterFuzzLite: Continuous fuzzing for all ∗∗∗
---------------------------------------------
Posted by Jonathan Metzman, Google Open Source Security Team. In recent years, continuous fuzzing has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. NIST’s guidelines for software verification, recently released in response to the White House Executive Order on [...]
---------------------------------------------
http://security.googleblog.com/2021/11/clusterfuzzlite-continuous-fuzzing-for.html


∗∗∗ Retailers beware: fraudsters place fake orders in the name of ATOS ∗∗∗
---------------------------------------------
Criminals are currently posing as the company ATOS and expressing interest in a large order by e-mail. For the affected retailers this may sound like quick and easy business, but in fact the legitimate company ATOS has nothing to do with this order. Instead, you would be shipping your products to criminals, and you would not receive any payment for them.
---------------------------------------------
https://www.watchlist-internet.at/news/haendlerinnen-aufgepasst-betruegerinnen-geben-fake-bestellungen-im-namen-von-atos-auf/


∗∗∗ Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications ∗∗∗
---------------------------------------------
[...] In simple terms, capability abstraction provides a way to describe how a given attack technique interacts with the internal components of a targeted system. The abstraction map that this process produces helps us to understand the common denominator between distinct implementations of the same technique.
---------------------------------------------
https://posts.specterops.io/capability-abstraction-case-study-detecting-malicious-boot-configuration-modifications-1852e2098a65


∗∗∗ A Peek into Top-Level Domains and Cybercrime ∗∗∗
---------------------------------------------
We analyze which top-level domains (TLDs) have the highest rate of malicious domains and why, and suggest strategies for blocking malicious domains.
---------------------------------------------
https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/


∗∗∗ BazarBackdoor now abuses Windows 10 apps feature in call me back attack ∗∗∗
---------------------------------------------
AppInstaller.exe has been twisted in a new form of phishing attack.
---------------------------------------------
https://www.zdnet.com/article/bazarloader-now-abuses-windows-10-apps-feature-in-call-me-back-attack/


∗∗∗ October 2021’s Most Wanted Malware: Trickbot Takes Top Spot for Fifth Time ∗∗∗
---------------------------------------------
Check Point Research reveals that Trickbot is the most prevalent malware and a new vulnerability in Apache is one of the most exploited vulnerabilities worldwide.
---------------------------------------------
https://blog.checkpoint.com/2021/11/11/october-2021s-most-wanted-malware-trickbot-takes-top-spot-for-fifth-time/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-21-1303: NETGEAR R6400v2 UPnP uuid Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-21-1303/


∗∗∗ WordPress plug-in WP Reset Pro fixes critical security vulnerability ∗∗∗
---------------------------------------------
WP Reset Pro contained a security vulnerability through which logged-in users could delete entire WordPress sites even without the corresponding permissions.
---------------------------------------------
https://heise.de/-6264564


∗∗∗ Security update: Critical root vulnerability threatens Palo Alto firewalls ∗∗∗
---------------------------------------------
If certain settings are enabled and certain prerequisites are met, attackers could attack Palo Alto firewalls.
---------------------------------------------
https://heise.de/-6264656


∗∗∗ Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin ∗∗∗
---------------------------------------------
On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates” [...]
---------------------------------------------
https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vulnerability-in-starter-templates-plugin/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py).
---------------------------------------------
https://lwn.net/Articles/875813/


∗∗∗ iCloud for Windows 13 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT212953


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sterling-connectdirect-browser-user-interface-3/


∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by Cross-Site Scripting (CVE-2020-4140) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotector-system-is-affected-by-cross-site-scripting-cve-2020-4140/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-connectdirect-web-services-3/


∗∗∗ Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Oracle MySQL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-oracle-mysql-4/


∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by vulnerability CVE-2020-4146 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotector-system-is-affected-by-vulnerability-cve-2020-4146/


∗∗∗ VMSA-2021-0026 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0026.html


∗∗∗ NGINX Ingress Controller vulnerability CVE-2021-23055 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01051452?utm_source=f5support&utm_medium=RSS


∗∗∗ Micropatching Incompletely Patched Local Privilege Escalation in User Profile Service (CVE-2021-34484) ∗∗∗
---------------------------------------------
https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html


∗∗∗ Stack Buffer Overflow Vulnerability in Multimedia Console ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-45


∗∗∗ Reflected XSS Vulnerability in QmailAgent ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-47


∗∗∗ TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders ∗∗∗
---------------------------------------------
https://www.circl.lu/pub/tr-64

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily