[CERT-daily] Tageszusammenfassung - 13.04.2022

Daily end-of-shift report team at cert.at
Wed Apr 13 18:20:24 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 12-04-2022 18:00 − Mittwoch 13-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Emotet modules and recent attacks ∗∗∗
---------------------------------------------
Emotet was disrupted in January 2021 and returned in November. This report provides technical description of its active modules and statistics on the malwares recent attacks.
---------------------------------------------
https://securelist.com/emotet-modules-and-recent-attacks/106290/


∗∗∗ Fodcha, a new DDos botnet ∗∗∗
---------------------------------------------
Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and alsomore than 100 DDoS victims being targeted on a daily basis.
---------------------------------------------
https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/


∗∗∗ TallGrass - A Python script that enumerates supported antiviruses and their exclusions on Windows hosts within a domain ∗∗∗
---------------------------------------------
Some antiviruses, like Windows Defender, expose their exclusions through the registry. Because of this, it is possible, and somewhat trivial, to enumerate them for potential means of AV evasion. TallGrass queries the domain controller for all domain-joined Windows hosts, then enumerates the AV exclusions for each host.
---------------------------------------------
https://github.com/chdav/TallGrass


∗∗∗ PCI DSS 4.0 veröffentlicht: Mehr Sicherheit für Kreditkartendaten ∗∗∗
---------------------------------------------
Die neue Version 4.0 von PCI DSS erweitert den De-facto-Standard der Security für Zahlungssysteme. Vor allem sollen die Ziele flexibler umzusetzen sein.
---------------------------------------------
https://heise.de/-6671323


∗∗∗ Achtung vor unseriösen Urlaubsangeboten wie reisebuero-fuchs.com! ∗∗∗
---------------------------------------------
Die Urlaubsplanungen für Frühling und Sommer sind längst voll in Gang. Das nützen auch Kriminelle und veröffentlichen betrügerische Plattformen zur Urlaubsbuchung. Dort finden Sie tolle Unterkünfte zu top Konditionen. Der Haken: Sie sollen vorab Anzahlungen leisten, die Inhaber:innen der Unterkünfte erfahren aber nichts von Ihren Buchungen und das Geld landet in der Tasche Krimineller! Fazit: Nichts bezahlen!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-unserioesen-urlaubsangeboten-wie-reisebuero-fuchscom/


∗∗∗ Coercing NTLM Authentication from SCCM ∗∗∗
---------------------------------------------
tl;dr: Disable NTLM for Client Push Installation
[...]
Client push installation accounts require local admin privileges to install software on systems in an SCCM site, so it is often possible to relay the credentials and execute actions in the context of a local admin on other SCCM clients in the site.
---------------------------------------------
https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a


∗∗∗ CVE-2022-26809: All your RPC are belong to us ∗∗∗
---------------------------------------------
Im April 2022 Patchday von Microsoft findet man wieder Updates [...] Spannender ist das Pärchen CVE-2022-26809/CVE-2022-24491 mit RCE: hier kommt zwar der Patch vor der ersten bekannten Ausnutzung der Schwachstelle, dafür sollten bei CVSS 9.8 die Alarmglocken laut läuten. Beim ersten geht es um das generische RPC Service, beim zweiten um den NFS Server. Während NFS nicht überall im Einsatz sein wird, ist Windows RPC auf Port 445 sehr weit verbreitet und innerhalb von Firmennetzen auch zwangsläufig sehr selten durch Firewalls geschützt.
---------------------------------------------
https://cert.at/de/aktuelles/2022/4/2022-04-windows-patchday


∗∗∗ [Caution] Virus/XLS Xanpei Infecting Normal Excel Files ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered the constant distribution of malware strains that spread the infection when Excel file is opened. Besides infecting normal Excel files, they can also perform additional malicious behaviors such as acting as a downloader and performing DNS Spoofing, therefore, users need to take great caution. 
---------------------------------------------
https://asec.ahnlab.com/en/33630/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical flaw in Elementor WordPress plugin may affect 500k sites ∗∗∗
---------------------------------------------
The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. [..] The latest version includes a commit that implements an additional check on the nonce access, using the "current_user_can" WordPress function. While this should address the security gap, the researchers haven't validated the fix yet, and the Elementor team hasn't published any details about the patch.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-flaw-in-elementor-wordpress-plugin-may-affect-500k-sites/


∗∗∗ Sicherheit: Git gibt Sicherheitslücken bekannt und veröffentlicht Patch ∗∗∗
---------------------------------------------
Git hat zwei Sicherheitslücken bekannt gegeben und gleich auch einen Patch bereitgestellt, der diese stopft: Update dringend empfohlen.
---------------------------------------------
https://www.golem.de/news/sicherheit-git-gibt-sicherheitsluecken-bekannt-und-veroeffentlicht-patch-2204-164609-rss.html


∗∗∗ Patchday: SAP dichtet 30 Sicherheitslücken ab ∗∗∗
---------------------------------------------
SAP hat zu Lücken in diversen Produkten 21 neue Meldungen veröffentlicht und neun ältere aktualisiert. Administratoren sollten die Updates bald installieren.
---------------------------------------------
https://heise.de/-6670382


∗∗∗ Sicherheitspatch für Apache Struts unvollständig – neues Updates soll es richten ∗∗∗
---------------------------------------------
Aufgrund der Gefahr von möglichen Schadcode-Attacken sollten Admins ihre Apache-Struts-Systeme auf den aktuellen Stand bringen.
---------------------------------------------
https://heise.de/-6670584


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion).
---------------------------------------------
https://lwn.net/Articles/891182/


∗∗∗ Apache Subversion: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Apache Subversion ausnutzen, um Informationen offenzulegen oder einen Denial of Service zu verursachen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0436


∗∗∗ Citrix Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Original release date: April 12, 2022Citrix has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the following Citrix security bulletins and apply the necessary updates.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/04/12/citrix-releases-security-updates-multiple-products


∗∗∗ Motorola Android App Vulnerabilities ∗∗∗
---------------------------------------------
Some Motorola Android applications do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker. [..] Update to latest version of the applications in the Product Impact section below. 
App Name: 'Ready For', 'Device Help'
---------------------------------------------
http://support.lenovo.com/product_security/PS500482-MOTOROLA-ANDROID-APP-VULNERABILITIES


∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗
---------------------------------------------
The following vulnerabilities were reported in ThinkPad BIOS.
CVE IDs: CVE-2022-1107, CVE-2022-1108
Update system firmware to the version (or newer) indicated for your model [..]
---------------------------------------------
http://support.lenovo.com/product_security/PS500480-THINKPAD-BIOS-VULNERABILITIES


∗∗∗ Lenovo System Update Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window.
---------------------------------------------
http://support.lenovo.com/product_security/PS500483-LENOVO-SYSTEM-UPDATE-PRIVILEGE-ESCALATION-VULNERABILITY


∗∗∗ Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968) ∗∗∗
---------------------------------------------
While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.
---------------------------------------------
https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968


∗∗∗ Bentley Security Advisory BE-2022-0006: IFC File Parsing Vulnerabilities in MicroStation and MicroStation-based applications ∗∗∗
---------------------------------------------
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006


∗∗∗ Security Bulletin: IBM Security SOAR is affected but not classified as vulnerable to remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-affected-but-not-classified-as-vulnerable-to-remote-code-execution-in-spring-framework-cve-2022-22965/


∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to arbitrary code exection due to Apache Log4j (CVE-2022-23307) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-vulnerable-to-arbitrary-code-exection-due-to-apache-log4j-cve-2022-23307/


∗∗∗ Security Bulletin: Publicly disclosed vulnerability in GNU binutils affects IBM Netezza Analytics for NPS ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-in-gnu-binutils-affects-ibm-netezza-analytics-for-nps/


∗∗∗ Valmet DNA ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-01


∗∗∗ Mitsubishi Electric MELSEC-Q Series C Controller Module ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-02


∗∗∗ Inductive Automation Ignition ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-03


∗∗∗ Mitsubishi Electric GT25-WLAN ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-04


∗∗∗ Aethon TUG Home Base Server ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-05


∗∗∗ NetApp Active IQ Unified Manager Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500484-NETAPP-ACTIVE-IQ-UNIFIED-MANAGER-INFORMATION-DISCLOSURE-VULNERABILITY


∗∗∗ Post-Auth Arbitrary File Read vulnerability Impacting End-Of-Life SRA Appliances and End-Of-Support SMA100 firmware versions ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0006

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list