[CERT-daily] Tageszusammenfassung - 21.04.2022

Thu Apr 21 18:12:51 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 20-04-2022 18:00 − Donnerstag 21-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Microsoft Exchange servers hacked to deploy Hive ransomware ∗∗∗
---------------------------------------------
A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/


∗∗∗ REvils TOR sites come alive to redirect to new ransomware operation ∗∗∗
---------------------------------------------
REvil ransomwares servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have started since at least mid-December last year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/


∗∗∗ Multi-Cryptocurrency Clipboard Swapper, (Thu, Apr 21st) ∗∗∗
---------------------------------------------
It’s not the first time that I found a piece of code that monitors the clipboard and swap the BTC address found with the attacker's one. This time, the script that I found supports a lot of cryptocurrencies!
---------------------------------------------
https://isc.sans.edu/diary/rss/28574


∗∗∗ Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark ∗∗∗
---------------------------------------------
This time we will take a closer look at what the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments.
---------------------------------------------
https://research.nccgroup.com/2022/04/20/mitigating-the-top-10-security-threats-to-gcp-using-the-cis-google-cloud-platform-foundation-benchmark%ef%bf%bc/


∗∗∗ Two OpenWrt updates ∗∗∗
---------------------------------------------
The OpenWrt 21.02.3 and 19.07.10 updates have been released. These updates contain some security fixes and improved device support.
---------------------------------------------
https://lwn.net/Articles/892161/


∗∗∗ Willhaben, ebay, Vinted & Co. im Fokus von Kriminellen! ∗∗∗
---------------------------------------------
Egal ob Sie etwas kaufen oder verkaufen wollen – nehmen Sie sich vor der Abzocke auf Kleinanzeigenplattformen in Acht! Wenn Sie dazu aufgefordert werden, die Transaktion mithilfe eines Kurierdienstes abzuwickeln, brechen Sie den Kontakt ab.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-ebay-vinted-co-im-fokus-von-kriminellen/


∗∗∗ Abusing Azure Container Registry Tasks ∗∗∗
---------------------------------------------
In this post, I will explain how one Azure service supporting DevOps can start in a very solid “secure by default” state, but then quickly descend into a very dangerous configured state.
---------------------------------------------
https://posts.specterops.io/abusing-azure-container-registry-tasks-1f407bfaa465


∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.6 ∗∗∗
---------------------------------------------
A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.6
---------------------------------------------
https://blog.zsec.uk/cobalt-strike-profiles/


∗∗∗ TeamTNT targeting AWS, Alibaba ∗∗∗
---------------------------------------------
TeamTNT is actively modifying its scripts after they were made public by security researchers. These scripts primarily target Amazon Web Services, but can also run in on-premise, container, or other forms of Linux instances.
---------------------------------------------
http://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Security Advisories 2022-04-20 ∗∗∗
---------------------------------------------
Cisco published 12 Security Advisories (3 High, 9 Medium Severity)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F04%2F20&firstPublishedEndDate=2022%2F04%2F20


∗∗∗ Statischer SSH-Schlüssel macht Cloudsicherheitssystem Cisco Umbrella zu schaffen ∗∗∗
---------------------------------------------
Wichtige Sicherheitsupdates für Hard- und Software von Cisco schließen mehrere Lücken. Angreifer könnten Admin-Zugangsdaten mitschneiden.
---------------------------------------------
https://heise.de/-7061311


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (frr, grafana, gzip, and pdns), Oracle (java-11-openjdk), Red Hat (java-11-openjdk and kernel), Scientific Linux (java-11-openjdk), SUSE (dcraw, GraphicsMagick, gzip, kernel, nbd, netty, qemu, SDL, and xen), and Ubuntu (libinput, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure,[...]
---------------------------------------------
https://lwn.net/Articles/892214/


∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2022-009


∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2022-008


∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-and-the-ibm-maximo-manage-application-in-ibm-maximo-application-suite-are-vulnerable-to-cross-site-scripting-cve-2022-22436/


∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-and-the-ibm-maximo-manage-application-in-ibm-maximo-application-suite-are-vulnerable-to-cross-site-scripting-cve-2022-22435/


∗∗∗ Security Bulletin: Vulnerability in OpenSSL affect App Connect Professional. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affect-app-connect-professional/


∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-integrated-analytics-system-7/


∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-robotic-process-automation-2/


∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-gnu-c-library-vulnerability-12/


∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-gnu-c-library-vulnerability-11/


∗∗∗ Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-kernel-affects-ibm-integrated-analytics-system-2/


∗∗∗ Security Bulletin: IBM Emptoris Supplier Lifecycle Management vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-supplier-lifecycle-management-vulnerable-to-unspecified-vulnerability-due-to-oracle-database-server-cve-2021-35576/


∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-gnu-c-library-vulnerability-10/


∗∗∗ Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-use-case-manager-app-is-vulnerable-to-using-components-with-known-vulnerabilities/


∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the included Expat 3rd party library (CVE-2022-23852 and CVE-2022-23990) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-multiple-vulnerabilities-in-the-included-expat-3rd-party-library-cve-2022-23852-and-cve-2022-23990/


∗∗∗ Security Bulletin: A Vulnerability in IBM WebSphere Application Server – Liberty affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-liberty-affects-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data/


∗∗∗ Jira Security Advisory 2022-04-20 ∗∗∗
---------------------------------------------
https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html


∗∗∗ Delta Electronics ASDA-Soft ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-111-01


∗∗∗ Johnson Controls Metasys SCT Pro ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-111-02


∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-111-03

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily