[CERT-daily] Tageszusammenfassung - 26.04.2022

Daily end-of-shift report team at cert.at
Tue Apr 26 18:54:37 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 25-04-2022 18:00 − Dienstag 26-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Emotet war kaputt, infiziert jetzt aber wieder vermehrt Windows-Computer ∗∗∗
---------------------------------------------
Die hoch entwickelte Schadsoftware Emotet baut nach einem Fehler seine Attacken weltweit weiter aus.
---------------------------------------------
https://heise.de/-7064903


∗∗∗ Virustotal: Einbrecher führen eigenen Code auf Googles Servern aus ∗∗∗
---------------------------------------------
Update 26.04.2022 16:00 Uhr: Der Virustotal-Gründer Bernardo Quintero twitterte, dass keine VT-Maschinen direkt betroffen waren. Es handelte sich um Dritthersteller-und Partner-Maschinen etwa bei Antivirus-Herstellern, die die Daten von Virustotal für ihre Zwecke analysieren, erläutert Quintero dort.
---------------------------------------------
https://heise.de/-7065048


∗∗∗ Welpen kaufen im Internet: bulldogge-franzosische-welpen.com ist Betrug ∗∗∗
---------------------------------------------
Wer im Internet nach Welpen sucht, stößt höchstwahrscheinlich auf betrügerische Online-Shops für Welpen. „bulldogge-franzosische-welpen.com“ ist ein solcher Shop. Dort werden bezaubernde Welpen geboten, sogar mit Papieren. 900 Euro kostet eine französische Bulldogge. Doch Vorsicht: Sie erhalten trotz Bezahlung keinen Welpen.
---------------------------------------------
https://www.watchlist-internet.at/news/welpen-kaufen-im-internet-bulldogge-franzosische-welpencom-ist-betrug/


∗∗∗ Hackers exploit critical VMware RCE flaw to install backdoors ∗∗∗
---------------------------------------------
Advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, that affects in VMware Workspace ONE Access (formerly called VMware Identity Manager).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-rce-flaw-to-install-backdoors/


∗∗∗ Phishing goes KISS: Don’t let plain and simple messages catch you out! ∗∗∗
---------------------------------------------
Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because theyre uncomplicated.
---------------------------------------------
https://nakedsecurity.sophos.com/2022/04/25/phishing-goes-kiss-dont-let-plain-and-simple-messages-catch-you-out/


∗∗∗ WSO2 RCE exploited in the wild, (Tue, Apr 26th) ∗∗∗
---------------------------------------------
While investigating a malicious crypto-mining case, I discovered that attackers implanted the payload exploiting a recently patched RCE vulnerability (CVE-2022-29464) affecting multiple WSO2 products, including API Manager. The vulnerability was discovered by Orange Tsai and responsibly disclosed to WSO2.
---------------------------------------------
https://isc.sans.edu/diary/rss/28586


∗∗∗ Over 18.8 million IPs vulnerable to Middlebox TCP reflection DDoS attacks ∗∗∗
---------------------------------------------
We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks. Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000!
---------------------------------------------
https://www.shadowserver.org/news/over-18-8-million-ips-vulnerable-to-middlebox-tcp-reflection-ddos-attacks/


∗∗∗ Conti Ransomware Activity Surges Despite Exposure of Groups Operations ∗∗∗
---------------------------------------------
Conti ransomware activity has surged in the past weeks despite the recent exposure of the group’s operations by a pro-Ukraine hacktivist.
---------------------------------------------
https://www.securityweek.com/conti-ransomware-activity-surges-despite-exposure-groups-operations


∗∗∗ Lapsus$: The script kiddies are alright ∗∗∗
---------------------------------------------
One afternoon last month, the regional head of security for the identity management platform Okta, an Australian named Brett Winterford, was in the middle of a client meeting when his phone sprang to life. “The first message said, ‘It looks like you’re going to have a bad day,’” he recently recalled. “And the second message [...]
---------------------------------------------
https://therecord.media/lapsus-the-script-kiddies-are-alright/


∗∗∗ New Malware of Lazarus Threat Actor Group Exploiting INITECH Process ∗∗∗
---------------------------------------------
The AhnLab ASEC analysis team has discovered that there are 47 companies and institutions—including defense companies—infected with the malware distributed by the Lazarus group in the first quarter of 2022. Considering the severity of the situation, the team has been monitoring the infection cases. In systems of the organizations infected with the malware, it was found that malicious behaviors stemmed from the process of INITECH (inisafecrosswebexsvc.exe), [...]
---------------------------------------------
https://asec.ahnlab.com/en/33801/


∗∗∗ Evasive Phishing Techniques Threat Actors Use to Circumvent Defense Mechanisms ∗∗∗
---------------------------------------------
Phishing continues to be the number one threat faced by companies of all sizes, and one of the main entry points threat actors use to infiltrate networks. As defenses continue to evolve, so do the tactics threat actors use to circumvent those defenses. In this article, the GoSecure Titan® Inbox Detection & Response (IDR) team shares examples of tactics threat actors have used to bypass anti-phishing defenses.
---------------------------------------------
https://www.gosecure.net/blog/2022/04/26/evasive-phishing-techniques-threat-actors-use-to-circumvent-defense-mechanisms/


∗∗∗ Attacker Adds Evasive Technique to Their Ongoing Attacks on NPM ∗∗∗
---------------------------------------------
A few weeks ago, we wrote about a new threat actor we called RED-LILI and described their capabilities, including an in-depth walkthrough of the automated system for publishing malicious NPM packages from automatically created user accounts. After our publication, we [...]
---------------------------------------------
https://checkmarx.com/blog/attacker-adds-evasive-technique-to-their-ongoing-attacks-on-npm/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg), Fedora (htmldoc, moby-engine, plantuml, and zchunk), Oracle (java-1.8.0-openjdk, java-17-openjdk, and kernel), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (freerdp), SUSE (kernel, mutt, SUSE Manager Client Tools, and xen), and Ubuntu (barbican and git).
---------------------------------------------
https://lwn.net/Articles/892674/


∗∗∗ Hitachi Energy System Data Manager ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Integer Overflow or Wraparound, Reachable Assertion, Type Confusion, Uncontrolled Recursion, and Observable Discrepancy vulnerabilities in Hitachi Energy System Data Manager products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-116-01


∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series (Update B) ∗∗∗
---------------------------------------------
This updated advisory is a follow up to the advisory update titled ICSA-21-334-02 Mitsubishi Electric MELSEC and MELIPC Series (Update A) that was published January 27, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Uncontrolled Resource Consumption, Improper Handling of Length Parameter Inconsistency, and Improper Input Validation vulnerabilities in Mitsubishi Electric MELSEC and MELIPC Series software management platforms.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02


∗∗∗ CISA Adds Seven Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/04/25/cisa-adds-seven-known-exploited-vulnerabilities-catalog


∗∗∗ K53648360: Linux kernel vulnerability CVE-2022-27666 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K53648360


∗∗∗ Pepperl+Fuchs: Vulnerability in multiple VisuNet devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-012/


∗∗∗ TYPO3 Extensions: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0499


∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD is vulnerable to a denial of service vulnerability (CVE-2022-22323, CVE-2022-22312) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-password-synchronization-plug-in-for-windows-ad-is-vulnerable-to-a-denial-of-service-vulnerability-cve-2022-22323-cve-2022-22312/


∗∗∗ Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initialization-and-maintenance-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44832/


∗∗∗ Security Bulletin: IBM Robotic Process Automation may be vulnerable to an exposure of sensitive information by an aunauthorized actor through follow-redirects (CVE-2022-0536) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-may-be-vulnerable-to-an-exposure-of-sensitive-information-by-an-aunauthorized-actor-through-follow-redirects-cve-2022-0536/


∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities-7/


∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-java-technology-edition-ibm-tivoli-application-dependency-discovery-manager-taddm-is-vulnerable-to-denial-of-service-3/


∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-13/


∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM Process Mining (CVE-2022-23181) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-tomcat-affects-ibm-process-mining-cve-2022-23181/


∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-22345, CVE-2020-8022, CVE-2021-33813, CVE-2020-9488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-cve-2022-22345-cve-2020-8022-cve-2021-33813-cve-2020-9488/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list