[CERT-daily] Tageszusammenfassung - 29.04.2022

Daily end-of-shift report team at cert.at
Fri Apr 29 18:36:35 CEST 2022 

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 28-04-2022 18:00 − Freitag 29-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Ransomware und Wiper: Cyberangriffe auf deutsche Windenergieunternehmen ∗∗∗
---------------------------------------------
Seit Beginn des Ukrainekrieges sind Windkraftanlagen-Hersteller Opfer von Cyberangriffen geworden. Besonders schwer hatten es die Angreifer wohl nicht.
---------------------------------------------
https://www.golem.de/news/ransomware-und-wiper-cyberangriffe-auf-deutsche-windenergieunternehmen-2204-164932-rss.html


∗∗∗ Sicherheitsupdates: Angreifer könnten Firewalls von Cisco neu starten lassen ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für Cisco Firepower Threat Defense und Adaptive Security Appliance.
---------------------------------------------
https://heise.de/-7069408


∗∗∗ Angreifer könnten in Installationsprozess von Sonicwall Global VPN einsteigen ∗∗∗
---------------------------------------------
Sicherheitslücken gefährden Sonicwall Global VPN Client und Sonicos. Sicherheitsupdates stehen zum Download bereit.
---------------------------------------------
https://heise.de/-7069729


∗∗∗ Videokonferenzen: Schwachstellen in Zoom ermöglichen Rechteausweitung und mehr ∗∗∗
---------------------------------------------
Mehrere Schwachstellen in der Zoom-Software könnten Angreifern ermöglichen, ihre Rechte im System auszuweiten oder unbefugt Informationen abzugreifen.
---------------------------------------------
https://heise.de/-7069420


∗∗∗ Studie: Active Directory je nach Branche unterschiedlich angreifbar ∗∗∗
---------------------------------------------
Einer Befragung von IT-Verantwortlichen zufolge spielt bei der Absicherung des Active Directory die Branche eine Rolle. Auch ist die Unternehmensgröße relevant.
---------------------------------------------
https://heise.de/-7069098


∗∗∗ EmoCheck now detects new 64-bit versions of Emotet malware ∗∗∗
---------------------------------------------
The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/


∗∗∗ Colibri Loaders Unique Persistence Technique Using Get-Variable Cmdlet ∗∗∗
---------------------------------------------
Recently there has been a lot of talk on Twitter regarding the Colibri Loader and its persistence mechanism, which somehow uses the Powershell's Get-Variable cmdlet. According to MSDN, Get-Variable is a Powershell cmdlet that gets the PowerShell variables in the current console. 
In short, on Windows 10 or later systems, Colibri Loader drops its copy in %APPDATA%\Local\Microsoft\WindowsApps directory with the name Get-Variable.exe. It then creates a scheduled task to run Powershell in a hidden manner using powershell.exe -windowstyle hidden 
To the naked eye, it looks that only Powershell is running, but this scheduled task somehow triggers Colibri Loader to run.
---------------------------------------------
https://fourcore.io/blogs/colibri-loader-powershell-get-variable-persistence


∗∗∗ Using Passive DNS sources for Reconnaissance and Enumeration, (Fri, Apr 29th) ∗∗∗
---------------------------------------------
In so many penetration tests or assessments, the client gives you a set of subnets and says "go for it". This all seems reasonable, until you realize that if you have a website, there might be dozens or hundreds of websites hosted there, each only accessible by their DNS name.
---------------------------------------------
https://isc.sans.edu/diary/rss/28596


∗∗∗ Don’t expect to get your data back from the Onyx ransomware group ∗∗∗
---------------------------------------------
Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/04/29/onyx-ransomware-destroy-files/


∗∗∗ Bypassing LDAP Channel Binding with StartTLS ∗∗∗
---------------------------------------------
Active Directory LDAP implements StartTLS and it can be used to bypass the Channel Binding requirement of LDAPS for some relay attacks such as the creation of a machine account if LDAP signing is not required by the domain controller.
---------------------------------------------
https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html


∗∗∗ New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware ∗∗∗
---------------------------------------------
We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet).
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html


∗∗∗ The Package Analysis Project: Scalable detection of malicious open source packages ∗∗∗
---------------------------------------------
Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute.
---------------------------------------------
http://security.googleblog.com/2022/04/the-package-analysis-project-scalable.html


∗∗∗ Analyzing VSTO Office Files ∗∗∗
---------------------------------------------
VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for [...]
---------------------------------------------
https://blog.nviso.eu/2022/04/29/analyzing-vsto-office-files/


∗∗∗ Trello From the Other Side: Tracking APT29 Phishing Campaigns ∗∗∗
---------------------------------------------
Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29’s efforts to evade detection through retooling and abuse of Atlassian's Trello service.
---------------------------------------------
https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns



=====================
=  Vulnerabilities  =
=====================

∗∗∗ SonicWall Global VPN Client DLL Search Order Hijacking via Application Installer ∗∗∗
---------------------------------------------
SonicWall Global VPN Client 4.10.7 installer (32-bit and 64-bit) and earlier have a DLL Search Order Hijacking vulnerability in one of the installer components. Successful exploitation via a local attacker could result in command execution in the target system.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0036


∗∗∗ AC500 V3 CODESYS VULNERABILITIES ∗∗∗
---------------------------------------------
All AC500 V3 products with firmware version smaller than 3.6.0 are affected by these vulnerabilities: CVE-2022-22513, CVE-2022-22514, CVE-2022-22515, CVE-2022-22517, CVE-2022-22518 and CVE-2022-22519.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=3ADR010997&LanguageCode=en&DocumentPartId=&Action=Launch


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/893102/


∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-006/


∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0521


∗∗∗ Mattermost security updates 6.6.1, 6.5.1, 6.4.3, 6.3.8 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-update-6-6-1-released/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to directory traversal due to CVE-2022-24785 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-operands-may-be-vulnerable-to-directory-traversal-due-to-cve-2022-24785/


∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-0155, CVE-2022-0536, CVE-2021-3749 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2022-0155-cve-2022-0536-cve-2021-3749/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1233 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-integrationserver-components-that-use-designer-flows-may-be-vulnerable-to-cve-2022-1233/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1243 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-integrationserver-components-that-use-designer-flows-may-be-vulnerable-to-cve-2022-1243/


∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM QRadar SIEM (CVE-2021-22543, CVE-2021-3653, CVE-2021-3656, CVE-2021-37576) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-linux-kernel-affect-ibm-qradar-siem-cve-2021-22543-cve-2021-3653-cve-2021-3656-cve-2021-37576/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to CVE-2022-25645 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-designerauthoring-operands-may-be-vulnerable-to-arbitrary-code-execution-due-to-cve-2022-25645/


∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to CVE-2022-0778 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-operands-may-be-vulnerable-to-denial-of-service-due-to-cve-2022-0778/


∗∗∗ Security Bulletin: Denial of Service Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-24921) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerability-in-golang-go-affects-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-red-hat-openshift-cve-2022-24921/


∗∗∗ Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key. (CVE-2021-39082 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-uc-deploy-container-images-may-contain-non-unique-https-certificates-and-database-encryption-key-cve-2021-39082/


∗∗∗ Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server Admin Console ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-email-is-affected-by-a-embedded-websphere-application-server-admin-console-2/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list