[CERT-daily] Tageszusammenfassung - 02.12.2022

Fri Dec 2 18:32:48 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 01-12-2022 18:00 − Freitag 02-12-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Unpatched Redis servers targeted in new Redigo malware attacks ∗∗∗
---------------------------------------------
A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-redis-servers-targeted-in-new-redigo-malware-attacks/


∗∗∗ Samsung, Mediatek, LG: Android-Malware mit OEM-Zertifikaten signiert ∗∗∗
---------------------------------------------
Google hat Malware gefunden, die mit den Zertifikaten von Android-Herstellern signiert sind. Das kann für Systemberechtigungen genutzt werden.
---------------------------------------------
https://www.golem.de/news/samsung-mediatek-lg-android-malware-mit-oem-zertifikaten-signiert-2212-170219.html


∗∗∗ obama224 distribution Qakbot tries .vhd (virtual hard disk) images, (Fri, Dec 2nd) ∗∗∗
---------------------------------------------
Qakbot (also called Qbot) is a long-running malware family that has seen wide-spread distribution through malicious spam (malspam) in recent years.  During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader.
---------------------------------------------
https://isc.sans.edu/diary/rss/29294


∗∗∗ Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection ∗∗∗
---------------------------------------------
New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool.
---------------------------------------------
https://thehackernews.com/2022/11/researchers-find-way-malicious-npm.html


∗∗∗ Flaws in GX Works3 Threaten Mitsubishi Electric Safety PLC Security ∗∗∗
---------------------------------------------
In this blog, we uncover three additional vulnerabilities that affect Mitsubishi Electric GX Works3, tracked under CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833 (Mitsubishi Electric advisory 2022-015, CISA advisory ICSA-22-333-05), and that, in the worst-case scenario, may lead to the compromise of safety PLCs with the only requirement being the possession of associated GX Works3 project files.
---------------------------------------------
https://www.nozominetworks.com/blog/flaws-in-gx-works3-threaten-mitsubishi-electric-safety-plc-security/


∗∗∗ Jetzt patchen! Angreifer attackieren Firewalls und Proxies von Fortinet ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen vor Attacken auf Firmen. Der Grund ist eine kritische Lücke in Fortinet-Produkten.
---------------------------------------------
https://heise.de/-7364286


∗∗∗ Wordpress: Attackiert schon während der Installation ∗∗∗
---------------------------------------------
Noch bevor das System live geht, haben Angreifer es oft unbemerkt mit Hintertüren versehen. Die stehen nämlich schon nach wenigen Minuten auf der Matte.
---------------------------------------------
https://heise.de/-7364588


∗∗∗ IBM Cloud Vulnerability Exposed Users to Supply Chain Attacks ∗∗∗
---------------------------------------------
IBM recently patched a vulnerability in IBM Cloud Databases for PostgreSQL that could have exposed users to supply chain attacks. The vulnerability has been named Hell’s Keychain by cloud security firm Wiz, whose researchers discovered the issue. It has been described by the company as a “first-of-its-kind supply-chain attack vector impacting a cloud provider’s infrastructure”.
---------------------------------------------
https://www.securityweek.com/ibm-cloud-vulnerability-exposed-users-supply-chain-attacks


∗∗∗ Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges ∗∗∗
---------------------------------------------
Qualys’ Threat Research Unit has shown how a new Linux vulnerability could be chained with two other apparently harmless flaws to gain full root privileges on an affected system.
---------------------------------------------
https://www.securityweek.com/three-innocuous-linux-vulnerabilities-chained-obtain-full-root-privileges


∗∗∗ Blowing Cobalt Strike Out of the Water With Memory Analysis ∗∗∗
---------------------------------------------
Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic.
---------------------------------------------
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/


∗∗∗ Protecting major events: an incident response blueprint ∗∗∗
---------------------------------------------
Cisco Talos Incident Response (Talos IR) is sharing a white paper on the steps organizations should follow to secure any major event. These ten focus areas should help guide any organizing committee or participating businesses in preparation for securing such events.
---------------------------------------------
https://blog.talosintelligence.com/protecting-major-events-an-incident-response-blueprint/


∗∗∗ Industry 4.0: CNC Machine Security Risks Part 2 ∗∗∗
---------------------------------------------
This three-part blog series explores the risks associated with CNC machines
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-part-2.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ IBM Security Bulletins 2022-12-01 ∗∗∗
---------------------------------------------
IBM Watson, IBM App Connect, Rational Functional Tester, IBM Security Guardium, IBM Cloud Object Storage Systems, IBM API Connect.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (snapd), Fedora (firefox, libetpan, ntfs-3g, samba, thunderbird, and xen), SUSE (busybox, emacs, and virt-v2v), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-hwe, linux-gcp, linux-hwe, linux-oracle, and tiff).
---------------------------------------------
https://lwn.net/Articles/916658/


∗∗∗ BD BodyGuard Pumps ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-22-335-01


∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-335-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily