[CERT-daily] Daily summary - 22.12.2022

Daily end-of-shift report team at cert.at
Thu Dec 22 18:10:01 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 21-12-2022 18:00 − Thursday 22-12-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ FIN7 hackers create auto-attack platform to breach Exchange servers ∗∗∗
---------------------------------------------
The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-attack-platform-to-breach-exchange-servers/


∗∗∗ Ransomware and wiper signed with stolen certificates ∗∗∗
---------------------------------------------
In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.
---------------------------------------------
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/


∗∗∗ Microsoft research uncovers new Zerobot capabilities ∗∗∗
---------------------------------------------
The Microsoft Defender for IoT research team details information on the recent distribution of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/


∗∗∗ “Suspicious login” scammers up their game – take care at Christmas ∗∗∗
---------------------------------------------
A picture is worth 1024 words - we clicked through so you don't have to.
---------------------------------------------
https://nakedsecurity.sophos.com/2022/12/21/suspicious-login-scammers-up-their-game-take-care-at-christmas/


∗∗∗ New Android trojan targets banking apps and crypto platforms ∗∗∗
---------------------------------------------
A new banking malware named Godfather is targeting 16 countries, Germany among them. It records input in more than 415 banking and crypto apps.
---------------------------------------------
https://heise.de/-7441440


∗∗∗ Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata ∗∗∗
---------------------------------------------
If the site is hosted on an Amazon Web Services (AWS) server, then collecting the AWS metadata is relatively simple. This exploit only requires calling the appropriate REST API endpoint with the right payload in the ‘url’ parameter to achieve a successful exploit.
---------------------------------------------
https://www.wordfence.com/blog/2022/12/exploiting-wordpress-plugin-vulnerabilities-to-steal-aws-metadata/
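The technique described above is a server-side request forgery (SSRF): a plugin endpoint fetches whatever the caller puts in the 'url' parameter, so pointing it at the cloud metadata service returns instance credentials. The following is an added example, not code from the Wordfence post or from any plugin: it places the flawed pattern (trusting the URL as-is) beside a hardened check that resolves the target and refuses loopback, link-local, private and non-http(s) destinations before any fetch is made. The sample URLs, the function names and the stub resolver used in testing are all constructed for illustration.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlparse

# Constructed sample inputs: values an attacker might submit in a
# plugin's 'url' parameter. The first two point at the EC2 metadata
# service (IPv4 and IPv6 addresses), the rest at other internal targets.
SAMPLE_URLS = [
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://[fd00:ec2::254]/latest/meta-data/",
    "http://127.0.0.1:8080/admin",
    "http://10.0.0.5/internal",
    "https://example.com/feed.xml",
    "file:///etc/passwd",
]


def vulnerable_target(url: str) -> str:
    """The flawed pattern: the caller-supplied URL is used unchanged.
    Whatever this returns would be fetched server-side, so an attacker
    can reach hosts only the server can see (metadata service, localhost)."""
    return url


def resolve_all(host: str) -> List[str]:
    """Resolve a hostname to every address it currently maps to.
    Returns an empty list when resolution fails."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_safe_fetch_target(url: str,
                         resolver: Callable[[str], List[str]] = resolve_all) -> bool:
    """Hardened check: accept only http(s) URLs whose host is, or resolves
    exclusively to, a public unicast address. This rejects 169.254.169.254
    (link-local), fd00:ec2::254 (IPv6 private), loopback and RFC 1918 space.
    Caveat: a check-then-fetch sequence is still exposed to DNS rebinding;
    the fetch should connect to the address validated here, not re-resolve."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False  # file://, gopher://, dict:// and friends are never allowed
    host = parsed.hostname  # brackets around IPv6 literals are already stripped
    if not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return False  # unresolvable hosts are rejected rather than fetched blindly
    for addr in addrs:
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False
    return True


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{'ALLOW' if is_safe_fetch_target(u) else 'BLOCK':5} {u}")
```

The check runs against every resolved address, not just the first, because a hostname that returns one public and one link-local record must still be refused. On the instance side, requiring IMDSv2 (a session token obtained via PUT with a hop limit of 1) independently blunts this class of bug, since a GET-only SSRF cannot obtain the token the credentials endpoint then demands.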


∗∗∗ Qakbot Being Distributed via Virtual Disk Files (*.vhd) ∗∗∗
---------------------------------------------
There’s been a recent increase in the distribution of malware using disk image files.
---------------------------------------------
https://asec.ahnlab.com/en/44662/


∗∗∗ Vidar Stealer Exploiting Various Platforms ∗∗∗
---------------------------------------------
Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2.
---------------------------------------------
https://asec.ahnlab.com/en/44554/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Critical Windows code-execution vulnerability went undetected until now ∗∗∗
---------------------------------------------
Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems.
---------------------------------------------
https://arstechnica.com/information-technology/2022/12/critical-windows-code-execution-vulnerability-went-undetected-until-now/


∗∗∗ Security updates: attackers could compromise Synology routers ∗∗∗
---------------------------------------------
Current versions of Synology Router Manager close several security vulnerabilities. The vendor rates the severity as critical.
---------------------------------------------
https://heise.de/-7440888


∗∗∗ Important security updates for Avira Security, AVG Antivirus and others ∗∗∗
---------------------------------------------
Norton has closed several security vulnerabilities across its portfolio of anti-virus software. Attackers could gain elevated user privileges.
---------------------------------------------
https://heise.de/-7441040


∗∗∗ Puckungfu: A NETGEAR WAN Command Injection ∗∗∗
---------------------------------------------
This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s WAN interface.
---------------------------------------------
https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-injection/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/918379/


∗∗∗ Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service ∗∗∗
---------------------------------------------
Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-openimageio-file-processing-issues-could-lead-to-arbitrary-code-execution-sensitive-information-leak-and-denial-of-service/


∗∗∗ Two New Security Flaws Reported in Ghost CMS Blogging Software ∗∗∗
---------------------------------------------
https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html


∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/


∗∗∗ Priva TopControl Suite ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-01


∗∗∗ Rockwell Automation Studio 5000 Logix Emulate ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-02


∗∗∗ Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-03


∗∗∗ Omron CX-Programmer ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-04


∗∗∗ IBM Content Navigator is vulnerable to missing authorization. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6844453


∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851347


∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851337


∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affect CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851351


∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851339


∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851345


∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851343


∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851349


∗∗∗ Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851341

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily