[CERT-daily] Tageszusammenfassung - 15.02.2022

Daily end-of-shift report team at cert.at
Tue Feb 15 18:25:09 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 14-02-2022 18:00 − Dienstag 15-02-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Domain-Hijacking: Tausende NPM-Accounts könnten sich übernehmen lassen ∗∗∗
---------------------------------------------
Laut einer Untersuchung lassen sich verwaiste NPM-Pakete leicht übernehmen. Außerdem könnten einige Maintainer überarbeitet sein. [..] Das hat auch NPM-Besitzer Github erkannt und führt deshalb langsam die zwingende Nutzung einer Zweifaktorauthentifizierung ein.
---------------------------------------------
https://www.golem.de/news/domain-hijacking-tausende-npm-accounts-koennten-sich-uebernehmen-lassen-2202-163187-rss.html


∗∗∗ Who Are Those Bots?, (Tue, Feb 15th) ∗∗∗
---------------------------------------------
Im operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on a list of email addresses that have been crawled. [..] I extracted the list of IP addresses that generated authentication failures for the last 30 days and got a list of 11K addresses. They are part of botnets used to launch these attacks. But who are those bots? What kind of host are we facing?
---------------------------------------------
https://isc.sans.edu/diary/rss/28342


∗∗∗ New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin ∗∗∗
---------------------------------------------
A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency. MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems.
---------------------------------------------
https://thehackernews.com/2022/02/new-mylobot-malware-variant-sends.html


∗∗∗ Dropping Files on a Domain Controller Using CVE-2021-43893 ∗∗∗
---------------------------------------------
On December 14, 2021, during the Log4Shell chaos, Microsoft published CVE-2021-43893, a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS). The vulnerability was credited to James Forshaw of Google Project Zero, but perhaps owing to the Log4Shell atmosphere, the vulnerability gained little to no attention.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/02/14/dropping-files-on-a-domain-controller-using-cve-2021-43893/


∗∗∗ macOS: Sicherheitsupdates für ältere Versionen ∗∗∗
---------------------------------------------
Big Sur und Catalina erhalten jeweils ein Patch-Paket – doch leider verrät Apple nichts zum Inhalt.
---------------------------------------------
https://heise.de/-6457597


∗∗∗ Qnap lässt Sicherheitsupdate-Support für einige NAS-Modelle aufleben ∗∗∗
---------------------------------------------
Wer einen älteren Netzwerkspeicher (NAS) von Qnap besitzt, könnte ab sofort wieder Sicherheitspatches bekommen.
---------------------------------------------
https://heise.de/-6474074


∗∗∗ Betrügerische Wohnungsinserate erkennen: So geht’s ∗∗∗
---------------------------------------------
Auf Plattformen wie immobilienscout24.at, willhaben.at oder im Facebook Marketplace werden immer wieder Fake-Inserate von Miet- und Eigentumswohnungen veröffentlicht. Fake-Inserate können aber anhand einiger Merkmale schnell entlarvt werden. Zum einen am günstigen Preis, zum anderen an der Kommunikation mit den Eigentümerinnen und Eigentümern.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-wohnungsinserate-erkennen-so-gehts/


∗∗∗ New Emotet Infection Method ∗∗∗
---------------------------------------------
As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. [..] The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-emotet-infection-method/


∗∗∗ Warning over mysterious hackers that have been targeting aerospace and defence industries for years ∗∗∗
---------------------------------------------
Cybersecurity researchers detail a hacking operation that has been conducting phishing campaigns and malware attacks since 2017, despite barely changing its tactics.
---------------------------------------------
https://www.zdnet.com/article/these-prolific-hackers-have-been-targeting-the-aerospace-and-defence-industries-with-trojan-malware-for-years/


∗∗∗ Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud ∗∗∗
---------------------------------------------
Unpatched servers have been used to twist corporate email threads and conduct financial theft.
---------------------------------------------
https://www.zdnet.com/article/squirrelwaffle-loader-leverages-microsoft-exchange-server-vulns-for-financial-fraud/


∗∗∗ FBI and USSS Release Advisory on BlackByte Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/15/fbi-and-usss-release-advisory-blackbyte-ransomware


∗∗∗ Sicherheitswarnung von Tuxedo Computer – dringend Passwort ändern ∗∗∗
---------------------------------------------
TUXEDO Computers ist ein in Augsburg angesiedelter Anbieter von Computern. [..] Bei diesem Hersteller hat es eine Sicherheitslücke gegeben, so dass der Hersteller die Kunden auffordert, ihre Kennwörter für deren Online-Konten zu ändern.
---------------------------------------------
https://www.borncity.com/blog/2022/02/15/sicherheitswarnung-von-tuxedo-computer-dringend-passwort-ndern/


∗∗∗ Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users ∗∗∗
---------------------------------------------
Multi-factor Authentication or MFA (sometimes referred as 2FA) is an excellent way to protect your Office 365 accounts from attackers trying to gain access to them. [..] In this case, we are examining MFA Fatigue by focusing on a current attack vector—Push Notification Spamming. We’ll describe what MFA fatigue is, how it is carried out and detail the steps for IT professionals to detect and mitigate it within their organizations.
---------------------------------------------
https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaign-targeting-microsoft-office-365-users/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Google announces zero-day in Chrome browser – update now! ∗∗∗
---------------------------------------------
Zero-day buses: none for a while, then three at once. Heres Google joining Apple and Adobe in "zero-day week"
---------------------------------------------
https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/


∗∗∗ Security Bulletin: Trend Micro Antivirus for Mac Link Following Privilege Escalation Vulnerability (CVE-2022-24671) ∗∗∗
---------------------------------------------
The update resolves a vulnerability in the product that allows a local attacker to modify a file during the update process and escalate their privileges. Please note that an attacker must at least have low-level privileges on the system to attempt to exploit this vulnerability.
---------------------------------------------
https://helpcenter.trendmicro.com/en-us/article/TMKA-10937


∗∗∗ Unsichere Babymonitore von Nooie: Fremde könnten Vollzugriff erlangen ∗∗∗
---------------------------------------------
Bei der Analyse von zwei Babyphones von Nooie hat Bitdefender Sicherheitslücken entdeckt, durch die Angreifer etwa den Videostream anzapfen könnten.
---------------------------------------------
https://heise.de/-6475088


∗∗∗ Multiple Critical Vulnerabilities in multiple Zyxel devices ∗∗∗
---------------------------------------------
Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration. One of the worst vulnerabilities is the unauthenticated buffer overflow in the "zhttpd" webserver, which is developed by Zyxel. By bypassing ASLR, the buffer overflow can be turned into an unauthenticated remote code execution. Besides, vulnerabilities like unauthenticated file disclosure, authenticated command injection and processing of symbolic links in the FTP daemon were found in the firmware.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-multiple-zyxel-devices/


∗∗∗ VMSA-2022-0004 ∗∗∗
---------------------------------------------
CVSSv3 Range: 5.3-8.4
CVE(s): CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050
Synopsis: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0004.html


∗∗∗ Symlink Directory Traversal in Linksys WLAN-Router (SYSS-2021-046) ∗∗∗
---------------------------------------------
Linksys WLAN-Router beinhaltet eine Schwachstelle, die es Angreifern erlaubt, Zugriff auf das gesamte interne Dateisystem des Routers zu erhalten.
---------------------------------------------
https://www.syss.de/pentest-blog/symlink-directory-traversal-in-linksys-wlan-router-syss-2021-046


∗∗∗ Unzureichender Schutz für Medieninhalte bei AVMs FRITZ!Box (SYSS-2021-050) ∗∗∗
---------------------------------------------
AVMs FRITZ!Box-Heimrouter ermöglichen es Angreifenden, in Heimnetzwerken auf Mediendaten wie z. B. Bilder oder Videos zuzugreifen.
---------------------------------------------
https://www.syss.de/pentest-blog/unzureichender-schutz-fuer-medieninhalte-bei-avms-fritzbox-syss-2021-050


∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 15 February 2022 ∗∗∗
---------------------------------------------
Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/


∗∗∗ ZDI-22-349: (Pwn2Own) Western Digital My Cloud Pro Series PR4100 ConnectivityService Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-349/


∗∗∗ ZDI-22-348: (Pwn2Own) Western Digital MyCloud PR4100 cgi_api Server-Side Request Forgery Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-348/


∗∗∗ ZDI-22-347: (Pwn2Own) Western Digital MyCloud PR4100 nasAdmin Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-347/


∗∗∗ ZDI-22-346: (Pwn2Own) Western Digital MyCloud PR4100 samba Configuration Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-346/


∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220216-01-priesc-en


∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-1-0-is-vulnerable-to-remote-code-execution-due-to-apache-log4j-cve-2021-44832/


∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-affects-ibm-integrated-analytics-system/


∗∗∗ TYPO3-EXT-SA-2022-004: File Content Injection in extension "Hardcoded text to Locallang" (mqk_locallangtools) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-004


∗∗∗ TYPO3-EXT-SA-2022-003: Insecure direct object reference in extension "Varnishcache" (varnishcache) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-003


∗∗∗ TYPO3-EXT-SA-2022-002: Cross-Site Scripting in extension "Bookdatabase" (extbookdatabase) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-002


∗∗∗ TYPO3-EXT-SA-2022-001: Server-side request forgery in extension "Kitodo.Presentation" (dlf) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-001


∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list