[CERT-daily] Tageszusammenfassung - 23.02.2022

Wed Feb 23 18:10:09 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 22-02-2022 18:00 − Mittwoch 23-02-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ LockBit, Conti most active ransomware targeting industrial sector ∗∗∗
---------------------------------------------
Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the number one threat in the industrial sector.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lockbit-conti-most-active-ransomware-targeting-industrial-sector/


∗∗∗ Entropy ransomware linked to Dridex malware downloader ∗∗∗
---------------------------------------------
Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general purpose Dridex malware that started as a banking trojan.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/entropy-ransomware-linked-to-dridex-malware-downloader/


∗∗∗ Creaky Old WannaCry, GandCrab Top the Ransomware Scene ∗∗∗
---------------------------------------------
Nothing like zombie campaigns: WannaCrys old as dirt, and GandCrab threw in the towel years ago. Theyre on auto-pilot at this point, researchers say.
---------------------------------------------
https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/


∗∗∗ How to Fix the specialadves WordPress Redirect Hack ∗∗∗
---------------------------------------------
Attackers are regularly exploiting vulnerable plugins to compromise WordPress websites and redirect visitors to spam and scam websites.
---------------------------------------------
https://blog.sucuri.net/2022/02/how-to-fix-the-specialadves-wordpress-redirect-hack.html


∗∗∗ 25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository ∗∗∗
---------------------------------------------
Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down.
---------------------------------------------
https://thehackernews.com/2022/02/25-malicious-javascript-libraries.html


∗∗∗ Cisco warns firewall customers of four-day window for urgent updates ∗∗∗
---------------------------------------------
Firewalls are supposed to update so they block new threats – miss this deadline and they might not.
---------------------------------------------
https://www.theregister.com/2022/02/23/cisco_firepower_rapid_update_required/


∗∗∗ SameSite: Hax – Exploiting CSRF With The Default SameSite Policy ∗∗∗
---------------------------------------------
Default SameSite settings are not the same as SameSite: Lax set explicitly. TLDR? A two-minute window from when a cookie is issued is open to exploit CSRF.
---------------------------------------------
https://pulsesecurity.co.nz/articles/samesite-lax-csrf


∗∗∗ Shadowserver Starts Conducting Daily Scans to Help Secure ICS ∗∗∗
---------------------------------------------
The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.
---------------------------------------------
https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-help-secure-ics


∗∗∗ Investieren Sie nicht bei bottic.org! ∗∗∗
---------------------------------------------
Schnell, viel Geld verdienen mit Crypto-Investments, das verspricht eine Vielzahl an unseriösen Investitionsplattformen. Wir raten zur Vorsicht!
---------------------------------------------
https://www.watchlist-internet.at/news/investieren-sie-nicht-bei-botticorg/


∗∗∗ Increased Phishing Attacks Disguised as Microsoft ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages.
---------------------------------------------
https://asec.ahnlab.com/en/31994/


∗∗∗ (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware ∗∗∗
---------------------------------------------
UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it’s exclusively used by the group.
---------------------------------------------
https://www.mandiant.com/resources/unc2596-cuba-ransomware


=====================
=  Vulnerabilities  =
=====================

∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Planning Analytics, IBM Planning Analytics Workspace, IBM Cúram Social Program Management, IBM SDK Java Technology Edition, IBM Cloud Application Business Insights, IBM Sterling Global Mailbox, Content Collector, IBM WebSphere Application Server, CICS Transaction Gateway
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Cisco Security Advisories 2022-02-23 ∗∗∗
---------------------------------------------
Cisco has published 4 Security Advisories: 3 High, 1 Medium Severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F02%2F23&firstPublishedEndDate=2022%2F02%2F23


∗∗∗ ZDI-22-404: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr1 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-404/


∗∗∗ ZDI-22-403: (0Day) WECON LeviStudioU UMP File Parsing XY Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-403/


∗∗∗ ZDI-22-402: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr2 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-402/


∗∗∗ ZDI-22-401: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-401/


∗∗∗ ZDI-22-400: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-400/


∗∗∗ ZDI-22-399: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-399/


∗∗∗ ZDI-22-398: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-398/


∗∗∗ ZDI-22-397: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-397/


∗∗∗ ZDI-22-396: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-396/


∗∗∗ ZDI-22-395: (0Day) WECON LeviStudioU UMP File Parsing Disc Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-395/


∗∗∗ SSA-306654: Insyde BIOS Vulnerabilities in Siemens Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-306654.txt


∗∗∗ Remote Code Execution in pfSense <= 2.5.2 ∗∗∗
---------------------------------------------
https://www.shielder.it/advisories/pfsense-remote-command-execution/


∗∗∗ CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool ∗∗∗
---------------------------------------------
https://www.securityweek.com/cisa-warns-attacks-exploiting-recent-vulnerabilities-zabbix-monitoring-tool


∗∗∗ Trend Micro ServerProtect: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0223


∗∗∗ SA45038 - CVE-2022-23852 - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES ∗∗∗
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-23852-Expat-aka-libexpat-before-2-4-4-has-a-signed-integer-overflow-in-XML-GetBuffer-for-configurations-with-a-nonzero-XML-CONTEXT-BYTES

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily