[CERT-daily] Tageszusammenfassung - 12.01.2022

Wed Jan 12 18:18:29 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 11-01-2022 18:00 − Mittwoch 12-01-2022 18:00
Handler:     Stephan Richter
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ TellYouThePass ransomware returns as a cross-platform Golang threat ∗∗∗
---------------------------------------------
TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-returns-as-a-cross-platform-golang-threat/


∗∗∗ Coming Soon: New Security Update Guide Notification System ∗∗∗
---------------------------------------------
Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2022/01/11/coming-soon-new-security-update-guide-notification-system/


∗∗∗ SysJoker, the first (macOS) malware of 2022! ∗∗∗
---------------------------------------------
Here, we analyze the macOS versions of a cross-platform backdoor.
---------------------------------------------
https://objective-see.com/blog/blog_0x6C.html


∗∗∗ A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th) ∗∗∗
---------------------------------------------
Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise.
---------------------------------------------
https://isc.sans.edu/diary/rss/28234


∗∗∗ Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more ∗∗∗
---------------------------------------------
This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside


∗∗∗ Kaufen Sie keine Immobilien über term-re.com oder den-home.com! ∗∗∗
---------------------------------------------
Aktuell beobachten wir vermehrt Betrug mit angeblichen Traum-Immobilien: Kriminelle bieten dabei günstige Immobilien über bekannte Internetplattformen an. Besichtigungen sollen über ein Treuhandunternehmen abgewickelt werden. Aber Achtung: Kriminelle versuchen so an Ihre Ausweiskopie und an Ihr Geld zu kommen.
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-keine-immobilien-ueber-term-recom-oder-den-homecom/


∗∗∗ Check your SPF records: Wide IP ranges undo email security and make for tasty phishes ∗∗∗
---------------------------------------------
With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours.
---------------------------------------------
https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-email-security-and-make-for-tasty-phishes/

∗∗∗ Signed kernel drivers – Unguarded gateway to Windows’ core ∗∗∗
---------------------------------------------
ESET researchers look at malware that abuses vulnerabilities in kernel drivers and outline mitigation techniques against this type of exploitation.
---------------------------------------------
https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/


∗∗∗ Ransomware-Angreifer leakten möglicherweise frühere Opfer ∗∗∗
---------------------------------------------
Kürzlich wurden wir damit beauftragt, einen Ransomware-Angriff zu untersuchen. Wir konnten den wahrscheinlichen Angriffsvektor rekonstruieren und die wahrscheinlich gestohlenen Daten identifizieren. Was diesen Fall besonders interessant machte, war der Mechanismus zum Exfiltrieren von Daten.
---------------------------------------------
https://certitude.consulting/blog/de/ransomware-leak-de/


∗∗∗ How to Analyze Malicious Microsoft Office Files ∗∗∗
---------------------------------------------
Most phishing attacks arrive via emails containing malicious attachments. A seemingly innocent Microsoft Word file, for example, can be the initial infection stage of a dangerous attack where a threat actor uses a document to deliver malware. 
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-office-files/


∗∗∗ Windows Server: Januar 2022-Sicherheitsupdates verursachen Boot-Schleife ∗∗∗
---------------------------------------------
Administratoren von Windows Domain Controllern sollten mit der Installation der Sicherheitsupdates von Januar 2022 vorsichtig sein.Mir liegen inzwischen zahlreiche Berichte vor, dass die Windows Server, die als Domain Controller fungieren, anschließend nicht mehr booten.
---------------------------------------------
https://www.borncity.com/blog/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/


∗∗∗ Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome ∗∗∗
---------------------------------------------
The ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet Explorer (IE) vulnerabilities.
---------------------------------------------
https://asec.ahnlab.com/en/30645/


∗∗∗ Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure ∗∗∗
---------------------------------------------
Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users information.
---------------------------------------------
http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Make sure youre up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out ∗∗∗
---------------------------------------------
Nothing like topping off unauthd remote code execution with a su password of ... password. Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/01/11/sonicwall_multiple_vulns/


∗∗∗ Cisco Security Advisories 2022-01-12 ∗∗∗
---------------------------------------------
1 Critical, 8 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F01%2F12&firstPublishedEndDate=2022%2F01%2F12


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM published 14 Security Bulletins
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Patchday: Trojaner könnte sich über kritische Windows-Lücke wurmartig verbreiten ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für Office, Windows & Co. erschienen. Der Großteil der geschlossenen Lücken ist mit dem Bedrohungsgrad "hoch" eingestuft.
---------------------------------------------
https://heise.de/-6323634


∗∗∗ Patchday Adobe: Acrobat und Reader bekommen jede Menge Sicherheitsupdates ∗∗∗
---------------------------------------------
Angreifer könnten auf Computern mit Adobe-Anwendungen Schadcode platzieren. Dagegen abgesicherte Versionen schaffen Abhilfe.
---------------------------------------------
https://heise.de/-6323723


∗∗∗ Patchday: SAP schließt in mehreren Anwendungen Lücke mit Höchstwertung ∗∗∗
---------------------------------------------
Der deutsche Software-Hersteller SAP kümmert sich unter anderem um eine kritische Lücke in seinem Portfolio.
---------------------------------------------
https://heise.de/-6323843


∗∗∗ Firefox, Thunderbird: Angreifer könnten Opfer im Vollbildmodus gefangen halten ∗∗∗
---------------------------------------------
Mozillas Mailclient und Webrowser sind Versionen erschienen, die gegen verschiedene Attacken gewappnetet sind.
---------------------------------------------
https://heise.de/-6323936


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cfrpki, gdal, and lighttpd), Fedora (perl-CPAN and roundcubemail), Mageia (firefox), openSUSE (jawn, kernel, and thunderbird), Oracle (kernel, openssl, and webkitgtk4), Red Hat (cpio, idm:DL1, kernel, kernel-rt, openssl, virt:av and virt-devel:av, webkit2gtk3, and webkitgtk4), Scientific Linux (openssl and webkitgtk4), SUSE (kernel and thunderbird), and Ubuntu (apache-log4j2, ghostscript, and lxml).
---------------------------------------------
https://lwn.net/Articles/881144/


∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities ∗∗∗
---------------------------------------------
The first round of security advisories released by Siemens and Schneider Electric in 2022 address a total of 40 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-40-vulnerabilities


∗∗∗ Credential Disclosure in Web Interface of Crestron Device ∗∗∗
---------------------------------------------
When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are validto authenticate to the web interface.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/


∗∗∗ Released: January 2022 Exchange Server Security Updates ∗∗∗
---------------------------------------------
Microsoft has released security updates for vulnerabilities found in any version of: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2022-exchange-server-security-updates/ba-p/3050699


∗∗∗ QNX-2022-001 Vulnerability in QNX Neutrino Kernel Impacts QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety ∗∗∗
---------------------------------------------
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000090868


∗∗∗ Apache Guacamole: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0037


∗∗∗ Vulnerability in QTS and QuTS hero ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-57


∗∗∗ Stack Overflow Vulnerability in QVR Elite, QVR Pro, and QVR Guard ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-59


∗∗∗ XSS and Open Redirect Vulnerabilities in QcalAgent ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-60

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily