[CERT-daily] Daily summary - 20.01.2022

Daily end-of-shift report team at cert.at
Thu Jan 20 18:18:34 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 19-01-2022 18:00 − Thursday 20-01-2022 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Revamped Community-Based DDoS Defense Tool Improves Filtering ∗∗∗
---------------------------------------------
Team Cymru updates its Unwanted Traffic Removal Service (UTRS), adding more granular controls and greater ranges of both IPv4 and IPv6 addresses.
---------------------------------------------
https://www.darkreading.com/perimeter/revamped-community-based-ddos-defense-tool-improves-filtering


∗∗∗ MoonBounce: the dark side of UEFI firmware ∗∗∗
---------------------------------------------
At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.
---------------------------------------------
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/


∗∗∗ What Should You do if Your WordPress Site was Hacked? ∗∗∗
---------------------------------------------
This article will provide insight on what to do if your website is hacked and how to move forward. WordPress sites can be hacked due to a variety of reasons, which we cover in Why are WordPress sites targeted by hackers?
---------------------------------------------
https://blog.sucuri.net/2022/01/what-should-you-do-if-your-wordpress-site-was-hacked.html


∗∗∗ Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks ∗∗∗
---------------------------------------------
Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets. Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an "input validation vulnerability that could allow attackers to build a query given some input and [..]
---------------------------------------------
https://thehackernews.com/2022/01/microsoft-hackers-exploiting-new.html


∗∗∗ New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets ∗∗∗
---------------------------------------------
"BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researchers said in a technical report on Wednesday.
---------------------------------------------
https://thehackernews.com/2022/01/new-bhunt-password-stealer-malware.html


∗∗∗ RedLine Stealer Delivered Through FTP ∗∗∗
---------------------------------------------
Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection has been a common attacker technique for a long time. The difference in this case is that the payload is delivered through FTP. That is pretty unusual, because FTP is used less and less today for several reasons (no encryption by default, and hard to filter because of its passive/active modes).
---------------------------------------------
https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/


∗∗∗ Critical security vulnerability in Google Chrome closed ∗∗∗
---------------------------------------------
With the updated version of Google Chrome the company closes numerous vulnerabilities. The vendor rates at least one of them as critical.
---------------------------------------------
https://heise.de/-6332812


∗∗∗ Almost 7 million passwords stolen from Open Subtitles ∗∗∗
---------------------------------------------
The websites and the forum of Open Subtitles fell victim to cybercriminals, who were able to capture all credentials. Users now need to take action.
---------------------------------------------
https://heise.de/-6332951


∗∗∗ Numerous Facebook pages advertise TVs for €1.95 ∗∗∗
---------------------------------------------
A QLED TV for only 1.95 euros? That is what numerous Facebook pages are currently promising. All you have to do is take part in a short survey. Afterwards you are asked to enter your credit card details to pay 1.95 euros, and a high-quality TV will be delivered to your home. As so often: the offer is too good to be true. In reality, your credit card details end up in the hands of criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-facebook-seiten-bewerben-fernseher-um-195eur/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Cross site scripting
Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.
---------------------------------------------
https://www.drupal.org/sa-core-2022-002


∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Cross Site Scripting
Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7
---------------------------------------------
https://www.drupal.org/sa-core-2022-001


∗∗∗ jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004 ∗∗∗
---------------------------------------------
Project: jQuery UI Datepicker
Security risk: Moderately critical
Vulnerability: Cross Site Scripting
Description: jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-004


∗∗∗ Improper copy algorithm and component validation in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated attacker to execute code ∗∗∗
---------------------------------------------
CVE-2021-22282: RCE through Project Upload from Target. All versions of Automation Studio 4 are affected.
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/1640529306294-en-original-1.0.pdf


∗∗∗ Local file inclusion vulnerability in Land Software - FAUST iServer ∗∗∗
---------------------------------------------
The web server named FAUST iServer, developed by Land Software, is vulnerable to a local file inclusion vulnerability. An attacker can read all local files of the underlying operating system on the current drive.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-file-inclusion-schwachstelle-in-land-software-faust-iserver/


∗∗∗ Calculation error in the Linux kernel allows privilege escalation ∗∗∗
---------------------------------------------
Problematic above all on cloud systems: users logged in to Linux systems could escalate their privileges because of a potential buffer overflow.
---------------------------------------------
https://heise.de/-6333365


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7), Fedora (kernel, libreswan, nodejs, and wireshark), openSUSE (busybox, firefox, kernel, and python-numpy), Oracle (gegl, gegl04, httpd, java-17-openjdk, kernel, kernel-container, and libreswan), Red Hat (kernel, kernel-rt, and libreswan), Slackware (wpa_supplicant), SUSE (busybox, firefox, htmldoc, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container, openstack-monasca-agent, spark, spark-kit, zookeeper, python-numpy) and Ubuntu (curl, linux, linux-aws, linux-aws-5.11, linux-aws-5.4, linux-azure, linux-azure-5.11, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.11, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oem-5.10, linux-oem-5.13, linux-oem-5.14, linux-oracle, linux-oracle-5.11, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, openvswitch, qtsvg-opensource-src).
---------------------------------------------
https://lwn.net/Articles/881956/


∗∗∗ Canon: “Log4j” RCE [CVE-2021-44228], “Log4j” RCE [CVE-2021-45046] and “Log4j” DOS [CVE-2021-45105] vulnerabilities ∗∗∗
---------------------------------------------
We are currently in the process of investigating the impact of the ‘Log4j’ https://logging.apache.org/log4j/2.x/security.html vulnerability on Canon products. As information comes to light, we will update this article.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/


∗∗∗ Canon: Cross-site scripting vulnerability for laser printers and multifunction devices for small offices ∗∗∗
---------------------------------------------
A cross-site scripting vulnerability has been identified in the Remote UI function of Canon laser printers and multifunction devices for small office – see the affected models below (vulnerability identification number: JVN # 64806328).
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/


∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-01-invalid-en


∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-01-log4j-en


∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-2-0-icpds-2-0-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/


∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Conductor is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-log4j-ibm-spectrum-conductor-is-vulnerable-to-arbitrary-code-execution-cve-2021-44832-and-cve-2021-45046-and-denial-of-service-cve-2021-45105/


∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Symphony is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-log4j-ibm-spectrum-symphony-is-vulnerable-to-arbitrary-code-execution-cve-2021-44832-and-cve-2021-45046-and-denial-of-service-cve-2021-45105/


∗∗∗ Security Bulletin: IBM® Security SOAR could be vulnerable to a downgrade attack because of missing Strict-Transport-Security headers for some endpoints (CVE-2021-29785). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-be-vulnerable-to-a-downgrade-attack-because-of-missing-strict-transport-security-headers-for-some-endpoints-cve-2021-29785/


∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-impacts-ibm-sterling-global-mailbox-cve-2021-45046-2/


∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-system-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/


∗∗∗ Security Bulletin: Apache log4j Vulnerability Affects IBM Sterling Global Mailbox (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-global-mailbox-cve-2021-44228-3/


∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-released-a-fix-in-response-to-multiple-vulnerabilities-found-in-ibm-db2-2/


∗∗∗ Security Bulletin: IBM® Disconnected Log Collector is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-collector-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-and-cve-2021-45046/


∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046-and-cve-2021-44832/


∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affects-ibm-cloud-pak-for-data-system-2-0-3/


∗∗∗ Endress+Hauser: Multiple products affected by log4net vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-044/


∗∗∗ ICONICS and Mitsubishi Electric HMI SCADA ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily