[CERT-daily] Tageszusammenfassung - 25.01.2022

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 24-01-2022 18:00 − Dienstag 25-01-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Responsible Disclosure: Vom Finden und Melden von Sicherheitslücken ∗∗∗
---------------------------------------------
Im Auftrag eines ISP habe ich mehrere Sicherheitslücken in einem Cisco-Router gefunden. Hier erkläre ich, wie ich vorgegangen bin. Ein Erfahrungsbericht von Marco Wiorek
---------------------------------------------
https://www.golem.de/news/responsible-disclosure-vom-finden-und-melden-von-sicherheitsluecken-2201-162189-rss.html


∗∗∗ Analyse: Linux- und ESXi-Varianten der LockBit-Ransomware ∗∗∗
---------------------------------------------
Die Forscher von Trend Micro Research haben das Thema LockBit-Ransomware in einer Analyse aufgegriffen. Denn diese Ransomware bedroht inzwischen nicht mehr nur Windows-Systeme. Es gibt bereits Samples, die auch Linux- und VMware ESXi-Instanzen befallen können.
---------------------------------------------
https://www.borncity.com/blog/2022/01/25/analyse-linux-und-esxi-varianten-der-lockbit-ransomware/


∗∗∗ Vollzugriff durch Hintertür in WordPress-Erweiterungen ∗∗∗
---------------------------------------------
Bei einem Servereinbruch landete Hintertür-Schadcode in Plugins und Themes von AccessPress. Angreifer könnten dadurch WordPress-Instanzen übernehmen.
---------------------------------------------
https://heise.de/-6337344


∗∗∗ Jetzt patchen! Attacken auf Fernzugrifflösung SMA 100 von Sonicwall ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen davor, dass Angreifer derzeit Sonicwall Secure Mobile Access im Visier haben. Dagegen lässt sich etwas tun.
---------------------------------------------
https://heise.de/-6337222


∗∗∗ Verkaufen auf willhaben, ebay & Co: Zahlung und Versand nicht über „Kurierdienst Post“ oder „ebay Selling“ abwickeln ∗∗∗
---------------------------------------------
Auf ebay, willhaben, Shpock und Co. treiben momentan vermehrt betrügerische KäuferInnen ihr Unwesen. Diese können aber rasch entlarvt werden: Betrügerische KäuferInnen wollen die Zahlung und Versendung Ihres Produktes über spezielle Dienstleistungen abwickeln. Dabei handelt es sich um angebliche Kurierdienste der Post oder ebay. Diese sind aber Fake!
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-willhaben-ebay-co-zahlung-und-versand-nicht-ueber-kurierdienst-post-oder-ebay-se/


∗∗∗ BRATA Android Trojan Updated with ‘Kill Switch’ that Wipes Devices ∗∗∗
---------------------------------------------
Researchers identify three new versions of the banking trojan that include various new features, including GPS tracking and novel obfuscation techniques.
---------------------------------------------
https://threatpost.com/brata-android-trojan-kill-switch-wipes/177921/


∗∗∗ TrickBot Malware Using New Techniques to Evade Web Injection Attacks ∗∗∗
---------------------------------------------
The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products.
---------------------------------------------
https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html


∗∗∗ Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks ∗∗∗
---------------------------------------------
A previously undocumented cyber-espionage malware aimed at Apples macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," [...]
---------------------------------------------
https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.html


∗∗∗ Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies ∗∗∗
---------------------------------------------
We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent Tesla.The post Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies appeared first on Unit42.
---------------------------------------------
https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/


∗∗∗ Microsoft warns about this phishing attack that wants to read your emails ∗∗∗
---------------------------------------------
Attackers have targeted hundreds of organisations, says Microsoft security.
---------------------------------------------
https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-that-wants-to-read-your-emails/#ftag=RSSbaffb68


∗∗∗ Introducing Scanning Made Easy ∗∗∗
---------------------------------------------
A joint effort between the i100 and the NCSC, Scanning Made Easy (SME) will be a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities. In this blog post I want to give you an idea of the motivation behind the project, and its capabilities.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/introducing-scanning-made-easy



=====================
=  Vulnerabilities  =
=====================

∗∗∗ PHOENIX CONTACT: FL SWITCH 2xxx series incorrect privilege assignment ∗∗∗
---------------------------------------------
CVE ID: CVE-2022-22509; CVSS 3.1: 8.8 In Phoenix Contact FL SWITCH Series 2xxx an incorrect privilege assignment allows an unprivileged user to enable full access to the device configuration. Solution: Upgrade to firmware 3.10 or higher
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-001/


∗∗∗ Kritische Sicherheitslücke in Unisys Messaging Integration Services ∗∗∗
---------------------------------------------
Unbefugte Nutzer könnten aufgrund fehlerhafter Passwort-Prüfungen in den Messaging Integration Services (NTSI) von Unisys Zugang zu Servern erhalten.
---------------------------------------------
https://heise.de/-6337226


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan).
---------------------------------------------
https://lwn.net/Articles/882552/


∗∗∗ PrinterLogic Patches Code Execution Flaws in Printer Management Suite ∗∗∗
---------------------------------------------
PrinterLogic has released security updates to address a total of nine vulnerabilities in Web Stack and Virtual Appliance, including three security defects that carry "high severity" ratings.
---------------------------------------------
https://www.securityweek.com/printerlogic-patches-code-execution-flaws-printer-management-suite


∗∗∗ Trend Micro Worry Free Business Security Critical Patch 2380 und der freie Disk-Speicher ∗∗∗
---------------------------------------------
Der Sicherheitsanbieter Trend Micro hat ein kritisches Update 2380 für seine Worry Free Business Security (WFBS) freigegeben. Der Patch soll ein Sicherheitsproblem in einer Komponente beseitigen, die die Virenschutzlösung angreifbar macht. Was aber nicht verraten wird: Um diesen kritischen Patch zu installieren, müssen mindestens 13 Gigabyte Festplattenspeicher auf dem Systemlaufwerk vorhanden sein.
---------------------------------------------
https://www.borncity.com/blog/2022/01/25/trend-micro-worry-free-business-security-critical-patch-2380-und-der-freie-disk-speicher/


∗∗∗ XSA-395 ∗∗∗
---------------------------------------------
Insufficient cleanup of passed-through device IRQs
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-395.html


∗∗∗ XSA-394 ∗∗∗
---------------------------------------------
A PV guest could DoS Xen while unmapping a grant
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-394.html


∗∗∗ XSA-393 ∗∗∗
---------------------------------------------
arm: guest_physmap_remove_page not removing the p2m mappings
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-393.html


∗∗∗ GNU libc: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0097


∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0096


∗∗∗ Node.js: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0094


∗∗∗ Mattermost security updates 6.3.1, 6.2.2, 6.1.2, 5.37.7 released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5-37-7-released/


∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/


∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-ldap-injection-cve-2021-39031/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud October 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-liberty-for-java-for-ibm-cloud-october-2021-cpu/


∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-44832/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Studio Client (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-data-studio-client-cve-2021-4104/


∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-execution-vulnerability-in-apache-solr-and-logstash-shipped-with-ibm-operations-analytics-log-analysis-cve-2021-44228-3/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-may-affect-ibm-spectrum-copy-data-management-cve-2021-44832/


∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-apache-log4j-vulnerability-cve-2021-4104/


∗∗∗ Security Bulletin: IBM Security Guardium Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily