[CERT-daily] Tageszusammenfassung - 03.06.2022

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 02-06-2022 18:00 − Freitag 03-06-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Chinese LuoYu hackers deploy cyber-espionage malware via app updates ∗∗∗
---------------------------------------------
A Chinese-speaking hacking group known as LuoYu is infecting victims WinDealer information stealer malware deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chinese-luoyu-hackers-deploy-cyber-espionage-malware-via-app-updates/


∗∗∗ Evil Corp switches to LockBit ransomware to evade sanctions ∗∗∗
---------------------------------------------
The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets networks to evade sanctions imposed by the U.S. Treasury Departments Office of Foreign Assets Control (OFAC).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-lockbit-ransomware-to-evade-sanctions/


∗∗∗ Analysis of the Massive NDSW/NDSX Malware Campaign ∗∗∗
---------------------------------------------
Recently, Avast’s researchers Pavel Novák and Jan Rubín posted a detailed writeup about the “Parrot TDS” campaign involving more than 16,500 infected websites. Such massive infections don’t go unnoticed by Sucuri and we immediately recognized that the infection in their writeup belonged to the campaign we internally refer to as “ndsw/ndsx” malware.
---------------------------------------------
https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html


∗∗∗ Reich mit Öl? Vorsicht vor der betrügerischen Investment-Plattform „Öl-Profit“! ∗∗∗
---------------------------------------------
Noch nie war der Online-Ölhandel so einfach wie heute. Jede Person könne hier reich werden – ohne etwas über Öl oder Wirtschaft zu wissen. So heißt es in einem angeblichen Artikel der deutschen Tageszeitung BILD.
---------------------------------------------
https://www.watchlist-internet.at/news/reich-mit-oel-vorsicht-vor-der-betruegerischen-investment-plattform-oel-profit/


∗∗∗ Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor ∗∗∗
---------------------------------------------
We observed a specially crafted DLL hijacking attack used by a previously unknown piece of malware that we dubbed Popping Eagle.
---------------------------------------------
https://unit42.paloaltonetworks.com/popping-eagle-malware/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Angriffe auf Code-Execution-Lücke bedrohen Confluence-Installationen​ ∗∗∗
---------------------------------------------
Seit Anfang der Woche installieren Angreifer Backdoors über eine neue Lücke in Confluence. Admins sollten noch vor dem langen Wochenende Maßnahmen ergreifen.
---------------------------------------------
https://heise.de/-7131081


∗∗∗ GitLab Issues Security Patch for Critical Account Takeover Vulnerability ∗∗∗
---------------------------------------------
GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company.
---------------------------------------------
https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cifs-utils, debian-security-support, and pypdf2), Fedora (fapolicyd, mariadb, openssl, and qt5-qtbase), Oracle (firefox, maven:3.5, maven:3.6, postgresql:10, postgresql:12, and postgresql:13), Red Hat (.NET 6.0, firefox, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, pcs, rsync, subversion, thunderbird, and zlib), Scientific Linux (thunderbird), Slackware (mozilla), SUSE (firefox, hdf5, suse-hpc, kernel-firmware, libarchive, patch, php8, and redis), and Ubuntu (cifs-utils and vim).
---------------------------------------------
https://lwn.net/Articles/897016/


∗∗∗ Security Bulletin: IBM Edge Application Manager is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-edge-application-manager-is-affected-but-not-classified-as-vulnerable-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/


∗∗∗ Security Bulletin: IBM DataPower Gateway Virtual Edition uses out of date ICU libraries in open-vm-tools ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-virtual-edition-uses-out-of-date-icu-libraries-in-open-vm-tools/


∗∗∗ Security Bulletin: IBM Telco Network Cloud Manager – Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-telco-network-cloud-manager-performance-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44832cve-2022-23302-and-cve-2022-23305/


∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to improper input validation in Spring Framework (CVE-2022-22950) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data-is-vulnerable-to-improper-input-validation-in-spring-framework-cve-2022-22950/


∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in Kerberos ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-affected-by-vulnerabilities-in-kerberos/


∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-firmware-products-are-affected-by-a-vulnerability-in-glibc-cve-2021-35942/


∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-products-are-affected-by-a-vulnerability-in-glibc-cve-2021-35942/


∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker obtaining sensitive information and other attacks due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java-runtime-for-ibm-i-are-vulnerable-to-unauthenticated-attacker-obtaining-sensitive-information-and-other-attacks-due-to-multiple-vulnerabilities/


∗∗∗ Security Bulletin: IBM Spectrum Protect Plus may disclose sensitive information in virgo log file (CVE-2022-22396) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus-may-disclose-sensitive-information-in-virgo-log-file-cve-2022-22396/


∗∗∗ D-LINK Router: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0682

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily