[CERT-daily] Tageszusammenfassung - 16.03.2022

Wed Mar 16 18:10:01 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 15-03-2022 18:00 − Mittwoch 16-03-2022 18:00
Handler:     Robert Waldner
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Android trojan persists on the Google Play Store since January ∗∗∗
---------------------------------------------
Security researchers tracking the mobile app ecosystem have noticed a recent spike in trojan infiltration on the Google Play Store, with one of the apps having over 500,000 installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-trojan-persists-on-the-google-play-store-since-january/


∗∗∗ Qakbot infection with Cobalt Strike and VNC activity, (Wed, Mar 16th) ∗∗∗
---------------------------------------------
On Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Today's diary provides a quick review of the infection activity.
---------------------------------------------
https://isc.sans.edu/diary/rss/28448


∗∗∗ The Attack of the Chameleon Phishing Page ∗∗∗
---------------------------------------------
Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-of-the-chameleon-phishing-page/


∗∗∗ Werbe-SMS „Bewerbung erhalten“ führt zu Investment-Betrug ∗∗∗
---------------------------------------------
Aktuell versenden Kriminelle SMS, in denen von einer angeblichen Bewerbung durch die EmpfängerInnen die Rede ist. Wie die Kriminellen an Namen und Telefonnummer der Betroffenen gelangen, ist unklar. Klar hingegen ist, dass der enthaltene Link auf eine betrügerische Investment-Werbung führt.
---------------------------------------------
https://www.watchlist-internet.at/news/werbe-sms-bewerbung-erhalten-fuehrt-zu-investment-betrug/


∗∗∗ Gh0stCringe RAT Being Distributed to Vulnerable Database Servers ∗∗∗
---------------------------------------------
This blog will explain the RAT malware named Gh0stCringe. Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT.
---------------------------------------------
https://asec.ahnlab.com/en/32572/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters ∗∗∗
---------------------------------------------
Researchers have disclosed an unpatched security vulnerability in "dompdf," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations.
---------------------------------------------
https://thehackernews.com/2022/03/unpatched-rce-bug-in-dompdf-project.html


∗∗∗ 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS ∗∗∗
---------------------------------------------
The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials.
---------------------------------------------
https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/


∗∗∗ Sicherheitslücke: Präparierte TLS-Zertifikate können OpenSSL-Systeme gefährden ∗∗∗
---------------------------------------------
Angreifer könnten Clients und Server mit präparierten TLS-Zertifikaten auf Basis von elliptischen Kurven lahmlegen.
---------------------------------------------
https://heise.de/-6550820


∗∗∗ Sicherheitsupdates: Angreifer könnten Schadcode durch pfSense-Firewall schieben ∗∗∗
---------------------------------------------
Mehrere Schwachstellen gefährden Systeme mit der Firewall-Distribution pfSense.
---------------------------------------------
https://heise.de/-6577971


∗∗∗ Sicherheitsupdates: Schadcode-Schlupflöcher in Dell-BIOS ∗∗∗
---------------------------------------------
Angreifer könnten Dell-Computer attackieren und im schlimmsten Fall die volle Kontrolle über Geräte erlangen.
---------------------------------------------
https://heise.de/-6550647


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openssl and python-scrapy), openSUSE (chrony, expat, java-1_8_0-openj9, libqt5-qtbase, openssl-1_0_0, php7, and rust, rust1.58, rust1.59), Oracle (389-ds:1.4, httpd:2.4, libarchive, libxml2, and vim), Red Hat (389-ds:1.4, glibc, httpd:2.4, kpatch-patch, libarchive, libxml2, vim, and virt:rhel and virt-devel:rhel), SUSE (chrony, compat-openssl098, expat, libqt5-qtbase, openssl, openssl-1_0_0, openssl-1_1, openssl1, php7, rust, rust1.58, rust1.59, [...]
---------------------------------------------
https://lwn.net/Articles/888093/


∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2022-005


∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/


∗∗∗ Security Bulletin: A security vulnerability in Node.js follow-redirects module affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-follow-redirects-module-affects-ibm-cloud-automation-manager/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Network Automation (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-pak-for-network-automation-cve-2021-44228/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-openssl-denial-of-service-vulnerabilities-cve-2021-23840-cve-2021-23841/


∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform upgrade from Log4j 2.17 to 2.17.1 to protect from infinite recursion in lookup evaluation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-component-of-ibm-tririga-application-platform-upgrade-from-log4j-2-17-to-2-17-1-to-protect-from-infinite-recursion-in-lookup-evaluation/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-ibm-websphere-application-server-due-to-expat-vulnerabilities-4/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-business-developer-5/


∗∗∗ Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-fetch-module-affects-ibm-cloud-automation-manager-2/


∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-marked-module-affects-ibm-cloud-automation-manager-2/


∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-module-affects-ibm-cloud-automation-manager-3/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-10/


∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-are-vulnerable-to-clickjacking-cve-2021-39038-2/


∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-module-affects-ibm-cloud-automation-manager-2/


∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-golang-affects-ibm-cloud-automation-manager-2/


∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-golang-affects-ibm-cloud-automation-manager/


∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2021-33198 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-denial-of-service-by-go-vulnerability-cve-2021-33198/


∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-marked-module-affects-ibm-cloud-automation-manager/


∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affects-rational-business-developer-6/


∗∗∗ Improper Restriction of XML External Entity Reference in BVMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-506619-bt.html


∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/03/16/google-releases-security-updates-chrome

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily