[CERT-daily] Tageszusammenfassung - 17.03.2022

Daily end-of-shift report team at cert.at
Thu Mar 17 18:21:38 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 16-03-2022 18:00 − Donnerstag 17-03-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ SolarWinds warns of attacks targeting Web Help Desk instances ∗∗∗
---------------------------------------------
SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-attacks-targeting-web-help-desk-instances/


∗∗∗ Microsoft creates tool to scan MikroTik routers for TrickBot infections ∗∗∗
---------------------------------------------
The TrickBot trojan has just added one more trick up its sleeve, now using vulnerable IoT (internet of things) devices like modem routers as proxies for its C2 (command and control) server communication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-scan-mikrotik-routers-for-trickbot-infections/


∗∗∗ CISA: US-Behörde warnt vor 15 aktiv ausgenutzten Sicherheitslücken ∗∗∗
---------------------------------------------
Die US-Sicherheitsbehörde CISA warnt Unternehmen und Behörden vor 15 älteren Sicherheitslücken, die aktiv für Angriffe ausgenutzt werden.
---------------------------------------------
https://www.golem.de/news/cisa-us-behoerde-warnt-vor-15-aktiv-ausgenutzten-sicherheitsluecken-2203-163929-rss.html


∗∗∗ DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly ∗∗∗
---------------------------------------------
The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation," Avast researcher Martin Chlumecký said in a report published Wednesday.
---------------------------------------------
https://thehackernews.com/2022/03/dirtymoe-botnet-gains-new-exploits-in.html


∗∗∗ LokiLocker ransomware family spotted with built-in wiper ∗∗∗
---------------------------------------------
BlackBerry says extortionists erase documents if ransom unpaid BlackBerry security researchers have identified a ransomware family targeting English-speaking victims that is capable of erasing all non-system files from infected Windows PCs.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/


∗∗∗ Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks ∗∗∗
---------------------------------------------
What do you do when you’ve found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we’ll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives.
---------------------------------------------
https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks


∗∗∗ From BlackMatter to BlackCat: Analyzing two attacks from one affiliate ∗∗∗
---------------------------------------------
While researching a BlackCat ransomware attack from December 2021, we observed a domain (and respective IP addresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter attack in September 2021. Further analysis revealed more commonalities, such as tools, file names and techniques that were common to both ransomware variants.
---------------------------------------------
http://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ New Vulnerability in CRI-O Engine Lets Attackers Escape Kubernetes Containers ∗∗∗
---------------------------------------------
A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host.
"Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," [..]
---------------------------------------------
https://thehackernews.com/2022/03/new-vulnerability-in-cri-o-engine-lets.html


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db).
---------------------------------------------
https://lwn.net/Articles/888288/


∗∗∗ Red Hat Virtualization: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Virtualization ausnutzen, um Dateien zu manipulieren.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0328


∗∗∗ ISC Releases Security Advisories for BIND ∗∗∗
---------------------------------------------
Original release date: March 17, 2022The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/isc-releases-security-advisories-bind


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-affect-ibm-netezza-performance-portal-2/


∗∗∗ Security Bulletin: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-vm2-module-affects-ibm-cloud-automation-manager-2/


∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo-affects-ibm-spectrum-protect-for-virtual-environments-cve-2021-23450-2/


∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-netcool-omnibus-probe-dsl-factory-framework-is-vulnerable-to-arbitrary-code-execution-cve-2022-23302-cve-2022-23307-and-sql-injection-cve-2022-2/


∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of IBM Websphere Liberty (CVE-2021-35517, CVE-2021-36090) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-has-applied-security-fixes-for-its-use-of-ibm-websphere-liberty-cve-2021-35517-cve-2021-36090/


∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44531) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-app-connect-enterprise-cve-2021-44531/


∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-0235) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-app-connect-enterprise-cve-2022-0235/


∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-aix-cve-2021-25219-3/


∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db2-affect-ibm-spectrum-protect-server-cve-2021-38931-cve-2021-29678-cve-2021-20373-cve-2021-39002-cve-2021-38926-3/


∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-and-golang-go-affect-ibm-spectrum-protect-server-cve-2021-35578-cve-2021-44716-cve-2021-44717-4/


∗∗∗ Security Bulletin: A security vulnerability in log4j v1.2 affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-log4j-v1-2-affects-ibm-cloud-automation-manager/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list