[CERT-daily] Tageszusammenfassung - 22.03.2022

Tue Mar 22 18:38:36 CET 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 21-03-2022 18:00 − Dienstag 22-03-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Serpent malware campaign abuses Chocolatey Windows package manager ∗∗∗
---------------------------------------------
Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new Serpent backdoor malware on systems of French government agencies and large construction firms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/


∗∗∗ Conti Ransomware V. 3, Including Decryptor, Leaked ∗∗∗
---------------------------------------------
The latest is a fresher version of the ransomware pro-Ukraine researcher ContiLeaks already released, but it’s reportedly clunkier code.
Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously released – specifically, the source code for Conti Ransomware V3.0 – to VirusTotal.
---------------------------------------------
https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/


∗∗∗ CryptoRom Crypto Scam Abusing iPhone Features to Target Mobile Users ∗∗∗
---------------------------------------------
Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been deceiving unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips. 
---------------------------------------------
https://thehackernews.com/2022/03/cryptorom-crypto-scam-abusing-iphone.html


∗∗∗ Microsoft und Okta: Hacker-Gruppe Lapsus$ hat offenbar erneut zugeschlagen ∗∗∗
---------------------------------------------
Derzeit untersuchen Microsoft bei Azure DevOps und der Zugriffsmanagement-Dienstleister Okta unberechtigte Server-Zugriffe.
---------------------------------------------
https://heise.de/-6603364


∗∗∗ Ausgesperrt? Vorsicht vor unseriösen Schlüsseldiensten ∗∗∗
---------------------------------------------
Sie haben sich ausgesperrt und benötigen einen Schlüsseldienst, um wieder in Ihre Wohnung zu kommen? Bleiben Sie ruhig, recherchieren Sie sorgfältig und überprüfen Sie das Unternehmen genau! Bedenken Sie: Die ersten Google-Suchergebnisse sind nicht immer die besten. Im Gegenteil: Wie Erfahrungen und Analysen zeigen, sind viele beworbene Schlüsseldienste unseriös!
---------------------------------------------
https://www.watchlist-internet.at/news/ausgesperrt-vorsicht-vor-unserioesen-schluesseldiensten/


∗∗∗ Sandworm: A tale of disruption told anew ∗∗∗
---------------------------------------------
[..] BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases, except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute all the malware samples to one overarching group – Sandworm. Who is Sandworm?
---------------------------------------------
https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/


∗∗∗ FBI and FinCEN Release Advisory on AvosLocker Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware


∗∗∗ Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS ∗∗∗
---------------------------------------------
In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis.
---------------------------------------------
https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/


∗∗∗ Facestealer-Trojaner aus der Google Play Store-App Craftsart Cartoon Photo Tools klaut Facebook-Zugangsdaten ∗∗∗
---------------------------------------------
Sicherheitsforscher von Pradeo haben eine Android-App Craftsart Cartoon Photo Tools im Google Play Store entdeckt. Diese ist mit dem bekannten Facestealer-Trojaner verseucht und 100.000 Leute haben die App auf ihre Geräte gezogen.
---------------------------------------------
https://www.borncity.com/blog/2022/03/22/facestealer-trojaner-aus-der-google-play-store-app-craftsart-cartoon-photo-tools-klaut-facebook-zugangsdaten/


∗∗∗ Cobalt Strike: Overview – Part 7 ∗∗∗
---------------------------------------------
This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods.
---------------------------------------------
https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/


∗∗∗ Detecting shadow credentials ∗∗∗
---------------------------------------------
This article is about my journey into tracing changes to the msDS-KeyCredentialLink attribute to verify if their origin is legitimate or a potential attack (aka. Shadow Credentials).
---------------------------------------------
https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/


∗∗∗ 8 Tips for Securing Networks When Time Is Scarce ∗∗∗
---------------------------------------------
In light of increased cyber risk surrounding the Russia-Ukraine conflict, we’ve put together 8 tips that defenders can take right now to prepare.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/03/22/8-tips-for-securing-networks-when-time-is-scarce/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006 ∗∗∗
---------------------------------------------
Security risk: Moderately critical
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24775
Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update  which may affect some Drupal sites.
---------------------------------------------
https://www.drupal.org/sa-core-2022-006


∗∗∗ Multiple Vulnerabilities in GARO Wallbox ∗∗∗
---------------------------------------------
1. Without Authentication(CVE-2021-45878)
2. Hard Coded Credentials for Tomcat Manager(CVE-2021-45877)
3. Unauthenticated Command Injection(CVE-2021-45876)
---------------------------------------------
https://github.com/delikely/advisory/tree/main/GARO


∗∗∗ Kritische Sicherheitslücken in mehr als 200 HP-Drucker-Modellen ∗∗∗
---------------------------------------------
Zahlreiche HP-Drucker haben Sicherheitslücken, durch die Angreifer Schadcode einschleusen und ausführen könnten. Firmware-Updates schaffen Abhilfe.
---------------------------------------------
https://heise.de/-6605306


∗∗∗ Sophos schließt Sicherheitslücken in Unified Threat Management-Firmware ∗∗∗
---------------------------------------------
Eine neue Firmware-Version schließt unter anderem Sicherheitslücken, durch die angemeldete Nutzer Schadcode hätten ausführen können.
---------------------------------------------
https://heise.de/-6602749


∗∗∗ Cyclops-Blink-Botnet: Asus-Router im Fokus, Firmware-Updates verfügbar ∗∗∗
---------------------------------------------
Die Cybergang Sandworm hat ihr Cyclops-Blink-Botnet inzwischen auf Asus-Router angesetzt. Firmware-Updates sollen dem Befall vorbeugen.
---------------------------------------------
https://heise.de/-6604576


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/888859/


∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-23192) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-affects-ibm-spectrum-scale-smb-protocol-access-method-cve-2021-23192/


∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-7-0-8-0-8-5-9-0-and-liberty-17-0-0-3-through-21-0-0-9-could-allow-a-remote-user-to-enumerate-usernames-due-to-a-difference-of-responses-from-vali-2/


∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-impacts-ibm-watson-knowledge-catalog-in-cloud-pak-for-data-cve-2021-44228-2/


∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2124) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-affects-ibm-spectrum-scale-smb-protocol-access-method-cve-2016-2124/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-pak-for-data-system-1-0-2/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-db2-recovery-expert-for-linux-unix-and-windows/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-pak-for-data-system-1-0/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-semeru-runtime-may-affect-ibm-decision-optimization-for-ibm-cloud-pak-for-data-cve-2022-21282-cve-2022-21296-cve-2022-21299/


∗∗∗ K31323265: OpenSSL vulnerability CVE-2022-0778 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K31323265?utm_source=f5support&utm_medium=RSS


∗∗∗ PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-007/


∗∗∗ Delta Electronics DIAEnergie ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily