[CERT-daily] Tageszusammenfassung - 23.03.2022

Daily end-of-shift report team at cert.at
Wed Mar 23 18:22:14 CET 2022 

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 22-03-2022 18:00 − Mittwoch 23-03-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Okta confirms 2.5% customers impacted by hack in January ∗∗∗
---------------------------------------------
Okta, a major provider of access management systems, says that 2.5%, or approximately 375 customers, were impacted by a cyberattack claimed by the Lapsus$ data extortion group.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/


∗∗∗ Raccoon Stealer – An Insight into Victim “Gates” ∗∗∗
---------------------------------------------
Raccoon Stealer is an information stealer sold to ‘affiliates’ as a Malware-as-a-Service (MaaS) on multiple underground forums. Affiliates are provided access to a control panel hosted on the Tor network as an onion site, where they can generate new malware builds and review data collected from infected hosts.
---------------------------------------------
https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/


∗∗∗ Ransomware: Microsoft bestätigt Hack durch Lapsus$ ∗∗∗
---------------------------------------------
Nach der Veröffentlichung von Code durch Lapsus$ bestätigt Microsoft nun den Hack. Der sei aber sehr begrenzt gewesen.
---------------------------------------------
https://www.golem.de/news/ransomware-microsoft-bestaetigt-hack-durch-lapsus-2203-164085-rss.html


∗∗∗ DEV-0537 criminal actor targeting organizations for data exfiltration and destruction ∗∗∗
---------------------------------------------
The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/


∗∗∗ Exploring a New Class of Kernel Exploit Primitive ∗∗∗
---------------------------------------------
MSRC receives a wide variety of cases spanning different products, bug types and exploit primitives. One particularly interesting primitive we see is an arbitrary kernel pointer read.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/03/22/exploring-a-new-class-of-kernel-exploit-primitive/


∗∗∗ Arkei Variants: From Vidar to Mars Stealer, (Wed, Mar 23rd) ∗∗∗
---------------------------------------------
Sometime in 2018, a new information stealer named Vidar appeared.  Analysis revealed Vidar is an information stealer that is a copycat or fork of Arkei malware. Since that time, Vidar has led to other Arkei-based variants. 
---------------------------------------------
https://isc.sans.edu/diary/rss/28468


∗∗∗ Dissecting a Phishing Campaign with a Captcha-based URL ∗∗∗
---------------------------------------------
In today’s environment, much of the population are doing their bank or financial transactions online and online banking or wire transfers have become a huge necessity. Recently, we received a phishing email that is targeting PayPal accounts.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dissecting-a-phishing-campaign-with-a-captcha-based-url/


∗∗∗ A journey into IoT – Unknown Chinese alarm – Part 1 – Discover components and ports ∗∗∗
---------------------------------------------
So, after a couple of introductory articles, let’s start with a series of articles on an analysis executed on an unknown device. I received a Chinese smart alarm, clone of the Xiaomi Smart Home system, and it seemed perfect for the purpose.
---------------------------------------------
https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-1-discover-components-and-ports/


∗∗∗ Alte Tricks, neue Korplug‑Variante: Hodur von Mustang Panda ∗∗∗
---------------------------------------------
ESET-Forscher haben eine zuvor undokumentierte Korplug-Variante namens Hodur entdeckt, die von Mustang Panda verbreitet wird. Sie nutzt Phishing-Köder, die auf aktuelle Ereignisse in Europa anspielen, einschließlich der Invasion in der Ukraine.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/03/23/alte-tricks-neue-korplug-variante-hodur-von-mustang-panda/


∗∗∗ Fake-Shop auf idealo.com.de! ∗∗∗
---------------------------------------------
Kriminelle haben die Website der Preisvergleichsplattformen idealo.at und idealo.de nachgebaut.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-auf-idealocomde/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Netatalk < 3.1.13: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Netatalk 3.1.13 behebt die folgenden Schwachstellen: CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, CVE-2022-0194
---------------------------------------------
https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (cyrus-sasl, openssl, sphinx, and swtpm), openSUSE (qemu), Red Hat (expat, rh-mariadb103-mariadb, and rh-mariadb105-mariadb), SUSE (apache2, binutils, java-1_7_0-ibm, kernel-firmware, nodejs12, qemu, and xen), and Ubuntu (ckeditor and linux, linux-aws, linux-kvm, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/888994/


∗∗∗ Bosch Fire Monitoring System (FSM) affected by log4net Vulnerability ∗∗∗
---------------------------------------------
A vulnerability has been discovered affecting the Bosch Fire Monitoring System (FSM-2500, FSM-5000, FSM-10k and obsolete FSM-10000). The issue applies to FSM server with version 5.6.630 and lower, and FSM client with version 5.6.2131 and lower.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-479793-bt.html


∗∗∗ ZDI-22-524: (Pwn2Own) NETGEAR R6700v3 libreadycloud.so Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-524/


∗∗∗ ZDI-22-523: (Pwn2Own) NETGEAR R6700v3 circled Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-523/


∗∗∗ ZDI-22-522: (Pwn2Own) NETGEAR R6700v3 readycloud_control.cgi Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-522/


∗∗∗ ZDI-22-521: (Pwn2Own) NETGEAR R6700v3 Missing Authentication for Critical Function Arbitrary File Upload Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-521/


∗∗∗ ZDI-22-520: (Pwn2Own) NETGEAR R6700v3 Improper Certificate Validation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-520/


∗∗∗ ZDI-22-519: (Pwn2Own) NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-519/


∗∗∗ ZDI-22-518: (Pwn2Own) NETGEAR R6700v3 httpd Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-518/


∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extender-advanced-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/


∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Service Registry and Repository in packages such as Apache Struts and Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-websphere-service-registry-and-repository-in-packages-such-as-apache-struts-and-node-js/


∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Service Registry and Repository due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-service-registry-and-repository-due-to-january-2022-cpu-plus-deferred-cve-2021-35550-and-cve-2021-35603/


∗∗∗ Security Bulletin: IBM Db2 Big SQL is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-is-vulnerable-to-arbitrary-code-execution-and-denial-of-service-due-to-apache-log4j-cve-2021-45046-cve-2021-45105/


∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2022-22310) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extender-advanced-is-vulnerable-to-information-exposure-due-to-ibm-websphere-application-server-liberty-cve-2022-22310/


∗∗∗ Security Bulletin: Vulnerability in Apache log4j affects WebSphere Service Registry and Repository (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-websphere-service-registry-and-repository-cve-2021-4104/


∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2021-29842) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extender-advanced-is-vulnerable-to-information-exposure-due-to-ibm-websphere-application-server-liberty-cve-2021-29842/


∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to LDAP injection due to WebSphere Application Server Liberty (CVE-2021-39031) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extender-advanced-is-vulnerable-to-ldap-injection-due-to-websphere-application-server-liberty-cve-2021-39031/


∗∗∗ Security Bulletin: Cloudera Data Platform Private Cloud Base with IBM products have log messages vulnerable to arbitrary code execution, denial of service, remote code execution, and SQL injection due to Apache Log4j vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-private-cloud-base-with-ibm-products-have-log-messages-vulnerable-to-arbitrary-code-execution-denial-of-service-remote-code-execution-and-sql-injection-due/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-ibm-websphere-application-server-cve-2022-22719-cve-2022-22720-cve-2022-22721/


∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2022-22316) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-denial-of-service-vulnerability-cve-2022-22316/


∗∗∗ Security Bulletin: IBM WebSphere eXtreme Scale is vulnerable to arbitrary code execution due to Apache Log4j v1.x (CVE-2022-23307) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-extreme-scale-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-v1-x-cve-2022-23307/


∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Elastic Storage System (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-elastic-storage-system-cve-2021-4104/


∗∗∗ VMSA-2022-0008 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0008.html

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list