[CERT-daily] Tageszusammenfassung - 29.03.2022

Tue Mar 29 18:24:34 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 28-03-2022 18:00 − Dienstag 29-03-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Sophos warns critical firewall bug is being actively exploited ∗∗∗
---------------------------------------------
British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/apple/sophos-warns-critical-firewall-bug-is-being-actively-exploited/


∗∗∗ Triton Malware Still Targeting Energy Firms ∗∗∗
---------------------------------------------
The FBIs latest Private Industry Notification warns the energy sector that the group behind Triton is still up to no good.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/triton-malware-still-targeting-energy-firms


∗∗∗ Linux-Kernel: Netfilter-Bug gibt Nutzern Root-Rechte ∗∗∗
---------------------------------------------
Im Linux-Kernel sind mehrere Fehler im Netfilter-Code gefunden worden, die es einem Nutzer ermöglichen, Root-Rechte zu erlangen. Das Kernel-Team hat für alle unterstützten Versionszweige Updates veröffentlicht.
CVE-2022-1015, CVE-2022-1016).
---------------------------------------------
https://www.golem.de/news/linux-kernel-netfilter-bug-gibt-nutzern-root-rechte-2203-164225-rss.html


∗∗∗ A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages ∗∗∗
---------------------------------------------
A threat actor dubbed "RED-LILI" has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules.
---------------------------------------------
https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html


∗∗∗ Betrügerische SMS im Namen der Volksbank ∗∗∗
---------------------------------------------
Aktuell kursieren betrügerische SMS im Namen der Volksbank. EmpfängerInnen werden dringlich aufgefordert, auf einen Link zu klicken – angeblich, weil das Konto gesperrt wurde. Achtung: Dabei handelt es sich um Betrug. Wer den Link anklickt, landet auf einer gefälschten Login-Seite der Volksbank. Dort werden Zugangsdaten gestohlen!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-sms-im-namen-der-volksbank/


∗∗∗ Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners ∗∗∗
---------------------------------------------
A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated.
According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. 
---------------------------------------------
https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-servers-with-backdoors-crypto-miners/


∗∗∗ Verblecon: Sophisticated New Loader Used in Low-level Attacks ∗∗∗
---------------------------------------------
Indications the attacker may not realize the potential capabilities of the malware they are using.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord


∗∗∗ Mitigating Attacks Against Uninterruptable Power Supply Devices ∗∗∗
---------------------------------------------
CISA and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices, often through unchanged default usernames and passwords. Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/03/29/mitigating-attacks-against-uninterruptable-power-supply-devices


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Wyze Cam flaw lets hackers remotely access your saved videos ∗∗∗
---------------------------------------------
The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019.
The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery.
The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-remotely-access-your-saved-videos/


∗∗∗ ZDI-22-545: (0Day) Siemens Simcenter Femap NEU File Parsing Out-Of-Bounds Write Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Siemens Simcenter Femap. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-545/


∗∗∗ Kritische Schadcode-Lücke in In-Memory-Datenbank Redis geschlossen ∗∗∗
---------------------------------------------
Das Zusammenspiel von Debian-Systemen und Redis kann zu ernsten Sicherheitsproblemen führen. Dagegen abgesicherte Versionen schaffen Abhilfe.
---------------------------------------------
https://heise.de/-6655726


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libdatetime-timezone-perl, pjproject, and tzdata), Mageia (chromium-browser-stable, docker, graphicsmagick, and libtiff), Oracle (expat), Red Hat (expat, httpd:2.4, openssl, and screen), Scientific Linux (expat and openssl), and Ubuntu (libtasn1-6, linux-oem-5.14, openjdk-lts, and paramiko).
---------------------------------------------
https://lwn.net/Articles/889571/


∗∗∗ Sicherheitswarnung: Authentifizierungsschwachstelle CVE-2022-0342 in Zyxel USG/ZyWALL ∗∗∗
---------------------------------------------
In verschiedenen Zyxel Firewall-Produkten gibt es eine kritische Authentifizierungs-Schwachstelle (CVE-2022-0342). Durch diese Sicherheitslücke wird eine Übernahme der Firewall möglich. Zyxel stellt zwar für Geräte, die noch im Support sind, Firmware-Updates bereits.
---------------------------------------------
https://www.borncity.com/blog/2022/03/29/sicherheitswarnung-authentifizierungsschwachstelle-cve-2022-0342-in-zyxel-usg-zywall/


∗∗∗ CVE-2018-25032: Zlib Memory Corruption Vulnerability ∗∗∗
---------------------------------------------
You may be thinking: ‘Wait, this new CVE starts with 2018.., this must be a mistake?’. In fact, it is not a mistake. This is about a CVE that everyone thought was patched years ago but now appears to be alive and well.
[...]
Linux distributions such as Ubuntu and Alpine have already implemented the fix in their latest releases, so you may want to update Zlib to your platform’s release of version 1.2.12, and re-compile any programs with the updated library.
---------------------------------------------
https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-cve-2018-25032/


∗∗∗ Security Bulletin: CVE-2021-44228 log4j affects MAS Monitor 8.4, 8.5 and 8.6 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-44228-log4j-affects-mas-monitor-8-4-8-5-and-8-6/


∗∗∗ Security Bulletin: MAS Monitor 8.4, 8.5, and 8.6 log4j ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-mas-monitor-8-4-8-5-and-8-6-log4j/


∗∗∗ Security Bulletin: Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-critical-vulnerabilities-in-libraries-used-by-libraries-that-ibm-spectrum-discover-is-using-libraries-of-libraries/


∗∗∗ K33548065: Eclipse Jetty vulnerability CVE-2018-12536 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K33548065?utm_source=f5support&utm_medium=RSS


∗∗∗ K03674368: Linux kernel vulnerability CVE-2021-3715 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03674368?utm_source=f5support&utm_medium=RSS


∗∗∗ Philips e-Alert ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-22-088-01


∗∗∗ Rockwell Automation ISaGRAF ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-088-01


∗∗∗ Omron CX-Position ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-088-02


∗∗∗ Hitachi Energy LinkOne WebView ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-088-03


∗∗∗ Modbus Tools Modbus Slave ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-088-04

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily