[CERT-daily] Tageszusammenfassung - 21.10.2022

Fri Oct 21 19:41:51 CEST 2022

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 20-10-2022 18:00 − Freitag 21-10-2022 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Synology: Kritische Lücken in NAS erlauben Angreifern Ausführen von Schadcode ∗∗∗
---------------------------------------------
Synology warnt vor kritischen Sicherheitslücken in der DSM-Software einiger NAS. Angreifer könnten Schadode ausführen und unbefugt an Informationen gelangen.
---------------------------------------------
https://heise.de/-7316623


∗∗∗ F5 BIG-IP und Nginx: Hersteller stopft teils kritische Sicherheitslücken ∗∗∗
---------------------------------------------
Mehrere Sicherheitslücken in den BIG-IP- und Nginx-Systemen von F5 könnten Angreifern etwa das Ausführen von Schadcode ermöglichen. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7316039


∗∗∗ Gefahren für kritische Infrastrukturen: "Uns fehlt eine Schwachstellenanalyse" ∗∗∗
---------------------------------------------
Prof. Norbert Gebbeken, Gründer und Sprecher des Forschungszentrums RISK, über die Gefahren, die unserer kritischen Infrastruktur drohen – und was man tun kann.
---------------------------------------------
https://heise.de/-7315119


∗∗∗ Your Microsoft Exchange Server Is a Security Liability ∗∗∗
---------------------------------------------
Endless vulnerabilities. Massive hacking campaigns. Slow and technically tough patching. Its time to say goodbye to on-premise Exchange.
---------------------------------------------
https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/


∗∗∗ sczriptzzbn inject pushes malware for NetSupport RAT, (Fri, Oct 21st) ∗∗∗
---------------------------------------------
A campaign nicknamed "sczriptzzbn inject" can be identified by script using a variable named sczriptzzbn injected into files returned from a compromised website. This injected script causes a fake browser update page to appear in the victim's browser. The fake browser update page presents the malware payload for download. More information on the campaign can be found here. In previous weeks, this campaign pushed SolarMarker malware. I ran across one such example on 2022-09-27. This month, we've started seeing a payload for NetSupport RAT from the sczriptzzbn inject.
---------------------------------------------
https://isc.sans.edu/diary/rss/29170


∗∗∗ Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR ∗∗∗
---------------------------------------------
Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sidestepping-self-unlocking-password-protected-rar/


∗∗∗ Wordfence Evasion Malware Conceals Backdoors ∗∗∗
---------------------------------------------
Malware authors, with some notable exceptions, tend to design their malicious code to hide from sight. The techniques they use help their malware stay on the victim’s website for as long as possible and ensure execution. For example — obfuscation techniques, fake code comments, naming conventions for injections that deploy SEO spam, redirect visitors to malicious third party websites, or steal credit card information from eCommerce stores.
---------------------------------------------
https://blog.sucuri.net/2022/10/wordfence-evasion-malware-conceals-backdoors.html


∗∗∗ Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware ∗∗∗
---------------------------------------------
A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victims resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report.
---------------------------------------------
https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html


∗∗∗ Threat Advisory: Monitoring CVE-2022-42889 “Text4Shell” Exploit Attempts ∗∗∗
---------------------------------------------
On October 17, 2022, the Wordfence Threat Intelligence team began monitoring for activity targeting CVE-2022-42889, or “Text4Shell” on our network of 4 million websites. We started seeing activity targeting this vulnerability on October 18, 2022. Text4Shell is a vulnerability in the Apache Commons Text library versions 1.5 through 1.9 that can be used to achieve [...]
---------------------------------------------
https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/


∗∗∗ CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks.
---------------------------------------------
https://www.securityweek.com/cisa-tells-organizations-patch-linux-kernel-vulnerability-exploited-malware


∗∗∗ Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool ∗∗∗
---------------------------------------------
Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware


∗∗∗ Attackers Abusing Various Remote Control Tools ∗∗∗
---------------------------------------------
Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading them to websites. The malware that is installed include infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS Bots which are used in DDoS attacks. In addition to these, backdoor and RAT are also major programs used by attackers.
---------------------------------------------
https://asec.ahnlab.com/en/40263/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ IBM Security Bulletins 2022-10-20 ∗∗∗
---------------------------------------------
IBM Security Verify Gateway/Bridge, IBM Enterprise Records, IBM Sterling Order Management Netty, IBM WebSphere Application Server, IBM MQ Operator, IBM Sterling Order Management, IBM Enterprise Records, IBM Netezza Host Management.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ SolarWinds Security Advisories 2022-10-19 ∗∗∗
---------------------------------------------
SolarWinds released 4 new Security Advisories (3 high, 1 medium) for SolarWinds Platform 2022.4 RC1.
---------------------------------------------
https://www.solarwinds.com/trust-center/security-advisories


∗∗∗ SSA-640732 V1.0: Authentication Bypass Vulnerability in Siveillance Video Mobile Server ∗∗∗
---------------------------------------------
The mobile server component of Siveillance Video 2022 R2 contains an authentication bypass vulnerability that could allow an unauthenticated remote attacker to access the application without a valid account.Siemens has released a hotfix for Siveillance Video 2022 R2 and recommends to apply the hotfix on all installations of the mobile server.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-640732.txt


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (poppler), Oracle (firefox and thunderbird), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk, and java-17-openjdk), SUSE (bind, clone-master-clean-up, grafana, libksba, python3, tiff, and v4l2loopback), and Ubuntu (libreoffice).
---------------------------------------------
https://lwn.net/Articles/911989/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily