[CERT-daily] Tageszusammenfassung - 12.09.2022

Daily end-of-shift report team at cert.at
Mon Sep 12 19:08:00 CEST 2022 

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 09-09-2022 18:00 − Montag 12-09-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Krypto-Malware Shikitega überlistet den herkömmlichen Linux-Schutz ∗∗∗
---------------------------------------------
AT&T Alien Labs hat eine Analyse zur neuen Linux-Malware Shikitega veröffentlicht. Der Schädling verschafft sich Root-Zugriff, seine Entdeckung ist schwierig.
---------------------------------------------
https://heise.de/-7260803


∗∗∗ Bericht: Um nicht erwischt zu werden, verschlüsselt Ransomware Daten partiell ∗∗∗
---------------------------------------------
Sicherheitsforscher beobachten bei Erpressungstrojanern einen Trend zur schnelleren Verschlüsselung.
---------------------------------------------
https://heise.de/-7261001


∗∗∗ SMS von der Post? Klicken Sie nicht auf den Link! ∗∗∗
---------------------------------------------
„Die Zustellung Ihres letzten Pakets hat sich aufgrund zusätzlicher Zollgebühren verzögert“ lautet eine SMS-Benachrichtigung von der Post. Im SMS ist ein Link, den Sie anklicken sollten, um das Problem zu lösen. Wir raten zur Vorsicht: Diese Nachricht ist nicht von der Post. Wer auf den Link klickt, tappt in eine Internetfalle!
---------------------------------------------
https://www.watchlist-internet.at/news/sms-von-der-post-klicken-sie-nicht-auf-den-link/


∗∗∗ SharkBot-Trojaner im Play Store – Risiko "Antivirus-Apps" ∗∗∗
---------------------------------------------
Im Google Play Store ist erneut der Banking-Trojaner SharkBot aufgetaucht und hat sich als Antiviren- und Cleaner-App getarnt. Sicherheitsforscher von CyberNews schreiben: Android-Nutzer sollten es sich zweimal überlegen, bevor sie kostenlose Apps zur Reinigung ihres Mobiltelefons und zum "Schutz" vor Viren herunterladen - denn viele von ihnen enthalten Daten-Tracker und einige scheinen sogar Links zu potenziell bösartigen Domains zu beinhalten.
---------------------------------------------
https://www.borncity.com/blog/2022/09/12/sharkbot-trojaner-im-play-store-risiko-antivirus-apps/


∗∗∗ Maldoc With Decoy BASE64, (Fri, Sep 9th) ∗∗∗
---------------------------------------------
There is also a video for this analysis: "Maldoc Analysis: Rehearsed vs. Unrehearsed". 
I analysed this maldoc. It contains an old exploit for the equation editor. Nothing special. And it's easy to analyze. 
But there is one more thing: it contains a very long BASE64 string, 800,000+ characters, and it turns out to be a decoy.
---------------------------------------------
https://isc.sans.edu/diary/rss/29032


∗∗∗ WMI Internals Part 3 ∗∗∗
---------------------------------------------
In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider I walked through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as an example and how when an instance of this class is created the COM method ITaskServices:NewTask is invoked. 
This blog will take this process a step further and look at what happens after the COM method ITaskServices:NewTask.
---------------------------------------------
https://posts.specterops.io/wmi-internals-part-3-38e5dad016be?source=rss----f05f8696e3cc---4


∗∗∗ Dead or Alive? An Emotet Story ∗∗∗
---------------------------------------------
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after [...]
---------------------------------------------
https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/


∗∗∗ Ransomware attacks on retail increase, average retail payment grows to more than $200K ∗∗∗
---------------------------------------------
More than 300 organizations in the retail industry said they were hit with ransomware attacks in 2021, according to a survey conducted by security company Sophos. Sophos researchers spoke to 422 IT workers at mid-sized organizations in the retail sector across 31 countries, finding startling increases in the number of respondents who said their organizations [...]
---------------------------------------------
https://therecord.media/ransomware-attacks-on-retail-increase-average-retail-payment-grows-to-more-than-200k/


∗∗∗ Security Breaks: TeamTNT’s DockerHub Credentials Leak ∗∗∗
---------------------------------------------
One of our honeypots based on exposed Docker REST APIs showed cybercriminal group TeamTNT’s potential attack scenario and leak of container registry credentials for docker-abuse malware. The full version of this research will be presented at the c0c0n XV Hacking and Cyber Security Conference in September 2022.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Firmware bugs in many HP computer models left unfixed for over a year ∗∗∗
---------------------------------------------
A set of six high-severity firmware vulnerabilities impacting a broad range of HP devices used in enterprise environments are still waiting to be patched, although some of them were publicly disclosed since July 2021.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-computer-models-left-unfixed-for-over-a-year/


∗∗∗ Patchday: Ansatzpunkte für Angreifer in Android 10, 11 und 12 geschlossen ∗∗∗
---------------------------------------------
Angreifer könnten sich auf Android-Geräten weitreichende Nutzerrechte erschleichen. In Googles Pixel-Serie wurden kritische Lücken ausgebessert.
---------------------------------------------
https://heise.de/-7260572


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gdk-pixbuf, libxslt, linux-5.10, paramiko, and zlib), Fedora (webkit2gtk3), Mageia (gstreamer1.0-plugins-good, jupyter-notebook, kernel, and rpm), Slackware (vim), SUSE (bluez, clamav, freetype2, frr, gdk-pixbuf, keepalived, libyang, nodejs16, python-PyYAML, qpdf, samba, and vim), and Ubuntu (linux-azure-fde and tiff).
---------------------------------------------
https://lwn.net/Articles/907770/


∗∗∗ Critical KEPServerEX Flaws Can Put Attackers in Powerful Position in OT Networks ∗∗∗
---------------------------------------------
Critical KEPServerEX vulnerabilities that impact the products of several major industrial automation vendors can put attackers in a powerful position in OT networks.read more
---------------------------------------------
https://www.securityweek.com/critical-kepserverex-flaws-can-put-attackers-powerful-position-ot-networks


∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um beliebigen Programmcode auszuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1376


∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375


∗∗∗ Jenkins: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Jenkins ausnutzen, um einen Denial of Service Angriff durchzuführen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1373


∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-and-the-ibm-maximo-manage-application-in-ibm-maximo-application-suite-may-be-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-1-2-cve-2021-410-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Liberty affect SPSS Collaboration and Deployment Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-websphere-liberty-affect-spss-collaboration-and-deployment-services/


∗∗∗ Security Bulletin: qs (QueryString) package in the Service Portal of IBM Control Desk is vulnerable (CVE-2014-7191 and CVE-2017-1000048) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-qs-querystring-package-in-the-service-portal-of-ibm-control-desk-is-vulnerable-cve-2014-7191-and-cve-2017-1000048/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list