=====================
= End-of-Day report =
=====================
Timeframe: Montag 17-01-2022 18:00 − Dienstag 18-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft releases emergency fixes for Windows Server, VPN bugs ∗∗∗
---------------------------------------------
Microsoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2022 Patch Tuesday.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergenc…
∗∗∗ Telenot-Schließanlage: Schwacher Zufall sorgt für offene Türen ∗∗∗
---------------------------------------------
Ein Alarmanlagen- und Schließsystem erstellte Zufallszahlen mit einer dafür nicht geeigneten C-Funktion.
---------------------------------------------
https://www.golem.de/news/telenot-schliessanlage-schwacher-zufall-sorgt-fue…
∗∗∗ Understanding Website SQL Injections ∗∗∗
---------------------------------------------
SQL injection is one of the most common types of web hacking techniques used today. As data breaches continue to happen to some of the most high-profile corporations and brands, it’s become more important for web users to adapt to these increased breaches with changes in behavior like system generated passwords and 2FA. In this post, we’ll be discussing SQL Injections in further detail, and why, as a website owner, you should care about this kind of attack.
---------------------------------------------
https://blog.sucuri.net/2022/01/understanding-website-sql-injections.html
∗∗∗ Zoho Patches Critical Vulnerability in Endpoint Management Solutions ∗∗∗
---------------------------------------------
Zoho Corp on Monday said it has released patches for a critical vulnerability affecting Desktop Central and Desktop Central MSP, the endpoint management solutions from ManageEngine.
---------------------------------------------
https://www.securityweek.com/zoho-patches-critical-vulnerability-endpoint-m…
∗∗∗ Kreditbetrug auf globalekredit-fin.com & darlehenexpert.com ∗∗∗
---------------------------------------------
Sie möchten einen Kredit aufnehmen und suchen im Internet nach günstigen Konditionen? Wir raten zur Vorsicht. In den Suchergebnissen lauern auch betrügerische Angebote wie globalekredit-fin.com oder darlehenexpert.com. Wer dort eine Anfrage stellt, läuft Gefahr viel Geld zu verlieren. Und: Kredite gibt es hier keine!
---------------------------------------------
https://www.watchlist-internet.at/news/kreditbetrug-auf-globalekredit-finco…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2022-0002 ∗∗∗
---------------------------------------------
VMware Workstation and Horizon Client for Windows updates address a denial-of-service vulnerability (CVE-2022-22938)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0002.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (slurm-llnl), openSUSE (apache2, ghostscript, and watchman), Red Hat (kernel and telnet), SUSE (apache2, ghostscript, and kernel), and Ubuntu (clamav).
---------------------------------------------
https://lwn.net/Articles/881648/
∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2341) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-36160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-34798) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects Cloud Pak for Security (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Host header injection vulnerability in Business Automation Studio in Cloud Pak for Automation (CVE-2021-29872) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-host-header-injection-vul…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-39275) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-42013) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi…
∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-33193) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Cloudera Data Platform is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-is…
∗∗∗ Security Bulletin: A vulnerability in Apache log4j (CVE-2021-45105) affects IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Apache Log4j CVE-2021-45046 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-…
∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-44224) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities fixed in Cloud Pak for Automation components ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it.(CVE-2021-40438) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-2161) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Java version used in it.(CVE-2021-35560, CVE-2021-35586, CVE-2021-35578, CVE-2021-35564, CVE-2021-35559, CVE-2021-35556, CVE-2021-35565, CVE-2021-35588, CVE-2021-41035) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 14-01-2022 18:00 − Montag 17-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security baseline for Microsoft Edge v97 ∗∗∗
---------------------------------------------
We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 97! We have reviewed the settings in Microsoft Edge version 97 and updated our guidance with the addition of 1 setting. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 97 package from the Security Compliance Toolkit.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Log4Shell Attacks Getting "Smarter", (Mon, Jan 17th) ∗∗∗
---------------------------------------------
Ever since news of the Log4Shell vulnerability broke, we saw a stream of attacks attempting to exploit this vulnerability in log4j (CVE-2021-44228).
---------------------------------------------
https://isc.sans.edu/diary/rss/28246
∗∗∗ New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking ∗∗∗
---------------------------------------------
A software bug introduced in Apple Safari 15s implementation of the IndexedDB API could be abused by a malicious website to track users online activity in the web browser and worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021.
---------------------------------------------
https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.ht…
∗∗∗ Domain Persistence – Machine Account ∗∗∗
---------------------------------------------
Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation. However, there are also cases which a machine account could be used for establishing domain persistence. This involves either the addition of an arbitrary machine account to a high privilege group such as the domain admins or the modification of the “userAccountControl” attribute [...]
---------------------------------------------
https://pentestlab.blog/2022/01/17/domain-persistence-machine-account/
∗∗∗ "Smishing"-Masche: Weiter massenhaft Betrugs-SMS auf Handys ∗∗∗
---------------------------------------------
Wer eine SMS von unbekannt mit einem Link bekommt, sollte vorsichtig sein. Es könnte sich um eine Betrugs-SMS handeln. "Smishing" ist noch immer nicht vorbei.
---------------------------------------------
https://heise.de/-6328158
∗∗∗ Capturing RDP NetNTLMv2 Hashes: Attack details and a Technical How-To Guide ∗∗∗
---------------------------------------------
The GoSecure Titan Labs team saw an opportunity to further explore the topic of hash capturing (which is a must in the arsenal of any offensive team). This blog will examine RDP security modes, how they work and how to put that into action to capture NetNTLMv2 hashes via the RDP protocol using PyRDP—a library created by GoSecure.
---------------------------------------------
https://www.gosecure.net/blog/2022/01/17/capturing-rdp-netntlmv2-hashes-att…
=====================
= Vulnerabilities =
=====================
∗∗∗ Serious Security: Linux full-disk encryption bug fixed – patch now! ∗∗∗
---------------------------------------------
Imagine if someone who didnt have your password could sneakily modify data that was encrypted with it.
---------------------------------------------
https://nakedsecurity.sophos.com/2022/01/14/serious-security-linux-full-dis…
∗∗∗ Über drei Millionen PCs in Deutschland mit unsicherem Windows-System ∗∗∗
---------------------------------------------
Vor zwei Jahren stellte Microsoft den Support für Windows 7 ein. Trotzdem schaffen es viele Anwender nicht, sich von dem unsicheren System zu trennen.
---------------------------------------------
https://heise.de/-6328189
∗∗∗ Virenschutz: Microsoft Defender erleichtert Einnisten von Schädlingen ∗∗∗
---------------------------------------------
Eine kleine Schwachstelle bei Zugriffsrechten des Microsoft Defender unter Windows 10 ermöglicht Angreifern, Malware vor Scans zu verstecken.
---------------------------------------------
https://heise.de/-6329300
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, ghostscript, libreswan, prosody, sphinxsearch, thunderbird, and uriparser), Fedora (cryptsetup, flatpak, kernel, mingw-uriparser, python-celery, python-kombu, and uriparser), Mageia (htmldoc, mbedtls, openexr, perl-CPAN, systemd, thunderbird, and vim), openSUSE (chromium and prosody), Red Hat (httpd, kernel, and samba), Scientific Linux (kernel), Slackware (expat), SUSE (ghostscript), and Ubuntu (pillow).
---------------------------------------------
https://lwn.net/Articles/881545/
∗∗∗ Oracle to Release Nearly 500 New Security Patches ∗∗∗
---------------------------------------------
Oracle is preparing the release of nearly 500 new security patches with its Critical Patch Update (CPU) for January 2022.
---------------------------------------------
https://www.securityweek.com/oracle-release-nearly-500-new-security-patches
∗∗∗ Microsoft Januar 2022 Patchday-Revisionen (14.1.2022) ∗∗∗
---------------------------------------------
Zum 11. Januar 2022 hat Microsoft eine Reihe Sicherheitsupdates für Windows und Office freigegeben, die Schwachstellen beseitigen sollen. Einige dieser Updates führten aber zu Problemen, so dass Funktionen in Windows gestört wurden. Am 14. Januar 2022 hat Microsoft eine Liste [...]
---------------------------------------------
https://www.borncity.com/blog/2022/01/17/microsoft-januar-2022-patchday-rev…
∗∗∗ ZDI-22-081: TP-Link TL-WA1201 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-081/
∗∗∗ ZDI-22-080: TP-Link Archer C90 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-080/
∗∗∗ OpenBMCS 2.4 Secrets Disclosure ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php
∗∗∗ OpenBMCS 2.4 Unauthenticated SSRF / RFI ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php
∗∗∗ OpenBMCS 2.4 Create Admin / Remote Privilege Escalation ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability (UPDATE A) ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-041/
∗∗∗ GNU libc: Mehrere Schwachstellen ermöglichen Codeausführung und Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0054
∗∗∗ Stored Cross-Site Scripting Schwachstelle in Typo3 Extension "femanager" ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scr…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 13-01-2022 18:00 − Freitag 14-01-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft Defender weakness lets hackers bypass malware detection ∗∗∗
---------------------------------------------
Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-defender-weakness-…
∗∗∗ Nach Log4J: Google will zusammen mit Regierungen Open Source absichern ∗∗∗
---------------------------------------------
Seit langem sucht Google nach Wegen, Open-Source-Software besser abzusichern. Nach der Log4J-Lücke kommen nun auch Regierungen ins Spiel.
---------------------------------------------
https://www.golem.de/news/nach-log4j-google-will-zusammen-mit-regierungen-o…
∗∗∗ Microsoft Yanks Buggy Windows Server Updates ∗∗∗
---------------------------------------------
Since their release on Patch Tuesday, the updates have been breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable.
---------------------------------------------
https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/
∗∗∗ A closer look at Flubot’s DoH tunneling ∗∗∗
---------------------------------------------
[...] The following blog post will take a closer look at Flubot version 4.9, and in particular its Command and Control (C&C) communication, based on the data F-Secure gathered during that campaign.
---------------------------------------------
https://blog.f-secure.com/flubot_doh_tunneling/
∗∗∗ Verwundbare Exchange-Server der öffentlichen Verwaltung ∗∗∗
---------------------------------------------
20 Exchange-Server in öffentlicher Hand waren für eine Sicherheitslücke anfällig. Kriminelle hätten die Kontrolle übernehmen können.
---------------------------------------------
https://heise.de/-6320504
∗∗∗ Citrix liefert Sicherheitsupdates für Workspace App und Hypervisor ∗∗∗
---------------------------------------------
Sicherheitslücken in der Citrix Workspace App for Linux und im Hypervisor ermöglichten Angreifern die Rechteausweitung oder DoS-Attacken auf den Host.
---------------------------------------------
https://heise.de/-6327171
∗∗∗ Aus für iOS 14? Verwirrung über fehlende Sicherheits-Updates ∗∗∗
---------------------------------------------
Neben iOS 15 stellte Apple erstmals Updates für die Vorjahresversion des Betriebssystems in Aussicht. Es fehlen aber wichtige Patches für iOS 14.
---------------------------------------------
https://heise.de/-6327709
∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Unified Contact Manager ∗∗∗
---------------------------------------------
Admins von Cisco-Hard- und -Software sind gefragt, ihre Systeme abzusichern.
---------------------------------------------
https://heise.de/-6327050
∗∗∗ Schadcode-Schlupflöcher in Qnap NAS geschlossen ∗∗∗
---------------------------------------------
Die Qnap-Entwickler haben ihr NAS-Betriebssystem und zwei Apps gegen mögliche Attacken abgesichert.
---------------------------------------------
https://heise.de/-6327201
∗∗∗ Juniper Networks stopft zahlreiche Sicherheitslücken ∗∗∗
---------------------------------------------
In Geräten und Diensten von Juniper hätten Angreifer Schwachstellen etwa für DoS-Angriffe, die Ausweitung von Rechten oder Schlimmeres missbrauchen können.
---------------------------------------------
https://heise.de/-6327645
∗∗∗ Signierte Kernel‑Treiber – unbewachte Zugänge zum Windows‑Kern ∗∗∗
---------------------------------------------
ESET Forscher untersuchen Schwachstellen in signierten Windows-Treibern, die trotz Gegenmaßnahmen immer noch ein Sicherheitsproblem darstellen.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/01/13/signierte-kernel-treiber-…
∗∗∗ Telefon-Betrug: Drücken Sie nicht die Taste 1! ∗∗∗
---------------------------------------------
LeserInnen der Watchlist Internet melden uns derzeit betrügerische Anrufe: Dabei werden willkürlich Personen angerufen und mit einer Bandansage darauf hingewiesen, dass es einen Haftbefehl gegen sie gäbe. Um mehr zu erfahren, solle die Taste 1 gedrückt werden. Machen Sie das auf keinen Fall! Die BetrügerInnen wollen Sie damit in eine Kostenfalle locken.
---------------------------------------------
https://www.watchlist-internet.at/news/telefon-betrug-druecken-sie-nicht-di…
∗∗∗ Schwachstellen in AWS Glue und AWS Cloud Formation entdeckt ∗∗∗
---------------------------------------------
Das Orca Security Research Team hat Sicherheitslücken im Amazon Web Services AWS Glue-Service sowie zur Zero-Day-Schwachstelle BreakingFormation erkannt. Beide Unternehmen konnten binnen weniger Tagen die Fehler beheben.
---------------------------------------------
https://www.zdnet.de/88398803/schwachstellen-in-aws-glue-und-aws-cloud-form…
∗∗∗ Detection Rules for Sysjoker (and How to Make Them With Osquery) ∗∗∗
---------------------------------------------
On January 11, 2022, we released a blog post on a new malware called SysJoker. SysJoker is a malware targeting Windows, macOS, and Linux. At the time of the publication, the Linux and macOS versions were not detected by any scanning engines on VirusTotal. As a consequence to this, we decided to release a followup [...]
---------------------------------------------
https://www.intezer.com/blog/cloud-security/detection-rules-sysjoker-osquer…
∗∗∗ Adobe Acrobat (Reader) DC 21.011.20039, Installationsfehler und offene Bugs ∗∗∗
---------------------------------------------
Kurzer Sammelbeitrag zum Acrobat Gelump, was Adobe auf die Rechner der Nutzer kippt. Zum 11. Januar 2022 gab es ein Sicherheitsupdate für den Adobe Acrobat (Reader) DC auf die Version 21.011.20039. Weiterhin haben mich die letzten Tage einige Nutzer auf eine Latte an offenen Bugs hingewiesen, die ich hier mal einfach einstellen will. Soll ja niemand behaupten, ich ließe die "Qualitätsupdates" von Adobe zum Acrobat unerwähnt.
---------------------------------------------
https://www.borncity.com/blog/2022/01/14/adobe-acrobat-reader-dc-21-011-200…
=====================
= Vulnerabilities =
=====================
∗∗∗ Positive Technologies Uncovers Vulnerability in IDEMIA Biometric Identification Devices That Can Unlock Doors and Turnstiles ∗∗∗
---------------------------------------------
Positive Technologies researchers, Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered a critical vulnerability (VU-2021-004) in IDEMIA biometric identification devices used in the world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities. By exploiting the flaw, which received a score of 9.1 on the CVSS v3 scale, attackers can unlock doors and turnsites.
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (cockpit, python-cvxopt, and vim), openSUSE (libmspack), Oracle (webkitgtk4), Scientific Linux (firefox and thunderbird), SUSE (kernel and libmspack), and Ubuntu (firefox and pillow).
---------------------------------------------
https://lwn.net/Articles/881407/
∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Lack of Administrator Control Over Security vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-013-01
∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Initialization vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block,
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-013-07
∗∗∗ Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update B) ∗∗∗
---------------------------------------------
[...] 4.1 AFFECTED PRODUCTS [...]
Begin Update B Part 1 of 1
- L 02/06/26 CPU (-P), L 26 CPU - (P) BT, serial number 23121 and earlier
End Update B Part 1 of 1
---------------------------------------------
https://www.cisa.gov/uscert/ics/advisories/icsa-20-303-01
∗∗∗ Trane Symbio (Update B) ∗∗∗
---------------------------------------------
[...] 3. RISK EVALUATION
Begin Update B Part 1 of 1
Successful exploitation of this vulnerability could allow a user to execute arbitrary code on the controller.
End Update B Part 1 of 1
---------------------------------------------
https://www.cisa.gov/uscert/ics/advisories/icsa-21-266-01
∗∗∗ Ivanti Updates Log4j Advisory with Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Ivanti has updated its Log4j Advisory with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Ivanti security advisories pages for Avalanche; File Director; and MobileIron Core, MobileIron Sentry (Core/Cloud), and MobileIron Core Connector and apply the necessary updates and workarounds.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/01/14/ivanti-updates-lo…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0050
∗∗∗ ClamAV: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0052
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 12-01-2022 18:00 − Donnerstag 13-01-2022 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ 19-jähriger Hacker kann Teslas in 13 Ländern fernsteuern ∗∗∗
---------------------------------------------
Der junge IT-Sicherheitsexperte kann die Autos lokalisieren, Türen öffnen und das Entertainment-System fernsteuern. [..] In einem Twitter-Beitrag, den er am Montag veröffentlichte, erklärte er auch, dass es sich bei dem Fehler nicht um eine Schwachstelle in der Infrastruktur von Tesla handelt. Es sei der Fehler der Besitzer*innen. Weiters schreibt Colombo, dass er das Problem an das Sicherheitsteam von Tesla gemeldet hat, das die Angelegenheit untersucht.
---------------------------------------------
https://futurezone.at/digital-life/19-jaehriger-hacker-25-teslas-in-13-laen…
∗∗∗ Adobe Cloud Abused to Steal Office 365, Gmail Credentials ∗∗∗
---------------------------------------------
Threat actors are creating accounts within the Adobe Cloud suite and sending images and PDFs that appear legitimate to target Office 365 and Gmail users, researchers from Avanan discovered.
---------------------------------------------
https://threatpost.com/adobe-cloud-steal-office-365-gmail-credentials/17762…
∗∗∗ Decrypting Qakbot’s Encrypted Registry Keys ∗∗∗
---------------------------------------------
One new skill is to insert encrypted data into the registry. One of the requests we received from Trustwave’s DFIR and Global Threats Operations teams is for us to decrypt the registry data that Qakbot created. We duly jumped into this task, and, as it was a bit of fun, decided to blog about it.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-…
∗∗∗ Viele Lücken im Software-System Jenkins entdeckt – und noch nicht geschlossen ∗∗∗
---------------------------------------------
Entwickler sollten ihre Jenkins-Umgebung aus Sicherheitsgründen auf den aktuellen Stand bringen. Viele Updates sind jedoch noch nicht verfügbar.
---------------------------------------------
https://heise.de/-6326362
∗∗∗ 84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability ∗∗∗
---------------------------------------------
We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of “Login/Signup Popup” was released on November 24, 2021, while patched versions of “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” were released on December 17, 2021. We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins..
---------------------------------------------
https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-th…
∗∗∗ Free Micropatches for "RemotePotato0", a "WONT FIX" Local Privilege Escalation Affecting all Windows Systems ∗∗∗
---------------------------------------------
[..] a local privilege escalation vulnerability they had found in Windows and reported to Microsoft, who decided not to fix because "Servers must defend themselves against NTLM relay attacks." As far as real world goes, many servers do not, in fact, defend themselves against NTLM relay attacks. Since the vulnerability is present on all supported Windows versions as of today (as well as all unsupported versions which we had security-adopted), we decided to fix it ourselves.
---------------------------------------------
https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html
∗∗∗ Code-Signatur-Prozesse sichern ∗∗∗
---------------------------------------------
DevOps steht unter Druck, wie unter anderem bei der Attacke auf SolarWinds offenkundig wurde. Fünf Wege zur Absicherung von Code-Signatur-Prozessen schildert Tony Hadfield, Director Solutions Architect bei Venafi, in einem Gastbeitrag.
---------------------------------------------
https://www.zdnet.de/88398761/code-signatur-prozesse-sichern/
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master" ∗∗∗
---------------------------------------------
* Cross-site request forgery (CWE-352) - CVE-2022-0180
* Reflected cross-site scripting (CWE-79) - CVE-2022-0181
* Stored cross-site scripting (CWE-79) - CVE-2022-0182
Solution: Update the plugin
---------------------------------------------
https://jvn.jp/en/jp/JVN72788165/
∗∗∗ Juniper Security Advisories ∗∗∗
---------------------------------------------
Juniper hat 34 Security Advisories veröffentlicht.
---------------------------------------------
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS…
∗∗∗ Klartextspeicherung des Kennwortes in Cisco IP Telefonen ∗∗∗
---------------------------------------------
Mehrere Cisco IP Telefone speichern das konfigurierte Verwalterkennwort als Klartext im unverschlüsselten Flash Speicher. Somit ist die Extrahierung des Kennworts bei physischem Zugriff auf ein Telefon problemlos möglich. Wird dieses Kennwort nun bei mehreren Telefonen verwendet, bekommt ein Angreifer Zugriff auf die administrativen Einstellungen aller Geräte im Netzwerk.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/klartextspeicherung-d…
∗∗∗ Apache Log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗
---------------------------------------------
Product / System line - Potentially affected products and versions
* B&R Products - See further details in specific advisory
* ABB Remote Service - ABB Remote Access Platform (RAP)
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language…
∗∗∗ iOS 15.2.1 und iPadOS 15.2.1: Wartungsupdates für iPhone und iPad ∗∗∗
---------------------------------------------
Apple hat eine Bugfix- und Sicherheitsaktualisierung für seine Handys und Tablets. Neben einigen Fehler wird auch ein Sicherheitsproblem behoben.
---------------------------------------------
https://heise.de/-6325566
∗∗∗ Sicherheitsupdate: Schadcode-Lücke bedroht Computer mit HP-UX ∗∗∗
---------------------------------------------
HPE-Entwickler haben eine kritische Schwachstelle im Unix-Betriebssystem HP-UX geschlossen.
---------------------------------------------
https://heise.de/-6326104
∗∗∗ IBM sichert sein Server- und Workstation-System AIX ab ∗∗∗
---------------------------------------------
Angreifer könnten AIX-Systeme von IBM attackieren und Schadcode ausführen. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-6326080
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (epiphany-browser, lxml, and roundcube), Fedora (gegl04, mingw-harfbuzz, and mod_auth_mellon), openSUSE (openexr and python39-pip), Oracle (firefox and thunderbird), Red Hat (firefox and thunderbird), SUSE (apache2, openexr, python36-pip, and python39-pip), and Ubuntu (apache-log4j1.2, ghostscript, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, and systemd).
---------------------------------------------
https://lwn.net/Articles/881303/
∗∗∗ Cisco Patches Critical Vulnerability in Contact Center Products ∗∗∗
---------------------------------------------
Cisco on Wednesday announced patches for a critical vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited remotely to elevate privileges to administrator.
---------------------------------------------
https://www.securityweek.com/cisco-patches-critical-vulnerability-contact-c…
∗∗∗ Citrix Hypervisor Security Update - CTX335432 ∗∗∗
---------------------------------------------
Several security issues have been identified in Citrix Hypervisor, that may each allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues have the following identifiers: CVE-2021-28704, CVE-2021-28705, CVE-2021-28714, CVE-2021-28715
All of these issues affect all currently supported versions of Citrix Hypervisor. Citrix has released hotfixes to address these issues
---------------------------------------------
https://support.citrix.com/article/CTX335432
∗∗∗ CVE-2022-0015 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: HIGH) ∗∗∗
---------------------------------------------
A local privilege escalation (PE) vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables an authenticated local user to execute programs with elevated privileges.
This issue impacts:
* Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12;
* Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0015
∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Archive Enterprise Edition (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Archive Enterprise Edition (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable to allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v…
∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, ) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle…
∗∗∗ Security Bulletin: IBM Db2 Big SQL for Hortonworks Data Platform, for Cloudera Data Platform Private Cloud, and IBM Db2 Big SQL on Cloud Pak for Data are affected by critical vulnerability in Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-for-horto…
∗∗∗ Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-ibm-i-extended-dynami…
∗∗∗ January 12, 2022 TNS-2022-03 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1 ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2022-03
∗∗∗ CVE-2022-0014 Cortex XDR Agent: Unintended Program Execution When Using Live Terminal Session (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0014
∗∗∗ CVE-2022-0013 Cortex XDR Agent: File Information Exposure Vulnerability When Generating Support File (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0013
∗∗∗ CVE-2022-0012 Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0012
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-01-2022 18:00 − Mittwoch 12-01-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ TellYouThePass ransomware returns as a cross-platform Golang threat ∗∗∗
---------------------------------------------
TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re…
∗∗∗ Coming Soon: New Security Update Guide Notification System ∗∗∗
---------------------------------------------
Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2022/01/11/coming-soon-new-security-upd…
∗∗∗ SysJoker, the first (macOS) malware of 2022! ∗∗∗
---------------------------------------------
Here, we analyze the macOS versions of a cross-platform backdoor.
---------------------------------------------
https://objective-see.com/blog/blog_0x6C.html
∗∗∗ A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th) ∗∗∗
---------------------------------------------
Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise.
---------------------------------------------
https://isc.sans.edu/diary/rss/28234
∗∗∗ Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more ∗∗∗
---------------------------------------------
This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-…
∗∗∗ Kaufen Sie keine Immobilien über term-re.com oder den-home.com! ∗∗∗
---------------------------------------------
Aktuell beobachten wir vermehrt Betrug mit angeblichen Traum-Immobilien: Kriminelle bieten dabei günstige Immobilien über bekannte Internetplattformen an. Besichtigungen sollen über ein Treuhandunternehmen abgewickelt werden. Aber Achtung: Kriminelle versuchen so an Ihre Ausweiskopie und an Ihr Geld zu kommen.
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-keine-immobilien-ueber-te…
∗∗∗ Check your SPF records: Wide IP ranges undo email security and make for tasty phishes ∗∗∗
---------------------------------------------
With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours.
---------------------------------------------
https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-em…
∗∗∗ Signed kernel drivers – Unguarded gateway to Windows’ core ∗∗∗
---------------------------------------------
ESET researchers look at malware that abuses vulnerabilities in kernel drivers and outline mitigation techniques against this type of exploitation.
---------------------------------------------
https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-g…
∗∗∗ Ransomware-Angreifer leakten möglicherweise frühere Opfer ∗∗∗
---------------------------------------------
Kürzlich wurden wir damit beauftragt, einen Ransomware-Angriff zu untersuchen. Wir konnten den wahrscheinlichen Angriffsvektor rekonstruieren und die wahrscheinlich gestohlenen Daten identifizieren. Was diesen Fall besonders interessant machte, war der Mechanismus zum Exfiltrieren von Daten.
---------------------------------------------
https://certitude.consulting/blog/de/ransomware-leak-de/
∗∗∗ How to Analyze Malicious Microsoft Office Files ∗∗∗
---------------------------------------------
Most phishing attacks arrive via emails containing malicious attachments. A seemingly innocent Microsoft Word file, for example, can be the initial infection stage of a dangerous attack where a threat actor uses a document to deliver malware.
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-o…
∗∗∗ Windows Server: Januar 2022-Sicherheitsupdates verursachen Boot-Schleife ∗∗∗
---------------------------------------------
Administratoren von Windows Domain Controllern sollten mit der Installation der Sicherheitsupdates von Januar 2022 vorsichtig sein.Mir liegen inzwischen zahlreiche Berichte vor, dass die Windows Server, die als Domain Controller fungieren, anschließend nicht mehr booten.
---------------------------------------------
https://www.borncity.com/blog/2022/01/12/windows-server-januar-2022-sicherh…
∗∗∗ Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome ∗∗∗
---------------------------------------------
The ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet Explorer (IE) vulnerabilities.
---------------------------------------------
https://asec.ahnlab.com/en/30645/
∗∗∗ Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure ∗∗∗
---------------------------------------------
Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users information.
---------------------------------------------
http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Make sure youre up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out ∗∗∗
---------------------------------------------
Nothing like topping off unauthd remote code execution with a su password of ... password. Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/01/11/sonicwall_mu…
∗∗∗ Cisco Security Advisories 2022-01-12 ∗∗∗
---------------------------------------------
1 Critical, 8 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM published 14 Security Bulletins
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Patchday: Trojaner könnte sich über kritische Windows-Lücke wurmartig verbreiten ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für Office, Windows & Co. erschienen. Der Großteil der geschlossenen Lücken ist mit dem Bedrohungsgrad "hoch" eingestuft.
---------------------------------------------
https://heise.de/-6323634
∗∗∗ Patchday Adobe: Acrobat und Reader bekommen jede Menge Sicherheitsupdates ∗∗∗
---------------------------------------------
Angreifer könnten auf Computern mit Adobe-Anwendungen Schadcode platzieren. Dagegen abgesicherte Versionen schaffen Abhilfe.
---------------------------------------------
https://heise.de/-6323723
∗∗∗ Patchday: SAP schließt in mehreren Anwendungen Lücke mit Höchstwertung ∗∗∗
---------------------------------------------
Der deutsche Software-Hersteller SAP kümmert sich unter anderem um eine kritische Lücke in seinem Portfolio.
---------------------------------------------
https://heise.de/-6323843
∗∗∗ Firefox, Thunderbird: Angreifer könnten Opfer im Vollbildmodus gefangen halten ∗∗∗
---------------------------------------------
Mozillas Mailclient und Webrowser sind Versionen erschienen, die gegen verschiedene Attacken gewappnetet sind.
---------------------------------------------
https://heise.de/-6323936
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cfrpki, gdal, and lighttpd), Fedora (perl-CPAN and roundcubemail), Mageia (firefox), openSUSE (jawn, kernel, and thunderbird), Oracle (kernel, openssl, and webkitgtk4), Red Hat (cpio, idm:DL1, kernel, kernel-rt, openssl, virt:av and virt-devel:av, webkit2gtk3, and webkitgtk4), Scientific Linux (openssl and webkitgtk4), SUSE (kernel and thunderbird), and Ubuntu (apache-log4j2, ghostscript, and lxml).
---------------------------------------------
https://lwn.net/Articles/881144/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities ∗∗∗
---------------------------------------------
The first round of security advisories released by Siemens and Schneider Electric in 2022 address a total of 40 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ Credential Disclosure in Web Interface of Crestron Device ∗∗∗
---------------------------------------------
When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are validto authenticate to the web interface.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/
∗∗∗ Released: January 2022 Exchange Server Security Updates ∗∗∗
---------------------------------------------
Microsoft has released security updates for vulnerabilities found in any version of: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-…
∗∗∗ QNX-2022-001 Vulnerability in QNX Neutrino Kernel Impacts QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety ∗∗∗
---------------------------------------------
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe…
∗∗∗ Apache Guacamole: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0037
∗∗∗ Vulnerability in QTS and QuTS hero ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-57
∗∗∗ Stack Overflow Vulnerability in QVR Elite, QVR Pro, and QVR Guard ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-59
∗∗∗ XSS and Open Redirect Vulnerabilities in QcalAgent ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-60
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 10-01-2022 18:00 − Dienstag 11-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ l+f: Malware-Entwickler kuscheln etwas zu eng mit ihrem Trojaner ∗∗∗
---------------------------------------------
Sicherheitsforscher bekommen unerwartet Hilfe. [...] Einem Bericht von Malwarebytes zufolge gehen alle gesammelten Informationen auf ein Missgeschick der Hintermänner der Kampagne zurück: Die Malware-Entwickler haben ihre Entwicklungsumgebung mit dem eigenen Trojaner infiziert.
---------------------------------------------
https://heise.de/-6323191
∗∗∗ macOS-Lücke: Spionieren über Teams und andere Apps ∗∗∗
---------------------------------------------
Microsoft hat Details zu einem Bug publiziert, mit dem es möglich war, den Systemschutz TCC zu umgehen, der eigentlich Mac-Nutzer vor Datenabgriff bewahrt.
---------------------------------------------
https://heise.de/-6322269
∗∗∗ Facebook-Währung „Diem“ nicht bei thediemtoken.com kaufen ∗∗∗
---------------------------------------------
Diem – eine Kryptowährung, die ursprünglich Libra hieß, wird vermutlich bald verfügbar sein. Kriminelle bieten Diem aber schon jetzt auf ihren betrügerischen Trading-Plattformen wie „thediemtoken.com“ an. Auf Facebook, Instagram und Co werden diese dann beworben, um möglichst viele AnlegerInnen in die Falle zu locken. Vorsicht: Wer dort investiert, verliert sein Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/facebook-waehrung-diem-nicht-bei-the…
∗∗∗ Linux version of AvosLocker ransomware targets VMware ESXi servers ∗∗∗
---------------------------------------------
AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-…
∗∗∗ Night Sky ransomware uses Log4j bug to hack VMware Horizon servers ∗∗∗
---------------------------------------------
The Night Sky ransomware gang has started to exploit the critical CVE-2021-4422 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-lo…
∗∗∗ Millions of Routers Exposed to RCE by USB Kernel Bug ∗∗∗
---------------------------------------------
The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al.
---------------------------------------------
https://threatpost.com/millions-routers-exposed-bug-usb-module-kcodes-netus…
∗∗∗ Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters ∗∗∗
---------------------------------------------
TL;DR This research led to: * Five high severity vulnerabilities: CVE-2021-28847, CVE-2021-28848, CVE-2021-32198, CVE-2021-33500 and CVE-2021-42095. We found a way to cause a remote DoS on the terminal client’s host. * An ANSI escape characters injection vulnerability in OpenShift and Kubernetes (CVE-2021-25743). * Three additional vulnerabilities: CVE-2021-31701, CVE-2021-37326 and CVE-2021-40147. We found a way to bypass the bracket paste mode mechanism inside the terminals.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-tit…
∗∗∗ Domain Escalation – sAMAccountName Spoofing ∗∗∗
---------------------------------------------
Microsoft has released patches in order to prevent successful exploitation. However, there are many occasions where patches are not applied on time which creates a time period which this technique could be leveraged during a red team assessment. The prerequisites of the technique are the following: * A domain controller which is missing the KB5008380 and KB5008602 security patches * A valid domain user account * The machine account quota to be above 0
---------------------------------------------
https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofin…
∗∗∗ What Is FIM (File Integrity Monitoring)? ∗∗∗
---------------------------------------------
Change is prolific in organizations’ IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during an organization’s regular patching cycle, while others cause concern by popping up unexpectedly. Organizations commonly respond to this dynamism by investing in asset discovery and secure configuration management [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/securit…
∗∗∗ SFile (Escal) ransomware ported for Linux attacks ∗∗∗
---------------------------------------------
The operators of the SFile ransomware, also known as Escal, have ported their malware to work and encrypt files on Linux-based operating systems.
---------------------------------------------
https://therecord.media/sfile-escal-ransomware-ported-for-linux-attacks/
∗∗∗ New SysJoker Backdoor Targets Windows, Linux, and macOS ∗∗∗
---------------------------------------------
Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal.
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical SonicWall NAC Vulnerability Stems from Apache Mods ∗∗∗
---------------------------------------------
Researchers offer more detail on the bug, which can allow attackers to completely take over targets.
---------------------------------------------
https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/
∗∗∗ Microsoft: macOS Powerdir Flaw Could Let Attackers Gain Access to User Data ∗∗∗
---------------------------------------------
Microsoft today disclosed a vulnerability in Apples macOS that could enable an attacker to gain unauthorized access to protected user data through bypassing the Transparency, Consent, and Control (TCC) technology in the operating system. [...] Apple addressed CVE-2021-30970, dubbed "Powerdir," in a rollout of security updates released on Dec. 13.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/microsoft-macos-powerdi…
∗∗∗ Siemens Security Advisories ∗∗∗
---------------------------------------------
Siemens hat am 2022-01-11 5 neue und 7 aktualiserte Advisories veröffentlicht. (CVSS Scores von 3.4 bis 9.9)
---------------------------------------------
https://new.siemens.com/de/de/produkte/services/cert.html#SecurityVeroffent…
∗∗∗ PHOENIX CONTACT: BLUEMARK X1 / LED / CLED printers utilizing the Siemens Nucleus RTOS TCP/IP Stack ∗∗∗
---------------------------------------------
The TCP/IP stack and of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) contain several vulnerabilities. Nucleus NET is utilized by BLUEMARK X1 / LED / CLED. The abovementioned BLUEMARK printers are discontinued and only impacted by a subset of 8 of the 13 discovered vulnerabilities.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-059/
∗∗∗ HPESBUX04206 rev.1 - HP-UX Telnetd, Remote Execution of Arbitrary Code ∗∗∗
---------------------------------------------
A potential security vulnerability has been identified with HP-UX telnetd which allows remote attackers to execute arbitrary code via short writes or urgent data. This is due to a remote buffer overflow involving the netclear and nextitem functions.
---------------------------------------------
https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739&elq_cid=67018…
∗∗∗ SAP Security Patch Day - January 2022 ∗∗∗
---------------------------------------------
On 11th of January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously. Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to Apache Log4j 2 component. This security note is a living document that will be updated when a new Security Note is released. So, please refer the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes.
---------------------------------------------
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035
∗∗∗ Citrix Workspace App for Linux Security Update ∗∗∗
---------------------------------------------
A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux.
---------------------------------------------
https://support.citrix.com/article/CTX338435
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
Update on IBM’s response: IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...]
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (clamav, vim, and wordpress), Mageia (ghostscript, osgi-core, apache-commons-compress, python-django, squashfs-tools, and suricata), openSUSE (libsndfile, net-snmp, and systemd), Oracle (httpd:2.4, kernel, and kernel-container), SUSE (libsndfile, libvirt, net-snmp, and systemd), and Ubuntu (exiv2, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.10, linux-oracle, [...]
---------------------------------------------
https://lwn.net/Articles/881005/
∗∗∗ Synology-SA-22:01 DSM ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers, or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_01
∗∗∗ Johnson Controls VideoEdge ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Handling of Syntactically Invalid Structure vulnerability in the Sensormatic Electronics VideoEdge network video recorder. Sensormatic Electronics is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-011-01
∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/01/10/cisa-adds-15-know…
∗∗∗ January 10th 2022 Security Releases ∗∗∗
---------------------------------------------
Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues. Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0026
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 07-01-2022 18:00 − Montag 10-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FBI-Warnung: FIN7-Bande verschickt USB-Sticks mit Ransomware ∗∗∗
---------------------------------------------
Die Speichermedien mit der Malware erreichen US-Firmen etwa in der Rüstungsindustrie laut dem FBI getarnt als Geschenkbox oder Covid-19-Leitlinien.
---------------------------------------------
https://heise.de/-6321079
∗∗∗ FluBot malware now targets Europe posing as Flash Player app ∗∗∗
---------------------------------------------
The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-e…
∗∗∗ Trojanized dnSpy app drops malware cocktail on researchers, devs ∗∗∗
---------------------------------------------
Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-m…
∗∗∗ Wheres the Interpreter!? ∗∗∗
---------------------------------------------
CVE-2021-30853 was able to bypass file quarantine, gatekeeper, & notarization requirements. In this post, we show exactly why!
---------------------------------------------
https://objective-see.com/blog/blog_0x6A.html
∗∗∗ TShark & jq, (Sat, Jan 8th) ∗∗∗
---------------------------------------------
TShark (Wireshark's command-line version) can output JSON data, as shown in diary entry "Quicktip: TShark's Options -e and -T".
---------------------------------------------
https://isc.sans.edu/diary/rss/28194
∗∗∗ Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th) ∗∗∗
---------------------------------------------
There is also a video of this analysis.
---------------------------------------------
https://isc.sans.edu/diary/rss/28200
∗∗∗ BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks ∗∗∗
---------------------------------------------
Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science.
---------------------------------------------
https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.h…
∗∗∗ Sophisticated phishing scheme spent years robbing authors of their unpublished work ∗∗∗
---------------------------------------------
The FBI says a multi-year phishing attack targeting authors and book publishers, and stole unpublished novels, manuscripts and other books.
---------------------------------------------
https://blog.malwarebytes.com/scams/2022/01/sophisticated-phishing-scheme-s…
∗∗∗ Tool Release - insject: A Linux Namespace Injector ∗∗∗
---------------------------------------------
tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters.
---------------------------------------------
https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-names…
∗∗∗ U.S. Government Issues Warning Over Commercial Surveillance Tools ∗∗∗
---------------------------------------------
The U.S. State Department and the National Counterintelligence and Security Center (NCSC) on Friday issued a warning over the use of commercial surveillance tools.
---------------------------------------------
https://www.securityweek.com/us-government-issues-warning-over-commercial-s…
∗∗∗ Abcbot botnet is linked to Xanthe cryptojacking group ∗∗∗
---------------------------------------------
Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks.
---------------------------------------------
https://www.zdnet.com/article/abcbot-botnet-has-now-been-linked-to-xanthe-c…
∗∗∗ Kernel Karnage - Part 8 (Getting Around DSE) ∗∗∗
---------------------------------------------
When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar.
---------------------------------------------
https://blog.nviso.eu/2022/01/10/kernel-karnage-part-8-getting-around-dse/
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities ∗∗∗
---------------------------------------------
Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.
---------------------------------------------
https://kb.cert.org/vuls/id/142629
∗∗∗ Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries ∗∗∗
---------------------------------------------
A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, [...]
---------------------------------------------
https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html
∗∗∗ Qnap warnt vor Ransomware-Attacken auf Netzwerkspeicher ∗∗∗
---------------------------------------------
Es gibt wichtige Tipps zur Absicherung von NAS-Geräten von Qnap und aktuelle Sicherheitsupdates.
---------------------------------------------
https://heise.de/-6321485
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...]
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/880807/
∗∗∗ SonicWall Patches Y2K22 Bug in Email Security, Firewall Products ∗∗∗
---------------------------------------------
Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates.
---------------------------------------------
https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-fir…
∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. Chitubox is 3-D printing software for users to download and process models and send them [...]
---------------------------------------------
http://blog.talosintelligence.com/2022/01/vulnerability-spotlight-buffer-ov…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0016
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 05-01-2022 18:00 − Freitag 07-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google Docs commenting feature exploited for spear-phishing ∗∗∗
---------------------------------------------
A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-docs-commenting-featu…
∗∗∗ Night Sky is the latest ransomware targeting corporate networks ∗∗∗
---------------------------------------------
Its a new year, and with it comes a new ransomware to keep an eye on called Night Sky that targets corporate networks and steals data in double-extortion attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-rans…
∗∗∗ New Mac Malware Samples Underscore Growing Threat ∗∗∗
---------------------------------------------
A handful of malicious tools that emerged last year showed threat actors may be getting more serious about attacking Apple macOS and iOS environments.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/new-mac-malware-samples…
∗∗∗ Custom Python RAT Builder, (Fri, Jan 7th) ∗∗∗
---------------------------------------------
This week I already wrote a diary about "code reuse" in the malware landscape but attackers also have plenty of tools to generate new samples on the fly.
---------------------------------------------
https://isc.sans.edu/diary/rss/28224
∗∗∗ NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance ∗∗∗
---------------------------------------------
When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point.
---------------------------------------------
https://thehackernews.com/2022/01/nist-cybersecurity-framework-quick.html
∗∗∗ iPhone-Angriff: Hacker könnten Reboot verunmöglichen ∗∗∗
---------------------------------------------
Malware wie die iOS-Version der Spyware Pegasus gehen nach einem Neustart verloren. Dieser lässt sich allerdings unterbinden, wie eine Sicherheitsfirma zeigt.
---------------------------------------------
https://heise.de/-6319430
∗∗∗ Patchday Android: Angreifer könnten sich weitreichende Berechtigungen aneignen ∗∗∗
---------------------------------------------
Google und weitere Smartphone-Hersteller haben wichtige Sicherheitsupdates für Android 9, 10, 11 und 12 veröffentlicht.
---------------------------------------------
https://heise.de/-6320248
∗∗∗ Vermeintlicher Amazon-Kundendienst verschickt betrügerische Mails zu Kundenprämienprogramm ∗∗∗
---------------------------------------------
LeserInnen melden uns derzeit eine E-Mail, die angeblich vom Amazon-Kundendienst stammt. Tatsächlich stecken Kriminelle dahinter.
---------------------------------------------
https://www.watchlist-internet.at/news/vermeintlicher-amazon-kundendienst-v…
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP warns of ransomware targeting Internet-exposed NAS devices ∗∗∗
---------------------------------------------
QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-tar…
∗∗∗ NHS warns of hackers exploiting Log4Shell in VMware Horizon ∗∗∗
---------------------------------------------
UKs National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploit…
∗∗∗ Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console ∗∗∗
---------------------------------------------
Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month.
---------------------------------------------
https://thehackernews.com/2022/01/log4shell-like-critical-rce-flaw.html
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 36 Security Bulletins veröffentlicht
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Sicherheitsupdate: Angreifer könnten sich auf WordPress-Websites einnisten ∗∗∗
---------------------------------------------
In der aktuellen Version des Content Management System WordPress haben die Entwickler vier Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-6320363
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (log4j and quaternion), Mageia (gnome-shell and singularity), SUSE (libsndfile, libvirt, net-snmp, and python-Babel), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, [...]
---------------------------------------------
https://lwn.net/Articles/880564/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sphinxsearch), Fedora (chromium and vim), Red Hat (rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and Ubuntu (apache2 and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/880672/
∗∗∗ January 5, 2022 TNS-2022-01 [R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2022-01
∗∗∗ January 5, 2022 TNS-2022-02 [R1] Nessus Network Monitor 6.0.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2022-02
∗∗∗ VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Log-Dateien ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0006
∗∗∗ Drupal Plugins: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0014
∗∗∗ Omron CX-One ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-006-01
∗∗∗ Fernhill SCADA ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-006-02
∗∗∗ IDEC PLCs ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03
∗∗∗ Philips Engage Software ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-22-006-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 04-01-2022 18:00 − Mittwoch 05-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iOS malware can fake iPhone shut downs to snoop on camera, microphone ∗∗∗
---------------------------------------------
Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ios-malware-can-fake-iphone-…
∗∗∗ Code Reuse In the Malware Landscape, (Wed, Jan 5th) ∗∗∗
---------------------------------------------
Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve?
---------------------------------------------
https://isc.sans.edu/diary/rss/28216
∗∗∗ New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification ∗∗∗
---------------------------------------------
An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsofts digital signature verification to siphon user credentials and sensitive information.
---------------------------------------------
https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html
∗∗∗ Elephant Beetle: Uncovering an organized financial-theft operation ∗∗∗
---------------------------------------------
Using an arsenal of over 80 unique tools & scripts, the group executes its attacks patiently over long periods of time, blending in with the target’s environment and going completely undetected while it quietly liberates organizations of large amounts of money.
---------------------------------------------
https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operati…
∗∗∗ „Media Markt Exclusive Giveaway“ Aktion ist Fake! ∗∗∗
---------------------------------------------
Auf Facebook werden derzeit Links zu einer nachgeahmten Media Markt Seite verbreitet. Dort heißt es, dass Media Markt landesweit Filialen schließt und daher eine „Online-Aktion“ durchführt. KonsumentInnen hätten so die Chance, Produkte wie iPhones, Macbooks, Playstations und mehr günstig zu kaufen. Wer bei dieser Aktion mitmacht, verliert jedoch Geld und erhält keine der versprochenen Produkte.
---------------------------------------------
https://www.watchlist-internet.at/news/media-markt-exclusive-giveaway-aktio…
∗∗∗ Malware Reverse Engineering for Beginners – Part 1: From 0x0 ∗∗∗
---------------------------------------------
Malware researchers require a diverse skill set usually gained over time through experience and self-training. Reverse engineering (RE) is an integral part of malware analysis and research but it is also one of the most advanced skills a researcher can have.
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/malware-reverse-engineering-b…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-01-05 ∗∗∗
---------------------------------------------
IBM hat 26 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ VMware-Sicherheitsupdates: Virtuelles CD-ROM-Laufwerk als Angreifer-Schlupfloch ∗∗∗
---------------------------------------------
VMware warnt vor einer Lücke in seinen Anwendungen für virtuelle Maschinen Cloud Foundation, ESXi, Fusion und Workstation. Einige Patches fehlen noch.
---------------------------------------------
https://heise.de/-6318269
∗∗∗ Sicherheitspatches: Angreifer könnten Datenbanken in IBM Db2 manipulieren ∗∗∗
---------------------------------------------
IBM hat Sicherheitslücken in mehreren Anwendungen wie Cloud Private, Db2 und Elastic Search geschlossen. Außerdem gibt es Neuigkeiten zu Log4j-Anfälligkeiten.
---------------------------------------------
https://heise.de/-6318740
∗∗∗ Entwickler schließen 37 Sicherheitslücken in Chrome 97 ∗∗∗
---------------------------------------------
Die Vorgängerversion von Chrome 97 enthielt mindestens eine kritische Sicherheitslücke. Angreifer hätten vermutlich eingeschleusten Code ausführen können.
---------------------------------------------
https://heise.de/-6318885
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (xorg-x11-server), Debian (apache2), openSUSE (libvirt), Oracle (grafana, qemu, and xorg-x11-server), Red Hat (idm:DL1, samba, and telnet), SUSE (libvirt), and Ubuntu (python-django).
---------------------------------------------
https://lwn.net/Articles/880454/
∗∗∗ Google Patches 48 Vulnerabilities With First Set of 2022 Android Updates ∗∗∗
---------------------------------------------
Google this week published information on the first set of 2022 security updates for Android, describing a total of 48 vulnerabilities that were addressed across Android OS, Pixel devices, and Android Automotive OS.
---------------------------------------------
https://www.securityweek.com/google-patches-48-vulnerabilities-first-set-20…
∗∗∗ K10396196: Linux RPM vulnerability CVE-2021-20271 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10396196
∗∗∗ WAGO: Smart Script affected by Log4Shell Vulnerability ∗∗∗
---------------------------------------------
http://cert.vde.com/de/advisories/VDE-2021-060/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 03-01-2022 18:00 − Dienstag 04-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ A Simple Batch File That Blocks People, (Tue, Jan 4th) ∗∗∗
---------------------------------------------
I found another script that performs malicious actions. Its a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53).
---------------------------------------------
https://isc.sans.edu/diary/rss/28212
∗∗∗ Purple Fox rootkit now bundled with Telegram installer ∗∗∗
---------------------------------------------
The Purple Fox malware family has been found to combine its payload with trusted apps in an interesting way.
---------------------------------------------
https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundle…
∗∗∗ Mails zu Hacks von einer Telefonnummer? Nicht zurückrufen! ∗∗∗
---------------------------------------------
Kriminelle versenden aktuell E-Mails, bei denen als Absender eine Telefonnummer angezeigt wird. Angeblich wurden die Systeme der EmpfängerInnen gehackt und mit Viren infiziert. Deshalb müsse dringend die Nummer zurückgerufen werden. Achtung: Hier lauert eine Falle und die E-Mail kann ignoriert werden.
---------------------------------------------
https://www.watchlist-internet.at/news/mails-zu-hacks-von-einer-telefonnumm…
∗∗∗ A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain ∗∗∗
---------------------------------------------
A supply chain attack leveraging a cloud video platform to distribute web skimmer campaigns compromised more than 100 real estate sites.
---------------------------------------------
https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/
∗∗∗ Log4j flaw attack levels remain high, Microsoft warns ∗∗∗
---------------------------------------------
Organizations mights not realize their environments are already compromised.
---------------------------------------------
https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-proble…
∗∗∗ State-of-the-art EDRs are not perfect, fail to detect common attacks ∗∗∗
---------------------------------------------
A team of Greek academics has tested endpoint detection & response (EDR) software from 11 of todays top cybersecurity firms and found that many fail to detect some of the most common attack techniques used by advanced persistent threat actors, such as state-sponsored espionage groups and ransomware gangs.
---------------------------------------------
https://therecord.media/state-of-the-art-edrs-are-not-perfect-fail-to-detec…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (salt and thunderbird), Red Hat (xorg-x11-server), and Scientific Linux (xorg-x11-server).
---------------------------------------------
https://lwn.net/Articles/880327/
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Copy Data Management (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Apache Log4j vulnerabilities impact IBM Sterling Connect:Direct for UNIX (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability(CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana…
∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities(CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ VMSA-2022-0001 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0001.html
∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0002
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 30-12-2021 18:00 − Montag 03-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Dont copy-paste commands from webpages — you can get hacked ∗∗∗
---------------------------------------------
Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal risk having their system compromised. Wizers Gabriel Friedlander demonstrates an obvious, simple yet stunning trick that'll make you think twice before copying-pasting text from web pages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-fro…
∗∗∗ Do you want your Agent Tesla in the 300 MB or 8 kB package?, (Fri, Dec 31st) ∗∗∗
---------------------------------------------
Since today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year.
---------------------------------------------
https://isc.sans.edu/diary/rss/28202
∗∗∗ McAfee Phishing Campaign with a Nice Fake Scan, (Mon, Jan 3rd) ∗∗∗
---------------------------------------------
I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared.
---------------------------------------------
https://isc.sans.edu/diary/rss/28208
∗∗∗ Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations ∗∗∗
---------------------------------------------
Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis.
---------------------------------------------
https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html
∗∗∗ Nach Ransomware-Angriff: Webseiten mehrerer Medien aus Portugal offline ∗∗∗
---------------------------------------------
Eine neue Ransomware-Gruppe hat den portugiesischen Medienkonzern Impresa angegriffen. Mehrere Medien können aktuell nur über Social Media Meldungen verbreiten.
---------------------------------------------
https://heise.de/-6316020
∗∗∗ Y2K22-Bug stoppt Exchange-Mailzustellung: Antimalware-Engine stolpert über 2022 ∗∗∗
---------------------------------------------
Zum Jahreswechsel streiken weltweit zahlreiche Exchange-Server, weil die FIP-FS-Scan-Engine sich an der Jahreszahl verhebt. Immerhin gibt es temporäre Abhilfe.
---------------------------------------------
https://heise.de/-6315605
∗∗∗ On the malicious use of large language models like GPT-3 ∗∗∗
---------------------------------------------
Or, “Can large language models generate exploits?”
---------------------------------------------
https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-lang…
∗∗∗ Detecting anomalous Vectored Exception Handlers on Windows ∗∗∗
---------------------------------------------
We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous.
---------------------------------------------
https://research.nccgroup.com/2022/01/03/detecting-anomalous-vectored-excep…
∗∗∗ Shodan Verified Vulns 2022-01-01 ∗∗∗
---------------------------------------------
Auch dieses Monat sehen wir wieder einen deutlichen Rückgang der verwundbaren Exchange-Server. Neu hinzugekommen ist die Grafana Path Traversal Schwachstelle CVE-2021-43798, welche am 7. Dezember veröffentlicht wurde.
---------------------------------------------
https://cert.at/de/aktuelles/2022/1/shodan-verified-vulns-2022-01-01
∗∗∗ Log4j Scanners ∗∗∗
---------------------------------------------
There are 19 tools, and each has certain stipulations with it. I would suggest take a look.
---------------------------------------------
https://securitythreatnews.com/2022/01/03/log4j-scanners/
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple: Sicherheitslücke kann iPhones und iPads unbenutzbar machen ∗∗∗
---------------------------------------------
Über eine Sicherheitslücke in Apples Homekit lassen sich iPhones erst nach einem Reset wieder nutzen. Ein Update hat Apple verschoben.
---------------------------------------------
https://www.golem.de/news/apple-sicherheitsluecke-kann-iphones-und-ipads-un…
∗∗∗ Rootkit schlüpft durch Lücke in HPEs Fernwartung iLO ∗∗∗
---------------------------------------------
Eine Iranische Security-Firma hat ein Rootkit entdeckt, das sich in Hewlett Packards Fernwartungstechnik "Integrated Lights-Out" (iLO) eingenistet hat.
---------------------------------------------
https://heise.de/-6315714
∗∗∗ Jetzt patchen: Netgear-Router Nighthawk R6700v3 könnte Passwörter leaken ∗∗∗
---------------------------------------------
Angreifer könnten Nighthawk-Router von Netgear attackieren. Es könnten noch weitere Modelle betroffen sein. Aktuelle Firmware-Versionen sollen Abhilfe schaffen.
---------------------------------------------
https://heise.de/-6316037
∗∗∗ Trend Micro Apex One und Worry-Free Business Security gefährden Windows-PCs ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für die Schutzlösungen Apex One und Worry-Free Business Security von Trend Micro erschienen.
---------------------------------------------
https://heise.de/-6316263
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (agg, aria2, fort-validator, and lxml), Fedora (libgda, pgbouncer, and xorg-x11-server-Xwayland), Mageia (calibre, e2guardian, eclipse, libtpms/swtpm, nodejs, python-lxml, and toxcore), openSUSE (c-toxcore, gegl, getdata, kernel-firmware, log4j, postrsd, and privoxy), and SUSE (gegl).
---------------------------------------------
https://lwn.net/Articles/880100/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird), Fedora (kernel, libopenmpt, and xorg-x11-server), Mageia (gegl, libgda5.0, log4j, ntfs-3g, and wireshark), openSUSE (log4j), and Red Hat (grafana).
---------------------------------------------
https://lwn.net/Articles/880232/
∗∗∗ Security Bulletin: IBM Insurance Information Warehouse is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-insurance-information…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Banking and Financial Markets Data Warehouse (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Unified Data Model for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-unified-data-model-fo…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Data Model for Energy and Utilities is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-model-for-energy…
∗∗∗ Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-apac…
∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-ibm-i2…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale for IBM Elastic Storage Server (CVE-2021-45105,CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Elastic Storage System (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus (CVE-2021-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 29-12-2021 18:00 − Donnerstag 30-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Hiding malware inside the flex capacity space on modern SSDs ∗∗∗
---------------------------------------------
Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location thats beyond the reach of the user and security solutions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hiding-malware-inside-the-fl…
∗∗∗ Agent Tesla Updates SMTP Data Exfiltration Technique, (Thu, Dec 30th) ∗∗∗
---------------------------------------------
Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data. This malware has been around since 2014, and SMTP is its most common method for data exfiltration.
---------------------------------------------
https://isc.sans.edu/diary/rss/28190
∗∗∗ LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ∗∗∗
---------------------------------------------
Users of the popular LastPass password manager are being targeted in so-called “credential stuffing” attacks that use email addresses and passwords obtained from third-party breaches.
---------------------------------------------
https://www.securityweek.com/lastpass-automated-warnings-linked-%E2%80%98cr…
∗∗∗ Android 12: Samsung überrascht zum Jahresende mit regelrechter Update-Flut ∗∗∗
---------------------------------------------
Updates für praktisch alle High-End-Smartphones der vergangenen drei Jahre veröffentlicht. Selbst erste Tablets werden schon bedient.
---------------------------------------------
https://www.derstandard.at/story/2000132240383/android-12-samsung-ueberrasc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (advancecomp, apache-log4j2, postgis, spip, uw-imap, and xorg-server), Mageia (kernel and kernel-linus), Scientific Linux (log4j), and SUSE (kernel-firmware and mariadb).
---------------------------------------------
https://lwn.net/Articles/880039/
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Guardium Data Encryption (GDE) (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Trend Micro Apex One und Trend Micro Worry-Free Business Security: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1320
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 28-12-2021 18:00 − Mittwoch 29-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ RedLine malware shows why passwords shouldnt be saved in browsers ∗∗∗
---------------------------------------------
The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-pa…
∗∗∗ Microsoft Defender Log4j scanner triggers false positive alerts ∗∗∗
---------------------------------------------
Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the companys newly deployed Microsoft 365 Defender scanner for Log4j processes.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-sc…
∗∗∗ Wieder Sicherheitslücken in Herzschrittmachern gefunden ∗∗∗
---------------------------------------------
Auf der Online-Konferenz RC3 zeigten zwei Sicherheitsforscher, wie sie Cardio-Geräte unter die Lupe genommen haben.
---------------------------------------------
https://futurezone.at/digital-life/herzschrittmacher-sicherheitsluecken-rc3…
∗∗∗ Responsible Disclosure: Deine Software, die Sicherheitslücken und ich ∗∗∗
---------------------------------------------
Wie meldet man Sicherheitslücken eigentlich richtig? Und wie sollten Unternehmen damit umgehen? Zerforschung und CCC klären auf. Ein Bericht von Moritz Tremmel (rC3, API)
---------------------------------------------
https://www.golem.de/news/responsible-disclosure-deine-software-die-sicherh…
∗∗∗ LotL Classifier tests for shells, exfil, and miners, (Tue, Dec 28th) ∗∗∗
---------------------------------------------
A supervised learning approach to Living off the Land attack classification from Adobe SI
---------------------------------------------
https://isc.sans.edu/diary/rss/28184
∗∗∗ Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics ∗∗∗
---------------------------------------------
An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed. [...] Initial attacks involved executing a malicious command upon running a vanilla image named "alpine:latest" that resulted in the download of a shell script named "autom.sh." "Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use,"
---------------------------------------------
https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html
∗∗∗ Turning bad SSRF to good SSRF: Websphere Portal ∗∗∗
---------------------------------------------
In this blog post, we will explain how we discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how we turned a restrictive, bad SSRF to a good SSRF.
---------------------------------------------
https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
∗∗∗ Storage Devices of Major Vendors Impacted by Encryption Software Flaws ∗∗∗
---------------------------------------------
Earlier this month, SecurityWeek reported that Western Digital had updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks.
SanDisk SecureAccess, recently rebranded SanDisk PrivateAccess, is a piece of software that allows users to encrypt files and folders stored in a protected vault on SanDisk USB flash drives.[...] Pelissier detailed his findings this week at the Chaos Computer Club’s Remote Chaos Experience (rC3) virtual conference, where he revealed that the vulnerabilities were actually discovered in the DataVault encryption software made by ENC Security.
---------------------------------------------
https://www.securityweek.com/storage-devices-major-vendors-impacted-encrypt…
∗∗∗ Sicher kaufen auf Willhaben, Shpock & Co. ∗∗∗
---------------------------------------------
Sie sind auf der Suche nach gebrauchten Schnäppchen? Mit Kleinanzeigenplattformen wie willhaben, Shpock oder den Facebook Marketplace gibt es zahlreiche Möglichkeiten, um zu stöbern und das perfekte Schnäppchen zu finden. Allerdings sollten Sie beim Shoppen auf solchen Plattformen einige Punkte beachten.
---------------------------------------------
https://www.watchlist-internet.at/news/sicher-kaufen-auf-willhaben-shpock-c…
∗∗∗ Threat actor uses HP iLO rootkit to wipe servers ∗∗∗
---------------------------------------------
An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations.
---------------------------------------------
https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/
=====================
= Vulnerabilities =
=====================
∗∗∗ Log4Shell vulnerability Number Four: “Much ado about something” ∗∗∗
---------------------------------------------
CVE-2021-44832; Its a Log4j bug, and you ought to patch it. But we dont think its a critical crisis like the last one.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/12/29/log4shell-vulnerability-number-…
∗∗∗ SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products ∗∗∗
---------------------------------------------
This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-784507.txt
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, python-gnupg, resiprocate, and ruby-haml), Fedora (mod_auth_mellon), openSUSE (thunderbird), Slackware (wpa_supplicant), and SUSE (gegl).
---------------------------------------------
https://lwn.net/Articles/879995/
∗∗∗ D-LINK Router (DIR-2640 <= 1.11B02): Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um seine Privilegien zu erweitern, vertrauliche Informationen offenzulegen und beliebigen Code als root auszuführen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1313
∗∗∗ Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. ∗∗∗
---------------------------------------------
Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
- Citrix Endpoint Management (Citrix XenMobile Server): Impacted – Customers are advised to apply the latest CEM rolling patch updates
- Citrix Virtual Apps and Desktops (XenApp & XenDesktop): Impacted - Linux VDA (non-LTSR versions only)
---------------------------------------------
https://support.citrix.com/article/CTX335705
∗∗∗ Exposure of Sensitive Information in QTS, QuTS hero, and QuTScloud ∗∗∗
---------------------------------------------
CVE identifier: CVE-2021-34347
Affected products: All QNAP NAS
A vulnerability involving exposure of sensitive information has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-53
∗∗∗ Security Advisory - Cross-Site Scripting(XSS) Vulnerability in Huawei WS318n Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211229-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM SANnav software used by IBM b-type SAN directors and switches (CVE-2021-45105 and CV-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 27-12-2021 18:00 − Dienstag 28-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers ∗∗∗
---------------------------------------------
Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature thats dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group.
---------------------------------------------
https://thehackernews.com/2021/12/experts-detail-logging-tool-of.html
∗∗∗ V8 Heap pwn and /dev/memes - WebOS Root LPE ∗∗∗
---------------------------------------------
This is a writeup for my latest WebOS local root exploit chain, which Im calling WAMpage. ... This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want RootMyTV, which offers a reliable 1-click persistent root.
---------------------------------------------
https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html
∗∗∗ Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution ∗∗∗
---------------------------------------------
Recently observed malicious campaigns have abused Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines. [...] The threat actors typically gain access to the target environment using a valid remote desktop protocol (RDP) account, leverage remote Windows Services (SCM) for lateral movement, and abuse MSBuild to execute the Cobalt Strike Beacon payload.
---------------------------------------------
https://www.securityweek.com/threat-actors-abuse-msbuild-cobalt-strike-beac…
=====================
= Vulnerabilities =
=====================
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
Update December 28, 10:01am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (djvulibre, libzip, monit, novnc, okular, paramiko, postgis, rdflib, ruby2.3, and zziplib), openSUSE (chromium, kafka, and permissions), and SUSE (net-snmp and permissions).
---------------------------------------------
https://lwn.net/Articles/879952/
∗∗∗ Security Bulletin:IBM SPSS Modeler is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletinibm-spss-modeler-is-vulner…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ SSA-661247 V2.0 (Last Update: 2021-12-27): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 23-12-2021 18:00 − Montag 27-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Rook ransomware is yet another spawn of the leaked Babuk code ∗∗∗
---------------------------------------------
A new ransomware operation named Rook has appeared recently on the cyber-crime space, declaring a desperate need to make "a lot of money" by breaching corporate networks and encrypting devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rook-ransomware-is-yet-anoth…
∗∗∗ QNAP NAS devices hit in surge of ech0raix ransomware attacks ∗∗∗
---------------------------------------------
Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-nas-devices-hit-in-surg…
∗∗∗ Example of how attackers are trying to push crypto miners via Log4Shell, (Fri, Dec 24th) ∗∗∗
---------------------------------------------
While following Log4Shell's exploit attempts hitting our honeypots, I came across another campaign trying to push a crypto miner on the victims machines.
---------------------------------------------
https://isc.sans.edu/diary/rss/28172
∗∗∗ More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild ∗∗∗
---------------------------------------------
A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting and allowing cybercriminals to bypass two-factor authentication (2FA) security codes.
---------------------------------------------
https://therecord.media/more-than-1200-phishing-toolkits-capable-of-interce…
∗∗∗ QNAP Firmware-Update Version QTS 5.0.0.1891 build 20211221 und log4j-Schwachstelle ∗∗∗
---------------------------------------------
Der Hersteller QNAP hat kurz vor Weihnachten ein Firmware-Update für sein QTS 5 freigegeben. Das Update schließt einige Schwachstellen. Zudem wurde eine log4j-Schwachstelle in QNAP-Software gemeldet.
---------------------------------------------
https://www.borncity.com/blog/2021/12/26/qnap-firmware-update-version-qts-5…
=====================
= Vulnerabilities =
=====================
∗∗∗ Garrett Walk-Through Metal Detectors Can Be Hacked Remotely ∗∗∗
---------------------------------------------
A number of security flaws have been uncovered in a networking component in Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, tamper with metal detector configurations, and even execute arbitrary code on the devices.
---------------------------------------------
https://thehackernews.com/2021/12/garrett-walk-through-metal-detectors.html
∗∗∗ Remote Code Execution Vulnerabilities in Veritas Enterprise Vault ∗∗∗
---------------------------------------------
Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault Server. CVSS v3.1 Base Score 9.8 CVEs: CVE-2021-44679, CVE-2021-44680, CVE-2021-44678, CVE-2021-44677, CVE-2021-44682, CVE-2021-44681
---------------------------------------------
https://www.veritas.com/content/support/en_US/security/VTS21-003
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 33 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (httpd and singularity), Mageia (ldns, netcdf, php, ruby, thrift/golang-github-apache-thrift, thunderbird, and webkit2), openSUSE (go1.16, go1.17, libaom, and p11-kit), and SUSE (go1.16, go1.17, htmldoc, libaom, libvpx, logstash, openssh-openssl1, python3, and runc).
---------------------------------------------
https://lwn.net/Articles/879791/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j2, libextractor, libpcap, and wireshark), Fedora (grub2, kernel, libopenmpt, log4j, mingw-binutils, mingw-python-lxml, and seamonkey), Mageia (golang, lapack/openblas, and samba), and openSUSE (go1.16, libaom, log4j12, logback, and runc).
---------------------------------------------
https://lwn.net/Articles/879891/
∗∗∗ SolarWinds - multiple advisories ∗∗∗
---------------------------------------------
https://www.solarwinds.com/trust-center/security-advisories
∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-…
∗∗∗ K16090693: Apache HTTP server vulnerability CVE-2021-44224 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16090693
∗∗∗ Moxa MGate Protocol Gateways ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-357-01
∗∗∗ Johnson Controls exacq Enterprise Manager ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-357-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 22-12-2021 18:00 − Donnerstag 23-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Dridex malware trolls employees with fake job termination emails ∗∗∗
---------------------------------------------
A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a seasons greeting message.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employ…
∗∗∗ Microsoft Azure App Service flaw exposed customer source code ∗∗∗
---------------------------------------------
A security flaw found in Azure App Service, a Microsoft-managed platform for building and hosting web apps, led to the exposure of PHP, Node, Python, Ruby, or Java customer source code for at least four years, since 2017.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-azure-app-service-…
∗∗∗ Honeypot experiment reveals what hackers want from IoT devices ∗∗∗
---------------------------------------------
A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-…
∗∗∗ Attackers, CSIRTs and Individual Rights: Clarified ∗∗∗
---------------------------------------------
A few years ago I wrote a post on how the GDPR copes with situations when there was a conflict between the obligation to prevent, detect and investigate incidents and the obligation to inform all those whose personal data you process. GDPR Article 14(5) provides a general tool for resolving that conflict: you don’t need to inform if doing so “is likely to render impossible or seriously impair the achievement of the objectives of that processing”.
---------------------------------------------
https://regulatorydevelopments.jiscinvolve.org/wp/2021/12/22/attackers-csir…
∗∗∗ Microsoft Teams blockiert Notrufe mit Android-Handys – Update einspielen ∗∗∗
---------------------------------------------
Die Android-App für Microsoft Teams kann unter Umständen Notrufe vom Handy verhindern. Die aktuelle Version soll das unterlassen. [...] Wie es überhaupt dazu kommen kann, dass eine App ohne Root-Rechte die wichtigste Funktion des Telefons sabotieren kann, verraten weder Google noch Microsoft. [...] Das zugrundeliegende Sicherheitsproblem in Android möchte Google mit dem ersten Android-Sicherheitsupdate im neuen Jahr beheben.
---------------------------------------------
https://heise.de/-6306221
∗∗∗ Audio bugging with the Fisher Price Chatter Bluetooth Telephone ∗∗∗
---------------------------------------------
The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute!
Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances.
---------------------------------------------
https://www.pentestpartners.com/security-blog/audio-bugging-with-the-fisher…
∗∗∗ This new ransomware has simple but very clever tricks to evade PC defenses ∗∗∗
---------------------------------------------
One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target's intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe.
---------------------------------------------
https://www.zdnet.com/article/this-new-ransomware-has-simple-but-very-cleve…
∗∗∗ Log4j Vulnerabilities: Attack Insights ∗∗∗
---------------------------------------------
Symantec [..] has observed numerous variations in attack requests primarily aimed at evading detection. [..] Attackers are predominantly using the LDAP and RMI protocols to download malicious payloads. We have also recorded vulnerability scans using protocols such as IIOP, DNS, HTTP, NIS etc.
Payloads: Muhstik Botnet, XMRig miner, Malicious class file backdoor, Reverse Bash shell. Other publicly reported payloads include the Khonsari and Conti ransomware threats, the Orcus remote access Trojan (RAT), and the Dridex malware, among others.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047 ∗∗∗
---------------------------------------------
Project: Mail Login
Security risk: Moderately critical
Description: This modules enables users to login via email address.This module does not sufficiently check user status when authenticating.Solution: Install the latest version
If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-047
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 46 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ CVE-2021-44790: Apache HTTP Server / mod_lua ∗∗∗
---------------------------------------------
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
---------------------------------------------
https://www.openwall.com/lists/oss-security/2021/12/20/4
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openjdk-11), Fedora (keepalived and tang), openSUSE (openssh, p11-kit, runc, and thunderbird), Oracle (postgresql:12, postgresql:13, and virt:ol and virt-devel:ol), Red Hat (rh-maven36-log4j12), and SUSE (ansible, chrony, logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh, openssh, p11-kit, python-Babel, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/879675/
∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
A malicious privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1304
∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-…
∗∗∗ SSA-661247 V1.8 (Last Update: 2021-12-22): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 21-12-2021 18:00 − Mittwoch 22-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ CISA releases Apache Log4j scanner to find vulnerable apps ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of a scanner for identifying web services impacted by& two Apache Log4j remote code execution vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-releases-apache-log4j-s…
∗∗∗ The Biggest Cyber Security Developments in 2021 ∗∗∗
---------------------------------------------
As we charge towards another new year, we decided to pulse our threat intelligence team (@teamcymru_s2) for their views on what they perceive to be the biggest developments in cyber security over the past twelve months.
---------------------------------------------
https://team-cymru.com/blog/2021/12/21/the-biggest-cyber-security-developme…
∗∗∗ Vorsicht vor betrügerischer BAWAG-SMS ∗∗∗
---------------------------------------------
Eine SMS-Falle kursiert, die dazu aufruft eine angebliche Sicherheits-App von der BAWAG-Bank zu installieren.
---------------------------------------------
https://futurezone.at/digital-life/betrug-bawag-sms-phishing/401851228
∗∗∗ Java Code Repository Riddled with Hidden Log4j Bugs; Here’s Where to Look ∗∗∗
---------------------------------------------
There are 17,000 unpatched Log4j packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from Log4Shell exploits.
---------------------------------------------
https://threatpost.com/java-supply-chain-log4j-bug/177211/
∗∗∗ December 2021 Forensic Contest: Answers and Analysis, (Wed, Dec 22nd) ∗∗∗
---------------------------------------------
Thanks to everyone who participated in our December 2021 forensic challenge! You can still find the pcap for our December 2021 forensic contest here.
---------------------------------------------
https://isc.sans.edu/diary/rss/28160
∗∗∗ Vorsicht beim Autokauf: Privatkäufe nicht über easycarpay.net abwickeln ∗∗∗
---------------------------------------------
Wer auf der Suche nach günstigen Gebrauchtautos ist, wird oft auf Kleinanzeigenplattformen fündig. Doch seien Sie vorsichtig, wenn Ihr Gegenüber sich plötzlich im Ausland befindet oder andere Ausreden erfindet, wieso eine Besichtigung des Fahrzeugs nicht möglich sei. Spätestens wenn die Verkäuferin oder der Verkäufer vorschlägt, den Kauf über die Webseite easycarpay.net abzuwickeln, sollten Sie den Kontakt abbrechen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-beim-autokauf-privatkaeufe-…
∗∗∗ Ubisoft erneut Opfer eines Cyberangriffs ∗∗∗
---------------------------------------------
Der Spielegigant Ubisoft hat einen Cyberangriff auf seine IT-Infrastruktur bestätigt, der auf das beliebte Spiel Just Dance abzielte. Laut Ubisoft gab es einen Einbruch in die IT-Infrastruktur des Unternehmens.
---------------------------------------------
https://www.zdnet.de/88398543/ubisoft-erneut-opfer-eines-cyberangriffs/
∗∗∗ Mitigating Log4Shell and Other Log4j-Related Vulnerabilities ∗∗∗
---------------------------------------------
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/22/mitigating-log4sh…
=====================
= Vulnerabilities =
=====================
∗∗∗ NVIDIA discloses applications impacted by Log4j vulnerability ∗∗∗
---------------------------------------------
NVIDIA has released a security advisory detailing what products are affected by the Log4Shell vulnerability that is currently exploited in a wide range of attacks worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nvidia-discloses-application…
∗∗∗ VU#692873: Saviynt Enterprise Identity Cloud vulnerable to local user enumeration and authentication bypass ∗∗∗
---------------------------------------------
Saviynt Enterprise Identity Cloud contains user enumeration and authentication bypass vulnerabilities in the local password reset feature. Together, these vulnerabilities could allow a remote, unauthenticated attacker to gain administrative privileges if an SSO solution is not configured for authentication.
---------------------------------------------
https://kb.cert.org/vuls/id/692873
∗∗∗ Active Directory: Microsoft warnt vor einfacher Domain-Übernahme ∗∗∗
---------------------------------------------
Zwei bekannte und bereits behobene Fehler in Active Directory ließen sich leicht ausnutzen, warnt Microsoft und empfiehlt dringend Updates.
---------------------------------------------
https://www.golem.de/news/active-directory-microsoft-warnt-vor-einfacher-do…
∗∗∗ Four Bugs in Microsoft Teams Left Platform Vulnerable Since March ∗∗∗
---------------------------------------------
Attackers exploiting bugs in the “link preview” feature in Microsoft Teams could abuse the flaws to spoof links, leak an Android user’s IP address and launch a DoS attack.
---------------------------------------------
https://threatpost.com/microsoft-teams-bugs-vulnerable-march/177225/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 68 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ WordPress-Plug-in: Kritische Lücke in All In One SEO bedroht Millionen Websites ∗∗∗
---------------------------------------------
Angreifer könnten WordPress-Websites mit All in One SEO mit Schadcode attackieren. Eine abgesicherte Version schafft Abhilfe.
---------------------------------------------
https://heise.de/-6304412
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, ipa, log4j, and samba), Debian (sogo, spip, and xorg-server), Fedora (jansi and log4j), Mageia (apache, apache-mod_security, kernel, kernel-linus, and x11-server), openSUSE (log4j and xorg-x11-server), Oracle (kernel, log4j, and openssl), and SUSE (libqt4 and xorg-x11-server).
---------------------------------------------
https://lwn.net/Articles/879492/
∗∗∗ Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021 (UPDATE) ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ SSA-479842: Apache Log4j Vulnerabilities - Impact to Siemens Energy Sensformer (Platform, Basic and Advanced) ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-479842.txt
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 20-12-2021 18:00 − Dienstag 21-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Malware: Wer hat Angst vor Androids Barrierefreiheit? ∗∗∗
---------------------------------------------
Schadsoftware unter Android nutzt häufig die Accessibility Services, um Sicherheitsfunktionen auszuhebeln. Doch Apps können sich schützen.
---------------------------------------------
https://www.golem.de/news/malware-wer-hat-angst-vor-androids-barrierefreihe…
∗∗∗ Xcode: Hotfix soll Log4j-Lücke umfahren ∗∗∗
---------------------------------------------
Apples Entwicklungsumgebung enthält eine angreifbare Version der Java-Logging-Bibliothek log4j. Beim Upload von iOS-Apps soll aber ein Fix greifen.
---------------------------------------------
https://heise.de/-6301988
∗∗∗ Have I Been Pwned: 225 Millionen neue Passwörter von britischer Polizeibehörde ∗∗∗
---------------------------------------------
Der Datensatz des Passwort-Prüfdiensts wächst immer weiter. Für Strafverfolgungsbehörden gibt es nun einen Weg, sichergestellte Daten direkt einzuspeisen.
---------------------------------------------
https://heise.de/-6301963
∗∗∗ Google entfernt Malware-infizierte SMS-App aus Play Store ∗∗∗
---------------------------------------------
Auf mehr als 500.000 Installationen kam eine Messages-App in Googles App-Store, die die Malware Joker einschleppte. Inzwischen hat Google die App entfernt.
---------------------------------------------
https://heise.de/-6302544
∗∗∗ Sicher verkaufen auf Willhaben, Shpock & Co ∗∗∗
---------------------------------------------
Sie möchten ungenutzte Gegenstände weiterverkaufen? Mit Plattformen wie willhaben, shpock oder Facebook haben Sie zahlreiche Möglichkeiten, alte Möbel, vernachlässigte Sportausrüstung oder Elektrogeräte an den Mann oder die Frau zu bringen. Dabei gibt es aber einiges zu beachten! Wir zeigen Ihnen, wie Sie sicher über Kleinanzeigenplattformen verkaufen.
---------------------------------------------
https://www.watchlist-internet.at/news/sicher-verkaufen-auf-willhaben-shpoc…
∗∗∗ Backdoor CVE-2021-40859 in Auerswald Telefonanlagen (z.B. COMpact 5500R 7.8A & 8.0B) gefixt ∗∗∗
---------------------------------------------
Auerswald ist ein deutscher Hersteller von Telefonanlagen für den Unternehmenseinsatz. Sicherheitsforscher haben in der Firmware von Auerswald Telefonanlagen (z.B. COMpact 5500R) Hintertüren entdeckt, über die man das Administrator-Passwort zurücksetzen konnte. Dies wurde zum 20.12.2021 offen gelegt. Hier einige Informationen dazu.
---------------------------------------------
https://www.borncity.com/blog/2021/12/21/backdoor-cve-2021-40859-in-auerswa…
∗∗∗ Two Active Directory Bugs Lead to Easy Windows Domain Takeover ∗∗∗
---------------------------------------------
Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12.
---------------------------------------------
https://threatpost.com/active-directory-bugs-windows-domain-takeover/177185/
∗∗∗ Day 10: where we are with log4j from honeypot’s perspective ∗∗∗
---------------------------------------------
Our team spent great deal of effort on simulating different protocols, applications and vulnerabilities with our honeypot (Anglerfish and Apacket) system. When big event happens, we are always curious what we see from the honeypot side. Since log4j came to light 10 days ago, we have published two related blogs,
---------------------------------------------
https://blog.netlab.360.com/apache-log4j2-vulnerability-attack-trend-from-t…
∗∗∗ [SANS ISC] More Undetected PowerShell Dropper ∗∗∗
---------------------------------------------
I published the following diary on isc.sans.edu: “More Undetected PowerShell Dropper“: Last week, I published a diary about a PowerShell backdoor running below the radar with a VT score of 0! This time, it’s a dropper with multiple obfuscation techniques in place.
---------------------------------------------
https://blog.rootshell.be/2021/12/21/sans-isc-more-undetected-powershell-dr…
∗∗∗ Velociraptor & Loki ∗∗∗
---------------------------------------------
Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keep s a connection with the server [...]
---------------------------------------------
https://blog.rootshell.be/2021/12/21/velociraptor-loki/
∗∗∗ RCE in Visual Studio Codes Remote WSL for Fun and Negative Profit ∗∗∗
---------------------------------------------
The Visual Studio Code server in Windows Subsystem for Linux uses a local WebSocket WebSocket connection to communicate with the Remote WSL extension. JavaScript in websites can connect to this server and execute arbitrary commands on the target system.
---------------------------------------------
https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-f…
∗∗∗ Log4j vulnerability: what should boards be asking? ∗∗∗
---------------------------------------------
Advice for board members of medium to large organisations that are at risk from the Apache Log4j vulnerability.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be…
∗∗∗ FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability in Zoho’s ManageEngine Desktop Central product.
---------------------------------------------
https://www.securityweek.com/fbi-sees-apts-exploiting-recent-manageengine-d…
∗∗∗ After ransomware attack, global logistics firm Hellmann warns of scam calls and mail ∗∗∗
---------------------------------------------
Hellmann said customers need to make sure they are really communicating with an employee through all calls or mail.
---------------------------------------------
https://www.zdnet.com/article/after-ransomware-attack-global-logistics-firm…
∗∗∗ Why vulnerabilities are like buses ∗∗∗
---------------------------------------------
How organisations can address the growing trend in which multiple vulnerabilities within a single product are exploited over a short period.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/why-vulnerabilities-are-like-buses
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 30 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (log4j), openSUSE (chromium, log4j, netdata, and nextcloud), Oracle (kernel and kernel-container), Red Hat (kernel, kernel-rt, log4j, openssl, postgresql:12, postgresql:13, and virt:rhel and virt-devel:rhel), Slackware (httpd), SUSE (xorg-x11-server), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/879360/
∗∗∗ mySCADA myPRO ∗∗∗
---------------------------------------------
This advisory contains mitigations for Authentication Bypass Using an Alternate Path or Channel, Use of Password Hash with Insufficient Computational Effort, Hidden Functionality, and OS Command Injection vulnerabilities in the mySCADA myPRO HMI/SCADA system.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-355-01
∗∗∗ Horner Automation Cscape EnvisionRV ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in Horner Automation Cscape EnvisionRV industrial remote viewing software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-355-02
∗∗∗ WECON LeviStudioU ∗∗∗
---------------------------------------------
This advisory contains mitigations for Stack-based Buffer Overflow, and Heap-based Buffer Overflow vulnerabilities in WECON LeviStudioU HMI programming software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-355-03
∗∗∗ Emerson DeltaV ∗∗∗
---------------------------------------------
This advisory contains mitigations for Missing Authentication for Critical Function, and Uncontrolled Search Path Element vulnerabilities in the Emerson DeltaV control system controllers and workstations.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-355-04
∗∗∗ Schneider Electric Rack PDU (Update A) ∗∗∗
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-21-348-02 Schneider Electric Rack PDU that was published December 14, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Schneider Electric Rack Power Distribution Unit (PDU).
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02
∗∗∗ Fresenius Kabi Agilia Connect Infusion System ∗∗∗
---------------------------------------------
This advisory contains mitigations for several vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-21-355-01
∗∗∗ Apache Log4j Vulnerabilities - Impact on Bosch Rexroth Products ∗∗∗
---------------------------------------------
BOSCH-SA-572602: The Apache Software Foundation has published information about a vulnerability in the Java logging framework *log4j*, which allows an attacker to execute arbitrary code loaded from LDAP or JNDI related endpoints which are under control of the attacker. \[1\]Additionally, a further vulnerability might allow an attacker to cause a denial of service by sending a crafted string to the framework. From Bosch Rexroth, only the IoT Gateway software has been identified as affected.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-572602.html
∗∗∗ SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-397453.txt
∗∗∗ Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache Log4j vulnerability (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-10-…
∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ CVE-2021-44228 Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2021-44228
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 17-12-2021 18:00 − Montag 20-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
*** News zu Log4j ***
---------------------------------------------
Upgraded to log4j 2.16? Surprise, theres a 2.17 fixing DoS: https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surpri…
Log4j vulnerability now used to install Dridex banking malware: https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used…
Log4Shell: Mehrheit der Java-Pakete hat noch kein Log4J-Update: https://www.golem.de/news/log4shell-mehrheit-der-java-pakete-hat-noch-kein-…
Answering Log4Shell-related questions: https://securelist.com/answering-log4shell-related-questions/105402/
Third Log4J Bug Can Trigger DoS; Apache Issues Patch: https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/
TellYouThePass ransomware revived in Linux, Windows Log4j attacks: https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re…
New Local Attack Vector Expands the Attack Surface of Log4j Vulnerability: https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.ht…
Second Log4j Vulnerability (CVE-2021-45046) Discovered - New Patch Released: https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html
Google: OSS-Fuzz soll Log4j-Fehler in Open-Source-Software finden: https://heise.de/-6298560
Erster Wurm "kriecht" durch Log4j-Sicherheitslücke: https://heise.de/-6299080
Was Geschäftsführer jetzt über Log4Shell wissen sollten: https://www.welivesecurity.com/deutsch/2021/12/17/was-geschaeftsfuehrer-ueb…
Apache releases new 2.17.0 patch for Log4j to solve denial of service vulnerability: https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to…
Log4j-Infos, belgisches Verteidigungsministerium betroffen?: https://www.borncity.com/blog/2021/12/20/log4j-infos-belgisches-verteidigun…
---------------------------------------------
https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-ap…
∗∗∗ Western Digital warns customers to update their My Cloud devices ∗∗∗
---------------------------------------------
Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/western-digital-warns-custom…
∗∗∗ Office 2021: VBA Project Version, (Sun, Dec 19th) ∗∗∗
---------------------------------------------
2 years ago, in diary entry "VBA Office Document: Which Version?", I listed all internal VBA project version numbers for the Office versions I had access to.
---------------------------------------------
https://isc.sans.edu/diary/rss/28150
∗∗∗ Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store ∗∗∗
---------------------------------------------
A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge.
---------------------------------------------
https://thehackernews.com/2021/12/over-500000-android-users-downloaded.html
∗∗∗ Inside a PBX - Discovering a Firmware Backdoor ∗∗∗
---------------------------------------------
This blog post illustrates how RedTeam Pentesting discovered a real-world backdoor in a widely used Auerswald phone system (see also the advisory and CVE-2021-40859).
---------------------------------------------
https://blog.redteam-pentesting.de/2021/inside-a-pbx/
∗∗∗ Weniger Datenklau am Geldautomaten: "Skimming nicht mehr interessant" ∗∗∗
---------------------------------------------
Kriminelle können mit per Skimming erbeuteten Daten von Bankkunden immer weniger anfangen. Weitaus größere Schäden richten inzwischen andere Methoden an.
---------------------------------------------
https://heise.de/-6298777
∗∗∗ Erpressergruppe Conti nutzt Sicherheitslücke "Log4Shell" für ihre Ransomware ∗∗∗
---------------------------------------------
Der Erpressungstrojaner der bekannten Conti-Gang wird bereits auf die Lücke "Log4Shell" losgelassen. Damit wächst das Bedrohungspotenzial deutlich.
---------------------------------------------
https://heise.de/-6298874
∗∗∗ Sicherheitsrisiko: Support für einige NAS-Systeme von Western Digital läuft aus ∗∗∗
---------------------------------------------
Mehrere NAS-Modelle der My-Cloud-Serie bekommen bald keine Sicherheitsupdates mehr. Diese Geräte sollten nicht mehr am Internet hängen.
---------------------------------------------
https://heise.de/-6299386
∗∗∗ Analyse, wie TeamTNT Docker-Hub-Konten kompromittiert ∗∗∗
---------------------------------------------
Und schon sind wir beim 19. Türchen im Security-Adventskalender meines Blogs und ich schiebe mal ein weiteres Sicherheitsthema hinter dieses Türchen. Der Sicherheitsanbieter Trend Micro hat einen Bericht veröffentlicht, der beleuchtet, wie der Bedrohungsakteur TeamTNT vorgeht, um Konten von Docker-Hubs [...]
---------------------------------------------
https://www.borncity.com/blog/2021/12/19/analyse-wie-teamtnt-docker-hub-kon…
∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.5 ∗∗∗
---------------------------------------------
A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.5 & 4.4.
---------------------------------------------
https://blog.zsec.uk/cobalt-strike-profiles/
∗∗∗ Kernel Karnage – Part 7 (Out of the Lab and Back to Reality) ∗∗∗
---------------------------------------------
This week I emerge from the lab and put on a different hat. 1. Switching hats With Interceptor being successful in blinding $vendor2 sufficiently to run a meterpreter reverse shell, it is time to put on the red team hat and get out of the perfect lab environment.
---------------------------------------------
https://blog.nviso.eu/2021/12/20/kernel-karnage-part-7-out-of-the-lab-and-b…
∗∗∗ Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password ∗∗∗
---------------------------------------------
After analyzing the infected systems of the company that suffered damage from the recent Lockis ransomware infection, the ASEC analysis team discovered that the attacker executed the ransomware after RDP accessing the infected systems with local Administrator accounts. An investigation of local Administrator information of the infected systems showed that their passwords have not been changed for 1-2 years and that they were all set with the same password.
---------------------------------------------
https://asec.ahnlab.com/en/29871/
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2021-0029 ∗∗∗
---------------------------------------------
VMware Workspace ONE UEM console patches address SSRF vulnerability (CVE-2021-22054)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0029.html
∗∗∗ VMSA-2021-0030 ∗∗∗
---------------------------------------------
VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0030.html
∗∗∗ XSA-392 ∗∗∗
---------------------------------------------
Guest can force Linux netback driver to hog large amounts of kernel memory
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-392.html
∗∗∗ XSA-391 ∗∗∗
---------------------------------------------
Rogue backends can cause DoS of guests via high frequency events
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-391.html
∗∗∗ XSA-376 ∗∗∗
---------------------------------------------
frontends vulnerable to backends
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-376.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j2, firefox-esr, libssh2, modsecurity-apache, and tang), Fedora (lapack, log4j, rust-libsqlite3-sys, rust-rusqlite, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (bind, botan2, chromium-browser-stable, dovecot, hiredis, keepalived, log4j, matio, mediawiki, olm, openssh, pjproject, privoxy, vim, and watchdog), openSUSE (barrier, nim, and python-pip), Oracle (ipa and samba), Scientific Linux (ipa and samba), SUSE (log4j), and Ubuntu [...]
---------------------------------------------
https://lwn.net/Articles/879228/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2021-0007.html
∗∗∗ Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector [...]
---------------------------------------------
http://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-dete…
*** Log4j Security Advisories ***
---------------------------------------------
Security Advisory - Apache Log4j2 CVE 2021-44228 (Log4Shell): https://www.beyondtrust.com/blog/entry/security-advisory-apache-log4j2-cve-…
Vulnerabilities in Apache Log4j Library Affecting Cisco Products: December 2021: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
Log4j Vulnerability CVE-2021-45105: What You Need to Know: https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-…
An update on the Apache Log4j CVE-2021-44228 vulnerability: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
Citrix Security Advisory for Apache CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105: https://support.citrix.com/article/CTX335705
Log4j Zero-Day Vulnerability: https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90…
CVE-2021-45105: Denial of Service via Uncontrolled Recursion in Log4j StrSubstitutor: https://www.thezdi.com/blog/2021/12/17/cve-2021-45105-denial-of-service-via…
CVE-2021-44228 Impact of Log4j Vulnerability CVE-2021-44228 and CVE-2021-45046 (Severity: CRITICAL): https://security.paloaltonetworks.com/CVE-2021-44228
SSA-661247 V1.5 (Last Update: 2021-12-19): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-661247.txt
SSA-501673 V1.0: Apache Log4j Denial of Service Vulnerability (CVE-2021-45105) - Impact to Siemens Products: https://cert-portal.siemens.com/productcert/txt/ssa-501673.txt
Apache Log4j Vulnerability: http://security.googleblog.com/2021/12/apache-log4j-vulnerability.html
Log4j Update Patches New Vulnerability That Allows DoS Attacks: https://www.securityweek.com/log4j-update-patches-new-vulnerability-allows-…
---------------------------------------------
https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-ap…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1296
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 16-12-2021 18:00 − Freitag 17-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Log4j attackers switch to RMI to inject code and mine Monero ∗∗∗
---------------------------------------------
Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/log4j-attackers-switch-to-rm…
∗∗∗ Log4j Scanning and CVE-2021-44228 Exploitation - Latest Observations (2021-12-16) ∗∗∗
---------------------------------------------
After our recent Special Report and blog post about vulnerable log4j servers, a quick and dirty update on the “log4shell” mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten Malware Callback URIs observed and server distribution.
---------------------------------------------
https://www.shadowserver.org/news/log4j-scanning-and-cve-2021-44228-exploit…
∗∗∗ How to Find and Fix a WordPress Pharma Hack ∗∗∗
---------------------------------------------
Did you know that one quarter of all spam emails are accredited to pharmaceutical ads? Pharma hacks go beyond the inbox and spam websites by redirecting traffic and adding fake keywords and subdomains to the search results. Why, and how did the medical world get tangled up in spam emails, SEO spam, redirects, and website spam injection? The answer is - money.
---------------------------------------------
https://blog.sucuri.net/2021/12/how-to-find-and-fix-a-wordpress-pharma-hack…
∗∗∗ SWITCH Security Report November/December 2021 ∗∗∗
---------------------------------------------
Dear Reader The latest issue of our bi-monthly SWITCH Security Report is available. The main topics of the current report are: GoldDust but no nuggets: seven REvil partners caught, but the real orchestrators are still out there / EasyHack? Data belonging to COVID-19 loan recipients stolen from EasyGov platform / Tor under siege: massive de-anonymisation attacks target Tor network [...]
---------------------------------------------
https://securityblog.switch.ch/2021/12/17/switch-security-report-2021-10-11/
∗∗∗ Kritische Lücke bedroht Desktop-Management-System VMware Workspace ONE UEM ∗∗∗
---------------------------------------------
Angreifer könnten auf Servern liegende Informationen einsehen. Dagegen abgesicherte Versionen von VMwares Management-Software sind erschienen.
---------------------------------------------
https://heise.de/-6297742
∗∗∗ CISA orders federal agencies to mitigate Log4J vulnerabilities in emergency directive ∗∗∗
---------------------------------------------
CISA had previously given civilian federal agencies until December 24 to apply any patches.
---------------------------------------------
https://www.zdnet.com/article/cisa-orders-federal-agencies-to-mitigate-log4…
∗∗∗ NSA and CISA Release Final Part IV of Guidance on Securing 5G Cloud Infrastructures ∗∗∗
---------------------------------------------
CISA has announced the joint National Security Agency (NSA) and CISA publication of the final of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part IV: Ensure Integrity of Cloud Infrastructure focuses on platform integrity, microservices infrastructure integrity, launch time integrity, and build time security to ensure that 5G cloud resources are not modified without authorization.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/16/nsa-and-cisa-rele…
∗∗∗ Conti ransomware group adopts Log4Shell exploit ∗∗∗
---------------------------------------------
The Conti gang has become the first professional ransomware operation to adopt and incorporate the Log4Shell vulnerability in their daily operations.
---------------------------------------------
https://therecord.media/conti-ransomware-group-adopts-log4shell-exploit/
∗∗∗ Insides zu Irlands Health Service Executive Ransomware-Fall im Mai 2021 ∗∗∗
---------------------------------------------
Heute ist Türchen Nummer 17 im Sicherheits-Adventskalender dran. Ich habe da einen besonderen "Leckerbissen" für Administratoren hinterlegt. Im Mai 2021 gab es einen Ransomware-Angriff auf die Gesundheitsbehörden Irlands (Health Service Executive, HSE). PricewaterhouseCoopers hat kürzlich eine Analyse vorgelegt, was da [...]
---------------------------------------------
https://www.borncity.com/blog/2021/12/17/insides-zu-irlands-health-service-…
=====================
= Vulnerabilities =
=====================
∗∗∗ UNIVERGE DT Series vulnerable to missing encryption of sensitive data ∗∗∗
---------------------------------------------
UNIVERGE IP Phone DT Series and PC tools for DT Series maintainers (IP Phone Manager and Data Maintenance Tool) provided by NEC Platforms, Ltd. contain a missing encryption vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN13464252/
∗∗∗ An update on the Apache Log4j CVE-2021-44228 vulnerability ∗∗∗
---------------------------------------------
Update December 17, 11:37 am IBM is focused on the original CVE-2021-44228 as the prevalent risk, requiring our attention and our customers’ attention. With so much active industry research on Log4j, we will continually see mitigation and remediation recommendations. We continue to review the latest information and share updates accordingly.
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ VMSA-2021-0028 ∗∗∗
---------------------------------------------
Revised advisory with updates to multiple products. In addition, added CVE-2021-45046 information and noted alignment with new Apache Software Foundation guidance.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel), Fedora (dr_libs, libsndfile, and podman), openSUSE (fetchmail, log4j, log4j12, logback, python3, and seamonkey), Oracle (go-toolset:ol8, idm:DL1, and nodejs:16), Red Hat (go-toolset-1.16 and go-toolset-1.16-golang, ipa, rh-postgresql12-postgresql, rh-postgresql13-postgresql, and samba), Slackware (xorg), SUSE (log4j, log4j12, and python3), and Ubuntu (apache-log4j2 and openjdk-8, openjdk-lts).
---------------------------------------------
https://lwn.net/Articles/879020/
∗∗∗ Xylem AquaView ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Xylem AquaView SCADA system.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-350-01
∗∗∗ Delta Electronics CNCSoft ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Out-of-bounds Read vulnerability in Delta Electronics CNCSoft industrial automation software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-350-02
∗∗∗ Wibu-Systems CodeMeter Runtime ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Privilege Management vulnerability in the Wibu-Systems CodeMeter Runtime server.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-350-03
∗∗∗ Mitsubishi Electric GX Works2 ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Handling of Length Parameter Inconsistency vulnerability in #Mitsubishi Electrics GX Works2 engineering software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-350-04
∗∗∗ Mitsubishi Electric FA Engineering Software ∗∗∗
---------------------------------------------
This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software engineering software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM MQ Blockchain bridge dependencies are vulnerable to an issue in Apache Log4j (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-blockchain-bridge-…
∗∗∗ Security Bulletin: Apache Log4J vulnerabilities affect IBM Cloud Object Storage File Access (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ K32171392: Apache Log4j2 vulnerability CVE-2021-45046 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K32171392
∗∗∗ Logback: Schwachstelle ermöglicht Codeausführung ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1295
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 15-12-2021 18:00 − Donnerstag 16-12-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Large-scale phishing study shows who bites the bait more often ∗∗∗
---------------------------------------------
A large-scale phishing study involving 14,733 participants over a 15-month experiment has produced some surprising findings that contradict previous research results that formed the basis for popular industry practices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-s…
∗∗∗ Emotet starts dropping Cobalt Strike again for faster attacks ∗∗∗
---------------------------------------------
Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobal…
∗∗∗ Hive ransomware enters big league with hundreds breached in four months ∗∗∗
---------------------------------------------
The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-l…
∗∗∗ A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution ∗∗∗
---------------------------------------------
Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works.
---------------------------------------------
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-cl…
∗∗∗ PseudoManuscrypt: a mass-scale spyware attack campaign ∗∗∗
---------------------------------------------
Kaspersky ICS CERT experts identified malware whose loader has some similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s arsenal.
---------------------------------------------
https://securelist.com/pseudomanuscrypt-a-mass-scale-spyware-attack-campaig…
∗∗∗ 'DarkWatchman' RAT Shows Evolution in Fileless Malware ∗∗∗
---------------------------------------------
The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access.
---------------------------------------------
https://threatpost.com/darkwatchman-rat-evolution-fileless-malware/177091/
∗∗∗ How the "Contact Forms" campaign tricks people, (Thu, Dec 16th) ∗∗∗
---------------------------------------------
"Contact Forms" is a campaign that uses a web site's contact form to email malicious links disguised as some sort of legal complaint.
---------------------------------------------
https://isc.sans.edu/diary/rss/28142
∗∗∗ Log4j-Lücke: Erste Angriffe mit Ransomware und von staatlicher Akteuren ∗∗∗
---------------------------------------------
Die bisherigen Angriffsversuche waren wohl vor allem Tests. Doch jetzt wird es Ernst. Cybercrime und Geheimdienste nutzen die Lücke gezielt für ihre Zwecke.
---------------------------------------------
https://heise.de/-6296549
∗∗∗ When is a Scrape a Breach? ∗∗∗
---------------------------------------------
A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car. It's not clear if the car was locked or not. Is this a data breach?
---------------------------------------------
https://www.troyhunt.com/when-is-a-scrape-a-breach/
∗∗∗ Achtung: giesswein-outdoor.de ist ein Fake-Shop! ∗∗∗
---------------------------------------------
Die Webseite giesswein-outdoor.de sieht auf den ersten Blick sehr seriös aus. Doch tatsächlich handelt es sich um einen Fake-Shop, der das österreichische Unternehmen Giesswein imitiert.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-giesswein-outdoorde-ist-ein-…
∗∗∗ The dirty dozen of Latin America: From Amavaldo to Zumanek ∗∗∗
---------------------------------------------
The grand finale of our series dedicated to demystifying Latin American banking trojans.
---------------------------------------------
https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavald…
∗∗∗ Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware ∗∗∗
---------------------------------------------
New ransomware used in mid-November attack, ConnectWise was likely infection vector.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/no…
∗∗∗ Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions ∗∗∗
---------------------------------------------
Check Point Research (CPR) spots a botnet variant that has stolen nearly half a million dollars’ worth of cryptocurrency through a technique called “crypto clipping”. The new variant, named Twizt and a descendant of Phorpiex, steals cryptocurrency during transactions by automatically substituting the intended wallet address with the threat actor’s wallet address.
---------------------------------------------
https://blog.checkpoint.com/2021/12/16/phorpiex-botnet-is-back-with-a-new-t…
=====================
= Vulnerabilities =
=====================
∗∗∗ Lenovo laptops vulnerable to bug allowing admin privileges ∗∗∗
---------------------------------------------
Lenovo laptops, including ThinkPad and Yoga models, are vulnerable to a privilege elevation bug in the ImControllerService service allowing attackers to execute commands with admin privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lenovo-laptops-vulnerable-to…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j2 and mediawiki), Fedora (libmysofa, libolm, and vim), Oracle (httpd), Red Hat (go-toolset:rhel8), and Ubuntu (apache-log4j2 and mumble).
---------------------------------------------
https://lwn.net/Articles/878844/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ SSA-714170: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to SPPA-T3000 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-714170.txt
∗∗∗ TYPO3-PSA-2021-004: Statement on Recent log4j/log4shell Vulnerabilities (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2021-004
∗∗∗ TYPO3-PSA-2021-003: Mitigation of Cache Poisoning Caused by Untrusted URL Query Parameters ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2021-003
∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1290
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 14-12-2021 18:00 − Mittwoch 15-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New ransomware now being deployed in Log4Shell attacks ∗∗∗
---------------------------------------------
The first public case of the Log4j Log4Shell vulnerability used to download and install ransomware has been discovered by researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-dep…
∗∗∗ Simple but Undetected PowerShell Backdoor, (Wed, Dec 15th) ∗∗∗
---------------------------------------------
For a while, most security people agree on the fact that antivirus products are not enough for effective protection against malicious code. If they can block many threats, some of them remain undetected by classic technologies. Here is another example with a simple but effective PowerShell backdoor that I spotted yesterday.
---------------------------------------------
https://isc.sans.edu/diary/rss/28138
∗∗∗ GitHubs Antwort auf die kritische Log4j-Lücke ∗∗∗
---------------------------------------------
Zu der kritischen Sicherheitslücke im Log4j-Logging-Framework hat der Code-Hoster Sicherheitshinweise veröffentlicht. Ein Update auf Log4j 2.16 schafft Abhilfe.
---------------------------------------------
https://heise.de/-6294120
∗∗∗ Patchday: Kritische Sicherheitslücken in SAP-Geschäftssoftware ∗∗∗
---------------------------------------------
15 Sicherheitslücken melden die Walldorfer zum Dezember-Patchday in ihrer Business-Software. Viele schätzt SAP als hohes oder gar kritisches Risiko ein.
---------------------------------------------
https://heise.de/-6294773
∗∗∗ Patchday: Adobe schließt kritische Lücken in Experience Manager & Co. ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für verschiedene Anwendungen von Adobe. In einigen Fällen könnten Angreifer Schadcode auf Computern ausführen.
---------------------------------------------
https://heise.de/-6295316
∗∗∗ Patchday: Sechs Windows-Lücken öffentlich bekannt, durch eine schlüpft Emotet ∗∗∗
---------------------------------------------
Microsoft schließt zahlreiche Sicherheitslücken in beispielsweise Azure, Office und Windows. Darunter sind auch als kritisch eingestufte Lücken.
---------------------------------------------
https://heise.de/-6295264
∗∗∗ Neue Probleme - Log4j-Patch genügt nicht ∗∗∗
---------------------------------------------
Version 2.15.0 von Log4j sollte die Log4Shell-Sicherheitslücke schließen. Das reichte jedoch nicht. Log4j 2.16.0 behebt nun noch eine weitere Schwachstelle.
---------------------------------------------
https://heise.de/-6295343
∗∗∗ Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks ∗∗∗
---------------------------------------------
CISA has released CISA Insights: Preparing For and Mitigating Potential Cyber Threats to provide critical infrastructure leaders with steps to proactively strengthen their organization’s operational resiliency against sophisticated threat
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/15/immediate-steps-s…
∗∗∗ No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages ∗∗∗
---------------------------------------------
NPM modules are a valuable target for threat actors due to their popularity amongst developers. They also have a high prevalence of complex dependencies, where one package installs another as a dependency often without the knowledge of the developer.
---------------------------------------------
https://www.mandiant.com/resources/supply-chain-node-js
=====================
= Vulnerabilities =
=====================
∗∗∗ Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) ∗∗∗
---------------------------------------------
After the log4j maintainers released version 2.15.0 to address the Log4Shell vulnerability, an additional attack vector was identified and reported in CVE-2021-45046.
---------------------------------------------
https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
Apache Log4J information, WebSphere Application Server, i2 Analyze, i2 Connect, Analyst’s Notebook Premium, Security Access Manager, Security Verify Access, App Connect, Integration Bus, QRadar SIEM Application Framework, Sterling File Gateway, Cloud Transformation Advisor, MQ Blockchain bridge, WebSphere Cast Iron, Power System, Rational Asset Analyzer, Disconnected Log Collector, SPSS Statistics, Power HMC
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Intel Product Advisory for Apache Log4j2 Vulnerabilities (CVE-2021-44228 & CVE-2021-45046) ∗∗∗
---------------------------------------------
Security vulnerabilities in Apache Log4j2 for some Intel® products may allow escalation of privilege or denial of service.
---------------------------------------------
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0…
∗∗∗ Apache log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗
---------------------------------------------
ABB is still investigating the potentially affected products and to date ABB has identified the following products which are likely affected by the vulnerabilities in log4j (ABB products not listed are initially evaluated as not impacted).
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (libopenmpt), openSUSE (icu.691, log4j, nim, postgresql10, and xorg-x11-server), Red Hat (idm:DL1), SUSE (gettext-runtime, icu.691, runc, storm, storm-kit, and xorg-x11-server), and Ubuntu (xorg-server, xorg-server-hwe-18.04, xwayland).
---------------------------------------------
https://lwn.net/Articles/878749/
∗∗∗ Security Advisory - Intel Microarchitectural Data Sampling (MDS) vulnerabilities ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20190712-…
∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-…
∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1277
∗∗∗ OpenSSL: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1282
∗∗∗ Authentication Bypass Vulnerabilities in FPC2 and SMM Firmware ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500458-AUTHENTICATION-BYPASS-V…
∗∗∗ Lenovo Vantage Component Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500461-LENOVO-VANTAGE-COMPONEN…
∗∗∗ TLB Poisoning Attacks on AMD Secure Encrypted Virtualization (SEV) ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500459-TLB-POISONING-ATTACKS-O…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 10-12-2021 18:00 − Montag 13-12-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Schutz vor Log4j-Lücke – was hilft jetzt und was eher nicht ∗∗∗
---------------------------------------------
"Warnstufe Rot" für Anwender und Firmen, doch was bedeutet das konkret? So testen Sie Dienste auf die Log4j-Lücke und reduzieren ihr Risiko vor Angriffen.
---------------------------------------------
https://heise.de/-6292961
∗∗∗ log4j-scan ∗∗∗
---------------------------------------------
We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability.
---------------------------------------------
https://github.com/fullhunt/log4j-scan
∗∗∗ Ten families of malicious samples are spreading using the Log4j2 vulnerability Now ∗∗∗
---------------------------------------------
On December 11, 2021, at 8:00 pm, we published a blog disclosing Mirai and Muhstik botnet samples propagating through Log4j2 RCE vulnerability[1]. Over the past 2 days, we have captured samples from other families, and now the list of families has exceeded 10.
---------------------------------------------
https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading…
∗∗∗ log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228 ∗∗∗
---------------------------------------------
tl;dr Run add our new tool, -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the “Log4Shell” vulnerability and gaining remote code execution on your systems. In this post, we first offer some context on the vulnerability, the released fixes [...]
---------------------------------------------
https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitiga…
∗∗∗ Malicious PyPI packages with over 10,000 downloads taken down ∗∗∗
---------------------------------------------
The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have generated over 10,000 downloads and mirrors put together, according to the researchers report.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-with…
∗∗∗ Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group ∗∗∗
---------------------------------------------
A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021. The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, [...]
---------------------------------------------
https://thehackernews.com/2021/12/karakurt-new-emerging-data-theft-and.html
∗∗∗ HANCITOR DOC drops via CLIPBOARD ∗∗∗
---------------------------------------------
Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through Selection.Copy method.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via…
∗∗∗ Diavol Ransomware ∗∗∗
---------------------------------------------
In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Diavol Ransomware.
---------------------------------------------
https://thedfirreport.com/2021/12/13/diavol-ransomware/
∗∗∗ Bugs in the Cloud: How One Vulnerability Exposed 'Offline' Devices to a Security Risk ∗∗∗
---------------------------------------------
The post Bugs in the Cloud: How One Vulnerability Exposed ‘Offline’ Devices to a Security Risk appeared first on Claroty.
---------------------------------------------
https://claroty.com/2021/12/13/blog-research-bugs-in-the-cloud-how-one-vuln…
∗∗∗ Von wegen Darknet – Ransomware-Gangs setzen Opfer per Social Media unter Druck ∗∗∗
---------------------------------------------
Ransomware-Gruppen nutzen soziale Netzwerkkanäle, um ihre Angriffe zu bewerben und damit ihre Opfer weiter zur Lösegeldzahlung unter Druck zu setzen.
---------------------------------------------
https://blog.emsisoft.com/de/39431/von-wegen-darknet-ransomware-gangs-setze…
∗∗∗ Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits ∗∗∗
---------------------------------------------
Deserialization vulnerabilities are a class of bugs that have plagued multiple languages and applications over the years. These include Exchange (CVE-2021-42321), Zoho ManageEngine (CVE-2020-10189), Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and more. Fundamentally, these bugs are a result of applications placing too much trust in data that a user (or attacker) can tamper with.
---------------------------------------------
https://www.mandiant.com/resources/hunting-deserialization-exploits
=====================
= Vulnerabilities =
=====================
∗∗∗ Log4j Vulnerability (CVE-2021-44228) ∗∗∗
---------------------------------------------
This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-44228).
---------------------------------------------
https://github.com/NCSC-NL/log4shell
∗∗∗ VMSA-2021-0028 ∗∗∗
---------------------------------------------
[...] Synopsis: VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
∗∗∗ Log4j Zero-Day Vulnerability ∗∗∗
---------------------------------------------
IBM X-Force Incident Command is following a recent disclosure regarding a vulnerability in the in the Log4j Java library. A report by LunaSec details the vulnerability as well as mitigation strategies for the vulnerability.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90…
∗∗∗ Bugs in billions of WiFi, Bluetooth chips allow password, data theft ∗∗∗
---------------------------------------------
Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves its possible to extract passwords and manipulate traffic on a WiFi chip by targeting a devices Bluetooth component.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-blu…
∗∗∗ IBM Security Bulletins 2021-12-10 - 2021-13 ∗∗∗
---------------------------------------------
WebSphere Application Server, Rational Application Developer for WebSphere, Spectrum Copy Data Management, Tivoli Netcool, Spectrum Protect, i2 Analystss Notebook, Decision Optimization Center, ILOG CPLEX Optimization Studio, PowerVM, Db2
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, gitlab, grafana, grafana-agent, thunderbird, and vivaldi), Debian (apache-log4j2, privoxy, and wireshark), Fedora (firefox, grub2, mariadb, mod_auth_openidc, rust-drg, rust-tiny_http, and rust-tiny_http0.6), Mageia (chromium-browser-stable, curaengine, fetchmail, firefox, libvirt, log4j, opencontainers-runc, python-django, speex, and thunderbird), openSUSE (clamav, firefox, glib-networking, glibc, gmp, ImageMagick, log4j, [...]
---------------------------------------------
https://lwn.net/Articles/878520/
∗∗∗ CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirtee…
∗∗∗ Oracle Security Alert for CVE-2021-44228 - 10 December 2021 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
∗∗∗ Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021 ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Citrix Security Advisory for Apache CVE-2021-44228 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX335705
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 09-12-2021 18:00 − Freitag 10-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Kritische Zero-Day-Lücke in Log4j gefährdet zahlreiche Server und Apps ∗∗∗
---------------------------------------------
Eine Zero-Day-Schwachstelle in Apaches Log4j ermöglicht Angreifern, etwa auf Servern von Cloud-Diensten oder in Anwendungen Schadcode einzuschmuggeln.
---------------------------------------------
https://heise.de/-6291653
∗∗∗ Dark Mirai botnet targeting RCE on popular TP-Link router ∗∗∗
---------------------------------------------
The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dark-mirai-botnet-targeting-…
∗∗∗ Python Shellcode Injection From JSON Data, (Fri, Dec 10th) ∗∗∗
---------------------------------------------
My hunting rules detected a niece piece of Python code. It's interesting to see how the code is simple, not deeply obfuscated, and with a very low VT score: 2/56![1]. I see more and more malicious Python code targeting the Windows environments. Thanks to the library ctypes[2], Python is able to use any native API calls provided by DLLs.
---------------------------------------------
https://isc.sans.edu/diary/rss/28118
∗∗∗ Click "OK" to defeat MFA ∗∗∗
---------------------------------------------
A sophisticated threat actor has been using a very unsophisticated method to defeat multi-factor authentication.
---------------------------------------------
https://blog.malwarebytes.com/reports/2021/12/click-ok-to-defeat-mfa/
∗∗∗ 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs ∗∗∗
---------------------------------------------
Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites.
---------------------------------------------
https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/
∗∗∗ Winterurlaub geplant? Buchen Sie nicht über dein-berghuettenurlaub.de! ∗∗∗
---------------------------------------------
Bald ist der Lockdown in Österreich vorbei. Dementsprechend freuen sich wohl schon einige auf eine Auszeit über Weihnachten oder Silvester. Was wäre aufgrund der aktuellen Corona-Lage besser geeignet als eine einsame Hütte? Doch Vorsicht, wer online eine solche Hütte buchen will, könnte auf betrügerische Seiten stoßen!
---------------------------------------------
https://www.watchlist-internet.at/news/winterurlaub-geplant-buchen-sie-nich…
∗∗∗ This old malware has just picked up some nasty new tricks ∗∗∗
---------------------------------------------
The crafty Qakbot trojan has added ransomware delivery to its malware building blocks.
---------------------------------------------
https://www.zdnet.com/article/this-decade-old-malware-has-picked-up-some-na…
∗∗∗ Microsoft launches center for reporting malicious drivers ∗∗∗
---------------------------------------------
Microsoft has launched this week a special web portal where users and researchers can report malicious drivers to the companys security team.
---------------------------------------------
https://therecord.media/microsoft-launches-center-for-reporting-malicious-d…
∗∗∗ Twitter-Thread zur log4j-Schwachstelle ∗∗∗
---------------------------------------------
https://twitter.com/TimPhSchaefers/status/1469271197993115655
=====================
= Vulnerabilities =
=====================
∗∗∗ RCE in log4j, Log4Shell, or how things can get bad quickly, (Fri, Dec 10th) ∗∗∗
---------------------------------------------
If you have been following developments on Twitter and various other security sources, by now you have undoubtedly heard about the latest vulnerability in the very popular Apache log4j library.
---------------------------------------------
https://isc.sans.edu/diary/rss/28120
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-babel), Fedora (golang-github-opencontainers-image-spec and libmysofa), openSUSE (hiredis), Oracle (firefox and thunderbird), Red Hat (thunderbird and virt:8.2 and virt-devel:8.2), Scientific Linux (thunderbird), SUSE (kernel-rt and xen), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/878279/
∗∗∗ WD Updates SanDisk SecureAccess to Prevent Dictionary, Brute Force Attacks ∗∗∗
---------------------------------------------
Western Digital has updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks.
---------------------------------------------
https://www.securityweek.com/wd-updates-sandisk-secureaccess-prevent-dictio…
∗∗∗ Cisco Releases Security Advisory for Multiple Products Affected by Apache HTTP Server Vulnerabilities ∗∗∗
---------------------------------------------
Cisco has released a security advisory to address Cisco products affected by multiple vulnerabilities in Apache HTTP Server 2.4.48 and earlier releases. An unauthenticated remote attacker could exploit this vulnerability to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisco-releases-se…
∗∗∗ Schwachstellen in Oracle-Datenbankservern (SYSS-2021-061/-062) ∗∗∗
---------------------------------------------
In Oracle-Datenbankservern wurden Schwachstellen identifiziert. Sie erlauben es Angreifern, Zugang zur Datenbank von legitimen Benutzern zu erhalten.
---------------------------------------------
https://www.syss.de/pentest-blog/syss-2021-061/syss-2021-062
∗∗∗ TR-65 - Vulnerabilities and Exploitation of Log4j (Remote code injection in Log4j) ∗∗∗
---------------------------------------------
CVE-2021-44228 vulnerability enables remote code injection on systems running Log4j. The attacker has to trigger a log entry generation containing a JNDI request. The vulnerability can be exploited without authentication. The exploit needs to be processed by Log4j. Impacted Log4j versions are: 2.0 to 2.14.1.
---------------------------------------------
https://www.circl.lu/pub/tr-65
∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K21-1266
∗∗∗ Security Bulletin: IBM® Db2® could allow a local user elevated privileges due to allowing modification of columns of existing tasks (CVE-2021-38926) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-could-allow-a-loc…
∗∗∗ Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js, IBM WebSphere Application Server Liberty, and OpenSSL affect IBM Spectrum Control ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Dec. 2021 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM® Db2® may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. (CVE-2021-20373) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-may-be-vulnerable…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure as it uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. (CVE-2021-39002) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: The PowerVM hypervisor is vulnerable to a carefully crafted IBMi hypervisor call that can lead to a system crash ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-is…
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an Information Disclosure as a user with DBADM authority is able to access other databases and read or modify files (CVE-2021-29678) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-…
∗∗∗ Security Bulletin: The PowerVM hypervisor can allow an attacker that gains service access to the FSP to read and write system memory ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-powervm-hypervisor-ca…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily