=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-01-2022 18:00 − Mittwoch 12-01-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ TellYouThePass ransomware returns as a cross-platform Golang threat ∗∗∗
---------------------------------------------
TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re…
∗∗∗ Coming Soon: New Security Update Guide Notification System ∗∗∗
---------------------------------------------
Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected.
---------------------------------------------
https://msrc-blog.microsoft.com:443/2022/01/11/coming-soon-new-security-upd…
∗∗∗ SysJoker, the first (macOS) malware of 2022! ∗∗∗
---------------------------------------------
Here, we analyze the macOS versions of a cross-platform backdoor.
---------------------------------------------
https://objective-see.com/blog/blog_0x6C.html
∗∗∗ A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th) ∗∗∗
---------------------------------------------
Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise.
---------------------------------------------
https://isc.sans.edu/diary/rss/28234
∗∗∗ Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more ∗∗∗
---------------------------------------------
This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-…
∗∗∗ Kaufen Sie keine Immobilien über term-re.com oder den-home.com! ∗∗∗
---------------------------------------------
Aktuell beobachten wir vermehrt Betrug mit angeblichen Traum-Immobilien: Kriminelle bieten dabei günstige Immobilien über bekannte Internetplattformen an. Besichtigungen sollen über ein Treuhandunternehmen abgewickelt werden. Aber Achtung: Kriminelle versuchen so an Ihre Ausweiskopie und an Ihr Geld zu kommen.
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-keine-immobilien-ueber-te…
∗∗∗ Check your SPF records: Wide IP ranges undo email security and make for tasty phishes ∗∗∗
---------------------------------------------
With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours.
---------------------------------------------
https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-em…
∗∗∗ Signed kernel drivers – Unguarded gateway to Windows’ core ∗∗∗
---------------------------------------------
ESET researchers look at malware that abuses vulnerabilities in kernel drivers and outline mitigation techniques against this type of exploitation.
---------------------------------------------
https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-g…
∗∗∗ Ransomware-Angreifer leakten möglicherweise frühere Opfer ∗∗∗
---------------------------------------------
Kürzlich wurden wir damit beauftragt, einen Ransomware-Angriff zu untersuchen. Wir konnten den wahrscheinlichen Angriffsvektor rekonstruieren und die wahrscheinlich gestohlenen Daten identifizieren. Was diesen Fall besonders interessant machte, war der Mechanismus zum Exfiltrieren von Daten.
---------------------------------------------
https://certitude.consulting/blog/de/ransomware-leak-de/
∗∗∗ How to Analyze Malicious Microsoft Office Files ∗∗∗
---------------------------------------------
Most phishing attacks arrive via emails containing malicious attachments. A seemingly innocent Microsoft Word file, for example, can be the initial infection stage of a dangerous attack where a threat actor uses a document to deliver malware.
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-o…
∗∗∗ Windows Server: Januar 2022-Sicherheitsupdates verursachen Boot-Schleife ∗∗∗
---------------------------------------------
Administratoren von Windows Domain Controllern sollten mit der Installation der Sicherheitsupdates von Januar 2022 vorsichtig sein.Mir liegen inzwischen zahlreiche Berichte vor, dass die Windows Server, die als Domain Controller fungieren, anschließend nicht mehr booten.
---------------------------------------------
https://www.borncity.com/blog/2022/01/12/windows-server-januar-2022-sicherh…
∗∗∗ Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome ∗∗∗
---------------------------------------------
The ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet Explorer (IE) vulnerabilities.
---------------------------------------------
https://asec.ahnlab.com/en/30645/
∗∗∗ Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure ∗∗∗
---------------------------------------------
Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users information.
---------------------------------------------
http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Make sure youre up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out ∗∗∗
---------------------------------------------
Nothing like topping off unauthd remote code execution with a su password of ... password. Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/01/11/sonicwall_mu…
∗∗∗ Cisco Security Advisories 2022-01-12 ∗∗∗
---------------------------------------------
1 Critical, 8 Medium severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM published 14 Security Bulletins
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Patchday: Trojaner könnte sich über kritische Windows-Lücke wurmartig verbreiten ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für Office, Windows & Co. erschienen. Der Großteil der geschlossenen Lücken ist mit dem Bedrohungsgrad "hoch" eingestuft.
---------------------------------------------
https://heise.de/-6323634
∗∗∗ Patchday Adobe: Acrobat und Reader bekommen jede Menge Sicherheitsupdates ∗∗∗
---------------------------------------------
Angreifer könnten auf Computern mit Adobe-Anwendungen Schadcode platzieren. Dagegen abgesicherte Versionen schaffen Abhilfe.
---------------------------------------------
https://heise.de/-6323723
∗∗∗ Patchday: SAP schließt in mehreren Anwendungen Lücke mit Höchstwertung ∗∗∗
---------------------------------------------
Der deutsche Software-Hersteller SAP kümmert sich unter anderem um eine kritische Lücke in seinem Portfolio.
---------------------------------------------
https://heise.de/-6323843
∗∗∗ Firefox, Thunderbird: Angreifer könnten Opfer im Vollbildmodus gefangen halten ∗∗∗
---------------------------------------------
Mozillas Mailclient und Webrowser sind Versionen erschienen, die gegen verschiedene Attacken gewappnetet sind.
---------------------------------------------
https://heise.de/-6323936
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cfrpki, gdal, and lighttpd), Fedora (perl-CPAN and roundcubemail), Mageia (firefox), openSUSE (jawn, kernel, and thunderbird), Oracle (kernel, openssl, and webkitgtk4), Red Hat (cpio, idm:DL1, kernel, kernel-rt, openssl, virt:av and virt-devel:av, webkit2gtk3, and webkitgtk4), Scientific Linux (openssl and webkitgtk4), SUSE (kernel and thunderbird), and Ubuntu (apache-log4j2, ghostscript, and lxml).
---------------------------------------------
https://lwn.net/Articles/881144/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities ∗∗∗
---------------------------------------------
The first round of security advisories released by Siemens and Schneider Electric in 2022 address a total of 40 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ Credential Disclosure in Web Interface of Crestron Device ∗∗∗
---------------------------------------------
When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are validto authenticate to the web interface.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/
∗∗∗ Released: January 2022 Exchange Server Security Updates ∗∗∗
---------------------------------------------
Microsoft has released security updates for vulnerabilities found in any version of: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-…
∗∗∗ QNX-2022-001 Vulnerability in QNX Neutrino Kernel Impacts QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety ∗∗∗
---------------------------------------------
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe…
∗∗∗ Apache Guacamole: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0037
∗∗∗ Vulnerability in QTS and QuTS hero ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-57
∗∗∗ Stack Overflow Vulnerability in QVR Elite, QVR Pro, and QVR Guard ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-59
∗∗∗ XSS and Open Redirect Vulnerabilities in QcalAgent ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-60
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 10-01-2022 18:00 − Dienstag 11-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ l+f: Malware-Entwickler kuscheln etwas zu eng mit ihrem Trojaner ∗∗∗
---------------------------------------------
Sicherheitsforscher bekommen unerwartet Hilfe. [...] Einem Bericht von Malwarebytes zufolge gehen alle gesammelten Informationen auf ein Missgeschick der Hintermänner der Kampagne zurück: Die Malware-Entwickler haben ihre Entwicklungsumgebung mit dem eigenen Trojaner infiziert.
---------------------------------------------
https://heise.de/-6323191
∗∗∗ macOS-Lücke: Spionieren über Teams und andere Apps ∗∗∗
---------------------------------------------
Microsoft hat Details zu einem Bug publiziert, mit dem es möglich war, den Systemschutz TCC zu umgehen, der eigentlich Mac-Nutzer vor Datenabgriff bewahrt.
---------------------------------------------
https://heise.de/-6322269
∗∗∗ Facebook-Währung „Diem“ nicht bei thediemtoken.com kaufen ∗∗∗
---------------------------------------------
Diem – eine Kryptowährung, die ursprünglich Libra hieß, wird vermutlich bald verfügbar sein. Kriminelle bieten Diem aber schon jetzt auf ihren betrügerischen Trading-Plattformen wie „thediemtoken.com“ an. Auf Facebook, Instagram und Co werden diese dann beworben, um möglichst viele AnlegerInnen in die Falle zu locken. Vorsicht: Wer dort investiert, verliert sein Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/facebook-waehrung-diem-nicht-bei-the…
∗∗∗ Linux version of AvosLocker ransomware targets VMware ESXi servers ∗∗∗
---------------------------------------------
AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-…
∗∗∗ Night Sky ransomware uses Log4j bug to hack VMware Horizon servers ∗∗∗
---------------------------------------------
The Night Sky ransomware gang has started to exploit the critical CVE-2021-4422 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-lo…
∗∗∗ Millions of Routers Exposed to RCE by USB Kernel Bug ∗∗∗
---------------------------------------------
The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al.
---------------------------------------------
https://threatpost.com/millions-routers-exposed-bug-usb-module-kcodes-netus…
∗∗∗ Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters ∗∗∗
---------------------------------------------
TL;DR This research led to: * Five high severity vulnerabilities: CVE-2021-28847, CVE-2021-28848, CVE-2021-32198, CVE-2021-33500 and CVE-2021-42095. We found a way to cause a remote DoS on the terminal client’s host. * An ANSI escape characters injection vulnerability in OpenShift and Kubernetes (CVE-2021-25743). * Three additional vulnerabilities: CVE-2021-31701, CVE-2021-37326 and CVE-2021-40147. We found a way to bypass the bracket paste mode mechanism inside the terminals.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-tit…
∗∗∗ Domain Escalation – sAMAccountName Spoofing ∗∗∗
---------------------------------------------
Microsoft has released patches in order to prevent successful exploitation. However, there are many occasions where patches are not applied on time which creates a time period which this technique could be leveraged during a red team assessment. The prerequisites of the technique are the following: * A domain controller which is missing the KB5008380 and KB5008602 security patches * A valid domain user account * The machine account quota to be above 0
---------------------------------------------
https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofin…
∗∗∗ What Is FIM (File Integrity Monitoring)? ∗∗∗
---------------------------------------------
Change is prolific in organizations’ IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during an organization’s regular patching cycle, while others cause concern by popping up unexpectedly. Organizations commonly respond to this dynamism by investing in asset discovery and secure configuration management [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/securit…
∗∗∗ SFile (Escal) ransomware ported for Linux attacks ∗∗∗
---------------------------------------------
The operators of the SFile ransomware, also known as Escal, have ported their malware to work and encrypt files on Linux-based operating systems.
---------------------------------------------
https://therecord.media/sfile-escal-ransomware-ported-for-linux-attacks/
∗∗∗ New SysJoker Backdoor Targets Windows, Linux, and macOS ∗∗∗
---------------------------------------------
Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal.
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical SonicWall NAC Vulnerability Stems from Apache Mods ∗∗∗
---------------------------------------------
Researchers offer more detail on the bug, which can allow attackers to completely take over targets.
---------------------------------------------
https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/
∗∗∗ Microsoft: macOS Powerdir Flaw Could Let Attackers Gain Access to User Data ∗∗∗
---------------------------------------------
Microsoft today disclosed a vulnerability in Apples macOS that could enable an attacker to gain unauthorized access to protected user data through bypassing the Transparency, Consent, and Control (TCC) technology in the operating system. [...] Apple addressed CVE-2021-30970, dubbed "Powerdir," in a rollout of security updates released on Dec. 13.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/microsoft-macos-powerdi…
∗∗∗ Siemens Security Advisories ∗∗∗
---------------------------------------------
Siemens hat am 2022-01-11 5 neue und 7 aktualiserte Advisories veröffentlicht. (CVSS Scores von 3.4 bis 9.9)
---------------------------------------------
https://new.siemens.com/de/de/produkte/services/cert.html#SecurityVeroffent…
∗∗∗ PHOENIX CONTACT: BLUEMARK X1 / LED / CLED printers utilizing the Siemens Nucleus RTOS TCP/IP Stack ∗∗∗
---------------------------------------------
The TCP/IP stack and of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) contain several vulnerabilities. Nucleus NET is utilized by BLUEMARK X1 / LED / CLED. The abovementioned BLUEMARK printers are discontinued and only impacted by a subset of 8 of the 13 discovered vulnerabilities.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-059/
∗∗∗ HPESBUX04206 rev.1 - HP-UX Telnetd, Remote Execution of Arbitrary Code ∗∗∗
---------------------------------------------
A potential security vulnerability has been identified with HP-UX telnetd which allows remote attackers to execute arbitrary code via short writes or urgent data. This is due to a remote buffer overflow involving the netclear and nextitem functions.
---------------------------------------------
https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739&elq_cid=67018…
∗∗∗ SAP Security Patch Day - January 2022 ∗∗∗
---------------------------------------------
On 11th of January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously. Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to Apache Log4j 2 component. This security note is a living document that will be updated when a new Security Note is released. So, please refer the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes.
---------------------------------------------
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035
∗∗∗ Citrix Workspace App for Linux Security Update ∗∗∗
---------------------------------------------
A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux.
---------------------------------------------
https://support.citrix.com/article/CTX338435
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
Update on IBM’s response: IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...]
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (clamav, vim, and wordpress), Mageia (ghostscript, osgi-core, apache-commons-compress, python-django, squashfs-tools, and suricata), openSUSE (libsndfile, net-snmp, and systemd), Oracle (httpd:2.4, kernel, and kernel-container), SUSE (libsndfile, libvirt, net-snmp, and systemd), and Ubuntu (exiv2, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.10, linux-oracle, [...]
---------------------------------------------
https://lwn.net/Articles/881005/
∗∗∗ Synology-SA-22:01 DSM ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers, or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_01
∗∗∗ Johnson Controls VideoEdge ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Handling of Syntactically Invalid Structure vulnerability in the Sensormatic Electronics VideoEdge network video recorder. Sensormatic Electronics is a subsidiary of Johnson Controls.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-011-01
∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/01/10/cisa-adds-15-know…
∗∗∗ January 10th 2022 Security Releases ∗∗∗
---------------------------------------------
Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues. Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0026
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 07-01-2022 18:00 − Montag 10-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FBI-Warnung: FIN7-Bande verschickt USB-Sticks mit Ransomware ∗∗∗
---------------------------------------------
Die Speichermedien mit der Malware erreichen US-Firmen etwa in der Rüstungsindustrie laut dem FBI getarnt als Geschenkbox oder Covid-19-Leitlinien.
---------------------------------------------
https://heise.de/-6321079
∗∗∗ FluBot malware now targets Europe posing as Flash Player app ∗∗∗
---------------------------------------------
The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-e…
∗∗∗ Trojanized dnSpy app drops malware cocktail on researchers, devs ∗∗∗
---------------------------------------------
Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-m…
∗∗∗ Wheres the Interpreter!? ∗∗∗
---------------------------------------------
CVE-2021-30853 was able to bypass file quarantine, gatekeeper, & notarization requirements. In this post, we show exactly why!
---------------------------------------------
https://objective-see.com/blog/blog_0x6A.html
∗∗∗ TShark & jq, (Sat, Jan 8th) ∗∗∗
---------------------------------------------
TShark (Wireshark's command-line version) can output JSON data, as shown in diary entry "Quicktip: TShark's Options -e and -T".
---------------------------------------------
https://isc.sans.edu/diary/rss/28194
∗∗∗ Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th) ∗∗∗
---------------------------------------------
There is also a video of this analysis.
---------------------------------------------
https://isc.sans.edu/diary/rss/28200
∗∗∗ BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks ∗∗∗
---------------------------------------------
Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science.
---------------------------------------------
https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.h…
∗∗∗ Sophisticated phishing scheme spent years robbing authors of their unpublished work ∗∗∗
---------------------------------------------
The FBI says a multi-year phishing attack targeting authors and book publishers, and stole unpublished novels, manuscripts and other books.
---------------------------------------------
https://blog.malwarebytes.com/scams/2022/01/sophisticated-phishing-scheme-s…
∗∗∗ Tool Release - insject: A Linux Namespace Injector ∗∗∗
---------------------------------------------
tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters.
---------------------------------------------
https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-names…
∗∗∗ U.S. Government Issues Warning Over Commercial Surveillance Tools ∗∗∗
---------------------------------------------
The U.S. State Department and the National Counterintelligence and Security Center (NCSC) on Friday issued a warning over the use of commercial surveillance tools.
---------------------------------------------
https://www.securityweek.com/us-government-issues-warning-over-commercial-s…
∗∗∗ Abcbot botnet is linked to Xanthe cryptojacking group ∗∗∗
---------------------------------------------
Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks.
---------------------------------------------
https://www.zdnet.com/article/abcbot-botnet-has-now-been-linked-to-xanthe-c…
∗∗∗ Kernel Karnage - Part 8 (Getting Around DSE) ∗∗∗
---------------------------------------------
When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar.
---------------------------------------------
https://blog.nviso.eu/2022/01/10/kernel-karnage-part-8-getting-around-dse/
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities ∗∗∗
---------------------------------------------
Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.
---------------------------------------------
https://kb.cert.org/vuls/id/142629
∗∗∗ Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries ∗∗∗
---------------------------------------------
A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, [...]
---------------------------------------------
https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html
∗∗∗ Qnap warnt vor Ransomware-Attacken auf Netzwerkspeicher ∗∗∗
---------------------------------------------
Es gibt wichtige Tipps zur Absicherung von NAS-Geräten von Qnap und aktuelle Sicherheitsupdates.
---------------------------------------------
https://heise.de/-6321485
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...]
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/880807/
∗∗∗ SonicWall Patches Y2K22 Bug in Email Security, Firewall Products ∗∗∗
---------------------------------------------
Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates.
---------------------------------------------
https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-fir…
∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. Chitubox is 3-D printing software for users to download and process models and send them [...]
---------------------------------------------
http://blog.talosintelligence.com/2022/01/vulnerability-spotlight-buffer-ov…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0016
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 05-01-2022 18:00 − Freitag 07-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google Docs commenting feature exploited for spear-phishing ∗∗∗
---------------------------------------------
A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-docs-commenting-featu…
∗∗∗ Night Sky is the latest ransomware targeting corporate networks ∗∗∗
---------------------------------------------
Its a new year, and with it comes a new ransomware to keep an eye on called Night Sky that targets corporate networks and steals data in double-extortion attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-rans…
∗∗∗ New Mac Malware Samples Underscore Growing Threat ∗∗∗
---------------------------------------------
A handful of malicious tools that emerged last year showed threat actors may be getting more serious about attacking Apple macOS and iOS environments.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/new-mac-malware-samples…
∗∗∗ Custom Python RAT Builder, (Fri, Jan 7th) ∗∗∗
---------------------------------------------
This week I already wrote a diary about "code reuse" in the malware landscape but attackers also have plenty of tools to generate new samples on the fly.
---------------------------------------------
https://isc.sans.edu/diary/rss/28224
∗∗∗ NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance ∗∗∗
---------------------------------------------
When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point.
---------------------------------------------
https://thehackernews.com/2022/01/nist-cybersecurity-framework-quick.html
∗∗∗ iPhone-Angriff: Hacker könnten Reboot verunmöglichen ∗∗∗
---------------------------------------------
Malware wie die iOS-Version der Spyware Pegasus gehen nach einem Neustart verloren. Dieser lässt sich allerdings unterbinden, wie eine Sicherheitsfirma zeigt.
---------------------------------------------
https://heise.de/-6319430
∗∗∗ Patchday Android: Angreifer könnten sich weitreichende Berechtigungen aneignen ∗∗∗
---------------------------------------------
Google und weitere Smartphone-Hersteller haben wichtige Sicherheitsupdates für Android 9, 10, 11 und 12 veröffentlicht.
---------------------------------------------
https://heise.de/-6320248
∗∗∗ Vermeintlicher Amazon-Kundendienst verschickt betrügerische Mails zu Kundenprämienprogramm ∗∗∗
---------------------------------------------
LeserInnen melden uns derzeit eine E-Mail, die angeblich vom Amazon-Kundendienst stammt. Tatsächlich stecken Kriminelle dahinter.
---------------------------------------------
https://www.watchlist-internet.at/news/vermeintlicher-amazon-kundendienst-v…
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP warns of ransomware targeting Internet-exposed NAS devices ∗∗∗
---------------------------------------------
QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-tar…
∗∗∗ NHS warns of hackers exploiting Log4Shell in VMware Horizon ∗∗∗
---------------------------------------------
UKs National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploit…
∗∗∗ Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console ∗∗∗
---------------------------------------------
Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month.
---------------------------------------------
https://thehackernews.com/2022/01/log4shell-like-critical-rce-flaw.html
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 36 Security Bulletins veröffentlicht
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Sicherheitsupdate: Angreifer könnten sich auf WordPress-Websites einnisten ∗∗∗
---------------------------------------------
In der aktuellen Version des Content Management System WordPress haben die Entwickler vier Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-6320363
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (log4j and quaternion), Mageia (gnome-shell and singularity), SUSE (libsndfile, libvirt, net-snmp, and python-Babel), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, [...]
---------------------------------------------
https://lwn.net/Articles/880564/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sphinxsearch), Fedora (chromium and vim), Red Hat (rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and Ubuntu (apache2 and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/880672/
∗∗∗ January 5, 2022 TNS-2022-01 [R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2022-01
∗∗∗ January 5, 2022 TNS-2022-02 [R1] Nessus Network Monitor 6.0.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2022-02
∗∗∗ VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Log-Dateien ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0006
∗∗∗ Drupal Plugins: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0014
∗∗∗ Omron CX-One ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-006-01
∗∗∗ Fernhill SCADA ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-006-02
∗∗∗ IDEC PLCs ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03
∗∗∗ Philips Engage Software ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsma-22-006-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 04-01-2022 18:00 − Mittwoch 05-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iOS malware can fake iPhone shut downs to snoop on camera, microphone ∗∗∗
---------------------------------------------
Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ios-malware-can-fake-iphone-…
∗∗∗ Code Reuse In the Malware Landscape, (Wed, Jan 5th) ∗∗∗
---------------------------------------------
Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve?
---------------------------------------------
https://isc.sans.edu/diary/rss/28216
∗∗∗ New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification ∗∗∗
---------------------------------------------
An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsofts digital signature verification to siphon user credentials and sensitive information.
---------------------------------------------
https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html
∗∗∗ Elephant Beetle: Uncovering an organized financial-theft operation ∗∗∗
---------------------------------------------
Using an arsenal of over 80 unique tools & scripts, the group executes its attacks patiently over long periods of time, blending in with the target’s environment and going completely undetected while it quietly liberates organizations of large amounts of money.
---------------------------------------------
https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operati…
∗∗∗ „Media Markt Exclusive Giveaway“ Aktion ist Fake! ∗∗∗
---------------------------------------------
Auf Facebook werden derzeit Links zu einer nachgeahmten Media Markt Seite verbreitet. Dort heißt es, dass Media Markt landesweit Filialen schließt und daher eine „Online-Aktion“ durchführt. KonsumentInnen hätten so die Chance, Produkte wie iPhones, Macbooks, Playstations und mehr günstig zu kaufen. Wer bei dieser Aktion mitmacht, verliert jedoch Geld und erhält keine der versprochenen Produkte.
---------------------------------------------
https://www.watchlist-internet.at/news/media-markt-exclusive-giveaway-aktio…
∗∗∗ Malware Reverse Engineering for Beginners – Part 1: From 0x0 ∗∗∗
---------------------------------------------
Malware researchers require a diverse skill set usually gained over time through experience and self-training. Reverse engineering (RE) is an integral part of malware analysis and research but it is also one of the most advanced skills a researcher can have.
---------------------------------------------
https://www.intezer.com/blog/malware-analysis/malware-reverse-engineering-b…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-01-05 ∗∗∗
---------------------------------------------
IBM hat 26 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ VMware-Sicherheitsupdates: Virtuelles CD-ROM-Laufwerk als Angreifer-Schlupfloch ∗∗∗
---------------------------------------------
VMware warnt vor einer Lücke in seinen Anwendungen für virtuelle Maschinen Cloud Foundation, ESXi, Fusion und Workstation. Einige Patches fehlen noch.
---------------------------------------------
https://heise.de/-6318269
∗∗∗ Sicherheitspatches: Angreifer könnten Datenbanken in IBM Db2 manipulieren ∗∗∗
---------------------------------------------
IBM hat Sicherheitslücken in mehreren Anwendungen wie Cloud Private, Db2 und Elastic Search geschlossen. Außerdem gibt es Neuigkeiten zu Log4j-Anfälligkeiten.
---------------------------------------------
https://heise.de/-6318740
∗∗∗ Entwickler schließen 37 Sicherheitslücken in Chrome 97 ∗∗∗
---------------------------------------------
Die Vorgängerversion von Chrome 97 enthielt mindestens eine kritische Sicherheitslücke. Angreifer hätten vermutlich eingeschleusten Code ausführen können.
---------------------------------------------
https://heise.de/-6318885
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (xorg-x11-server), Debian (apache2), openSUSE (libvirt), Oracle (grafana, qemu, and xorg-x11-server), Red Hat (idm:DL1, samba, and telnet), SUSE (libvirt), and Ubuntu (python-django).
---------------------------------------------
https://lwn.net/Articles/880454/
∗∗∗ Google Patches 48 Vulnerabilities With First Set of 2022 Android Updates ∗∗∗
---------------------------------------------
Google this week published information on the first set of 2022 security updates for Android, describing a total of 48 vulnerabilities that were addressed across Android OS, Pixel devices, and Android Automotive OS.
---------------------------------------------
https://www.securityweek.com/google-patches-48-vulnerabilities-first-set-20…
∗∗∗ K10396196: Linux RPM vulnerability CVE-2021-20271 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10396196
∗∗∗ WAGO: Smart Script affected by Log4Shell Vulnerability ∗∗∗
---------------------------------------------
http://cert.vde.com/de/advisories/VDE-2021-060/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 03-01-2022 18:00 − Dienstag 04-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ A Simple Batch File That Blocks People, (Tue, Jan 4th) ∗∗∗
---------------------------------------------
I found another script that performs malicious actions. Its a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53).
---------------------------------------------
https://isc.sans.edu/diary/rss/28212
∗∗∗ Purple Fox rootkit now bundled with Telegram installer ∗∗∗
---------------------------------------------
The Purple Fox malware family has been found to combine its payload with trusted apps in an interesting way.
---------------------------------------------
https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundle…
∗∗∗ Mails zu Hacks von einer Telefonnummer? Nicht zurückrufen! ∗∗∗
---------------------------------------------
Kriminelle versenden aktuell E-Mails, bei denen als Absender eine Telefonnummer angezeigt wird. Angeblich wurden die Systeme der EmpfängerInnen gehackt und mit Viren infiziert. Deshalb müsse dringend die Nummer zurückgerufen werden. Achtung: Hier lauert eine Falle und die E-Mail kann ignoriert werden.
---------------------------------------------
https://www.watchlist-internet.at/news/mails-zu-hacks-von-einer-telefonnumm…
∗∗∗ A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain ∗∗∗
---------------------------------------------
A supply chain attack leveraging a cloud video platform to distribute web skimmer campaigns compromised more than 100 real estate sites.
---------------------------------------------
https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/
∗∗∗ Log4j flaw attack levels remain high, Microsoft warns ∗∗∗
---------------------------------------------
Organizations mights not realize their environments are already compromised.
---------------------------------------------
https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-proble…
∗∗∗ State-of-the-art EDRs are not perfect, fail to detect common attacks ∗∗∗
---------------------------------------------
A team of Greek academics has tested endpoint detection & response (EDR) software from 11 of todays top cybersecurity firms and found that many fail to detect some of the most common attack techniques used by advanced persistent threat actors, such as state-sponsored espionage groups and ransomware gangs.
---------------------------------------------
https://therecord.media/state-of-the-art-edrs-are-not-perfect-fail-to-detec…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (salt and thunderbird), Red Hat (xorg-x11-server), and Scientific Linux (xorg-x11-server).
---------------------------------------------
https://lwn.net/Articles/880327/
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Copy Data Management (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Apache Log4j vulnerabilities impact IBM Sterling Connect:Direct for UNIX (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability(CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana…
∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities(CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ VMSA-2022-0001 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0001.html
∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0002
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 30-12-2021 18:00 − Montag 03-01-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Dont copy-paste commands from webpages — you can get hacked ∗∗∗
---------------------------------------------
Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal risk having their system compromised. Wizers Gabriel Friedlander demonstrates an obvious, simple yet stunning trick that'll make you think twice before copying-pasting text from web pages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-fro…
∗∗∗ Do you want your Agent Tesla in the 300 MB or 8 kB package?, (Fri, Dec 31st) ∗∗∗
---------------------------------------------
Since today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year.
---------------------------------------------
https://isc.sans.edu/diary/rss/28202
∗∗∗ McAfee Phishing Campaign with a Nice Fake Scan, (Mon, Jan 3rd) ∗∗∗
---------------------------------------------
I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared.
---------------------------------------------
https://isc.sans.edu/diary/rss/28208
∗∗∗ Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations ∗∗∗
---------------------------------------------
Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis.
---------------------------------------------
https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html
∗∗∗ Nach Ransomware-Angriff: Webseiten mehrerer Medien aus Portugal offline ∗∗∗
---------------------------------------------
Eine neue Ransomware-Gruppe hat den portugiesischen Medienkonzern Impresa angegriffen. Mehrere Medien können aktuell nur über Social Media Meldungen verbreiten.
---------------------------------------------
https://heise.de/-6316020
∗∗∗ Y2K22-Bug stoppt Exchange-Mailzustellung: Antimalware-Engine stolpert über 2022 ∗∗∗
---------------------------------------------
Zum Jahreswechsel streiken weltweit zahlreiche Exchange-Server, weil die FIP-FS-Scan-Engine sich an der Jahreszahl verhebt. Immerhin gibt es temporäre Abhilfe.
---------------------------------------------
https://heise.de/-6315605
∗∗∗ On the malicious use of large language models like GPT-3 ∗∗∗
---------------------------------------------
Or, “Can large language models generate exploits?”
---------------------------------------------
https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-lang…
∗∗∗ Detecting anomalous Vectored Exception Handlers on Windows ∗∗∗
---------------------------------------------
We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous.
---------------------------------------------
https://research.nccgroup.com/2022/01/03/detecting-anomalous-vectored-excep…
∗∗∗ Shodan Verified Vulns 2022-01-01 ∗∗∗
---------------------------------------------
Auch dieses Monat sehen wir wieder einen deutlichen Rückgang der verwundbaren Exchange-Server. Neu hinzugekommen ist die Grafana Path Traversal Schwachstelle CVE-2021-43798, welche am 7. Dezember veröffentlicht wurde.
---------------------------------------------
https://cert.at/de/aktuelles/2022/1/shodan-verified-vulns-2022-01-01
∗∗∗ Log4j Scanners ∗∗∗
---------------------------------------------
There are 19 tools, and each has certain stipulations with it. I would suggest take a look.
---------------------------------------------
https://securitythreatnews.com/2022/01/03/log4j-scanners/
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple: Sicherheitslücke kann iPhones und iPads unbenutzbar machen ∗∗∗
---------------------------------------------
Über eine Sicherheitslücke in Apples Homekit lassen sich iPhones erst nach einem Reset wieder nutzen. Ein Update hat Apple verschoben.
---------------------------------------------
https://www.golem.de/news/apple-sicherheitsluecke-kann-iphones-und-ipads-un…
∗∗∗ Rootkit schlüpft durch Lücke in HPEs Fernwartung iLO ∗∗∗
---------------------------------------------
Eine Iranische Security-Firma hat ein Rootkit entdeckt, das sich in Hewlett Packards Fernwartungstechnik "Integrated Lights-Out" (iLO) eingenistet hat.
---------------------------------------------
https://heise.de/-6315714
∗∗∗ Jetzt patchen: Netgear-Router Nighthawk R6700v3 könnte Passwörter leaken ∗∗∗
---------------------------------------------
Angreifer könnten Nighthawk-Router von Netgear attackieren. Es könnten noch weitere Modelle betroffen sein. Aktuelle Firmware-Versionen sollen Abhilfe schaffen.
---------------------------------------------
https://heise.de/-6316037
∗∗∗ Trend Micro Apex One und Worry-Free Business Security gefährden Windows-PCs ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für die Schutzlösungen Apex One und Worry-Free Business Security von Trend Micro erschienen.
---------------------------------------------
https://heise.de/-6316263
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (agg, aria2, fort-validator, and lxml), Fedora (libgda, pgbouncer, and xorg-x11-server-Xwayland), Mageia (calibre, e2guardian, eclipse, libtpms/swtpm, nodejs, python-lxml, and toxcore), openSUSE (c-toxcore, gegl, getdata, kernel-firmware, log4j, postrsd, and privoxy), and SUSE (gegl).
---------------------------------------------
https://lwn.net/Articles/880100/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird), Fedora (kernel, libopenmpt, and xorg-x11-server), Mageia (gegl, libgda5.0, log4j, ntfs-3g, and wireshark), openSUSE (log4j), and Red Hat (grafana).
---------------------------------------------
https://lwn.net/Articles/880232/
∗∗∗ Security Bulletin: IBM Insurance Information Warehouse is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-insurance-information…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Banking and Financial Markets Data Warehouse (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Unified Data Model for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-unified-data-model-fo…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Data Model for Energy and Utilities is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-model-for-energy…
∗∗∗ Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-apac…
∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-ibm-i2…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale for IBM Elastic Storage Server (CVE-2021-45105,CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Elastic Storage System (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus (CVE-2021-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 29-12-2021 18:00 − Donnerstag 30-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Hiding malware inside the flex capacity space on modern SSDs ∗∗∗
---------------------------------------------
Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location thats beyond the reach of the user and security solutions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hiding-malware-inside-the-fl…
∗∗∗ Agent Tesla Updates SMTP Data Exfiltration Technique, (Thu, Dec 30th) ∗∗∗
---------------------------------------------
Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data. This malware has been around since 2014, and SMTP is its most common method for data exfiltration.
---------------------------------------------
https://isc.sans.edu/diary/rss/28190
∗∗∗ LastPass Automated Warnings Linked to ‘Credential Stuffing’ Attack ∗∗∗
---------------------------------------------
Users of the popular LastPass password manager are being targeted in so-called “credential stuffing” attacks that use email addresses and passwords obtained from third-party breaches.
---------------------------------------------
https://www.securityweek.com/lastpass-automated-warnings-linked-%E2%80%98cr…
∗∗∗ Android 12: Samsung überrascht zum Jahresende mit regelrechter Update-Flut ∗∗∗
---------------------------------------------
Updates für praktisch alle High-End-Smartphones der vergangenen drei Jahre veröffentlicht. Selbst erste Tablets werden schon bedient.
---------------------------------------------
https://www.derstandard.at/story/2000132240383/android-12-samsung-ueberrasc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (advancecomp, apache-log4j2, postgis, spip, uw-imap, and xorg-server), Mageia (kernel and kernel-linus), Scientific Linux (log4j), and SUSE (kernel-firmware and mariadb).
---------------------------------------------
https://lwn.net/Articles/880039/
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects IBM Db2 Web Query for i (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Guardium Data Encryption (GDE) (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Trend Micro Apex One und Trend Micro Worry-Free Business Security: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1320
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 28-12-2021 18:00 − Mittwoch 29-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ RedLine malware shows why passwords shouldnt be saved in browsers ∗∗∗
---------------------------------------------
The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-pa…
∗∗∗ Microsoft Defender Log4j scanner triggers false positive alerts ∗∗∗
---------------------------------------------
Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the companys newly deployed Microsoft 365 Defender scanner for Log4j processes.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-sc…
∗∗∗ Wieder Sicherheitslücken in Herzschrittmachern gefunden ∗∗∗
---------------------------------------------
Auf der Online-Konferenz RC3 zeigten zwei Sicherheitsforscher, wie sie Cardio-Geräte unter die Lupe genommen haben.
---------------------------------------------
https://futurezone.at/digital-life/herzschrittmacher-sicherheitsluecken-rc3…
∗∗∗ Responsible Disclosure: Deine Software, die Sicherheitslücken und ich ∗∗∗
---------------------------------------------
Wie meldet man Sicherheitslücken eigentlich richtig? Und wie sollten Unternehmen damit umgehen? Zerforschung und CCC klären auf. Ein Bericht von Moritz Tremmel (rC3, API)
---------------------------------------------
https://www.golem.de/news/responsible-disclosure-deine-software-die-sicherh…
∗∗∗ LotL Classifier tests for shells, exfil, and miners, (Tue, Dec 28th) ∗∗∗
---------------------------------------------
A supervised learning approach to Living off the Land attack classification from Adobe SI
---------------------------------------------
https://isc.sans.edu/diary/rss/28184
∗∗∗ Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics ∗∗∗
---------------------------------------------
An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed. [...] Initial attacks involved executing a malicious command upon running a vanilla image named "alpine:latest" that resulted in the download of a shell script named "autom.sh." "Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use,"
---------------------------------------------
https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html
∗∗∗ Turning bad SSRF to good SSRF: Websphere Portal ∗∗∗
---------------------------------------------
In this blog post, we will explain how we discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how we turned a restrictive, bad SSRF to a good SSRF.
---------------------------------------------
https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/
∗∗∗ Storage Devices of Major Vendors Impacted by Encryption Software Flaws ∗∗∗
---------------------------------------------
Earlier this month, SecurityWeek reported that Western Digital had updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks.
SanDisk SecureAccess, recently rebranded SanDisk PrivateAccess, is a piece of software that allows users to encrypt files and folders stored in a protected vault on SanDisk USB flash drives.[...] Pelissier detailed his findings this week at the Chaos Computer Club’s Remote Chaos Experience (rC3) virtual conference, where he revealed that the vulnerabilities were actually discovered in the DataVault encryption software made by ENC Security.
---------------------------------------------
https://www.securityweek.com/storage-devices-major-vendors-impacted-encrypt…
∗∗∗ Sicher kaufen auf Willhaben, Shpock & Co. ∗∗∗
---------------------------------------------
Sie sind auf der Suche nach gebrauchten Schnäppchen? Mit Kleinanzeigenplattformen wie willhaben, Shpock oder den Facebook Marketplace gibt es zahlreiche Möglichkeiten, um zu stöbern und das perfekte Schnäppchen zu finden. Allerdings sollten Sie beim Shoppen auf solchen Plattformen einige Punkte beachten.
---------------------------------------------
https://www.watchlist-internet.at/news/sicher-kaufen-auf-willhaben-shpock-c…
∗∗∗ Threat actor uses HP iLO rootkit to wipe servers ∗∗∗
---------------------------------------------
An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations.
---------------------------------------------
https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/
=====================
= Vulnerabilities =
=====================
∗∗∗ Log4Shell vulnerability Number Four: “Much ado about something” ∗∗∗
---------------------------------------------
CVE-2021-44832; Its a Log4j bug, and you ought to patch it. But we dont think its a critical crisis like the last one.
---------------------------------------------
https://nakedsecurity.sophos.com/2021/12/29/log4shell-vulnerability-number-…
∗∗∗ SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products ∗∗∗
---------------------------------------------
This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247.
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-784507.txt
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, python-gnupg, resiprocate, and ruby-haml), Fedora (mod_auth_mellon), openSUSE (thunderbird), Slackware (wpa_supplicant), and SUSE (gegl).
---------------------------------------------
https://lwn.net/Articles/879995/
∗∗∗ D-LINK Router (DIR-2640 <= 1.11B02): Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um seine Privilegien zu erweitern, vertrauliche Informationen offenzulegen und beliebigen Code als root auszuführen.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1313
∗∗∗ Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. ∗∗∗
---------------------------------------------
Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
- Citrix Endpoint Management (Citrix XenMobile Server): Impacted – Customers are advised to apply the latest CEM rolling patch updates
- Citrix Virtual Apps and Desktops (XenApp & XenDesktop): Impacted - Linux VDA (non-LTSR versions only)
---------------------------------------------
https://support.citrix.com/article/CTX335705
∗∗∗ Exposure of Sensitive Information in QTS, QuTS hero, and QuTScloud ∗∗∗
---------------------------------------------
CVE identifier: CVE-2021-34347
Affected products: All QNAP NAS
A vulnerability involving exposure of sensitive information has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-21-53
∗∗∗ Security Advisory - Cross-Site Scripting(XSS) Vulnerability in Huawei WS318n Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211229-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM SANnav software used by IBM b-type SAN directors and switches (CVE-2021-45105 and CV-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 27-12-2021 18:00 − Dienstag 28-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers ∗∗∗
---------------------------------------------
Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature thats dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group.
---------------------------------------------
https://thehackernews.com/2021/12/experts-detail-logging-tool-of.html
∗∗∗ V8 Heap pwn and /dev/memes - WebOS Root LPE ∗∗∗
---------------------------------------------
This is a writeup for my latest WebOS local root exploit chain, which Im calling WAMpage. ... This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want RootMyTV, which offers a reliable 1-click persistent root.
---------------------------------------------
https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html
∗∗∗ Threat Actors Abuse MSBuild for Cobalt Strike Beacon Execution ∗∗∗
---------------------------------------------
Recently observed malicious campaigns have abused Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines. [...] The threat actors typically gain access to the target environment using a valid remote desktop protocol (RDP) account, leverage remote Windows Services (SCM) for lateral movement, and abuse MSBuild to execute the Cobalt Strike Beacon payload.
---------------------------------------------
https://www.securityweek.com/threat-actors-abuse-msbuild-cobalt-strike-beac…
=====================
= Vulnerabilities =
=====================
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
Update December 28, 10:01am
The list of products that are confirmed not impacted by Log4j 2.x CVE-2021-44228 and the list of products that have been remediated for Log4j 2.x CVE-2021-44228 has been updated.
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (djvulibre, libzip, monit, novnc, okular, paramiko, postgis, rdflib, ruby2.3, and zziplib), openSUSE (chromium, kafka, and permissions), and SUSE (net-snmp and permissions).
---------------------------------------------
https://lwn.net/Articles/879952/
∗∗∗ Security Bulletin:IBM SPSS Modeler is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletinibm-spss-modeler-is-vulner…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Operations Center (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: IBM Navigator for i is affected by security vulnerability (CVE-2021-38876) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ SSA-661247 V2.0 (Last Update: 2021-12-27): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily