[CERT-daily] Daily summary - 13.12.2021
Daily end-of-shift report
team at cert.at
Mon Dec 13 19:01:17 CET 2021
=====================
= End-of-Day report =
=====================
Timeframe: Friday 10-12-2021 18:00 − Monday 13-12-2021 18:00
Handler: Dimitri Robl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Protection against the Log4j flaw – what helps now and what does not ∗∗∗
---------------------------------------------
"Alert level red" for users and companies, but what does that mean in concrete terms? Here is how to test services for the Log4j flaw and reduce your risk of attack.
---------------------------------------------
https://heise.de/-6292961
∗∗∗ log4j-scan ∗∗∗
---------------------------------------------
We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability.
---------------------------------------------
https://github.com/fullhunt/log4j-scan
∗∗∗ Ten families of malicious samples are spreading using the Log4j2 vulnerability Now ∗∗∗
---------------------------------------------
On December 11, 2021, at 8:00 pm, we published a blog disclosing Mirai and Muhstik botnet samples propagating through Log4j2 RCE vulnerability[1]. Over the past 2 days, we have captured samples from other families, and now the list of families has exceeded 10.
---------------------------------------------
https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/
∗∗∗ log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228 ∗∗∗
---------------------------------------------
tl;dr Add our new tool, -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar, to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the "Log4Shell" vulnerability and gaining remote code execution on your systems. In this post, we first offer some context on the vulnerability, the released fixes [...]
---------------------------------------------
https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/
∗∗∗ Malicious PyPI packages with over 10,000 downloads taken down ∗∗∗
---------------------------------------------
The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have generated over 10,000 downloads and mirrors put together, according to the researchers report.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-with-over-10-000-downloads-taken-down/
∗∗∗ Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group ∗∗∗
---------------------------------------------
A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021. The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, [...]
---------------------------------------------
https://thehackernews.com/2021/12/karakurt-new-emerging-data-theft-and.html
∗∗∗ HANCITOR DOC drops via CLIPBOARD ∗∗∗
---------------------------------------------
Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through Selection.Copy method.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/
∗∗∗ Diavol Ransomware ∗∗∗
---------------------------------------------
In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Diavol Ransomware.
---------------------------------------------
https://thedfirreport.com/2021/12/13/diavol-ransomware/
∗∗∗ Bugs in the Cloud: How One Vulnerability Exposed 'Offline' Devices to a Security Risk ∗∗∗
---------------------------------------------
The post Bugs in the Cloud: How One Vulnerability Exposed ‘Offline’ Devices to a Security Risk appeared first on Claroty.
---------------------------------------------
https://claroty.com/2021/12/13/blog-research-bugs-in-the-cloud-how-one-vulnerability-exposed-offline-devices-to-a-security-risk/
∗∗∗ Forget the darknet – ransomware gangs pressure victims via social media ∗∗∗
---------------------------------------------
Ransomware groups use social network channels to advertise their attacks and thereby put further pressure on their victims to pay the ransom.
---------------------------------------------
https://blog.emsisoft.com/de/39431/von-wegen-darknet-ransomware-gangs-setzen-opfer-per-social-media-unter-druck/
∗∗∗ Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits ∗∗∗
---------------------------------------------
Deserialization vulnerabilities are a class of bugs that have plagued multiple languages and applications over the years. These include Exchange (CVE-2021-42321), Zoho ManageEngine (CVE-2020-10189), Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and more. Fundamentally, these bugs are a result of applications placing too much trust in data that a user (or attacker) can tamper with.
---------------------------------------------
https://www.mandiant.com/resources/hunting-deserialization-exploits
=====================
= Vulnerabilities =
=====================
∗∗∗ Log4j Vulnerability (CVE-2021-44228) ∗∗∗
---------------------------------------------
This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-44228).
---------------------------------------------
https://github.com/NCSC-NL/log4shell
∗∗∗ VMSA-2021-0028 ∗∗∗
---------------------------------------------
[...] Synopsis: VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
∗∗∗ Log4j Zero-Day Vulnerability ∗∗∗
---------------------------------------------
IBM X-Force Incident Command is following a recent disclosure regarding a vulnerability in the Log4j Java library. A report by LunaSec details the vulnerability as well as mitigation strategies for the vulnerability.
---------------------------------------------
https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90bc949
∗∗∗ Bugs in billions of WiFi, Bluetooth chips allow password, data theft ∗∗∗
---------------------------------------------
Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab have published a paper that proves it's possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device's Bluetooth component.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
∗∗∗ IBM Security Bulletins 2021-12-10 - 2021-12-13 ∗∗∗
---------------------------------------------
WebSphere Application Server, Rational Application Developer for WebSphere, Spectrum Copy Data Management, Tivoli Netcool, Spectrum Protect, i2 Analyst's Notebook, Decision Optimization Center, ILOG CPLEX Optimization Studio, PowerVM, Db2
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium, firefox, gitlab, grafana, grafana-agent, thunderbird, and vivaldi), Debian (apache-log4j2, privoxy, and wireshark), Fedora (firefox, grub2, mariadb, mod_auth_openidc, rust-drg, rust-tiny_http, and rust-tiny_http0.6), Mageia (chromium-browser-stable, curaengine, fetchmail, firefox, libvirt, log4j, opencontainers-runc, python-django, speex, and thunderbird), openSUSE (clamav, firefox, glib-networking, glibc, gmp, ImageMagick, log4j, [...]
---------------------------------------------
https://lwn.net/Articles/878520/
∗∗∗ CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog
∗∗∗ Oracle Security Alert for CVE-2021-44228 - 10 December 2021 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
∗∗∗ Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021 ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
∗∗∗ Citrix Security Advisory for Apache CVE-2021-44228 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX335705
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily