[CERT-daily] Tageszusammenfassung - 23.12.2021

Daily end-of-shift report team at cert.at
Thu Dec 23 18:38:10 CET 2021


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 22-12-2021 18:00 − Donnerstag 23-12-2021 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Dridex malware trolls employees with fake job termination emails ∗∗∗
---------------------------------------------
A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a seasons greeting message. 
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employees-with-fake-job-termination-emails/


∗∗∗ Microsoft Azure App Service flaw exposed customer source code ∗∗∗
---------------------------------------------
A security flaw found in Azure App Service, a Microsoft-managed platform for building and hosting web apps, led to the exposure of PHP, Node, Python, Ruby, or Java customer source code for at least four years, since 2017.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-azure-app-service-flaw-exposed-customer-source-code/


∗∗∗ Honeypot experiment reveals what hackers want from IoT devices ∗∗∗
---------------------------------------------
​A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices. 
---------------------------------------------
https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-what-hackers-want-from-iot-devices/


∗∗∗ Attackers, CSIRTs and Individual Rights: Clarified ∗∗∗
---------------------------------------------
A few years ago I wrote a post on how the GDPR copes with situations when there was a conflict between the obligation to prevent, detect and investigate incidents and the obligation to inform all those whose personal data you process. GDPR Article 14(5) provides a general tool for resolving that conflict: you don’t need to inform if doing so “is likely to render impossible or seriously impair the achievement of the objectives of that processing”.
---------------------------------------------
https://regulatorydevelopments.jiscinvolve.org/wp/2021/12/22/attackers-csirts-and-individual-rights-clarified/


∗∗∗ Microsoft Teams blockiert Notrufe mit Android-Handys – Update einspielen ∗∗∗
---------------------------------------------
Die Android-App für Microsoft Teams kann unter Umständen Notrufe vom Handy verhindern. Die aktuelle Version soll das unterlassen. [...] Wie es überhaupt dazu kommen kann, dass eine App ohne Root-Rechte die wichtigste Funktion des Telefons sabotieren kann, verraten weder Google noch Microsoft. [...] Das zugrundeliegende Sicherheitsproblem in Android möchte Google mit dem ersten Android-Sicherheitsupdate im neuen Jahr beheben.
---------------------------------------------
https://heise.de/-6306221


∗∗∗ Audio bugging with the Fisher Price Chatter Bluetooth Telephone ∗∗∗
---------------------------------------------
The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute!
Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances.
---------------------------------------------
https://www.pentestpartners.com/security-blog/audio-bugging-with-the-fisher-price-chatter-bluetooth-telephone/


∗∗∗ This new ransomware has simple but very clever tricks to evade PC defenses ∗∗∗
---------------------------------------------
One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target's intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe.
---------------------------------------------
https://www.zdnet.com/article/this-new-ransomware-has-simple-but-very-clever-tricks-to-evade-pc-defenses/


∗∗∗ Log4j Vulnerabilities: Attack Insights ∗∗∗
---------------------------------------------
Symantec [..] has observed numerous variations in attack requests primarily aimed at evading detection. [..] Attackers are predominantly using the LDAP and RMI protocols to download malicious payloads. We have also recorded vulnerability scans using protocols such as IIOP, DNS, HTTP, NIS etc.
Payloads: Muhstik Botnet, XMRig miner, Malicious class file backdoor, Reverse Bash shell. Other publicly reported payloads include the Khonsari and Conti ransomware threats, the Orcus remote access Trojan (RAT), and the Dridex malware, among others.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047 ∗∗∗
---------------------------------------------
Project: Mail Login
Security risk: Moderately critical
Description: This modules enables users to login via email address.This module does not sufficiently check user status when authenticating.Solution: Install the latest version
If you use the mail_login module for Drupal 8 or 9, upgrade to Mail Login 8.x-2.5
---------------------------------------------
https://www.drupal.org/sa-contrib-2021-047


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM hat 46 Security Bulletins veröffentlicht.
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ CVE-2021-44790: Apache HTTP Server / mod_lua ∗∗∗
---------------------------------------------
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
---------------------------------------------
https://www.openwall.com/lists/oss-security/2021/12/20/4


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openjdk-11), Fedora (keepalived and tang), openSUSE (openssh, p11-kit, runc, and thunderbird), Oracle (postgresql:12, postgresql:13, and virt:ol and virt-devel:ol), Red Hat (rh-maven36-log4j12), and SUSE (ansible, chrony, logstash, elasticsearch, kafka, zookeeper, openstack-monasca-agent, openstack-monasca-persister-java, openstack-monasca-thresh, openssh, p11-kit, python-Babel, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/879675/


∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗
---------------------------------------------
A malicious privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K21-1304


∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerability in some Huawei products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-01-log4j-en


∗∗∗ SSA-661247 V1.8 (Last Update: 2021-12-22): Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list