[CERT-daily] Tageszusammenfassung - 11.04.2022

Daily end-of-shift report team at cert.at
Mon Apr 11 19:06:33 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 08-04-2022 18:00 − Montag 11-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Android banking malware takes over calls to customer support ∗∗∗
---------------------------------------------
A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a banks customer support number and connect the victim directly with the cybercriminals operating the malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-banking-malware-takes-over-calls-to-customer-support/


∗∗∗ Security: OpenSSH 9.0 veröffentlicht ∗∗∗
---------------------------------------------
Die neue Version von OpenSSH bringt unter anderem eine Härtung gegen Faktorisierungsattacken mit zukünftigen Quantencomputern mit.
---------------------------------------------
https://www.golem.de/news/security-openssh-9-0-veroeffentlicht-2204-164550-rss.html


∗∗∗ Method For String Extraction Filtering, (Sat, Apr 9th) ∗∗∗
---------------------------------------------
In diary entry "XLSB Files: Because Binary is Stealthier Than XML", Xavier shows how to extract strings (URLs) from binary files that make up an Excel spreadsheet. This inspired me to make a tool to parse this XLSB file format: "Quickie: Parsing XLSB Documents". Now I'm presenting another method, one that uses string analysis.
---------------------------------------------
https://isc.sans.edu/diary/rss/28532


∗∗∗ Mirai-Botnet missbraucht Spring4Shell-Sicherheitsleck ∗∗∗
---------------------------------------------
Sicherheitsforscher haben beobachtet, dass das Mirai-Botnet die Spring4Shell-Schwachstelle angreift und dadurch die Malware verbreitet.
---------------------------------------------
https://heise.de/-6668646


∗∗∗ Denonia cryptominer is first malware to target AWS Lambda ∗∗∗
---------------------------------------------
There is now malware in serverless environments. Dubbed Denonia, it specifically targets the AWS Lambda to perform cryptojacking.
---------------------------------------------
https://blog.malwarebytes.com/business-2/2022/04/denonia-cryptominer-is-first-malware-to-target-aws-lambda/


∗∗∗ Octo Android Trojan Allows Cybercrooks to Conduct On-Device Fraud ∗∗∗
---------------------------------------------
Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud.
---------------------------------------------
https://www.securityweek.com/octo-android-trojan-allows-cybercrooks-conduct-device-fraud


∗∗∗ Think Like a Criminal: Knowing Popular Attack Techniques to Stop Bad Actors Faster ∗∗∗
---------------------------------------------
Analyzing the attack goals of adversaries is important to be able to better align defenses against the speed of changing attack techniques. By focusing on a handful of techniques, you can effectively shut down malware’s methods of choice for getting in and making itself at home. To achieve this, you need to know which key areas to be focusing on in the coming months.
---------------------------------------------
https://www.securityweek.com/think-criminal-knowing-popular-attack-techniques-stop-bad-actors-faster


∗∗∗ Love-Scam - Wie unterstütze ich Betroffene? ∗∗∗
---------------------------------------------
Hilfe! Mein Mutter, mein Onkel, meine Bekannte liebt eine:n Internetbetrüger:in. Für Außenstehende ist der Fall meist klar: Die Internetliebe ist ein:e Betrüger:in. Das Opfer möchte dies aber nicht glauben und überweist immer wieder Geld. Was tun? Wie können Sie Opfer von Liebesbetrüger:innen unterstützen?
---------------------------------------------
https://www.watchlist-internet.at/news/love-scam-wie-unterstuetze-ich-betroffene/


∗∗∗ New SolarMarker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns ∗∗∗
---------------------------------------------
A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve.
---------------------------------------------
https://unit42.paloaltonetworks.com/solarmarker-malware/


∗∗∗ Insider-Bedrohungen greifen nach außen ∗∗∗
---------------------------------------------
Wenn Mitarbeiter auf eigene Faust zum Cyberkrieger werden wollen, kann das die Unternehmenssicherheit ebenso gefährden wie traditionelle Insider- und externe Bedrohungen, berichtet Andreas Riepen, Regional Sales Director Central Europe bei Vectra AI, in einem Gastbeitrag.
---------------------------------------------
https://www.zdnet.de/88400523/insider-bedrohungen-greifen-nach-aussen/


∗∗∗ Cyber-Sicherheit im Gesundheitswesen ∗∗∗
---------------------------------------------
Das Gesundheitswesen ist nach wie vor einer der am häufigsten durch Hacker angegriffenen Bereiche. Lieder wurden in der Vergangenheit entsprechende Hausaufgaben lange aufgeschobene. 
---------------------------------------------
https://www.borncity.com/blog/2022/04/10/cyber-sicherheit-im-gesundheitswesen/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now! ∗∗∗
---------------------------------------------
A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it.
---------------------------------------------
https://nakedsecurity.sophos.com/2022/04/08/popular-ruby-asciidoc-toolkit-patched-against-critical-vuln-get-the-update-now/


∗∗∗ Spring: It isnt just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too., (Mon, Apr 11th) ∗∗∗
---------------------------------------------
Our "First Seen URL" page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. [...] The scan for /actuator/gateway/routes may be looking for systems that are possibly vulnerable to CVE-2022-22947 or other vulnerabilities in the Spring Cloud function (we had at least three different vulnerabilities recently).
---------------------------------------------
https://isc.sans.edu/diary/rss/28538


∗∗∗ ABB Cyber Security Advisory: ARM600 M2M Gateway NSS library and polkit vulnerabilities ∗∗∗
---------------------------------------------
These vulnerabilities affect cryptographic libraries and privilege handling. Subsequently, a successful exploit could allow attackers to execute code with root user privileges or to elevate a non-privileged user to a privileged user.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001254&LanguageCode=en&DocumentPartId=&Action=Launch


∗∗∗ ABB Cyber Security Advisory: Arctic Wireless Gateway Firewall vulnerability (CVE-2022-0947) ∗∗∗
---------------------------------------------
A vulnerability is found in the ABB Arctic wireless gateways in a specific configuration and when using firmware versions from 2.4.0 or later until version 3.4.10.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001253&LanguageCode=en&DocumentPartId=&Action=Launch


∗∗∗ Verschlüsselungsschwächen in Datenmanagementsoftware Dell EMC PowerScale OneFS ∗∗∗
---------------------------------------------
Admins von Systemen mit Dell EMC PowerScale OneFS sollten die Software aus Sicherheitsgründen auf den aktuellen Stand bringen.
---------------------------------------------
https://heise.de/-6668566


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gzip, libxml2, minidlna, openjpeg2, thunderbird, webkit2gtk, wpewebkit, xen, and xz-utils), Fedora (crun, unrealircd, and vim), Mageia (389-ds-base, busybox, flatpak, fribidi, gdal, python-paramiko, and usbredir), openSUSE (opera and seamonkey), Oracle (kernel and kernel-container), Red Hat (firefox), Scientific Linux (firefox), Slackware (libarchive), SUSE (389-ds, libsolv, libzypp, zypper, and python), and Ubuntu (python-django and tcpdump).
---------------------------------------------
https://lwn.net/Articles/890936/


∗∗∗ XSS vulnerability patched in Directus data engine platform ∗∗∗
---------------------------------------------
The platform is described as a "flexible powerhouse for engineers."
---------------------------------------------
https://www.zdnet.com/article/xss-vulnerability-patched-in-directus-data-engine-platform/


∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0412


∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23806 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-cve-2022-23806/


∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been-identified-in-apache-log4j-and-the-application-code-shipped-with-the-ds8000-hardware-management-console-hmc/


∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to spoofing and clickjacking attacks due to swagger-ui (CVE-2018-25031, CVE-2021-46708) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-for-ibm-i-is-vulnerable-to-spoofing-and-clickjacking-attacks-due-to-swagger-ui-cve-2018-25031-cve-2021-46708/


∗∗∗ Security Bulletin: IBM Sterling Global Mailbox is vulnerable to denial of service due to Jackson-Databind (217968 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-global-mailbox-is-vulnerable-to-denial-of-service-due-to-jackson-databind-217968/


∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to log4js-node CVE-2022-21704 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-log4js-node-cve-2022-21704/


∗∗∗ Security Bulletin: A cross-site scripting (XSS) vulnerability may impact IBM Cúram Social Program Management(CVE-2021-39068) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xss-vulnerability-may-impact-ibm-cram-social-program-managementcve-2021-39068/


∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affects-host-on-demand-4/


∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in Google Gson (217225) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-management-may-be-affected-by-denial-of-service-vulnerability-in-google-gson-217225/


∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-24921 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-cve-2022-24921/


∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23772 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-cve-2022-23772/


∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23773 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-cve-2022-23773/


∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to node-request-retry CVE-2022-0654 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-node-request-retry-cve-2022-0654/


∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-5421). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring-framework-affects-ibm-tivoli-application-dependency-discovery-manager-cve-2020-5421-4/


∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to cross-site Ajax request vulnerability due to Prototype JavaScript (CVE-2008-7220) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-cross-site-ajax-request-vulnerability-due-to-prototype-javascript-cve-2008-7220/


∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-multiple-vulnerabilities-7/


∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple CVEs in Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-multiple-cves-in-node-js/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list