[CERT-daily] Tageszusammenfassung - 14.04.2022

Daily end-of-shift report team at cert.at
Thu Apr 14 18:12:07 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 13-04-2022 18:00 − Donnerstag 14-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ New EnemyBot DDoS botnet recruits routers and IoTs into its army ∗∗∗
---------------------------------------------
A new Mirai-based botnet malware named Enemybot has been observed growing its army of infected devices through vulnerabilities in modems, routers, and IoT devices, with the threat actor operating it known as Keksec.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-enemybot-ddos-botnet-recruits-routers-and-iots-into-its-army/


∗∗∗ An Update on CVE-2022-26809 - MSRPC Vulnerabliity - PATCH NOW, (Thu, Apr 14th) ∗∗∗
---------------------------------------------
If your main concern is that you do not have time to apply the April update, stop wasting more time reading this (or anything else about CVE-2022-26809) and start patching.
---------------------------------------------
https://isc.sans.edu/diary/rss/28550


∗∗∗ A Primer on Cold Boot Attacks Against Embedded Systems ∗∗∗
---------------------------------------------
A computers main memory is volatile, and its content disappears if it is not regularly refreshed. This enables some attacks that exploit this behavior. One fairly well-known attack is called the "cold boot attack".
---------------------------------------------
https://sec-consult.com/blog/detail/a-primer-on-cold-boot-attacks-against-embedded-systems/


∗∗∗ "Pipedream": US-Warnung vor ausgeklügelten Cyberangriffen auf Energiesektor ∗∗∗
---------------------------------------------
Mit einem Werkzeugkasten hochentwickelter Cyberwaffen sollen unbekannte Angreifer industrielle Steuerungslagen übernehmen können.
---------------------------------------------
https://heise.de/-6670554


∗∗∗ Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet ∗∗∗
---------------------------------------------
Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines.
---------------------------------------------
https://www.securityweek.com/microsoft-seizes-control-notorious-zloader-cybercrime-botnet


∗∗∗ SMS-Werbung für sichernow.com führt in Crypto-Investment-Falle ∗∗∗
---------------------------------------------
Aktuell versenden Kriminelle SMS, in denen für eine Crypto-Investment-Falle geworben wird. Der enthaltene Link führt zu einer betrügerischen Investment-Plattform.
---------------------------------------------
https://www.watchlist-internet.at/news/sms-werbung-fuer-sichernowcom-fuehrt-in-crypto-investment-falle/


∗∗∗ Blinding Snort: Breaking the Modbus OT Preprocessor ∗∗∗
---------------------------------------------
Team82 discovered a means by which it could blind the popular Snort intrusion detection and prevention system to malicious packets. 
---------------------------------------------
https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/


∗∗∗ Old Gremlins, new methods ∗∗∗
---------------------------------------------
After a long break, the Russian-speaking ransomware group OldGremlin resumes attacks in Russia
---------------------------------------------
https://blog.group-ib.com/oldgremlin_comeback


∗∗∗ Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer ∗∗∗
---------------------------------------------
Cisco Talos recently observed a new information stealer, called "ZingoStealer" that has been released for free by a threat actor known as "Haskers Gang."
---------------------------------------------
http://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html


∗∗∗ Unfolding the Log4j Security Vulnerability and Log4shell TTPs in AWS ∗∗∗
---------------------------------------------
Orca researcher Lidor Ben Shitrit reveals how Log4 shell TTPs in an AWS cloud environment can be used to open up a Log4j security vulnerability.
---------------------------------------------
https://orca.security/resources/blog/log4j-security-vulnerability-log4shell-ttps-aws/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Security Advisories 2022-04-13 ∗∗∗
---------------------------------------------
1 Critical, 13 High, 9 Medium Severity
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F04%2F13&firstPublishedEndDate=2022%2F04%2F13&limit=50


∗∗∗ Jetzt patchen! Attacken auf VMware Identity Manager und Workspace One Access ∗∗∗
---------------------------------------------
Angreifer schieben Krypto-Miner durch eine kritische Schadcode-Lücke in VMware Identity Manager und Workspace One Access. Updates stehen zum Download bereit.
---------------------------------------------
https://heise.de/-6677723


∗∗∗ Lücken in mehren Komponente machen Datenmanagement-Software IBM Db2 angreifbar ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für IBM Db2, IBM Db2 On Openshift und IBM Db2 Warehouse on Cloud Pak for Data.
---------------------------------------------
https://heise.de/-6677497


∗∗∗ Sicherheitsupdate: Admin-Tool Grafana ist verwundbar ∗∗∗
---------------------------------------------
Angreifer könnten Systeme mit der Datenvisualisierungssoftware Grafana attackieren.
---------------------------------------------
https://heise.de/-6678300


∗∗∗ VMSA-2022-0013 ∗∗∗
---------------------------------------------
VMware Cloud Director update addresses remote code execution vulnerability (CVE-2022-22966)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0013.html


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils).
---------------------------------------------
https://lwn.net/Articles/891354/


∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104-3/


∗∗∗ Security Bulletin: Vulnerabilities with libxml2 affect IBM Cloud Object Storage Systems (Apr 2022 V2) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-libxml2-affect-ibm-cloud-object-storage-systems-apr-2022-v2/


∗∗∗ Security Bulletin: IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint are vulnerable to exposing sensitive information (CVE-2022-22391) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-are-vulnerable-to-exposing-sensitive-information-cve-2022-22391/


∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been-identified-in-apache-log4j-and-the-application-code-shipped-with-the-ds8000-hardware-management-console-hmc-2/


∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.3.0 and earlier (CVE-2021-3712) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-impacting-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-4-3-0-and-earlier-cve-2021-3712/


∗∗∗ Security Bulletin: Vulnerability in Apache Struts affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-17530) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-struts-affects-ibm-tivoli-application-dependency-discovery-manager-cve-2020-17530-2/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-performance-tester-8/


∗∗∗ K11455641: NGINX LDAP Reference Implementation security exposure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11455641


∗∗∗ Juniper JUNOS (J-Web): Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0444


∗∗∗ CVE-2022-0023 PAN-OS: Denial-of-Service (DoS) Vulnerability in DNS Proxy (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0023


∗∗∗ PAN-SA-2022-0002 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator (Severity: NONE) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2022-0002


∗∗∗ PAN-SA-2022-0001 Cortex XDR Agent: Supervisor Password Hash Disclosure Vulnerability When Generating Support Files (Severity: LOW) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2022-0001


∗∗∗ CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed) ∗∗∗
---------------------------------------------
https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list