[CERT-daily] Daily summary - 19.04.2022
Daily end-of-shift report
team at cert.at
Tue Apr 19 19:46:45 CEST 2022
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-04-2022 18:00 - Tuesday 19-04-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Free decryptor for Yanlouwang ransomware ∗∗∗
---------------------------------------------
Security vendor Kaspersky has discovered a weakness in the encryption used by the Yanlouwang ransomware. As a result of this weakness, the encryption of files can be broken under certain conditions. In any case, a free decryptor for the Yanlouwang ransomware is now available.
---------------------------------------------
https://www.borncity.com/blog/2022/04/19/freier-decryptor-fr-yanlouwang-ransomware/
∗∗∗ Warning, dubious: hondrox.com, hondrox.eu & hondrox.shop ∗∗∗
---------------------------------------------
While searching for treatments for joint pain, you may come across "Hondrox", a spray that promises "restoration of the cartilage in the joints" as well as pain relief. This supposed miracle cure is offered on hondrox.com, hondrox.eu and hondrox.shop. But beware: these online shops are dubious. You are wasting your money!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-unserioes-hondroxcom-hondroxeu-hondroxshop/
∗∗∗ GitHub security incident: OAuth tokens of Heroku and Travis-CI compromised ∗∗∗
---------------------------------------------
Unauthorised access to the npm infrastructure has exposed criminal activity. OAuth tokens issued to Heroku and Travis-CI are affected.
---------------------------------------------
https://heise.de/-6703708
∗∗∗ Login security: what to consider with passwords, FIDO2 and TOTP ∗∗∗
---------------------------------------------
In theory, second factors are simple. In practical deployment, however, various questions come up; we have collected the most common ones.
---------------------------------------------
https://heise.de/-6660829
∗∗∗ Lenovo System Update could let malicious code onto computers ∗∗∗
---------------------------------------------
Lenovo has closed security vulnerabilities in an application and in various BIOS versions and has removed backdoors.
---------------------------------------------
https://heise.de/-6740544
∗∗∗ Study: Cisco's Webex phones home even when muted ∗∗∗
---------------------------------------------
In a study of the mute function of video conferencing software, Cisco's Webex stood out negatively.
---------------------------------------------
https://www.golem.de/news/studie-ciscos-webex-telefoniert-auch-stummgeschaltet-nach-hause-2204-164659-rss.html
∗∗∗ New stealthy BotenaGo malware variant targets DVR devices ∗∗∗
---------------------------------------------
Threat analysts have spotted a new variant of the BotenaGo botnet malware, and it's the stealthiest seen so far, running undetected by any anti-virus engine.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-stealthy-botenago-malware-variant-targets-dvr-devices/
∗∗∗ Managing container vulnerability risks: Tools and best practices ∗∗∗
---------------------------------------------
Containers are quickly becoming the de facto form of compute and workload deployments in the cloud-native ecosystem. The latest Cloud Native Computing Foundation (CNCF) Cloud Native Survey shows that 96% of organizations are either actively using containers and Kubernetes or are evaluating them. Containers have well-known benefits such as portability, consistency and efficiency, but they aren’t without security concerns.
---------------------------------------------
https://www.csoonline.com/article/3656702/managing-container-vulnerability-risks-tools-and-best-practices.html
∗∗∗ Sysmon's RegistryEvent (Value Set), (Mon, Apr 18th) ∗∗∗
---------------------------------------------
A colleague asked me about Sysmon's event ID 13 RegistryEvent (Value Set). They wanted to know if binary data could be recorded in event 13.
---------------------------------------------
https://isc.sans.edu/diary/rss/28558
∗∗∗ Why you shouldn’t automate your VirusTotal uploads ∗∗∗
---------------------------------------------
Security teams use VirusTotal as a second-opinion scanner, but it's not advisable to upload documents to VirusTotal as that may result in a breach of confidence and exposure of confidential data.
---------------------------------------------
https://blog.malwarebytes.com/101/2022/04/why-you-shouldnt-automate-your-virustotal-uploads/
∗∗∗ How vx-underground is building a hacker’s dream library ∗∗∗
---------------------------------------------
When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. "I had no success really," said its founder, who goes by the online moniker smelly_vx.
---------------------------------------------
https://therecord.media/how-vx-underground-is-building-a-hackers-dream-library/
∗∗∗ Stories from the SOC - Lateral movement using default accounts ∗∗∗
---------------------------------------------
The Windows ‘Administrator’ account is a highly privileged account that is created during a Windows installation by default. If this account is not properly secured, attackers may leverage it to conduct privilege escalation and lateral movement.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-lateral-movement-using-default-accounts
=====================
= Vulnerabilities =
=====================
∗∗∗ Attackers could log in to Cisco Wireless LAN Controllers as admins ∗∗∗
---------------------------------------------
There are important security updates for, among others, Cisco IOS XE, SD-WAN and WLC. One vulnerability is rated critical.
---------------------------------------------
https://heise.de/-6737709
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (abcm2ps and chromium), Fedora (cacti, cacti-spine, and fribidi), and Mageia (crun, docker-containerd, libarchive, mediawiki, and ruby).
---------------------------------------------
https://lwn.net/Articles/891725/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc).
---------------------------------------------
https://lwn.net/Articles/891818/
∗∗∗ Elcomplus SmartPPT SCADA Server ∗∗∗
---------------------------------------------
This advisory contains mitigations for Cross-site Scripting, Unauthorized Exposure to Sensitive Information, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Cross-site Request Forgery vulnerabilities in the Elcomplus SmartPPT SCADA Server voice and data dispatch software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-109-05
∗∗∗ Multiple RTOS (Update E) ∗∗∗
---------------------------------------------
Update E:
Windriver VxWorks – Update in progress
The following devices use Windriver VxWorks as their RTOS:
Hitachi Energy GMS600 – See public advisory.
Hitachi Energy PWC600 – See public advisory.
Hitachi Energy REB500 – See public advisory.
Hitachi Energy Relion 670, 650 series and SAM600-IO – See public advisory
Hitachi Energy RTU500 series CMU – Updates available for some firmware versions – See public advisory.
Hitachi Energy Modular Switchgear Monitoring System MSM – Protect your network – See public advisory.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04
∗∗∗ Delta Controls enteliTOUCH 3.40.3935 Cookie User Password Disclosure ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022040067
∗∗∗ Delta Controls enteliTOUCH 3.40.3935 Cross Site Scripting ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022040065
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ K56105136: BIND vulnerability CVE-2022-0396 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K56105136
∗∗∗ K21054458: Eclipse Jetty vulnerability CVE-2017-7656 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K21054458
∗∗∗ Asterisk: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0456
∗∗∗ 7-Zip: Vulnerability allows execution of arbitrary program code ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0459
∗∗∗ Microsoft Edge: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0458
∗∗∗ MariaDB: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0461
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily