[CERT-daily] Tageszusammenfassung - 28.04.2022
Daily end-of-shift report
team at cert.at
Thu Apr 28 18:20:07 CEST 2022
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 27-04-2022 18:00 − Donnerstag 28-04-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ security.txt: Kontaktinfos für IT-Sicherheitsmeldungen standardisiert ∗∗∗
---------------------------------------------
Ein RFC beschreibt, wie Webseiten über die Datei security.txt Kontaktinformationen für Sicherheitsforscher bereitstellen können.
---------------------------------------------
https://www.golem.de/news/security-txt-kontaktinfos-fuer-it-sicherheitsmeldungen-standardisiert-2204-164931-rss.html
∗∗∗ Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution ∗∗∗
---------------------------------------------
MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. [...] This was mitigated within 48 hours (on January 13, 2022).
---------------------------------------------
https://msrc-blog.microsoft.com/2022/04/28/azure-database-for-postgresql-flexible-server-privilege-escalation-and-remote-code-execution/
∗∗∗ A Day of SMB: What does our SMB/RPC Honeypot see? CVE-2022-26809, (Thu, Apr 28th) ∗∗∗
---------------------------------------------
After Microsoft patched and went public with CVE-2022-26809, the recent RPC vulnerability, we set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. And to keep things more interesting, we are forwarding traffic from a subset of our honeypots to the system. This gives us a pretty nice cross-section and keeps the system pretty busy. Other than not applying the April patches, the system isn't particularly vulnerable and is left in the default configuration (firewall disabled, of course).
So what did we get?
---------------------------------------------
https://isc.sans.edu/diary/rss/28594
∗∗∗ This isnt Optimus Primes Bumblebee but its Still Transforming ∗∗∗
---------------------------------------------
Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
∗∗∗ Nimbuspwn detector ∗∗∗
---------------------------------------------
This tool performs several tests to determine whether the system is possibly vulnerable to Nimbuspwn (CVE-2022-29799 & CVE-2022-29800), a vulnerability in the networkd-dispatcher daemon discovered by the Microsoft 365 Defender Research Team.
---------------------------------------------
https://github.com/jfrog/nimbuspwn-tools
∗∗∗ QNAP customers urged to disable AFP to protect against severe vulnerabilities ∗∗∗
---------------------------------------------
MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed.
---------------------------------------------
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/qnap-customers-urged-to-disable-afp-to-protect-against-severe-vulnerabilities/
∗∗∗ LAPSUS$: Recent techniques, tactics and procedures ∗∗∗
---------------------------------------------
This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.
---------------------------------------------
https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/
∗∗∗ Neue Cyberspionage‑Kampagnen der TA410 Gruppe ∗∗∗
---------------------------------------------
ESET-Forscher enthüllen ein detailliertes Profil der APT-Gruppe TA410: Wir glauben, dass diese Cyberspionage-Dachgruppe aus drei verschiedenen Teams besteht, die unterschiedliche Tools verwenden, darunter eine neue Version der von ESET entdeckten FlowCloud-Spionage-Backdoor.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2022/04/27/cyberspionage-unter-dem-ta410-schirm/
∗∗∗ CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine ∗∗∗
---------------------------------------------
CISA and the Federal Bureau of Investigation (FBI) have updated joint Cybersecurity Advisory AA22-057A: Destructive Malware Targeting Organizations in Ukraine, originally released February 26, 2022. The advisory has been updated to include additional indicators of compromise for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/04/28/cisa-and-fbi-update-advisory-destructive-malware-targeting
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#730007: Tychon is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/730007
∗∗∗ VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value ∗∗∗
---------------------------------------------
Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.
---------------------------------------------
https://kb.cert.org/vuls/id/411271
∗∗∗ IBM Security Bulletins 2022-04-27 ∗∗∗
---------------------------------------------
IBM InfoSphere Information Server, IBM Watson for IBM Cloud Pak, Liberty for Java for IBM Cloud, IBM Cloud Transformation Advisor, WebSphere Application Server, IBM Spectrum Discover, IBM Integration Bus, IBM App Connect Enterprise, IBM Netezza Platform Server, IBM PowerVM Novalink, IBM Spectrum Scale SMB protocol
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Cisco Security Advisories 2022-04-27 ∗∗∗
---------------------------------------------
Cisco released 17 Security Advisories (11 High, 6 Medium Severity)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F04%2F27&firstPublishedEndDate=2022%2F04%2F28
∗∗∗ PHP Object Injection Vulnerability in Booking Calendar Plugin ∗∗∗
---------------------------------------------
On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations. We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.
---------------------------------------------
https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, golang-1.7, and golang-1.8), Fedora (bettercap, chisel, containerd, doctl, gobuster, golang-contrib-opencensus-resource, golang-github-appc-docker2aci, golang-github-appc-spec, golang-github-containerd-continuity, golang-github-containerd-stargz-snapshotter, golang-github-coredns-corefile-migration, golang-github-envoyproxy-protoc-gen-validate, golang-github-francoispqt-gojay, golang-github-gogo-googleapis, golang-github-gohugoio-testmodbuilder, golang-github-google-containerregistry, golang-github-google-slothfs, golang-github-googleapis-gnostic, golang-github-googlecloudplatform-cloudsql-proxy, golang-github-grpc-ecosystem-gateway-2, golang-github-haproxytech-client-native, golang-github-haproxytech-dataplaneapi, golang-github-instrumenta-kubeval, golang-github-intel-goresctrl, golang-github-oklog, golang-github-pact-foundation, golang-github-prometheus, golang-github-prometheus-alertmanager, golang-github-prometheus-node-exporter, golang-github-prometheus-tsdb, golang-github-redteampentesting-monsoon, golang-github-spf13-cobra, golang-github-xordataexchange-crypt, golang-gopkg-src-d-git-4, golang-k8s-apiextensions-apiserver, golang-k8s-code-generator, golang-k8s-kube-aggregator, golang-k8s-sample-apiserver, golang-k8s-sample-controller, golang-mongodb-mongo-driver, golang-storj-drpc, golang-x-perf, gopass, grpcurl, onionscan, shellz, shhgit, snowcrash, stb, thunderbird, and xq), Oracle (gzip, kernel, and polkit), Slackware (curl), SUSE (buildah, cifs-utils, firewalld, golang-github-prometheus-prometheus, libaom, and webkit2gtk3), and Ubuntu (nginx and thunderbird).
---------------------------------------------
https://lwn.net/Articles/893001/
∗∗∗ Synology-SA-22:06 Netatalk ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_06
∗∗∗ CVE-2022-23812: NPM Package node-ipc With Malicious Code Found in Russia and Belarus ∗∗∗
---------------------------------------------
Malicious code, also known as protestware, within certain versions of the package was causing chaos among Russia and Belarus based developers—overwriting their entire file system with a heart emoji. These versions (10.1.0 and 10.1.2) are now tracked under CVE-2022-23812.
---------------------------------------------
https://orca.security/resources/blog/cve-2022-23812-protestware-malicious-code-node-ipc-npm-package/
∗∗∗ ZDI-22-622: Sante DICOM Viewer Pro J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-622/
∗∗∗ Johnson Controls Metasys ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-118-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list