[CERT-daily] Daily summary - 09.02.2022
Daily end-of-shift report
team at cert.at
Wed Feb 9 18:11:27 CET 2022
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-02-2022 18:00 − Wednesday 09-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Kimsuki hackers use commodity RATs with custom Gold Dragon malware ∗∗∗
---------------------------------------------
South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodity-rats-with-custom-gold-dragon-malware/
∗∗∗ Fake Windows 11 upgrade installers infect you with RedLine malware ∗∗∗
---------------------------------------------
Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/
∗∗∗ Ransomware dev releases Egregor, Maze master decryption keys ∗∗∗
---------------------------------------------
The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/
∗∗∗ BIOS, UEFI, WLAN: Intel closes numerous firmware security vulnerabilities ∗∗∗
---------------------------------------------
On a large-scale patch day, Intel is providing updates for security vulnerabilities. These can be used to escalate privileges.
---------------------------------------------
https://www.golem.de/news/bios-uefi-wlan-intel-schliesst-zahlreiche-firmware-sicherheitsluecken-2202-163028-rss.html
∗∗∗ Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th) ∗∗∗
---------------------------------------------
Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08.
---------------------------------------------
https://isc.sans.edu/diary/rss/28318
∗∗∗ SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-22718) ∗∗∗
---------------------------------------------
In this blog post, we’ll look at a Windows Print Spooler local privilege escalation vulnerability that I found and reported in November 2021. The vulnerability got patched as part of Microsoft’s Patch Tuesday in February 2022.
---------------------------------------------
https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81
∗∗∗ CISA and SAP warn about major vulnerability ∗∗∗
---------------------------------------------
SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products.
---------------------------------------------
https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/
∗∗∗ AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware ∗∗∗
---------------------------------------------
Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa22-040a
=====================
= Vulnerabilities =
=====================
∗∗∗ Malicious code execution conceivable: Security updates for Firefox and Thunderbird ∗∗∗
---------------------------------------------
The Mozilla developers close many security vulnerabilities in updated versions of Firefox and Thunderbird. They rate some of them as high risk.
---------------------------------------------
https://heise.de/-6360477
∗∗∗ Microsoft Patch Day: Attackers could exploit a kernel vulnerability in Windows ∗∗∗
---------------------------------------------
There are important security updates for Azure, Office, Windows and more. This is rare: none of the closed vulnerabilities is rated critical.
---------------------------------------------
https://heise.de/-6360267
∗∗∗ Patch Day: Adobe closes malicious-code vulnerabilities in Illustrator ∗∗∗
---------------------------------------------
Adobe's developers have secured their software portfolio against possible attacks.
---------------------------------------------
https://heise.de/-6360575
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (aide), Debian (connman), Fedora (perl-App-cpanminus and rust-afterburn), Mageia (glibc), Red Hat (.NET 5.0, .NET 6.0, aide, log4j, ovirt-engine, and samba), SUSE (elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh,[...]
---------------------------------------------
https://lwn.net/Articles/884242/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-nearly-50-vulnerabilities
∗∗∗ HPE Agentless Management registers unquoted service paths ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN12969207/
∗∗∗ Security Advisory for Citrix Hypervisor (CVE-2022-23034, CVE-2022-23035, CVE-2021-0145) ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX337526
∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-affect-ibm-netezza-analytics/
∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Apache Log4j affects Netcool Operation Insight (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnerability-in-apache-log4j-affects-netcool-operation-insight-cve-2021-44228-2/
∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go (CVE CVE-2021-41771 & CVE-2021-41772) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-denial-of-service-due-to-go-cve-cve-2021-41771-cve-2021-41772/
∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-component-of-ibm-tririga-application-platform-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-feb-2022-v1/
∗∗∗ Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2019-17571/
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – October 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-java-sdk-that-affect-ibm-security-directory-suite-october-2021-cpu/
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-security-directory-suite/
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – July 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-java-sdk-that-affect-ibm-security-directory-suite-july-2021-cpu/
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30639 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-30639/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0002.html
∗∗∗ Zoom Video Communications Zoom Client: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0158
∗∗∗ QEMU: Vulnerability allows execution of arbitrary program code with administrator privileges ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0156
∗∗∗ Grafana: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0159
∗∗∗ QNAP: Multiple Vulnerabilities in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-22-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily