[CERT-daily] Daily summary - 10.02.2022
Daily end-of-shift report
team at cert.at
Thu Feb 10 18:22:26 CET 2022
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-02-2022 18:00 − Thursday 10-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Wave of MageCart attacks target hundreds of outdated Magento sites ∗∗∗
---------------------------------------------
Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. [...] The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wave-of-magecart-attacks-target-hundreds-of-outdated-magento-sites/
∗∗∗ FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems ∗∗∗
---------------------------------------------
Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain. The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-hits-healthcare-edu-and-govt-systems/
∗∗∗ Linux Malware on the Rise ∗∗∗
---------------------------------------------
Ransomware, cryptojacking, and a cracked version of the penetration-testing tool Cobalt Strike have increasingly targeted Linux in multicloud infrastructure, report states.
---------------------------------------------
https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illicit-use-of-cobalt-strike
∗∗∗ Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware ∗∗∗
---------------------------------------------
The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot.
---------------------------------------------
https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/
∗∗∗ SAP to Give Threat Briefing on Uber-Severe ‘ICMAD’ Bugs ∗∗∗
---------------------------------------------
SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. [..] Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download [..]
---------------------------------------------
https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/
∗∗∗ Beware of fraudulent Fortnite shops! ∗∗∗
---------------------------------------------
Fraudulent Fortnite online shops such as premiumskins.net offer popular outfits, so-called "Fortnite skins", for sale. But beware: the skins are often not delivered after payment! Buy skins only through the official store, within the game, and do not trust external providers.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-fortnite-shops/
∗∗∗ Ransomware tracker: the latest figures [February 2022] ∗∗∗
---------------------------------------------
Over the last two years, The Record and our parent company Recorded Future have updated this ransomware tracker using data collected from government agencies, news reports, hacking forums, and other sources. The trend is clear: despite bold efforts from governments around the world, ransomware isn’t going anywhere.
Here are some of our most critical findings
---------------------------------------------
https://therecord.media/ransomware-tracker-the-latest-figures/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-290: BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-290/
∗∗∗ WordPress takeover through critical vulnerabilities in PHP Everywhere ∗∗∗
---------------------------------------------
A critical security vulnerability in PHP Everywhere could have allowed attackers to execute arbitrary code in WordPress instances. An update is available.
---------------------------------------------
https://heise.de/-6369318
∗∗∗ Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin ∗∗∗
---------------------------------------------
On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query.
---------------------------------------------
https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex).
---------------------------------------------
https://lwn.net/Articles/884381/
∗∗∗ Dell Computer: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in Dell computers to execute arbitrary code or install modified BIOS firmware.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0174
∗∗∗ Drupal: Multiple vulnerabilities [in plugins] ∗∗∗
---------------------------------------------
Numerous extensions can be used to extend the functionality of the core installation.
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in Drupal [plugins] to bypass security measures and carry out a cross-site scripting attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0173
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30640 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-30640/
∗∗∗ Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j( CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-41079 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-41079/
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-33037 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-33037/
∗∗∗ Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-is-vulnerable-to-arbitrary-code-execution-and-denial-of-service-due-to-apache-log4j-cve-2021-45046-cve-2021-45105/
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-25122-and-cve-2021-25329/
∗∗∗ CVE-2022-0016 GlobalProtect App: Privilege Escalation Vulnerability When Using Connect Before Logon (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0016
∗∗∗ CVE-2022-0017 GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0017
∗∗∗ CVE-2022-0018 GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0018
∗∗∗ CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0011
∗∗∗ CVE-2022-0021 GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon (Severity: LOW) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0021
∗∗∗ CVE-2022-0020 Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0020
∗∗∗ CVE-2022-0019 GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0019
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily