[CERT-daily] Tageszusammenfassung - 22.02.2022
Daily end-of-shift report
team at cert.at
Tue Feb 22 18:26:03 CET 2022
=====================
= End-of-Day report =
=====================
Timeframe: Montag 21-02-2022 18:00 − Dienstag 22-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Revamped CryptBot malware spread by pirated software sites ∗∗∗
---------------------------------------------
A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/
∗∗∗ VU#229438: Mobile device monitoring services do not authenticate API requests ∗∗∗
---------------------------------------------
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. [..] We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability
For advice on detecting and removing stalkerware apps, see "Your Android phone could have stalkerware, here's how to remove it."
---------------------------------------------
https://kb.cert.org/vuls/id/229438
∗∗∗ Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike ∗∗∗
---------------------------------------------
Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts.
---------------------------------------------
https://thehackernews.com/2022/02/hackers-backdoor-unpatched-microsoft.html
∗∗∗ Horde Webmail 5.2.22 - Account Takeover via Email ∗∗∗
---------------------------------------------
We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment. [..] Although we reported this vulnerability almost 6 months ago, there is currently no official patch available. Hence, we provide recommendations on how to mitigate this code vulnerability at the end of this blog post.
---------------------------------------------
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
∗∗∗ Empfehlungen: Mit kostenlosen IT-Security-Tools Computer sicherer machen ∗∗∗
---------------------------------------------
Admins aufgepasst: IT-Security ist komplex, doch es gibt jede Menge nützliche und vor allem kostenlose Services und Tools, die helfen können. Eine Auflistung.
---------------------------------------------
https://heise.de/-6515891
∗∗∗ Achtung: E-Mail von DNS Österreich ist Fake ∗∗∗
---------------------------------------------
Zahlreiche Webseiten-BetreiberInnen erhalten momentan ein E-Mail von DNS Österreich. Das vermeintliche Unternehmen behauptet darin, dass es einen „Registrierungsantrag“ für eine Domain erhalten hat, die Ihrer eigenen Domain sehr ähnlich ist. Ihnen wird angeboten, die Domain für € 297,50 vorab zu kaufen. Überweisen Sie nichts, Sie verlieren Ihr Geld.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-e-mail-von-dns-oesterreich-ist-fake/
∗∗∗ Asustor NAS owners hit by DeadBolt ransomware attack ∗∗∗
---------------------------------------------
While Asustor investigates what is clearly a serious problem, it says it has disabled functionality which can allow remote access to its NAS drives: ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to. In addition, the company has published the following recommendations for customers to protect themselves from the DeadBolt ransomware
---------------------------------------------
https://www.bitdefender.com/blog/hotforsecurity/asustor-nas-owners-hit-by-deadbolt-ransomware-attack/
∗∗∗ Ransomware victims are paying up. But then the gangs are coming back for more ∗∗∗
---------------------------------------------
Cybersecurity experts warn against paying ransoms - this is why.
---------------------------------------------
https://www.zdnet.com/article/ransomware-victims-are-paying-up-but-the-crooks-are-coming-back-for-more/
∗∗∗ Integer overflow: How does it occur and how can it be prevented? ∗∗∗
---------------------------------------------
Make no mistake, counting on a computer is not as easy as it may seem. Here’s what happens when a number gets “too big”.
---------------------------------------------
https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can-be-prevented/
∗∗∗ Kernel Karnage – Part 9 (Finishing Touches) ∗∗∗
---------------------------------------------
I also incorporated dynamic function imports using hashed function names and CIG to protect the spawned suspended process against injection of non-Microsoft-signed binaries. The Beacon payload is stored as an AES256 encrypted PE resource and decrypted in memory before being injected into the remote process.
---------------------------------------------
https://blog.nviso.eu/2022/02/22/kernel-karnage-part-9-finishing-touches/
=====================
= Vulnerabilities =
=====================
∗∗∗ NAS: Sicherheitslücke in Synology DSM erlaubt Ausführen beliebiger Befehle ∗∗∗
---------------------------------------------
Angreifer könnten beliebige Befehle auf Synology-NAS-Geräten ausführen. Der Hersteller arbeitet an Updates zum Beheben der Fehler. Erste stehen bereit.
---------------------------------------------
https://heise.de/-6515542
∗∗∗ TYPO3-PSA-2022-001: Sanitization bypass in SVG Sanitizer ∗∗∗
---------------------------------------------
Third-party package enshrined/svg-sanitize, used by TYPO3 core packages, was susceptible to bypassing the sanitization strategy.
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2022-001
∗∗∗ Reflected XSS in Header Footer Code Manager ∗∗∗
---------------------------------------------
On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations.
The plugin publisher quickly acknowledged our initial contact and we sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, was implemented a few days later and made available on February 18, 2022.
---------------------------------------------
https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager/
∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Webmin ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Code auszuführen
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0217
∗∗∗ EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67108459/
∗∗∗ EC-CUBE improperly handles HTTP Host header values ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN53871926/
∗∗∗ ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php
∗∗∗ Security Bulletin: App Connect Professional is affected by Quick Emulator vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-quick-emulator-vulnerability/
∗∗∗ Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl , Ghostscript. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-cast-iron-and-app-connect-professional-are-affected-by-vulnerabilities-in-pacemaker-imagemagick-gd-libgd-libxslt-curl-libcurl-ghostscript/
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU (minus CVE-2021-35550/35561/35603) plus CVE-2021-41035 affects IBM Tivoli Composite Application Manager for ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2021-includes-oracle-october-2021-cpu-minus-cve-2021-35550-35561-35603-plus-cve-2021-41035-affects-ibm-tivoli-composite-appl/
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2021-includes-oracle-october-2021-cpu-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/
∗∗∗ GE Proficy CIMPLICITY-IPM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-053-01
∗∗∗ GE Proficy CIMPLICITY-Cleartext ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-053-02
∗∗∗ WIN-911 2021 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-053-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list