[CERT-daily] Tageszusammenfassung - 28.02.2022

Daily end-of-shift report team at cert.at
Mon Feb 28 18:20:08 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 25-02-2022 18:00 − Montag 28-02-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Visual Voice Mail on Android may be vulnerable to eavesdropping ∗∗∗
---------------------------------------------
The security researcher, Chris Talbot, discovered the flaw on June 21, 2021, and filed the vulnerability under CVE-2022-23835. The bug is not a flaw in the Android operating system but rather how the service is implemented by mobile carriers.
However, the flaw has a "disputed" status because AT&T and T-Mobile dismissed the report for describing a non-exploitable risk, while Sprint and Verizon have not responded.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/visual-voice-mail-on-android-may-be-vulnerable-to-eavesdropping/


∗∗∗ Reborn of Emotet: New Features of the Botnet and How to Detect it ∗∗∗
---------------------------------------------
One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to the Emotets executables. And it looked like the end of the trojans story. But the malware never ceased to surprise. November 2021, it was reported that TrickBot no longer works alone and delivers Emotet.
---------------------------------------------
https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html


∗∗∗ CISA Warns of High-Severity Flaws in Schneider and GE Digitals SCADA Software ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system (ICS) advisory related to multiple vulnerabilities impacting Schneider Electrics Easergy medium voltage protection relays.
---------------------------------------------
https://thehackernews.com/2022/02/cisa-warns-of-high-severity-flaws-in.html


∗∗∗ Rogue RDP – Revisiting Initial Access Methods ∗∗∗
---------------------------------------------
With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red teams that will inevitably make initial access a bit more difficult to achieve. Over the last year, I have invested some research time in pursuing the use of the Remote Desktop Protocol as an alternative initial access vector, which this post will cover.
---------------------------------------------
https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/


∗∗∗ BSI liefert "Maßnahmenkatalog Ransomware" ∗∗∗
---------------------------------------------
Das Bundesamt für Sicherheit in der Informationstechnik stellt im "Maßnahmenkatalog Ransomware" für Unternehmen und Behörden wichtige Präventionsmaßnahmen vor.
---------------------------------------------
https://heise.de/-6528055


∗∗∗ BrokenPrint: A Netgear stack overflow ∗∗∗
---------------------------------------------
This blog post describes a stack-based overflow vulnerability found and exploited in September 2021 in the Netgear R6700v3
---------------------------------------------
https://research.nccgroup.com/2022/02/28/brokenprint-a-netgear-stack-overflow/


∗∗∗ Bestellungen bei herzens-mensch.de und heimfroh.com führen zu Problemen ∗∗∗
---------------------------------------------
Bei den Online-Shops herzens-mensch.de und heimfroh.com handelt es sich um sogenannte Dropshipping-Shops. Die Shops geben an, ein österreichisches Unternehmen zu sein, liefern jedoch aus Asien. Diese Vorgehensweise ist nicht unbedingt betrügerisch, eine Bestellung bei herzens-mensch.de oder heimfroh.com kann aber sehr teuer werden und zu zahlreichen Problemen führen.
---------------------------------------------
https://www.watchlist-internet.at/news/bestellungen-bei-herzens-menschde-und-heimfrohcom-fuehren-zu-problemen/


∗∗∗ Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks ∗∗∗
---------------------------------------------
The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets.
There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 [..]
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage


∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗
---------------------------------------------
Auf Grund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifsch hohe Gefährdung für Österreich ist aktuell noch nicht auszumachen. Wir sind in laufendem Kontakt mit unseren Kollegen im europäischen CSIRTs Network und in den nationalen Koordinierungsstrukturen.
---------------------------------------------
https://cert.at/de/aktuelles/2022/2/ukraine-krise-aktuelle-informationen


∗∗∗ BlackCat ransomware ∗∗∗
---------------------------------------------
AT&T Alien Labs is writing this report about recently created ransomware malware dubbed BlackCat which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infrastructure
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Mozillas VPN-Client könnte Schadcode nachladen ∗∗∗
---------------------------------------------
Es gibt ein wichtiges Sicherheitsupdate für Mozilla VPN. Nach erfolgreichen Attacken könnten Angreifer Systeme übernehmen.
---------------------------------------------
https://heise.de/-6527681


∗∗∗ Programmiersprache: Sicherheitslücke ermöglicht Codeschmuggel in PHP ∗∗∗
---------------------------------------------
Mit neuen PHP-Versionen schließen die Entwickler Sicherheitslücken, die Angreifern unter Umständen das Einschleusen von Schadcode ermöglichen könnten.
---------------------------------------------
https://heise.de/-6527558


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0).
---------------------------------------------
https://lwn.net/Articles/886358/


∗∗∗ Vulnerability Spotlight: Vulnerabilities in Gerbv could lead to code execution, information disclosure ∗∗∗
---------------------------------------------
Cisco Talos recently discovered multiple vulnerabilities in the Gerbv file viewing software that could allow an attacker to execute arbitrary remote code or disclose sensitive information. [..] Cisco Talos worked with Gerbv to responsibly disclose these vulnerabilities in adherence to Cisco’s vulnerability disclosure policy. However, an update is not available to fix these issues as of Feb. 28, 2022. 
CVE IDs: CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, CVE-2021-40401, CVE-2021-40400, CVE-2021-40402, CVE-2021-40403
---------------------------------------------
http://blog.talosintelligence.com/2022/02/vuln-spotlight-gerbv-g.html


∗∗∗ ABB CYBER SECURITY ADVISORY - AC 800M MMS - DENIAL OF SERVICE VULNERABILITY IN MMS COMMUNICATION ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=7PAA001499&LanguageCode=en&DocumentPartId=&Action=Launch


∗∗∗ Security Bulletin: Vulnerability in Java SE -CVE-2021-2161 may affect IBM Watson Assistant for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-cve-2021-2161-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE – 2021-22930 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-cve-2021-22930-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Content Navigator is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-content-navigator-is-vulnerable-to-arbitrary-code-execution-cve-2021-45046-and-denial-of-service-cve-2021-45105/


∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution (CVE-2021-44142). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak-for-data-is-vulnerable-to-arbitrary-code-execution-cve-2021-44142/


∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE-2021-22959, CVE-2021-22960 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-cve-2021-22959-cve-2021-22960-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-2-0-is-vulnerable-to-arbitrary-code-execution-due-to-samba-cve-2021-44142/


∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Node.js-CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnerability-in-node-js-cve-2021-23362-cve-2021-22921-cve-2021-22918-cve-2021-27290-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-4-17-21-vulnerability-in-powerha-2/


∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak-for-data-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/


∗∗∗ Security Bulletin: A Vulnerability In Apache HttpClient Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-httpclient-affects-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list