[CERT-daily] Tageszusammenfassung - 10.01.2022

Daily end-of-shift report team at cert.at
Mon Jan 10 18:25:51 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 07-01-2022 18:00 − Montag 10-01-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ FBI-Warnung: FIN7-Bande verschickt USB-Sticks mit Ransomware ∗∗∗
---------------------------------------------
Die Speichermedien mit der Malware erreichen US-Firmen etwa in der Rüstungsindustrie laut dem FBI getarnt als Geschenkbox oder Covid-19-Leitlinien.
---------------------------------------------
https://heise.de/-6321079


∗∗∗ FluBot malware now targets Europe posing as Flash Player app ∗∗∗
---------------------------------------------
The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-europe-posing-as-flash-player-app/


∗∗∗ Trojanized dnSpy app drops malware cocktail on researchers, devs ∗∗∗
---------------------------------------------
Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/


∗∗∗ Wheres the Interpreter!? ∗∗∗
---------------------------------------------
CVE-2021-30853 was able to bypass file quarantine, gatekeeper, & notarization requirements. In this post, we show exactly why!
---------------------------------------------
https://objective-see.com/blog/blog_0x6A.html


∗∗∗ TShark & jq, (Sat, Jan 8th) ∗∗∗
---------------------------------------------
TShark (Wireshark's command-line version) can output JSON data, as shown in diary entry "Quicktip: TShark's Options -e and -T".
---------------------------------------------
https://isc.sans.edu/diary/rss/28194


∗∗∗ Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th) ∗∗∗
---------------------------------------------
There is also a video of this analysis.
---------------------------------------------
https://isc.sans.edu/diary/rss/28200


∗∗∗ BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks ∗∗∗
---------------------------------------------
Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science.
---------------------------------------------
https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.html


∗∗∗ Sophisticated phishing scheme spent years robbing authors of their unpublished work ∗∗∗
---------------------------------------------
The FBI says a multi-year phishing attack targeting authors and book publishers, and stole unpublished novels, manuscripts and other books.
---------------------------------------------
https://blog.malwarebytes.com/scams/2022/01/sophisticated-phishing-scheme-spent-years-robbing-authors-of-their-unpublished-work/


∗∗∗ Tool Release - insject: A Linux Namespace Injector ∗∗∗
---------------------------------------------
tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters.
---------------------------------------------
https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-namespace-injector/


∗∗∗ U.S. Government Issues Warning Over Commercial Surveillance Tools ∗∗∗
---------------------------------------------
The U.S. State Department and the National Counterintelligence and Security Center (NCSC) on Friday issued a warning over the use of commercial surveillance tools.
---------------------------------------------
https://www.securityweek.com/us-government-issues-warning-over-commercial-surveillance-tools


∗∗∗ Abcbot botnet is linked to Xanthe cryptojacking group ∗∗∗
---------------------------------------------
Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks.
---------------------------------------------
https://www.zdnet.com/article/abcbot-botnet-has-now-been-linked-to-xanthe-cryptojacking-group/


∗∗∗ Kernel Karnage - Part 8 (Getting Around DSE) ∗∗∗
---------------------------------------------
When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar.
---------------------------------------------
https://blog.nviso.eu/2022/01/10/kernel-karnage-part-8-getting-around-dse/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities ∗∗∗
---------------------------------------------
Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications.
---------------------------------------------
https://kb.cert.org/vuls/id/142629


∗∗∗ Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries ∗∗∗
---------------------------------------------
A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, [...]
---------------------------------------------
https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html


∗∗∗ Qnap warnt vor Ransomware-Attacken auf Netzwerkspeicher ∗∗∗
---------------------------------------------
Es gibt wichtige Tipps zur Absicherung von NAS-Geräten von Qnap und aktuelle Sicherheitsupdates.
---------------------------------------------
https://heise.de/-6321485


∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...]
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/880807/


∗∗∗ SonicWall Patches Y2K22 Bug in Email Security, Firewall Products ∗∗∗
---------------------------------------------
Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates.
---------------------------------------------
https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-firewall-products


∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. Chitubox is 3-D printing software for users to download and process models and send them [...]
---------------------------------------------
http://blog.talosintelligence.com/2022/01/vulnerability-spotlight-buffer-overflow.html


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/


∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0016

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list