[CERT-daily] Tageszusammenfassung - 11.07.2022
Daily end-of-shift report
team at cert.at
Mon Jul 11 18:24:43 CEST 2022
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 08-07-2022 18:00 − Montag 11-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New 0mega ransomware targets businesses in double-extortion attacks ∗∗∗
---------------------------------------------
A new ransomware operation named 0mega targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/
∗∗∗ Hackers Exploiting Follina Bug to Deploy Rozena Backdoor ∗∗∗
---------------------------------------------
A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.
---------------------------------------------
https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html
∗∗∗ Raspberry Robin Windows Worm Abuses QNAP Devices ∗∗∗
---------------------------------------------
A recently discovered Windows worm is abusing compromised QNAP network-attached storage (NAS) devices as stagers to spread to new systems, according to Cybereason. Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives.
---------------------------------------------
https://www.securityweek.com/raspberry-robin-windows-worm-abuses-qnap-devices
∗∗∗ The History and Evolution of Zero Trust ∗∗∗
---------------------------------------------
“The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning”.
---------------------------------------------
https://www.securityweek.com/history-and-evolution-zero-trust
∗∗∗ WhatsApp: Kriminelle geben sich als Ihr Kind aus ∗∗∗
---------------------------------------------
„Hallo Papa. Mein Handy ist kaputt. Das ist meine neue Nummer.“ Vorsicht: Diese Nachricht könnte von Kriminellen stammen. Werden Sie um eine Überweisung gebeten, handelt es sich eindeutig um Betrug!
---------------------------------------------
https://www.watchlist-internet.at/news/whatsapp-kriminelle-geben-sich-als-ihr-kind-aus/
∗∗∗ SELECT XMRig FROM SQLServer ∗∗∗
---------------------------------------------
Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month.
---------------------------------------------
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitslücken in node.js abgedichtet ∗∗∗
---------------------------------------------
Neue Versionen der node.js-Laufzeitumgebung beheben sicherheitskritische Fehler mit hohem Risiko. Angreifer könnten Opfern dadurch Schadcode unterjubeln.
---------------------------------------------
https://heise.de/-7167912
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python).
---------------------------------------------
https://lwn.net/Articles/900670/
∗∗∗ vim: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um einen Denial of Service Angriff durchzuführen, beliebigen Code auszuführen, Speicher zu verändern und vertrauliche Informationen offenzulegen.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0630
∗∗∗ ZDI-22-959: (0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-959/
∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-tivoli-netcool-system-service-monitors-application-service-monitors-3/
∗∗∗ Security Bulletin: CVE-2021-23337 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23337/
∗∗∗ Security Bulletin: CVE-2020-28500 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-28500/
∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203-2/
∗∗∗ Security Bulletin: IBM Content Manager Enterprise Edition is is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-enterprise-edition-is-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/
∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-vulnerable-to-html-injection-cve-2022-34160/
∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-vulnerabilities-from-golang-go-and-ibm-websphere-application-server-liberty-cve-2021-39293-and-cve-2021-39038/
∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-an-issue-in-opm-and-golang-go-packages-cve-2020-15257-cve-2021-21334-and-cve-2021-41771/
∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203/
∗∗∗ Security Bulletin: CVE-2021-23369 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23369/
∗∗∗ Security Bulletin: CVE-2020-7774 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-7774/
∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-vulnerable-to-html-injection-cve-2022-34160/
∗∗∗ K40582331: Apache HTTP server vulnerability CVE-2022-28615 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K40582331
∗∗∗ K08006936: Apache Commons Configuration vulnerability CVE-2022-33980 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08006936
∗∗∗ K74251611: Linux kernel vulnerability CVE-2021-38166 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74251611
∗∗∗ K36462841: Linux kernel vulnerability CVE-2018-18281 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36462841
∗∗∗ ILIAS: Schwachstelle ermöglicht Erlangen von Benutzerrechten ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0629
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list