[CERT-daily] Tageszusammenfassung - 07.03.2022

Daily end-of-shift report team at cert.at
Mon Mar 7 19:17:15 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 04-03-2022 18:00 − Montag 07-03-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ E-Mail vom "Zoll Kundenservice" ist Fake ∗∗∗
---------------------------------------------
Im betrügerischen E-Mail von "[email protected]" wird behauptet, dass Ihr Paket nicht geliefert werden kann, da Zollgebühren nicht bezahlt wurden. Um die Zollgebühren zu begleichen, werden Sie aufgefordert, einen Paysafecard-Pin um 75 Euro zu schicken. Ignorieren Sie dieses E-Mail, es handelt sich um Betrug.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-vom-zoll-kundenservice-ist-fake/


∗∗∗ Notfallupdate: Sicherheitslücken in Firefox und Thunderbird werden angegriffen ∗∗∗
---------------------------------------------
Die Mozilla-Stiftung hat außer der Reihe Sicherheitsupdates für Firefox, Klar und Thunderbird herausgegeben, die bereits aktiv angegriffene Lücken schließen.
---------------------------------------------
https://heise.de/-6540649


∗∗∗ Sicherheitsprobleme bei Samsung: Quellcode geklaut, unsichere Kryptografie ∗∗∗
---------------------------------------------
Einbrecher haben bei Samsung Quellcode entwendet. Zudem patzte der Hersteller bei Kryptografie in der Trusted Execution Environment von Flaggschiff-Smartphones.
---------------------------------------------
https://heise.de/-6540849


∗∗∗ Dirty Pipe: Linux-Kernel-Lücke erlaubt Schreibzugriff mit Root-Rechten ∗∗∗
---------------------------------------------
Ein Fehler bei der Verarbeitung von Pipes im Linux-Kernel lässt sich ausnutzen, um Root-Rechte zu erlangen.
---------------------------------------------
https://www.golem.de/news/dirty-pipe-linux-kernel-luecke-erlaubt-schreibzugriff-mit-root-rechten-2203-163680-rss.html


∗∗∗ Microsoft fixes critical Azure bug that exposed customer data ∗∗∗
---------------------------------------------
Microsoft has addressed a critical vulnerability in the Azure Automation service that could have allowed attackers to take full control over other Azure customers data.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-critical-azure-bug-that-exposed-customer-data/


∗∗∗ Massive Meris Botnet Embeds Ransomware Notes from REvil ∗∗∗
---------------------------------------------
Notes threatening to tank targeted companies stock price were embedded into the DDoS ransomware attacks as a string_of_text directed to CEOs and webops_geeks in the URL.
---------------------------------------------
https://threatpost.com/massive-meris-botnet-embeds-ransomware-notes-revil/178769/


∗∗∗ Scam E-Mail Impersonating Red Cross, (Fri, Mar 4th) ∗∗∗
---------------------------------------------
Earlier today, I received a scam email that impersonates the Ukrainian Red Cross. It attempts to solicit donations via Bitcoin. The email is almost certainly not related to any valid Red Cross effort.
---------------------------------------------
https://isc.sans.edu/diary/rss/28404


∗∗∗ oledumps Extra Option, (Sat, Mar 5th) ∗∗∗
---------------------------------------------
A colleague asked if it was possible with oledump.py, to search through a set of malicious documents and filter out all streams that have identical VBA source code.
---------------------------------------------
https://isc.sans.edu/diary/rss/28406


∗∗∗ Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking ∗∗∗
---------------------------------------------
Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage (TNAS) devices that could be chained to attain unauthenticated remote code execution with the highest privileges. The issues reside in TOS, an abbreviation for TerraMaster Operating System, and "can grant unauthenticated attackers access to the victims box simply by knowing the IP [...]
---------------------------------------------
https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.html


∗∗∗ Backdooring WordPress using PyShell ∗∗∗
---------------------------------------------
PyShell is new tool made for bug bounty, ethical hacking, penetration testers or red-teamers. This tool helps you to obtain a shell-like interface on a web server to be remotely accessed.
---------------------------------------------
https://blog.wpsec.com/backdooring-wordpress-using-pyshell/


∗∗∗ Beware of malware offering “Warm greetings from Saudi Aramco” ∗∗∗
---------------------------------------------
A new Formbook campaign is targeting oil and gas companies.
---------------------------------------------
https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware-offering-warm-greetings-from-saudi-aramco/


∗∗∗ Amcache contains SHA-1 Hash – It Depends! ∗∗∗
---------------------------------------------
If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk.
---------------------------------------------
https://blog.nviso.eu/2022/03/07/amcache-contains-sha-1-hash-it-depends/


∗∗∗ Webhook Party – Malicious packages caught exfiltrating data via legit webhook services ∗∗∗
---------------------------------------------
Checkmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages attempting to use a dependency confusion attack. Those packages were detected by the team’s malicious package detection system. Findings show all packages caught contained malicious payload [...]
---------------------------------------------
https://checkmarx.com/blog/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances ∗∗∗
---------------------------------------------
Researchers have disclosed details of a new security vulnerability in GitLab, an open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8.
---------------------------------------------
https://thehackernews.com/2022/03/new-security-vulnerability-affects.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, [...]
---------------------------------------------
https://lwn.net/Articles/887055/


∗∗∗ Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device ∗∗∗
---------------------------------------------
Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device.
---------------------------------------------
https://blog.talosintelligence.com/2022/03/deep-dive-vulnerabilities-in-zte-router.html


∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nimsh-cve-2022-22351/


∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerability-are-addressed-in-monthly-security-fix-for-ibm-cloud-pak-for-business-automation-february-2022/


∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38988) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-kernel-cve-2021-38988/


∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38989) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-kernel-cve-2021-38989/


∗∗∗ Security Bulletin: Some unspecified vulnerabilities in Java SE result in the unauthenticated attacker to take control of the system or some impact ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-some-unspecified-vulnerabilities-in-java-se-result-in-the-unauthenticated-attacker-to-take-control-of-the-system-or-some-impact/


∗∗∗ Bitdefender Produkte: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0264


∗∗∗ Webmin: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0267


∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0266


∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0265

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list