[CERT-daily] Daily Summary - 24.03.2022

Daily end-of-shift report team at cert.at
Thu Mar 24 18:06:43 CET 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 23-03-2022 18:00 − Thursday 24-03-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns ∗∗∗
---------------------------------------------
Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years. According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the now-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server.
---------------------------------------------
https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html


∗∗∗ Double Deception: Phishing Concept Extended with Browser-in-the-Browser Attack ∗∗∗
---------------------------------------------
In his example, the security researcher takes advantage of the OAuth window. In his demo he replicates it exactly using HTML/CSS and gives it a legitimate Google URL, including the HTTPS padlock icon. This makes it harder for victims to spot the fraud, and entered passwords end up with the scammers.
This approach does have one weak point, however: the starting point of a BITB attack is a phishing website that offers the OAuth login flow with the fake window. Scammers first have to lure victims there without arousing suspicion.
---------------------------------------------
https://heise.de/-6621914


∗∗∗ A Closer Look at the LAPSUS$ Data Extortion Group ∗∗∗
---------------------------------------------
Microsoft and identity management platform Okta both disclosed this week breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish the information unless a ransom demand is paid. Here's a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.
---------------------------------------------
https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031 ∗∗∗
---------------------------------------------
Security risk: Moderately critical
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-031


∗∗∗ Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030 ∗∗∗
---------------------------------------------
Security risk: Critical
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-030


∗∗∗ Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) ∗∗∗
---------------------------------------------
Western Digital published a firmware update (5.19.117) which entirely removed support for the open source third party vulnerable service "Depreciated Netatalk Service". As this vulnerability was addressed in the upstream Netatalk code, CVE-2022-23121 was assigned and a ZDI advisory published together with a new Netatalk release 3.1.13 distributed which fixed this vulnerability together with a number of others.
---------------------------------------------
https://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-digital-pr4100-nas-cve-2022-23121/


∗∗∗ Splunk: SVD-2022-0301 Indexer denial-of-service via malformed S2S request ∗∗∗
---------------------------------------------
CVSSv3.1 Score: 7.5, High
CVE ID: CVE-2021-3422
The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic.
---------------------------------------------
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html


∗∗∗ VMware Carbon App Control: Attackers Could Push Malicious Code onto Servers ∗∗∗
---------------------------------------------
Important security updates close two critical vulnerabilities in Carbon App Control for Windows.
---------------------------------------------
https://heise.de/-6619596


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php-twig), Mageia (abcm2ps, libpano13, and pesign), openSUSE (nextcloud and xen), Oracle (kernel, kernel-container, and openssl), SUSE (java-1_7_1-ibm and xen), and Ubuntu (linux-oem-5.14, openvpn, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/889120/


∗∗∗ Vulnerability in Windows 3CX Phone Systems, Patching Is Called For ∗∗∗
---------------------------------------------
Anyone running a 3CX system (phone system) on Windows in a version below v18 Update 3 (Build 450) should take action. The vendor has released a security update for this product in the form of v18 Update 3 (Build 450).
---------------------------------------------
https://www.borncity.com/blog/2022/03/24/schwachstelle-in-windows-3cx-telefonanlagen-patchen-ist-angesagt/


∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-management-apache-struts-vulnerablity-2/


∗∗∗ Security Bulletin: IBM Security Verify Governance, Identity Manager virtual appliance component is vulnerable to denial of service (CVE-2021-38951) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-governance-identity-manager-virtual-appliance-component-is-vulnerable-to-denial-of-service-cve-2021-38951/


∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35550). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-affects-ibm-license-metric-tool-v9-cve-2021-35550/


∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 affects IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletinibm-sdk-java-technology-edition-quarterly-cpu-oct-2021-affects-ibm-security-verify-governance-identity-manager-virtual-appliance-component/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-liberty-for-java-for-ibm-cloud-due-to-january-2022-cpu-plus-deferred-cve-2021-35550-and-cve-2021-35603/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect SPSS Collaboration and Deployment Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-spss-collaboration-and-deployment-services/


∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35603). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-affects-ibm-license-metric-tool-v9-cve-2021-35603/


∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-4-17-21-vulnerability-in-powerha-system-mirror-for-aix/


∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-cloud-is-vulnerable-to-clickjacking-cve-2021-39038/


∗∗∗ Security Bulletin: Vulnerabilities with Expat affect IBM Cloud Object Storage Systems (Mar 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expat-affect-ibm-cloud-object-storage-systems-mar-2022-v1/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-functional-tester-7/


∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-management-apache-struts-vulnerablity/


∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2022-22374 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-is-being-released-to-address-cve-2022-22374/


∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35578). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-affects-ibm-license-metric-tool-v9-cve-2021-35578/


∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-006/


∗∗∗ Yokogawa CENTUM and Exaopc ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-083-01


∗∗∗ mySCADA myPRO ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-083-02

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



