[CERT-daily] Tageszusammenfassung - 04.05.2022
Daily end-of-shift report
team at cert.at
Wed May 4 18:24:18 CEST 2022
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 03-05-2022 18:00 − Mittwoch 04-05-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Conti, REvil, LockBit ransomware bugs exploited to block encryption ∗∗∗
---------------------------------------------
Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the table by finding exploits in the most common ransomware and malware being distributed today.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/
∗∗∗ A new secret stash for “fileless” malware ∗∗∗
---------------------------------------------
We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system.
---------------------------------------------
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
∗∗∗ Compromising Read-Only Containers with Fileless Malware ∗∗∗
---------------------------------------------
Many people see read-only filesystems as a catch-all to stop malicious activity and container drift in containerized environments. This blog will explore the mechanics and prevalence of malware fileless execution in attacking read-only containerized environments.
---------------------------------------------
https://sysdig.com/blog/containers-read-only-fileless-malware/
∗∗∗ Update on cyber activity in Eastern Europe ∗∗∗
---------------------------------------------
Google’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns.
---------------------------------------------
https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/
∗∗∗ Spyware blieb in Unternehmen bis zu 18 Monate lang unentdeckt ∗∗∗
---------------------------------------------
Die "Quietexit" genannte Backdoor blieb teilweise 18 Monate unentdeckt. Sicherheitsforscher vermuten, dass dahinter eine staatliche Gruppe steckt.
---------------------------------------------
https://heise.de/-7074066
∗∗∗ „Vorsicht, Falle!“: Wir brauchen Ihre Hilfe für ein neues Projekt! ∗∗∗
---------------------------------------------
Wir arbeiten derzeit an einem neuen Projekt: Bei „Vorsicht, Falle!“ entwickeln wir einen „Internetfallen-Generator“. Das heißt wir ahmen betrügerische Webseiten nach. Aber nicht mit dem Ziel, an Daten oder Geld zu kommen. Im Gegenteil: Allen, die in unsere Falle tappen, zeigen wir am Beispiel der Betrugsmasche, wie sie diese erkennen können.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-falle-wir-brauchen-ihre-hilfe-fuer-ein-neues-projekt/
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/05/04/cisa-adds-five-known-exploited-vulnerabilities-catalog
∗∗∗ XSS in JSON: Old-School Attacks for Modern Applications ∗∗∗
---------------------------------------------
This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and Javascript Object Notation (JSON).
---------------------------------------------
https://www.rapid7.com/blog/post/2022/05/04/xss-in-json-old-school-attacks-for-modern-applications/
=====================
= Vulnerabilities =
=====================
∗∗∗ Uclibc: Alte DNS-Lücke betrifft viele IoT-Geräte ∗∗∗
---------------------------------------------
Eine in Embedded-Geräten eingesetzte Bibliothek ist von Kaminskys DNS-Angriff betroffen, doch die Auswirkungen dürften sich in Grenzen halten.
---------------------------------------------
https://www.golem.de/news/uclibc-alte-dns-luecke-betrifft-viele-iot-geraete-2205-165083-rss.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openjdk-17), Fedora (chromium and suricata), Oracle (mariadb:10.5), SUSE (amazon-ssm-agent, containerd, docker, java-11-openjdk, libcaca, libwmf, pcp, ruby2.5, rubygem-puma, webkit2gtk3, and xen), and Ubuntu (linux-raspi).
---------------------------------------------
https://lwn.net/Articles/893839/
∗∗∗ Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to FasterXML Jackson Databind (CVE-2020-25649) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-requirements-management-doors-next-is-vulnerable-to-xml-external-entity-xxe-attacks-due-to-fasterxml-jackson-databind-cve-2020-25649/
∗∗∗ Security Bulletin: IBM Informix Dynamic Server is affected to denial of service due to FasterXML jackson-databind (CVE-2020-36518) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-is-affected-to-denial-of-service-due-to-fasterxml-jackson-databind-cve-2020-36518/
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Intel Processors affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-intel-processors-affect-cloud-pak-system/
∗∗∗ Security Bulletin: Vulnerabilitiìy identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified-in-ibm-db2-that-is-shipped-as-component-and-pattern-type-or-ptype-with-cloud-pak-system-and-cloud-pak-system-software-suite-cloud-pak-system-address-2/
∗∗∗ K55879220: Overview of F5 vulnerabilities (May 2022) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K55879220
∗∗∗ 2022-11 Multiple vulnerabilities in Provize Basic Frontend ∗∗∗
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14299&mediaformatid=50063&destinationid=10016
∗∗∗ 2022-05 Multiple vulnerabilities in Provize Basic Backend ∗∗∗
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14298&mediaformatid=50063&destinationid=10016
∗∗∗ 2022-01 Vulnerability in ‘axios’ HTTP client in Provize Basic ∗∗∗
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14297&mediaformatid=50063&destinationid=10016
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list