[CERT-daily] Tageszusammenfassung - 30.05.2022

Daily end-of-shift report team at cert.at
Mon May 30 18:10:32 CEST 2022


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 27-05-2022 18:00 − Montag 30-05-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Clop ransomware gang is back, hits 21 victims in a single month ∗∗∗
---------------------------------------------
After effectively shutting down their entire operation for several months, between November and February, the Clop ransomware is now back according to NCC Group researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/


∗∗∗ New Windows Subsystem for Linux malware steals browser auth cookies ∗∗∗
---------------------------------------------
Hackers are showing an increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-windows-subsystem-for-linux-malware-steals-browser-auth-cookies/


∗∗∗ New GoodWill Ransomware Forces Victims to Donate Money and Clothes to the Poor ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims into donating for social causes and provide financial assistance to people in need.
---------------------------------------------
https://thehackernews.com/2022/05/new-goodwill-ransomware-forces-victims.html


∗∗∗ Understanding CVE-2022-22972 (VMWare Workspace One Access Auth Bypass) ∗∗∗
---------------------------------------------
We’ve got a copy of the vulnerable version of VMWare Workspace One Access, and we’ve gone through the extremely boring process of setting it up (oh the joys of vulnerability research). At this stage, we want to try and narrow down exactly where this vulnerability exists in code.
---------------------------------------------
https://blog.assetnote.io/2022/05/27/understanding-cve-2022-22972-vmware-workspace-one-access/


∗∗∗ Bösartige Browser-Erweiterung: ChromeLoader kommt als ISO getarnt ∗∗∗
---------------------------------------------
Eine bösartige Erweiterung kann allen Browserverkehr über unerwünschte Server leiten und so Daten abschöpfen. ChromeLoader geht dabei trickreich vor.
---------------------------------------------
https://heise.de/-7126317


∗∗∗ Probleme mit Ihrer Lebensversicherung? Vorsicht vor Beratungsleistungen von konsumentenschuetzer.com ∗∗∗
---------------------------------------------
Im Internet finden Sie die Beratungsagentur „Konsumentenschützer“, die Ihren Vertrag prüft und bei Bedarf eine Klage bei Ihrer Versicherung einbringt. Wir raten zur Vorsicht.
---------------------------------------------
https://www.watchlist-internet.at/news/probleme-mit-ihrer-lebensversicherung-vorsicht-vor-beratungsleistungen-von-konsumentenschuetzercom/


∗∗∗ Microsoft findet Schwachstellen in Apps großer Mobilfunkprovider (Mai 2022) ∗∗∗
---------------------------------------------
Das Microsoft 365 Defender Research Team hat in einem mobilen Framework von mce Systems einige Schwachstellen gefunden.
---------------------------------------------
https://www.borncity.com/blog/2022/05/30/microsoft-findet-schwachstellen-in-apps-groer-mobilfunkprovider-mai-2022/


∗∗∗ Detecting BCD Changes To Inhibit System Recovery ∗∗∗
---------------------------------------------
Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Hermetic wiper”. To inhibit recovery an attacker has many possibilities, one of which is changing the Boot Configuration Database (BCD).
---------------------------------------------
https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-recovery/


∗∗∗ Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices ∗∗∗
---------------------------------------------
Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers.
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers


∗∗∗ GitHub RepoJacking Weakness Exploited in the Wild by Attackers ∗∗∗
---------------------------------------------
A logical flaw in GitHub allows attackers to take control over thousands of repositories, enabling the poisoning of popular open-source packages. This flaw is yet to be fixed and the steps to exploit it were recently published.
---------------------------------------------
https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wild-by-attackers/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme, (Mon, May 30th) ∗∗∗
---------------------------------------------
It was a long weekend for many European countries and it’s an off-day in the US but we were aware of a new attack vector for Microsoft Office documents.
---------------------------------------------
https://isc.sans.edu/diary/rss/28694


∗∗∗ Zero-Day-Lücke in Microsoft Office ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
Sicherheitsforscher haben ein Word-Dokument entdeckt, das beim Öffnen Schadcode nachladen und ausführen kann. Aktuelle Software scheint davor zu schützen.
---------------------------------------------
https://heise.de/-7125635


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (modsecurity-apache, pngcheck, rsyslog, and smarty3), Fedora (firefox, golang-github-opencontainers-runc, gron, kernel, kernel-headers, kernel-tools, logrotate, mingw-pcre2, and rubygem-git), Mageia (admesh, chromium-browser-stable, golang, kernel, kernel-linus, and pidgin), Red Hat (firefox, openvswitch2.13, openvswitch2.15, openvswitch2.16, rsyslog, and thunderbird), SUSE (bind, curl, opera, pcp, postgresql12, and postgresql14), [...]
---------------------------------------------
https://lwn.net/Articles/896640/


∗∗∗ Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-46669, CVE-2022-24048, MariaDB – 219814, MariaDB – 219815, CVE-2022-24050, CVE-2022-24052 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-powervc-installation-on-rhel-is-vulnerable-to-mariadb-with-cve-2021-46669-cve-2022-24048-mariadb-219814-mariadb-219815-cve-2022-24050-cve-2022-24052/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by a number of security vulnerabilities in Netty, which is used by Guardium (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-number-of-security-vulnerabilities-in-netty-which-is-used-by-guardium-cve-2021-21290-cve-2021-21295-cve-2021-21409-cve-2021-37136-cve-2-2/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-in-apache-thrift-3/


∗∗∗ Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in-golang-x-crypto-cve-2020-9283-which-is-consumed-by-ibm-cics-tx-standard/


∗∗∗ Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in-golang-x-crypto-cve-2020-9283-which-is-consumed-by-ibm-cics-tx-advanced/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-fasterxml-jackson-databind-vulnerabilities-cve-2020-25649-x-force-id-217968-3/


∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote attack due to Moment.js CVE-2022-24785 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-cloud-pak-for-integration-is-vulnerable-to-remote-attack-due-to-moment-js-cve-2022-24785/


∗∗∗ Security Bulletin: Cross-Site Request Forgery vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-22361 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forgery-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2022-22361/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-path-traversal-and-crypto-vulnerabilities-cve-2021-29425-cve-2021-39076-3/


∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-20/


∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0665

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list