End-of-Day report
Timeframe: Tuesday 07-12-2021 18:00 - Thursday 09-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
Malicious NPM packages are part of a malware "barrage" hitting repositories
People's trust in repositories makes them the perfect vectors for malware.
https://arstechnica.com/?p=1818997
New Cerber ransomware targets Confluence and GitLab servers
Cerber ransomware is back, as a new ransomware family adopts the old name and targets Atlassian Confluence and GitLab servers using remote code execution vulnerabilities.
https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-targets-confluence-and-gitlab-servers/
Grafana fixes zero-day vulnerability after exploits spread over Twitter
Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files.
https://www.bleepingcomputer.com/news/security/grafana-fixes-zero-day-vulnerability-after-exploits-spread-over-twitter/
Emotet now drops Cobalt Strike, fast forwards ransomware attacks
In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent.
https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/
The life cycle of phishing pages
We've analyzed the life cycle of phishing pages, how they transform during their active period, and the domains where they're located.
https://securelist.com/phishing-page-life-cycle/105171/
Moobot Botnet Chews Up Hikvision Surveillance Systems
Attackers are milking unpatched Hikvision video systems to drop a DDoS botnet, researchers warned.
https://threatpost.com/moobot-botnet-hikvision-surveillance-systems/176879/
PHP Re-Infectors - The Malware that Keeps On Giving
Attackers have developed some methods for protecting their work as we will explore in this post. We will also look at how you can remove this infection from a compromised website.
https://blog.sucuri.net/2021/12/php-re-infectors-the-malware-that-keeps-on-giving.html
Over 300,000 MikroTik Devices Found Vulnerable to Remote Hacking Bugs
At least 300,000 IP addresses associated with MikroTik devices have been found vulnerable to multiple remotely exploitable security vulnerabilities that have since been patched by the popular supplier of routers and wireless ISP devices.
https://thehackernews.com/2021/12/over-300000-mikrotik-devices-found.html
Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks
Vulnerabilities in Microsoft's and others' popular OAuth 2.0 implementations lead to redirection attacks that bypass most phishing detection and email security solutions.
https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection
Virtualized USB as a security hole
USB + cloud = danger. Flaws in USB-over-Ethernet drivers for cloud services allow attackers to execute arbitrary code in kernel mode, both locally and on the server side.
https://heise.de/-6289521
Is your web browser vulnerable to data theft? XS-Leak explained
IT security researchers recently exposed new cross-site leak (XS-Leak) attacks against modern-day browsers. But what is XS-Leak anyway?
https://blog.malwarebytes.com/explained/2021/12/is-your-web-browser-vulnerable-to-data-theft-xs-leak-explained/
Was threat actor KAX17 de-anonymizing the Tor network?
A threat actor was found to be running a high percentage of the Tor network's servers.
https://blog.malwarebytes.com/reports/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network/
Detecting Patient Zero Web Threats in Real Time With Advanced URL Filtering
Patient zero web threats are malicious URLs that are being seen for the first time. We discuss how to stop them despite attacker cloaking techniques.
https://unit42.paloaltonetworks.com/patient-zero-web-threats/
CISA Releases Guidance on Protecting Organization-Run Social Media Accounts
CISA has released Capability Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts.
https://us-cert.cisa.gov/ncas/current-activity/2021/12/09/cisa-releases-guidance-protecting-organization-run-social-media
Two Birds with One Stone: An Introduction to V8 and JIT Exploitation
In this special blog series, ZDI Vulnerability Researcher Hossein Lotfi looks at the exploitation of V8 - Google's open-source high-performance JavaScript and WebAssembly engine - through the lens of a bug used during Pwn2Own Vancouver 2021.
https://www.thezdi.com/blog/2021/12/6/two-birds-with-one-stone-an-introduction-to-v8-and-jit-exploitation
Kernel Karnage - Part 6 (Last Call)
Having covered process, thread and image callbacks in the previous blog posts, I think it's only fair if we conclude this topic with registry and object callbacks.
https://blog.nviso.eu/2021/12/09/kernel-karnage-part-6-last-call/
Vulnerabilities
SanDisk SecureAccess bug allows brute forcing vault passwords
Western Digital has fixed a security vulnerability that enabled attackers to brute force SanDisk SecureAccess passwords and access the user's protected files.
https://www.bleepingcomputer.com/news/security/sandisk-secureaccess-bug-allows-brute-forcing-vault-passwords/
IBM Security Bulletins 2021-12-07 and 2021-12-08
DB2, WebSphere Application Server, Tivoli Business Service Manager, PowerHA, Guardium Data Encryption, Watson Speech Services, Process Designer, Business Automation Workflow
https://www.ibm.com/blogs/psirt/
Patch now! Root vulnerability in SonicWall's SMA 100 remote access solution
Security updates close, among other things, critical vulnerabilities in Secure Mobile Access appliances.
https://heise.de/-6290012
FortiOS and FortiProxy updates close security vulnerabilities, check recommended
Fortinet has come across a compromised system and recommends that administrators check for signs of intrusion. Updates are also available.
https://heise.de/-6290546
LibreOffice brings update forward because of critical vulnerability
A security vulnerability in the NSS library also affects LibreOffice and allows malicious code to be slipped in. Updates to close the hole are available.
https://heise.de/-6290069
Security updates for Wednesday
Security updates have been issued by Debian (nss), Fedora (rubygem-rmagick), openSUSE (xen), Red Hat (firefox and nss), SUSE (kernel and xen), and Ubuntu (mailman and nss).
https://lwn.net/Articles/878038/
Security updates for Thursday
Security updates have been issued by Fedora (firefox, libopenmpt, matrix-synapse, vim, and xen), Mageia (gmp, heimdal, libsndfile, nginx/vsftpd, openjdk, sharpziplib/mono-tools, and vim), Red Hat (java-1.8.0-ibm), Scientific Linux (firefox), SUSE (kernel-rt), and Ubuntu (bluez).
https://lwn.net/Articles/878142/
Bentley BE-2021-0005: Out-of-bounds and use-after-free vulnerabilities in Bentley MicroStation and Bentley View
https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005
Helmholz: Remote user enumeration in myREX24/myREX24-virtual
http://cert.vde.com/de/advisories/VDE-2021-058/
Helmholz: Privilege Escalation in shDialup
http://cert.vde.com/de/advisories/VDE-2021-057/
Hitachi Energy RTU500 OpenLDAP
https://us-cert.cisa.gov/ics/advisories/icsa-21-341-01
Hitachi Energy XMC20 and FOX61x
https://us-cert.cisa.gov/ics/advisories/icsa-21-341-02
FANUC Robot Controllers
https://us-cert.cisa.gov/ics/advisories/icsa-21-243-02
Hillrom Welch Allyn Cardio Products
https://us-cert.cisa.gov/ics/advisories/icsma-21-343-01
Hitachi Energy GMS600, PWC600, and Relion
https://us-cert.cisa.gov/ics/advisories/icsa-21-343-01
WECON LeviStudioU
https://us-cert.cisa.gov/ics/advisories/icsa-21-343-02
Multiple Vulnerabilities in Bosch BT software products
https://psirt.bosch.com/security-advisories/bosch-sa-043434-bt.html
Stack Buffer Overflow Vulnerability in Surveillance Station
https://www.qnap.com/en-us/security-advisory/QSA-21-46
Reflected XSS Vulnerability in Kazoo Server
https://www.qnap.com/en-us/security-advisory/QSA-21-54
Improper Authentication Vulnerability in Qfile
https://www.qnap.com/en-us/security-advisory/QSA-21-55