Daily summary - 17.12.2021

End-of-Day report

Timeframe: Thursday 16-12-2021 18:00 - Friday 17-12-2021 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

News

Log4j attackers switch to RMI to inject code and mine Monero

Some threat actors exploiting the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI or even used both in a single request for maximum chances of success.

https://www.bleepingcomputer.com/news/security/log4j-attackers-switch-to-rmi-to-inject-code-and-mine-monero/


Log4j Scanning and CVE-2021-44228 Exploitation - Latest Observations (2021-12-16)

After our recent Special Report and blog post about vulnerable log4j servers, a quick and dirty update on the "log4shell" mass scanning and attempted CVE-2021-44228 exploitation activity we have been seeing across our global honeypot sensor network between Sunday December 11th and Thursday December 16th, including a quick analysis of the top ten malware callback URIs observed and server distribution.

https://www.shadowserver.org/news/log4j-scanning-and-cve-2021-44228-exploitation-latest-observations-2021-12-16/


How to Find and Fix a WordPress Pharma Hack

Did you know that one quarter of all spam emails are attributed to pharmaceutical ads? Pharma hacks go beyond the inbox and spam websites by redirecting traffic and adding fake keywords and subdomains to the search results. Why, and how, did the medical world get tangled up in spam emails, SEO spam, redirects, and website spam injection? The answer is money.

https://blog.sucuri.net/2021/12/how-to-find-and-fix-a-wordpress-pharma-hack.html


SWITCH Security Report November/December 2021

Dear Reader, the latest issue of our bi-monthly SWITCH Security Report is available. The main topics of the current report are: GoldDust but no nuggets: seven REvil partners caught, but the real orchestrators are still out there / EasyHack? Data belonging to COVID-19 loan recipients stolen from EasyGov platform / Tor under siege: massive de-anonymisation attacks target Tor network [...]

https://securityblog.switch.ch/2021/12/17/switch-security-report-2021-10-11/


Critical vulnerability threatens desktop management system VMware Workspace ONE UEM

Attackers could read information stored on servers. Hardened versions of VMware's management software have been released.

https://heise.de/-6297742


CISA orders federal agencies to mitigate Log4J vulnerabilities in emergency directive

CISA had previously given civilian federal agencies until December 24 to apply any patches.

https://www.zdnet.com/article/cisa-orders-federal-agencies-to-mitigate-log4j-vulnerabilities-in-emergency-directive/#ftag=RSSbaffb68


NSA and CISA Release Final Part IV of Guidance on Securing 5G Cloud Infrastructures

CISA has announced the joint National Security Agency (NSA) and CISA publication of the final of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part IV: Ensure Integrity of Cloud Infrastructure focuses on platform integrity, microservices infrastructure integrity, launch time integrity, and build time security to ensure that 5G cloud resources are not modified without authorization.

https://us-cert.cisa.gov/ncas/current-activity/2021/12/16/nsa-and-cisa-release-final-part-iv-guidance-securing-5g-cloud


Conti ransomware group adopts Log4Shell exploit

The Conti gang has become the first professional ransomware operation to adopt and incorporate the Log4Shell vulnerability in their daily operations.

https://therecord.media/conti-ransomware-group-adopts-log4shell-exploit/


Insights into Ireland's Health Service Executive ransomware case of May 2021

Today it is the turn of door number 17 in the security Advent calendar. I have placed a special "treat" for administrators behind it. In May 2021 there was a ransomware attack on Ireland's health authority (Health Service Executive, HSE). PricewaterhouseCoopers recently presented an analysis of what [...]

https://www.borncity.com/blog/2021/12/17/insides-zu-irlands-health-service-executive-ransomware-fall-im-mai-2021/

Vulnerabilities

UNIVERGE DT Series vulnerable to missing encryption of sensitive data

UNIVERGE IP Phone DT Series and PC tools for DT Series maintainers (IP Phone Manager and Data Maintenance Tool) provided by NEC Platforms, Ltd. contain a missing encryption vulnerability.

https://jvn.jp/en/jp/JVN13464252/


An update on the Apache Log4j CVE-2021-44228 vulnerability

Update December 17, 11:37 am: IBM is focused on the original CVE-2021-44228 as the prevalent risk, requiring our attention and our customers' attention. With so much active industry research on Log4j, we will continually see mitigation and remediation recommendations. We continue to review the latest information and share updates accordingly.

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/


VMSA-2021-0028

Revised advisory with updates to multiple products. In addition, added CVE-2021-45046 information and noted alignment with new Apache Software Foundation guidance.

https://www.vmware.com/security/advisories/VMSA-2021-0028.html


Security updates for Friday

Security updates have been issued by Debian (kernel), Fedora (dr_libs, libsndfile, and podman), openSUSE (fetchmail, log4j, log4j12, logback, python3, and seamonkey), Oracle (go-toolset:ol8, idm:DL1, and nodejs:16), Red Hat (go-toolset-1.16 and go-toolset-1.16-golang, ipa, rh-postgresql12-postgresql, rh-postgresql13-postgresql, and samba), Slackware (xorg), SUSE (log4j, log4j12, and python3), and Ubuntu (apache-log4j2 and openjdk-8, openjdk-lts).

https://lwn.net/Articles/879020/


Xylem AquaView

This advisory contains mitigations for a Use of Hard-coded Credentials vulnerability in the Xylem AquaView SCADA system.

https://us-cert.cisa.gov/ics/advisories/icsa-21-350-01


Delta Electronics CNCSoft

This advisory contains mitigations for an Out-of-bounds Read vulnerability in Delta Electronics CNCSoft industrial automation software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-350-02


Wibu-Systems CodeMeter Runtime

This advisory contains mitigations for an Improper Privilege Management vulnerability in the Wibu-Systems CodeMeter Runtime server.

https://us-cert.cisa.gov/ics/advisories/icsa-21-350-03


Mitsubishi Electric GX Works2

This advisory contains mitigations for an Improper Handling of Length Parameter Inconsistency vulnerability in Mitsubishi Electric's GX Works2 engineering software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-350-04


Mitsubishi Electric FA Engineering Software

This advisory contains mitigations for Out-of-bounds Read and Integer Underflow vulnerabilities in Mitsubishi Electric's FA Engineering Software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05


Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Plus (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-plus-cve-2021-44228/


Security Bulletin: IBM MQ Blockchain bridge dependencies are vulnerable to an issue in Apache Log4j (CVE-2021-45046)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-blockchain-bridge-dependencies-are-vulnerable-to-an-issue-in-apache-log4j-cve-2021-45046/


Security Bulletin: Apache Log4J vulnerabilities affect IBM Cloud Object Storage File Access (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilities-affect-ibm-cloud-object-storage-file-access-cve-2021-44228/


K32171392: Apache Log4j2 vulnerability CVE-2021-45046

https://support.f5.com/csp/article/K32171392


Logback: vulnerability allows code execution

https://www.cert-bund.de/advisoryshort/CB-K21-1295