Daily summary - 21.12.2021

End-of-Day report

Timeframe: Monday 20-12-2021 18:00 - Tuesday 21-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

Malware: Who is afraid of Android's accessibility features?

Malware on Android frequently uses the Accessibility Services to bypass security features. But apps can protect themselves.

https://www.golem.de/news/malware-wer-hat-angst-vor-androids-barrierefreiheit-2112-161930-rss.html


Xcode: Hotfix is meant to work around the Log4j vulnerability

Apple's development environment contains a vulnerable version of the Java logging library log4j. A fix is supposed to take effect when iOS apps are uploaded, though.

https://heise.de/-6301988


Have I Been Pwned: 225 million new passwords from a British police authority

The password-checking service's data set keeps growing. Law enforcement agencies now have a way to feed seized data in directly.

https://heise.de/-6301963


Google removes malware-infected SMS app from Play Store

A Messages app in Google's app store that brought in the Joker malware reached more than 500,000 installations. Google has since removed the app.

https://heise.de/-6302544


Selling safely on Willhaben, Shpock & Co

Do you want to resell items you no longer use? Platforms such as willhaben, shpock or Facebook give you plenty of options for selling old furniture, neglected sports equipment or electrical appliances. But there are a few things to keep in mind! We show you how to sell safely via classified-ad platforms.

https://www.watchlist-internet.at/news/sicher-verkaufen-auf-willhaben-shpock-co/


Backdoor CVE-2021-40859 in Auerswald telephone systems (e.g. COMpact 5500R 7.8A & 8.0B) fixed

Auerswald is a German manufacturer of telephone systems for business use. Security researchers have discovered backdoors in the firmware of Auerswald telephone systems (e.g. COMpact 5500R) through which the administrator password could be reset. This was disclosed on 20.12.2021. Here is some information about it.

https://www.borncity.com/blog/2021/12/21/backdoor-cve-2021-40859-in-auerswaldtelefonanlagen-z-b-compact-5500r-7-8a-8-0b-gefixt/


Two Active Directory Bugs Lead to Easy Windows Domain Takeover

Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12.

https://threatpost.com/active-directory-bugs-windows-domain-takeover/177185/


Day 10: where we are with log4j from honeypot's perspective

Our team spent a great deal of effort on simulating different protocols, applications and vulnerabilities with our honeypot (Anglerfish and Apacket) system. When a big event happens, we are always curious what we see from the honeypot side. Since log4j came to light 10 days ago, we have published two related blogs,

https://blog.netlab.360.com/apache-log4j2-vulnerability-attack-trend-from-the-perspective-of-honeypot-en/


[SANS ISC] More Undetected PowerShell Dropper

I published the following diary on isc.sans.edu: "More Undetected PowerShell Dropper": Last week, I published a diary about a PowerShell backdoor running below the radar with a VT score of 0! This time, it's a dropper with multiple obfuscation techniques in place.

https://blog.rootshell.be/2021/12/21/sans-isc-more-undetected-powershell-dropper/


Velociraptor & Loki

Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically "phones home" and keeps a connection with the server [...]

https://blog.rootshell.be/2021/12/21/velociraptor-loki/


RCE in Visual Studio Code's Remote WSL for Fun and Negative Profit

The Visual Studio Code server in Windows Subsystem for Linux uses a local WebSocket connection to communicate with the Remote WSL extension. JavaScript in websites can connect to this server and execute arbitrary commands on the target system.

https://parsiya.net/blog/2021-12-20-rce-in-visual-studio-codes-remote-wsl-for-fun-and-negative-profit/


Log4j vulnerability: what should boards be asking?

Advice for board members of medium to large organisations that are at risk from the Apache Log4j vulnerability.

https://www.ncsc.gov.uk/blog-post/log4j-vulnerability-what-should-boards-be-asking


FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability

The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability in Zoho's ManageEngine Desktop Central product.

https://www.securityweek.com/fbi-sees-apts-exploiting-recent-manageengine-desktop-central-vulnerability


After ransomware attack, global logistics firm Hellmann warns of scam calls and mail

Hellmann said customers need to make sure they are really communicating with an employee through all calls or mail.

https://www.zdnet.com/article/after-ransomware-attack-global-logistics-firm-hellmann-warns-of-scam-calls-and-mail/


Why vulnerabilities are like buses

How organisations can address the growing trend in which multiple vulnerabilities within a single product are exploited over a short period.

https://www.ncsc.gov.uk/blog-post/why-vulnerabilities-are-like-buses

Vulnerabilities

IBM Security Bulletins

IBM has published 30 security bulletins.

https://www.ibm.com/blogs/psirt/


Security updates for Tuesday

Security updates have been issued by Mageia (log4j), openSUSE (chromium, log4j, netdata, and nextcloud), Oracle (kernel and kernel-container), Red Hat (kernel, kernel-rt, log4j, openssl, postgresql:12, postgresql:13, and virt:rhel and virt-devel:rhel), Slackware (httpd), SUSE (xorg-x11-server), and Ubuntu (firefox).

https://lwn.net/Articles/879360/


mySCADA myPRO

This advisory contains mitigations for Authentication Bypass Using an Alternate Path or Channel, Use of Password Hash with Insufficient Computational Effort, Hidden Functionality, and OS Command Injection vulnerabilities in the mySCADA myPRO HMI/SCADA system.

https://us-cert.cisa.gov/ics/advisories/icsa-21-355-01


Horner Automation Cscape EnvisionRV

This advisory contains mitigations for an Improper Input Validation vulnerability in Horner Automation Cscape EnvisionRV industrial remote viewing software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-355-02


WECON LeviStudioU

This advisory contains mitigations for Stack-based Buffer Overflow, and Heap-based Buffer Overflow vulnerabilities in WECON LeviStudioU HMI programming software.

https://us-cert.cisa.gov/ics/advisories/icsa-21-355-03


Emerson DeltaV

This advisory contains mitigations for Missing Authentication for Critical Function, and Uncontrolled Search Path Element vulnerabilities in the Emerson DeltaV control system controllers and workstations.

https://us-cert.cisa.gov/ics/advisories/icsa-21-355-04


Schneider Electric Rack PDU (Update A)

This updated advisory is a follow-up to the original advisory titled ICSA-21-348-02 Schneider Electric Rack PDU that was published December 14, 2021, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Schneider Electric Rack Power Distribution Unit (PDU).

https://us-cert.cisa.gov/ics/advisories/icsa-21-348-02


Fresenius Kabi Agilia Connect Infusion System

This advisory contains mitigations for several vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System.

https://us-cert.cisa.gov/ics/advisories/icsma-21-355-01


Apache Log4j Vulnerabilities - Impact on Bosch Rexroth Products

BOSCH-SA-572602: The Apache Software Foundation has published information about a vulnerability in the Java logging framework *log4j*, which allows an attacker to execute arbitrary code loaded from LDAP or JNDI related endpoints which are under control of the attacker. [1] Additionally, a further vulnerability might allow an attacker to cause a denial of service by sending a crafted string to the framework. From Bosch Rexroth, only the IoT Gateway software has been identified as affected.

https://psirt.bosch.com/security-advisories/bosch-sa-572602.html


SSA-397453: Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to Siemens Energy TraceAlertServerPLUS

https://cert-portal.siemens.com/productcert/txt/ssa-397453.txt


Security Bulletin: IBM Cognos Controller 10.4.2 IF16: Apache Log4j vulnerability (CVE-2021-45046)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-10-4-2-if16-apache-log4j-vulnerability-cve-2021-45046/


An update on the Apache Log4j CVE-2021-44228 vulnerability

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/


CVE-2021-44228 Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 (Severity: CRITICAL)

https://security.paloaltonetworks.com/CVE-2021-44228