Daily summary - 29.12.2021

End-of-Day report

Timeframe: Tuesday 28-12-2021 18:00 - Wednesday 29-12-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

RedLine malware shows why passwords shouldn't be saved in browsers

The RedLine information-stealing malware targets popular web browsers such as Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is a bad idea.

https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/


Microsoft Defender Log4j scanner triggers false positive alerts

Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the company's newly deployed Microsoft 365 Defender scanner for Log4j processes.

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-scanner-triggers-false-positive-alerts/


Security vulnerabilities found in pacemakers again

At the RC3 online conference, two security researchers showed how they put cardiac devices under the microscope.

https://futurezone.at/digital-life/herzschrittmacher-sicherheitsluecken-rc3/401856956


Responsible Disclosure: Your software, the security vulnerabilities and me

How do you actually report security vulnerabilities properly? And how should companies deal with them? Zerforschung and the CCC explain. A report by Moritz Tremmel (rC3, API)

https://www.golem.de/news/responsible-disclosure-deine-software-die-sicherheitsluecken-und-ich-2112-162067-rss.html


LotL Classifier tests for shells, exfil, and miners (Tue, Dec 28th)

A supervised learning approach to Living off the Land attack classification from Adobe SI

https://isc.sans.edu/diary/rss/28184


Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics

An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed. [...] Initial attacks involved executing a malicious command upon running a vanilla image named "alpine:latest" that resulted in the download of a shell script named "autom.sh." "Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use,"

https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html


Turning bad SSRF to good SSRF: Websphere Portal

In this blog post, we will explain how we discovered a multitude of SSRF vulnerabilities in HCL Websphere, as well as how we turned a restrictive, bad SSRF to a good SSRF.

https://blog.assetnote.io/2021/12/26/chained-ssrf-websphere/


Storage Devices of Major Vendors Impacted by Encryption Software Flaws

Earlier this month, SecurityWeek reported that Western Digital had updated its SanDisk SecureAccess product to address vulnerabilities that can be exploited to gain access to user data through brute force and dictionary attacks. SanDisk SecureAccess, recently rebranded SanDisk PrivateAccess, is a piece of software that allows users to encrypt files and folders stored in a protected vault on SanDisk USB flash drives. [...] Pelissier detailed his findings this week at the Chaos Computer Club's Remote Chaos Experience (rC3) virtual conference, where he revealed that the vulnerabilities were actually discovered in the DataVault encryption software made by ENC Security.

https://www.securityweek.com/storage-devices-major-vendors-impacted-encryption-software-flaws


Buying safely on Willhaben, Shpock & Co.

Looking for second-hand bargains? Classified-ad platforms such as willhaben, Shpock or Facebook Marketplace offer plenty of ways to browse and find the perfect deal. However, there are a few points you should keep in mind when shopping on such platforms.

https://www.watchlist-internet.at/news/sicher-kaufen-auf-willhaben-shpock-co/


Threat actor uses HP iLO rootkit to wipe servers

An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations.

https://therecord.media/threat-actor-uses-hp-ilo-rootkit-to-wipe-servers/

Vulnerabilities

Log4Shell vulnerability Number Four: "Much ado about something"

CVE-2021-44832: It's a Log4j bug, and you ought to patch it. But we don't think it's a critical crisis like the last one.

https://nakedsecurity.sophos.com/2021/12/29/log4shell-vulnerability-number-four-much-ado-about-something/


SSA-784507: Apache Log4j Vulnerability (CVE-2021-44832) via JDBC Appender - Impact to Siemens Products

This advisory informs about the impact of CVE-2021-44832 to Siemens products and the corresponding remediation and mitigation measures. The vulnerability is different from other JNDI lookup vulnerabilities, the impact of which is documented in SSA-661247.

https://cert-portal.siemens.com/productcert/txt/ssa-784507.txt


Security updates for Wednesday

Security updates have been issued by Debian (firefox-esr, python-gnupg, resiprocate, and ruby-haml), Fedora (mod_auth_mellon), openSUSE (thunderbird), Slackware (wpa_supplicant), and SUSE (gegl).

https://lwn.net/Articles/879995/


D-LINK Router (DIR-2640 <= 1.11B02): Multiple vulnerabilities

A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in D-LINK routers to escalate privileges, disclose confidential information and execute arbitrary code as root.

http://www.cert-bund.de/advisoryshort/CB-K21-1313


Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.

Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
- Citrix Endpoint Management (Citrix XenMobile Server): Impacted - Customers are advised to apply the latest CEM rolling patch updates
- Citrix Virtual Apps and Desktops (XenApp & XenDesktop): Impacted - Linux VDA (non-LTSR versions only)

https://support.citrix.com/article/CTX335705


Exposure of Sensitive Information in QTS, QuTS hero, and QuTScloud

CVE identifier: CVE-2021-34347
Affected products: All QNAP NAS
A vulnerability involving exposure of sensitive information has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to compromise the security of the system.

https://www.qnap.com/en-us/security-advisory/QSA-21-53


Security Advisory - Cross-Site Scripting(XSS) Vulnerability in Huawei WS318n Product

http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211229-01-xss-en


Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot for VMware (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-protect-snapshot-for-vmware-cve-2021-44228-4/


Security Bulletin: Multiple vulnerabilities in IBM SANnav software used by IBM b-type SAN directors and switches (CVE-2021-45105 and CVE-2021-45046)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sannav-software-used-by-ibm-b-type-san-directors-and-switches-cve-2021-45105-and-cv-2021-45046/


Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-4104-5/


Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches.

https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-in-dcnm-network-management-software-used-by-ibm-c-type-san-directors-and-switches-2/


Security Bulletin: Apache Log4j vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches.

https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-in-dcnm-network-management-software-used-by-ibm-c-type-san-directors-and-switches/