Daily Summary - 11.01.2022

End-of-Day report

Timeframe: Monday 10-01-2022 18:00 - Tuesday 11-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

News

l+f: Malware developers cuddle a little too closely with their own Trojan

Security researchers get unexpected help. [...] According to a report by Malwarebytes, all of the collected information can be traced back to a mishap by the people behind the campaign: the malware developers infected their own development environment with their own Trojan.

https://heise.de/-6323191


macOS flaw: spying via Teams and other apps

Microsoft has published details of a bug that made it possible to bypass the TCC system protection, which is meant to protect Mac users from having their data siphoned off.

https://heise.de/-6322269


Facebook currency "Diem": do not buy it at thediemtoken.com

Diem, a cryptocurrency originally called Libra, will probably be available soon. Criminals, however, are already offering Diem on fraudulent trading platforms such as "thediemtoken.com". These are then advertised on Facebook, Instagram and the like to lure as many investors as possible into the trap. Caution: anyone who invests there loses their money!

https://www.watchlist-internet.at/news/facebook-waehrung-diem-nicht-bei-thediemtokencom-kaufen/


Linux version of AvosLocker ransomware targets VMware ESXi servers

AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines.

https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-ransomware-targets-vmware-esxi-servers/


Night Sky ransomware uses Log4j bug to hack VMware Horizon servers

The Night Sky ransomware gang has started to exploit the critical CVE-2021-4422 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems.

https://www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-log4j-bug-to-hack-vmware-horizon-servers/


Millions of Routers Exposed to RCE by USB Kernel Bug

The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al.

https://threatpost.com/millions-routers-exposed-bug-usb-module-kcodes-netusb/177506/


Don't Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters

TL;DR This research led to:
* Five high severity vulnerabilities: CVE-2021-28847, CVE-2021-28848, CVE-2021-32198, CVE-2021-33500 and CVE-2021-42095. We found a way to cause a remote DoS on the terminal client's host.
* An ANSI escape characters injection vulnerability in OpenShift and Kubernetes (CVE-2021-25743).
* Three additional vulnerabilities: CVE-2021-31701, CVE-2021-37326 and CVE-2021-40147. We found a way to bypass the bracketed paste mode mechanism inside the terminals.

https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-title-abusing-terminal-emulators-with-ansi-escape-characters


Domain Escalation - sAMAccountName Spoofing

Microsoft has released patches in order to prevent successful exploitation. However, there are many occasions where patches are not applied on time, which creates a window during which this technique could be leveraged during a red team assessment. The prerequisites of the technique are the following:
* A domain controller which is missing the KB5008380 and KB5008602 security patches
* A valid domain user account
* A machine account quota above 0

https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofing/


What Is FIM (File Integrity Monitoring)?

Change is prolific in organizations' IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during an organization's regular patching cycle, while others cause concern by popping up unexpectedly. Organizations commonly respond to this dynamism by investing in asset discovery and secure configuration management [...]

https://www.tripwire.com/state-of-security/security-data-protection/security-controls/file-integrity-monitoring/


SFile (Escal) ransomware ported for Linux attacks

The operators of the SFile ransomware, also known as Escal, have ported their malware to work and encrypt files on Linux-based operating systems.

https://therecord.media/sfile-escal-ransomware-ported-for-linux-attacks/


New SysJoker Backdoor Targets Windows, Linux, and macOS

Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal.

https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/

Vulnerabilities

Critical SonicWall NAC Vulnerability Stems from Apache Mods

Researchers offer more detail on the bug, which can allow attackers to completely take over targets.

https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/


Microsoft: macOS Powerdir Flaw Could Let Attackers Gain Access to User Data

Microsoft today disclosed a vulnerability in Apple's macOS that could enable an attacker to gain unauthorized access to protected user data by bypassing the Transparency, Consent, and Control (TCC) technology in the operating system. [...] Apple addressed CVE-2021-30970, dubbed "Powerdir," in a rollout of security updates released on Dec. 13.

https://www.darkreading.com/vulnerabilities-threats/microsoft-macos-powerdir-flaw-could-let-attackers-gain-access-to-user-data


Siemens Security Advisories

Siemens published 5 new and 7 updated advisories on 2022-01-11 (CVSS scores from 3.4 to 9.9).

https://new.siemens.com/de/de/produkte/services/cert.html#SecurityVeroffentlichungen


PHOENIX CONTACT: BLUEMARK X1 / LED / CLED printers utilizing the Siemens Nucleus RTOS TCP/IP Stack

The TCP/IP stack of the networking component (Nucleus NET) in the Nucleus Real-Time Operating System (RTOS) contains several vulnerabilities. Nucleus NET is utilized by BLUEMARK X1 / LED / CLED. The above-mentioned BLUEMARK printers are discontinued and are only impacted by a subset of 8 of the 13 discovered vulnerabilities.

https://cert.vde.com/de/advisories/VDE-2021-059/


HPESBUX04206 rev.1 - HP-UX Telnetd, Remote Execution of Arbitrary Code

A potential security vulnerability has been identified with HP-UX telnetd which allows remote attackers to execute arbitrary code via short writes or urgent data. This is due to a remote buffer overflow involving the netclear and nextitem functions.

https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739&elq_cid=67018031&docId=hpesbux04206en_us


SAP Security Patch Day - January 2022

On 11 January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously. Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to the Apache Log4j 2 component. This security note is a living document that will be updated when a new Security Note is released, so please refer to the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035


Citrix Workspace App for Linux Security Update

A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux.

https://support.citrix.com/article/CTX338435


An update on the Apache Log4j 2.x vulnerabilities

Update on IBM's response: IBM's top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that's available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...]

https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/


Security updates for Tuesday

Security updates have been issued by Debian (clamav, vim, and wordpress), Mageia (ghostscript, osgi-core, apache-commons-compress, python-django, squashfs-tools, and suricata), openSUSE (libsndfile, net-snmp, and systemd), Oracle (httpd:2.4, kernel, and kernel-container), SUSE (libsndfile, libvirt, net-snmp, and systemd), and Ubuntu (exiv2, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.10, linux-oracle, [...]

https://lwn.net/Articles/881005/


Synology-SA-22:01 DSM

Multiple vulnerabilities allow remote attackers or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM).

https://www.synology.com/en-global/support/security/Synology_SA_22_01


Johnson Controls VideoEdge

This advisory contains mitigations for an Improper Handling of Syntactically Invalid Structure vulnerability in the Sensormatic Electronics VideoEdge network video recorder. Sensormatic Electronics is a subsidiary of Johnson Controls.

https://us-cert.cisa.gov/ics/advisories/icsa-22-011-01


CISA Adds 15 Known Exploited Vulnerabilities to Catalog

CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

https://us-cert.cisa.gov/ncas/current-activity/2022/01/10/cisa-adds-15-known-exploited-vulnerabilities-catalog


January 10th 2022 Security Releases

Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues.

Improper handling of URI Subject Alternative Names (Medium) (CVE-2021-44531): Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use.

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases


IBM Security Bulletins

https://www.ibm.com/blogs/psirt/


Atlassian Jira Software: Multiple vulnerabilities allow disclosure of information

https://www.cert-bund.de/advisoryshort/CB-K22-0026