Daily summary - 12.01.2022

End-of-Day report

Timeframe: Tuesday 11-01-2022 18:00 - Wednesday 12-01-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer

News

TellYouThePass ransomware returns as a cross-platform Golang threat

TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux.

https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-returns-as-a-cross-platform-golang-threat/


Coming Soon: New Security Update Guide Notification System

Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected.

https://msrc-blog.microsoft.com:443/2022/01/11/coming-soon-new-security-update-guide-notification-system/


SysJoker, the first (macOS) malware of 2022!

Here, we analyze the macOS versions of a cross-platform backdoor.

https://objective-see.com/blog/blog_0x6C.html


A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th)

Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise.

https://isc.sans.edu/diary/rss/28234


Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more

This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards.

https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside


Do not buy real estate via term-re.com or den-home.com!

We are currently seeing a rise in fraud involving supposed dream properties: criminals offer cheap real estate on well-known internet platforms. Viewings are supposedly arranged through an escrow company. But beware: this is how the criminals try to get hold of a copy of your ID and your money.

https://www.watchlist-internet.at/news/kaufen-sie-keine-immobilien-ueber-term-recom-oder-den-homecom/


Check your SPF records: Wide IP ranges undo email security and make for tasty phishes

With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours.

https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-email-security-and-make-for-tasty-phishes/


Signed kernel drivers - Unguarded gateway to Windows' core

ESET researchers look at malware that abuses vulnerabilities in kernel drivers and outline mitigation techniques against this type of exploitation.

https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/


Ransomware attackers may have leaked earlier victims

We were recently engaged to investigate a ransomware attack. We were able to reconstruct the probable attack vector and identify the data that was probably stolen. What made this case particularly interesting was the mechanism used to exfiltrate the data.

https://certitude.consulting/blog/de/ransomware-leak-de/


How to Analyze Malicious Microsoft Office Files

Most phishing attacks arrive via emails containing malicious attachments. A seemingly innocent Microsoft Word file, for example, can be the initial infection stage of a dangerous attack where a threat actor uses a document to deliver malware.

https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-office-files/


Windows Server: January 2022 security updates cause boot loop

Administrators of Windows domain controllers should be careful when installing the January 2022 security updates. I have now received numerous reports that Windows servers acting as domain controllers no longer boot afterwards.

https://www.borncity.com/blog/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/


Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome

The ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet Explorer (IE) vulnerabilities.

https://asec.ahnlab.com/en/30645/


Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users information.

http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html

Vulnerabilities

Make sure you're up-to-date with Sonicwall SMA 100 VPN box patches - security hole exploit info is now out

Nothing like topping off unauthenticated remote code execution with a su password of ... password. Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances.

https://go.theregister.com/feed/www.theregister.com/2022/01/11/sonicwall_multiple_vulns/


Cisco Security Advisories 2022-01-12

1 Critical, 8 Medium severity

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F01%2F12&firstPublishedEndDate=2022%2F01%2F12


IBM Security Bulletins

IBM published 14 Security Bulletins

https://www.ibm.com/blogs/psirt/


Patch day: Trojan could spread worm-like through critical Windows vulnerability

Important security updates for Office, Windows & Co. have been released. The majority of the closed vulnerabilities are rated with the threat level "high".

https://heise.de/-6323634


Adobe patch day: Acrobat and Reader receive a large number of security updates

Attackers could place malicious code on computers running Adobe applications. Hardened versions provide a remedy.

https://heise.de/-6323723


Patch day: SAP closes vulnerability with the highest rating in several applications

The German software vendor SAP addresses, among other things, a critical vulnerability in its portfolio.

https://heise.de/-6323843


Firefox, Thunderbird: Attackers could trap victims in full-screen mode

New versions of Mozilla's mail client and web browser have been released that are hardened against various attacks.

https://heise.de/-6323936


Security updates for Wednesday

Security updates have been issued by Debian (cfrpki, gdal, and lighttpd), Fedora (perl-CPAN and roundcubemail), Mageia (firefox), openSUSE (jawn, kernel, and thunderbird), Oracle (kernel, openssl, and webkitgtk4), Red Hat (cpio, idm:DL1, kernel, kernel-rt, openssl, virt:av and virt-devel:av, webkit2gtk3, and webkitgtk4), Scientific Linux (openssl and webkitgtk4), SUSE (kernel and thunderbird), and Ubuntu (apache-log4j2, ghostscript, and lxml).

https://lwn.net/Articles/881144/


ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities

The first round of security advisories released by Siemens and Schneider Electric in 2022 address a total of 40 vulnerabilities.

https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-40-vulnerabilities


Credential Disclosure in Web Interface of Crestron Device

When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface.

https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/


Released: January 2022 Exchange Server Security Updates

Microsoft has released security updates for vulnerabilities found in any version of: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-2022-exchange-server-security-updates/ba-p/3050699


QNX-2022-001 Vulnerability in QNX Neutrino Kernel Impacts QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety

https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000090868


Apache Guacamole: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K22-0037


Vulnerability in QTS and QuTS hero

https://www.qnap.com/en-us/security-advisory/QSA-21-57


Stack Overflow Vulnerability in QVR Elite, QVR Pro, and QVR Guard

https://www.qnap.com/en-us/security-advisory/QSA-21-59


XSS and Open Redirect Vulnerabilities in QcalAgent

https://www.qnap.com/en-us/security-advisory/QSA-21-60