End-of-Day report
Timeframe: Friday 21-01-2022 18:00 - Monday 24-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Successful attack on user accounts at Thalia
To protect customers from harm, Thalia changed the passwords of the affected accounts. The affected customers were informed by e-mail. In the e-mail the bookseller also urges customers to change their Thalia password at other services if it is used there with the same username.
https://www.golem.de/news/sicherheit-erfolgreicher-angriff-auf-nutzerkonten-bei-thalia-2201-162604.html
Backup software: Dell EMC AppSync can be compromised
Several security vulnerabilities in Dell's backup software EMC AppSync would have allowed attackers to break into affected systems and manipulate them.
https://heise.de/-6334745
SonicWall explains why firewalls were caught in reboot loops
In a weekend update, SonicWall said the widespread reboot loops that impacted next-gen firewalls worldwide were caused by signature updates published on Thursday evening not being correctly processed.
https://www.bleepingcomputer.com/news/technology/sonicwall-explains-why-firewalls-were-caught-in-reboot-loops/
Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd)
Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course, it was and he agreed to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim and this person was called beforehand to make them more confident about the file. A perfect example of a social engineering attack.
https://isc.sans.edu/diary/rss/28264
Microsoft is now disabling Excel 4.0 macros by default
Microsoft says that all Excel 4.0 (XLM) macros will now be disabled by default. [...] Sometimes good news in the security world comes later than expected. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is making it the default.
https://blog.malwarebytes.com/reports/2022/01/microsoft-is-now-disabling-excel-4-0-macros-by-default/
Emotet Now Using Unconventional IP Address Formats to Evade Detection
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers, [...]
https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html
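Normalising these alternative spellings to dotted decimal before matching hosts against blocklists or proxy logs is the defensive counterpart to the evasion described above. The following Python is an added example, not code from the article or from any Emotet analysis; it implements the inet_aton component rules (0x prefix hex, leading 0 octal, 1 to 4 components with the last one filling the remaining bytes), and every address value in it is constructed.

```python
import re
from typing import List, Optional

# One inet_aton-style component: 0x.. hex, leading-0 octal, otherwise decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
# Host portion of an http(s) URL, e.g. in a proxy log line.
_URL_HOST = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def _parse_part(p: str) -> int:
    if not _PART.match(p):
        raise ValueError(f"bad component: {p!r}")
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p)


def normalize_ipv4(host: str) -> Optional[str]:
    """Turn any inet_aton-accepted IPv4 spelling into dotted decimal.
    Returns None for non-numeric hosts (DNS names) or overflowing components."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Leading components are one byte each; the last one fills the rest.
    widths = [8] * (len(vals) - 1) + [8 * (5 - len(vals))]
    if any(v >= (1 << w) for v, w in zip(vals, widths)):
        return None
    addr = 0
    for v, w in zip(vals, widths):
        addr = (addr << w) | v
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def normalize_url_hosts(text: str) -> List[str]:
    """Dotted-decimal form of every numeric URL host found in text."""
    found = []
    for host in _URL_HOST.findall(text):
        dotted = normalize_ipv4(host)
        if dotted is not None:
            found.append(dotted)
    return found


# Constructed sample proxy log line (hex-encoded host), not a real indicator.
SAMPLE_LINE = "GET http://0xC0A8010A/update/doc.html 200 http://intranet.example/"
```

Run the normaliser over extracted URL hosts before blocklist or reputation lookups, so a hex, octal or single-integer host matches the same indicator as its dotted form.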
GoWard: A robust and rapidly-deployable Red Team proxy
Generally, Red Teams and adversaries redirect their traffic through proxies to protect their backend infrastructure. GoWard proxies HTTP C2 traffic to specified Red Team servers based on the HTTP header of the traffic. GoWard's intent is to help obfuscate Red Team traffic and provide some level of resiliency against Blue Team investigation and mitigation.
https://github.com/chdav/GoWard
Crime Shop Sells Hacked Logins to Other Crime Shops
Up for the "Most Meta Cybercrime Offering" award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.
https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other-crime-shops/
Dark Souls servers taken offline over hacking fears
We look at trouble in Dark Souls land after PvP servers were turned off to combat what looked like a nasty exploit. [...] It all begins with a popular streamer playing a Souls game in PvP mode. [...] You'll also hear the incredibly confused streamer in the background, talking about seeing "powershell.exe" on their screen. This is, it has to be said, not a good sign.
https://blog.malwarebytes.com/hacking-2/2022/01/dark-souls-servers-taken-offline-over-hacking-fears/
Cobalt Strike, a Defender's Guide - Part 2
Our previous article on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this post, we will focus on the network traffic it produced, and [...]
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
Vulnerabilities
High-Severity Rust Programming Bug Could Lead to File, Directory Deletion
The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete, [...]
https://thehackernews.com/2022/01/high-severity-rust-programming-bug.html
Multiple Cisco Products Snort Modbus Denial of Service Vulnerability
A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj
CVE-2021-45467: CWP CentOS Web Panel - preauth RCE
CentOS Web Panel or commonly known as CWP is a popular web hosting management software, used by over 200,000 unique servers, that can be found on Shodan or Census. The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities. In this post we hope to cover our vulnerability research journey, and how we approached this particular target.
https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-preauth-rce/
Security updates for Monday
Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird).
https://lwn.net/Articles/882396/
phpMyAdmin: Multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K22-0089
Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/
Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netcool-agile-service-manager-is-vulnerable-to-arbitrary-code-execution-and-denial-of-service-due-to-apache-log4j-cve-2021-44832-cve-2021-45046-cve-2021-45105/
Security Bulletin: IBM Sterling Control Center is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-is-vulnerable-to-remote-code-execution-due-to-apache-log4j-cve-2021-44832/
Security Bulletin: Sensitive information in logs vulnerability affects IBM Sterling Gentran:Server for Windows (CVE-2021-39032)
https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-in-logs-vulnerability-affects-ibm-sterling-gentranserver-for-windows-cve-2021-39032-2/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-i-6/
Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-may-affect-ibm-spectrum-archive-enterprise-edition-cve-2021-44832/
Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appliances-are-vulnerable-to-intel-privilege-escalation-cve-2021-0144/
Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2021-44228-affects-ibm-cloud-pak-for-data-system-1-0/