End-of-Day report
Timeframe: Monday 24-01-2022 18:00 - Tuesday 25-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Responsible Disclosure: On finding and reporting security vulnerabilities
On behalf of an ISP, I found several security vulnerabilities in a Cisco router. Here I explain how I went about it. A first-hand report by Marco Wiorek
https://www.golem.de/news/responsible-disclosure-vom-finden-und-melden-von-sicherheitsluecken-2201-162189-rss.html
Analysis: Linux and ESXi variants of the LockBit ransomware
Researchers at Trend Micro Research have taken up the topic of LockBit ransomware in an analysis, because this ransomware no longer threatens only Windows systems. There are already samples that can also infect Linux and VMware ESXi instances.
https://www.borncity.com/blog/2022/01/25/analyse-linux-und-esxi-varianten-der-lockbit-ransomware/
Full access through backdoor in WordPress extensions
During a server break-in, backdoor malware ended up in AccessPress plugins and themes. Attackers could use it to take over WordPress instances.
https://heise.de/-6337344
Patch now! Attacks on Sonicwall's SMA 100 remote access solution
Security researchers warn that attackers currently have Sonicwall Secure Mobile Access in their sights. There is something that can be done about it.
https://heise.de/-6337222
Selling on willhaben, ebay & Co: do not handle payment and shipping via "Kurierdienst Post" or "ebay Selling"
On ebay, willhaben, Shpock and Co., fraudulent buyers are currently increasingly up to mischief. They can be exposed quickly, however: fraudulent buyers want to handle the payment and shipping of your product via special services, supposedly courier services of the Post or of ebay. These are fake!
https://www.watchlist-internet.at/news/verkaufen-auf-willhaben-ebay-co-zahlung-und-versand-nicht-ueber-kurierdienst-post-oder-ebay-se/
BRATA Android Trojan Updated with "Kill Switch" that Wipes Devices
Researchers identify three new versions of the banking trojan that include various new features, including GPS tracking and novel obfuscation techniques.
https://threatpost.com/brata-android-trojan-kill-switch-wipes/177921/
TrickBot Malware Using New Techniques to Evade Web Injection Attacks
The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products.
https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html
Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks
A previously undocumented cyber-espionage malware aimed at Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," [...]
https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.html
Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies
We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent Tesla.
https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/
Microsoft warns about this phishing attack that wants to read your emails
Attackers have targeted hundreds of organisations, says Microsoft security.
https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-that-wants-to-read-your-emails/#ftag=RSSbaffb68
Introducing Scanning Made Easy
A joint effort between the i100 and the NCSC, Scanning Made Easy (SME) will be a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities. In this blog post I want to give you an idea of the motivation behind the project, and its capabilities.
https://www.ncsc.gov.uk/blog-post/introducing-scanning-made-easy
Vulnerabilities
PHOENIX CONTACT: FL SWITCH 2xxx series incorrect privilege assignment
CVE ID: CVE-2022-22509; CVSS 3.1: 8.8. In Phoenix Contact FL SWITCH Series 2xxx, an incorrect privilege assignment allows an unprivileged user to enable full access to the device configuration. Solution: upgrade to firmware 3.10 or higher.
https://cert.vde.com/de/advisories/VDE-2022-001/
Critical security vulnerability in Unisys Messaging Integration Services
Unauthorised users could gain access to servers due to faulty password checks in Unisys's Messaging Integration Services (NTSI).
https://heise.de/-6337226
Security updates for Tuesday
Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan).
https://lwn.net/Articles/882552/
PrinterLogic Patches Code Execution Flaws in Printer Management Suite
PrinterLogic has released security updates to address a total of nine vulnerabilities in Web Stack and Virtual Appliance, including three security defects that carry "high severity" ratings.
https://www.securityweek.com/printerlogic-patches-code-execution-flaws-printer-management-suite
Trend Micro Worry Free Business Security Critical Patch 2380 and free disk space
Security vendor Trend Micro has released critical update 2380 for its Worry Free Business Security (WFBS). The patch is meant to fix a security problem in a component that makes the antivirus solution vulnerable. What is not mentioned: to install this critical patch, at least 13 gigabytes of disk space must be available on the system drive.
https://www.borncity.com/blog/2022/01/25/trend-micro-worry-free-business-security-critical-patch-2380-und-der-freie-disk-speicher/
XSA-395
Insufficient cleanup of passed-through device IRQs
https://xenbits.xen.org/xsa/advisory-395.html
XSA-394
A PV guest could DoS Xen while unmapping a grant
https://xenbits.xen.org/xsa/advisory-394.html
XSA-393
arm: guest_physmap_remove_page not removing the p2m mappings
https://xenbits.xen.org/xsa/advisory-393.html
GNU libc: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K22-0097
Foxit Reader: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K22-0096
Node.js: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K22-0094
Mattermost security updates 6.3.1, 6.2.2, 6.1.2, 5.37.7 released
https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5-37-7-released/
An update on the Apache Log4j 2.x vulnerabilities
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-ldap-injection-cve-2021-39031/
Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud October 2021 CPU
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-liberty-for-java-for-ibm-cloud-october-2021-cpu/
Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-44832/
Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Studio Client (CVE-2021-4104)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-data-studio-client-cve-2021-4104/
Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-execution-vulnerability-in-apache-solr-and-logstash-shipped-with-ibm-operations-analytics-log-analysis-cve-2021-44228-3/
Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-may-affect-ibm-spectrum-copy-data-management-cve-2021-44832/
Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-4104)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-apache-log4j-vulnerability-cve-2021-4104/
Security Bulletin: IBM Security Guardium Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/