End-of-Day report
Timeframe: Thursday 01-12-2022 18:00 - Friday 02-12-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
Unpatched Redis servers targeted in new Redigo malware attacks
A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution.
https://www.bleepingcomputer.com/news/security/unpatched-redis-servers-targeted-in-new-redigo-malware-attacks/
Samsung, Mediatek, LG: Android malware signed with OEM certificates
Google has found malware that is signed with the certificates of Android manufacturers. This can be used to obtain system permissions.
https://www.golem.de/news/samsung-mediatek-lg-android-malware-mit-oem-zertifikaten-signiert-2212-170219.html
obama224 distribution Qakbot tries .vhd (virtual hard disk) images, (Fri, Dec 2nd)
Qakbot (also called Qbot) is a long-running malware family that has seen wide-spread distribution through malicious spam (malspam) in recent years. During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader.
https://isc.sans.edu/diary/rss/29294
Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection
New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool.
https://thehackernews.com/2022/11/researchers-find-way-malicious-npm.html
Flaws in GX Works3 Threaten Mitsubishi Electric Safety PLC Security
In this blog, we uncover three additional vulnerabilities that affect Mitsubishi Electric GX Works3, tracked under CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833 (Mitsubishi Electric advisory 2022-015, CISA advisory ICSA-22-333-05), and that, in the worst-case scenario, may lead to the compromise of safety PLCs with the only requirement being the possession of associated GX Works3 project files.
https://www.nozominetworks.com/blog/flaws-in-gx-works3-threaten-mitsubishi-electric-safety-plc-security/
Patch now! Attackers are targeting Fortinet firewalls and proxies
Security researchers are warning of attacks on companies. The reason is a critical vulnerability in Fortinet products.
https://heise.de/-7364286
WordPress: attacked during installation already
Even before the system goes live, attackers have often planted backdoors on it unnoticed. They turn up after only a few minutes.
https://heise.de/-7364588
IBM Cloud Vulnerability Exposed Users to Supply Chain Attacks
IBM recently patched a vulnerability in IBM Cloud Databases for PostgreSQL that could have exposed users to supply chain attacks. The vulnerability has been named Hell's Keychain by cloud security firm Wiz, whose researchers discovered the issue. It has been described by the company as a "first-of-its-kind supply-chain attack vector impacting a cloud provider's infrastructure".
https://www.securityweek.com/ibm-cloud-vulnerability-exposed-users-supply-chain-attacks
Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges
Qualys' Threat Research Unit has shown how a new Linux vulnerability could be chained with two other apparently harmless flaws to gain full root privileges on an affected system.
https://www.securityweek.com/three-innocuous-linux-vulnerabilities-chained-obtain-full-root-privileges
Blowing Cobalt Strike Out of the Water With Memory Analysis
Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic.
https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/
Protecting major events: an incident response blueprint
Cisco Talos Incident Response (Talos IR) is sharing a white paper on the steps organizations should follow to secure any major event. These ten focus areas should help guide any organizing committee or participating businesses in preparation for securing such events.
https://blog.talosintelligence.com/protecting-major-events-an-incident-response-blueprint/
Industry 4.0: CNC Machine Security Risks Part 2
This three-part blog series explores the risks associated with CNC machines.
https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-part-2.html
Vulnerabilities
IBM Security Bulletins 2022-12-01
IBM Watson, IBM App Connect, Rational Functional Tester, IBM Security Guardium, IBM Cloud Object Storage Systems, IBM API Connect.
https://www.ibm.com/blogs/psirt/
Security updates for Friday
Security updates have been issued by Debian (snapd), Fedora (firefox, libetpan, ntfs-3g, samba, thunderbird, and xen), SUSE (busybox, emacs, and virt-v2v), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-hwe, linux-gcp, linux-hwe, linux-oracle, and tiff).
https://lwn.net/Articles/916658/
BD BodyGuard Pumps
https://us-cert.cisa.gov/ics/advisories/icsma-22-335-01
Mitsubishi Electric MELSEC iQ-R Series
https://us-cert.cisa.gov/ics/advisories/icsa-22-335-01