Daily summary - 07.02.2022

End-of-Day report

Timeframe: Friday 04-02-2022 18:00 - Monday 07-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

News

Medusa malware ramps up Android SMS phishing attacks

The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud.

https://www.bleepingcomputer.com/news/security/medusa-malware-ramps-up-android-sms-phishing-attacks/


An Insidious Mac Malware Is Growing More Sophisticated

When UpdateAgent emerged in late 2020, it utilized basic infiltration techniques. Its developers have since expanded it in dangerous ways.

https://www.wired.com/story/mac-malware-growing-more-sophisticated


Shadow Credentials

During Black Hat Europe 2019 Michael Grafnetter discussed several attacks towards Windows Hello for Business including a domain persistence technique which involves the modification of the msDS-KeyCredentialLink attribute of a target computer or user account. [..] The following diagram visualizes the steps of the technique Shadow Credentials in practice.

https://pentestlab.blog/2022/02/07/shadow-credentials/


web3 phishing via self-customizing landing pages

You may not quite understand what "web3" is all about (I do not claim to do so), but it appears phishers may already use it. [..] the JavaScript used to implement the phishing page is interesting. Not only does it customize the login dialog with the company logo, but it also replaces the entire page with a screenshot of the domain homepage.

https://isc.sans.edu/diary/rss/28312


Sextortion: When a harmless flirt ends in blackmail

Sextortion is a scam in which mostly male victims are asked by online acquaintances to send sexual images and videos of themselves or to show themselves naked in front of the webcam. The victims are then blackmailed with these images and videos: pay, or the material will be published on the internet!

https://www.watchlist-internet.at/news/sextortion-wenn-ein-harmloser-flirt-in-erpressung-endet/


FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000162-MW and apply the recommended mitigations.

https://us-cert.cisa.gov/ncas/current-activity/2022/02/07/fbi-releases-indicators-compromise-associated-lockbit-20


Microsoft disables the MSIX ms-appinstaller protocol handler in Windows because of Emotet & Co. (Feb. 2022)

After ransomware such as Emotet or BazarLoader abused the MSIX ms-appinstaller protocol handler, Microsoft has now reacted again. The entire MSIX ms-appinstaller protocol handler has for now been disabled in Windows, effectively as protection against Emotet, BazarLoader or similar malware.

https://www.borncity.com/blog/2022/02/05/microsoft-deaktiviert-msix-ms-appinstaller-protokoll-handler-in-windows-feb-2022/


Warning: audacity.de and keepass.de are distributing malware (Feb. 2022)

A small note for people who like to download software from the internet. It looks as though the domains audacity.de and keepass.de have fallen into the hands of people who are misusing them. Instead of getting an audio tool or a password manager, visitors to the pages in question are served malware.

https://www.borncity.com/blog/2022/02/07/vorsicht-audacity-de-und-keepass-de-verbreiten-malware-feb-2022/

Vulnerabilities

Cisco DNA Center Information Disclosure Vulnerability

A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-info-disc-8QEynKEj


Security updates for Monday

Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django).

https://lwn.net/Articles/884015/


OTRS: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K22-0143


Multiple ESET products for macOS vulnerable to improper server certificate verification

https://jvn.jp/en/jp/JVN95898697/


Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healthcare-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2022-23302/


Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-multipe-vulnerabilities/


Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23305)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healthcare-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2022-23305/


Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44832/


Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031)

https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-cloud-is-vulnerable-to-ldap-injection-cve-2021-39031/


Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-apache-log4j-affect-ibm-tivoli-netcool-impact-cve-2021-45105-cve-2021-45046-4/


Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an Information Disclosure (CVE-2022-22310)

https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-cloud-is-vulnerable-to-an-information-disclosure-cve-2022-22310/