Daily summary - 09.02.2022

End-of-Day report

Timeframe: Tuesday 08-02-2022 18:00 - Wednesday 09-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

Kimsuki hackers use commodity RATs with custom Gold Dragon malware

South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.

https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodity-rats-with-custom-gold-dragon-malware/


Fake Windows 11 upgrade installers infect you with RedLine malware

Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware.

https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/


Ransomware dev releases Egregor, Maze master decryption keys

The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer.

https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/


BIOS, UEFI, WLAN: Intel closes numerous firmware security vulnerabilities

On a large-scale patch day, Intel is providing updates for security vulnerabilities. These can be used to escalate privileges.

https://www.golem.de/news/bios-uefi-wlan-intel-schliesst-zahlreiche-firmware-sicherheitsluecken-2202-163028-rss.html


Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th)

Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08.

https://isc.sans.edu/diary/rss/28318


SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-22718)

In this blog post, we'll look at a Windows Print Spooler local privilege escalation vulnerability that I found and reported in November 2021. The vulnerability got patched as part of Microsoft's Patch Tuesday in February 2022.

https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81


CISA and SAP warn about major vulnerability

SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products.

https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/


AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware

Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors' growing technological sophistication and an increased ransomware threat to organizations globally.

https://us-cert.cisa.gov/ncas/alerts/aa22-040a

Vulnerabilities

Execution of malicious code conceivable: security updates for Firefox and Thunderbird

The Mozilla developers close many security vulnerabilities in updated versions of Firefox and Thunderbird. Some of them they rate as high risk.

https://heise.de/-6360477


Microsoft patch day: attackers could exploit a kernel vulnerability in Windows

There are important security updates for Azure, Office, Windows and others. This is rare: none of the closed vulnerabilities is rated critical.

https://heise.de/-6360267


Patch day: Adobe closes malicious-code vulnerabilities in Illustrator

Adobe's developers have secured their software portfolio against possible attacks.

https://heise.de/-6360575


Security updates for Wednesday

Security updates have been issued by CentOS (aide), Debian (connman), Fedora (perl-App-cpanminus and rust-afterburn), Mageia (glibc), Red Hat (.NET 5.0, .NET 6.0, aide, log4j, ovirt-engine, and samba), SUSE (elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh,[...]

https://lwn.net/Articles/884242/


ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities

Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products.

https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-nearly-50-vulnerabilities


HPE Agentless Management registers unquoted service paths

https://jvn.jp/en/jp/JVN12969207/


Security Advisory for Citrix Hypervisor (CVE-2022-23034, CVE-2022-23035, CVE-2021-0145)

https://support.citrix.com/article/CTX337526


Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics

https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-affect-ibm-netezza-analytics/


Security Bulletin: Vulnerability in Apache Log4j affects Netcool Operation Insight (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnerability-in-apache-log4j-affects-netcool-operation-insight-cve-2021-44228-2/


Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go (CVE-2021-41771 & CVE-2021-41772)

https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-denial-of-service-due-to-go-cve-cve-2021-41771-cve-2021-41772/


Security Bulletin: IBM TRIRIGA Reporting, a component of IBM TRIRIGA Application Platform, is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-component-of-ibm-tririga-application-platform-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/


Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-feb-2022-v1/


Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2019-17571/


Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite - October 2021 CPU

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-java-sdk-that-affect-ibm-security-directory-suite-october-2021-cpu/


Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-security-directory-suite/


Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite - July 2021 CPU

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-java-sdk-that-affect-ibm-security-directory-suite-july-2021-cpu/


Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30639

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-30639/


WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002

https://webkitgtk.org/security/WSA-2022-0002.html


Zoom Video Communications Zoom Client: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K22-0158


QEMU: Vulnerability allows execution of arbitrary program code with administrator privileges

http://www.cert-bund.de/advisoryshort/CB-K22-0156


Grafana: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K22-0159


QNAP: Multiple Vulnerabilities in Samba

https://www.qnap.com/en-us/security-advisory/QSA-22-03