Daily summary - 10.02.2022

End-of-Day report

Timeframe: Wednesday 09-02-2022 18:00 - Thursday 10-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

Wave of MageCart attacks target hundreds of outdated Magento sites

Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. [...] The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.

https://www.bleepingcomputer.com/news/security/wave-of-magecart-attacks-target-hundreds-of-outdated-magento-sites/


FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems

Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain. The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers.

https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-hits-healthcare-edu-and-govt-systems/


Linux Malware on the Rise

Ransomware, cryptojacking, and a cracked version of the penetration-testing tool Cobalt Strike have increasingly targeted Linux in multicloud infrastructure, report states.

https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illicit-use-of-cobalt-strike


Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot.

https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/


SAP to Give Threat Briefing on Uber-Severe 'ICMAD' Bugs

SAP's Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. [..] Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download [..]

https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/


Beware of fraudulent Fortnite shops!

Fraudulent Fortnite online shops such as premiumskins.net offer popular outfits, so-called 'Fortnite skins', for sale. But beware: the skins are often not delivered after payment! Buy skins only through the official store inside the game and do not trust any external providers.

https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-fortnite-shops/


Ransomware tracker: the latest figures [February 2022]

Over the last two years, The Record and our parent company Recorded Future have updated this ransomware tracker using data collected from government agencies, news reports, hacking forums, and other sources. The trend is clear: despite bold efforts from governments around the world, ransomware isn't going anywhere. Here are some of our most critical findings

https://therecord.media/ransomware-tracker-the-latest-figures/

Vulnerabilities

ZDI-22-290: BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Authentication is not required to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-22-290/


WordPress takeover via critical vulnerabilities in PHP Everywhere

Attackers could have executed arbitrary code in WordPress instances through a critical security vulnerability in PHP Everywhere. An update is available.

https://heise.de/-6369318


Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin

On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query.

https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex).

https://lwn.net/Articles/884381/


Dell Computer: Multiple vulnerabilities

A local attacker can exploit multiple vulnerabilities in Dell Computer to execute arbitrary code or install modified BIOS firmware.

http://www.cert-bund.de/advisoryshort/CB-K22-0174


Drupal: Multiple vulnerabilities [in plugins]

The functionality of the core installation can be extended individually through numerous extensions. A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in Drupal [plugins] to bypass security measures and carry out a cross-site scripting attack.

http://www.cert-bund.de/advisoryshort/CB-K22-0173


Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30640

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-30640/


Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44228/


Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-41079

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-41079/


Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-33037

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-33037/


Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105)

https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-is-vulnerable-to-arbitrary-code-execution-and-denial-of-service-due-to-apache-log4j-cve-2021-45046-cve-2021-45105/


Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-25122-and-cve-2021-25329/


CVE-2022-0016 GlobalProtect App: Privilege Escalation Vulnerability When Using Connect Before Logon (Severity: HIGH)

https://security.paloaltonetworks.com/CVE-2022-0016


CVE-2022-0017 GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation (Severity: HIGH)

https://security.paloaltonetworks.com/CVE-2022-0017


CVE-2022-0018 GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0018


CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0011


CVE-2022-0021 GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon (Severity: LOW)

https://security.paloaltonetworks.com/CVE-2022-0021


CVE-2022-0020 Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0020


CVE-2022-0019 GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0019