End-of-Day report
Timeframe: Mittwoch 16-02-2022 18:00 - Donnerstag 17-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
Neue Welle von Spam-Mails: "Dein Paket wartet!"
Die E-Mails enthalten eine Zahlungsaufforderung und geben an, dass ein Paket abgeholt werden kann.
https://futurezone.at/digital-life/spam-e-mail-phishing-betrug-post-lieferung-dein-paket-wartet/401908795
Researchers Warn of a New Golang-based Botnet Under Continuous Development
Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken thats under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts.
https://thehackernews.com/2022/02/researchers-warn-of-new-golang-based.html
Tutorial: Kubernetes Vulnerability Scanning & Testing With Open Source
Kubernetes containers have several security risks, including runtime threats, vulnerabilities, exposures, and failed compliance audits. These insecurities motivated CyberArk to develop two open source tools: Kubesploit and KubiScan. These tools benefit the Kubernetes community by performing deep security operations while simultaneously mimicking a real attack. They allow us to test our resiliency.
https://www.conjur.org/blog/tutorial-kubernetes-vulnerability-scanning-testing-with-open-source/
Detecting Karakurt - an extortion focused threat actor
NCC Group-s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.
https://research.nccgroup.com/2022/02/17/detecting-karakurt-an-extortion-focused-threat-actor/
Bypassing software update package encryption - extracting the Lexmark MC3224i printer firmware (part 1)
Lexmark encrypts the firmware update packages provided to consumers, making the binary analysis more difficult. With little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, firmware which we (correctly) assumed would be stored unencrypted. This allowed us to bypass the firmware update package encryption. With the firmware extracted, the binaries could be reverse-engineered to find vulnerabilities that would allow remote code execution.
https://research.nccgroup.com/2022/02/17/bypassing-software-update-package-encryption-extracting-the-lexmark-mc3224i-printer-firmware-part-1/
Gefahr Datenleaks: Achten Sie auf Passwort-Sicherheit!
Um sich vor den Gefahren im Netz zu schützen, macht es Sinn, sich regelmäßig über Internetbetrug zu informieren und die Tricks der Kriminellen zu kennen. Doch leider können Sie auch zum Opfer werden, wenn Sie alles richtig machen und sich nicht in Internetfallen locken lassen. Das gilt zum Beispiel, wenn Ihre Daten bei einem sogenannten Datenleak veröffentlicht werden.
https://www.watchlist-internet.at/news/gefahr-datenleaks-achten-sie-auf-passwort-sicherheit/
Vulnerabilities
Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Information disclosure
CVE IDs: CVE-2022-25270
Description: The Quick Edit module does not properly check entity access in some circumstances.
https://www.drupal.org/sa-core-2022-004
Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Improper input validation
CVE IDs: CVE-2022-25271
Description: Drupal cores form API has a vulnerability where certain contributed or custom modules forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
https://www.drupal.org/sa-core-2022-003
Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025
Project: Quick Edit
Security risk: Moderately critical
Vulnerability: Information Disclosure
Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances.
https://www.drupal.org/sa-contrib-2022-025
Sicherheitsupdate: Präparierte Mails können Thunderbird aus dem Tritt bringen
Es ist eine gegen mögliche Schadcode-Attacken abgesicherte Version des Mailclients Thunderbird erschienen.
https://heise.de/-6484606
VMSA-2022-0005 - VMware NSX Data Center for vSphere (NSX-V) VMware Cloud Foundation (Cloud Foundation)
CVSSv3 Range: 8.8
CVE(s): CVE-2022-22945
Synopsis: VMware NSX Data Center for vSphere update addresses CLI shell injection vulnerability (CVE-2022-22945)
https://www.vmware.com/security/advisories/VMSA-2022-0005.html
Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin
On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in -Profile Builder - User Profile & User Registration Forms-, a WordPress plugin that is installed on over 50,000 WordPress websites. [..] We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022.
https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/
PostgreSQL JDBC 42.3.3 Released
A security advisory has been created for the PostgreSQL JDBC Driver. The URL connection string loggerFile property could be mis-used to create an arbitrary file on the system that the driver is loaded. Additionally anything in the connection string will be logged and subsequently written into that file. In an insecure system it would be possible to execute this file through a webserver.
https://www.postgresql.org/about/news/postgresql-jdbc-4233-released-2410/
SSA-949188: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.1
https://cert-portal.siemens.com/productcert/txt/ssa-949188.txt
Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healthcare-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2022-23307/
Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 1.0
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-affects-ibm-cloud-pak-for-data-system-1-0/
Security Bulletin: IBM OpenPages for Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-for-cloud-pak-for-data-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-and-cve-2021-45046/
Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-1-0-is-vulnerable-to-arbitrary-code-execution-due-to-samba-cve-2021-44142/
Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-affects-ibm-integrated-analytics-system-5/
Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affects-rational-team-concert-rtc-and-ibm-engineering-workflow-management-ewm-2/
Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to arbitrary code execution due to Apache Log4j CVE-2021-4104
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-2-0-icpds-2-0-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/
Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-system-is-vulnerable-to-arbitrary-code-execution-due-to-samba-cve-2021-44142-2/
Security Bulletin: Financial Transaction Manager is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105)
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-manager-is-vulnerable-to-arbitrary-code-execution-cve-2021-45046-and-denial-of-service-cve-2021-45105/
Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System.
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-affects-ibm-integrated-analytics-system-2/
Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue within the channel process.(CVE-2021-39034)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-caused-by-an-issue-within-the-channel-process-cve-2021-39034/
Security Bulletin: Log4j vulnerability affects IBM Integrated Analytics System.
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affects-ibm-integrated-analytics-system/