Daily summary - 18.02.2022

End-of-Day report

Timeframe: Thursday 17-02-2022 18:00 - Friday 18-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

Conti ransomware gang takes over TrickBot malware operation

After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware.

https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/


Remcos RAT Delivered Through Double Compressed Archive, (Fri, Feb 18th)

One of our readers shared an interesting sample received via email.

https://isc.sans.edu/diary/rss/28354


Microsoft Warns of Ice Phishing Threat on Web3 and Decentralized Networks

Microsoft has warned of emerging threats in the Web3 landscape, including "ice phishing" campaigns, as a surge in adoption of blockchain and DeFi technologies emphasizes the need to build security into the decentralized web while it's still in its early stages.

https://thehackernews.com/2022/02/microsoft-warns-of-ice-phishing-threat.html


Analyzing a PJL directory traversal vulnerability - exploiting the Lexmark MC3224i printer (part 2)

This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group.

https://research.nccgroup.com/2022/02/18/analyzing-a-pjl-directory-traversal-vulnerability-exploiting-the-lexmark-mc3224i-printer-part-2/


Microsoft Teams Abused for Malware Distribution in Recent Attacks

A recently identified malicious campaign has been abusing Microsoft Teams for the distribution of malware, enterprise email security firm Avanan reports.

https://www.securityweek.com/microsoft-teams-abused-malware-distribution-recent-attacks


Caution when job hunting: ignore job offers from skovgaardtransit.com!

Readers of Watchlist Internet are currently reporting to us a fraudulent job offer from a supposedly global logistics company called Skovgaard Logistics Services LTD. The dubious company promises a job with "high pay"; no prior experience is required.

https://www.watchlist-internet.at/news/vorsicht-bei-der-jobsuche-ignorieren-sie-stellenangebote-von-skovgaardtransitcom/


NSA Best Practices for Selecting Cisco Password Types

The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance on securing network infrastructure devices and credentials.

https://us-cert.cisa.gov/ncas/current-activity/2022/02/17/nsa-best-practices-selecting-cisco-password-types


CISA Compiles Free Cybersecurity Services and Tools for Network Defenders

CISA has compiled and published a list of free cybersecurity services and tools to help organizations reduce cybersecurity risk and strengthen resiliency. This non-exhaustive living repository includes services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.

https://us-cert.cisa.gov/ncas/current-activity/2022/02/18/cisa-compiles-free-cybersecurity-services-and-tools-network


Academics publish method for recovering data encrypted by the Hive ransomware

A team of South Korean researchers has published an academic paper on Thursday detailing a method to recover files encrypted by the Hive ransomware without paying the attackers for the decryption key.

https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/


Distribution of Magniber Ransomware Stops (Since February 5th)

The ASEC analysis team constantly monitors "malvertising", a term for the distribution of malware via browser online advertisement links. The team has recently discovered that Magniber ransomware, a typical malware distributed via malvertising, has stopped its distribution.

https://asec.ahnlab.com/en/31690/


Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal

On Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability.

https://www.rapid7.com/blog/post/2022/02/17/log4shell-2-months-later-security-strategies-for-the-internets-new-normal/

Vulnerabilities

Online shops: another critical vulnerability discovered in Adobe Commerce and Magento

Because of a further security vulnerability, Adobe has revised an emergency patch. Online shops are already being attacked.

https://heise.de/-6495424


Root privileges via vulnerability in the Snap software deployment system

Security vulnerabilities in the Snap software deployment system allow attackers, among other things, to escalate their privileges on the system. Updates fix the flaws.

https://heise.de/-6495740


Vulnerability found in WordPress plugin with over 3 million installations

UpdraftPlus patched the vulnerability on Thursday in version 1.22.3.

https://www.zdnet.com/article/vulnerability-found-in-wordpress-plugin-with-over-3-million-installations/


Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-kernel-affects-ibm-integrated-analytics-system/


Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 2.0.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-affects-ibm-cloud-pak-for-data-system-2-0/


Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-are-vulnerable-to-arbitrary-code-execution-and-sql-injection-due-to-apache-log4j-cve-2022-23302-cve/


Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-integrated-analytics-system-6/


Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements (CVE-2021-38935)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-weak-password-requirements-cve-2021-38935/


Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service

https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-java-technology-edition-ibm-tivoli-application-dependency-discovery-manager-taddm-is-vulnerable-to-denial-of-service/


Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39026)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encryption-gde-has-an-information-exposure-vulnerability-cve-2021-39026/


Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-web-services-is-vulnerable-to-sql-injection-due-to-apache-log4j-cve-2022-23305/


Security Bulletin: CVE-2021-42771

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-42771/


Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-web-services-is-vulnerable-to-remote-code-execution-due-to-apache-log4j-cve-2022-23307/


Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-3733)

https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed-vulnerability-in-ibm-tivoli-application-dependency-discovery-manager-cve-2021-3733/


Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-web-services-is-vulnerable-to-untrusted-data-deserialization-due-to-apache-log4j-cve-2021-4104/


WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003

https://webkitgtk.org/security/WSA-2022-0003.html


Bitdefender Antivirus: vulnerability allows manipulation of product settings

http://www.cert-bund.de/advisoryshort/CB-K22-0207