End-of-Day report
Timeframe: Tuesday 22-02-2022 18:00 - Wednesday 23-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
News
LockBit, Conti most active ransomware targeting industrial sector
Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the number one threat in the industrial sector.
https://www.bleepingcomputer.com/news/security/lockbit-conti-most-active-ransomware-targeting-industrial-sector/
Entropy ransomware linked to Dridex malware downloader
Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general purpose Dridex malware that started as a banking trojan.
https://www.bleepingcomputer.com/news/security/entropy-ransomware-linked-to-dridex-malware-downloader/
Creaky Old WannaCry, GandCrab Top the Ransomware Scene
Nothing like zombie campaigns: WannaCry's old as dirt, and GandCrab threw in the towel years ago. They're on auto-pilot at this point, researchers say.
https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/
How to Fix the specialadves WordPress Redirect Hack
Attackers are regularly exploiting vulnerable plugins to compromise WordPress websites and redirect visitors to spam and scam websites.
https://blog.sucuri.net/2022/02/how-to-fix-the-specialadves-wordpress-redirect-hack.html
25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository
Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down.
https://thehackernews.com/2022/02/25-malicious-javascript-libraries.html
Cisco warns firewall customers of four-day window for urgent updates
Firewalls are supposed to update so they block new threats - miss this deadline and they might not.
https://www.theregister.com/2022/02/23/cisco_firepower_rapid_update_required/
SameSite: Hax - Exploiting CSRF With The Default SameSite Policy
Default SameSite settings are not the same as SameSite: Lax set explicitly. TLDR? A two-minute window from when a cookie is issued is open to exploit CSRF.
https://pulsesecurity.co.nz/articles/samesite-lax-csrf
Shadowserver Starts Conducting Daily Scans to Help Secure ICS
The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks.
https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-help-secure-ics
Do not invest with bottic.org!
Making a lot of money fast with crypto investments is what a large number of dubious investment platforms promise. We advise caution!
https://www.watchlist-internet.at/news/investieren-sie-nicht-bei-botticorg/
Increased Phishing Attacks Disguised as Microsoft
The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages.
https://asec.ahnlab.com/en/31994/
(Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it's exclusively used by the group.
https://www.mandiant.com/resources/unc2596-cuba-ransomware
Vulnerabilities
IBM Security Bulletins
IBM Planning Analytics, IBM Planning Analytics Workspace, IBM Cúram Social Program Management, IBM SDK Java Technology Edition, IBM Cloud Application Business Insights, IBM Sterling Global Mailbox, Content Collector, IBM WebSphere Application Server, CICS Transaction Gateway
https://www.ibm.com/blogs/psirt/
Cisco Security Advisories 2022-02-23
Cisco has published 4 Security Advisories: 3 High, 1 Medium Severity
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F02%2F23&firstPublishedEndDate=2022%2F02%2F23
ZDI-22-404: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr1 Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-404/
ZDI-22-403: (0Day) WECON LeviStudioU UMP File Parsing XY Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-403/
ZDI-22-402: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr2 Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-402/
ZDI-22-401: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-401/
ZDI-22-400: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-400/
ZDI-22-399: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-399/
ZDI-22-398: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-398/
ZDI-22-397: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-397/
ZDI-22-396: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-396/
ZDI-22-395: (0Day) WECON LeviStudioU UMP File Parsing Disc Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-395/
SSA-306654: Insyde BIOS Vulnerabilities in Siemens Industrial Products
https://cert-portal.siemens.com/productcert/txt/ssa-306654.txt
Remote Code Execution in pfSense <= 2.5.2
https://www.shielder.it/advisories/pfsense-remote-command-execution/
CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool
https://www.securityweek.com/cisa-warns-attacks-exploiting-recent-vulnerabilities-zabbix-monitoring-tool
Trend Micro ServerProtect: Multiple vulnerabilities
http://www.cert-bund.de/advisoryshort/CB-K22-0223
SA45038 - CVE-2022-23852 - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-23852-Expat-aka-libexpat-before-2-4-4-has-a-signed-integer-overflow-in-XML-GetBuffer-for-configurations-with-a-nonzero-XML-CONTEXT-BYTES