Daily summary - 24.02.2022

End-of-Day report

Timeframe: Wednesday 23-02-2022 18:00 - Thursday 24-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

Malware infiltrates Microsoft Store via clones of popular games

Malware named Electron Bot has found its way into Microsoft's official store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of 5,000 computers in Sweden, Israel, Spain, and Bermuda.

https://www.bleepingcomputer.com/news/security/malware-infiltrates-microsoft-store-via-clones-of-popular-games/


Malware: Wipers and DDoS against Ukrainian IT systems

Numerous websites in Ukraine are unreachable. In addition, hundreds of computers have been infected with destructive malware.

https://www.golem.de/news/malware-mit-wipern-und-ddos-gegen-ukrainische-it-systeme-2202-163422-rss.html


Ukraine & Russia Situation From a Domain Names Perspective, (Thu, Feb 24th)

Every time something happens in the world, such as an earthquake, a major flood, or even a major sports event, it is followed by a peak in new domain registrations.

https://isc.sans.edu/diary/rss/28376


Shadowserver Special Reports - Cyclops Blink

In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network-device-infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink and see as a more advanced replacement for VPNFilter.

https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/


HermeticWiper: New Destructive Malware Used In Cyber Attacks on Ukraine

On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations.

https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/


SockDetour - a Silent, Fileless, Socketless Backdoor - Targets U.S. Defense Contractors

SockDetour is a custom backdoor being used to maintain persistence, designed to serve as a backup backdoor in case the primary one is removed.

https://unit42.paloaltonetworks.com/sockdetour/


Clang Checkers and CodeQL Queries for Detecting Untrusted Pointer Derefs and Tainted Loop Conditions

In this final blog of the series, we experiment with CodeQL's IR and Clang checkers for detecting such bug classes.

https://www.thezdi.com/blog/2022/2/22/clang-checkers-and-codeql-queries-for-detecting-untrusted-pointer-derefs-and-tainted-loop-conditions


Vulnerability Spotlight: Buffer overflow vulnerabilities in Accusoft ImageGear could lead to code execution

Cisco Talos recently discovered multiple vulnerabilities in Accusoft ImageGear.

http://blog.talosintelligence.com/2022/02/vuln-spotlight-accusoft-code.html

Vulnerabilities

Cisco closes root vulnerability in network OS, issues important advice for firewalls

Anyone using a Cisco firewall should update it for security reasons by early March. There are also patches for NX-OS.

https://heise.de/-6524029


Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo Gallery Plugin

On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in "Photoswipe Masonry Gallery", a WordPress plugin that is installed on over 10,000 sites.

https://www.wordfence.com/blog/2022/02/stored-cross-site-scripting-vulnerability-patched-in-a-wordpress-photo-gallery-plugin/


Security updates for Wednesday

Security updates have been issued by Debian (expat), Fedora (php and vim), Mageia (cpanminus, expat, htmldoc, nodejs, polkit, util-linux, and varnish), Red Hat (389-ds-base, curl, kernel, kernel-rt, openldap, python-pillow, rpm, sysstat, and unbound), Scientific Linux (389-ds-base, kernel, openldap, and python-pillow), and Ubuntu (cyrus-sasl2, linux-oem-5.14, and php7.0).

https://lwn.net/Articles/885885/


Security updates for Thursday

Security updates have been issued by Debian (thunderbird), Fedora (php), openSUSE (jasper and thunderbird), Oracle (389-ds-base, kernel, openldap, and python-pillow), Red Hat (cyrus-sasl and samba), and SUSE (cyrus-sasl, firefox, jasper, kernel-rt, nodejs10, nodejs14, nodejs8, and thunderbird).

https://lwn.net/Articles/885997/


Security Bulletin: Datastax Enterprise with IBM is vulnerable to exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

https://www.ibm.com/blogs/psirt/security-bulletin-datastax-enterprise-with-ibm-is-vulnerable-to-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/


Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-txseries-for-multiplatforms-7/


Security Bulletin: Multiple vulnerabilities were detected in IBM Sterling External Authentication Server (CVE-2022-22333, CVE-2022-22349)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-were-detected-in-ibm-sterling-external-authentication-server-cve-2022-22333-cve-2022-22349/


Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics

https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-affect-ibm-netezza-analytics-2/


Security Bulletin: Log4j vulnerability affects IBM Netezza Analytics for NPS

https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affects-ibm-netezza-analytics-for-nps-2/


Security Bulletin: IBM Operational Decision Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046).

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operational-decision-manager-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-and-cve-2021-45046/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-content-collector-for-sap-applications-3/


Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-are-vulnerable-to-clickjacking-cve-2021-39038/


Security Bulletin: Vulnerabilities in the AIX kernel (CVE-2021-38994, CVE-2021-38995)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-aix-kernel-cve-2021-38994-cve-2021-38995/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-aix-7/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Log4j

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-apache-log4j-5/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Logback

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-logback/


Security Bulletin: Multiple Vulnerabilities were detected in IBM Sterling Secure Proxy (CVE-2022-22336, CVE-2022-22333)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-were-detected-in-ibm-sterling-secure-proxy-cve-2022-22336-cve-2022-22333/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Java

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-java-7/


Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics for NPS

https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-affect-ibm-netezza-analytics-for-nps-2/


VMSA-2022-0006

https://www.vmware.com/security/advisories/VMSA-2022-0006.html


Drupal: Multiple vulnerabilities allow cross-site scripting

http://www.cert-bund.de/advisoryshort/CB-K22-0232


XSS Vulnerabilities in Proxy Server

https://www.qnap.com/en-us/security-advisory/QSA-22-04