End-of-Day report
Timeframe: Thursday 24-02-2022 18:00 - Friday 25-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
US and UK expose new malware used by MuddyWater hackers
MuddyWater is "targeting a range of government and private-sector organizations across sectors, including telecommunications, defense, local government, and oil and natural gas, in Asia, Africa, Europe, and North America."
https://www.bleepingcomputer.com/news/security/us-and-uk-expose-new-malware-used-by-muddywater-hackers/
Jester Stealer malware adds more capabilities to entice hackers
An infostealing piece of malware called Jester Stealer has been gaining popularity in the underground cybercrime community for its functionality and affordable prices.
https://www.bleepingcomputer.com/news/security/jester-stealer-malware-adds-more-capabilities-to-entice-hackers/
Cyber attacks in the Ukraine war: BSI urgently warns authorities and companies
The BSI has sent another warning letter to companies and authorities. According to it, network scans and the first wipers are being observed in partner states.
https://www.golem.de/news/cyberangriffe-im-ukraine-krieg-bsi-warnt-behoerden-und-unternehmen-nachdruecklich-2202-163457-rss.html
Some details of the DDoS attacks targeting Ukraine and Russia in recent days
At 360Netlab, we continuously track botnets on a global scale through our BotMon system. In particular, for DDoS-related botnets, we further tap into their C2 communications to enable us to really see the details of the attacks.
https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years.
https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html
"Activate ID-App": Fraudulent email circulating in the name of Volksbank
Criminals are currently sending fraudulent emails in the name of Volksbank asking recipients to activate the ID-App. Volksbank does in fact offer this app to provide additional security. In this case, however, criminals are abusing this security measure to obtain your login credentials.
https://www.watchlist-internet.at/news/id-app-aktivieren-betruegerisches-mail-im-namen-der-volksbank-im-umlauf/
Russia-Ukraine Crisis: How to Protect Against the Cyber Impact (Updated Feb. 24 to Include New Information on DDoS, HermeticWiper and Defacement)
We provide an overview of known cyberthreats related to the Russia-Ukraine crisis including DDoS attacks, HermeticWiper and defacement and share recommendations for proactive defense.
https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/
Mac malware on the rise
Security threats to mobile devices and Macs are increasing. The Mac malware families Cimpli, Pirrit, Imobie, Shlayer and Genieo were identified.
https://www.zdnet.de/88399571/mac-malware-auf-dem-vormarsch/
Threat Update - Ukraine & Russia conflict
In this report, NVISO CTI describes the cyber threat landscape of Ukraine and by extension the current situation.
https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/
New Infostealer "ColdStealer" Being Distributed
The ASEC analysis team has discovered the distribution of ColdStealer that appears to be a new type of infostealer.
https://asec.ahnlab.com/en/32090/
Vulnerabilities
Security updates: Java and kernel vulnerabilities in IBM AIX threaten servers
Attackers could attack servers running IBM AIX and, in the worst case, gain full control over the systems.
https://heise.de/-6526120
Security updates for Friday
Security updates have been issued by Fedora (dotnet6.0, kernel, libarchive, libxml2, and wireshark), openSUSE (opera), Oracle (cyrus-sasl), Red Hat (cyrus-sasl, python-pillow, and ruby:2.5), Scientific Linux (cyrus-sasl), and Ubuntu (snapd).
https://lwn.net/Articles/886124/
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-ibm-websphere-application-server-due-to-expat-vulnerabilities/
Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-log4j-affects-some-features-of-ibm-db2-cve-2021-44832-4/
Security Bulletin: CVE-2021-35550 may affect IBM® SDK, Java™ Technology Edition
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35550-may-affect-ibm-sdk-java-technology-edition/
Security Bulletin: Vulnerabilities in Java SE affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-se-affect-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data/
Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect-ibm-sdk-java-technology-edition/
Security Bulletin: Vulnerability in the AIX smbcd daemon (CVE-2021-38993)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-smbcd-daemon-cve-2021-38993/
Security Bulletin: IBM PowerVM Novalink is vulnerable to provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-to-provide-weaker-than-expected-security-a-remote-attacker-could-exploit-this-weakness-to-obtain-sensitive-information-and-gain-unauthorized-acce/
Security Bulletin: IBM PowerVM Novalink could allow a remote authenticated attacker to conduct an LDAP injection.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-could-allow-a-remote-authenticated-attacker-to-conduct-an-ldap-injection/
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM Application Server Liberty due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-application-server-and-ibm-application-server-liberty-due-to-january-2022-cpu-plus-deferred-cve-2021-35550-and-cv/
Mozilla VPN local privilege escalation via uncontrolled OpenSSL search path
https://www.mozilla.org/en-US/security/advisories/mfsa2022-08/
FATEK Automation FvDesigner
https://us-cert.cisa.gov/ics/advisories/icsa-22-055-01
Mitsubishi Electric EcoWebServerIII
https://us-cert.cisa.gov/ics/advisories/icsa-22-055-02
Schneider Electric Easergy P5 and P3
https://us-cert.cisa.gov/ics/advisories/icsa-22-055-03
Baker Hughes Bently Nevada 3500
https://us-cert.cisa.gov/ics/advisories/icsa-21-231-02