Daily summary - 28.02.2022

End-of-Day report

Timeframe: Friday 25-02-2022 18:00 - Monday 28-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

Visual Voice Mail on Android may be vulnerable to eavesdropping

The security researcher Chris Talbot discovered the flaw on June 21, 2021, and filed the vulnerability as CVE-2022-23835. The bug is not a flaw in the Android operating system itself but rather in how the service is implemented by mobile carriers. However, the flaw has a "disputed" status because AT&T and T-Mobile dismissed the report as describing a non-exploitable risk, while Sprint and Verizon have not responded.

https://www.bleepingcomputer.com/news/security/visual-voice-mail-on-android-may-be-vulnerable-to-eavesdropping/


Reborn of Emotet: New Features of the Botnet and How to Detect it

One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet: law enforcement sent a destructive update to Emotet's executables, and it looked like the end of the trojan's story. But the malware never ceased to surprise. In November 2021, it was reported that TrickBot no longer works alone and delivers Emotet.

https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html


CISA Warns of High-Severity Flaws in Schneider and GE Digital's SCADA Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system (ICS) advisory related to multiple vulnerabilities impacting Schneider Electric's Easergy medium voltage protection relays.

https://thehackernews.com/2022/02/cisa-warns-of-high-severity-flaws-in.html


Rogue RDP - Revisiting Initial Access Methods

With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red teams that will inevitably make initial access a bit more difficult to achieve. Over the last year, I have invested some research time in pursuing the use of the Remote Desktop Protocol as an alternative initial access vector, which this post will cover.

https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/


BSI publishes "Maßnahmenkatalog Ransomware"

In its "Maßnahmenkatalog Ransomware" (catalogue of ransomware countermeasures), the Bundesamt für Sicherheit in der Informationstechnik (BSI) presents important preventive measures for companies and public authorities.

https://heise.de/-6528055


BrokenPrint: A Netgear stack overflow

This blog post describes a stack-based overflow vulnerability found and exploited in September 2021 in the Netgear R6700v3 router.

https://research.nccgroup.com/2022/02/28/brokenprint-a-netgear-stack-overflow/


Orders from herzens-mensch.de and heimfroh.com lead to problems

The online shops herzens-mensch.de and heimfroh.com are so-called dropshipping shops. The shops claim to be an Austrian company but ship from Asia. This practice is not necessarily fraudulent, but an order from herzens-mensch.de or heimfroh.com can become very expensive and lead to numerous problems.

https://www.watchlist-internet.at/news/bestellungen-bei-herzens-menschde-und-heimfrohcom-fuehren-zu-problemen/


Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks

The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets. There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 [..]

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage


Ukraine crisis - current information

Due to the Ukraine crisis, the general threat level in cyberspace is currently very high. A specifically elevated threat to Austria cannot yet be identified. We are in ongoing contact with our colleagues in the European CSIRTs Network and in the national coordination structures.

https://cert.at/de/aktuelles/2022/2/ukraine-krise-aktuelle-informationen


BlackCat ransomware

AT&T Alien Labs is writing this report about recently created ransomware malware dubbed BlackCat, which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infrastructure.

https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware

Vulnerabilities

Mozilla's VPN client could download malicious code

There is an important security update for Mozilla VPN. After successful attacks, attackers could take over systems.

https://heise.de/-6527681


Programming language: security vulnerability enables code injection in PHP

With new PHP versions, the developers close security vulnerabilities that could, under certain circumstances, allow attackers to inject malicious code.

https://heise.de/-6527558


Security updates for Monday

Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0).

https://lwn.net/Articles/886358/


Vulnerability Spotlight: Vulnerabilities in Gerbv could lead to code execution, information disclosure

Cisco Talos recently discovered multiple vulnerabilities in the Gerbv file viewing software that could allow an attacker to execute arbitrary remote code or disclose sensitive information. [..] Cisco Talos worked with Gerbv to responsibly disclose these vulnerabilities in adherence to Cisco's vulnerability disclosure policy. However, an update is not available to fix these issues as of Feb. 28, 2022. CVE IDs: CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, CVE-2021-40401, CVE-2021-40400, CVE-2021-40402, CVE-2021-40403

http://blog.talosintelligence.com/2022/02/vuln-spotlight-gerbv-g.html


ABB CYBER SECURITY ADVISORY - AC 800M MMS - DENIAL OF SERVICE VULNERABILITY IN MMS COMMUNICATION

https://search.abb.com/library/Download.aspx?DocumentID=7PAA001499&LanguageCode=en&DocumentPartId=&Action=Launch


Security Bulletin: Vulnerability in Java SE (CVE-2021-2161) may affect IBM Watson Assistant for IBM Cloud Pak for Data

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-cve-2021-2161-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


Security Bulletin: Vulnerability in Node.js (CVE-2021-22930) may affect IBM Watson Assistant for IBM Cloud Pak for Data

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-cve-2021-22930-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


Security Bulletin: Due to use of Apache Log4j, IBM Content Navigator is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105)

https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-content-navigator-is-vulnerable-to-arbitrary-code-execution-cve-2021-45046-and-denial-of-service-cve-2021-45105/


Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution (CVE-2021-44142).

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak-for-data-is-vulnerable-to-arbitrary-code-execution-cve-2021-44142/


Security Bulletin: Vulnerabilities in Node.js (CVE-2021-22959, CVE-2021-22960) may affect IBM Watson Assistant for IBM Cloud Pak for Data

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-cve-2021-22959-cve-2021-22960-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


Security Bulletin: IBM Cloud Pak for Data System 2.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-system-2-0-is-vulnerable-to-arbitrary-code-execution-due-to-samba-cve-2021-44142/


Security Bulletin: Vulnerabilities in Node.js (CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290) may affect IBM Watson Assistant for IBM Cloud Pak for Data

https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnerability-in-node-js-cve-2021-23362-cve-2021-22921-cve-2021-22918-cve-2021-27290-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/


Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA

https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-4-17-21-vulnerability-in-powerha-2/


Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak-for-data-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/


Security Bulletin: A Vulnerability In Apache HttpClient Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-httpclient-affects-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data/