Daily summary - 07.03.2022

End-of-Day report

Timeframe: Friday 04-03-2022 18:00 - Monday 07-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner

News

E-mail from "Zoll Kundenservice" (customs customer service) is a fake

The fraudulent e-mail from "[email protected]" claims that your parcel cannot be delivered because customs fees have not been paid. To settle the customs fees, you are asked to send a Paysafecard PIN worth 75 euros. Ignore this e-mail; it is a scam.

https://www.watchlist-internet.at/news/e-mail-vom-zoll-kundenservice-ist-fake/


Emergency update: security vulnerabilities in Firefox and Thunderbird are under active attack

The Mozilla Foundation has released out-of-band security updates for Firefox, Klar and Thunderbird that close vulnerabilities already being actively exploited.

https://heise.de/-6540649


Security problems at Samsung: source code stolen, insecure cryptography

Intruders have stolen source code from Samsung. The manufacturer also botched the cryptography in the Trusted Execution Environment of its flagship smartphones.

https://heise.de/-6540849


Dirty Pipe: Linux kernel vulnerability allows write access with root privileges

A bug in the handling of pipes in the Linux kernel can be exploited to gain root privileges.

https://www.golem.de/news/dirty-pipe-linux-kernel-luecke-erlaubt-schreibzugriff-mit-root-rechten-2203-163680-rss.html


Microsoft fixes critical Azure bug that exposed customer data

Microsoft has addressed a critical vulnerability in the Azure Automation service that could have allowed attackers to take full control over other Azure customers' data.

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-critical-azure-bug-that-exposed-customer-data/


Massive Meris Botnet Embeds Ransomware Notes from REvil

Notes threatening to tank targeted companies' stock price were embedded into the DDoS ransomware attacks as a string_of_text directed to CEOs and webops_geeks in the URL.

https://threatpost.com/massive-meris-botnet-embeds-ransomware-notes-revil/178769/


Scam E-Mail Impersonating Red Cross, (Fri, Mar 4th)

Earlier today, I received a scam email that impersonates the Ukrainian Red Cross. It attempts to solicit donations via Bitcoin. The email is almost certainly not related to any valid Red Cross effort.

https://isc.sans.edu/diary/rss/28404


oledump's Extra Option, (Sat, Mar 5th)

A colleague asked if it was possible, with oledump.py, to search through a set of malicious documents and filter out all streams that have identical VBA source code.

https://isc.sans.edu/diary/rss/28406


Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking

Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage (TNAS) devices that could be chained to attain unauthenticated remote code execution with the highest privileges. The issues reside in TOS, an abbreviation for TerraMaster Operating System, and "can grant unauthenticated attackers access to the victim's box simply by knowing the IP [...]

https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.html


Backdooring WordPress using PyShell

PyShell is a new tool made for bug bounty hunters, ethical hackers, penetration testers and red teamers. This tool helps you obtain a shell-like interface on a web server that can be accessed remotely.

https://blog.wpsec.com/backdooring-wordpress-using-pyshell/


Beware of malware offering "Warm greetings from Saudi Aramco"

A new Formbook campaign is targeting oil and gas companies.

https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware-offering-warm-greetings-from-saudi-aramco/


Amcache contains SHA-1 Hash - It Depends!

If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk.

https://blog.nviso.eu/2022/03/07/amcache-contains-sha-1-hash-it-depends/


Webhook Party - Malicious packages caught exfiltrating data via legit webhook services

The Checkmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages attempting to use a dependency confusion attack. Those packages were detected by the team's malicious package detection system. Findings show all packages caught contained a malicious payload [...]

https://checkmarx.com/blog/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services/

Vulnerabilities

New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances

Researchers have disclosed details of a new security vulnerability in GitLab, an open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8.

https://thehackernews.com/2022/03/new-security-vulnerability-affects.html


Security updates for Monday

Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, [...]

https://lwn.net/Articles/887055/


Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device

Cisco Talos' vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE's patch, we decided to take an even closer look at two of these vulnerabilities - CVE-2021-21748 and CVE-2021-21745 - to show how they could be chained together by an attacker to completely take over a device.

https://blog.talosintelligence.com/2022/03/deep-dive-vulnerabilities-in-zte-router.html


Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nimsh-cve-2022-22351/


Security Bulletin: Multiple security vulnerabilities are addressed in the monthly security fix for IBM Cloud Pak for Business Automation, February 2022

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerability-are-addressed-in-monthly-security-fix-for-ibm-cloud-pak-for-business-automation-february-2022/


Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38988)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-kernel-cve-2021-38988/


Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38989)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-kernel-cve-2021-38989/


Security Bulletin: Some unspecified vulnerabilities in Java SE could allow an unauthenticated attacker to take control of the system or have other impact

https://www.ibm.com/blogs/psirt/security-bulletin-some-unspecified-vulnerabilities-in-java-se-result-in-the-unauthenticated-attacker-to-take-control-of-the-system-or-some-impact/


Bitdefender products: multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K22-0264


Webmin: multiple vulnerabilities allow privilege escalation

https://www.cert-bund.de/advisoryshort/CB-K22-0267


Asterisk: multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K22-0266


D-LINK router: multiple vulnerabilities allow security measures to be bypassed

https://www.cert-bund.de/advisoryshort/CB-K22-0265