Daily summary - 10.03.2022

End-of-Day report

Timeframe: Wednesday 09-03-2022 18:00 - Thursday 10-03-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

Nearly 30% of critical WordPress plugin bugs don't get a patch

Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture.

https://www.bleepingcomputer.com/news/security/nearly-30-percent-of-critical-wordpress-plugin-bugs-dont-get-a-patch/


What Security Controls Do I Need for My Kubernetes Cluster?

This Tech Tip offers some security controls to embed in your organization's CI/CD pipeline to protect Kubernetes clusters and corporate networks.

https://www.darkreading.com/dr-tech/what-security-controls-do-i-need-for-my-kubernetes-cluster-


Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads

The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things.

https://threatpost.com/qakbot-botnet-sprouts-fangs-injects-malware-into-email-threads/178845/


Credentials Leaks on VirusTotal, (Thu, Mar 10th)

A few weeks ago, researchers published some information about stolen credentials that were posted on VirusTotal[1]. I'm keeping an eye on VT for my customers and searching for data related to them. For example, I'm looking for their domain name(s) inside files posted on VT. I may confirm what researchers said, there are a lot of password leaks shared on VTI, but yesterday there was a peak of files uploaded on this platform.

https://isc.sans.edu/diary/rss/28426


Demystifying E-Commerce Website Security

Here we'll be discussing the main aspects that are important to an E-Commerce website, the kinds of vulnerabilities that can impact your business, and how to take better preventative measures.

https://blog.sucuri.net/2022/03/demystifying-e-commerce-website-security.html


Pre-announcement of 4 BIND security issues scheduled for disclosure 16 March 2022

As part of our policy of pre-notification of upcoming security releases, we are writing to inform you that the March 2022 BIND maintenance releases that will be released on Wednesday, 16 March, will contain patches for security vulnerabilities affecting the BIND 9.11.x, 9.16.x and 9.18.x release branches. Further details about those vulnerabilities will be publicly disclosed at the time the releases are published.

https://lists.isc.org/pipermail/bind-announce/2022-March/001211.html


Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers

In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EU's digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NISD)

https://arxiv.org/abs/2203.04887


The Conti Leaks: Insight into a Ransomware Unicorn

In late February 2022, the internal chat logs of the Conti ransomware group were disclosed. This blog dissects the internal chat logs that illuminate how Conti's organizational infrastructure is run, and details key figureheads, tooling, as well as bitcoin transactions.

https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/


Spectre V2 is back on ARM and Intel too: attack on the Branch History Buffer

The existing protection mechanisms of Intel processors and ARM cores against Spectre V2-type side-channel attacks are not sufficient.

https://heise.de/-6545263


"Your ID operating system will be locked" - Apple email is fake!

In the fraudulent email, which purports to be sent by Apple, you are asked to verify your Apple ID. But beware - this is phishing! Criminals are after your data here. It is best to ignore the email.

https://www.watchlist-internet.at/news/ihr-id-betriebssystem-wird-gesperrt-apple-e-mail-ist-fake/


Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools

Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised.

http://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html

Vulnerabilities

[webapps] Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)

# note: this is blind RCE so don't expect to see results on the site
# this exploit is tested against Zabbix 5.0.17 only

https://www.exploit-db.com/exploits/50816


XSA-396

CVEs: CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039, CVE-2022-23040, CVE-2022-23041, CVE-2022-23042

Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends.

https://xenbits.xen.org/xsa/advisory-396.html


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat).

https://lwn.net/Articles/887484/


Drupal: Multiple vulnerabilities

- SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028
- Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

http://www.cert-bund.de/advisoryshort/CB-K22-0298


CVE-2022-0022 PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes (Severity: MEDIUM)

Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software, where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. [..] Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes.

https://security.paloaltonetworks.com/CVE-2022-0022


UNIVERGE WA Series vulnerable to OS command injection

https://jvn.jp/en/jp/JVN72801744/


[remote] Siemens S7-1200 - Unauthenticated Start/Stop Command

https://www.exploit-db.com/exploits/50820


Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39025)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encryption-gde-has-an-information-exposure-vulnerability-cve-2021-39025/


Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-23450

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-websphere-application-server-liberty-affects-ibm-cloud-application-business-insights-cve-2021-23450/


Security Bulletin: IBM Guardium Data Encryption is vulnerable to cross-site scripting (CVE-2020-7676)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encryption-is-vulnerable-to-cross-site-scripting-cve-2020-7676/


Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xeon-affects-ibm-cloud-pak-system-cve-2021-0144-2/


Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-aix-cve-2021-25219-2/


Security Bulletin: IBM DataPower Gateway permits reflected JSON injection (CVE-2021-38910)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-permits-reflected-json-injection-cve-2021-38910/


Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-omnifind-text-search-server-for-db2-for-i-is-vulnerable-to-arbitrary-code-execution-cve-2021-4104/