End-of-Day report
Timeframe: Thursday 10-03-2022 18:00 - Friday 11-03-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
News
Raccoon Stealer Crawls Into Telegram
The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware.
https://threatpost.com/raccoon-stealer-telegram/178881/
Keep an Eye on WebSockets, (Fri, Mar 11th)
It has been a while since I last spotted WebSockets being used by malware. Yesterday I discovered an interesting piece of PowerShell. Very small and almost undetected according to its VirusTotal score (2/54)[1]. A quick reminder for those who don't know what a "WebSocket" is.
https://isc.sans.edu/diary/rss/28430
Bypassing MFA: A Pentest Case Study
When a company implements multifactor authentication, the organization is usually confident that it's using the best system possible. However, not all MFA is built the same, and there are times when the MFA solution being implemented is not delivering the protection required.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bypassing-mfa-a-pentest-case-study/
Multiple Security Flaws Discovered in Popular Software Package Managers
Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines. It's, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers.
https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html
What's up with in-the-wild exploits? Plus, what we're doing about it.
If you are a regular reader of our Chrome release blog, you may have noticed that phrases like "exploit for CVE-1234-567 exists in the wild" have been appearing more often recently. In this post we'll explore why there seems to be such an increase in exploits, and clarify some misconceptions in the process. We'll then share how Chrome is continuing to make it harder for attackers to achieve their goals.
http://security.googleblog.com/2022/03/whats-up-with-in-wild-exploits-plus.html
WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities
Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts.
https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixes-xss-and-prototype-pollution-vulnerabilities/
Cobalt Strike: Memory Dumps - Part 6
This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic.
https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/
Infostealer Being Distributed via YouTube
The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post.
https://asec.ahnlab.com/en/32499/
Vulnerabilities
ZDI-22-503: MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-22-503/
Security updates for Friday
Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat, firefox, and subversion).
https://lwn.net/Articles/887635/
Mattermost security updates 6.4.2, 6.3.5, 6.2.5, 5.37.9 released
We're informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.4.2, 6.3.5 (Extended Support Release), 6.2.5, 5.37.9 (Extended Support Release) for both Team Edition and Enterprise Edition.
https://mattermost.com/blog/mattermost-security-updates-6-4-2-6-3-5-6-2-5-5-37-9-released/
Siemens Solid Edge, JT2Go, and Teamcenter Visualization
This updated advisory is a follow-up to the original advisory titled ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization that was published February 10, 2022, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products.
https://us-cert.cisa.gov/ics/advisories/icsa-22-041-07
Multiple vulnerabilities in PONTON X/P Messenger (SYSS-2021-077/-078/-079/-080)
The PONTON X/P Messenger by PONTON GmbH, in versions 3.8.0 and 3.10.0, is affected by multiple vulnerabilities under restricted preconditions.
https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-ponton-x/p-messenger-syss-2021-077/-078/-079/-080
CERT-EU warns of SMBv3 vulnerability CVE-2022-24508, fixed by the Windows March 2022 updates
With the Windows security updates of 8 March 2022, Microsoft closed a series of vulnerabilities. Among them is a remote code execution (RCE) vulnerability rated as important in the Windows SMBv3 client/server. In a current notice, CERT-EU warns of this SMBv3 vulnerability CVE-2022-24508 [...]
https://www.borncity.com/blog/2022/03/11/cert-eu-warnt-vor-smbv3-schwachstelle-cve-2022-24508-fix-durch-windows-mrz-2022-updates/
Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers - 10 March 2022
Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below.
https://www.canon-europe.com/support/product-security-latest-news/
D-LINK Router: Multiple vulnerabilities allow code execution
https://www.cert-bund.de/advisoryshort/CB-K22-0299
phpMyAdmin: Vulnerability allows information disclosure
https://www.cert-bund.de/advisoryshort/CB-K22-0304
McAfee Total Protection: Vulnerability allows privilege escalation
https://www.cert-bund.de/advisoryshort/CB-K22-0302
Security Bulletin: IBM Guardium Data Encryption (GDE) has a vulnerability (CVE-2021-39022), related to hazardous input.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encryption-gde-has-a-vulnerability-cve-2021-39022-related-to-hazardous-input/
Security Bulletin: A Python Issue Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
https://www.ibm.com/blogs/psirt/security-bulletin-a-python-issue-affects-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data/
Security Bulletin: Multiple security vulnerabilities are addressed in the monthly security fix for IBM Cloud Pak for Business Automation February 2022
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerability-are-addressed-in-monthly-security-fix-for-ibm-cloud-pak-for-business-automation-february-2022-3/
Security Bulletin: IBM Integration Designer is vulnerable to an attacker obtaining sensitive information (CVE-2021-35550, CVE-2021-35603) and denial of service (CVE-2021-35578)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-is-vulnerable-to-an-attacker-obtaining-sensitive-information-cve-2021-35550-cve-2021-35603-and-denial-of-service-cve-2021-35578/
Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-38893
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2021-38893-2/
Security Bulletin: Cross-Site Scripting vulnerability affects IBM Cloud Pak for Automation Workflow Process Service (CVE-2021-38893, CVE-2021-38966)
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affect-ibm-cloud-pak-for-automation-workflow-process-service-cve-2021-38893-cve-2021-38966-2/