Daily summary - 11.03.2022

End-of-Day report

Timeframe: Thursday 10-03-2022 18:00 - Friday 11-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer

News

Raccoon Stealer Crawls Into Telegram

The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware.

https://threatpost.com/raccoon-stealer-telegram/178881/


Keep an Eye on WebSockets, (Fri, Mar 11th)

It has been a while since I last spotted WebSockets used by malware. Yesterday I discovered an interesting piece of PowerShell. Very small and almost undetected according to its VirusTotal score (2/54)[1]. A quick reminder for those that don't know what a "WebSocket" is.

https://isc.sans.edu/diary/rss/28430


Bypassing MFA: A Pentest Case Study

When a company implements multifactor authentication, the organization is usually confident that it's using the best system possible. However, not all MFA is built the same and there are times when the MFA solution being implemented is not delivering the protection required.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bypassing-mfa-a-pentest-case-study/


Multiple Security Flaws Discovered in Popular Software Package Managers

Multiple security vulnerabilities have been disclosed in popular package managers that, if exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines. It's, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers.

https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html


What's up with in-the-wild exploits? Plus, what we're doing about it.

If you are a regular reader of our Chrome release blog, you may have noticed that phrases like "exploit for CVE-1234-567 exists in the wild" have been appearing more often recently. In this post we'll explore why there seems to be such an increase in exploits, and clarify some misconceptions in the process. We'll then share how Chrome is continuing to make it harder for attackers to achieve their goals.

http://security.googleblog.com/2022/03/whats-up-with-in-wild-exploits-plus.html


WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities

Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. The high-severity issue affects versions 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts.

https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixes-xss-and-prototype-pollution-vulnerabilities/


Cobalt Strike: Memory Dumps - Part 6

This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic.

https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/


Infostealer Being Distributed via YouTube

The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post.

https://asec.ahnlab.com/en/32499/

Vulnerabilities

ZDI-22-503: MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-22-503/


Security updates for Friday

Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat vulnerabilities, firefox, and subversion).

https://lwn.net/Articles/887635/


Mattermost security updates 6.4.2, 6.3.5, 6.2.5, 5.37.9 released

We're informing you about a Mattermost security update, which addresses medium-severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.4.2, 6.3.5 (Extended Support Release), 6.2.5, 5.37.9 (Extended Support Release) for both Team Edition and Enterprise Edition.

https://mattermost.com/blog/mattermost-security-updates-6-4-2-6-3-5-6-2-5-5-37-9-released/


Siemens Solid Edge, JT2Go, and Teamcenter Visualization

This updated advisory is a follow-up to the original advisory titled ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization that was published February 10, 2022, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products.

https://us-cert.cisa.gov/ics/advisories/icsa-22-041-07


Multiple vulnerabilities in PONTON X/P Messenger (SYSS-2021-077/-078/-079/-080)

The PONTON X/P Messenger by PONTON GmbH, in versions 3.8.0 and 3.10.0, is vulnerable to multiple vulnerabilities under restricted preconditions.

https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-ponton-x/p-messenger-syss-2021-077/-078/-079/-080


CERT-EU warns of SMBv3 vulnerability CVE-2022-24508, fixed by the Windows March 2022 updates

With the security updates of 8 March 2022 for Windows, Microsoft closed a number of vulnerabilities. Among them is a Remote Code Execution (RCE) vulnerability rated as important in the Windows SMBv3 client/server. In a current notice, CERT-EU warns of this SMBv3 vulnerability CVE-2022-24508 [...]

https://www.borncity.com/blog/2022/03/11/cert-eu-warnt-vor-smbv3-schwachstelle-cve-2022-24508-fix-durch-windows-mrz-2022-updates/


Regarding vulnerability measures against buffer overflow for Laser Printers and Small Office Multifunction Printers - 10 March 2022

Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below.

https://www.canon-europe.com/support/product-security-latest-news/


D-LINK Router: Multiple vulnerabilities allow code execution

https://www.cert-bund.de/advisoryshort/CB-K22-0299


phpMyAdmin: Vulnerability allows disclosure of information

https://www.cert-bund.de/advisoryshort/CB-K22-0304


McAfee Total Protection: Vulnerability allows privilege escalation

https://www.cert-bund.de/advisoryshort/CB-K22-0302


Security Bulletin: IBM Guardium Data Encryption (GDE) has a vulnerability (CVE-2021-39022), related to hazardous input.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encryption-gde-has-a-vulnerability-cve-2021-39022-related-to-hazardous-input/


Security Bulletin: A Python Issue Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

https://www.ibm.com/blogs/psirt/security-bulletin-a-python-issue-affects-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data/


Security Bulletin: Multiple security vulnerabilities are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerability-are-addressed-in-monthly-security-fix-for-ibm-cloud-pak-for-business-automation-february-2022-3/


Security Bulletin: IBM Integration Designer is vulnerable to an attacker obtaining sensitive information (CVE-2021-35550, CVE-2021-35603) and denial of service (CVE-2021-35578)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-is-vulnerable-to-an-attacker-obtaining-sensitive-information-cve-2021-35550-cve-2021-35603-and-denial-of-service-cve-2021-35578/


Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-38893

https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2021-38893-2/


Security Bulletin: Cross-Site Scripting vulnerability affects IBM Cloud Pak for Automation Workflow Process Service (CVE-2021-38893 CVE-2021-38966)

https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affect-ibm-cloud-pak-for-automation-workflow-process-service-cve-2021-38893-cve-2021-38966-2/