Daily summary - 15.03.2022

End-of-Day report

Timeframe: Monday 14-03-2022 18:00 - Tuesday 15-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner


Massive phishing campaign uses 500+ domains leading to fake login pages

Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet.


Security vulnerability in printers: over 300-year-old algorithm cracks RSA keys

Printers from Canon and Fujifilm generate weak RSA keys that can be attacked with Fermat's factorization algorithm.


New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel

Since the Log4J vulnerability was exposed, we have seen more and more malware jump on the bandwagon; Elknot, Gafgyt and Mirai are all too familiar. On February 9, 2022, 360Netlab's honeypot system captured an unknown ELF file propagating through the Log4J vulnerability. What stands out is that the network traffic generated by this sample triggered a DNS Tunnel alert in our system. We decided to take a close look, and indeed it is a new botnet family, which we named B1txor20 based on its propagation using the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.


Clean Binaries with Suspicious Behaviour, (Tue, Mar 15th)

EDR or "Endpoint Detection & Response" is a key element of many networks today. An agent is installed on all endpoints to track suspicious/malicious activity and (try to) block it. Behavioral monitoring is also a key element in modern SIEM infrastructure: seeing a word.exe running is definitely not malicious, and the same goes for a PowerShell script being launched. But if you monitor parent/child relations, seeing a PowerShell script launched from a Word process is suspicious!


A Simple Guide to Getting CVEs Published

This guide will, hopefully, let you skip the headaches and guesswork that we endured learning this process when you try to get a CVE published.


Can an HTTPS Website be Hacked?

It should be no shock by now that a professional can break through anything. These days, zero-days are a dime a dozen, so it's important to ensure your site is hardened and protected as much as possible. While an SSL certificate can certainly be an important factor, it's only one slice of the pie. In this article, we'll be elaborating on the myths of SSL, the kinds of hacks that still have the potential to occur, and how you can improve an HTTPS site beyond installing an SSL certificate.


Ukraine war: BSI warns against Kaspersky's security and antivirus software

Anyone using antivirus software from the Russian manufacturer should switch to alternative products, according to the official BSI warning.


Beware of calls and e-mails from "Besser-Gefunden"

Companies are currently being contacted by phone by "Besser-Gefunden". The person on the phone explains that your company has concluded a contract for placing paid advertisements in the "Besser-Gefunden" company directory and that the fees are due soon. This contract renews automatically unless it is cancelled in writing immediately. Beware: this is a fraudulent scheme for acquiring customers! Hang up and sign nothing.


Updated: Kubernetes Hardening Guide

The National Security Agency (NSA) and CISA have updated their joint Cybersecurity Technical Report (CTR): Kubernetes Hardening Guide, originally released in August 2021, based on valuable feedback and inputs from the cybersecurity community.


Investigating an engineering workstation - Part 1

In this series of blog posts we will deal with the investigation of an engineering workstation running Windows 10 with the Siemens TIA Portal Version 15.1 installed. In this first part we will cover some selected classic Windows-based evidence sources, and how they behave with regards to the execution of the TIA Portal and interaction with it.


Threat Advisory: CaddyWiper

Overview: Cybersecurity company ESET disclosed another Ukraine-focused wiper dubbed "CaddyWiper" on March 14. [..] Analysis: The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Our analysis didn't show any indications of persistence, self-propagation or exploitation code. Before starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine is a domain controller, it stops execution.


OpenSSL security releases may require Node.js security releases

The Node.js project may be releasing new versions across all of its supported release lines late this week to incorporate upstream patches from OpenSSL.



Apple Updates Everything: MacOS 12.3, XCode 13.3, tvOS 15.4, watchOS 8.5, iPadOS 15.4 and more, (Mon, Mar 14th)

Apple today released one of its massive "surprise" updates for all of its operating systems. This includes updates for Safari as well as stand-alone security updates for older operating systems like macOS Big Sur and Catalina. As so often, this also includes feature updates for the respective operating systems.


Security update for IBM Spectrum Protect: unauthorized access to databases possible

Security updates are available for IBM's backup solution Spectrum Protect. Among other things, attackers could access information that is supposed to be encrypted.


Security updates for Tuesday

Security updates have been issued by Debian (spip), Fedora (chromium), Mageia (chromium-browser-stable, kernel, kernel-linus, and ruby), openSUSE (firefox, flac, java-11-openjdk, protobuf, tomcat, and xstream), Oracle (thunderbird), Red Hat (kpatch-patch and thunderbird), Scientific Linux (thunderbird), Slackware (httpd), SUSE (firefox, flac, glib2, glibc, java-11-openjdk, libcaca, SDL2, squid, sssd, tomcat, xstream, and zsh), and Ubuntu (zsh).


Belden Security Bulletin - Industrial IT BSECV-2021-16

CVEs: CVE-2020-24588, CVE-2020-26144, CVE-2020-26146 and CVE-2020-26147. FragAttacks 2 (fragmentation and aggregation attacks) is a collection of security vulnerabilities that affect Wi-Fi devices. An adversary that is within range of a victim's Wi-Fi network can exploit these vulnerabilities to steal user information or attack devices.
Affected products: Hirschmann OpenBAT, WLC, BAT450


Dirty Pipe Linux Flaw Affects a Wide Range of QNAP NAS Devices


Security Bulletin: CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x)


Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93


Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144)


Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717)


Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517,


Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926)


Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty through could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID:


Security Bulletin: A Vulnerability In Apache Commons IO Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data


Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Workstations Central Administration Console (CVE-2021-23450)


Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2021 - Includes Oracle October 2021 CPU


Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2021-23450)


Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603


Security Bulletin: Mobilefirst is affected by a log4j vulnerability (CVE-2021-4104)


Security Bulletin: Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.


Security Bulletin: Vulnerability in Apache Log4j affects IBM Tivoli Composite Application Manager for Application Diagnostics (CVE-2021-44228)


Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM)


Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44832)


Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450)


Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect Operations Center (CVE-2021-23450)


ABB OPC Server for AC 800M