Daily summary - 16.03.2022

End-of-Day report

Timeframe: Tuesday 15-03-2022 18:00 - Wednesday 16-03-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer

News

Android trojan persists on the Google Play Store since January

Security researchers tracking the mobile app ecosystem have noticed a recent spike in trojan infiltration on the Google Play Store, with one of the apps having over 500,000 installs.

https://www.bleepingcomputer.com/news/security/android-trojan-persists-on-the-google-play-store-since-january/


Qakbot infection with Cobalt Strike and VNC activity, (Wed, Mar 16th)

On Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Today's diary provides a quick review of the infection activity.

https://isc.sans.edu/diary/rss/28448


The Attack of the Chameleon Phishing Page

Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-of-the-chameleon-phishing-page/


Spam SMS "Application received" leads to investment fraud

Criminals are currently sending SMS messages referring to an alleged job application by the recipients. How the criminals obtained the names and telephone numbers of those affected is unclear. What is clear is that the included link leads to a fraudulent investment advertisement.

https://www.watchlist-internet.at/news/werbe-sms-bewerbung-erhalten-fuehrt-zu-investment-betrug/


Gh0stCringe RAT Being Distributed to Vulnerable Database Servers

This blog will explain the RAT malware named Gh0stCringe. Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT.

https://asec.ahnlab.com/en/32572/

Vulnerabilities

Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters

Researchers have disclosed an unpatched security vulnerability in "dompdf," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations.

https://thehackernews.com/2022/03/unpatched-rce-bug-in-dompdf-project.html


7 RCE and DoS vulnerabilities Found in ClickHouse DBMS

The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials.

https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/


Security vulnerability: Crafted TLS certificates can endanger OpenSSL systems

Attackers could crash clients and servers with crafted TLS certificates based on elliptic curves.

https://heise.de/-6550820


Security updates: Attackers could push malicious code through pfSense firewall

Multiple vulnerabilities endanger systems running the pfSense firewall distribution.

https://heise.de/-6577971


Security updates: Malicious-code loopholes in Dell BIOS

Attackers could attack Dell computers and, in the worst case, gain full control over the devices.

https://heise.de/-6550647


Security updates for Wednesday

Security updates have been issued by Debian (openssl and python-scrapy), openSUSE (chrony, expat, java-1_8_0-openj9, libqt5-qtbase, openssl-1_0_0, php7, and rust, rust1.58, rust1.59), Oracle (389-ds:1.4, httpd:2.4, libarchive, libxml2, and vim), Red Hat (389-ds:1.4, glibc, httpd:2.4, kpatch-patch, libarchive, libxml2, vim, and virt:rhel and virt-devel:rhel), SUSE (chrony, compat-openssl098, expat, libqt5-qtbase, openssl, openssl-1_0_0, openssl-1_1, openssl1, php7, rust, rust1.58, rust1.59, [...]

https://lwn.net/Articles/888093/


Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

https://www.drupal.org/sa-core-2022-005


Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/


Security Bulletin: A security vulnerability in Node.js follow-redirects module affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-follow-redirects-module-affects-ibm-cloud-automation-manager/


Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Network Automation (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-pak-for-network-automation-cve-2021-44228/


Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-openssl-denial-of-service-vulnerabilities-cve-2021-23840-cve-2021-23841/


Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform upgrade from Log4j 2.17 to 2.17.1 to protect from infinite recursion in lookup evaluation

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-component-of-ibm-tririga-application-platform-upgrade-from-log4j-2-17-to-2-17-1-to-protect-from-infinite-recursion-in-lookup-evaluation/


Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-ibm-websphere-application-server-due-to-expat-vulnerabilities-4/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-business-developer-5/


Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-fetch-module-affects-ibm-cloud-automation-manager-2/


Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-marked-module-affects-ibm-cloud-automation-manager-2/


Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-module-affects-ibm-cloud-automation-manager-3/


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-10/


Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-are-vulnerable-to-clickjacking-cve-2021-39038-2/


Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-module-affects-ibm-cloud-automation-manager-2/


Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-golang-affects-ibm-cloud-automation-manager-2/


Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-golang-affects-ibm-cloud-automation-manager/


Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2021-33198

https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-denial-of-service-by-go-vulnerability-cve-2021-33198/


Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-marked-module-affects-ibm-cloud-automation-manager/


Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affects-rational-business-developer-6/


Improper Restriction of XML External Entity Reference in BVMS

https://psirt.bosch.com/security-advisories/bosch-sa-506619-bt.html


Google Releases Security Updates for Chrome

https://us-cert.cisa.gov/ncas/current-activity/2022/03/16/google-releases-security-updates-chrome