Daily summary - 17.03.2022

End-of-Day report

Timeframe: Wednesday 16-03-2022 18:00 - Thursday 17-03-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

SolarWinds warns of attacks targeting Web Help Desk instances

SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw).

https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-attacks-targeting-web-help-desk-instances/


Microsoft creates tool to scan MikroTik routers for TrickBot infections

The TrickBot trojan has just added one more trick up its sleeve, now using vulnerable IoT (internet of things) devices like modem routers as proxies for its C2 (command and control) server communication.

https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-scan-mikrotik-routers-for-trickbot-infections/


CISA: US agency warns of 15 actively exploited security vulnerabilities

The US security agency CISA is warning companies and government agencies about 15 older security vulnerabilities that are being actively exploited in attacks.

https://www.golem.de/news/cisa-us-behoerde-warnt-vor-15-aktiv-ausgenutzten-sicherheitsluecken-2203-163929-rss.html


DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly

The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation," Avast researcher Martin Chlumecký said in a report published Wednesday.

https://thehackernews.com/2022/03/dirtymoe-botnet-gains-new-exploits-in.html


LokiLocker ransomware family spotted with built-in wiper

BlackBerry says extortionists erase documents if ransom unpaid. BlackBerry security researchers have identified a ransomware family targeting English-speaking victims that is capable of erasing all non-system files from infected Windows PCs.

https://go.theregister.com/feed/www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/


Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks

What do you do when you've found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we'll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives.

https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks


From BlackMatter to BlackCat: Analyzing two attacks from one affiliate

While researching a BlackCat ransomware attack from December 2021, we observed a domain (and respective IP addresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter attack in September 2021. Further analysis revealed more commonalities, such as tools, file names and techniques that were common to both ransomware variants.

http://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

Vulnerabilities

New Vulnerability in CRI-O Engine Lets Attackers Escape Kubernetes Containers

A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host. "Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," [..]

https://thehackernews.com/2022/03/new-vulnerability-in-cri-o-engine-lets.html


Security updates for Thursday

Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db).

https://lwn.net/Articles/888288/


Red Hat Virtualization: Vulnerability allows manipulation of files

A remote, anonymous attacker can exploit a vulnerability in Red Hat Virtualization to manipulate files.

http://www.cert-bund.de/advisoryshort/CB-K22-0328


ISC Releases Security Advisories for BIND

Original release date: March 17, 2022. The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition.

https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/isc-releases-security-advisories-bind


Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-affect-ibm-netezza-performance-portal-2/


Security Bulletin: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-vm2-module-affects-ibm-cloud-automation-manager-2/


Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo-affects-ibm-spectrum-protect-for-virtual-environments-cve-2021-23450-2/


Security Bulletin: Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305)

https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-netcool-omnibus-probe-dsl-factory-framework-is-vulnerable-to-arbitrary-code-execution-cve-2022-23302-cve-2022-23307-and-sql-injection-cve-2022-2/


Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of IBM Websphere Liberty (CVE-2021-35517, CVE-2021-36090)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-has-applied-security-fixes-for-its-use-of-ibm-websphere-liberty-cve-2021-35517-cve-2021-36090/


Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44531)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-app-connect-enterprise-cve-2021-44531/


Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-0235)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-js-affect-ibm-app-connect-enterprise-cve-2022-0235/


Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-aix-cve-2021-25219-3/


Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db2-affect-ibm-spectrum-protect-server-cve-2021-38931-cve-2021-29678-cve-2021-20373-cve-2021-39002-cve-2021-38926-3/


Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-runtime-and-golang-go-affect-ibm-spectrum-protect-server-cve-2021-35578-cve-2021-44716-cve-2021-44717-4/


Security Bulletin: A security vulnerability in log4j v1.2 affects IBM Cloud Automation Manager

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-log4j-v1-2-affects-ibm-cloud-automation-manager/