End-of-Day report
Timeframe: Monday 21-03-2022 18:00 - Tuesday 22-03-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
Serpent malware campaign abuses Chocolatey Windows package manager
Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new Serpent backdoor malware on systems of French government agencies and large construction firms.
https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/
Conti Ransomware V. 3, Including Decryptor, Leaked
The latest is a fresher version of the ransomware pro-Ukraine researcher ContiLeaks already released, but it's reportedly clunkier code.
Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously released - specifically, the source code for Conti Ransomware V3.0 - to VirusTotal.
https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/
CryptoRom Crypto Scam Abusing iPhone Features to Target Mobile Users
Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been deceiving unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips.
https://thehackernews.com/2022/03/cryptorom-crypto-scam-abusing-iphone.html
Microsoft and Okta: hacker group Lapsus$ has apparently struck again
Microsoft (regarding Azure DevOps) and the access-management provider Okta are currently investigating unauthorized server access.
https://heise.de/-6603364
Locked out? Beware of dubious locksmith services
You have locked yourself out and need a locksmith to get back into your home? Stay calm, research carefully and check the company closely! Keep in mind: the first Google search results are not always the best. On the contrary: as experience and analyses show, many advertised locksmith services are dubious!
https://www.watchlist-internet.at/news/ausgesperrt-vorsicht-vor-unserioesen-schluesseldiensten/
Sandworm: A tale of disruption told anew
[..] BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases, except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute all the malware samples to one overarching group - Sandworm. Who is Sandworm?
https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/
FBI and FinCEN Release Advisory on AvosLocker Ransomware
The Federal Bureau of Investigation (FBI) and the Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware.
https://us-cert.cisa.gov/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware
Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS
In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis.
https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/
Facestealer trojan in the Google Play Store app Craftsart Cartoon Photo Tools steals Facebook credentials
Security researchers at Pradeo have discovered an Android app, Craftsart Cartoon Photo Tools, in the Google Play Store. It is infected with the well-known Facestealer trojan, and 100,000 people have downloaded the app to their devices.
https://www.borncity.com/blog/2022/03/22/facestealer-trojaner-aus-der-google-play-store-app-craftsart-cartoon-photo-tools-klaut-facebook-zugangsdaten/
Cobalt Strike: Overview - Part 7
This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods.
https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/
Detecting shadow credentials
This article is about my journey into tracing changes to the msDS-KeyCredentialLink attribute to verify if their origin is legitimate or a potential attack (aka. Shadow Credentials).
https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
8 Tips for Securing Networks When Time Is Scarce
In light of increased cyber risk surrounding the Russia-Ukraine conflict, we've put together 8 tips that defenders can take right now to prepare.
https://www.rapid7.com/blog/post/2022/03/22/8-tips-for-securing-networks-when-time-is-scarce/
Vulnerabilities
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006
Security risk: Moderately critical
Vulnerability: Third-party libraries
CVE IDs: CVE-2022-24775
Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.
https://www.drupal.org/sa-core-2022-006
Multiple Vulnerabilities in GARO Wallbox
1. Without Authentication (CVE-2021-45878)
2. Hard Coded Credentials for Tomcat Manager (CVE-2021-45877)
3. Unauthenticated Command Injection (CVE-2021-45876)
https://github.com/delikely/advisory/tree/main/GARO
Critical security vulnerabilities in more than 200 HP printer models
Numerous HP printers have security vulnerabilities through which attackers could inject and execute malicious code. Firmware updates provide a fix.
https://heise.de/-6605306
Sophos closes security vulnerabilities in Unified Threat Management firmware
A new firmware version closes, among others, security vulnerabilities through which logged-in users could have executed malicious code.
https://heise.de/-6602749
Cyclops Blink botnet: Asus routers in focus, firmware updates available
The Sandworm cybergang has now set its Cyclops Blink botnet on Asus routers. Firmware updates are intended to prevent infection.
https://heise.de/-6604576
Security updates for Tuesday
Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon).
https://lwn.net/Articles/888859/
Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-23192)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-affects-ibm-spectrum-scale-smb-protocol-access-method-cve-2021-23192/
Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID:
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-7-0-8-0-8-5-9-0-and-liberty-17-0-0-3-through-21-0-0-9-could-allow-a-remote-user-to-enumerate-usernames-due-to-a-difference-of-responses-from-vali-2/
Security Bulletin: Apache Log4j vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-impacts-ibm-watson-knowledge-catalog-in-cloud-pak-for-data-cve-2021-44228-2/
Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2124)
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-affects-ibm-spectrum-scale-smb-protocol-access-method-cve-2016-2124/
Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-pak-for-data-system-1-0-2/
Security Bulletin: Vulnerability in Apache Log4j affects DB2 Recovery Expert for Linux, Unix and Windows
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-db2-recovery-expert-for-linux-unix-and-windows/
Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-pak-for-data-system-1-0/
Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-semeru-runtime-may-affect-ibm-decision-optimization-for-ibm-cloud-pak-for-data-cve-2022-21282-cve-2022-21296-cve-2022-21299/
K31323265: OpenSSL vulnerability CVE-2022-0778
https://support.f5.com/csp/article/K31323265?utm_source=f5support&utm_medium=RSS
PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager
https://cert.vde.com/de/advisories/VDE-2022-007/
Delta Electronics DIAEnergie
https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01