Daily summary - 24.03.2022

End-of-Day report

Timeframe: Wednesday 23-03-2022 18:00 - Thursday 24-03-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner


Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns

Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years. According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the newly disrupted Glupteba botnet, as well as the infamous TrickBot malware, was distributed using the same command-and-control (C2) server.


Double deception: phishing concept extended with a Browser-In-The-Browser attack

In his example, the security researcher takes advantage of the OAuth window. In his demo he rebuilds it exactly using HTML/CSS and gives it a legitimate Google URL, including the HTTPS padlock icon. This makes it harder for victims to detect the fraud, and any passwords they enter end up with the attackers. The approach does have one weak point: the starting point of a BITB attack is a phishing website that offers the OAuth login flow with the fake window. Attackers first have to lure victims there without raising suspicion.


A Closer Look at the LAPSUS$ Data Extortion Group

Microsoft and identity management platform Okta both disclosed this week breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish the information unless a ransom demand is paid. Here's a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.



Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

Security risk: Moderately critical
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to their own user account.


Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

Security risk: Critical
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.


Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)

Western Digital published a firmware update (5.19.117) which entirely removed support for the vulnerable open source third-party service "Depreciated Netatalk Service". As this vulnerability was addressed in the upstream Netatalk code, CVE-2022-23121 was assigned, a ZDI advisory was published, and a new Netatalk release 3.1.13 was distributed which fixed this vulnerability together with a number of others.


Splunk: SVD-2022-0301 Indexer denial-of-service via malformed S2S request

CVSSv3.1 Score: 7.5, High
CVE ID: CVE-2021-3422
The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic.


VMware Carbon App Control: attackers could push malicious code onto servers

Important security updates close two critical vulnerabilities in Carbon App Control for Windows.


Security updates for Thursday

Security updates have been issued by Debian (php-twig), Mageia (abcm2ps, libpano13, and pesign), openSUSE (nextcloud and xen), Oracle (kernel, kernel-container, and openssl), SUSE (java-1_7_1-ibm and xen), and Ubuntu (linux-oem-5.14, openvpn, and thunderbird).


Vulnerability in Windows 3CX phone systems, patching is advised

Anyone running a 3CX system (phone system) on Windows in a version below v18 Update 3 (Build 450) should take action. The vendor has released a security update for this product in the form of v18 Update 3 (Build 450).


Security Bulletin: IBM Sterling Order Management Apache Struts vulnerability


Security Bulletin: IBM Security Verify Governance, Identity Manager virtual appliance component is vulnerable to denial of service (CVE-2021-38951)


Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35550).


Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2021 affects IBM Security Verify Governance, Identity Manager virtual appliance component


Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603


Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect SPSS Collaboration and Deployment Services


Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35603).


Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX


Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Clickjacking (CVE-2021-39038)


Security Bulletin: Vulnerabilities with Expat affect IBM Cloud Object Storage Systems (Mar 2022 V1)


Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester


Security Bulletin: This Power System update is being released to address CVE-2022-22374


Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35578).


Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware


Yokogawa CENTUM and Exaopc