Daily summary - 28.03.2022

End-of-Day report

Timeframe: Friday 25-03-2022 18:00 - Monday 28-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Web browser: Emergency update for Google Chrome

Google has released new versions of the Chrome web browser that close a security vulnerability for which exploit code already exists.

https://heise.de/-6638415


Do not use the PayPal "Send money to friends" function as a payment method on online marketplaces

Facebook users are currently reporting fraudulent listings on Facebook Marketplace to us. In these, for example, gaming chairs are offered as giveaways. The person asks for only 15 euros for shipping. The amount is to be transferred using the PayPal "Send money to friends" function. Warning: this is fraud! You lose your money and receive no product!

https://www.watchlist-internet.at/news/paypal-funktion-geld-an-freunde-senden-nicht-als-zahlungsmittel-auf-online-marktplaetzen-verwenden/


Public Redis exploit used by malware gang to grow botnet

Threat analysts report having spotted a change in the operations of the Muhstik threat group, which has now switched to actively exploiting a Lua sandbox escape flaw in Redis.

https://www.bleepingcomputer.com/news/security/public-redis-exploit-used-by-malware-gang-to-grow-botnet/


Hive ransomware ports its Linux VMware ESXi encryptor to Rust

The Hive ransomware operation has converted its VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims' ransom negotiations.

https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/


The Mystery Admin User

One of our clients recently submitted a malware removal request with a curious problem: A mystery admin user kept getting re-created on their website. Try as they might, nothing they did would get rid of this user; it just kept coming back.

https://blog.sucuri.net/2022/03/the-mystery-admin-user.html


Purple Fox Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks

The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software. "Users' machines are targeted via trojanized software packages masquerading as legitimate application installers," Trend Micro researchers said in a report [...]

https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html


Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report [...]

https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html


Under the hood of Wslink's multilayered virtual machine

ESET researchers describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through its obfuscation techniques.

https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-virtual-machine/


Vulnerability Management in a nutshell

Vulnerability Management plays an important role in an organization's line of defense. However, setting up a Vulnerability Management process can be very time consuming. This blog post will briefly cover the core principles of Vulnerability Management and how it can help protect your organization against threats and adversaries looking to abuse weaknesses.

https://blog.nviso.eu/2022/03/28/vulnerability-management-in-a-nutshell/


Ransomware profile: RansomExx

A comprehensive profile of the RansomExx ransomware strain.

https://blog.emsisoft.com/en/41027/ransomware-profile-ransomexx/

Vulnerabilities

Security update: Sophos Firewall could let malicious code through

The Sophos firewall is leaky. Updated versions resolve the security problem.

https://heise.de/-6653493


Whitepaper - Double Fetch Vulnerabilities in C and C++

Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes. As much of this information is spread across various sources, this whitepaper draws the knowledge together into a single place, in order to better describe the different [...]

https://research.nccgroup.com/2022/03/28/whitepaper-double-fetch-vulnerabilities-in-c-and-c/


Security updates for Monday

Security updates have been issued by Debian (chromium and faad2), Fedora (dotnet3.1, libass, linux-firmware, python-paramiko, seamonkey, and xen), openSUSE (perl-DBD-SQLite and wavpack), Slackware (seamonkey), SUSE (perl-DBD-SQLite and wavpack), and Ubuntu (binutils, python2.7, python3.4, python3.5, python3.6, python3.8, and smarty3).

https://lwn.net/Articles/889423/


CISA Adds 66 Known Exploited Vulnerabilities to Catalog

CISA has added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.

https://us-cert.cisa.gov/ncas/current-activity/2022/03/25/cisa-adds-66-known-exploited-vulnerabilities-catalog


Microsoft Security Update Revisions (25 March 2022)

On 25 March 2022 Microsoft released a few more revisions to security updates. The revisions address changed assessments of vulnerabilities. Here is an overview without commentary.

https://www.borncity.com/blog/2022/03/28/microsoft-security-update-revisions-25-mrz-2022/


SonicWall SonicOS: Vulnerability allows denial of service

https://www.cert-bund.de/advisoryshort/CB-K22-0348


PowerDNS: Vulnerability allows denial of service

https://www.cert-bund.de/advisoryshort/CB-K22-0358


Cross-site scripting vulnerability in DHC Vision (SYSS-2022-019)

https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-dhc-vision-syss-2022-019


SQL injection in the B2B Suite of the Shopware e-commerce framework (SYSS-2022-018)

https://www.syss.de/pentest-blog/sql-injection-in-der-b2b-suite-des-shopware-e-commerce-frameworks-syss-2022-018


Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35550, CVE-2021-35603)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-watson-explorer-and-watson-explorer-content-analytics-studio-cve-2021-35550-cve-2021-35603/


Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java Technology Edition

https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-management-system-monitor-is-affected-by-a-vulnerability-in-ibm-sdk-java-technology-edition-5/


Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) - CVE-2020-4768

https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-affect-ibm-business-automation-workflow-and-ibm-case-manager-icm-cve-2020-4768-2/


Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35578)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affects-watson-explorer-and-watson-explorer-content-analytics-studio-cve-2021-35578/


Security Bulletin: IBM UrbanCode Build is affected by CVE-2022-23181

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2022-23181/


Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-42340

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-42340/