End-of-Day report
Timeframe: Friday 25-03-2022 18:00 - Monday 28-03-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Web browser: Emergency update for Google Chrome
Google has released new versions of the Chrome web browser that close a security vulnerability for which exploit code already exists.
https://heise.de/-6638415
Do not use the PayPal function "Send money to friends" as a payment method on online marketplaces
Facebook users are currently reporting fraudulent listings on Facebook Marketplace to us. In them, for example, gaming chairs are offered as giveaways. The person asks for only 15 euros for shipping. The amount is to be sent using the PayPal function "Send money to friends". Warning: this is fraud! You lose your money and receive no product!
https://www.watchlist-internet.at/news/paypal-funktion-geld-an-freunde-senden-nicht-als-zahlungsmittel-auf-online-marktplaetzen-verwenden/
Public Redis exploit used by malware gang to grow botnet
Threat analysts report having spotted a change in the operations of the Muhstik threat group, which has now switched to actively exploiting a Lua sandbox escape flaw in Redis.
https://www.bleepingcomputer.com/news/security/public-redis-exploit-used-by-malware-gang-to-grow-botnet/
Hive ransomware ports its Linux VMware ESXi encryptor to Rust
The Hive ransomware operation has converted its VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims' ransom negotiations.
https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/
The Mystery Admin User
One of our clients recently submitted a malware removal request with a curious problem: A mystery admin user kept getting re-created on their website. Try as they might, nothing they did would get rid of this user; it just kept coming back.
https://blog.sucuri.net/2022/03/the-mystery-admin-user.html
Purple Fox Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks
The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software. "Users' machines are targeted via trojanized software packages masquerading as legitimate application installers," Trend Micro researchers said in a report [...]
https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html
Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware
A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report [...]
https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html
Under the hood of Wslink's multilayered virtual machine
ESET researchers describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through its obfuscation techniques.
https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-virtual-machine/
Vulnerability Management in a nutshell
Vulnerability Management plays an important role in an organization's line of defense. However, setting up a Vulnerability Management process can be very time consuming. This blogpost will briefly cover the core principles of Vulnerability Management and how it can help protect your organization against threats and adversaries looking to abuse weaknesses.
https://blog.nviso.eu/2022/03/28/vulnerability-management-in-a-nutshell/
Ransomware profile: RansomExx
A comprehensive profile of the RansomExx ransomware strain.
https://blog.emsisoft.com/en/41027/ransomware-profile-ransomexx/
Vulnerabilities
Security update: Sophos Firewall could let malicious code through
The Sophos firewall has holes. Updated versions fix the security problem.
https://heise.de/-6653493
Whitepaper - Double Fetch Vulnerabilities in C and C++
Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes. As much of this information is spread across various sources, this whitepaper draws the knowledge together into a single place, in order to better describe the different [...]
https://research.nccgroup.com/2022/03/28/whitepaper-double-fetch-vulnerabilities-in-c-and-c/
Security updates for Monday
Security updates have been issued by Debian (chromium and faad2), Fedora (dotnet3.1, libass, linux-firmware, python-paramiko, seamonkey, and xen), openSUSE (perl-DBD-SQLite and wavpack), Slackware (seamonkey), SUSE (perl-DBD-SQLite and wavpack), and Ubuntu (binutils, python2.7, python3.4, python3.5, python3.6, python3.8, and smarty3).
https://lwn.net/Articles/889423/
CISA Adds 66 Known Exploited Vulnerabilities to Catalog
CISA has added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.
https://us-cert.cisa.gov/ncas/current-activity/2022/03/25/cisa-adds-66-known-exploited-vulnerabilities-catalog
Microsoft Security Update Revisions (25 March 2022)
On 25 March 2022 Microsoft published several more revisions to security updates. The revisions cover changed assessments of vulnerabilities. Here is an uncommented overview.
https://www.borncity.com/blog/2022/03/28/microsoft-security-update-revisions-25-mrz-2022/
SonicWall SonicOS: Vulnerability allows denial of service
https://www.cert-bund.de/advisoryshort/CB-K22-0348
PowerDNS: Vulnerability allows denial of service
https://www.cert-bund.de/advisoryshort/CB-K22-0358
Cross-site scripting vulnerability in DHC Vision (SYSS-2022-019)
https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-dhc-vision-syss-2022-019
SQL injection in the B2B Suite of the Shopware e-commerce framework (SYSS-2022-018)
https://www.syss.de/pentest-blog/sql-injection-in-der-b2b-suite-des-shopware-e-commerce-frameworks-syss-2022-018
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35550, CVE-2021-35603)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-watson-explorer-and-watson-explorer-content-analytics-studio-cve-2021-35550-cve-2021-35603/
Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM SDK Java Technology Edition
https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-management-system-monitor-is-affected-by-a-vulnerability-in-ibm-sdk-java-technology-edition-5/
Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) - CVE-2020-4768
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-affect-ibm-business-automation-workflow-and-ibm-case-manager-icm-cve-2020-4768-2/
Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35578)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affects-watson-explorer-and-watson-explorer-content-analytics-studio-cve-2021-35578/
Security Bulletin: IBM UrbanCode Build is affected by CVE-2022-23181
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2022-23181/
Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-42340
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-affected-by-cve-2021-42340/