Daily Summary - 29.03.2022

End-of-Day report

Timeframe: Monday 28-03-2022 18:00 - Tuesday 29-03-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

Sophos warns critical firewall bug is being actively exploited

British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks.

https://www.bleepingcomputer.com/news/apple/sophos-warns-critical-firewall-bug-is-being-actively-exploited/


Triton Malware Still Targeting Energy Firms

The FBI's latest Private Industry Notification warns the energy sector that the group behind Triton is still up to no good.

https://www.darkreading.com/attacks-breaches/triton-malware-still-targeting-energy-firms


Linux kernel: Netfilter bug gives users root privileges

Several bugs have been found in the Netfilter code of the Linux kernel that allow a user to gain root privileges. The kernel team has released updates for all supported version branches (CVE-2022-1015, CVE-2022-1016).

https://www.golem.de/news/linux-kernel-netfilter-bug-gibt-nutzern-root-rechte-2203-164225-rss.html


A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages

A threat actor dubbed "RED-LILI" has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules.

https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html


Fraudulent SMS messages in the name of Volksbank

Fraudulent SMS messages in the name of Volksbank are currently circulating. Recipients are urgently asked to click on a link, supposedly because their account has been blocked. Warning: this is fraud. Anyone who clicks the link ends up on a fake Volksbank login page, where their credentials are stolen!

https://www.watchlist-internet.at/news/betruegerische-sms-im-namen-der-volksbank/


Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners

A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated. According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners.

https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-servers-with-backdoors-crypto-miners/


Verblecon: Sophisticated New Loader Used in Low-level Attacks

There are indications that the attacker may not realize the potential capabilities of the malware they are using.

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord


Mitigating Attacks Against Uninterruptable Power Supply Devices

CISA and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices, often through unchanged default usernames and passwords. Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet.

https://us-cert.cisa.gov/ncas/current-activity/2022/03/29/mitigating-attacks-against-uninterruptable-power-supply-devices

Vulnerabilities

Wyze Cam flaw lets hackers remotely access your saved videos

The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019. The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery. The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update.

https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-remotely-access-your-saved-videos/


ZDI-22-545: (0Day) Siemens Simcenter Femap NEU File Parsing Out-Of-Bounds Write Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Siemens Simcenter Femap. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

http://www.zerodayinitiative.com/advisories/ZDI-22-545/


Critical malicious-code vulnerability in the in-memory database Redis closed

The interplay between Debian systems and Redis can lead to serious security problems. Hardened versions provide a remedy.

https://heise.de/-6655726


Security updates for Tuesday

Security updates have been issued by Debian (libdatetime-timezone-perl, pjproject, and tzdata), Mageia (chromium-browser-stable, docker, graphicsmagick, and libtiff), Oracle (expat), Red Hat (expat, httpd:2.4, openssl, and screen), Scientific Linux (expat and openssl), and Ubuntu (libtasn1-6, linux-oem-5.14, openjdk-lts, and paramiko).

https://lwn.net/Articles/889571/


Security warning: Authentication vulnerability CVE-2022-0342 in Zyxel USG/ZyWALL

Various Zyxel firewall products contain a critical authentication vulnerability (CVE-2022-0342). This security hole makes a takeover of the firewall possible. Zyxel does provide firmware updates for devices that are still under support.

https://www.borncity.com/blog/2022/03/29/sicherheitswarnung-authentifizierungsschwachstelle-cve-2022-0342-in-zyxel-usg-zywall/


CVE-2018-25032: Zlib Memory Corruption Vulnerability

You may be thinking: "Wait, this new CVE starts with 2018... this must be a mistake?". In fact, it is not a mistake. This is about a CVE that everyone thought was patched years ago but now appears to be alive and well. [...] Linux distributions such as Ubuntu and Alpine have already implemented the fix in their latest releases, so you may want to update Zlib to your platform's release of version 1.2.12, and re-compile any programs with the updated library.

https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-cve-2018-25032/


Security Bulletin: CVE-2021-44228 log4j affects MAS Monitor 8.4, 8.5 and 8.6

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-44228-log4j-affects-mas-monitor-8-4-8-5-and-8-6/


Security Bulletin: MAS Monitor 8.4, 8.5, and 8.6 log4j

https://www.ibm.com/blogs/psirt/security-bulletin-mas-monitor-8-4-8-5-and-8-6-log4j/


Security Bulletin: Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries)

https://www.ibm.com/blogs/psirt/security-bulletin-critical-vulnerabilities-in-libraries-used-by-libraries-that-ibm-spectrum-discover-is-using-libraries-of-libraries/


K33548065: Eclipse Jetty vulnerability CVE-2018-12536

https://support.f5.com/csp/article/K33548065?utm_source=f5support&utm_medium=RSS


K03674368: Linux kernel vulnerability CVE-2021-3715

https://support.f5.com/csp/article/K03674368?utm_source=f5support&utm_medium=RSS


Philips e-Alert

https://us-cert.cisa.gov/ics/advisories/icsma-22-088-01


Rockwell Automation ISaGRAF

https://us-cert.cisa.gov/ics/advisories/icsa-22-088-01


Omron CX-Position

https://us-cert.cisa.gov/ics/advisories/icsa-22-088-02


Hitachi Energy LinkOne WebView

https://us-cert.cisa.gov/ics/advisories/icsa-22-088-03


Modbus Tools Modbus Slave

https://us-cert.cisa.gov/ics/advisories/icsa-22-088-04