Daily summary - 05.04.2022

End-of-Day report

Timeframe: Monday 04-04-2022 18:00 - Tuesday 05-04-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

WhatsApp voice message phishing emails push info-stealing malware

A new WhatsApp phishing campaign impersonating WhatsApp's voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses.

https://www.bleepingcomputer.com/news/security/whatsapp-voice-message-phishing-emails-push-info-stealing-malware/


SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965

Microsoft provides guidance for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical vulnerability CVE-2022-22965, also known as SpringShell or Spring4Shell.

https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/


WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools, (Tue, Apr 5th)

Looking through my honeypot logs for some Spring4Shell exploits (I didn't find anything interesting), I came across this attempt to exploit an older WebLogic vulnerability (likely CVE-2020-14882 or CVE-2020-14883). The exploit itself is "run of the mill," but the script downloaded goes through an excessively long list of competitors to disable, and disables cloud monitoring tools, likely to make detection and response more difficult.

https://isc.sans.edu/diary/rss/28520


ZDI-22-547: (0Day) (Pwn2Own) Samsung Galaxy S21 Exposed Dangerous Method Local Privilege Escalation Vulnerability

This vulnerability allows local attackers to execute arbitrary code on affected installations of Samsung Galaxy S21 phones. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-22-547/


Phishing attacks on the cryptocurrency sector after MailChimp breach

After a breach at the marketing email provider MailChimp, cybercriminals attempted to obtain cryptocurrency from crypto wallet customers via phishing.

https://heise.de/-6662971


CISA advises D-Link users to take vulnerable routers offline

CISA has advised users to take certain vulnerable D-Link routers offline, since the existing vulnerabilities are known to be actively exploited and the affected models have reached end of life (EOL) and will not be patched.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline/


Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter

Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software.

http://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html

Vulnerabilities

Android Security Bulletin - April 2022

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-04-05 or later address all of these issues.

https://source.android.com/security/bulletin/2022-04-01


Xen Security Advisory CVE-2022-26358, CVE-2022-26359, CVE-2022-26360, CVE-2022-26361 / XSA-400

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. The precise impact is system specific, but would likely be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out.

https://xenbits.xen.org/xsa/advisory-400.html


Xen Security Advisory CVE-2022-26357 / XSA-399

Race in VT-d domain ID cleanup. The precise impact is system specific, but would typically be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out.

https://xenbits.xen.org/xsa/advisory-399.html


Xen Security Advisory CVE-2022-26356 / XSA-397

Racy interactions between dirty vram tracking and paging log dirty hypercalls. An attacker can cause Xen to leak memory, eventually leading to a Denial of Service (DoS) affecting the entire host.

https://xenbits.xen.org/xsa/advisory-397.html


Security updates for Tuesday

Security updates have been issued by Arch Linux (polkit, postgresql, and zlib), openSUSE (389-ds and opera), Red Hat (kpatch-patch), SUSE (389-ds and util-linux), and Ubuntu (waitress).

https://lwn.net/Articles/890258/


Kyocera Printer: Vulnerability allows disclosure of information

A remote, anonymous attacker can exploit a vulnerability in Kyocera Printer to disclose information.

http://www.cert-bund.de/advisoryshort/CB-K22-0391


Citrix Hypervisor Security Update

This issue may allow privileged code in a guest VM to cause the host to crash or become unresponsive. The issue only affects systems with Intel CPUs where the malicious guest VM has had a physical PCI device assigned to it by the host administrator using the PCI passthrough feature. The issue has the following identifier: CVE-2022-26357. Customers who have not assigned a physical PCI device to a guest VM are not affected by this issue. Customers who are running on systems with only AMD CPUs are also not affected by this issue.

https://support.citrix.com/article/CTX390511


Security update for the Google Chrome web browser

https://heise.de/-6662814


Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple issues within Red Hat UBI packages and the IBM WebSphere Application Server Liberty shipped with IBM MQ Operator v1.7 CD Release

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-multiple-issues-within-red-hat-ubi-packages-and-the-ibm-websphere-application-server-liberty-shipped-with-ibm-mq/


Security Bulletin: A security vulnerability has been identified in Dojo Toolkit shipped with IBM Tivoli Netcool Impact (CVE-2021-23450)

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-dojo-toolkil-shipped-with-ibm-tivoli-netcool-impact-cve-2021-23450/


Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23302)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-an-apache-log4j-vulnerability-cve-2022-23302/


Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-39031)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-tivoli-netcool-impact-cve-2021-39031/


Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-22310)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-websphere-application-server-liberty-shipped-with-ibm-tivoli-netcool-impact-cve-2022-22310/


Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-may-be-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-1-2-cve-2021-4104/


Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23305)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-an-apache-log4j-vulnerability-cve-2022-23305/


Security Bulletin: IBM MQ Appliance affected by account enumeration and denial of service vulnerabilities (CVE-2022-22356 and CVE-2022-22355)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected-by-account-enumeration-and-denial-of-service-vulnerabilities-cve-2022-22356-and-cve-2022-22355/


Security Bulletin: One or more security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics

https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vulnerabilities-has-been-identified-in-ibm-db2-shipped-with-ibm-puredata-system-for-operational-analytics-cve-2018-1980cve-2019-4094cve-2018-1922/


Security Bulletin: IBM Tivoli Netcool Impact is affected by gson vulnerability (C2021-0419)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-affected-by-gson-vulnerability-c2021-0419/


K29855410: Vim vulnerabilities CVE-2022-0261, CVE-2022-0318, CVE-2022-0361, CVE-2022-0392, and CVE-2022-0413

https://support.f5.com/csp/article/K29855410?utm_source=f5support&utm_medium=RSS


K08827426: Vim vulnerability CVE-2022-0359

https://support.f5.com/csp/article/K08827426?utm_source=f5support&utm_medium=RSS


Security Vulnerabilities fixed in Firefox ESR 91.8

https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/


Security Vulnerabilities fixed in Firefox 99

https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/