Daily summary - 06.04.2022

End-of-Day report

Timeframe: Tuesday 05-04-2022 18:00 - Wednesday 06-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner

News

Microsoft detects Spring4Shell attacks across its cloud services

Microsoft said that it's currently tracking a "low volume of exploit attempts" targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability across its cloud services.

https://www.bleepingcomputer.com/news/security/microsoft-detects-spring4shell-attacks-across-its-cloud-services/


Windows MetaStealer Malware, (Wed, Apr 6th)

The malware abuses legitimate services from GitHub and transfer.sh to host these data binaries. All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.

https://isc.sans.edu/diary/rss/28522


Zero-day flaws: older macOS and iOS versions remain vulnerable

Apple has patched the actively exploited flaws only in iOS 15 and macOS 12. According to security researchers, however, older operating system versions are also vulnerable.

https://heise.de/-6664730


If your PC suddenly freezes, don't call Microsoft!

The scam in which criminals pose as Microsoft employees and contact their victims by phone is widely known. Currently, those affected increasingly receive no call at all; instead they are prompted to call by pop-ups on their screens that restrict use of the computer. Warning: do not call, or you risk losing money and data!

https://www.watchlist-internet.at/news/wenn-der-pc-ploetzlich-steckenbleibt-nicht-bei-microsoft-anrufen/


Fake e-shops on the prowl for banking credentials using Android malware

This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign.

https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/


Analyzing a "multilayer" Maldoc: A Beginner's Guide

In this blog post, we will not only analyze an interesting malicious document, but we will also demonstrate the steps required to get you up and running with the necessary analysis tools. There is also a howto video for this blog post.

https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/

Vulnerabilities

Fortinet Security Advisories (FortiClient, FortiEDR, FortiWAN)

* FortiClient (Linux) - Improper directories permissions
* FortiClient (Linux) - external access to confighandler webserver
* FortiClient (Windows) - privilege escalation in online installer due to incorrect working directory
* FortiEDR - Denial of service due to folder access permission change
* FortiEDR - Hardcoded AES key enable disabling local Collector
* FortiEDR - Insecure RSA key transport
* FortiWAN - Improper cryptographic operations in Dynamic Tunnel Protocol
* FortiWAN - Pervasive OS command

https://www.fortiguard.com/psirt?date=04-2022


VMSA-2022-0011

CVSSv3 Range: 5.3-9.8
CVE(s): CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961
Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.

https://www.vmware.com/security/advisories/VMSA-2022-0011.html


Security updates for Wednesday

Security updates have been issued by Arch Linux (rizin), Fedora (fish, gdal, mingw-fribidi, mingw-gdal, mingw-openexr, mingw-python-pillow, mingw-python3, and python-pillow), Mageia (chromium-browser-stable), Oracle (Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel and kernel), Red Hat (kernel, kernel-rt, and Red Hat OpenStack Platform 16.2 (python-waitress)), Scientific Linux (kernel), Slackware (mozilla), SUSE (mozilla-nss), and Ubuntu (h2database).

https://lwn.net/Articles/890404/


Security Vulnerabilities fixed in Thunderbird 91.8

CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, CVE-2022-28289

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/


Spring Cloud Data Flow 2.9.4 Released

On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Cloud Dataflow 2.9.4 has been released and is now available from Maven Central. This release contains an update of the Spring Boot version and addresses a couple of CVEs.

Notable Changes in 2.9.4:
* Update to Spring Boot 2.5.12
* Resolves CVE-2022-22965
* Resolves CVE-2021-29425

https://spring.io/blog/2022/04/05/spring-cloud-data-flow-2-9-4-released


Improper Authentication Management Vulnerability in some Huawei Products

http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220406-01-bdb62b17-en


Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031, CVE-2021-46708)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-spoofing-attacks-and-clickjacking-due-to-swagger-ui-cve-2018-25031-cve-2021-46708/


Security Bulletin: Watson Query potentially exposes administrator's key under some conditions due to CVE-2022-22410

https://www.ibm.com/blogs/psirt/security-bulletin-watson-query-potentially-exposes-adminstrators-key-under-some-conditions-due-to-cve-2022-22410/


Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-38893

https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2021-38893/


Security Bulletin: Vulnerabilities with Apache HTTP Server affect IBM Cloud Object Storage Systems (Apr 2022 V1)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-apache-http-server-affect-ibm-cloud-object-storage-systems-apr-2022-v1/


K49419538: libxml2 vulnerability CVE-2016-4658

https://support.f5.com/csp/article/K49419538?utm_source=f5support&utm_medium=RSS


WAGO: Multiple Products affected by Linux Kernel Vulnerability Dirty Pipe

https://cert.vde.com/de/advisories/VDE-2022-009/


LifePoint Informatics Patient Portal

https://us-cert.cisa.gov/ics/advisories/icsma-22-095-01


Rockwell Automation ISaGRAF

https://us-cert.cisa.gov/ics/advisories/icsa-22-095-01


Johnson Controls Metasys

https://us-cert.cisa.gov/ics/advisories/icsa-22-095-02