End-of-Day report
Timeframe: Tuesday 05-04-2022 18:00 - Wednesday 06-04-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
Microsoft detects Spring4Shell attacks across its cloud services
Microsoft said that it's currently tracking a "low volume of exploit attempts" targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability across its cloud services.
https://www.bleepingcomputer.com/news/security/microsoft-detects-spring4shell-attacks-across-its-cloud-services/
Windows MetaStealer Malware, (Wed, Apr 6th)
The malware abuses legitimate services by Github and transfer.sh to host these data binaries.
All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary.
https://isc.sans.edu/diary/rss/28522
Zero-day flaws: older macOS and iOS versions remain vulnerable
Apple has patched the actively exploited flaws only in iOS 15 and macOS 12. According to security researchers, older operating system versions are vulnerable as well.
https://heise.de/-6664730
If your PC suddenly freezes, don't call Microsoft!
The scam in which criminals pose as Microsoft employees and contact their victims by phone is widely known. Currently, those affected increasingly receive no call at all; instead, they are prompted to call by pop-ups on their screens that restrict the use of the computer. Warning: do not call, or you risk losing money and data!
https://www.watchlist-internet.at/news/wenn-der-pc-ploetzlich-steckenbleibt-nicht-bei-microsoft-anrufen/
Fake e-shops on the prowl for banking credentials using Android malware
This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign.
https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
Analyzing a "multilayer" Maldoc: A Beginner's Guide
In this blog post, we will not only analyze an interesting malicious document, but we will also demonstrate the steps required to get you up and running with the necessary analysis tools. There is also a howto video for this blog post.
https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/
Vulnerabilities
Fortinet Security Advisories (FortiClient, FortiEDR, FortiWAN)
* FortiClient (Linux) - Improper directories permissions
* FortiClient (Linux) - external access to confighandler webserver
* FortiClient (Windows) - privilege escalation in online installer due to incorrect working directory
* FortiEDR - Denial of service due to folder access permission change
* FortiEDR - Hardcoded AES key enables disabling local Collector
* FortiEDR - Insecure RSA key transport
* FortiWAN - Improper cryptographic operations in Dynamic Tunnel Protocol
* FortiWAN - Pervasive OS command
https://www.fortiguard.com/psirt?date=04-2022
VMSA-2022-0011
CVSSv3 Range: 5.3-9.8
CVE(s): CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961
Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.
https://www.vmware.com/security/advisories/VMSA-2022-0011.html
Security updates for Wednesday
Security updates have been issued by Arch Linux (rizin), Fedora (fish, gdal, mingw-fribidi, mingw-gdal, mingw-openexr, mingw-python-pillow, mingw-python3, and python-pillow), Mageia (chromium-browser-stable), Oracle (Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel and kernel), Red Hat (kernel, kernel-rt, and Red Hat OpenStack Platform 16.2 (python-waitress)), Scientific Linux (kernel), Slackware (mozilla), SUSE (mozilla-nss), and Ubuntu (h2database).
https://lwn.net/Articles/890404/
Security Vulnerabilities fixed in Thunderbird 91.8
CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, CVE-2022-28289
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/
Spring Cloud Data Flow 2.9.4 Released
On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Cloud Dataflow 2.9.4 has been released and is now available from Maven Central. This release contains an update of the Spring Boot version and addresses a couple of CVEs.
Notable Changes in 2.9.4:
* Update to Spring Boot 2.5.12
* Resolves CVE-2022-22965
* Resolves CVE-2021-29425
https://spring.io/blog/2022/04/05/spring-cloud-data-flow-2-9-4-released
Improper Authentication Management Vulnerability in some Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220406-01-bdb62b17-en
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031, CVE-2021-46708)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-spoofing-attacks-and-clickjacking-due-to-swagger-ui-cve-2018-25031-cve-2021-46708/
Security Bulletin: Watson Query potentially exposes administrator's key under some conditions due to CVE-2022-22410
https://www.ibm.com/blogs/psirt/security-bulletin-watson-query-potentially-exposes-adminstrators-key-under-some-conditions-due-to-cve-2022-22410/
Security Bulletin: Cross-site scripting vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-38893
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2021-38893/
Security Bulletin: Vulnerabilities with Apache HTTP Server affect IBM Cloud Object Storage Systems (Apr 2022 V1)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-apache-http-server-affect-ibm-cloud-object-storage-systems-apr-2022-v1/
K49419538: libxml2 vulnerability CVE 2016-4658
https://support.f5.com/csp/article/K49419538?utm_source=f5support&utm_medium=RSS
WAGO: Multiple Products affected by Linux Kernel Vulnerability Dirty Pipe
https://cert.vde.com/de/advisories/VDE-2022-009/
LifePoint Informatics Patient Portal
https://us-cert.cisa.gov/ics/advisories/icsma-22-095-01
Rockwell Automation ISaGRAF
https://us-cert.cisa.gov/ics/advisories/icsa-22-095-01
Johnson Controls Metasys
https://us-cert.cisa.gov/ics/advisories/icsa-22-095-02