Daily summary - 11.04.2022

End-of-Day report

Timeframe: Friday 08-04-2022 18:00 - Monday 11-04-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

Android banking malware takes over calls to customer support

A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a bank's customer support number and connect the victim directly with the cybercriminals operating the malware.

https://www.bleepingcomputer.com/news/security/android-banking-malware-takes-over-calls-to-customer-support/


Security: OpenSSH 9.0 released

Among other things, the new version of OpenSSH includes hardening against factorization attacks by future quantum computers.

https://www.golem.de/news/security-openssh-9-0-veroeffentlicht-2204-164550-rss.html


Method For String Extraction Filtering, (Sat, Apr 9th)

In diary entry "XLSB Files: Because Binary is Stealthier Than XML", Xavier shows how to extract strings (URLs) from binary files that make up an Excel spreadsheet. This inspired me to make a tool to parse this XLSB file format: "Quickie: Parsing XLSB Documents". Now I'm presenting another method, one that uses string analysis.

https://isc.sans.edu/diary/rss/28532


Mirai botnet abuses Spring4Shell security hole

Security researchers have observed the Mirai botnet attacking the Spring4Shell vulnerability and thereby spreading the malware.

https://heise.de/-6668646


Denonia cryptominer is first malware to target AWS Lambda

There is now malware in serverless environments. Dubbed Denonia, it specifically targets AWS Lambda to perform cryptojacking.

https://blog.malwarebytes.com/business-2/2022/04/denonia-cryptominer-is-first-malware-to-target-aws-lambda/


Octo Android Trojan Allows Cybercrooks to Conduct On-Device Fraud

Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud.

https://www.securityweek.com/octo-android-trojan-allows-cybercrooks-conduct-device-fraud


Think Like a Criminal: Knowing Popular Attack Techniques to Stop Bad Actors Faster

Analyzing the attack goals of adversaries is important to be able to better align defenses against the speed of changing attack techniques. By focusing on a handful of techniques, you can effectively shut down malware's methods of choice for getting in and making itself at home. To achieve this, you need to know which key areas to focus on in the coming months.

https://www.securityweek.com/think-criminal-knowing-popular-attack-techniques-stop-bad-actors-faster


Love scam - how do I support those affected?

Help! My mother, my uncle, my acquaintance is in love with an internet scammer. For outsiders the case is usually clear: the internet love interest is a scammer. But the victim does not want to believe this and keeps transferring money. What can be done? How can you support victims of romance scammers?

https://www.watchlist-internet.at/news/love-scam-wie-unterstuetze-ich-betroffene/


New SolarMarker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns

A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve.

https://unit42.paloaltonetworks.com/solarmarker-malware/


Insider threats reach outward

When employees want to become cyber warriors on their own initiative, this can endanger corporate security just as much as traditional insider and external threats, reports Andreas Riepen, Regional Sales Director Central Europe at Vectra AI, in a guest article.

https://www.zdnet.de/88400523/insider-bedrohungen-greifen-nach-aussen/


Cyber security in the healthcare sector

The healthcare sector remains one of the areas most frequently attacked by hackers. Unfortunately, the corresponding homework was put off for a long time in the past.

https://www.borncity.com/blog/2022/04/10/cyber-sicherheit-im-gesundheitswesen/

Vulnerabilities

Popular Ruby Asciidoc toolkit patched against critical vuln - get the update now!

A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it.

https://nakedsecurity.sophos.com/2022/04/08/popular-ruby-asciidoc-toolkit-patched-against-critical-vuln-get-the-update-now/


Spring: It isn't just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too., (Mon, Apr 11th)

Our "First Seen URL" page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. [...] The scan for /actuator/gateway/routes may be looking for systems that are possibly vulnerable to CVE-2022-22947 or other vulnerabilities in the Spring Cloud function (we had at least three different vulnerabilities recently).

https://isc.sans.edu/diary/rss/28538


ABB Cyber Security Advisory: ARM600 M2M Gateway NSS library and polkit vulnerabilities

These vulnerabilities affect cryptographic libraries and privilege handling. Subsequently, a successful exploit could allow attackers to execute code with root user privileges or to elevate a non-privileged user to a privileged user.

https://search.abb.com/library/Download.aspx?DocumentID=2NGA001254&LanguageCode=en&DocumentPartId=&Action=Launch


ABB Cyber Security Advisory: Arctic Wireless Gateway Firewall vulnerability (CVE-2022-0947)

A vulnerability is found in the ABB Arctic wireless gateways in a specific configuration and when using firmware versions from 2.4.0 or later until version 3.4.10.

https://search.abb.com/library/Download.aspx?DocumentID=2NGA001253&LanguageCode=en&DocumentPartId=&Action=Launch


Encryption weaknesses in Dell EMC PowerScale OneFS data management software

Admins of systems running Dell EMC PowerScale OneFS should update the software to the current version for security reasons.

https://heise.de/-6668566


Security updates for Monday

Security updates have been issued by Debian (gzip, libxml2, minidlna, openjpeg2, thunderbird, webkit2gtk, wpewebkit, xen, and xz-utils), Fedora (crun, unrealircd, and vim), Mageia (389-ds-base, busybox, flatpak, fribidi, gdal, python-paramiko, and usbredir), openSUSE (opera and seamonkey), Oracle (kernel and kernel-container), Red Hat (firefox), Scientific Linux (firefox), Slackware (libarchive), SUSE (389-ds, libsolv, libzypp, zypper, and python), and Ubuntu (python-django and tcpdump).

https://lwn.net/Articles/890936/


XSS vulnerability patched in Directus data engine platform

The platform is described as a "flexible powerhouse for engineers."

https://www.zdnet.com/article/xss-vulnerability-patched-in-directus-data-engine-platform/


Webmin: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K22-0412


Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23806

https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-cve-2022-23806/


Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been-identified-in-apache-log4j-and-the-application-code-shipped-with-the-ds8000-hardware-management-console-hmc/


Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to spoofing and clickjacking attacks due to swagger-ui (CVE-2018-25031, CVE-2021-46708)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-for-ibm-i-is-vulnerable-to-spoofing-and-clickjacking-attacks-due-to-swagger-ui-cve-2018-25031-cve-2021-46708/


Security Bulletin: IBM Sterling Global Mailbox is vulnerable to denial of service due to Jackson-Databind (217968)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-global-mailbox-is-vulnerable-to-denial-of-service-due-to-jackson-databind-217968/


Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to log4js-node CVE-2022-21704

https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-log4js-node-cve-2022-21704/


Security Bulletin: A cross-site scripting (XSS) vulnerability may impact IBM Cúram Social Program Management (CVE-2021-39068)

https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xss-vulnerability-may-impact-ibm-cram-social-program-managementcve-2021-39068/


Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-runtime-affects-host-on-demand-4/


Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in Google Gson (217225)

https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-management-may-be-affected-by-denial-of-service-vulnerability-in-google-gson-217225/


Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-24921

https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-cve-2022-24921/


Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23772

https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-cve-2022-23772/


Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23773

https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-cve-2022-23773/


Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to node-request-retry CVE-2022-0654

https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-node-request-retry-cve-2022-0654/


Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-5421).

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring-framework-affects-ibm-tivoli-application-dependency-discovery-manager-cve-2020-5421-4/


Security Bulletin: IBM Sterling B2B Integrator vulnerable to cross-site Ajax request vulnerability due to Prototype JavaScript (CVE-2008-7220)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-cross-site-ajax-request-vulnerability-due-to-prototype-javascript-cve-2008-7220/


Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-multiple-vulnerabilities-7/


Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple CVEs in Node.js

https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-automation-assets-in-ibm-cloud-pak-for-integration-are-vulnerable-to-multiple-cves-in-node-js/