End-of-Day report
Timeframe: Tuesday 12-04-2022 18:00 - Wednesday 13-04-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
Emotet modules and recent attacks
Emotet was disrupted in January 2021 and returned in November. This report provides a technical description of its active modules and statistics on the malware's recent attacks.
https://securelist.com/emotet-modules-and-recent-attacks/106290/
Fodcha, a new DDoS botnet
Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big: in China alone there are more than 10,000 daily active bots (IPs) and also more than 100 DDoS victims being targeted on a daily basis.
https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/
TallGrass - A Python script that enumerates supported antiviruses and their exclusions on Windows hosts within a domain
Some antiviruses, like Windows Defender, expose their exclusions through the registry. Because of this, it is possible, and somewhat trivial, to enumerate them for potential means of AV evasion. TallGrass queries the domain controller for all domain-joined Windows hosts, then enumerates the AV exclusions for each host.
https://github.com/chdav/TallGrass
PCI DSS 4.0 released: More security for credit card data
The new version 4.0 of PCI DSS extends the de facto security standard for payment systems. Above all, the objectives are meant to be more flexible to implement.
https://heise.de/-6671323
Beware of dubious holiday offers such as reisebuero-fuchs.com!
Holiday planning for spring and summer is well under way. Criminals take advantage of this and publish fraudulent holiday booking platforms. There you find great accommodation at top conditions. The catch: you are asked to pay deposits in advance, but the owners of the accommodation know nothing about your bookings and the money ends up in the pockets of criminals! Conclusion: do not pay anything!
https://www.watchlist-internet.at/news/achtung-vor-unserioesen-urlaubsangeboten-wie-reisebuero-fuchscom/
Coercing NTLM Authentication from SCCM
tl;dr: Disable NTLM for Client Push Installation
[...]
Client push installation accounts require local admin privileges to install software on systems in an SCCM site, so it is often possible to relay the credentials and execute actions in the context of a local admin on other SCCM clients in the site.
https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a
CVE-2022-26809: All your RPC are belong to us
In Microsoft's April 2022 Patchday there are once again updates [...] More interesting is the pair CVE-2022-26809/CVE-2022-24491 with RCE: here the patch does arrive before the first known exploitation of the vulnerability, but with a CVSS of 9.8 the alarm bells should ring loudly. The first concerns the generic RPC service, the second the NFS server. While NFS will not be in use everywhere, Windows RPC on port 445 is very widespread and, within company networks, inevitably very rarely protected by firewalls.
https://cert.at/de/aktuelles/2022/4/2022-04-windows-patchday
[Caution] Virus/XLS Xanpei Infecting Normal Excel Files
The ASEC analysis team has recently discovered the constant distribution of malware strains that spread the infection when Excel file is opened. Besides infecting normal Excel files, they can also perform additional malicious behaviors such as acting as a downloader and performing DNS Spoofing, therefore, users need to take great caution.
https://asec.ahnlab.com/en/33630/
Vulnerabilities
Critical flaw in Elementor WordPress plugin may affect 500k sites
The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. [..] The latest version includes a commit that implements an additional check on the nonce access, using the "current_user_can" WordPress function. While this should address the security gap, the researchers haven't validated the fix yet, and the Elementor team hasn't published any details about the patch.
https://www.bleepingcomputer.com/news/security/critical-flaw-in-elementor-wordpress-plugin-may-affect-500k-sites/
Security: Git announces security vulnerabilities and publishes patch
Git has announced two security vulnerabilities and at the same time provided a patch that closes them: updating is urgently recommended.
https://www.golem.de/news/sicherheit-git-gibt-sicherheitsluecken-bekannt-und-veroeffentlicht-patch-2204-164609-rss.html
Patchday: SAP closes 30 security vulnerabilities
SAP has published 21 new notes on vulnerabilities in various products and updated nine older ones. Administrators should install the updates soon.
https://heise.de/-6670382
Security patch for Apache Struts incomplete - new update is meant to fix it
Due to the risk of possible malicious-code attacks, admins should bring their Apache Struts systems up to date.
https://heise.de/-6670584
Security updates for Wednesday
Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion).
https://lwn.net/Articles/891182/
Apache Subversion: Multiple vulnerabilities
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in Apache Subversion to disclose information or cause a denial of service.
http://www.cert-bund.de/advisoryshort/CB-K22-0436
Citrix Releases Security Updates for Multiple Products
Original release date: April 12, 2022. Citrix has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Citrix security bulletins and apply the necessary updates.
https://us-cert.cisa.gov/ncas/current-activity/2022/04/12/citrix-releases-security-updates-multiple-products
Motorola Android App Vulnerabilities
Some Motorola Android applications do not properly verify the server certificate, which could lead to the communication channel being accessible by an attacker. [..] Update to the latest version of the applications in the Product Impact section below.
App Name: 'Ready For', 'Device Help'
http://support.lenovo.com/product_security/PS500482-MOTOROLA-ANDROID-APP-VULNERABILITIES
ThinkPad BIOS Vulnerabilities
The following vulnerabilities were reported in ThinkPad BIOS.
CVE IDs: CVE-2022-1107, CVE-2022-1108
Update system firmware to the version (or newer) indicated for your model [..]
http://support.lenovo.com/product_security/PS500480-THINKPAD-BIOS-VULNERABILITIES
Lenovo System Update Privilege Escalation Vulnerability
A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window.
http://support.lenovo.com/product_security/PS500483-LENOVO-SYSTEM-UPDATE-PRIVILEGE-ESCALATION-VULNERABILITY
Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968)
While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.
https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968
Bentley Security Advisory BE-2022-0006: IFC File Parsing Vulnerabilities in MicroStation and MicroStation-based applications
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006
Security Bulletin: IBM Security SOAR is affected but not classified as vulnerable to remote code execution in Spring Framework (CVE-2022-22965)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-affected-but-not-classified-as-vulnerable-to-remote-code-execution-in-spring-framework-cve-2022-22965/
Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact-is-vulnerable-to-arbitrary-code-exection-due-to-apache-log4j-cve-2022-23307/
Security Bulletin: Publicly disclosed vulnerability in GNU binutils affects IBM Netezza Analytics for NPS
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-in-gnu-binutils-affects-ibm-netezza-analytics-for-nps/
Valmet DNA
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-01
Mitsubishi Electric MELSEC-Q Series C Controller Module
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-02
Inductive Automation Ignition
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-03
Mitsubishi Electric GT25-WLAN
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-04
Aethon TUG Home Base Server
https://us-cert.cisa.gov/ics/advisories/icsa-22-102-05
NetApp Active IQ Unified Manager Information Disclosure Vulnerability
http://support.lenovo.com/product_security/PS500484-NETAPP-ACTIVE-IQ-UNIFIED-MANAGER-INFORMATION-DISCLOSURE-VULNERABILITY
Post-Auth Arbitrary File Read vulnerability Impacting End-Of-Life SRA Appliances and End-Of-Support SMA100 firmware versions
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0006