Daily summary - 14.04.2022

End-of-Day report

Timeframe: Wednesday 13-04-2022 18:00 - Thursday 14-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

New EnemyBot DDoS botnet recruits routers and IoTs into its army

A new Mirai-based botnet malware named Enemybot has been observed growing its army of infected devices through vulnerabilities in modems, routers, and IoT devices, with the threat actor operating it known as Keksec.

https://www.bleepingcomputer.com/news/security/new-enemybot-ddos-botnet-recruits-routers-and-iots-into-its-army/


An Update on CVE-2022-26809 - MSRPC Vulnerability - PATCH NOW, (Thu, Apr 14th)

If your main concern is that you do not have time to apply the April update, stop wasting more time reading this (or anything else about CVE-2022-26809) and start patching.

https://isc.sans.edu/diary/rss/28550


A Primer on Cold Boot Attacks Against Embedded Systems

A computer's main memory is volatile: its content disappears if it is not regularly refreshed. This behavior enables a class of attacks, the best known of which is the "cold boot attack".

https://sec-consult.com/blog/detail/a-primer-on-cold-boot-attacks-against-embedded-systems/


"Pipedream": US warning of sophisticated cyberattacks on the energy sector

Using a toolkit of highly developed cyberweapons, unknown attackers are said to be able to take over industrial control systems.

https://heise.de/-6670554


Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet

Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines.

https://www.securityweek.com/microsoft-seizes-control-notorious-zloader-cybercrime-botnet


SMS advertising for sichernow.com leads to a crypto investment trap

Criminals are currently sending SMS messages advertising a crypto investment scam. The link they contain leads to a fraudulent investment platform.

https://www.watchlist-internet.at/news/sms-werbung-fuer-sichernowcom-fuehrt-in-crypto-investment-falle/


Blinding Snort: Breaking the Modbus OT Preprocessor

Team82 discovered a means by which it could blind the popular Snort intrusion detection and prevention system to malicious packets.

https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/


Old Gremlins, new methods

After a long break, the Russian-speaking ransomware group OldGremlin has resumed attacks in Russia.

https://blog.group-ib.com/oldgremlin_comeback


Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer

Cisco Talos recently observed a new information stealer, called "ZingoStealer", that has been released for free by a threat actor known as "Haskers Gang."

http://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html


Unfolding the Log4j Security Vulnerability and Log4shell TTPs in AWS

Orca researcher Lidor Ben Shitrit shows how Log4Shell TTPs can be used to exploit the Log4j security vulnerability in an AWS cloud environment.

https://orca.security/resources/blog/log4j-security-vulnerability-log4shell-ttps-aws/

Vulnerabilities

Cisco Security Advisories 2022-04-13

1 Critical, 13 High, 9 Medium Severity

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F04%2F13&firstPublishedEndDate=2022%2F04%2F13&limit=50


Patch now! Attacks on VMware Identity Manager and Workspace One Access

Attackers are pushing crypto miners through a critical code-execution vulnerability in VMware Identity Manager and Workspace One Access. Updates are available for download.

https://heise.de/-6677723


Vulnerabilities in several components make the data management software IBM Db2 attackable

Important security updates are available for IBM Db2, IBM Db2 On Openshift and IBM Db2 Warehouse on Cloud Pak for Data.

https://heise.de/-6677497


Security update: admin tool Grafana is vulnerable

Attackers could attack systems running the data visualization software Grafana.

https://heise.de/-6678300


VMSA-2022-0013

VMware Cloud Director update addresses remote code execution vulnerability (CVE-2022-22966)

https://www.vmware.com/security/advisories/VMSA-2022-0013.html


Security updates for Thursday

Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils).

https://lwn.net/Articles/891354/


Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104-3/


Security Bulletin: Vulnerabilities with libxml2 affect IBM Cloud Object Storage Systems (Apr 2022 V2)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-libxml2-affect-ibm-cloud-object-storage-systems-apr-2022-v2/


Security Bulletin: IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint are vulnerable to exposing sensitive information (CVE-2022-22391)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-are-vulnerable-to-exposing-sensitive-information-cve-2022-22391/


Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been-identified-in-apache-log4j-and-the-application-code-shipped-with-the-ds8000-hardware-management-console-hmc-2/


Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.3.0 and earlier (CVE-2021-3712)

https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-impacting-aspera-high-speed-transfer-server-and-aspera-high-speed-transfer-endpoint-4-3-0-and-earlier-cve-2021-3712/


Security Bulletin: Vulnerability in Apache Struts affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-17530)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-struts-affects-ibm-tivoli-application-dependency-discovery-manager-cve-2020-17530-2/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-performance-tester-8/


K11455641: NGINX LDAP Reference Implementation security exposure

https://support.f5.com/csp/article/K11455641


Juniper JUNOS (J-Web): Multiple vulnerabilities enable cross-site scripting

http://www.cert-bund.de/advisoryshort/CB-K22-0444


CVE-2022-0023 PAN-OS: Denial-of-Service (DoS) Vulnerability in DNS Proxy (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0023


PAN-SA-2022-0002 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator (Severity: NONE)

https://security.paloaltonetworks.com/PAN-SA-2022-0002


PAN-SA-2022-0001 Cortex XDR Agent: Supervisor Password Hash Disclosure Vulnerability When Generating Support Files (Severity: LOW)

https://security.paloaltonetworks.com/PAN-SA-2022-0001


CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed)

https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/