Daily summary - 20.04.2022

End-of-Day report

Timeframe: Tuesday 19-04-2022 18:00 - Wednesday 20-04-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a

News

CISA warns of attackers now exploiting Windows Print Spooler bug

The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler.

https://www.bleepingcomputer.com/news/security/cisa-warns-of-attackers-now-exploiting-windows-print-spooler-bug/


Emotet botnet switches to 64-bit modules, increases activity

The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines.

https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/


Google: 2021 was a record year for discovered zero-days

According to Google, however, the root causes of the vulnerabilities themselves are hardly changing. Memory-safety bugs remain the biggest problem.

https://www.golem.de/news/google-2021-war-rekordjahr-fuer-entdeckte-zero-days-2204-164711-rss.html


"aa" distribution Qakbot (Qbot) infection with DarkVNC traffic, (Wed, Apr 20th)

Chain of Events and IOCs of a Qakbot infection.

https://isc.sans.edu/diary/rss/28568


Wave of online-banking phishing rolling through inboxes

A phishing wave is currently rolling through Austrian e-mail inboxes, with which criminals are primarily after online-banking credentials.

https://www.watchlist-internet.at/news/phishing-welle-zu-online-banking-rollt-durch-postfaecher/


CISA Releases Secure Cloud Business Applications (SCuBA) Guidance Documents for Public Comment

CISA has released draft versions of two guidance documents, along with a request for comment (RFC), that are a part of the recently launched Secure Cloud Business Applications (SCuBA) project.

https://us-cert.cisa.gov/ncas/current-activity/2022/04/19/cisa-releases-secure-cloud-business-applications-scuba-guidance


Investigating an engineering workstation - Part 3

In our third blog post we will focus on information we can get from the projects themselves.

https://blog.nviso.eu/2022/04/20/investigating-an-engineering-workstation-part-3/

Vulnerabilities

Elliptic curves: Java signature verification can be tricked with zeros

A bug was found in Java's verification of ECDSA signatures that makes it possible to create a signature that is always accepted as valid.

https://www.golem.de/news/elliptische-kurven-java-signaturpruefung-laesst-sich-mit-nullen-austricksen-2204-164719-rss.html


Oracle releases 520 security patches for its software portfolio

Administrators of Oracle applications should install the available updates to close vulnerabilities, some of which are critical.

https://heise.de/-6746906


Security updates for Wednesday

Security updates have been issued by Debian (condor), Red Hat (389-ds:1.4, container-tools:2.0, kernel, kernel-rt, and kpatch-patch), SUSE (chrony, containerd, expat, git, icedtea-web, jsoup, jsr-305, kernel, libeconf, shadow and util-linux, protobuf, python-libxml2-python, python3, slirp4netns, sssd, vim, and wpa_supplicant), and Ubuntu (bash).

https://lwn.net/Articles/892047/


AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation

We identified severe security issues within AWS Log4Shell hot patch solutions. We provide a root cause analysis and overview of fixes and mitigations.

https://unit42.paloaltonetworks.com/aws-log4shell-hot-patch-vulnerabilities/


SSA-254054: Spring Framework Vulnerability (Spring4Shell or SpringShell, CVE-2022-22965) - Impact to Siemens Products

https://cert-portal.siemens.com/productcert/txt/ssa-254054.txt


Security Bulletin: IBM Emptoris Strategic Supply Management Platform is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-strategic-supply-management-platform-is-vulnerable-to-unspecified-vulnerability-due-to-oracle-database-server-cve-2021-35576/


Security Bulletin: IBM Security Guardium Insights is affected by Node.js vulnerability (CVE-2021-22939)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-node-js-vulnerability-cve-2021-22939/


Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service

https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-java-technology-edition-ibm-tivoli-application-dependency-discovery-manager-taddm-is-vulnerable-to-denial-of-service-2/


Security Bulletin: IBM Emptoris Sourcing is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-sourcing-is-vulnerable-to-unspecified-vulnerability-due-to-oracle-database-server-cve-2021-35576/


Security Bulletin: IBM Emptoris Contract Management is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-contract-management-is-vulnerable-to-unspecified-vulnerability-due-to-oracle-database-server-cve-2021-35576/


Security Bulletin: IBM Emptoris Program Management is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-program-management-is-vulnerable-to-unspecified-vulnerability-due-to-oracle-database-server-cve-2021-35576/


April 19, 2022 TNS-2022-09 [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities

http://www.tenable.com/security/tns-2022-09


Veritas NetBackup: Vulnerability enables cross-site scripting

http://www.cert-bund.de/advisoryshort/CB-K22-0474


Interlogix Hills ComNav

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-01


Automated Logic WebCTRL

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-02


FANUC ROBOGUIDE Simulation Platform

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-03


Elcomplus SmartPPT SCADA

https://us-cert.cisa.gov/ics/advisories/icsa-22-109-04


Multiple ctrlX CORE vulnerabilities

https://psirt.bosch.com/security-advisories/bosch-sa-029150.html


MISP 2.4.158 security fix and general improvement release

https://github.com/MISP/MISP/releases/tag/v2.4.158


Multiple Vulnerabilities in Apache HTTP Server

https://www.qnap.com/en-us/security-advisory/QSA-22-11