Daily summary - 21.04.2022

End-of-Day report

Timeframe: Wednesday 20-04-2022 18:00 - Thursday 21-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a

News

Microsoft Exchange servers hacked to deploy Hive ransomware

A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/


REvil's TOR sites come alive to redirect to new ransomware operation

REvil ransomware's servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have been running since at least mid-December last year.

https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/


Multi-Cryptocurrency Clipboard Swapper, (Thu, Apr 21st)

It's not the first time that I found a piece of code that monitors the clipboard and swaps the BTC address found with the attacker's one. This time, the script that I found supports a lot of cryptocurrencies!

https://isc.sans.edu/diary/rss/28574
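
An added example, not code from the diary or from the script it analyses: the detection side of a clipboard swapper. It models the malware's swap rule (match the clipboard against per-coin address patterns and replace a hit with the attacker's wallet for that coin) next to a check an endpoint guard can run when the user pastes: if the copied text and the pasted text are both addresses of the same coin but differ, the clipboard was tampered with between copy and paste. The address patterns and wallet strings are constructed for this example; the diary's script carries its own, larger coin table.

```python
import re
from typing import Dict, Optional

# Address patterns for a few coins. Constructed for this example; a real clipper
# ships a longer table, and a guard would want to cover the same coins it does.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address format `text` matches, or None if no pattern hits."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def clipper_swap(clipboard: str, attacker_wallets: Dict[str, str]) -> str:
    """Model of the malware side: if the clipboard holds an address of a coin the
    attacker has a wallet for, hand back the attacker's address instead; anything
    else is passed through untouched so the victim notices nothing."""
    coin = classify_address(clipboard)
    if coin is not None and coin in attacker_wallets:
        return attacker_wallets[coin]
    return clipboard


def check_paste(copied: str, pasted: str) -> str:
    """Defender side: compare what the user copied with what is about to be pasted.

    "ok"          - identical
    "not-address" - the copied text was not a recognised address, nothing to guard
    "swapped"     - both are addresses of the same coin but differ (the clipper's signature)
    "changed"     - the clipboard changed in some other way
    """
    if copied.strip() == pasted.strip():
        return "ok"
    copied_coin = classify_address(copied)
    if copied_coin is None:
        return "not-address"
    if classify_address(pasted) == copied_coin:
        return "swapped"
    return "changed"


if __name__ == "__main__":
    # Constructed sample: the attacker's wallets are made-up strings that merely
    # satisfy the patterns above, not real addresses.
    attacker = {
        "BTC": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
        "ETH": "0x" + "de" * 20,
    }
    user_btc = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
    on_paste = clipper_swap(user_btc, attacker)
    print(check_paste(user_btc, on_paste))  # swapped
```

The guard only needs the copy-side snapshot and the paste-side content; it does not have to know the attacker's addresses, which is why pattern-based comparison catches a swapper regardless of which wallet it substitutes.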


Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark

This time we will take a closer look at what the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments.

https://research.nccgroup.com/2022/04/20/mitigating-the-top-10-security-threats-to-gcp-using-the-cis-google-cloud-platform-foundation-benchmark%ef%bf%bc/


Two OpenWrt updates

The OpenWrt 21.02.3 and 19.07.10 updates have been released. These updates contain some security fixes and improved device support.

https://lwn.net/Articles/892161/


Willhaben, ebay, Vinted & Co. targeted by criminals!

Whether you want to buy or sell something, beware of scams on classified-ad platforms! If you are asked to complete the transaction through a courier service, break off contact.

https://www.watchlist-internet.at/news/willhaben-ebay-vinted-co-im-fokus-von-kriminellen/


Abusing Azure Container Registry Tasks

In this post, I will explain how one Azure service supporting DevOps can start in a very solid "secure by default" state, but then quickly descend into a very dangerously configured state.

https://posts.specterops.io/abusing-azure-container-registry-tasks-1f407bfaa465


Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.6

A deep dive into the specifics of Cobalt Strike Malleable C2 profiles and key information that is new in Cobalt Strike 4.6

https://blog.zsec.uk/cobalt-strike-profiles/


TeamTNT targeting AWS, Alibaba

TeamTNT is actively modifying its scripts after they were made public by security researchers. These scripts primarily target Amazon Web Services, but can also run on on-premises, container, or other forms of Linux instances.

http://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html

Vulnerabilities

Cisco Security Advisories 2022-04-20

Cisco published 12 Security Advisories (3 High, 9 Medium Severity)

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=critical,high,medium&firstPublishedStartDate=2022%2F04%2F20&firstPublishedEndDate=2022%2F04%2F20


Static SSH key troubles the Cisco Umbrella cloud security system

Important security updates for Cisco hardware and software close several vulnerabilities. Attackers could intercept admin credentials.

https://heise.de/-7061311
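
An added example, not code from heise or from Cisco: the summary does not say which SSH key is static, but a key that is identical across appliances shows up as the same host key fingerprint on every host, and that is the condition that lets an attacker impersonate one appliance to capture the credentials an admin types into it. The script below parses ssh-keyscan output, computes OpenSSH-style SHA256 fingerprints (SHA-256 over the raw key blob, base64 without padding) and reports fingerprints presented by more than one host. The host names and key blobs are constructed; run it on real data with `ssh-keyscan -t ed25519 host1 host2 > keys.txt` and pass the file contents to shared_host_keys.

```python
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed ssh-keyscan-style output for three appliances. Each line has the
# form "<host> <key-type> <base64 key blob>". The blobs are made up (not real
# keys); va-1 and va-2 deliberately share one to show what a static key looks like.
BLOB_SHARED = base64.b64encode(b"constructed shared key blob").decode()
BLOB_UNIQUE = base64.b64encode(b"constructed unique key blob").decode()
SAMPLE_KEYSCAN = "\n".join([
    f"va-1.example.internal ssh-ed25519 {BLOB_SHARED}",
    f"va-2.example.internal ssh-ed25519 {BLOB_SHARED}",
    f"va-3.example.internal ssh-ed25519 {BLOB_UNIQUE}",
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: SHA-256 over the decoded blob, base64 with padding stripped."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> List[Tuple[str, str, str]]:
    """Parse ssh-keyscan output into (host, key_type, blob) tuples, skipping
    blank lines and the '# host:port SSH-2.0-...' comments keyscan emits on stderr
    if someone captured both streams into one file."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def shared_host_keys(text: str) -> Dict[str, List[str]]:
    """Map each fingerprint presented by more than one host to the hosts presenting it.
    An empty result means every scanned host has its own key, which is what a
    fleet without a static key should look like."""
    by_fp = defaultdict(list)
    for host, _key_type, blob in parse_keyscan(text):
        by_fp[fingerprint(blob)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by: {', '.join(hosts)}")
```

A shared fingerprint is the symptom, not the cause: the fix is a per-appliance key (for Cisco products, the vendor's update), after which the old fingerprint has to be removed from every admin's known_hosts so the replaced key is not still trusted.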


Security updates for Thursday

Security updates have been issued by Fedora (frr, grafana, gzip, and pdns), Oracle (java-11-openjdk), Red Hat (java-11-openjdk and kernel), Scientific Linux (java-11-openjdk), SUSE (dcraw, GraphicsMagick, gzip, kernel, nbd, netty, qemu, SDL, and xen), and Ubuntu (libinput, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure,[...]

https://lwn.net/Articles/892214/


Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

https://www.drupal.org/sa-core-2022-009


Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

https://www.drupal.org/sa-core-2022-008


Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-and-the-ibm-maximo-manage-application-in-ibm-maximo-application-suite-are-vulnerable-to-cross-site-scripting-cve-2022-22436/


Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-and-the-ibm-maximo-manage-application-in-ibm-maximo-application-suite-are-vulnerable-to-cross-site-scripting-cve-2022-22435/


Security Bulletin: Vulnerability in OpenSSL affect App Connect Professional.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affect-app-connect-professional/


Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-integrated-analytics-system-7/


Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-robotic-process-automation-2/


Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-gnu-c-library-vulnerability-12/


Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-gnu-c-library-vulnerability-11/


Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System.

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-kernel-affects-ibm-integrated-analytics-system-2/


Security Bulletin: IBM Emptoris Supplier Lifecycle Management vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-supplier-lifecycle-management-vulnerable-to-unspecified-vulnerability-due-to-oracle-database-server-cve-2021-35576/


Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-is-affected-by-gnu-c-library-vulnerability-10/


Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-use-case-manager-app-is-vulnerable-to-using-components-with-known-vulnerabilities/


Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the included Expat 3rd party library (CVE-2022-23852 and CVE-2022-23990)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-multiple-vulnerabilities-in-the-included-expat-3rd-party-library-cve-2022-23852-and-cve-2022-23990/


Security Bulletin: A Vulnerability in IBM WebSphere Application Server - Liberty affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-liberty-affects-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data/


Jira Security Advisory 2022-04-20

https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html


Delta Electronics ASDA-Soft

https://us-cert.cisa.gov/ics/advisories/icsa-22-111-01


Johnson Controls Metasys SCT Pro

https://us-cert.cisa.gov/ics/advisories/icsa-22-111-02


Hitachi Energy MicroSCADA Pro/X SYS600

https://us-cert.cisa.gov/ics/advisories/icsa-22-111-03