Tageszusammenfassung - 28.04.2022

End-of-Day report

Timeframe: Mittwoch 27-04-2022 18:00 - Donnerstag 28-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer


security.txt: Kontaktinfos für IT-Sicherheitsmeldungen standardisiert

Ein RFC beschreibt, wie Webseiten über die Datei security.txt Kontaktinformationen für Sicherheitsforscher bereitstellen können.


Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution

MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. [...] This was mitigated within 48 hours (on January 13, 2022).


A Day of SMB: What does our SMB/RPC Honeypot see? CVE-2022-26809, (Thu, Apr 28th)

After Microsoft patched and went public with CVE-2022-26809, the recent RPC vulnerability, we set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. And to keep things more interesting, we are forwarding traffic from a subset of our honeypots to the system. This gives us a pretty nice cross-section and keeps the system pretty busy. Other than not applying the April patches, the system isn't particularly vulnerable and is left in the default configuration (firewall disabled, of course). So what did we get?


This isnt Optimus Primes Bumblebee but its Still Transforming

Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID.


Nimbuspwn detector

This tool performs several tests to determine whether the system is possibly vulnerable to Nimbuspwn (CVE-2022-29799 & CVE-2022-29800), a vulnerability in the networkd-dispatcher daemon discovered by the Microsoft 365 Defender Research Team.


QNAP customers urged to disable AFP to protect against severe vulnerabilities

MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed.


LAPSUS$: Recent techniques, tactics and procedures

This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.


Neue Cyberspionage-Kampagnen der TA410 Gruppe

ESET-Forscher enthüllen ein detailliertes Profil der APT-Gruppe TA410: Wir glauben, dass diese Cyberspionage-Dachgruppe aus drei verschiedenen Teams besteht, die unterschiedliche Tools verwenden, darunter eine neue Version der von ESET entdeckten FlowCloud-Spionage-Backdoor.


CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine

CISA and the Federal Bureau of Investigation (FBI) have updated joint Cybersecurity Advisory AA22-057A: Destructive Malware Targeting Organizations in Ukraine, originally released February 26, 2022. The advisory has been updated to include additional indicators of compromise for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware.



VU#730007: Tychon is vulnerable to privilege escalation due to OPENSSLDIR location

Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.


VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value

Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.


IBM Security Bulletins 2022-04-27

IBM InfoSphere Information Server, IBM Watson for IBM Cloud Pak, Liberty for Java for IBM Cloud, IBM Cloud Transformation Advisor, WebSphere Application Server, IBM Spectrum Discover, IBM Integration Bus, IBM App Connect Enterprise, IBM Netezza Platform Server, IBM PowerVM Novalink, IBM Spectrum Scale SMB protocol


Cisco Security Advisories 2022-04-27

Cisco released 17 Security Advisories (11 High, 6 Medium Severity)


PHP Object Injection Vulnerability in Booking Calendar Plugin

On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations. We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.


Security updates for Thursday

Security updates have been issued by Debian (chromium, golang-1.7, and golang-1.8), Fedora (bettercap, chisel, containerd, doctl, gobuster, golang-contrib-opencensus-resource, golang-github-appc-docker2aci, golang-github-appc-spec, golang-github-containerd-continuity, golang-github-containerd-stargz-snapshotter, golang-github-coredns-corefile-migration, golang-github-envoyproxy-protoc-gen-validate, golang-github-francoispqt-gojay, golang-github-gogo-googleapis, golang-github-gohugoio-testmodbuilder, golang-github-google-containerregistry, golang-github-google-slothfs, golang-github-googleapis-gnostic, golang-github-googlecloudplatform-cloudsql-proxy, golang-github-grpc-ecosystem-gateway-2, golang-github-haproxytech-client-native, golang-github-haproxytech-dataplaneapi, golang-github-instrumenta-kubeval, golang-github-intel-goresctrl, golang-github-oklog, golang-github-pact-foundation, golang-github-prometheus, golang-github-prometheus-alertmanager, golang-github-prometheus-node-exporter, golang-github-prometheus-tsdb, golang-github-redteampentesting-monsoon, golang-github-spf13-cobra, golang-github-xordataexchange-crypt, golang-gopkg-src-d-git-4, golang-k8s-apiextensions-apiserver, golang-k8s-code-generator, golang-k8s-kube-aggregator, golang-k8s-sample-apiserver, golang-k8s-sample-controller, golang-mongodb-mongo-driver, golang-storj-drpc, golang-x-perf, gopass, grpcurl, onionscan, shellz, shhgit, snowcrash, stb, thunderbird, and xq), Oracle (gzip, kernel, and polkit), Slackware (curl), SUSE (buildah, cifs-utils, firewalld, golang-github-prometheus-prometheus, libaom, and webkit2gtk3), and Ubuntu (nginx and thunderbird).


Synology-SA-22:06 Netatalk

Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).


CVE-2022-23812: NPM Package node-ipc With Malicious Code Found in Russia and Belarus

Malicious code, also known as protestware, within certain versions of the package was causing chaos among Russia and Belarus based developers-overwriting their entire file system with a heart emoji. These versions (10.1.0 and 10.1.2) are now tracked under CVE-2022-23812.


ZDI-22-622: Sante DICOM Viewer Pro J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability


Johnson Controls Metasys