End-of-Day report
Timeframe: Thursday 28-04-2022 18:00 - Friday 29-04-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Ransomware and wiper: cyberattacks on German wind energy companies
Since the start of the war in Ukraine, wind turbine manufacturers have become victims of cyberattacks. The attackers apparently did not have a particularly hard time.
https://www.golem.de/news/ransomware-und-wiper-cyberangriffe-auf-deutsche-windenergieunternehmen-2204-164932-rss.html
Security updates: attackers could make Cisco firewalls restart
Important security updates are available for Cisco Firepower Threat Defense and Adaptive Security Appliance.
https://heise.de/-7069408
Attackers could hook into the installation process of SonicWall Global VPN
Security vulnerabilities endanger the SonicWall Global VPN Client and SonicOS. Security updates are available for download.
https://heise.de/-7069729
Video conferencing: vulnerabilities in Zoom allow privilege escalation and more
Several vulnerabilities in the Zoom software could allow attackers to escalate their privileges on the system or obtain information without authorization.
https://heise.de/-7069420
Study: Active Directory exposure to attack varies by industry
According to a survey of IT managers, the industry sector plays a role in securing Active Directory. Company size is also relevant.
https://heise.de/-7069098
EmoCheck now detects new 64-bit versions of Emotet malware
The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month.
https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/
Colibri Loader's Unique Persistence Technique Using Get-Variable Cmdlet
Recently there has been a lot of talk on Twitter regarding the Colibri Loader and its persistence mechanism, which somehow uses PowerShell's Get-Variable cmdlet. According to MSDN, Get-Variable is a PowerShell cmdlet that gets the PowerShell variables in the current console.
In short, on Windows 10 or later systems, Colibri Loader drops a copy of itself in the %APPDATA%\Local\Microsoft\WindowsApps directory under the name Get-Variable.exe. It then creates a scheduled task that runs PowerShell hidden, using powershell.exe -windowstyle hidden.
To the naked eye it looks as if only PowerShell is running, but this scheduled task somehow triggers Colibri Loader to run.
https://fourcore.io/blogs/colibri-loader-powershell-get-variable-persistence
Using Passive DNS sources for Reconnaissance and Enumeration, (Fri, Apr 29th)
In so many penetration tests or assessments, the client gives you a set of subnets and says "go for it". This all seems reasonable, until you realize that if you have a website, there might be dozens or hundreds of websites hosted there, each only accessible by their DNS name.
https://isc.sans.edu/diary/rss/28596
Don't expect to get your data back from the Onyx ransomware group
Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid.
https://go.theregister.com/feed/www.theregister.com/2022/04/29/onyx-ransomware-destroy-files/
Bypassing LDAP Channel Binding with StartTLS
Active Directory LDAP implements StartTLS and it can be used to bypass the Channel Binding requirement of LDAPS for some relay attacks such as the creation of a machine account if LDAP signing is not required by the domain controller.
https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-starttls.html
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet).
https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html
The Package Analysis Project: Scalable detection of malicious open source packages
Despite open source software's essential role in all software built today, it's far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute.
http://security.googleblog.com/2022/04/the-package-analysis-project-scalable.html
Analyzing VSTO Office Files
VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for [...]
https://blog.nviso.eu/2022/04/29/analyzing-vsto-office-files/
Trello From the Other Side: Tracking APT29 Phishing Campaigns
Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29's efforts to evade detection through retooling and abuse of Atlassian's Trello service.
https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns
Vulnerabilities
SonicWall Global VPN Client DLL Search Order Hijacking via Application Installer
SonicWall Global VPN Client 4.10.7 installer (32-bit and 64-bit) and earlier have a DLL Search Order Hijacking vulnerability in one of the installer components. Successful exploitation via a local attacker could result in command execution in the target system.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0036
AC500 V3 CODESYS VULNERABILITIES
All AC500 V3 products with a firmware version earlier than 3.6.0 are affected by these vulnerabilities: CVE-2022-22513, CVE-2022-22514, CVE-2022-22515, CVE-2022-22517, CVE-2022-22518 and CVE-2022-22519.
https://search.abb.com/library/Download.aspx?DocumentID=3ADR010997&LanguageCode=en&DocumentPartId=&Action=Launch
Security updates for Friday
Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk).
https://lwn.net/Articles/893102/
Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware
https://cert.vde.com/de/advisories/VDE-2022-006/
Microsoft Edge: Multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K22-0521
Mattermost security updates 6.6.1, 6.5.1, 6.4.3, 6.3.8 (ESR) released
https://mattermost.com/blog/mattermost-security-update-6-6-1-released/
Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to directory traversal due to CVE-2022-24785
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-operands-may-be-vulnerable-to-directory-traversal-due-to-cve-2022-24785/
Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2022-0155, CVE-2022-0536, CVE-2021-3749
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2022-0155-cve-2022-0536-cve-2021-3749/
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1233
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-integrationserver-components-that-use-designer-flows-may-be-vulnerable-to-cve-2022-1233/
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1243
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-integrationserver-components-that-use-designer-flows-may-be-vulnerable-to-cve-2022-1243/
Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM QRadar SIEM (CVE-2021-22543, CVE-2021-3653, CVE-2021-3656, CVE-2021-37576)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-linux-kernel-affect-ibm-qradar-siem-cve-2021-22543-cve-2021-3653-cve-2021-3656-cve-2021-37576/
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to CVE-2022-25645
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-designerauthoring-operands-may-be-vulnerable-to-arbitrary-code-execution-due-to-cve-2022-25645/
Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to CVE-2022-0778
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-operands-may-be-vulnerable-to-denial-of-service-due-to-cve-2022-0778/
Security Bulletin: Denial of Service Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-24921)
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnerability-in-golang-go-affects-ibm-spectrum-protect-plus-container-backup-and-restore-for-kubernetes-and-red-hat-openshift-cve-2022-24921/
Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key (CVE-2021-39082)
https://www.ibm.com/blogs/psirt/security-bulletin-uc-deploy-container-images-may-contain-non-unique-https-certificates-and-database-encryption-key-cve-2021-39082/
Security Bulletin: Content Collector for Email is affected by an embedded WebSphere Application Server Admin Console
https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-email-is-affected-by-a-embedded-websphere-application-server-admin-console-2/