Daily summary - 29.04.2022

End-of-Day report

Timeframe: Thursday 28-04-2022 18:00 - Friday 29-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer


Ransomware and wiper: cyberattacks on German wind energy companies

Since the start of the war in Ukraine, wind turbine manufacturers have become victims of cyberattacks. The attackers apparently did not have a particularly hard time.


Security updates: attackers could cause Cisco firewalls to restart

There are important security updates for Cisco Firepower Threat Defense and Adaptive Security Appliance.


Attackers could hook into the installation process of SonicWall Global VPN

Security vulnerabilities put the SonicWall Global VPN Client and SonicOS at risk. Security updates are available for download.


Video conferencing: vulnerabilities in Zoom enable privilege escalation and more

Several vulnerabilities in the Zoom software could allow attackers to escalate their privileges on the system or access information without authorization.


Study: Active Directory exposure varies by industry

According to a survey of IT managers, the industry sector plays a role in securing Active Directory. Company size is also relevant.


EmoCheck now detects new 64-bit versions of Emotet malware

The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month.


Colibri Loader's Unique Persistence Technique Using Get-Variable Cmdlet

Recently there has been a lot of talk on Twitter regarding the Colibri Loader and its persistence mechanism, which somehow uses PowerShell's Get-Variable cmdlet. According to MSDN, Get-Variable is a PowerShell cmdlet that gets the PowerShell variables in the current console. In short, on Windows 10 or later systems, Colibri Loader drops its copy in the %APPDATA%\Local\Microsoft\WindowsApps directory with the name Get-Variable.exe. It then creates a scheduled task to run PowerShell in a hidden manner using powershell.exe -windowstyle hidden. To the naked eye, it looks like only PowerShell is running, but this scheduled task somehow triggers Colibri Loader to run.


Using Passive DNS sources for Reconnaissance and Enumeration, (Fri, Apr 29th)

In so many penetration tests or assessments, the client gives you a set of subnets and says "go for it". This all seems reasonable, until you realize that if you have a website, there might be dozens or hundreds of websites hosted there, each only accessible by their DNS name.


Don't expect to get your data back from the Onyx ransomware group

Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid.


Bypassing LDAP Channel Binding with StartTLS

Active Directory LDAP implements StartTLS and it can be used to bypass the Channel Binding requirement of LDAPS for some relay attacks such as the creation of a machine account if LDAP signing is not required by the domain controller.


New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware

We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet).


The Package Analysis Project: Scalable detection of malicious open source packages

Despite open source software's essential role in all software built today, it's far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute.


Analyzing VSTO Office Files

VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for [...]


Trello From the Other Side: Tracking APT29 Phishing Campaigns

Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29's efforts to evade detection through retooling and abuse of Atlassian's Trello service.



SonicWall Global VPN Client DLL Search Order Hijacking via Application Installer

SonicWall Global VPN Client 4.10.7 installer (32-bit and 64-bit) and earlier have a DLL Search Order Hijacking vulnerability in one of the installer components. Successful exploitation via a local attacker could result in command execution in the target system.



All AC500 V3 products with firmware version smaller than 3.6.0 are affected by these vulnerabilities: CVE-2022-22513, CVE-2022-22514, CVE-2022-22515, CVE-2022-22517, CVE-2022-22518 and CVE-2022-22519.


Security updates for Friday

Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk).


Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware


Microsoft Edge: Multiple vulnerabilities


Mattermost security updates 6.6.1, 6.5.1, 6.4.3, 6.3.8 (ESR) released


Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to directory traversal due to CVE-2022-24785


Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2022-0155, CVE-2022-0536, CVE-2021-3749


Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1233


Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1243


Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM QRadar SIEM (CVE-2021-22543, CVE-2021-3653, CVE-2021-3656, CVE-2021-37576)


Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to CVE-2022-25645


Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to CVE-2022-0778


Security Bulletin: Denial of Service Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-24921)


Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key. (CVE-2021-39082)


Security Bulletin: Content Collector for Email is affected by an embedded WebSphere Application Server Admin Console