End-of-Day report
Timeframe: Tuesday 03-05-2022 18:00 - Wednesday 04-05-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Conti, REvil, LockBit ransomware bugs exploited to block encryption
Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the tables by finding exploits in the most common ransomware and malware being distributed today.
https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomware-bugs-exploited-to-block-encryption/
A new secret stash for "fileless" malware
We observed the technique of putting the shellcode into Windows event logs for the first time "in the wild" during the malicious campaign. It allows the "fileless" last-stage Trojan to be hidden from plain sight in the file system.
https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/
Compromising Read-Only Containers with Fileless Malware
Many people see read-only filesystems as a catch-all to stop malicious activity and container drift in containerized environments. This blog will explore the mechanics and prevalence of fileless malware execution in attacks on read-only containerized environments.
https://sysdig.com/blog/containers-read-only-fileless-malware/
Update on cyber activity in Eastern Europe
Google's Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns.
https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/
Spyware remained undetected in companies for up to 18 months
The backdoor, dubbed "Quietexit", went undetected for up to 18 months in some cases. Security researchers suspect a state-sponsored group is behind it.
https://heise.de/-7074066
"Vorsicht, Falle!": We need your help for a new project!
We are currently working on a new project: with "Vorsicht, Falle!" we are developing an "Internet trap generator". That means we imitate fraudulent websites, but not with the aim of obtaining data or money. On the contrary: everyone who falls into our trap is shown, using the example of the scam, how to recognise it.
https://www.watchlist-internet.at/news/vorsicht-falle-wir-brauchen-ihre-hilfe-fuer-ein-neues-projekt/
CISA Adds Five Known Exploited Vulnerabilities to Catalog
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
https://us-cert.cisa.gov/ncas/current-activity/2022/05/04/cisa-adds-five-known-exploited-vulnerabilities-catalog
XSS in JSON: Old-School Attacks for Modern Applications
This post highlights how cross-site scripting has adapted to today's modern web applications, specifically the API and JavaScript Object Notation (JSON).
https://www.rapid7.com/blog/post/2022/05/04/xss-in-json-old-school-attacks-for-modern-applications/
Vulnerabilities
Uclibc: Old DNS flaw affects many IoT devices
A library used in embedded devices is affected by Kaminsky's DNS attack, but the impact is likely to be limited.
https://www.golem.de/news/uclibc-alte-dns-luecke-betrifft-viele-iot-geraete-2205-165083-rss.html
Security updates for Wednesday
Security updates have been issued by Debian (openjdk-17), Fedora (chromium and suricata), Oracle (mariadb:10.5), SUSE (amazon-ssm-agent, containerd, docker, java-11-openjdk, libcaca, libwmf, pcp, ruby2.5, rubygem-puma, webkit2gtk3, and xen), and Ubuntu (linux-raspi).
https://lwn.net/Articles/893839/
Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to FasterXML Jackson Databind (CVE-2020-25649)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-requirements-management-doors-next-is-vulnerable-to-xml-external-entity-xxe-attacks-due-to-fasterxml-jackson-databind-cve-2020-25649/
Security Bulletin: IBM Informix Dynamic Server is affected by denial of service due to FasterXML jackson-databind (CVE-2020-36518)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-is-affected-to-denial-of-service-due-to-fasterxml-jackson-databind-cve-2020-36518/
Security Bulletin: Multiple Vulnerabilities in Intel Processors affect Cloud Pak System
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-intel-processors-affect-cloud-pak-system/
Security Bulletin: Vulnerability identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified-in-ibm-db2-that-is-shipped-as-component-and-pattern-type-or-ptype-with-cloud-pak-system-and-cloud-pak-system-software-suite-cloud-pak-system-address-2/
K55879220: Overview of F5 vulnerabilities (May 2022)
https://support.f5.com/csp/article/K55879220
2022-11 Multiple vulnerabilities in Provize Basic Frontend
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14299&mediaformatid=50063&destinationid=10016
2022-05 Multiple vulnerabilities in Provize Basic Backend
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14298&mediaformatid=50063&destinationid=10016
2022-01 Vulnerability in "axios" HTTP client in Provize Basic
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14297&mediaformatid=50063&destinationid=10016