End-of-Day report
Timeframe: Wednesday 04-05-2022 18:00 - Thursday 05-05-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
New NetDooka malware spreads via poisoned search results
A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device.
https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads-via-poisoned-search-results/
The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vatet
Cluster25 researchers, during a comparative analysis performed at the beginning of March 2022, found evidence that suggests a possible relationship between a piece of malware belonging to the Sprite Spider arsenal (or some elements that are or were part of it) and Vatet Loader.
https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/
The curious case of mavinject.exe
Mavinject is a LOLBIN currently employed by the infamous adversary group Lazarus; it successfully evades detection by various security products because the execution is masked under a legitimate process.
https://fourcore.io/blogs/mavinject-curious-process-injection
Vulnerabilities
Cisco Security Advisories 2022-05-04
Cisco published 9 Security Advisories (1 Critical, 8 Medium Severity)
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2022%2F05%2F04&firstPublishedEndDate=2022%2F05%2F04&limit=50
Attackers could gain full control over F5 BIG-IP systems
Important security updates close, among other things, a critical vulnerability in BIG-IP systems. Admins should act now.
https://heise.de/-7075530
Security updates: Cisco closes VM escape vulnerabilities with root access
The network equipment vendor Cisco has closed a critical vulnerability in, among other products, Enterprise NFV Infrastructure Software.
https://heise.de/-7075725
Security update protects IBM's database system Informix Dynamic Server
An important security patch closes a vulnerability in IBM's Informix Dynamic Server.
https://heise.de/-7076231
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, recutils, suricata, and zchunk), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox), Slackware (mozilla, openssl, and seamonkey), SUSE (apache2-mod_auth_mellon, libvirt, and pgadmin4), and Ubuntu (dpdk, mysql-5.7, networkd-dispatcher, openssl, openssl1.0, sqlite3, and twisted).
https://lwn.net/Articles/894036/
10-year-old vulnerabilities in Avast and AVG endanger millions of users
Security researchers from SentinelOne have discovered two severe vulnerabilities in the Avast and AVG security products that have existed for 10 years and endanger millions of users.
https://www.borncity.com/blog/2022/05/05/10-jahre-alte-schwachstellen-in-avast-und-avg-gefhrden-millionen-nutzer/
Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036
https://www.drupal.org/sa-contrib-2022-036
Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035
https://www.drupal.org/sa-contrib-2022-035
Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034
https://www.drupal.org/sa-contrib-2022-034
Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039
https://www.drupal.org/sa-contrib-2022-039
Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038
https://www.drupal.org/sa-contrib-2022-038
Security Bulletin: Cross-site scripting vulnerabilities in jQuery may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-11022, CVE-2020-11023
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerabilities-in-jquery-may-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-11022-cve-2020-11023/
Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-robotic-process-automation-4/
Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-could-allow-a-user-with-physical-access-to-create-an-api-request-modified-to-create-additional-objects-cve-2022-22434/
Security Bulletin: IBM Robotic Process Automation is vulnerable to an issue where an API could be used to perform a DNS lookup via a third party provider.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-is-vulnerable-to-an-issue-where-an-api-could-be-used-to-perform-a-dns-lookup-via-a-third-party-provider/
Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-7656, CVE-2020-11022, CVE-2020-11023
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerabilities-in-jquery-might-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2020-7656-cve-2020-11022-cve-2020-11023-3/
Security Bulletin: IBM Robotic Process Automation may allow regular users to view some admin pages.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-may-allow-regular-users-to-view-some-admin-pages/
Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-may-affect-ibm-robotic-process-automation-3/
Security Bulletin: IBM Security Guardium Data Encryption has vulnerability (CVE-2021-39020)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-data-encryption-has-vulnerability-cve-2021-39020/
Security Vulnerabilities fixed in Thunderbird 91.9
https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/