End-of-Day report
Timeframe: Mittwoch 11-05-2022 18:00 - Donnerstag 12-05-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
Backdoor in public repository used new form of attack to target big firms
A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients- resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.
https://arstechnica.com/?p=1853739
"Ive Found Some Bad Domains-Now What?"
When we talk about investigating bad domains, the focus of the story is usually the starting clues, but what about after you-ve identified bad domains? This blog discusses the approaches to take once a bad domain has been identified.
https://www.domaintools.com/resources/blog/ive-found-some-bad-domains-now-what
Massive WordPress JavaScript Injection Campaign Redirects to Ads
As outlined in our latest hacked website report, we-ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year - for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone.
https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-campaign-redirects-to-ads.html
Everything We Learned From the LAPSUS$ Attacks
There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property and threatens to leak that information unless a ransom is paid.
https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html
Spoofing SaaS Vanity URLs for Social Engineering Attacks
While vanity URLs provide a custom, easy-to-remember link, Varonis Threat Labs discovered that some applications do not validate the legitimacy of the vanity URL-s subdomain (e.g., yourcompany.example.com), but instead only validate the URI (e.g., /s/1234). As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company-s sanctioned SaaS account.
https://www.varonis.com/blog/url-spoofing
Vulnerabilities
ZDI-22-759: Trend Micro Password Manager Link Following Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-22-759/
Security updates for Thursday
Security updates have been issued by Fedora (microcode_ctl, mingw-SDL2_ttf, seamonkey, and thunderbird), Mageia (cifs-utils, gerbv, golang, libcaca, libxml2, openssl, python-pillow, python-rencode, python-twisted, python-ujson, slurm, and sqlite3), Red Hat (gzip, kernel, kpatch-patch, podman, rsync, subversion:1.10, and zlib), Scientific Linux (gzip), Slackware (curl), SUSE (clamav), and Ubuntu (curl, firefox, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-oem-5.14)
https://lwn.net/Articles/895063/
Sandbox Escape mit Root Access & Klartext-Passwörtern in zahlreichen Konica Minolta bizhub MFP Drucker Terminals
Zahlreiche Konica Minolta MFP bizhub Geräte, sowie Geräte anderer Hersteller mit derselben Firmware, sind anfällig für einen Sandbox Breakout über den internen Browser, der die Hilfe-Menüs anzeigt. Der Browser selbst ist mit root-Rechten gestartet, was einen Zugriff auf das komplette Dateisystem ermöglicht. In einer Datei des Dateisystems befand sich das Administratorpasswort für das Webinterface des Druckers im Klartext.
https://sec-consult.com/de/vulnerability-lab/advisory/sandbox-escape-with-root-access-klartextpasswoerter-in-konica-minolta-bizhub-mfp-printer-terminals/
CVE-2022-0024 PAN-OS: Improper Neutralization Vulnerability Leads to Unintended Program Execution During Configuration Commit (Severity: HIGH)
A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system processes and potentially execute arbitrary code with root privileges when the configuration is committed on both hardware and virtual firewalls.
https://security.paloaltonetworks.com/CVE-2022-0024
CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection
Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.
https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/
Intel: May 2022 Patchday
https://www.intel.com/content/www/us/en/security-center/default.html
Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104-4/
Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-java-affects-ibm-cloud-pak-system-cve-2020-27221-3/
Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-password-synchronization-plug-in-for-windows-ad-affected-by-multiple-vulnerabilities-cve-2021-20488-cve-2021-20494-cve-2021-20572-cve-2021-20573-cve-2021-20-2/
Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307)
https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initialization-and-maintenance-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104-cve-2022-23302-cve-2022-23305-cve-2022-23307/
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-cve-2018-10237-cve-2020-8908/
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-16/
Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-missing-http-strict-transport-security-header-vulnerability-cve-2021-39072-2/
Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-fasterxml-jackson-databind-vulnerabilities-cve-2020-25649-x-force-id-217968-2/
Security Bulletin: IBM MQ is vulnerable to multiple issues in IBM® Runtime Environment Java- Technology Edition, Version 8 and Version 7 (CVE-2021-35578, CVE-2021-35588, CVE-2021-41035)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-multiple-issues-in-ibm-runtime-environment-java-technology-edition-version-8-and-version-7-cve-2021-35578-cve-2021-35588-cve-2021-41035/
Security Bulletin: IBM MQ is vulnerable to multiple Eclipse Jetty issues
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-multiple-eclipse-jetty-issues/
Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-path-traversal-and-crypto-vulnerabilities-cve-2021-29425-cve-2021-39076-2/
Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-for-microsoft-windows-is-affected-but-not-classified-as-vulnerable-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/
Security Bulletin: IBM Security Guardium is affected by a jsoup vulnerability (CVE-2021-37714)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-jsoup-vulnerability-cve-2021-37714-2/
Security Bulletin: IBM MQ WebConsole and REST API are affected by CVE-2021-39031.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-webconsole-and-rest-api-are-affected-by-cve-2021-39031/
Check Point Zone Alarm: Schwachstelle ermöglicht Privilegieneskalation
http://www.cert-bund.de/advisoryshort/CB-K22-0595
CVE-2022-0025 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM)
https://security.paloaltonetworks.com/CVE-2022-0025
CVE-2022-0026 Cortex XDR Agent: Unintended Program Execution Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM)
https://security.paloaltonetworks.com/CVE-2022-0026