Tageszusammenfassung - 12.05.2022

End-of-Day report

Timeframe: Mittwoch 11-05-2022 18:00 - Donnerstag 12-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner

News

Backdoor in public repository used new form of attack to target big firms

A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients- resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad.

https://arstechnica.com/?p=1853739


"Ive Found Some Bad Domains-Now What?"

When we talk about investigating bad domains, the focus of the story is usually the starting clues, but what about after you-ve identified bad domains? This blog discusses the approaches to take once a bad domain has been identified.

https://www.domaintools.com/resources/blog/ive-found-some-bad-domains-now-what


Massive WordPress JavaScript Injection Campaign Redirects to Ads

As outlined in our latest hacked website report, we-ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year - for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone.

https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-campaign-redirects-to-ads.html


Everything We Learned From the LAPSUS$ Attacks

There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property and threatens to leak that information unless a ransom is paid.

https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html


Spoofing SaaS Vanity URLs for Social Engineering Attacks

While vanity URLs provide a custom, easy-to-remember link, Varonis Threat Labs discovered that some applications do not validate the legitimacy of the vanity URL-s subdomain (e.g., yourcompany.example.com), but instead only validate the URI (e.g., /s/1234). As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company-s sanctioned SaaS account.

https://www.varonis.com/blog/url-spoofing

Vulnerabilities

ZDI-22-759: Trend Micro Password Manager Link Following Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-22-759/


Security updates for Thursday

Security updates have been issued by Fedora (microcode_ctl, mingw-SDL2_ttf, seamonkey, and thunderbird), Mageia (cifs-utils, gerbv, golang, libcaca, libxml2, openssl, python-pillow, python-rencode, python-twisted, python-ujson, slurm, and sqlite3), Red Hat (gzip, kernel, kpatch-patch, podman, rsync, subversion:1.10, and zlib), Scientific Linux (gzip), Slackware (curl), SUSE (clamav), and Ubuntu (curl, firefox, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-oem-5.14)

https://lwn.net/Articles/895063/


Sandbox Escape mit Root Access & Klartext-Passwörtern in zahlreichen Konica Minolta bizhub MFP Drucker Terminals

Zahlreiche Konica Minolta MFP bizhub Geräte, sowie Geräte anderer Hersteller mit derselben Firmware, sind anfällig für einen Sandbox Breakout über den internen Browser, der die Hilfe-Menüs anzeigt. Der Browser selbst ist mit root-Rechten gestartet, was einen Zugriff auf das komplette Dateisystem ermöglicht. In einer Datei des Dateisystems befand sich das Administratorpasswort für das Webinterface des Druckers im Klartext.

https://sec-consult.com/de/vulnerability-lab/advisory/sandbox-escape-with-root-access-klartextpasswoerter-in-konica-minolta-bizhub-mfp-printer-terminals/


CVE-2022-0024 PAN-OS: Improper Neutralization Vulnerability Leads to Unintended Program Execution During Configuration Commit (Severity: HIGH)

A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system processes and potentially execute arbitrary code with root privileges when the configuration is committed on both hardware and virtual firewalls.

https://security.paloaltonetworks.com/CVE-2022-0024


CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection

Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device.

https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/


Intel: May 2022 Patchday

https://www.intel.com/content/www/us/en/security-center/default.html


Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104-4/


Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-java-affects-ibm-cloud-pak-system-cve-2020-27221-3/


Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-password-synchronization-plug-in-for-windows-ad-affected-by-multiple-vulnerabilities-cve-2021-20488-cve-2021-20494-cve-2021-20572-cve-2021-20573-cve-2021-20-2/


Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307)

https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initialization-and-maintenance-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104-cve-2022-23302-cve-2022-23305-cve-2022-23307/


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-cve-2018-10237-cve-2020-8908/


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-16/


Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-missing-http-strict-transport-security-header-vulnerability-cve-2021-39072-2/


Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-fasterxml-jackson-databind-vulnerabilities-cve-2020-25649-x-force-id-217968-2/


Security Bulletin: IBM MQ is vulnerable to multiple issues in IBM® Runtime Environment Java- Technology Edition, Version 8 and Version 7 (CVE-2021-35578, CVE-2021-35588, CVE-2021-41035)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-multiple-issues-in-ibm-runtime-environment-java-technology-edition-version-8-and-version-7-cve-2021-35578-cve-2021-35588-cve-2021-41035/


Security Bulletin: IBM MQ is vulnerable to multiple Eclipse Jetty issues

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-multiple-eclipse-jetty-issues/


Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-path-traversal-and-crypto-vulnerabilities-cve-2021-29425-cve-2021-39076-2/


Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirect-for-microsoft-windows-is-affected-but-not-classified-as-vulnerable-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/


Security Bulletin: IBM Security Guardium is affected by a jsoup vulnerability (CVE-2021-37714)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-jsoup-vulnerability-cve-2021-37714-2/


Security Bulletin: IBM MQ WebConsole and REST API are affected by CVE-2021-39031.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-webconsole-and-rest-api-are-affected-by-cve-2021-39031/


Check Point Zone Alarm: Schwachstelle ermöglicht Privilegieneskalation

http://www.cert-bund.de/advisoryshort/CB-K22-0595


CVE-2022-0025 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0025


CVE-2022-0026 Cortex XDR Agent: Unintended Program Execution Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0026