End-of-Day report
Timeframe: Thursday 19-05-2022 18:00 - Friday 20-05-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices
Observing a 254% increase in activity over the last six months from a versatile Linux trojan called XorDdos, the Microsoft 365 Defender research team provides in-depth analysis into this stealthy malware's capabilities and key infection signs.
https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware
Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.
https://thehackernews.com/2022/05/hackers-trick-users-with-fake-windows.html
Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits
Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.
https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.html
Metastealer - filling the Racoon void
MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year.
https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/
Emotet Being Distributed Using Various Files
The ASEC analysis team has recently discovered the distribution of Emotet through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, it was found that the Emotet downloader uses Excel files as well as link files (.lnk).
https://asec.ahnlab.com/en/34556/
Vulnerabilities
Oracle Security Alert for CVE-2022-21500 - 19 May 2022
This Security Alert addresses vulnerability CVE-2022-21500, which affects some deployments of Oracle E-Business Suite.
https://www.oracle.com/security-alerts/alert-cve-2022-21500.html
Attackers could "destroy" TLS sessions created with the DNS software BIND
There is an important security update for BIND, which admins should install promptly.
https://heise.de/-7101032
Security updates for Friday
Security updates have been issued by CentOS (kernel), Debian (ark, openldap, and thunderbird), Fedora (freetype and vim), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, container-tools:3.0, glibc, kernel, rsync, and subversion:1.10), Scientific Linux (kernel), SUSE (dcraw, firefox, glib2, ImageMagick, kernel-firmware, libxml2, libyajl, php7, ucode-intel, and unrar), and Ubuntu (openldap).
https://lwn.net/Articles/895862/
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer in IBM Business Automation Workflow and IBM Business Process Manager
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-process-designer-in-ibm-business-automation-workflow-and-ibm-business-process-manager-2/
Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-23450, CVE-1999-0001)
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-is-affected-by-two-websphere-application-server-vulnerabilities-cve-2021-23450-cve-1999-0001/
Security Bulletin: IBM WebSphere Application Server is vulnerable to Spoofing (CVE-2022-22365)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-is-vulnerable-to-spoofing-cve-2022-22365/
Security Bulletin: IBM Robotic Process Automation with Automation Anywhere is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-with-automation-anywhere-is-affected-but-not-classified-as-vulnerable-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/
Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-39038, CVE-1999-0002)
https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-is-affected-by-two-websphere-application-server-vulnerabilities-cve-2021-39038-cve-1999-0002/
Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS) vulnerability (CVE-2021-39043)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle-management-is-vulnerable-to-cross-site-scripting-xss-vulnerability-cve-2021-39043/
Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224)
https://www.pentestpartners.com/security-blog/galleon-nts-6002-gps-command-injection-vulnerability-cve-2022-27224/
Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1
https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/
Grafana: Vulnerability allows bypassing of security measures
http://www.cert-bund.de/advisoryshort/CB-K22-0639
Trend Micro Security products: Multiple vulnerabilities allow disclosure of information
http://www.cert-bund.de/advisoryshort/CB-K22-0638