Daily summary - 01.06.2022

End-of-Day report

Timeframe: Tuesday 31-05-2022 18:00 - Wednesday 01-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

Zero-day vulnerability: first cybergangs attack MSDT security flaw

Microsoft's zero-day vulnerability is now being abused by cybergangs for attacks. The vendor initially misclassified the problem as irrelevant.

https://heise.de/-7128265


FluBot Android malware operation shutdown by law enforcement

Europol has announced the takedown of the FluBot operation, one of the largest and fastest-growing Android malware operations in existence.

https://www.bleepingcomputer.com/news/security/flubot-android-malware-operation-shutdown-by-law-enforcement/


New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers

An enhanced version of the XLoader malware has been spotted adopting a probability-based approach to camouflage its command-and-control (C&C) infrastructure, according to the latest research.

https://thehackernews.com/2022/06/new-xloader-botnet-version-using.html


New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email

A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim.

https://thehackernews.com/2022/06/new-unpatched-horde-webmail-bug-lets.html


Watch out for phishing emails that inject spyware trio

You wait for one infection and then three come along at once. An emailed report seemingly about a payment will, when opened in Excel on a Windows system, attempt to inject three pieces of file-less malware that steal sensitive information.

https://go.theregister.com/feed/www.theregister.com/2022/06/01/phishing-rat-bitrat-fortinet/


Certificate Transparency data is used to compromise WordPress before installation

Recently in the community forums of WordPress and Let's Encrypt, reports have shown up about webshells on freshly installed WordPress blogs that were later used for DDoS attacks.

https://www.feistyduck.com/bulletproof-tls-newsletter/issue_89_certificate_transparency_data_is_used_to_compromise_wordpress_before_installation
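The attack behind this item is a race: whoever watches Certificate Transparency logs learns a new hostname the moment its certificate is issued and can reach the still-unconfigured WordPress installer before the owner does. The script below is an added example, not code from the original page, the forum posts or the linked newsletter. It takes a CT record in the field layout crt.sh uses (an assumption about the input shape), a constructed web access log, and the owner's addresses, and reports the first installer request from anyone else together with its delay after certificate issuance; it also includes a pre-deployment check that the installer is not reachable on a fresh document root.

```python
"""Spotting the "race to the WordPress installer" that follows a new
certificate showing up in Certificate Transparency (CT) logs.

Added example, not code from the original page, the WordPress forums, or the
linked newsletter. The CT record shape (name_value / not_before) is modelled
on the JSON that crt.sh returns; the access-log lines, IPs and timestamps are
constructed for this example.
"""
import re
from datetime import datetime, timezone

# Scripts that are only useful while a WordPress site is still unconfigured.
INSTALLER_PATHS = ("/wp-admin/install.php", "/wp-admin/setup-config.php")

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed CT entry: the certificate for the new blog was issued at 09:13:40 UTC.
SAMPLE_CT_RECORD = {"name_value": "blog.example.org", "not_before": "2022-06-01T09:13:40"}

# Constructed access log: 203.0.113.7 runs the installer 90 seconds after the
# certificate appears; the legitimate owner (198.51.100.20) only shows up later.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2022:09:15:10 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jun/2022:09:15:31 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jun/2022:09:15:33 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [01/Jun/2022:09:41:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]


def cert_issued_at(ct_record):
    """Issuance time of a CT record as a timezone-aware UTC datetime."""
    return datetime.fromisoformat(ct_record["not_before"]).replace(tzinfo=timezone.utc)


def parse_log_line(line):
    """Return (ip, timestamp, method, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def installer_hits(log_lines):
    """Every request to the installer scripts (query string ignored), oldest first."""
    hits = [r for r in map(parse_log_line, log_lines)
            if r is not None and r[3].split("?", 1)[0] in INSTALLER_PATHS]
    hits.sort(key=lambda r: r[1])
    return hits


def first_foreign_installer_hit(log_lines, owner_ips, cert_not_before):
    """First installer request from an address the site owner does not control.

    Returns (ip, seconds_after_cert_issuance, method, path), or None when only
    owner addresses touched the installer. A small positive delay is the
    signature of a CT-driven race: the attacker arrives minutes after the
    certificate is logged, before the owner has finished the install."""
    for ip, ts, method, path, _status in installer_hits(log_lines):
        if ip not in owner_ips:
            return ip, (ts - cert_not_before).total_seconds(), method, path
    return None


def installer_is_exposed(docroot_files):
    """Pre-deployment check: the installer is reachable when wp-config.php is absent
    while the setup scripts exist. `docroot_files` is the set of paths relative to
    the document root (e.g. collected with os.walk). Ship wp-config.php, or block
    the two scripts for non-owner addresses, before the vhost gets a certificate."""
    return "wp-config.php" not in docroot_files and any(
        p.lstrip("/") in docroot_files for p in INSTALLER_PATHS)


if __name__ == "__main__":
    hit = first_foreign_installer_hit(SAMPLE_LOG, {"198.51.100.20"}, cert_issued_at(SAMPLE_CT_RECORD))
    print("foreign installer hit:", hit)
    print("installer exposed:", installer_is_exposed({"index.php", "wp-admin/install.php", "wp-admin/setup-config.php"}))
```

On the constructed data the first foreign hit is a GET of /wp-admin/setup-config.php from 203.0.113.7 ninety seconds after issuance, i.e. the attacker completed the install long before the owner's first request at 09:41. The practical lesson is in the last function: the window only exists while wp-config.php is missing, so provisioning it (or restricting the two installer scripts) before the certificate is requested closes the race regardless of how quickly CT logs are watched.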


AA22-152A: Karakurt Data Extortion Group

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair.

https://us-cert.cisa.gov/ncas/alerts/aa22-152a

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by Debian (libjpeg-turbo, webkit2gtk, and wpewebkit), Fedora (golang-github-opencontainers-runc, mingw-pcre2, python-jwt, python-ujson, and weechat), Oracle (nodejs:16 and rsyslog), Red Hat (container-tools:3.0, expat, fapolicyd, kernel, kernel-rt, kpatch-patch, mariadb:10.3, postgresql:12, rsyslog and rsyslog7, and zlib), Slackware (mozilla), SUSE (bind, dpdk, fribidi, hdf5, librelp, php74, postgresql12, and postgresql13), and Ubuntu (cups, linux-gcp-5.13, linux-oracle, linux-oracle-5.13, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and webkit2gtk).

https://lwn.net/Articles/896803/


T&D Data Server and THERMO RECORDER DATA SERVER vulnerable to directory traversal

https://jvn.jp/en/jp/JVN28659051/


Security Advisory - Insufficient Input Verification Vulnerability In Huawei Product

http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220601-01-66843eb3-en


Security Bulletin: IBM® PureData System for Operational Analytics is vulnerable to arbitrary code execution, remote code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-puredata-system-for-operational-analytics-is-vulnerable-to-arbitrary-code-execution-remote-code-execution-and-denial-of-service-due-to-apache-log4j-cve-2021-44228-cve/


Security Bulletin: IBM CICS TX Standard is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-vulnerable-to-arbitrary-code-execution-due-to-ibm-websphere-application-server-liberty-cve-2021-23450/


Security Bulletin: Vulnerability in bind (CVE-2021-25214) affects Power HMC

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve-2021-25214-affects-power-hmc/


Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management

https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerabilities-from-kernel-affect-ibm-netezza-host-management-17/


Security Bulletin: IBM CICS TX Advanced is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-vulnerable-to-arbitrary-code-execution-due-to-ibm-websphere-application-server-liberty-cve-2021-23450/


Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-included-websphere-application-server-and-ibm-http-server-used-by-websphere-application-server/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-service-tester-9/


Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to code injection due to CVE-2022-29078

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-designerauthoring-and-integrationserver-operands-may-be-vulnerable-to-code-injection-due-to-cve-2022-29078/


Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-data-synchronization-app-for-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities/


Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information (CVE-2022-22368)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-spectrum-scale-that-could-allow-an-attacker-to-decrypt-highly-sensitive-informationcve-2022-22368-3/


Security Bulletin: Vulnerability in Apache HTTP (CVE-2022-22720) affects Power HMC

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-http-cve-2022-22720-affects-power-hmc/


K43541501: Intel CPU vulnerabilities CVE-2022-21131 and CVE-2022-21136

https://support.f5.com/csp/article/K43541501


Security Vulnerabilities fixed in Thunderbird 91.10

https://www.mozilla.org/en-US/security/advisories/mfsa2022-22/


BD Pyxis

https://us-cert.cisa.gov/ics/advisories/icsma-22-151-01


BD Synapsys

https://us-cert.cisa.gov/ics/advisories/icsma-22-151-02


Fuji Electric Alpha7 PC Loader

https://us-cert.cisa.gov/ics/advisories/icsa-22-151-01


SSRF vulnerability in Canto Cumulus (SYSS-2022-023)

https://www.syss.de/pentest-blog/ssrf-schwachstelle-in-canto-cumulus-syss-2022-023


Microsoft Edge 102.0.1245.30 closes vulnerabilities

https://www.borncity.com/blog/2022/06/01/microsoft-edge-102-0-1245-30-schliet-schwachstellen/


Security Advisory: Multiple Vulnerabilities Impact 3CX Phone System

https://www.gosecure.net/blog/2022/05/31/security-advisory-multiple-vulnerabilities-impact-3cx-phone-system/