Daily Summary - 13.06.2022

End-of-Day report

Timeframe: Friday 10-06-2022 18:00 - Monday 13-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Crypto miners and encryption trojans slip through Confluence vulnerability

Attacks on unpatched instances of Confluence and Data Center are on the rise. Security patches are available.

https://heise.de/-7138563


Do not book your hotel through hotels-in-tyrol.com

The booking platform hotels-in-tyrol.com arranges accommodation in Tyrol. We advise caution. The platform provides neither information about the operator nor contact details. The "About us" tab merely lists a company called "LocalHotels Ltd". However, we assume that this company does not exist at all.

https://www.watchlist-internet.at/news/buchen-sie-ihr-hotel-nicht-ueber-hotels-in-tyrolcom/


Mass account takeover possible with smart Yunmai scales

Smart body-fat scales from the Chinese manufacturer Yunmai were also sold in Germany. They can be paired via Bluetooth with an app on the smartphone, so that the personal data of several people can be stored in personal profiles. Unfortunately, security is lacking, as security experts have found. The Yunmai API allows mass account takeover or circumvention of the manufacturer's restrictions.

https://www.borncity.com/blog/2022/06/11/massenhafte-kontenbernahme-bei-smarten-yunmai-waagen-mglich/


PyPI package keep mistakenly included a password stealer

PyPI packages keep, pyanxdns, api-res-py were found to contain a password-stealer and a backdoor due to the presence of a malicious 'request' dependency within some versions.

https://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly-included-a-password-stealer/


New Syslogk Linux rootkit uses magic packets to trigger backdoor

A new rootkit malware named Syslogk has been spotted in the wild, and it features advanced process and file hiding techniques that make detection highly unlikely.

https://www.bleepingcomputer.com/news/security/new-syslogk-linux-rootkit-uses-magic-packets-to-trigger-backdoor/


EPSScall: An Exploit Prediction Scoring System App, (Fri, Jun 10th)

If you follow Cyentia Institute's Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS Model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, mobile device, or at an enterprise level (Jacobs, 2022).

https://isc.sans.edu/diary/rss/28732


Translating Saitama's DNS tunneling messages, (Mon, Jun 13th)

Saitama is a backdoor that uses the DNS protocol to encapsulate its command and control (C2) messages - a technique known as DNS Tunneling (MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted to a government official from Jordan's foreign ministry on an attack [...]

https://isc.sans.edu/diary/rss/28738


ModBus 101: One Protocol to Rule the OT World

Ever wondered how large-scale power plants monitor or control the myriad of systems that fill their environment? Have you thought about how some of the world's greatest industrial hacks were enacted? This post will look to illuminate how one tiny legacy protocol, namely "ModBus", could help to understand just how straightforward this could be.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modbus-101-one-protocol-to-rule-the-ot-world/


Smilodon Credit Card Skimming Malware Shifts to WordPress

WordPress' massive market share has come with an unsurprising side effect: As more and more site admins turn to popular plugins like WooCommerce to turn a profit on their website and set up online stores we've seen a significant increase in the number of attacks targeting WordPress eCommerce sites. What's more, bad actors are repurposing their old Magento credit card stealing malware for use against WordPress.

https://blog.sucuri.net/2022/06/smilodon-credit-card-skimming-malware-shifts-to-wordpress.html


MIT Researchers Discover New Flaw in Apple M1 CPUs That Can't Be Patched

A novel hardware attack dubbed PACMAN has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems. It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," [...]

https://thehackernews.com/2022/06/mit-researchers-discover-new-flaw-in.html


Extracting Clear-Text Credentials Directly From Chromium's Memory

Credential data (URL/username/password) is stored in Chrome's memory in clear-text format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager ("Login Data" file).

https://www.cyberark.com/resources/threat-research-blog/extracting-clear-text-credentials-directly-from-chromium-s-memory


Researchers: Wi-Fi Probe Requests Expose User Data

A group of academic researchers from the University of Hamburg in Germany has discovered that mobile devices leak identifying information about their owners via Wi-Fi probe requests. Mobile devices use these probe requests to receive information about nearby Wi-Fi access points and establish connections to them when a probe response is received.

https://www.securityweek.com/researchers-wi-fi-probe-requests-expose-user-data


Exposing HelloXD Ransomware and x4k

HelloXD is a ransomware family in its initial stages - but already seeking to impact organizations. We analyze samples and hunt for attribution.

https://unit42.paloaltonetworks.com/helloxd-ransomware/


GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool

A new, difficult-to-detect remote access trojan named PingPull is being used by GALLIUM, an advanced persistent threat (APT) group.

https://unit42.paloaltonetworks.com/pingpull-gallium/


Microsoft Azure Synapse Pwnalytics

[...] Synapse Analytics utilizes Apache Spark for the underlying provisioning of clusters that user code is run on. User code in these environments is run with intentionally limited privileges because the environments are managed by internal Microsoft subscription IDs, which is generally indicative of a multi-tenant environment. Tenable Research has discovered a privilege escalation flaw that allows a user to escalate privileges to that of the root user within the context of a Spark VM. We have also discovered a flaw that allows a user to poison the hosts file on all nodes in their Spark pool, which allows one to redirect subsets of traffic and snoop on services users generally do not have access to. The full privilege escalation flaw has been adequately addressed. However, the hosts file poisoning flaw remains unpatched at the time of this writing.

https://medium.com/tenable-techblog/microsoft-azure-synapse-pwnalytics-87c99c036291

Vulnerabilities

QTS 5.0.0 security updates for QNAP NAS devices (June 8, 2022)

A brief note for readers who use QNAP NAS drives. Older versions of the QTS 5.0.0 software contain serious vulnerabilities, which were fixed on June 8, 2022 with a firmware update to QTS 5.0.0.2055 build 20220531.

https://www.borncity.com/blog/2022/06/11/qts-5-sicherheitsupdates-fr-qnap-nas-gerte-8-juni-2022/


Technical Advisory - Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)

The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories: [...]

https://research.nccgroup.com/2022/06/10/technical-advisory-multiple-vulnerabilities-in-trendnet-tew-831dr-wifi-router-cve-2022-30325-cve-2022-30326-cve-2022-30327-cve-2022-30328-cve-2022-30329/


Security updates for Monday

Security updates have been issued by Debian (chromium, containerd, kernel, ntfs-3g, and vlc), Fedora (buildah and logrotate), Red Hat (xz), and SUSE (google-gson, netty3, rubygem-sinatra, and u-boot).

https://lwn.net/Articles/897711/


Drupal Releases Security Updates

Drupal has released security updates to address a Guzzle third-party library vulnerability that does not affect Drupal core but may affect some contributed projects or custom code on Drupal sites. Exploitation of this vulnerability could allow a remote attacker to take control of an affected website.

https://us-cert.cisa.gov/ncas/current-activity/2022/06/13/drupal-releases-security-updates


Screams of Power vulnerabilities (Powertek-based PDUs)

Even if the PDUs you use in your data center aren't branded "Powertek", please keep reading. Powertek is a company that makes datacenter class smart PDUs (Power Distribution Units - i.e. heavy duty power cords) for server racks. They sell both directly (or at least used to in the past I think?) and through their resellers. There is one reseller per country and they commonly rebrand their PDUs (e.g. mine has a logo of the Swiss reseller - schneikel). Anyway, in March I've done a quick 3h review of the firmware and found multiple vulnerabilities and weaknesses in Powertek PDU's firmware v3.30.23 and possibly prior (details below). So, if you're using a PDU that is running Powertek firmware, you might want to patch now.

https://gynvael.coldwind.pl/?id=748


OTRS: Multiple vulnerabilities allow information disclosure

https://www.cert-bund.de/advisoryshort/CB-K22-0702


Security Bulletin: A vulnerability in OpenSSL affects IBM InfoSphere Information Server (CVE-2022-0778)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openssl-affects-ibm-infosphere-information-server-cve-2022-0778/


Security Bulletin: A Unspecified Java Vulnerability is affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2021-35550)

https://www.ibm.com/blogs/psirt/security-bulletin-a-unspecified-java-vulnerability-is-affecting-watson-knowledge-catalog-for-ibm-cloud-pak-for-data-cve-2021-35550/


Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44832/


Security Bulletin: Due to use of Spring Framework, IBM Db2 Web Query for i is vulnerable to unprotected fields (CVE-2022-22968), remote code execution (CVE-2022-22965), and denial of service (CVE-2022-22950).

https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-spring-framework-ibm-db2-web-query-for-i-is-vulnerable-to-unprotected-fields-cve-2022-22968-remote-code-execution-cve-2022-22965-and-denial-of-service-cve-2022/


Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service, due to OpenSSL (CVE-2022-0778)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-ibm-integration-bus-are-vulnerable-to-a-denial-of-service-due-to-openssl-cve-2022-0778/


Security Bulletin: IBM Java XML vulnerability affects Liberty for Java for IBM Cloud due to CVE-2022-21299 deferred from Oracle Jan 2022 CPU

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-xml-vulnerability-affects-liberty-for-java-for-ibm-cloud-due-to-cve-2022-21299-deferred-from-oracle-jan-2022-cpu/


Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgresql-may-affect-ibm-spectrum-copy-data-management/


Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22475)

https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-cloud-is-vulnerable-to-identity-spoofing-cve-2022-22475/