Daily summary - 21.06.2022

End-of-Day report

Timeframe: Monday 20-06-2022 18:00 - Tuesday 21-06-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer

News

New DFSCoerce NTLM Relay attack allows Windows domain takeover

A new Windows NTLM relay attack called DFSCoerce has been discovered that uses MS-DFSNM, Microsoft's Distributed File System Namespace Management protocol, to coerce authentication from a domain controller and completely take over a Windows domain.

https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-attack-allows-windows-domain-takeover/


APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call "Samurai backdoor" and "Ninja Trojan".

https://securelist.com/toddycat/106799/


Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack

A reported "potentially dangerous piece of functionality" allows an attacker to launch an attack on cloud infrastructure and ransom files stored in SharePoint and OneDrive.

https://threatpost.com/office-365-opens-ransomware-attacks-on-onedrive-sharepoint/180010/


Do not order from funkelnmarkt.de

The online shop funkelnmarkt.de offers laptops, washing machines, consoles and the like. Prices are in part somewhat lower than at other shops and the website looks professional. Reason enough to order there. Or is it? Better not! If you order there, you receive no goods and lose your money!

https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-funkelnmarktde/

Vulnerabilities

Icefall: 56 flaws impact thousands of exposed industrial devices

A security report has been published on a set of 56 vulnerabilities that are collectively called Icefall and affect operational technology (OT) equipment used in various critical infrastructure environments.

https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thousands-of-exposed-industrial-devices/


OpenSSL Security Advisory [21 June 2022]

When CVE-2022-1292 was fixed, it was not discovered that there are other places in the c_rehash script where the file names of certificates being hashed were possibly passed to a command executed through the shell.

https://openssl.org/news/secadv/20220621.txt
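The class of bug the advisory describes, as an added example that is not OpenSSL's code: a per-file command built by string interpolation and handed to the shell, next to the same call made without a shell, plus an allow-list check on the file name. The certificate directory, the file names and the use of `cat` as a stand-in for the per-file hashing command are constructed for this illustration; the allow-list pattern is an assumption of the example, not the check OpenSSL ships.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Constructed demo data: a harmless stand-in certificate and a hostile file
# name whose only purpose is to show what /bin/sh does with metacharacters.
BENIGN_NAME = "cert.pem"
HOSTILE_NAME = "cert.pem; echo INJECTED"   # constructed, not a real attack file

# Illustrative allow-list for hash-directory entries (an assumption of this
# example, not the check OpenSSL ships).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def make_demo_dir() -> str:
    """Create a throwaway certificate directory holding one benign file."""
    cert_dir = tempfile.mkdtemp(prefix="rehash-demo-")
    with open(os.path.join(cert_dir, BENIGN_NAME), "w") as fh:
        fh.write("BENIGN\n")
    return cert_dir


def process_via_shell_string(cert_dir: str, filename: str) -> str:
    """Vulnerable pattern: the file name is interpolated into a command string
    that is executed by the shell. 'cat' stands in for the real per-file
    command (in c_rehash an openssl invocation); the hazard is the same:
    ';', '|', '$(...)' and friends in the name are interpreted by /bin/sh."""
    cmd = f"cat {cert_dir}/{filename}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def process_via_argv(cert_dir: str, filename: str) -> str:
    """Hardened pattern: no shell at all. The file name is a single argv
    element, so metacharacters reach the program only as bytes of a path."""
    proc = subprocess.run(["cat", os.path.join(cert_dir, filename)],
                          capture_output=True, text=True)
    return proc.stdout


def is_safe_name(filename: str) -> bool:
    """Defence in depth: refuse directory entries that are not plain file
    names before they get anywhere near a command line."""
    return bool(SAFE_NAME.fullmatch(filename))


def demo() -> dict:
    """Run both patterns against the benign and the hostile name."""
    cert_dir = make_demo_dir()
    try:
        return {
            "shell_benign": process_via_shell_string(cert_dir, BENIGN_NAME),
            "shell_hostile": process_via_shell_string(cert_dir, HOSTILE_NAME),
            "argv_hostile": process_via_argv(cert_dir, HOSTILE_NAME),
            "hostile_passes_allowlist": is_safe_name(HOSTILE_NAME),
            "benign_passes_allowlist": is_safe_name(BENIGN_NAME),
        }
    finally:
        shutil.rmtree(cert_dir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the shell-string variant the hostile name yields the benign file's contents followed by the injected command's output; with the argv variant `cat` simply fails to find a file literally named `cert.pem; echo INJECTED` and nothing is executed. The c_rehash script is deprecated; `openssl rehash` performs the same task without going through a shell.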


Security updates for Tuesday

Security updates have been issued by Debian (tzdata), Oracle (cups), and SUSE (atheme, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, node_exporter, python36, release-notes-susemanager, release-notes-susemanager-proxy, SUSE Manager 4.1.15 Release Notes, SUSE Manager Client Tools, and SUSE Manager Server 4.2).

https://lwn.net/Articles/898504/


SSA-111512: Client-side Authentication in SIMATIC WinCC OA

https://cert-portal.siemens.com/productcert/txt/ssa-111512.txt


ABB Security Advisory: ABB Relion REX640 Insufficient file access control

https://search.abb.com/library/Download.aspx?DocumentID=2NGA001421


Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-are-addressed-with-ibm-cloud-pak-for-business-automation-ifixes-for-may-2022/


Security Bulletin: Flaw in Go may affect DataPower Operator (CVE-2021-44717)

https://www.ibm.com/blogs/psirt/security-bulletin-flaw-in-go-may-affect-datapower-operator-cve-2021-44717/


Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2021-35603)

https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerability-in-java-runtime-affects-ibm-spss-statistics-cve-2021-35603/


Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2022-21496)

https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerability-in-java-runtime-affects-ibm-spss-cve-2022-21496/


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-in-apache-thrift-5/


Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2022-21496)

https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerability-in-java-runtime-affects-ibm-spss-statistics-cve-2022-21496/


Security Bulletin: IBM DataPower Operator affected by flaw in Go (CVE-2022-23773)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-affected-by-flaw-in-go-cve-2022-23773/


Security Bulletin: IBM Spectrum Symphony is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-symphony-is-affected-but-not-classified-as-vulnerable-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/


Security Bulletin: IBM Spectrum Conductor is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-conductor-is-affected-but-not-classified-as-vulnerable-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/


Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-affected-by-prototype-pollution-in-dojo-cve-2021-23450-2/


Security Bulletin: IBM DataPower Operator potentially vulnerable to Denial of Service (CVE-2021-44716)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-potentially-vulnerable-to-denial-of-service-cve-2021-44716/


Security Bulletin: IBM QRadar Wincollect agent is vulnerable to information disclosure

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-agent-is-vulnerable-to-information-disclosure/


Security Bulletin: DataPower Operator vulnerable to a Denial of Service (CVE-2022-23806)

https://www.ibm.com/blogs/psirt/security-bulletin-datapower-operator-vulnerable-to-a-denial-of-service-cve-2022-23806/


Security Bulletin: IBM Security Guardium is affected by a postgresql-42.0.0.jar vulnerability

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-postgresql-42-0-0-jar-vulnerability/


Security Bulletin: IBM Security Guardium is affected by a mongodb-driver-legacy-4.1.1.jar vulnerability (CVE-2021-20328)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-mongodb-driver-legacy-4-1-1-jar-vulnerability-cve-2021-20328/


PHOENIX CONTACT: Missing Authentication in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool

https://cert.vde.com/de/advisories/VDE-2022-028/


PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool

https://cert.vde.com/de/advisories/VDE-2022-026/


PHOENIX CONTACT: Vulnerability in classic line industrial controllers

https://cert.vde.com/de/advisories/VDE-2022-025/


WEIDMUELLER: EtherNet/IP Fieldbus Coupler out-of-bounds write

https://cert.vde.com/de/advisories/VDE-2021-004/