Daily summary - 11.07.2022

End-of-Day report

Timeframe: Friday 08-07-2022 18:00 - Monday 11-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

New 0mega ransomware targets businesses in double-extortion attacks

A new ransomware operation named 0mega targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms.

https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/


Hackers Exploiting Follina Bug to Deploy Rozena Backdoor

A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.

https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html


Raspberry Robin Windows Worm Abuses QNAP Devices

A recently discovered Windows worm is abusing compromised QNAP network-attached storage (NAS) devices as stagers to spread to new systems, according to Cybereason. Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives.

https://www.securityweek.com/raspberry-robin-windows-worm-abuses-qnap-devices


The History and Evolution of Zero Trust

"The term 'zero trust' is now used so much and so widely that it has almost lost its meaning."

https://www.securityweek.com/history-and-evolution-zero-trust


WhatsApp: Criminals pose as your child

"Hi Dad. My phone is broken. This is my new number." Caution: this message could come from criminals. If you are asked to make a bank transfer, it is clearly a scam!

https://www.watchlist-internet.at/news/whatsapp-kriminelle-geben-sich-als-ihr-kind-aus/


SELECT XMRig FROM SQLServer

Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month.

https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/

Vulnerabilities

Security vulnerabilities in node.js patched

New versions of the node.js runtime fix security-critical bugs rated high risk. Attackers could use them to foist malicious code on victims.

https://heise.de/-7167912


Security updates for Monday

Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python).

https://lwn.net/Articles/900670/


vim: Multiple vulnerabilities

A remote, anonymous attacker can exploit multiple vulnerabilities in vim to carry out a denial of service attack, execute arbitrary code, modify memory and disclose confidential information.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0630


ZDI-22-959: (0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-22-959/


Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-tivoli-netcool-system-service-monitors-application-service-monitors-3/


Security Bulletin: CVE-2021-23337

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23337/


Security Bulletin: CVE-2020-28500

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-28500/


Security Bulletin: CVE-2020-8203

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203-2/


Security Bulletin: IBM Content Manager Enterprise Edition is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-enterprise-edition-is-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/


Security Bulletin: IBM CICS TX Standard is vulnerable to HTML injection (CVE-2022-34160)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-vulnerable-to-html-injection-cve-2022-34160/


Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-vulnerabilities-from-golang-go-and-ibm-websphere-application-server-liberty-cve-2021-39293-and-cve-2021-39038/


Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-an-issue-in-opm-and-golang-go-packages-cve-2020-15257-cve-2021-21334-and-cve-2021-41771/


Security Bulletin: CVE-2020-8203

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203/


Security Bulletin: CVE-2021-23369

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23369/


Security Bulletin: CVE-2020-7774

https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-7774/


Security Bulletin: IBM CICS TX Advanced is vulnerable to HTML injection (CVE-2022-34160)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-vulnerable-to-html-injection-cve-2022-34160/


K40582331: Apache HTTP server vulnerability CVE-2022-28615

https://support.f5.com/csp/article/K40582331


K08006936: Apache Commons Configuration vulnerability CVE-2022-33980

https://support.f5.com/csp/article/K08006936


K74251611: Linux kernel vulnerability CVE-2021-38166

https://support.f5.com/csp/article/K74251611


K36462841: Linux kernel vulnerability CVE-2018-18281

https://support.f5.com/csp/article/K36462841


ILIAS: Vulnerability enables obtaining user privileges

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0629