End-of-Day report
Timeframe: Friday 08-07-2022 18:00 - Monday 11-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
New 0mega ransomware targets businesses in double-extortion attacks
A new ransomware operation named 0mega targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms.
https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/
Hackers Exploiting Follina Bug to Deploy Rozena Backdoor
A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.
https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html
Raspberry Robin Windows Worm Abuses QNAP Devices
A recently discovered Windows worm is abusing compromised QNAP network-attached storage (NAS) devices as stagers to spread to new systems, according to Cybereason. Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives.
https://www.securityweek.com/raspberry-robin-windows-worm-abuses-qnap-devices
The History and Evolution of Zero Trust
"The term 'zero trust' is now used so much and so widely that it has almost lost its meaning."
https://www.securityweek.com/history-and-evolution-zero-trust
WhatsApp: Criminals pose as your child
"Hi Dad. My phone is broken. This is my new number." Be careful: this message could come from criminals. If you are asked to make a bank transfer, it is clearly fraud!
https://www.watchlist-internet.at/news/whatsapp-kriminelle-geben-sich-als-ihr-kind-aus/
SELECT XMRig FROM SQLServer
Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month.
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
Vulnerabilities
Security holes in node.js patched
New versions of the node.js runtime fix high-risk, security-critical bugs. Attackers could use them to slip malicious code onto victims' systems.
https://heise.de/-7167912
Security updates for Monday
Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python).
https://lwn.net/Articles/900670/
vim: Multiple vulnerabilities
A remote, anonymous attacker can exploit multiple vulnerabilities in vim to carry out a denial-of-service attack, execute arbitrary code, modify memory and disclose confidential information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0630
ZDI-22-959: (0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-22-959/
Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-tivoli-netcool-system-service-monitors-application-service-monitors-3/
Security Bulletin: CVE-2021-23337
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23337/
Security Bulletin: CVE-2020-28500
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-28500/
Security Bulletin: CVE-2020-8203
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203-2/
Security Bulletin: IBM Content Manager Enterprise Edition is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-enterprise-edition-is-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/
Security Bulletin: IBM CICS TX Standard is vulnerable to HTML injection (CVE-2022-34160)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-vulnerable-to-html-injection-cve-2022-34160/
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-vulnerabilities-from-golang-go-and-ibm-websphere-application-server-liberty-cve-2021-39293-and-cve-2021-39038/
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-an-issue-in-opm-and-golang-go-packages-cve-2020-15257-cve-2021-21334-and-cve-2021-41771/
Security Bulletin: CVE-2020-8203
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203/
Security Bulletin: CVE-2021-23369
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23369/
Security Bulletin: CVE-2020-7774
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-7774/
Security Bulletin: IBM CICS TX Advanced is vulnerable to HTML injection (CVE-2022-34160)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-vulnerable-to-html-injection-cve-2022-34160/
K40582331: Apache HTTP server vulnerability CVE-2022-28615
https://support.f5.com/csp/article/K40582331
K08006936: Apache Commons Configuration vulnerability CVE-2022-33980
https://support.f5.com/csp/article/K08006936
K74251611: Linux kernel vulnerability CVE-2021-38166
https://support.f5.com/csp/article/K74251611
K36462841: Linux kernel vulnerability CVE-2018-18281
https://support.f5.com/csp/article/K36462841
ILIAS: Vulnerability allows obtaining user privileges
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0629