End-of-Day report
Timeframe:   Friday 01-04-2022 18:00 - Monday 04-04-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter
News
Fake shop alert: caution when buying branded goods online!
Anyone who wants to buy branded clothing or shoes online should make sure the offer is legitimate. Numerous fake shops are currently appearing that claim to sell popular branded goods. None of these fraudulent shops has a legal notice (Impressum) on the site, and the web address has nothing to do with the goods on offer. These are typical characteristics of fake shops and good reasons not to shop there!
https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online-einkauf-von-markenware/
Explaining Spring4Shell: The Internet security disaster that wasn't
Vulnerability in the Spring Java Framework is important, but it's no Log4Shell.
https://arstechnica.com/?p=1845362
Beastmode botnet boosts DDoS power with new router exploits
A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers.
https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
Emptying the Phishtank: Are WordPress sites the Mosquitoes of the Internet? (Mon, Apr 4th)
In November, an accountant working for a construction company received an innocent enough-looking email: An update on the terms to submit bills to a local county. Seeing the email, the accountant clicked on the link and quickly downloaded the new document after entering their Outlook 365 credentials. The PDF looked all right but was something the accountant had already downloaded a couple of weeks ago from the county's official website. [...] This, it turns out, was a typical case of "business email compromise."
https://isc.sans.edu/diary/rss/28516
WordPress Popunder Malware Redirects to Scam Sites
Over the last year we've seen an ongoing malware infection which redirects website visitors to scam sites. So far this year our monitoring has detected over 3,000 websites infected with this injection, and over 17,000 in total since we first detected it in March of 2021. The reported behaviour is always the same: After a few seconds of loading, the website will redirect to a dodgy scam site.
https://blog.sucuri.net/2022/04/wordpress-popunder-malware-redirects-to-scam-sites.html
Brokenwire Hack Could Let Remote Attackers Disrupt Charging for Electric Vehicles
A group of academics from the University of Oxford and Armasuisse S+T has disclosed details of a new attack technique against the popular Combined Charging System (CCS) that could potentially disrupt the ability to charge electric vehicles at scale. Dubbed "Brokenwire," the method interferes with the control communications that transpire between the vehicle and charger to wirelessly abort the charging sessions from a distance of as far as 47m (151ft).
https://thehackernews.com/2022/04/brokenwire-hack-could-let-remote.html
Deep Dive Analysis - Borat RAT
[...] During our regular OSINT research, Cyble Research Labs came across a new Remote Access Trojan (RAT) named Borat. Unlike other RATs, the Borat provides Ransomware, DDOS services, etc., to Threat Actors along with usual RAT features, further expanding the malware capabilities.
https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Recent public research asserts threat groups sharing overlaps with FIN7 transitioned to targeted ransomware operations involving REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware. With the purported shift to ransomware operations, Mandiant is publishing our research on the evolution of FIN7, which we haven't publicly written about since Mahalo FIN7, published in 2019.
https://www.mandiant.com/resources/evolution-of-fin7
Hacker accessed 319 crypto- and finance-related Mailchimp accounts, company said
Email marketing firm Mailchimp announced on Monday that a hacker breached its internal tools and managed to gain access to 319 Mailchimp accounts for companies in the cryptocurrency and finance industries.
https://therecord.media/hacker-accessed-319-crypto-and-finance-related-mailchimp-accounts-company-said/
Kaseya Full Disclosure
In honor of our appearance on the Ransomware Files podcast episode #5 we are releasing the full details of the vulnerabilities we found during our research into Kaseya VSA, some of which were used by REvil to attack Kaseya's customers. The details can be found in our CVE entries: [...]
https://csirt.divd.nl/2022/04/04/Kaseya-VSA-Full-Disclosure/
Vulnerabilities
15-Year-Old Bug in PEAR PHP Repository Could've Enabled Supply Chain Attacks
A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code.
https://thehackernews.com/2022/04/15-year-old-bug-in-pear-php-repository.html
FG-IR-22-059: Vulnerability in OpenSSL library
A security advisory was released affecting the version of OpenSSL library used in some Fortinet products.
https://fortiguard.fortinet.com/psirt/FG-IR-22-059
VMSA-2022-0010
A critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products.
https://www.vmware.com/security/advisories/VMSA-2022-0010.html
Security updates for Monday
Security updates have been issued by Debian (asterisk, qemu, and zlib), Fedora (389-ds-base, ghc-cmark-gfm, ghc-hakyll, gitit, libkiwix, openssl, pandoc, pandoc-citeproc, patat, phoronix-test-suite, seamonkey, and skopeo), Mageia (libtiff, openjpeg2, and php-smarty), openSUSE (python), Oracle (httpd), Red Hat (httpd), and SUSE (libreoffice, python, and python36).
https://lwn.net/Articles/890187/
Microsoft Edge 100.0.1185.29 fixes vulnerabilities
On 1 April 2022 (no April Fool's joke), Microsoft updated the Chromium-based Edge browser to version 100.0.1185.29. It is a maintenance update that closes a number of vulnerabilities and kicks off the 100 development branch.
https://www.borncity.com/blog/2022/04/02/microsoft-edge-100-0-1185-29-fixt-schwachstellen/
Kaspersky Anti-Virus: Multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K22-0384
Vulnerability in Spring Framework Affecting Cisco Products: March 2022
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-integration-bus-and-ibm-app-connect-enterprise/
Security Bulletin: Vulnerability in Netty - CVE-2021-43797 may affect IBM Watson Assistant for IBM Cloud Pak for Data.
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-cve-2021-43797-may-affect-ibm-watson-assistant-for-ibm-cloud-pak-for-data/
Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-2/
Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-ibm-integration-bus-are-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2022-23307-cve-2022-23302-and-sql-injection-due-to-apache/
Security Bulletin: Cloud Pak for Security contains packages that have multiple vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-contains-packages-that-have-multiple-vulnerabilities/
Security Bulletin: Cross-Site Scripting and information disclosure vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2022 (CVE-2021-29835, CVE-39046)
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-information-disclosure-vulnerabilities-are-addressed-with-ibm-cloud-pak-for-business-automation-ifixes-for-march-2022-cve-2021-29835-cve-39046/
Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-vulnerable-to-docker-cli-cve-2021-41092-and-apache-log4j-cve-2021-4104-cve-2022-23302-cve-2022-23305-cve-2022-23307-weaknesses/
Security Bulletin: IBM Informix Dynamic Server in Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-server-in-cloud-pak-for-data-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-cve-2021-45046/
Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-10/