[CERT-daily] Daily summary - 18.08.2023

Daily end-of-shift report team at cert.at
Fri Aug 18 18:28:23 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 17-08-2023 18:00 - Friday 18-08-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ "Your refund is available online": phishing email in the name of oesterreich.gv.at ∗∗∗
---------------------------------------------
Numerous readers are currently reporting a fraudulent email sent in the name of oesterreich.gv.at. The email claims that a refund of 176.88 euros is outstanding. Warning: criminals are behind it!
---------------------------------------------
https://www.watchlist-internet.at/news/ihre-rueckerstattung-ist-online-verfuegbar-phishing-mail-im-namen-von-oesterreichgvat/


∗∗∗ Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom ∗∗∗
---------------------------------------------
Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the RemCom hacking tool, both of which enable lateral movement across a breached network.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-blackcats-sphynx-ransomware-embeds-impacket-remcom/


∗∗∗ From a Zalando Phishing to a RAT, (Fri, Aug 18th) ∗∗∗
---------------------------------------------
Phishing remains a lucrative threat. We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc.). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German retailer of shoes and fashion across Europe. It was the first time that I saw them used in a phishing campaign.
---------------------------------------------
https://isc.sans.edu/diary/rss/30136


∗∗∗ Critical Security Update for Magento Open Source & Adobe Commerce ∗∗∗
---------------------------------------------
Last week, on August 8th, 2023, Adobe released a critical security patch for Adobe Commerce and the Magento Open Source CMS. The patch provides fixes for three vulnerabilities which affect the popular e-commerce platforms. Successful exploitation could lead to arbitrary code execution, privilege escalation and arbitrary file system read.
---------------------------------------------
https://blog.sucuri.net/2023/08/critical-security-update-for-magento-adobe-commerce.html


∗∗∗ New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools ∗∗∗
---------------------------------------------
Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's [...]
---------------------------------------------
https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.html


∗∗∗ Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams ∗∗∗
---------------------------------------------
[...] another 3 years have gone by and this campaign is still going as if nothing has happened. The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts. [...] This blog post summarizes our latest findings and provides indicators of compromise that may be helpful to the security community.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2


∗∗∗ Recapping the top stories from Black Hat and DEF CON ∗∗∗
---------------------------------------------
If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-aug-17-2023/


∗∗∗ NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security ∗∗∗
---------------------------------------------
A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News. "Running as 'NT AUTHORITY\SYSTEM' is required."
---------------------------------------------
https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html


∗∗∗ Commentary on the Azure master key theft: Microsoft's reaction speaks volumes ∗∗∗
---------------------------------------------
Microsoft let a signing key for Azure get stolen. The scope of the attack is still unclear. That is irresponsible, comments Oliver Diedrich.
---------------------------------------------
https://heise.de/-9258697


∗∗∗ Fake booking page for Hotel Regina ∗∗∗
---------------------------------------------
Planning a holiday in Vienna? Be careful if you want to book the Hotel Regina. Criminals have put a fake booking page online. The web address of the fraudulent booking page is regina-hotel-vienna.h-rez.com. If you book there, criminals steal your personal data and credit card details.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-buchungsseite-vom-hotel-regina/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability. By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices. CVE IDs: CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution


∗∗∗ K30444545 : libxslt vulnerability CVE-2019-11068 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K30444545


∗∗∗ IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027948


∗∗∗ IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027944


∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote information transfer due to CouchDB CVE-2023-26268 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028066


∗∗∗ Multiple vulnerabilities affect IBM SDK, Java Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028074


∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028087


∗∗∗ A security vulnerability has been identified in Apache POI, which is vulnerable to denial of service (CVE-2017-5644) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/711741


∗∗∗ AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028095


∗∗∗ RESTEasy component used by IBM Maximo Application Suite is vulnerable to CVE-2023-0482 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028099


∗∗∗ netplex json-smart-v2 component used by IBM Maximo Application Suite is vulnerable to CVE-2023-1370 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028097

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily