[CERT-daily] Tageszusammenfassung - 18.07.2023

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 17-07-2023 18:00 − Dienstag 18-07-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks ∗∗∗
---------------------------------------------
The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities.
---------------------------------------------
https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html


∗∗∗ Uncovering drIBAN fraud operations. Chapter 3: Exploring the drIBAN web inject kit ∗∗∗
---------------------------------------------
So far, we have discussed the malspam campaign that started spreading sLoad. Then, we discovered that sLoad is a dropper for Ramnit [..] After that, we also described Ramnit’s capabilities, focusing mainly on its injection and persistence techniques. As a final step, we will discuss drIBAN, a sophisticated and modular web-inject kit that can hide resources, masquerade its presence, and perform large-scale ATS attacks.
---------------------------------------------
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter-3


∗∗∗ Wordpress: Angriffswelle auf Woocommerce Payments läuft derzeit ∗∗∗
---------------------------------------------
Die IT-Forscher von Wordfence beobachten eine Angriffswelle auf das Woocommerce Payments-Plug-in. Es ist auf mehr als 600.000 Websites installiert.
---------------------------------------------
https://heise.de/-9219114


∗∗∗ JavaScript-Sandbox vm2: Neue kritische Schwachstelle, kein Update mehr ∗∗∗
---------------------------------------------
Für die jüngste kritische Sicherheitslücke im Open-Source-Projekt vm2 gibt es keinen Bugfix, sondern der Betreiber rät zum Umstieg auf isolated-vm.
---------------------------------------------
https://heise.de/-9219087


∗∗∗ Verkaufen auf Shpock: Vorsicht, wenn Sie den Kaufbetrag in Ihrer Banking-App "bestätigen" müssen ∗∗∗
---------------------------------------------
Sie verkaufen etwas auf Shpock. Sofort meldet sich jemand und möchte es kaufen. Zeitgleich erhalten Sie ein E-Mail von „TeamShpock“ mit der Information, dass die Ware bezahlt wurde und Sie das Geld anfordern können. Sie werden auf eine "Auszahlungsseite" verlinkt. Vorsicht, diese Vorgehensweise ist Betrug. Wir zeigen Ihnen, wie die Betrugsmasche abläuft und wie Sie sicher auf Shpock verkaufen!
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-shpock-vorsicht-wenn-sie-den-kaufbetrag-in-ihrer-banking-app-bestaetigen-muessen/


∗∗∗ NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing ∗∗∗
---------------------------------------------
This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry recognized practices for the design, deployment, operation, and maintenance of a hardened 5G standalone network slice(s).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/17/nsa-cisa-release-guidance-security-considerations-5g-network-slicing



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Role-based Access Control and Privilege Management in OpenEdge Management (OEM) and in OpenEdge Explorer (OEE) (CVE-2023-34203) ∗∗∗
---------------------------------------------
Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. Non-admin role members were able to obtain unauthorized escalation to admin role privileges where unrestricted OEM and OEE capabilities were available to the user.
---------------------------------------------
https://community.progress.com/s/article/Role-based-Access-Control-and-Privilege-Management-in-OEM


∗∗∗ Bad.Build: A Critical Privilege Escalation Design Flaw in Google Cloud Build Enables a Supply Chain Attack ∗∗∗
---------------------------------------------
The flaw presents a significant supply chain risk since it allows attackers to maliciously tamper with application images, which can then infect users and customers when they install the application. [..] Orca Security immediately reported the findings to the Google Security Team, who investigated the issue and deployed a partial fix. However, Google’s fix doesn’t revoke the discovered Privilege Escalation (PE) vector. It only limits it – turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk.
---------------------------------------------
https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-1.8.0-openjdk), Red Hat (bind, bind9.16, curl, edk2, java-1.8.0-ibm, kernel, kernel-rt, and kpatch-patch), SUSE (iniparser, installation-images, java-1_8_0-ibm, kernel, libqt5-qtbase, nodejs16, openvswitch, and ucode-intel), and Ubuntu (linux-oem-6.0 and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/938488/


∗∗∗ Sicherheitslücken, teils kritisch, in Citrix/Netscaler ADC und Gateway - aktiv ausgenützt - Updates verfügbar ∗∗∗
---------------------------------------------
Eine kritische Schwachstelle in Citrix/Netscaler ADC und Citrix Gateway erlaubt es unauthentisierten Angreifenden, beliebigen Code auszuführen. Diese Schwachstelle wird auch bereits aktiv ausgenützt. Weitere mit diesen Updates geschlossene Sicherheitslücken betreffen Reflected Cross Site Scripting (XSS) sowie Privilege Escalation.
---------------------------------------------
https://cert.at/de/warnungen/2023/7/sicherheitslucken-teil-kritisch-in-citrixnetscaler-adc-und-gateway-updates-verfugbar


∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and WLAN controllers ∗∗∗
---------------------------------------------
Zyxel has released patches addressing multiple vulnerabilities in some firewall and WLAN controller versions. Users are advised to install the patches for optimal protection.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012613


∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2020-28473] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012387


∗∗∗ IBM Security Verify Governance has multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012649


∗∗∗ IBM Security Verify Governance has multiple vulnerabilities (CVE-2022-41946, CVE-2022-46364, CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012647


∗∗∗ Vulnerabilities in httpclient library affects IBM Engineering Test Management (ETM) (CVE-2020-13956) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012659


∗∗∗ Vulnerabilities in Commons Codec library affects IBM Engineering Test Management (ETM) (IBM X-Force ID:177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012657


∗∗∗ Vulberability in Apache commons io library affects IBM Engineering Test Management (ETM) (CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012661


∗∗∗ Vulnerability in Junit library affects IBM Engineering Test Management (ETM) ( CVE-2020-15250) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012663


∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011767


∗∗∗ Netcool Operations Insights 1.6.9 addresses multiple security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012675


∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012711


∗∗∗ Daeja ViewONE may be affected by Bouncy Castle Vulnerability (CVE-2023-33201) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012809


∗∗∗ Rockwell Automation Kinetix 5700 DC Bus Power Supply ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-01


∗∗∗ ​Weintek Weincloud ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04


∗∗∗ ​Keysight N6845A Geolocation Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-02


∗∗∗ ​GeoVision GV-ADR2701 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05


∗∗∗ WellinTech KingHistorian ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-07


∗∗∗ Iagona ScrutisWeb ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03


∗∗∗ GE Digital CIMPLICITY ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-06

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily