===================== = End-of-Day report = =====================
Timeframe: Friday 26-05-2023 18:00 − Tuesday 30-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
===================== = News = =====================
∗∗∗ QBot malware abuses Windows WordPad EXE to infect devices ∗∗∗ --------------------------------------------- The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-w...
∗∗∗ Hot Pixels attack checks CPU temp, power changes to steal data ∗∗∗ --------------------------------------------- A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the target's browser and infer the navigation history. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hot-pixels-attack-checks-cpu-...
∗∗∗ Android apps with spyware installed 421 million times from Google Play ∗∗∗ --------------------------------------------- A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-ins...
∗∗∗ Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files, (Mon, May 29th) ∗∗∗ --------------------------------------------- I was asked how to analyze Office Documents that are embedded inside PPT files. PPT is the "standard" binary format for PowerPoint, it's an olefile. You can analyze it with oledump.py --------------------------------------------- https://isc.sans.edu/diary/rss/29894
∗∗∗ Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT, (Tue, May 30th) ∗∗∗ --------------------------------------------- Also known as DBatLoader, ModiLoader is malware that retrieves and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware. Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29. --------------------------------------------- https://isc.sans.edu/diary/rss/29896
∗∗∗ Beware of the new phishing technique “file archiver in the browser” that exploits zip domains ∗∗∗ --------------------------------------------- “file archiver in the browser” is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain. --------------------------------------------- https://securityaffairs.com/146828/cyber-crime/file-archiver-in-the-browser-...
∗∗∗ Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data ∗∗∗ --------------------------------------------- A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could potentially be exploited to obtain access to confidential data. --------------------------------------------- https://thehackernews.com/2023/05/severe-flaw-in-google-clouds-cloud-sql.htm...
∗∗∗ Beware of fake service phone numbers when googling! ∗∗∗ --------------------------------------------- On some websites, finding a service phone number turns out to be a complicated undertaking. It is therefore often easier to look for the contact details directly via the search engine rather than on the company's own website. But be careful: criminals mix fake pages and fake numbers in among the genuine contact details, and use them to steal your money and data. A current example is fake numbers for the airline Ryanair! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-service-telefonnumm...
===================== = Vulnerabilities = =====================
∗∗∗ OpenSSL 3.0 Series Release Notes [30 May 2023] ∗∗∗ ---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)
--------------------------------------------- https://www.openssl.org/news/openssl-3.0-notes.html
∗∗∗ OpenSSL 1.1.1 Series Release Notes [30th May 2023] ∗∗∗ ---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)
--------------------------------------------- https://www.openssl.org/news/openssl-1.1.1-notes.html
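The CVE-2023-2650 entry in both OpenSSL release notes above concerns the cost of turning a DER OBJECT IDENTIFIER into dotted-decimal text: OBJ_obj2txt() must convert each base-128 sub-identifier to a decimal number, and a single sub-identifier hundreds of bytes long makes that conversion very slow. The decoder below is an added example written for this report, not OpenSSL code. It parses the sub-identifiers by the X.690 rules and rejects any sub-identifier longer than a byte cap before converting it, so the check costs nothing on real-world OIDs and stops the hostile input early. The cap MAX_SUBID_BYTES = 40 is this example's own assumption, not OpenSSL's exact mitigation; the sample inputs (sha256WithRSAEncryption, commonName, and a constructed OID carrying a 1001-bit sub-identifier) are built inline.

```python
"""Bounded DER OBJECT IDENTIFIER decoder (added example, not OpenSSL code).

OpenSSL's OBJ_obj2txt() turns the base-128 sub-identifiers of a DER OID into
dotted-decimal text. CVE-2023-2650 is a denial of service: a sub-identifier
hundreds of bytes long makes that conversion very slow. This decoder applies
the X.690 rules and rejects any sub-identifier longer than MAX_SUBID_BYTES
before converting it. MAX_SUBID_BYTES = 40 is this example's own assumption,
not OpenSSL's exact mitigation.
"""

MAX_SUBID_BYTES = 40  # assumption: far above any sub-identifier in real certificates


class OidError(ValueError):
    """Raised for malformed, truncated or oversized OID encodings."""


def decode_oid_content(content: bytes, max_subid_bytes=MAX_SUBID_BYTES) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER (tag and length removed).

    Pass max_subid_bytes=None to see what an unbounded decoder would return.
    """
    if not content:
        raise OidError("empty OBJECT IDENTIFIER")
    subids, value, nbytes = [], 0, 0
    for b in content:
        if nbytes == 0 and b == 0x80:
            raise OidError("non-minimal sub-identifier (leading 0x80 octet)")
        nbytes += 1
        # The cap is enforced per octet, so a gigantic sub-identifier is
        # refused long before any big-number work happens.
        if max_subid_bytes is not None and nbytes > max_subid_bytes:
            raise OidError(f"sub-identifier longer than {max_subid_bytes} bytes")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # bit 8 clear: last octet of this sub-identifier
            subids.append(value)
            value, nbytes = 0, 0
    if nbytes:
        raise OidError("truncated: continuation bit set on final octet")
    # X.690 packs the first two arcs as 40*X + Y; X is 0 or 1 only while Y < 40.
    first = subids[0]
    x, y = divmod(first, 40) if first < 80 else (2, first - 80)
    return ".".join(str(n) for n in [x, y] + subids[1:])


def decode_oid_der(der: bytes, max_subid_bytes=MAX_SUBID_BYTES) -> str:
    """Decode a complete DER TLV with tag 0x06 and a definite length."""
    if len(der) < 2 or der[0] != 0x06:
        raise OidError("not an OBJECT IDENTIFIER TLV")
    length, pos = der[1], 2
    if length & 0x80:  # long-form length: 0x8N followed by N length octets
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise OidError("unsupported or truncated length octets")
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    content = der[pos:pos + length]
    if len(content) != length:
        raise OidError("content shorter than declared length")
    return decode_oid_content(content, max_subid_bytes)


def check_oid(der: bytes, max_subid_bytes=MAX_SUBID_BYTES):
    """Return ('ok', dotted) or ('rejected', reason) without raising."""
    try:
        return "ok", decode_oid_der(der, max_subid_bytes)
    except OidError as exc:
        return "rejected", str(exc)


def _encode_subid(n: int) -> bytes:
    # Base-128, big-endian, continuation bit set on all but the last octet.
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER TLV (used here to build the hostile input)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = b"".join(_encode_subid(n) for n in [arcs[0] * 40 + arcs[1]] + arcs[2:])
    return bytes([0x06]) + _der_length(len(body)) + body


if __name__ == "__main__":
    # Constructed inputs: sha256WithRSAEncryption, and a hostile OID whose
    # third sub-identifier is 1001 bits (143 octets) long.
    benign = bytes.fromhex("06092a864886f70d01010b")
    hostile = encode_oid("1.2." + str(1 << 1000))
    print(check_oid(benign))
    print(check_oid(hostile))
    print(check_oid(hostile, max_subid_bytes=None)[1][:40] + "...")
```

The per-octet cap is the point of the example: the decoder never accumulates more than max_subid_bytes octets of a single sub-identifier, so the rejection happens in constant work regardless of how large the attacker makes the encoding. Applications that only parse OIDs they already know (for example by comparing the raw DER bytes against a table) avoid the text conversion entirely.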
∗∗∗ Security vulnerability in Moxa MXsecurity Series endangers critical infrastructure ∗∗∗ --------------------------------------------- A critical security vulnerability in the MXsecurity network monitoring solution puts industrial plants at risk. --------------------------------------------- https://heise.de/-9068382
∗∗∗ Attackers could crash the Wireshark network analysis tool ∗∗∗ --------------------------------------------- In the current Wireshark version, the developers have fixed several security issues. --------------------------------------------- https://heise.de/-9069031
∗∗∗ Nextcloud collaboration suite: vulnerabilities, some high-risk, closed ∗∗∗ --------------------------------------------- The Nextcloud collaboration software contains security vulnerabilities, some of them high-risk. Updated software is available. --------------------------------------------- https://heise.de/-9068654
∗∗∗ VMSA-2023-0011 ∗∗∗ --------------------------------------------- VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0011.html
∗∗∗ Many Vulnerabilities Found in PrinterLogic Enterprise Software ∗∗∗ --------------------------------------------- Vulnerabilities identified in PrinterLogic’s enterprise management printer solution could expose organizations to authentication bypass, SQL injection, cross-site scripting (XSS) and other types of attacks. --------------------------------------------- https://www.securityweek.com/many-vulnerabilities-found-in-printerlogic-ente...
∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker-registry, gpac, libraw, libreoffice, rainloop, and sysstat), Fedora (bottles, c-ares, edk2, libssh, microcode_ctl, python-vkbasalt-cli, rust-buffered-reader, rust-nettle, rust-nettle-sys, rust-rpm-sequoia, rust-sequoia-keyring-linter, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-policy-config, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, rust-sequoia-wot, and xen), SUSE (opera), and Ubuntu (Jhead, linuxptp, and sudo). --------------------------------------------- https://lwn.net/Articles/933165/
∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libssh and sssd), Fedora (microcode_ctl and python3.6), Gentoo (cgal, firefox firefox-bin, openimageio, squashfs-tools, thunderbird thunderbird-bin, tiff, tomcat, webkit-gtk, and xorg-server xwayland), SUSE (c-ares and go1.18-openssl), and Ubuntu (Jhead, node-hawk, node-nth-check, and perl). --------------------------------------------- https://lwn.net/Articles/933246/
∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-a...
∗∗∗ Starlette vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95981715/
∗∗∗ Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnera...
∗∗∗ Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/vulnerability-in-mitsubishi-plc-could-lea...
∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6998795
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6998811
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-27554) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6998813
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999091
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-30441). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999115
∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining [CVE-2023-20860] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999119
∗∗∗ Apache Commons Text vulnerability affects Netcool Operations Insight [CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999133
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-27554) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999213
∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVE-2023-29257, CVE-2023-29255, CVE-2023-27555, CVE-2023-26021, CVE-2023-25930, CVE-2023-26022, CV) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999215
∗∗∗ [All] Expat - CVE-2022-43680 (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999237
∗∗∗ Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to HTTP request splitting attacks (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999241
∗∗∗ IBM Copy Services Manager is vulnerable to cryptographic attacks due to IBM Java 8 vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999269
∗∗∗ IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981113