[CERT-daily] Tageszusammenfassung - 04.04.2023

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 03-04-2023 18:00 − Dienstag 04-04-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ WinRAR SFX archives can run PowerShell without being detected ∗∗∗
---------------------------------------------
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/


∗∗∗ Analyzing the efile.com Malware "efail", (Tue, Apr 4th) ∗∗∗
---------------------------------------------
Yesterday, I wrote about efile.com serving malicious ake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29712


∗∗∗ Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies ∗∗∗
---------------------------------------------
Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/


∗∗∗ Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions ∗∗∗
---------------------------------------------
Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files That's going to change going forward.
---------------------------------------------
https://thehackernews.com/2023/04/microsoft-tightens-onenote-security-by.html


∗∗∗ A fresh look at user enumeration in Microsoft Teams ∗∗∗
---------------------------------------------
The technique to enumerate user details and presence information via Microsoft Teams is not new and was described in a blog post by immunit.ch and their tool "TeamsUserEnum". This blog post adds more information related to user enumeration via Teams and covers different endpoints used by different account types.
---------------------------------------------
https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/


∗∗∗ Internationaler Monat zur Betrugsbekämpfung: Vorsicht vor Dark Patterns ∗∗∗
---------------------------------------------
Im März 2023 jährt sich der internationale Monat zur Betrugsbekämpfung („ICPEN Fraud Prevention Month"). Das diesjährige Schwerpunktthema sind Dark Patterns. Dark Patterns sind irreführende Designelemente und Webseiten-Gestaltungen, mit denen versucht wird, User:innen zu Entscheidungen zu verleiten, die nicht in ihrem besten Interesse liegen. Was Dark Patterns genau sind, wie Sie diese erkennen und sich am besten schützen, erfahren Sie hier!
---------------------------------------------
https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-dark-patterns/


∗∗∗ Lebenslauf-Editor auf zety.de führt in Abo-Falle ∗∗∗
---------------------------------------------
Auf zety.de können Sie angeblich professionelle Lebensläufe und Bewerbungen erstellen. Per Klick wählen Sie eine gewünschte Vorlage und befüllen sie mit Ihren Daten – scheinbar kostenlos. Erst wenn Sie Ihr Dokument herunterladen möchten, erfahren Sie, dass der Dienst doch nicht gratis ist. Wenn Sie überweisen, schließen Sie ein Abo ab!
---------------------------------------------
https://www.watchlist-internet.at/news/lebenslauf-editor-auf-zetyde-fuehrt-in-abo-falle/


∗∗∗ Weitere Informationen zu Angriffen gegen 3CX Desktop App ∗∗∗
---------------------------------------------
Seit der Veröffentlichung unserer letzten Meldung zu den Angriffen gegen die bzw. durch Missbrauch der 3CX Desktop App sind inzwischen weitere Details und neue Informationen bekannt geworden. Die wichtigsten Details in dieser Hinsicht sind: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/4/weitere-informationen-zu-angriffen-gegen-3cx-desktop-app


∗∗∗ Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities ∗∗∗
---------------------------------------------
The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities.
Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.
---------------------------------------------
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/


∗∗∗ Rorschach – A New Sophisticated and Fast Ransomware ∗∗∗
---------------------------------------------
Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups.
The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). 
---------------------------------------------
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID ∗∗∗
---------------------------------------------
The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predicatble DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.[..]  The uClibc library has not been updated since May of 2012.
---------------------------------------------
https://kb.cert.org/vuls/id/473698


∗∗∗ Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server (CVE-2022-43769, CVE-2022-43939, CVE-2022-43773, CVE-2022-43938) ∗∗∗
---------------------------------------------
A few months ago I was working on an engagement where Pentaho was used to collect data and generate reports. [..] I found a total of eight vulnerabilties, three of which enable command execution on the residing host. [..] 31 March 2023: Vendor released patches, but no public CVE disclosure.
---------------------------------------------
https://research.aurainfosec.io/pentest/pentah0wnage/


∗∗∗ Nexx Smart Home Device ∗∗∗
---------------------------------------------
AFFECTED PRODUCTS
 - Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
 - Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
 - Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01


∗∗∗ Patchday: Android-Lücken mit kritischem Risiko gestopft ∗∗∗
---------------------------------------------
Zum April-Patchday hat Google Sicherheitslücken im Android-Betriebssystem geschlossen, die die Entwickler teils als kritisch einstufen.
---------------------------------------------
https://heise.de/-8522365


∗∗∗ Sophos: Kritische Sicherheitslücke in Web-Appliance ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
Sophos hat in der Web Appliance (SWA) Sicherheitslücken geschlossen, die Angreifern etwa das Ausführen beliebigen Codes ermöglichen.
---------------------------------------------
https://heise.de/-8525279


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (openbgpd and seamonkey), Red Hat (httpd:2.4, kernel, kernel-rt, and pesign), SUSE (compat-openssl098, dpdk, drbd, ImageMagick, nextcloud, openssl, openssl-1_1, openssl-3, openssl1, oracleasm, pgadmin4, terraform-provider-helm, and yaml-cpp), and Ubuntu (haproxy, ldb, samba, and vim).
---------------------------------------------
https://lwn.net/Articles/928294/


∗∗∗ Netty Vulnerabilites 4.0.37 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980407


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980411


∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980457


∗∗∗ Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962855


∗∗∗ IBM Aspera Faspex 5.0.5 has addressed CVE-2022-4304 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980501


∗∗∗ IBM Security Verify Access Appliance includes components with known vulnerabilities (CVE-2022-29154, CVE-2022-0391) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980521


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980519


∗∗∗ Vulnerability in py library affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2022-42969] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980723


∗∗∗ Vulnerability in cryptography affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2023-0286] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980351


∗∗∗ A security vulnerability has been identified in WebSphere\u00ae Application Server shipped with IBM\u00ae Intelligent Operations Center (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980725


∗∗∗ IBM Event Streams is affected by vulnerabilities in the jsonwebtoken package (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980727


∗∗∗ IBM Event Streams is affected by vulnerabilities in Node.js (CVE-2022-25927 and CVE-2022-25881) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980735


∗∗∗ IBM Event Streams is affected by a vulnerability in Apache Kafka (CVE-2023-25194) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980743


∗∗∗ IBM Event Streams is vulnerable to a denial of service due to Redis (CVE-2023-25155) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980747


∗∗∗ Multiple vulnerabilities have been identified in IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980737


∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956289


∗∗∗ CVE-2022-41721 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980755


∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963075


∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215


∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963650


∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963077


∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960211


∗∗∗ There are several vulnerabilities in Bootstrap used by IBM Maximo Asset Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980757


∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828569

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily