[CERT-daily] Tageszusammenfassung - 17.04.2023

Daily end-of-shift report team at cert.at
Mon Apr 17 19:18:33 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 14-04-2023 18:00 − Montag 17-04-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Juice Jacking: FBI warnt ohne Anlass vor öffentlichen USB-Ladestationen ∗∗∗
---------------------------------------------
Angreifer könnten USB-Ladestationen an Flughäfen & Co. kompromittieren, um so Malware auf Smartphones zu schieben. Das ist jedoch nicht wirklich aktuell.
---------------------------------------------
https://heise.de/-8966067


∗∗∗ Zero-Day: Pinduoduo konnte Daten stehlen und Malware installieren ∗∗∗
---------------------------------------------
Die chinesische Android-App Pinduoduo konnte eine Zero-Day-Lücke in Android missbrauchen. Die CISA mahnt zum Anwenden des Android-Updates.
---------------------------------------------
https://heise.de/-8968204


∗∗∗ Sonderupdate: Google Chrome 112.0.5615.121 und Edge 112.0.1722.48 ∗∗∗
---------------------------------------------
Google hat zum 14. April 2023 außerplanmäßig Updates des Google Chrome Browsers 112 im Extended und Stable Channel für Mac, Linux und Windows freigegeben. Microsoft hat gleichzeitig den Edge Version 112 aktualisiert. Es sind Sicherheitsupdates, welche die als hoch eingestufte Schwachstelle CVE-2023-2033 schließen.
---------------------------------------------
https://www.borncity.com/blog/2023/04/16/google-chrome-112-0-5615-121-sonderupdate/


∗∗∗ Dating: Auf live-treffen.com & royacca.com chatten Sie kostenpflichtig mit Fake-Profilen ∗∗∗
---------------------------------------------
Auf den Dating-Plattformen live-treffen.com & royacca.com finden Sie schnell interessante Menschen. Ob es sich dabei um echte Personen handelt, ist unklar, denn die Plattformen nutzen „professionelle Animateure“, die mit Ihnen chatten. Das Problem dabei: Jede Nachricht kostet und Sie wissen nicht, ob Sie mit echten oder fiktiven Profilen schreiben.
---------------------------------------------
https://www.watchlist-internet.at/news/dating-auf-live-treffencom-royaccacom-chatten-sie-kostenpflichtig-mit-fake-profilen/


∗∗∗ Android malware infiltrates 60 Google Play apps with 100M installs ∗∗∗
---------------------------------------------
A new Android malware named Goldoson has infiltrated the platforms official app store, Google Play, through 60 apps that collectively have 100 million downloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/


∗∗∗ Hackers start abusing Action1 RMM in ransomware attacks ∗∗∗
---------------------------------------------
Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/


∗∗∗ QBot banker delivered through business correspondence ∗∗∗
---------------------------------------------
In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mails that were based on real business letters the attackers had gotten access to.
---------------------------------------------
https://securelist.com/qbot-banker-business-correspondence/109535/


∗∗∗ FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks ∗∗∗
---------------------------------------------
A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed Domino, is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer [...]
---------------------------------------------
https://thehackernews.com/2023/04/fin7-and-ex-conti-cybercrime-gangs-join.html


∗∗∗ Bypassing Windows Defender (10 Ways) ∗∗∗
---------------------------------------------
In this article I will be explaining 10 ways/techniques to bypass a fully updated Windows system with up-to-date Windows Defender intel in order to execute unrestricted code (other than permissions/ACLs, that is).
---------------------------------------------
https://www.fo-sec.com/articles/10-defender-bypass-methods


∗∗∗ LockBit Ransomware Group Developing Malware to Encrypt Files on macOS ∗∗∗
---------------------------------------------
The LockBit ransomware gang is developing malware designed to encrypt files on macOS systems and researchers have analyzed if it poses a real threat.
---------------------------------------------
https://www.securityweek.com/lockbit-ransomware-group-developing-malware-to-encrypt-files-on-macos/


∗∗∗ Trigona Ransomware Attacking MS-SQL Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered in October 2022, and Unit 42 has recently published a report based on the similarity between Trigona and the CryLock ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/51343/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, rails, and ruby-rack), Fedora (firefox, ghostscript, libldb, samba, and tigervnc), Mageia (ceph, davmail, firefox, golang, jpegoptim, libheif, python-certifi, python-flask-restx, thunderbird, and tomcat), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (apache2-mod_auth_openidc, aws-nitro-enclaves-cli, container-suseconnect, firefox, golang-github-prometheus-prometheus, harfbuzz, java-1_8_0-ibm, kernel, liblouis, php7, tftpboot-installation images, tomcat, and wayland), and Ubuntu (chromium-browser, imagemagick, kamailio, and libreoffice).
---------------------------------------------
https://lwn.net/Articles/929303/


∗∗∗ K000133522 : Apache mod_proxy_wstunnel vulnerability CVE-2019-17567 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133522?utm_source=f5support&utm_medium=RSS


∗∗∗ Microsoft Defender Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24934


∗∗∗ Vulnerabilities in Samba shipped with IBM OS Image for Red Hat Enterprise Linux System (CVE-2022-32742) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983851


∗∗∗ IBM Workload Scheduler potentially affected by a vulnerability found in Json-smart library (CVE-2023-1370) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984157


∗∗∗ There is a security vulnerability in Node.js http-cache-semantics module used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-25881) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984165


∗∗∗ IBM Cloud Pak for Network Automation 2.4.5 addresses multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984171


∗∗∗ IBM Db2\u00ae Graph is vulnerable to remote execution of arbitrary commands due to Node.js CVE-2022-43548 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984185

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list