[CERT-daily] Tageszusammenfassung - 18.04.2023

Tue Apr 18 20:35:36 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 17-04-2023 18:00 − Dienstag 18-04-2023 18:00
Handler:     Stephan Richter
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Recycled Core Routers Exposed Sensitive Corporate Network Info ∗∗∗
---------------------------------------------
Researchers warn about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/recycled-core-routers-exposed-sensitive-corporate-network-info


∗∗∗ YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) thats used to deliver the Aurora information stealer malware.
---------------------------------------------
https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html


∗∗∗ Memory corruption in JCRE: An unpatchable HSM may swallow your private key ∗∗∗
---------------------------------------------
The key has always been a core target of security protection. Due to the limitation of key slots, most cryptocurrency hardware wallets use MCU chips (such as STM32F205RE) to implement. However, people who have higher security requirements to safeguarding the private keys are often interested in Java cards [...]
---------------------------------------------
https://hardenedvault.net/blog/2023-04-18-java-card-runtime-memory-corruption/


∗∗∗ Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight ∗∗∗
---------------------------------------------
[...] In order to truly protect ourselves from RaaS gangs, we have to ‘peel back the onion’, so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage. One of the most concerning behaviors we’ve observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more.
---------------------------------------------
https://www.malwarebytes.com/blog/business/2023/04/living-off-the-land-lotl-attacks-detecting-ransomware-gangs-hiding-in-plain-sight


∗∗∗ New Captcha Protected Phishing Attack Targets Access to Payroll Files ∗∗∗
---------------------------------------------
We have discovered a new phishing attack that specifically targets individuals who need access to payroll files through Microsoft Teams.
---------------------------------------------
https://cyberwarzone.com/new-captcha-protected-phishing-attack-targets-access-to-payroll-files/


∗∗∗ Sicherheitsupdates: Trend Micro Security macht Windows-PCs verwundbar ∗∗∗
---------------------------------------------
Es gibt ein wichtiges Update für die Anti-Viren-Anwendung Trend Micro Security für Windows.
---------------------------------------------
https://heise.de/-8969449


∗∗∗ US-Behörde: Schwachstelle in altem macOS wird für Angriffe ausgenutzt ∗∗∗
---------------------------------------------
Nach Informationen der Cyber-Sicherheitsbehörde gibt es Hinweise auf aktiv durchgeführte Angriffe. Für sehr alte Macs liegen keine Patches vor.
---------------------------------------------
https://heise.de/-8970903


∗∗∗ Kleinanzeigenbetrug: Vorsicht, wenn jemand per Scheck bezahlen möchte ∗∗∗
---------------------------------------------
Sie verkaufen ein Fahrrad auf Ländleanzeiger.at. Ein Interessent meldet sich und möchte es kaufen. Weil der Interessent gerade keinen Zugriff auf sein Bankkonto hat, möchte er es per Scheck bezahlen. Nach einigen Tagen kommt tatsächlich ein Scheck an – aber mit einem viel zu hohen Betrag. Vorsicht: Der Scheck ist Fake. Brechen Sie den Kontakt ab, Sie werden betrogen.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-wenn-jemand-per-scheck-bezahlen-moechte/


∗∗∗ Shodan Verified Vulns 2023-04-01 ∗∗∗
---------------------------------------------
Mit Stand 2023-04-01 sieht Shodan in Österreich die folgenden Schwachstellen: Dieses Monat stechen keine wirklich nennenswerten Veränderungen ins Auge.
---------------------------------------------
https://cert.at/de/aktuelles/2023/4/shodan-verified-vulns-2023-04-01


∗∗∗ APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers ∗∗∗
---------------------------------------------
APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108


∗∗∗ Windows 10/11: Microsoft veröffentlicht Fix für OOBE-Bitlocker-Ausfall-Bug ∗∗∗
---------------------------------------------
Microsoft propagiert zwar Bitlocker zur Verschlüsselung von Laufwerken unter Windows. Aber es gibt immer wieder Bugs, die die Verschlüsselung verhindern oder Dritten unbefugten Zugriff auf verschlüsselte Laufwerke ermöglichen. Ein Microsoft Supporter hat jetzt einen Fall enthüllt, bei dem Bitlocker in der Out-of-the-Box (OOBE) Phase der Windows-Installation nicht aktiviert wird.
---------------------------------------------
https://www.borncity.com/blog/2023/04/18/windows-10-11-microsoft-verffentlicht-fix-fr-oobe-bitlocker-ausfall-bug/


∗∗∗ Automating Qakbot Detection at Scale With Velociraptor ∗∗∗
---------------------------------------------
This blog offers a practical methodology to extract configuration data from recent Qakbot samples.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Garrett: PSA: upgrade your LUKS key derivation function ∗∗∗
---------------------------------------------
[...] the LUKS1 header format, and the only KDF supported in this format is PBKDF2. This is not a memory expensive KDF, and so is vulnerable to GPU-based attacks. But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id.
---------------------------------------------
https://lwn.net/Articles/929343/


∗∗∗ New sandbox escape PoC exploit available for VM2 library, patch now ∗∗∗
---------------------------------------------
Security researchers have released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on the host running the VM2 sandbox. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-exploit-available-for-vm2-library-patch-now/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (protobuf), Fedora (libpcap, libxml2, openssh, and tcpdump), Mageia (kernel and kernel-linus), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (gradle, kernel, nodejs10, nodejs12, nodejs14, openssl-3, pgadmin4, rubygem-rack, and wayland), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/929389/


∗∗∗ Multiple critical vulnerabilities in Strapi versions <=4.7.1 ∗∗∗
---------------------------------------------
Strapi had multiple critical vulnerabilities that could be chained together to gain unauthenticated remote code execution. This is my public disclosure of the vulnerabilities i found in strapi, how they were patched and some nonsensical ramblings.
---------------------------------------------
https://www.ghostccamm.com/blog/multi_strapi_vulns/


∗∗∗ Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/04/hiding-in-plain-sight-cross-site-scripting-vulnerabilities-patched-in-weaver-products/


∗∗∗ Omron CS/CJ Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-108-01


∗∗∗ Spring Security 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 released, fix CVE-2023-20862 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/17/spring-security-6-1-0-rc1-6-0-3-5-8-3-and-5-7-8-released-fix-cve-2023-20862


∗∗∗ Kubernetes kube-apiserver vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982927


∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/search?q=IBM%20Sterling%20Order%20Management


∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984199


∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in libcurl (CVE-2022-32221) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984203


∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854647


∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server and Websphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2023-24998)) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984345


∗∗∗ Security Bulletin: The IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984347


∗∗∗ Vulnerabilities in Apache Shiro (CVE-2022-40664) and Apache Commons FileUpload (CVE-2023-24998) affect IBM WebSphere Service Registry and Repository. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962169


∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984413

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily