[CERT-daily] Tageszusammenfassung - 24.04.2023

Mon Apr 24 18:51:23 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 21-04-2023 18:00 − Montag 24-04-2023 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Decoy Dog malware toolkit found after analyzing 70 billion DNS queries ∗∗∗
---------------------------------------------
A new enterprise-targeting malware toolkit called Decoy Dog has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-dns-queries/


∗∗∗ Open Source: Gelöschte Curl-Instanz zerschießt Windows-Updates ∗∗∗
---------------------------------------------
Auch wenn Security-Scanner vor ungepatchter Software warnen, sollten Windows-Systemkomponenten wie Curl nicht manipuliert werden.
---------------------------------------------
https://www.golem.de/news/open-source-geloeschte-curl-instanz-zerschiesst-windows-updates-2304-173666.html


∗∗∗ New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web ∗∗∗
---------------------------------------------
A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said.
---------------------------------------------
https://thehackernews.com/2023/04/new-all-in-one-evilextractor-stealer.html


∗∗∗ XWorm RAT: Avira-Sicherheitsexperten warnen vor Malware ∗∗∗
---------------------------------------------
Sicherheitsexperten von Avira warnen vor der Malware XWorm RAT
---------------------------------------------
https://heise.de/-8976282


∗∗∗ "Notstart" über CAN-Bus-Hack: Altes Nokia-Handy erlaubt Auto-Diebstahl per Klick ∗∗∗
---------------------------------------------
Der jüngst aufgezeigte CAN-Injection-Angriff auf das Bussystem Controller Area Network zieht weitere Kreise. Es tauchen immer mehr Kits zum "Notstarten" auf.
---------------------------------------------
https://heise.de/-8976444


∗∗∗ Bumblebee-Malware: Opfersuche mit Malvertising für trojanisierte Installer ∗∗∗
---------------------------------------------
IT-Forscher haben trojanisierte Installer für professionelle Software entdeckt. Sie würden mit Malvertising beworben und enthielten den Schädling Bumblebee.
---------------------------------------------
https://heise.de/-8977016


∗∗∗ Fake-Shops für Autoreifen boomen ∗∗∗
---------------------------------------------
Sie suchen im Internet nach günstigen Autoreifen? Nehmen Sie den Online-Shop genau unter die Lupe, es kursieren unzählige Fake-Shops! Die betrügerischen Shops wirken sehr professionell, haben ein Impressum und unschlagbare Preise. Wir zeigen Ihnen, wie Sie Shops überprüfen.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-fuer-autoreifen-boomen/


∗∗∗ TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal ∗∗∗
---------------------------------------------
Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451.
---------------------------------------------
https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal


∗∗∗ Updates and Timeline for 3CX and X_Trader Hacks ∗∗∗
---------------------------------------------
Mandiant revealed this week that the hack of 3CX was actually a double supply-chain hack that first involved hacking and compromising another companys software. Heres a timeline of the events.
---------------------------------------------
https://zetter.substack.com/p/updates-and-timeline-for-3cx-and


∗∗∗ Knapp zwei Drittel der XIoT-Schwachstellen remote ausnutzbar ∗∗∗
---------------------------------------------
Sicherheitstechnisch droht uns wohl ein Desaster - ich habe den State of XIoT Security Report: 2H 2022 von Claroty bereits einige Tage vorliegen. Dieser zeigt zwar die positiven Auswirkungen verstärkter Schwachstellen-Forschung und höheren Investitionen der Anbieter im Hinblick auf die XIoT-Sicherheit. Aber die Botschaft ist auch, dass Zahl der entdeckten Schwachstellen in diesem Bereit um 80 % zugenommen hat. Viele XIoT-Schwachstellen sind zudem remote ausnutzbar.
---------------------------------------------
https://www.borncity.com/blog/2023/04/23/knapp-zwei-drittel-der-xiot-schwachstellen-remote-ausnutzbar/


∗∗∗ ViperSoftX Updates Encryption, Steals Data ∗∗∗
---------------------------------------------
We observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious. We also noted more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html


∗∗∗ Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries ∗∗∗
---------------------------------------------
What if you were told that you had a misconfigured registry with hundreds of millions of software artifacts containing highly confidential and sensitive proprietary code and secrets exposed in your environment right now? This would be what you’d call a really bad day for security. Recently, the Aqua Nautilus research team found just that in some of the world’s largest organizations, including five Fortune 500 companies.
---------------------------------------------
https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges ∗∗∗
---------------------------------------------
The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges.
---------------------------------------------
https://blog.talosintelligence.com/vuln-spotlight-ibm-aix-privilege-escalation/


∗∗∗ APC warns of critical unauthenticated RCE flaws in UPS software ∗∗∗
---------------------------------------------
APCs Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apc-warns-of-critical-unauthenticated-rce-flaws-in-ups-software/


∗∗∗ Jetzt patchen! Angreifer attackieren Druck-Management-Lösung Papercut MF/NG ∗∗∗
---------------------------------------------
Eine kritische Sicherheitslücke gefährdet Systeme, auf denen Papercut läuft. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-8976755


∗∗∗ Solarwinds-Update dichtet zwei hochriskante Sicherheitslücken ab ∗∗∗
---------------------------------------------
Solarwinds stopft mit Software-Updates mehrere Sicherheitslücken, zwei davon gelten als hochriskant. IT-Verantwortliche sollten zügig aktualisieren.
---------------------------------------------
https://heise.de/-8976832


∗∗∗ Sicherheitspatches: Angreifer könnten Nvidia Cuda, DGX-1 & Co. attackieren ∗∗∗
---------------------------------------------
Nvidia hat wichtige Sicherheitsupdates für verschiedene Produkte veröffentlicht. Admins sollten schnell handeln.
---------------------------------------------
https://heise.de/-8976961


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (389-ds-base, chromium, connman, curl, redis, and thunderbird), Fedora (ceph, doctl, dr_libs, ffmpeg, freeimage, golang-github-digitalocean-godo, insight, libreswan, mingw-binutils, mingw-freeimage, mingw-freetype, openvswitch, rnp, suricata, webkitgtk, and wireshark), Mageia (dnsmasq, emacs, openimageio, php-smarty, redis, squirrel/supertux, and tcpdump), Red Hat (emacs), and SUSE (avahi, chromium, dmidecode, indent, jettison, openssl, openstack-cinder, openstack-nova, python-oslo.utils, and ovmf).
---------------------------------------------
https://lwn.net/Articles/930052/


∗∗∗ Multiple Vulnerabilities in Autodesk® InfraWorks® Software ∗∗∗
---------------------------------------------
Autodesk® InfraWorks® has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Hotfixes are available in the Autodesk Desktop App or the Accounts Portal to help resolve these vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0007


∗∗∗ ZDI-23-451: (Pwn2Own) TP-Link Archer AX21 merge_country_config Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-451/


∗∗∗ ZDI-23-452: (Pwn2Own) TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-452/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily