[CERT-daily] Daily summary - 27.04.2023

Daily end-of-shift report team at cert.at
Thu Apr 27 19:20:39 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Wednesday 26-04-2023 18:00 − Thursday 27-04-2023 18:00
Handler:     Stephan Richter
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Google disrupts the CryptBot info-stealing malware operation ∗∗∗
---------------------------------------------
Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot-info-stealing-malware-operation/


∗∗∗ Cisco discloses XSS zero-day flaw in server management tool ∗∗∗
---------------------------------------------
Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day-flaw-in-server-management-tool/


∗∗∗ LimeRAT Malware Analysis: Extracting the Config ∗∗∗
---------------------------------------------
ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis.
---------------------------------------------
https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html


∗∗∗ Healthy security habits to fight credential breaches: Cyberattack Series ∗∗∗
---------------------------------------------
This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we’ll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/04/26/healthy-security-habits-to-fight-credential-breaches-cyberattack-series/


∗∗∗ Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware ∗∗∗
---------------------------------------------
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp.
---------------------------------------------
https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html


∗∗∗ RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts ∗∗∗
---------------------------------------------
The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system.
---------------------------------------------
https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html


∗∗∗ LUKS: Are old encrypted containers insecure? A guide to updates ∗∗∗
---------------------------------------------
Allegedly, the French police were able to crack a LUKS container. No reason to panic, but an occasion to question passwords and LUKS parameters.
---------------------------------------------
https://heise.de/-8981054


∗∗∗ State of DNS Rebinding in 2023 ∗∗∗
---------------------------------------------
This update documents the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two potential ways to bypass these restrictions.
---------------------------------------------
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/


∗∗∗ Bringing IT & OT Security Together: Part 1 ∗∗∗
---------------------------------------------
Learn about the evolution of converged IT/OT environments and the impact on security control validation in this new blog series.
---------------------------------------------
https://www.safebreach.com/resources/blog/bringing-it-and-ot-security-together-part-1/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Online shop system PrestaShop: Attackers could manipulate the database ∗∗∗
---------------------------------------------
A critical vulnerability threatens online shops built with PrestaShop. Patched versions are available.
---------------------------------------------
https://heise.de/-8980645


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/930367/


∗∗∗ Apache Superset: Vulnerability CVE-2023-27524 enables remote code execution (RCE) ∗∗∗
---------------------------------------------
A brief note for users who run Apache Superset in their environment. In the default configuration, the software can be attacked via a remote code execution vulnerability. This becomes a problem when the server is reachable from the Internet.
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/apache-superset-schwachstelle-cve-2023-27524-ermglicht-remote-code-execution-rce/


∗∗∗ F5: K000133673 : Bootstrap vulnerability CVE-2016-10735 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133673


∗∗∗ F5: K000133652 : Python vulnerability CVE-2018-18074 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133652


∗∗∗ F5: K000133448 : Python urllib3 vulnerability CVE-2019-11324 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133448


∗∗∗ F5: K000133668 : Python urllib3 vulnerability CVE-2018-20060 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133668


∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986343


∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986341


∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986361


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986365


∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985675


∗∗∗ IBM Integration Designer is vulnerable to a denial of service due to commons-fileupload-1.4.jar (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986509


∗∗∗ Vulnerability in libXpm (CVE-2022-4883, CVE-2022-44617 and CVE-2022-46285) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986543


∗∗∗ Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986547


∗∗∗ Multiple publicly disclosed Libcurl vulnerabilities affect IBM Safer Payments ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986573


∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to [CVE-2022-37601] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986575


∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986577


∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986323


∗∗∗ Multiple vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986585


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986619


∗∗∗ Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986617


∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29017] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986625


∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986629


∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986627

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



