[CERT-daily] Tageszusammenfassung - 31.08.2023

Thu Aug 31 18:09:55 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 30-08-2023 18:00 − Donnerstag 31-08-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature ∗∗∗
---------------------------------------------
A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud."The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques [..]
---------------------------------------------
https://thehackernews.com/2023/08/mmrat-android-trojan-executes-remote.html


∗∗∗ North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository ∗∗∗
---------------------------------------------
Three additional malicious Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors.The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro.
---------------------------------------------
https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html


∗∗∗ CISA and FBI Publish Joint Advisory on QakBot Infrastructure ∗∗∗
---------------------------------------------
CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/30/cisa-and-fbi-publish-joint-advisory-qakbot-infrastructure


∗∗∗ Converting Tokens to Session Cookies for Outlook Web Application ∗∗∗
---------------------------------------------
More and more organizations are adopting cloud-based solutions and federating with various identity providers. As these deployments increase in complexity, ensuring that Conditional Access Policies (CAPs) always act as expected can become a challenge. Today, we will share a technique weve been using to gain access to Outlook Web Application (OWA) in a browser by utilizing Bearer and Refresh tokens for the outlook.office365.com or outlook.office.com endpoints.
---------------------------------------------
https://labs.lares.com/owa-cap-bypass/


∗∗∗ Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework ∗∗∗
---------------------------------------------
Starting with Windows Server 2016, Microsoft released its own version of this solution, Windows Containers, which offers process and Hyper-V isolation modes. The presentation covered the basics of Windows containers, broke down its file system isolation framework, reverse-engineered its main mini-filter driver, and detailed how it can be utilized and manipulated by a bad actor to bypass EDR products in multiple domains.
---------------------------------------------
https://www.deepinstinct.com/blog/contain-yourself-staying-undetected-using-the-windows-container-isolation-framework


∗∗∗ NosyMonkey: API hooking and code injection made easy ∗∗∗
---------------------------------------------
As a researcher I often run into situations in which I need to make a compiled binary do things that it wouldn’t normally do or change the way it works in some way. [..] Enter, NosyMonkey: a library to inject code and place hooks that does almost everything for you. No need to write complicated ASM shellcode, or even think about allocating code, hot patching and other dirty business.
---------------------------------------------
https://www.anvilsecure.com/blog/nosymonkey.html


∗∗∗ Bypassing Defender’s LSASS dump detection and PPL protection In Go ∗∗∗
---------------------------------------------
This blog reviews the technique that can be used to bypass Protected Process Light protection for any Windows process using theProcess Explorer driver and explores methods to bypass Windows Defender’s signature-based mechanisms for process dump detection. The tool introduced in this blog (PPLBlade), is written entirely in GO and can be used as a POC for the techniques overviewed below.
---------------------------------------------
https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-and-ppl-protection-in-go-7dd85d9a32e6


∗∗∗ Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows ∗∗∗
---------------------------------------------
In today’s post, we look at action pinning, one of the profound mitigations against supply chain attacks in the GitHub Actions ecosystem. It turns out, though, that action pinning comes with a downside — a pitfall we call "unpinnable actions" that allows attackers to execute code in GitHub Actions workflows.
---------------------------------------------
https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/


∗∗∗ Trojanized Signal, Telegram apps found on Google Play, Samsung Galaxy Store ∗∗∗
---------------------------------------------
ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications [..]
---------------------------------------------
https://www.helpnetsecurity.com/2023/08/31/fake-signal-telegram-apps/


∗∗∗ Infamous Chisel Malware Analysis Report ∗∗∗
---------------------------------------------
Infamous Chisel is a collection of components targeting Android devices.This malware is associated with Sandworm activity.It performs periodic scanning of files and network information for exfiltration.System and application configuration files are exfiltrated from an infected device.
---------------------------------------------
https://www.cisa.gov/news-events/analysis-reports/ar23-243a


∗∗∗ A Deep Dive into Brute Ratel C4 payloads ∗∗∗
---------------------------------------------
Summary Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework.
---------------------------------------------
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ WordPress migration add-on flaw could lead to data breaches ∗∗∗
---------------------------------------------
All-in-One WP Migration, a popular data migration plugin for WordPress sites that has 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-flaw-could-lead-to-data-breaches/


∗∗∗ Wordpress: Cloud-Extensions für Migrationstool ermöglichen Datenklau ∗∗∗
---------------------------------------------
Die Box-, Google-Drive-, Onedrive- und Dropbox-Erweiterungen für ein weitverbreitetes Wordpress-Migrations-Plug-in sind anfällig für Datenklau.
---------------------------------------------
https://www.golem.de/news/wordpress-cloud-extensions-fuer-migrationstool-ermoeglichen-datenklau-2308-177253.html


∗∗∗ Drupal: Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041 ∗∗∗
---------------------------------------------
This module makes PatternLab's custom Twig functions available to Drupal theming.
The module's included examples don't sufficiently filter data.
This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-041


∗∗∗ Drupal: Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042 ∗∗∗
---------------------------------------------
This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesnt sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-042


∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-243-01 ARDEREG Sistemas SCADA, CVE-2023-4485
* ICSA-23-243-02 GE Digital CIMPLICITY, CVE-2023-4487
* ICSA-23-243-03 PTC Kepware KepServerEX, CVE-2023-29444, CVE-2023-29445, CVE-2023-29446, CVE-2023-29447
* ICSA-23-243-04 Digi RealPort Protocol, CVE-2023-4299
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/31/cisa-releases-four-industrial-control-systems-advisories


∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf Aruba-Switches möglich ∗∗∗
---------------------------------------------
Verschiedene Switch-Modelle von Aruba sind verwundbar. Abgesicherte Ausgaben von ArubaOS schaffen Abhilfe.
---------------------------------------------
https://heise.de/-9290375


∗∗∗ Big Data: Splunk dichtet hochriskante Lücken ab ∗∗∗
---------------------------------------------
Die Big-Data-Experten von Splunk haben aktualisierte Software bereitgestellt, die teils hochriskante Schwachstellen in der Analysesoftware ausbessert.
---------------------------------------------
https://heise.de/-9290325


∗∗∗ VMware Tools: Schwachstelle ermöglicht Angreifern unbefugte Aktionen in Gästen ∗∗∗
---------------------------------------------
VMware warnt vor einer Sicherheitslücke in VMware Tools. Sie ermöglicht eine Man-in-the-Middle-Attacke auf Gastsysteme.
---------------------------------------------
https://heise.de/-9290783


∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023) ∗∗∗
---------------------------------------------
Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-august-21-2023-to-august-27-2023/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, json-c, opendmarc, and otrs2), Red Hat (java-1.8.0-ibm and kpatch-patch), Scientific Linux (kernel), Slackware (mozilla), SUSE (haproxy, php7, vim, and xen), and Ubuntu (elfutils, frr, and linux-gcp, linux-starfive).
---------------------------------------------
https://lwn.net/Articles/943192/


∗∗∗ Mozilla Releases Security Updates for Firefox and Firefox ESR ∗∗∗
---------------------------------------------
Mozilla has released security updates to address vulnerabilities for Firefox 117, Firefox ESR 115.2, and Firefox ESR 102.15. A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/30/mozilla-releases-security-updates-firefox-and-firefox-esr


∗∗∗ Weitere Windows-Rechteausweitung über Razer Synapse (SYSS-2023-002) ∗∗∗
---------------------------------------------
In Razer Synapse kann über eine Time-of-check Time-of-use Race Condition die Überprüfung fremder Bibliotheken durch den Dienst überlistet werden.
---------------------------------------------
https://www.syss.de/pentest-blog/weitere-windows-rechteausweitung-ueber-razer-synapse-syss-2023-002


∗∗∗ Cisco Unified Communications Products Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg


∗∗∗ Multiple vulnerabilities in IBM Storage Defender Data Protect ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029861


∗∗∗ Security Vulnerability in the IBM Java Runtime Environment (JRE) affect the 3592 Enterprise Tape Controller ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/691223


∗∗∗ Vulnerability in SSLv3 affects IBM System Storage Tape Controller 3592 Model C07 (CVE-2014-3566) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690117


∗∗∗ IBM Java Runtime (JRE) security vulnerabilities CVE-2022-21426 in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983442


∗∗∗ Security vulnerability in IBM Java Object Request Broker (ORB) in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027874


∗∗∗ IBM Java Runtime (JRE) security vulnerabilities CVE-2023-21830, CVE-2023-21843 in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983440


∗∗∗ Multiple Security vulnerabilities in IBM Java in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001699


∗∗∗ IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029864


∗∗∗ TADDM affected by vulnerability due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029984


∗∗∗ Due to use of Mozilla Firefox, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029986


∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are used in IBM Security Guardium Key Lifecycle Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7006475


∗∗∗ A vulnerability in Microsoft ASP.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2022-29117) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029527


∗∗∗ A vulnerability in Microsoft Azure SDK for .NET affects IBM Robotic Process Automation and could allow a remote authenticated attacker to obtain sensitive information (CVE-2022-26907). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029524


∗∗∗ Multiple security vulnerabilities affect IBM Robotic Process Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7026754


∗∗∗ A vulnerability in MicrosoftAspNetCore.Identity affects IBM Robotic Process Automation and may result in allowing an attacker to bypass secrity restrictions (CVE-2023-33170). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029540


∗∗∗ Multiple security vulnerabilities in Java affect IBM Robotic Process Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7026758


∗∗∗ IBM Security Guardium is affected by an Hazardous Input Validation vulnerability (CVE-2022-43903) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030110


∗∗∗ IBM MQ is affected by OpenSSL vulnerability (CVE-2023-2650) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030100


∗∗∗ IBM MQ is affected by a sensitive information disclosure vulnerability (CVE-2023-28514) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030101


∗∗∗ IBM MQ is affected by a denial of service vulnerability (CVE-2023-28513) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030102


∗∗∗ IBM MQ is vulnerable to a denial of service attack (CVE-2023-26285) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030103


∗∗∗ IBM Edge Application Manager 4.5.2 addresses the security vulnerabilities listed in the CVEs below. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030159

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily