[CERT-daily] Tageszusammenfassung - 13.02.2023

Mon Feb 13 18:49:30 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 10-02-2023 18:00 − Montag 13-02-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Erpressungstrojaner Play infiltriert Systeme von A10 Networks ∗∗∗
---------------------------------------------
Angreifer konnten auf interne Daten des Herstellers von Netzwerkgeräten A10 Networks zugreifen. Kundendaten sollen nicht betroffen sein.
---------------------------------------------
https://heise.de/-7493748


∗∗∗ Gefälschtes Therme Wien-Gewinnspiel auf Facebook ∗∗∗
---------------------------------------------
Auf Facebook kursiert momentan ein betrügerisches Gewinnspiel für einen Tagesurlaub inklusive Massage in der Therme Wien. Das Gewinnspiel, das von der Facebook-Seite „Freizeit-Helden“ beworben wird, steht aber in keinem Zusammenhang mit der Therme Wien und sammelt Daten. Nehmen Sie nicht teil und melden Sie das Posting.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-therme-wien-gewinnspiel-auf-facebook/


∗∗∗ Details zur LocalPotato NTLM Authentication-Schwachstelle (CVE-2023-21746) ∗∗∗
---------------------------------------------
Mitte Januar 2023 Monat hatte ich im Blog-Beitrag Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) auf eine lokale NTLM-Authentifizierungsschwachstelle (CVE-2023-21746) hingewiesen. Die Entdecker bezeichnen diese als LocalPotator, hatten seinerzeit aber keine Details offen gelegt. Jetzt wurde dies nachgeholt.
---------------------------------------------
https://www.borncity.com/blog/2023/02/11/details-zur-localpotato-ntlm-authentication-schwachstelle-cve-2023-21746/


∗∗∗ We had a security incident. Here’s what we know. ∗∗∗
---------------------------------------------
TL:DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.
---------------------------------------------
https://www.reddit.com/r/netsec/comments/10y59q2/we_had_a_security_incident_heres_what_we_know/


∗∗∗ Devs targeted by W4SP Stealer malware in malicious PyPi packages ∗∗∗
---------------------------------------------
Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-stealer-malware-in-malicious-pypi-packages/


∗∗∗ Security baseline for Microsoft Edge version 110 ∗∗∗
---------------------------------------------
We are pleased to announce the security review for Microsoft Edge, version 110!  We have reviewed the new settings in Microsoft Edge version 110 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit.   Microsoft Edge version 110 introduced 13 new computer settings and 13 new user settings.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-110/ba-p/3740900


∗∗∗ PCAP Data Analysis with Zeek, (Sun, Feb 12th) ∗∗∗
---------------------------------------------
Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek [1] can help to simplify network traffic analysis. It can also help save a lot of storage space. I'll be going through and processing some PCAP data collected from my honeypot.
---------------------------------------------
https://isc.sans.edu/diary/rss/29530


∗∗∗ Linux auditd for Threat Hunting [Part 2] ∗∗∗
---------------------------------------------
In this part, I will highlight only 1 technique (process/command execution) and explain the fields. In Part 3, I will show you tests I ran for several other behaviors.
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-hunting-part-2-c75500f591e8


∗∗∗ Crypto Wallet Address Replacement Attack ∗∗∗
---------------------------------------------
At around 17:49 UTC on 9 February 2023, Phylum’s automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. This time, however, the attacker changed the obfuscation technique and radically increased the volume of attacks. [..] over 451 unique packages. These targeted some very popular packages, many of them in the crypto/finance and web development space
---------------------------------------------
https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack


∗∗∗ The Linux Kernel and the Cursed Driver (CVE-2022-4842) ∗∗∗
---------------------------------------------
TL;DR: We found a bug in the not-so-well-maintained NTFS3 driver in Linux. Abusing the vulnerability could lead to a denial-of-service (DoS) attack on machines with a mounted NTFS filesystem.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/the-linux-kernel-and-the-cursed-driver


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Monitorr 1.7.6 Shell Upload ∗∗∗
---------------------------------------------
Topic: Monitorr 1.7.6 Shell Upload Risk: High Text:# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution # Exploit Author: Achuth V P (retrymp3...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020021


∗∗∗ Cisco Email Security Appliance URL Filtering Bypass Vulnerability ∗∗∗
---------------------------------------------
On January 18, 2023, Cisco disclosed the following: A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. [...] After additional investigation, it was determined that this vulnerability is not exploitable. For more information, see the Workarounds section of this advisory.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-url-bypass-WbMQqNJh


∗∗∗ ABB Cyber Security Advisory: Drive Composer multiple vulnerabilities ∗∗∗
---------------------------------------------
Affected products: CVE-2018-1285, CVE-2022-35737, CVE-2021-27293, CVE-2022-37434: - Drive Composer entry 2.8 and earlier - Drive Composer pro 2.8 and earlier. CVE-2018-1002205: - Drive Composer entry 2.4 and earlier - Drive Composer pro 2.4 and earlier An attacker who successfully exploited these vulnerabilities could cause the product to stop, make the product inaccessible or insert and run arbitrary code.
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=9AKK108467A7957&DocumentPartId=&LanguageCode=en


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/923163/


∗∗∗ Wordpress Multiple themes - Unauthenticated Arbitrary File Upload ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020022


∗∗∗ NEC PC Settings Tool vulnerable to missing authentication for critical function ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN60320736/


∗∗∗ Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN98612206/


∗∗∗ IBM Security Bulletins 2023-02-13 ∗∗∗
---------------------------------------------
* AIX is vulnerable to denial of service vulnerabilities
* IBM Cloud Pak for Network Automation v2.4.3 addresses multiple security vulnerabilities
* IBM MQ Appliance is vulnerable to an unspecified Java SE vulnerability (CVE-2022-21626)
* IBM PowerVM Novalink is vulnerable because Apache Commons IO could allow a remote attacker to traverse directories on the system
* IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to protobuf-java core and lite are vulnerable to a denial of service. (CVE-2022-3509)
* IBM PowerVM Novalink is vulnerable because Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. (CVE-2022-21628)
* IBM QRadar SIEM includes multiple components with known vulnerabilities
* IBM QRadar SIEM is vulnerable to information exposure (CVE-2022-34351)
* IBM Security Directory Integrator is affected by multiple security vulnerabilities
* IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579)
* IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970)
* IBM Sterling B2B Integrator is vulnerable to http header injection due to IBM WebSphere Application Server (CVE-2022-34165)
* IBM Sterling Connect:Direct FTP+ is vulnerable to denial of service due to IBM Java (CVE-2022-21626)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js bunyan module command execution
* The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231)
* Vulnerabilities with ca-certificates, OpenJDK, Sudo affect IBM Cloud Object Storage Systems (Feb 2023v1)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily