[CERT-daily] Tageszusammenfassung - 20.02.2023

Mon Feb 20 19:12:17 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 17-02-2023 18:00 − Montag 20-02-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ CISA warnt: Mögliche System-Kompromittierung durch Lücken in Thunderbird ∗∗∗
---------------------------------------------
Die Version 102.8 von Thunderbird schließt Schwachstellen, durch die Angreifer die Kontrolle über ein System erlangen könnten. Davor warnt die CISA.
---------------------------------------------
https://heise.de/-7521002


∗∗∗ Microsoft-Updates: Nebenwirkungen für VMware und Windows Server 2022 ∗∗∗
---------------------------------------------
Die Februar-Updates zum Microsoft-Patchdays haben ungewollte Nebenwirkungen. Sie betreffen Windows Server 2022 unter VMware und die Windows-11-Updateverteilung.
---------------------------------------------
https://heise.de/-7521199


∗∗∗ Nach Cyber-Einbruch: Angreifer leiten GoDaddy-Webseiten um ∗∗∗
---------------------------------------------
Beim Webhoster GoDaddy konnten Angreifer Anfang Dezember 2022 Schadcode einschleusen, der dort gehostete Webseiten auf Malware-Seiten umleitete.
---------------------------------------------
https://heise.de/-7521325


∗∗∗ Achtung: Finanzamt schickt kein SMS ∗∗∗
---------------------------------------------
Kriminelle versenden im Namen des Finanzamtes gefälschte Nachrichten. Im SMS wird behauptet, dass Sie einen Betrag von € 286, 93 erhalten. Um das Geld zu bekommen, müssen Sie sich verifizieren und auf einen Link klicken. Klicken Sie nicht auf den Link, Sie landen auf einer Phishing-Seite.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-finanzamt-schickt-kein-sms/


∗∗∗ New WhiskerSpy malware delivered via trojanized codec installer ∗∗∗
---------------------------------------------
Security researchers have discovered a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-delivered-via-trojanized-codec-installer/


∗∗∗ OneNote Suricata Rules, (Sun, Feb 19th) ∗∗∗
---------------------------------------------
I end my diary entry "Detecting (Malicious) OneNote Files" with a set of Suricata rules to detect various OneNote files.
---------------------------------------------
https://isc.sans.edu/diary/rss/29564


∗∗∗ The Dangers of Installing Nulled WordPress Themes and Plugins ∗∗∗
---------------------------------------------
Nulled WordPress themes and plugins are a controversial topic for many in the web development world - and arguably one of the bigger threats to WordPress security. Essentially modified versions of official WordPress themes and plugins with their licensing restrictions removed, these nulled software copies are often touted as premium functionality packaged in a free download.
---------------------------------------------
https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-themes-and-plugins.html


∗∗∗ NimPlant - A light first-stage C2 implant written in Nim and Python ∗∗∗
---------------------------------------------
NimPlant was developed as a learning project and released to the public for transparency and educational purposes. For a large part, it makes no effort to hide its intentions. Additionally, protections have been put in place to prevent abuse. In other words, do NOT use NimPlant in production engagements as-is without thorough source code review and modifications!
---------------------------------------------
https://github.com/chvancooten/NimPlant


∗∗∗ Finding forensics breadcrumbs in Android image storage ∗∗∗
---------------------------------------------
[...] In this post I’ll be talking about image scanning apps, and how to reverse engineer them to pinpoint user activity and tie a user to a particular image’s creation from a source file e.g. pages from a PDF.
---------------------------------------------
https://www.pentestpartners.com/security-blog/finding-forensics-breadcrumbs-in-android-image-storage/


∗∗∗ Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers ∗∗∗
---------------------------------------------
Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html


∗∗∗ QR code generator My QR Code leaks users’ login data and addresses ∗∗∗
---------------------------------------------
My QR Code was informed about the leak almost two weeks ago, yet it failed to respond or secure its server.
---------------------------------------------
https://www.hackread.com/qr-code-generator-my-qr-code-data-leak/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Patchday: Fortinet schließt 40 Sicherheitslücken, PoC-Exploit angekündigt ∗∗∗
---------------------------------------------
Fortinet hat im Februar Updates für diverse Produkte veröffentlicht, die insgesamt 40 Sicherheitslücken schließen. Davon gelten zwei als kritisch.
---------------------------------------------
https://heise.de/-7520937


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (c-ares, gnutls28, golang-github-opencontainers-selinux, isc-dhcp, nss, openssl, snort, and thunderbird), Fedora (clamav, curl, phpMyAdmin, thunderbird, vim, webkitgtk, and xen), Red Hat (firefox), Slackware (kernel), SUSE (apache2-mod_security2, gssntlmssp, postgresql-jdbc, postgresql12, and timescaledb), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/923803/


∗∗∗ Newly Disclosed Vulnerability Exposes EOL Arris Routers to Attacks ∗∗∗
---------------------------------------------
Malwarebytes warns of a remote code execution vulnerability impacting Arris G2482A, TG2492, and SBG10 routers, which have reached end-of-life (EOL).
---------------------------------------------
https://www.securityweek.com/newly-disclosed-vulnerability-exposes-eol-arris-routers-to-attacks/


∗∗∗ Critical SQL injection vulnerabilities in MISP (fixed in v2.4.166 and v2.4.167) ∗∗∗
---------------------------------------------
As of the past 2 months, we’ve received two separate reports of two unrelated SQLi vector vulnerabilities in MISP that can lead to any authenticated user being able to execute arbitrary SQL queries in MISP.
---------------------------------------------
https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilities_Fixed.html/


∗∗∗ IBM Security Bulletins 2023-02-20 ∗∗∗
---------------------------------------------
Flash Storage->RamSan-710, Flash Storage->RamSan-720, Flash Storage->RamSan-810, Flash Storage->RamSan-820, IBM Cloud Object Storage System, IBM Cloud Pak for Applications, IBM FlashSystem 720, IBM FlashSystem 900, IBM Multi-Enterprise Integration Gateway, IBM Multi-Enterprise Integration Gateway, IBM Power E1050 (9043-MRX), IBM Power L1022 (9786-22H), IBM Power L1024 (9786-42H), IBM Power S1014 (9105-41B), IBM Power S1022 (9105-22A), IBM Power S1022s (9105-22B), IBM Power S1024 (9105-42A), IBM WebSphere Hybrid Edition, Tivoli System Automation Application Manager
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily