[CERT-daily] Tageszusammenfassung - 21.02.2023

Daily end-of-shift report team at cert.at
Tue Feb 21 18:41:51 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 20-02-2023 18:00 − Dienstag 21-02-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Kriminalität: Ransomware will Versicherungspolice ∗∗∗
---------------------------------------------
Die Ransomware Hardbit 2.0 verlangt die Versicherungspolice der Unternehmen, um die Lösegeldforderung anzupassen. Nicht ungefährlich für die Betroffenen.
---------------------------------------------
https://www.golem.de/news/kriminalitaet-ransomware-will-versicherungspolice-2302-172056.html


∗∗∗ Researchers Discover Dozens Samples of Information Stealer Stealc in the Wild ∗∗∗
---------------------------------------------
A new information stealer called Stealc thats being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report.
---------------------------------------------
https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.html


∗∗∗ Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs ∗∗∗
---------------------------------------------
On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.
---------------------------------------------
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/


∗∗∗ A Deep Dive Into a PoshC2 Implant ∗∗∗
---------------------------------------------
PoshC2 is an open-source C2 framework used by penetration testers and threat actors. It can generate a Powershell-based implant, a C#.NET implant that we analyze in this paper, and a Python3 implant.
---------------------------------------------
https://resources.securityscorecard.com/research/poshc2-implant


∗∗∗ ClamAV Critical Patch Review ∗∗∗
---------------------------------------------
The description of those bugs got our attention since we have format handlers in unblob for both DMG and HFS+. We therefore decided to spend some time trying to understand them and learn if we may be affected by similar bugs.
---------------------------------------------
https://onekey.com/blog/clamav-critical-patch-review/


∗∗∗ OWASP Kubernetes Top 10 ∗∗∗
---------------------------------------------
The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top 10 is a prioritized list of common risks backed by data collected from organizations varying in maturity and complexity.
---------------------------------------------
https://sysdig.com/blog/top-owasp-kubernetes/


∗∗∗ iOS 16.3 und 16.3.1: Apple räumt weitere schwere Lücken ein ∗∗∗
---------------------------------------------
Apple neigt seit längerem dazu, nicht alle gestopften Löcher in seinen Betriebssystemen sofort zu kommunizieren. Nun wurden Infos zu iOS 16.3 nachgereicht.
---------------------------------------------
https://heise.de/-7522282


∗∗∗ What can we learn from the latest Coinbase cyberattack? ∗∗∗
---------------------------------------------
Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twillio, Cloudflare and many other companies last year.
---------------------------------------------
https://www.helpnetsecurity.com/2023/02/21/coinbase-cyberattack/


∗∗∗ Keine Pellets auf ferberpainting.de bestellen! ∗∗∗
---------------------------------------------
Auf der Suche nach Pellets für die Beheizung des Eigenheims stoßen aktuell zahlreiche Personen auf ferberpainting.de bzw. ferberpainting.com. Für 199,90 Euro werden dort 40 Säcke mit 25 KG Pellets abgebildet und angeboten. Wer hier bestellt erlebt eine böse Überraschung, denn geliefert werden 40 leere Säcke.
---------------------------------------------
https://www.watchlist-internet.at/news/keine-pellets-auf-ferberpaintingde-bestellen/


∗∗∗ Ihre Bank ruft an? Es könnte sich um Betrug handeln! ∗∗∗
---------------------------------------------
Sie erhalten einen Anruf. Angeblich eine Mitarbeiterin Ihrer Bank. Die Anruferin erklärt, dass sie ungewöhnliche Abbuchungen von Ihrem Konto festgestellt hat. Sie hilft Ihnen dabei, das Geld zurückzubekommen und Ihr Konto zu schützen. Vorsicht: Es handelt sich um Betrug.
---------------------------------------------
https://www.watchlist-internet.at/news/ihre-bank-ruft-an-es-koennte-sich-um-betrug-handeln/


∗∗∗ HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) ∗∗∗
---------------------------------------------
In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea.
---------------------------------------------
https://asec.ahnlab.com/en/48063/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ VMSA-2023-0004 ∗∗∗
---------------------------------------------
CVSSv3 Range: 9.1
CVE(s): CVE-2023-20858
Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0004.html


∗∗∗ VMSA-2023-0005 ∗∗∗
---------------------------------------------
CVSSv3 Range: 8.8
CVE(s): CVE-2023-20855
Synopsis: VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0005.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel).
---------------------------------------------
https://lwn.net/Articles/923942/


∗∗∗ TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2023-002


∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-052-01


∗∗∗ IBM FlashSystem 710, 720, 810, and 820 systems and RamSan 710, 720, 810, and 820 systems are not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)\nFlash ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690011


∗∗∗ Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem and TMS RAMSAN 710, 720, 810, and 820 systems (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-154 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690125


∗∗∗ Two (2) Vulnerabilities in glibc affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems (CVE-2014-5119 and CVE-2014-0475) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690127


∗∗∗ Sixteen (16) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690129


∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690131


∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690149


∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-25928) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956598


∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6328143


∗∗∗ IBM Db2 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953755


∗∗∗ IBM MQ is affected by multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 8 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957066


∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to JSON5 code execution (CVE-2022-46175) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957134

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list