[CERT-daily] Tageszusammenfassung - 09.01.2023
Daily end-of-shift report
team at cert.at
Mon Jan 9 18:59:59 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 05-01-2023 18:00 − Montag 09-01-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Security: Kunden-Secrets von CircleCI wohl komplett kompromittiert ∗∗∗
---------------------------------------------
CircleCI warnt Kunden dringend, sämtliche Secrets zu tauschen. Builds und Netzwerke könnten über zwei Wochen lang kompromittiert worden sein.
---------------------------------------------
https://www.golem.de/news/security-kunden-secrets-von-circleci-wohl-komplett-kompromittiert-2301-171024.html
∗∗∗ Verschlüsselung: RSA zerstört? Experten zweifeln ∗∗∗
---------------------------------------------
Ein neuer Algorithmus knackt die Verschlüsselung RSA angeblich schneller als jemals zuvor - diesmal mit einem Quantencomputer. Experten zweifeln daran.
---------------------------------------------
https://heise.de/-7449806
∗∗∗ Rust: bis zu 2500 Projekte durch Bibliothek Hyper für DoS verwundbar ∗∗∗
---------------------------------------------
Enthält die to_bytes-Funktion von Hyper keine Längenbeschränkung, so lassen sich schnell DoS-Attacken ausführen. Abhilfe schafft die offizielle Doku.
---------------------------------------------
https://heise.de/-7451019
∗∗∗ BaFin warnt vor "Godfather"-Banking-Trojaner ∗∗∗
---------------------------------------------
Die BaFin warnt vor einem Banking-Trojaner, der Android-Geräte angreift. Die "Godfather" genannte Malware kann 400 internationale Finanzinstitutionen ausspähen.
---------------------------------------------
https://heise.de/-7453238
∗∗∗ Android-Malware: Neue Version von SpyNote stiehlt Banking-Daten ∗∗∗
---------------------------------------------
Die Verbreitung erfolgt über Phishing-E-Mails. Seit Oktober 2022 ist der Quellcode von SpyNote frei verfügbar. Seitdem nehmen die Aktivitäten von SpyNote deutlich zu.
---------------------------------------------
https://www.zdnet.de/88406317/android-malware-neue-version-von-spynote-stiehlt-banking-daten/
∗∗∗ Kostenloses Entschlüsselungs-Tool für Ransomware MegaCortex veröffentlicht ∗∗∗
---------------------------------------------
Das Tool ist eine gemeinsame Entwicklung von Bitdefender und No More Ransom. Es funktioniert mit allen Varianten von MegaCortex.
---------------------------------------------
https://www.zdnet.de/88406357/kostenloses-entschluesselungs-tool-fuer-ransomware-megacortex-veroeffentlicht/
∗∗∗ Windows 11 GPO "Enable MPR notifications ..." zur Sicherheit setzen ∗∗∗
---------------------------------------------
Kleiner Tipp für Administratoren, die so langsam Windows 11 in Unternehmensumgebungen einführen. In den Standardeinstellungen des Betriebssystems lassen sich mittels einer einfachen DLL die Winlogon-Anmeldeinformationen im Klartext auslesen. Die neue Gruppenrichtlinie "Enable MPR notifications" soll dies nun verhindern.
---------------------------------------------
https://www.borncity.com/blog/2023/01/08/windows-11-gpo-enable-mpr-notifications-zur-sicherheit-setzen/
∗∗∗ VSCode Marketplace can be abused to host malicious extensions ∗∗∗
---------------------------------------------
Threat analysts at AquaSec have experimented with the security of VSCode Marketplace and found that its surprisingly easy to upload malicious extensions from accounts that appear verified on the platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-abused-to-host-malicious-extensions/
∗∗∗ Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls ∗∗∗
---------------------------------------------
Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-create-cloudflare-tunnels-to-bypass-firewalls/
∗∗∗ Unraveling the techniques of Mac ransomware ∗∗∗
---------------------------------------------
Understanding how Mac ransomware works is critical in protecting today’s hybrid environments. We analyzed several known Mac ransomware families and highlighted these families’ techniques, which defenders can study further to prevent attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-techniques-of-mac-ransomware/
∗∗∗ Finding & Removing Malware From Weebly Sites ∗∗∗
---------------------------------------------
Weebly is an easy-to-use website builder that allows admins to quickly create and publish responsive blogs and sites. Website builder environments are usually considered to be very safe and not prone to malware infections, but during a recent investigation I found some malicious behavior which revealed that even closed proprietary systems for WYSIWYG website builders like Weebly can be abused.
---------------------------------------------
https://blog.sucuri.net/2023/01/finding-removing-malware-from-weebly-sites.html
∗∗∗ Dridex Malware Now Attacking macOS Systems with Novel Infection Method ∗∗∗
---------------------------------------------
A variant of the infamous Dridex banking malware has set its sights on Apples macOS operating system using a previously undocumented infection method, according to latest research.
---------------------------------------------
https://thehackernews.com/2023/01/dridex-malware-now-attacking-macos.html
∗∗∗ LummaC2 Stealer: A Potent Threat to Crypto Users ∗∗∗
---------------------------------------------
During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine.
---------------------------------------------
https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/
∗∗∗ Unwrapping Ursnifs Gifts ∗∗∗
---------------------------------------------
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment [...]
---------------------------------------------
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
∗∗∗ Distribution of NetSupport RAT Malware Disguised as a Pokemon Game ∗∗∗
---------------------------------------------
NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems.
---------------------------------------------
https://asec.ahnlab.com/en/45312/
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücke in MatrixSSL ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
In der IoT-Bibliothek MatrixSSL haben IT-Forscher eine als kritisch eingestufte Sicherheitslücke entdeckt. Angreifer könnten dadurch Code einschleusen.
---------------------------------------------
https://heise.de/-7453087
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14).
---------------------------------------------
https://lwn.net/Articles/919202/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python2.7), SUSE (ca-certificates-mozilla, libksba, and ovmf), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, [...]
---------------------------------------------
https://lwn.net/Articles/919422/
∗∗∗ Kritische Sicherheitslücke in Open-Source-Projekt JsonWebToken entdeckt ∗∗∗
---------------------------------------------
Die Schwachstelle erlaubt unter Umständen eine Remotecodeausführung. Nutzer sollten auf die fehlerbereinigte Version 9.0.0 von JsonWebToken umsteigen.
---------------------------------------------
https://www.zdnet.de/88406385/kritische-sicherheitsluecke-in-open-source-projekt-jsonwebtoken-entdeckt/
∗∗∗ ThinkPad X13s: BIOS-Update schließt Schwachstellen ∗∗∗
---------------------------------------------
Der Hersteller Lenovo hat in einer Sicherheitsmeldung auf eine Reihe Schwachstellen im BIOS des ThinkPad X13s hingewiesen. Diese ermöglichen eine Speicherbeschädigung (Memory Corruption) und die Offenlegung von Informationen. Es steht ein BIOS-Update zum Schließen der Schwachstellen bereit.
---------------------------------------------
https://www.borncity.com/blog/2023/01/07/thinkpad-x13s-bios-update-schliet-schwachstellen/
∗∗∗ IBM Security Bulletins 2023-01-06 - 2023-01-09 ∗∗∗
---------------------------------------------
AIX, CICS Transaction Gateway, Enterprise Content Management System Monitor, IBM App Connect Enterprise, IBM Business Automation Workflow, IBM Connect:Direct Web Services, IBM InfoSphere Information Server, IBM Integration Bus, IBM Maximo Application Suite, IBM MQ, IBM Process Mining, IBM Robotic Process Automation for Cloud Pak, IBM Spectrum Protect Server, IBM SPSS Analytic Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct Web Services, IBM Tivoli Netcool Impact, Power HMC
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877 ∗∗∗
---------------------------------------------
https://github.com/numanturle/CVE-2022-44877
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list