[CERT-daily] Tageszusammenfassung - 19.01.2023
Daily end-of-shift report
team at cert.at
Thu Jan 19 18:16:55 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 18-01-2023 18:00 − Donnerstag 19-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Illegal Solaris darknet market hijacked by competitor Kraken ∗∗∗
---------------------------------------------
Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named Kraken, who claims to have hacked it on January 13, 2022.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/illegal-solaris-darknet-market-hijacked-by-competitor-kraken/
∗∗∗ Microsoft investigates bug behind unresponsive Windows Start Menu ∗∗∗
---------------------------------------------
Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-bug-behind-unresponsive-windows-start-menu/
∗∗∗ PayPal accounts breached in large-scale credential stuffing attack ∗∗∗
---------------------------------------------
PayPal is sending out notices of a data breach to thousands of users who had their accounts accessed by credential stuffing actors, resulting in the compromise of some personal data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
∗∗∗ New Blank Image attack hides phishing scripts in SVG files ∗∗∗
---------------------------------------------
An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides-phishing-scripts-in-svg-files/
∗∗∗ Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 ∗∗∗
---------------------------------------------
Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data.
---------------------------------------------
https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/
∗∗∗ SPF and DMARC use on 100k most popular domains, (Thu, Jan 19th) ∗∗∗
---------------------------------------------
Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world. The results werent too optimistic, it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published.
---------------------------------------------
https://isc.sans.edu/diary/rss/29452
∗∗∗ Android Users Beware: New Hook Malware with RAT Capabilities Emerges ∗∗∗
---------------------------------------------
The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session.
---------------------------------------------
https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html
∗∗∗ CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA ∗∗∗
---------------------------------------------
CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/01/circleci-malware-stole-github-oauth-keys-bypassing-2fa
∗∗∗ Pwned or Bot ∗∗∗
---------------------------------------------
Its fascinating to see how creative people can get with breached data. Of course theres all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone elses system.
---------------------------------------------
https://www.troyhunt.com/pwned-or-bot/
∗∗∗ LockBit ransomware – what you need to know ∗∗∗
---------------------------------------------
It is the worlds most active ransomware group - responsible for an estimated 40% of all ransomware infections worldwide. Find out what you need to know about LockBit in my article on the Tripwire State of Security blog.
---------------------------------------------
https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need-know
∗∗∗ Windows 11 22H2: Systemwiederherstellung verursacht "This app can’t open"-Fehler ∗∗∗
---------------------------------------------
Ich höre zwar immer wieder "läuft ohne Probleme", aber für den Fall der Fälle, also falls Windows 11 22H2 mal Schluckauf haben sollte und den Fehler "Diese App kann nicht geöffnet werden" zeigt, da hätte ich was zur Ursache. Hochoffiziell von Microsoft als Fehler bestätigt.
---------------------------------------------
https://www.borncity.com/blog/2023/01/19/windows-11-22h2-systemwiederherstellung-verursacht-this-app-cant-open-fehler/
∗∗∗ Windows 10: "Schlagloch" Windows PE-Patch zum Fix der Bitlocker-Bypass-Schwachstelle CVE-2022-41099 ∗∗∗
---------------------------------------------
Nachtrag zum Januar 2023 Patchday für Windows. Es gibt in der Windows PE-Umgebung von Windows 10 eine Schwachstelle (CVE-2022-41099), die eine Umgehung der Bitlocker-Verschlüsselung umgeht. Zum Fixen muss die Windows PE-Umgebung der Clients manuell aktualisiert werden.
---------------------------------------------
https://www.borncity.com/blog/2023/01/19/windows-10-schlagloch-windows-pe-patch-zum-fix-der-bitlocker-bypass-schwachstelle-cve-2022-41099/
∗∗∗ Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest ∗∗∗
---------------------------------------------
In this blog, we’ll tackle encrypting AWS in transit and at rest.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/improve-your-aws-security-posture-step-3-encrypt-aws-data-in-transit-and-at-rest
∗∗∗ Following the LNK metadata trail ∗∗∗
---------------------------------------------
While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads.
---------------------------------------------
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
∗∗∗ Darth Vidar: The Dark Side of Evolving Threat Infrastructure ∗∗∗
---------------------------------------------
Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer), however differences in both the sample’s code and C2 communications were observed.
---------------------------------------------
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo).
---------------------------------------------
https://lwn.net/Articles/920478/
∗∗∗ Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM ∗∗∗
---------------------------------------------
Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).
---------------------------------------------
https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vulnerability-unified-cm
∗∗∗ CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services ∗∗∗
---------------------------------------------
A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered.
---------------------------------------------
https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execution-azure-services
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-001
∗∗∗ [R1] Nessus Version 8.15.8 Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-02
∗∗∗ Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856209
∗∗∗ IBM Security Guardium is affected by a gson-1.7.1.jar vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856221
∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-25647) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856221
∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2022-48195, CVE-2022-29577, CVE-2022-28367, CVE-2015-6420) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856401
∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856409
∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39011) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856403
∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39089) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856405
∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39090) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856407
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-28167) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856439
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-28167) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856443
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list