[CERT-daily] Tageszusammenfassung - 25.01.2023

Wed Jan 25 19:05:37 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 24-01-2023 18:00 − Mittwoch 25-01-2023 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Vorsicht vor Phishing-Mails von FinanzOnline und ID Austria ∗∗∗
---------------------------------------------
Betrüger*innen versuchen mit gefälschten Mails an sensible Daten zu kommen.
---------------------------------------------
https://futurezone.at/digital-life/phishing-mails-finanzonline-id-austria-vorsicht-so-schuetzt-man-sich-warnung/402304283


∗∗∗ GoTo-Hacker erbeuten verschlüsselte Backups inklusive Schlüssel ∗∗∗
---------------------------------------------
GoTo, ein Anbieter für Software-as-a-Service und Remote-Work-Tools, veröffentlicht weitere Erkenntnisse über einen IT-Sicherheitsvorfall.
---------------------------------------------
https://heise.de/-7470609


∗∗∗ OTORIO DCOM Hardening Toolkit für Windows für OT-Systeme veröffentlicht ∗∗∗
---------------------------------------------
In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle, die eine Umgehung der Sicherheitsfunktionen ermöglicht. Microsoft hat das dokumentiert und gepatcht, und will im März 2023 aber einen letzten einen Patch freigeben. Sicherheitsanbieter OTORIO hat im Vorfeld ein OpenSource DCOM Hardening Toolkit für OT-Systeme veröffentlicht, mit dem Unternehmen ihre DCOM-Umgebungen analysieren und ggf. härten können.
---------------------------------------------
https://www.borncity.com/blog/2023/01/25/otorio-dcom-hardening-toolkit-fr-windows-fr-ot-systeme-verffentlicht/


∗∗∗ Recovery-Scam durch betrugsdezernat.com und betrugsdezernat.org! ∗∗∗
---------------------------------------------
Wer auf betrügerischen Investment-Plattformen Geld verloren hat, wünscht sich meist nichts mehr, als sämtliche Einzahlungen zurückerhalten zu können. Darauf setzen auch die Kriminellen, die schon hinter dem Investitionsbetrug steckten. Sie geben sich als (häufig erfundene) Behörden aus und behaupten, das verlorene Geld festgesetzt zu haben. Eine kleine Vorauszahlung der Opfer soll zur Rückbuchung aller Verluste führen.
---------------------------------------------
https://www.watchlist-internet.at/news/recovery-scam-durch-betrugsdezernatcom-und-betrugsdezernatorg/


∗∗∗ Senden Sie Ihre Daten nicht an gewerbe-datenanzeiger.at! ∗∗∗
---------------------------------------------
Haben auch Sie eine Nachricht von Gewerbe Datenanzeiger bekommen, die Sie auffordert, Ihre Firmendaten preiszugeben? Ignorieren Sie die Nachricht, wenn Sie antworten, schließen Sie ein teures Abo in Höhe von 1.992 € ab!
---------------------------------------------
https://www.watchlist-internet.at/news/senden-sie-ihre-daten-nicht-an-gewerbe-datenanzeigerat/


∗∗∗ Ransomware access brokers use Google ads to breach your network ∗∗∗
---------------------------------------------
A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims passwords, and ultimately breach networks for ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-use-google-ads-to-breach-your-network/


∗∗∗ New stealthy Python RAT malware targets Windows in attacks ∗∗∗
---------------------------------------------
A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malware-targets-windows-in-attacks/


∗∗∗ Lessons Learned from the Windows Remote Desktop Honeypot Report ∗∗∗
---------------------------------------------
Over several weeks in October of 2022, Specops collected 4.6 million attempted passwords on their Windows Remote Desktop honeypot system. Here is what they learned.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lessons-learned-from-the-windows-remote-desktop-honeypot-report/


∗∗∗ A First Malicious OneNote Document, (Wed, Jan 25th) ∗∗∗
---------------------------------------------
Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1].
---------------------------------------------
https://isc.sans.edu/diary/rss/29470


∗∗∗ Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network ∗∗∗
---------------------------------------------
Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often related to redirecting legitimate website traffic to third party sites of their choosing - including tech support scams, adult dating, phishing, or drive-by-downloads. Since late December, our team has been tracking a new spike in WordPress website infections related to the following malicious domain: [...]
---------------------------------------------
https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-sites-as-platform-for-black-hat-ad-network.html


∗∗∗ At the Edge of Tier Zero: The Curious Case of the RODC ∗∗∗
---------------------------------------------
The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set of resources that can control “enterprise identities”, known as Tier Zero, we have seen cases where there is a privilege escalation path from an RODC to domain dominance.
---------------------------------------------
https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06?source=rss----f05f8696e3cc---4


∗∗∗ Vulnerability of Zyxel switches posed serious risk for business processes of many companies ∗∗∗
---------------------------------------------
The issue received a CVSSv3 score of 8.2, qualifying it as high severity
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/vulnerability-of-zyxel-switches-posed-serious-risk-for-business-processes-of-many-companies


∗∗∗ Attacking The Supply Chain: Developer ∗∗∗
---------------------------------------------
In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated developer environment (IDE), this proof considers the execution of malicious build scripts via injecting commands when the project or build is incorrectly “trusted”.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/attacking-the-supply-chain-developer.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Xen Security Advisory CVE-2022-42330 / XSA-425 ∗∗∗
---------------------------------------------
Guests can cause Xenstore crash via soft reset
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-425.html


∗∗∗ Kritische Schadcode-Lücken in Logging-Tool VMware vRealize Log geschlossen ∗∗∗
---------------------------------------------
Netzwerk-Admins sollten ihre Systeme mit VMware vRealize Log auf den aktuellen Stand bringen, um Angreifer auszusperren.
---------------------------------------------
https://heise.de/-7470157


∗∗∗ Kritische Sicherheitslücke: Neuere Lexmark-Drucker ermöglichen Codeschmuggel ∗∗∗
---------------------------------------------
Lexmark warnt vor Sicherheitslücken in seinen Druckern. Neuere Modelle ermöglichten Angreifern, Schadcode einzuschleusen und auszuführen. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7470640


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind,
---------------------------------------------
https://lwn.net/Articles/921194/


∗∗∗ [R1] Tenable.sc 6.0.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-03


∗∗∗ IBM Security Verify Governance, Identity Manager virtual appliance component uses weaker than expected cryptography (CVE-2022-22462) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857339


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2022-40750) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857579


∗∗∗ IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. (CVE-2022-31772) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6833806


∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libxml2, expat, libtasn1 and systemd ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857613


∗∗∗ Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857607

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily