[CERT-daily] Tageszusammenfassung - 07.07.2023
Daily end-of-shift report
team at cert.at
Fri Jul 7 18:16:19 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 06-07-2023 18:00 - Friday 07-07-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google Play apps with 1.5 million installs send your data to China ∗∗∗
---------------------------------------------
Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality. [..] File Recovery and Data Recovery, identified as "com.spot.music.filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as "com.file.box.master.gkd".
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-play-apps-with-15-million-installs-send-your-data-to-china/
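As a quick check on a managed Android fleet, the following is an added example (not from the article and not CERT.at's own tooling) that looks for the two package names the article gives in a dump of `adb shell pm list packages`. The function name and the sample package list are assumptions; the sample output is constructed so the script runs offline.

```shell
# Added example: check `pm list packages` output for the two package
# names reported in the BleepingComputer article. Not part of the article.

# Package names as given in the article.
FLAGGED_PACKAGES="com.spot.music.filedate com.file.box.master.gkd"

# Constructed sample of `adb shell pm list packages` output (not a real device).
SAMPLE_PM_OUTPUT='package:com.android.chrome
package:com.spot.music.filedate
package:com.google.android.gms
package:com.file.box.master.gkd
package:com.example.notes'

# adb on some hosts emits CRLF line endings; strip a trailing CR so
# comparisons do not silently fail.
CR=$(printf '\r')

# find_flagged_packages: read `pm list packages` output on stdin and print
# each flagged package found, one per line. Exit status follows grep:
# 0 if at least one flagged package was found, 1 otherwise.
find_flagged_packages() {
    status=1
    while IFS= read -r line; do
        line=${line%"$CR"}
        pkg=${line#package:}
        for flagged in $FLAGGED_PACKAGES; do
            if [ "$pkg" = "$flagged" ]; then
                printf '%s\n' "$pkg"
                status=0
            fi
        done
    done
    return $status
}

# Against a connected device (requires adb):
#   adb shell pm list packages | find_flagged_packages
# Offline run over the constructed sample:
printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_flagged_packages
```

Matching on the exact package name rather than a substring avoids false positives from unrelated packages that share a prefix; if a match is found, the article's indicator is the package name alone, so verify the installed APK's signer and source before acting on it.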
∗∗∗ Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users ∗∗∗
---------------------------------------------
The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.
---------------------------------------------
https://thehackernews.com/2023/07/iranian-hackers-sophisticated-malware.html
∗∗∗ BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days ∗∗∗
---------------------------------------------
Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it.
---------------------------------------------
https://thehackernews.com/2023/07/blackbyte-20-ransomware-infiltrate.html
∗∗∗ StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability ∗∗∗
---------------------------------------------
A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges.
---------------------------------------------
https://github.com/lrh2000/StackRot
∗∗∗ You are supposed to receive a "refund from the social fund"? Ignore this SMS! ∗∗∗
---------------------------------------------
Our readers are currently reporting SMS messages sent in the name of the "State". Allegedly you are to receive a "refund from the social fund". Warning, phishing alert! Delete the SMS and under no circumstances enter your bank details.
---------------------------------------------
https://www.watchlist-internet.at/news/sie-sollen-eine-erstattung-aus-dem-sozialfonds-erhalten-ignorieren-sie-diese-sms/
∗∗∗ A Network of SOCs? ∗∗∗
---------------------------------------------
I wrote most of this text quickly in January 2021 when the European Commission asked me to apply my lessons learned from the CSIRTs Network to a potential European Network of SOCs. During 2022, the plans for SOC collaboration were toned down a bit; the DIGITAL Europe funding scheme proposes multiple platforms where SOCs can work together. In 2023, the newly proposed "Cyber Solidarity Act" builds upon this and codifies the concept of a "national SOC" and "cross-border SOC platforms" into an EU regulation.
---------------------------------------------
https://cert.at/en/blog/2023/7/a-network-of-socs
∗∗∗ Cyber extortionists: Ransomware group BianLian forgoes encryption ∗∗∗
---------------------------------------------
The operators are concentrating on data exfiltration. They are reacting to the publication of a free decryption tool for the BianLian ransomware.
---------------------------------------------
https://www.zdnet.de/88410380/cybererpresser-ransomware-gruppe-bianlian-verzichtet-auf-verschluesselung/
∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-and-partners-release-joint-cybersecurity-advisory-newly-identified-truebot-malware-variants
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities ∗∗∗
---------------------------------------------
Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks.
---------------------------------------------
https://thehackernews.com/2023/07/google-releases-android-patch-update.html
∗∗∗ Mastodon Social Network Patches Critical Flaws Allowing Server Takeover ∗∗∗
---------------------------------------------
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460, [..]
---------------------------------------------
https://thehackernews.com/2023/07/mastodon-social-network-patches.html
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-187-01 PiiGAB M-Bus
* ICSA-23-187-02 ABUS TVIP
* ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module (Update A)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-releases-three-industrial-control-systems-advisories
∗∗∗ VMSA-2023-0015 ∗∗∗
---------------------------------------------
CVSSv3 Range: 5.3
CVE(s): CVE-2023-20899
VMware SD-WAN contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors: An unauthenticated attacker can download the diagnostic bundle of the application under VMware SD-WAN Management.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0015.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (debian-archive-keyring, libusrsctp, nsis, ruby-redcloth, and webkit2gtk), Fedora (firefox), Mageia (apache-ivy, cups, curaengine, glances, golang, keepass, libreoffice, minidlna, nodejs, opensc, perl-DBD-SQLite, python-setuptools, python-wheel, skopeo/buildah/podman, systemd, testng, and webkit2), SUSE (bind), and Ubuntu (Gerbv, golang-websocket, linux-gke, linux-intel-iotg, and linux-oem-5.17).
---------------------------------------------
https://lwn.net/Articles/937616/
∗∗∗ [R1] Nessus Agent Version 10.4.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Nessus Agent leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues.
---------------------------------------------
https://www.tenable.com/security/tns-2023-24
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily