[CERT-daily] Tageszusammenfassung - 19.07.2023

Wed Jul 19 19:52:41 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 18-07-2023 18:00 − Mittwoch 19-07-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Neue Ransomware: Kriminelle verschlüsseln Systeme im Namen von Sophos ∗∗∗
---------------------------------------------
Eine vermeintliche Verschlüsselungssoftware von Sophos entpuppt sich als Bitcoin einspielender Ransomware-Dienst für kriminelle Akteure.
---------------------------------------------
https://www.golem.de/news/neue-ransomware-kriminelle-verschluesseln-systeme-im-namen-von-sophos-2307-175980.html


∗∗∗ Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability ∗∗∗
---------------------------------------------
On March 14, 2023, Microsoft published a blogpost describing an Outlook Client Elevation of Privilege Vulnerability (CVSS: 9.8 CRITICAL). The publication generated a lot of activity among white, grey and black hat researchers, as well as lots of publications and tweets about the vulnerability and its exploitation. Below, we will highlight the key points and then focus on the initial use of this vulnerability by attackers before it became public.
---------------------------------------------
https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397/110202/


∗∗∗ Massive Google Colaboratory Abuse: Gambling and Subscription Scam ∗∗∗
---------------------------------------------
While Google’s free and open tools are undeniably valuable for collaboration (and innovation), it’s evident that complications arise when they become a haven for bad actors. Millions of documents with spam content on the Google Colab platform reveal that spammers have found yet another method to host doorways that they actively promote via spam link injections on  compromised websites.
---------------------------------------------
https://blog.sucuri.net/2023/07/massive-google-colaboratory-abuse-gambling-and-subscription-scam.html


∗∗∗ LKA Niedersachsen warnt vor Phishing und Abofallen mit iCloud- und Google-Mails ∗∗∗
---------------------------------------------
Derzeit versenden Betrüger Mails, laut denen Apple iCloud- oder Google-Speicherplatz volllaufe. Davor warnt das LKA Niedersachsen.
---------------------------------------------
https://heise.de/-9220688


∗∗∗ Network and Information Systems Security (NIS2): recommendations for NRENs ∗∗∗
---------------------------------------------
GÉANT worked with Stratix, an independent consultancy firm specialised in communication infrastructures and services, to go through the steps that NRENs need to follow and the questions that need to be answered during the NIS2 implementation phase.
---------------------------------------------
https://connect.geant.org/2023/07/19/network-and-information-systems-security-nis2-recommendations-for-nrens


∗∗∗ HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within ∗∗∗
---------------------------------------------
Despite risks to their own data and devices, some users continue to be lured into downloading illegal versions of popular paid-for software, disregarding the potentially more severe repercussions than legitimate alternatives. We have analyzed how cybercriminals deploy HotRat, a remote access trojan (RAT), through an AutoHotkey script attached to cracked software.
---------------------------------------------
https://decoded.avast.io/martinchlumecky/hotrat-the-risks-of-illegal-software-downloads-and-hidden-autohotkey-script-within/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ OpenSSL Security Advisory: Excessive time spent checking DH keys and parameters (CVE-2023-3446) ∗∗∗
---------------------------------------------
Severity: Low Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
---------------------------------------------
https://www.openssl.org/news/secadv/20230714.txt


∗∗∗ Webbrowser: Google stopft 20 Sicherheitslecks in Chrome 115 ∗∗∗
---------------------------------------------
Google hat den Webbrowser Chrome in Version 115 vorgelegt. Darin bessern die Entwickler 20 Schwachstellen aus.
---------------------------------------------
https://heise.de/-9220438


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, libapache2-mod-auth-openidc, and python-django), Fedora (nodejs18 and redis), Red Hat (python3.9 and webkit2gtk3), Scientific Linux (bind and kernel), SUSE (cni, cni-plugins, cups-filters, curl, dbus-1, ImageMagick, kernel, libheif, and python-requests), and Ubuntu (bind9, connman, curl, libwebp, and yajl).
---------------------------------------------
https://lwn.net/Articles/938596/


∗∗∗ Session Token Enumeration in RWS WorldServer ∗∗∗
---------------------------------------------
Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-001/


∗∗∗ Oracle Releases Security Updates ∗∗∗
---------------------------------------------
Oracle has released its Critical Patch Update Advisory, Solaris Third Party Bulletin, and Linux Bulletin for July 2023 to address vulnerabilities affecting multiple products.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/18/oracle-releases-security-updates


∗∗∗ Vulnerability with guava (CVE-2023-2976) affect IBM Cloud Object Storage Systems (July 2023) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012815


∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010311


∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010313


∗∗∗ Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM WebSphere Remote Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012979


∗∗∗ IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989451


∗∗∗ IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013037


∗∗∗ IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013035


∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to SOAPAction spoofing (CVE-2022-38712) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855613


∗∗∗ WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a server-side request forgery vulnerability(CVE-2022-35282). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6827807


∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953111


∗∗∗ IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964530


∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983186


∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983188


∗∗∗ CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013135


∗∗∗ CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013139


∗∗∗ IBM MQ as used by IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013143


∗∗∗ Weintek Weincloud ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily