[CERT-daily] Tageszusammenfassung - 28.07.2023
Daily end-of-shift report
team at cert.at
Fri Jul 28 18:46:42 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 27-07-2023 18:00 − Freitag 28-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New Android malware uses OCR to steal credentials from images ∗∗∗
---------------------------------------------
Two new Android malware families named CherryBlos and FakeTrade were discovered on Google Play, aiming to steal cryptocurrency credentials and funds or conduct scams.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ocr-to-steal-credentials-from-images/
∗∗∗ Nutzerdaten in Gefahr: Hunderttausende von Wordpress-Seiten anfällig für Datenklau ∗∗∗
---------------------------------------------
Drei Schwachstellen im Wordpress-Plugin Ninja Forms können mitunter massive Datenlecks zur Folge haben. Admins sollten zeitnah updaten.
---------------------------------------------
https://www.golem.de/news/nutzerdaten-in-gefahr-hunderttausende-von-wordpress-seiten-anfaellig-fuer-datenklau-2307-176251.html
∗∗∗ ShellCode Hidden with Steganography, (Fri, Jul 28th) ∗∗∗
---------------------------------------------
When hunting, I'm often surprised by the interesting pieces of code that you may discover... Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find something cool stuffs.
---------------------------------------------
https://isc.sans.edu/diary/rss/30074
∗∗∗ Hackers Abusing Windows Search Feature to Install Remote Access Trojans ∗∗∗
---------------------------------------------
A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows.
---------------------------------------------
https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html
∗∗∗ IcedID Malware Adapts and Expands Threat with Updated BackConnect Module ∗∗∗
---------------------------------------------
The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module thats used for post-compromise activity on hacked systems, new findings from Team Cymru reveal.
---------------------------------------------
https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html
∗∗∗ Hackers are infecting Call of Duty (Modern Warfare 2 (2009)) players with a self-spreading malware ∗∗∗
---------------------------------------------
Hackers are infecting players of an old Call of Duty game with a worm that spreads automatically in online lobbies, according to two analyses of the malware. [..] Activision spokesperson Neil Wood referred to a tweet posted by the company on an official Call of Duty updates Twitter account, which vaguely acknowledges the malware. “Multiplayer for Call of Duty: Modern Warfare 2 (2009) on Steam was brought offline while we investigate reports of an issue,” the tweet read.
---------------------------------------------
https://techcrunch.com/2023/07/27/hackers-are-infecting-call-of-duty-players-with-a-self-spreading-malware/
∗∗∗ Angreifer können NAS- und IP-Videoüberwachungssysteme von Qnap lahmlegen ∗∗∗
---------------------------------------------
Mehrere Netzwerkprodukte von Qnap sind für eine DoS-Attacken anfällig. Dagegen abgesicherte Software schafft Abhilfe.
---------------------------------------------
https://heise.de/-9229575
∗∗∗ The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022 ∗∗∗
---------------------------------------------
This is Google’s fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a whole, looking for trends, gaps, lessons learned, and successes.
---------------------------------------------
https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html
∗∗∗ Zimbra Patches Exploited Zero-Day Vulnerability ∗∗∗
---------------------------------------------
Zimbra has released patches for a cross-site scripting (XSS) vulnerability that has been exploited in malicious attacks.
---------------------------------------------
https://www.securityweek.com/zimbra-patches-exploited-zero-day-vulnerability/
∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Preventing Web Application Access Control Abuse ∗∗∗
---------------------------------------------
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-and-partners-release-joint-cybersecurity-advisory-preventing-web-application-access-control
=====================
= Vulnerabilities =
=====================
∗∗∗ Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required ∗∗∗
---------------------------------------------
Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations.
---------------------------------------------
https://thehackernews.com/2023/07/major-security-flaw-discovered-in.html
∗∗∗ ZDI-23-1010: Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1010/
∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software ACLs Not Installed upon Reload ∗∗∗
---------------------------------------------
An issue with the boot-time programming of access control lists (ACLs) for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow a device to boot without all of its ACLs being correctly installed. This issue is due to a logic error that occurs when ACLs are programmed at boot time. If object groups are not in sequential order in the startup configuration, some access control entries (ACEs) may not be installed.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-aclconfig-wVK52f3z
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl), Fedora (kitty, mingw-qt5-qtbase, and mingw-qt6-qtbase), Mageia (cri-o, kernel, kernel-linus, mediawiki, and microcode), SUSE (chromium, conmon, go1.20-openssl, iperf, java-11-openjdk, kernel-firmware, and mariadb), and Ubuntu (libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19, linux-intel-iotg-5.15, linux-iot, llvm-toolchain-13, llvm-toolchain-14, llvm-toolchain-15, open-iscsi, open-vm-tools, and xorg-server-hwe-16.04).
---------------------------------------------
https://lwn.net/Articles/939445/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and libmail-dkim-perl), Fedora (openssh), and SUSE (kernel).
---------------------------------------------
https://lwn.net/Articles/939519/
∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗
---------------------------------------------
An insecure library loading vulnerability has been reported to affect devices running QVPN Device Client for Windows.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-04
∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) ∗∗∗
---------------------------------------------
An uncontrolled resource consumption vulnerability has been reported to affect multiple QNAP operating systems.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-09
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list