[CERT-daily] Daily summary - 09.06.2023
Daily end-of-shift report
team at cert.at
Fri Jun 9 18:49:23 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-06-2023 18:00 - Friday 09-06-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Replace Barracuda Email Security Gateway Appliances (ESG) immediately! ∗∗∗
---------------------------------------------
One more short item that was left lying because of the public holiday. The vendor Barracuda is urging administrators of its Email Security Gateway Appliance (ESG) to replace the devices immediately. The background is a vulnerability in the ESG models that was supposed to have been patched at the end of May 2023. The patch does not appear to be effective, and the vendor is calling for the appliances to be replaced.
---------------------------------------------
https://www.borncity.com/blog/2023/06/08/barracuda-email-security-gateway-appliance-esg-sofort-austauschen/
∗∗∗ CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances ∗∗∗
---------------------------------------------
Rapid7 incident response teams are investigating exploitation of physical Barracuda Networks Email Security Gateway (ESG) appliances.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/
∗∗∗ Royal ransomware gang adds BlackSuit encryptor to their arsenal ∗∗∗
---------------------------------------------
The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/royal-ransomware-gang-adds-blacksuit-encryptor-to-their-arsenal/
∗∗∗ Detecting and mitigating a multi-stage AiTM phishing and BEC campaign ∗∗∗
---------------------------------------------
Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical AiTM attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/
∗∗∗ Undetected PowerShell Backdoor Disguised as a Profile File, (Fri, Jun 9th) ∗∗∗
---------------------------------------------
PowerShell remains an excellent way to compromise computers. Many PowerShell scripts found in the wild are usually obfuscated. Most of the time, this helps to have the script detected by fewer antivirus vendors. Yesterday, I found a script that scored 0/59 on VT! Let's have a look at it.
---------------------------------------------
https://isc.sans.edu/diary/rss/29930
∗∗∗ Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021 ∗∗∗
---------------------------------------------
On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). [...] Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.
---------------------------------------------
https://www.kroll.com/en/insights/publications/cyber/clop-ransomware-moveit-transfer-vulnerability-cve-2023-34362
∗∗∗ MSSQL linked servers: abusing ADSI for password retrieval ∗∗∗
---------------------------------------------
When we talk about Microsoft SQL Server linked servers, we usually think of links to other SQL Server instances. However, this is only one of the multiple available options, so today we are going to delve into the Active Directory Service Interfaces (ADSI) provider, which allows querying the AD using the LDAP protocol.
---------------------------------------------
https://www.tarlogic.com/blog/linked-servers-adsi-passwords/
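A starting point for reviewing this on your own instances, as an added example that is not code from the Tarlogic post: the T-SQL below inventories linked servers and their login mappings, flags ADSI links that map callers to a stored credential (the credential is used for the LDAP bind, so it is exposed to anyone who can route a query through the link), shows what an ordinary LDAP query through the provider looks like, and ends with the two hardening options. The linked server name ADSI and the LDAP base DC=corp,DC=example are placeholders, not names from the article.

```sql
-- 1. Inventory: every linked server, its OLE DB provider, and how logins are mapped.
--    The ADSI provider is registered as 'ADSDSOObject'.
SELECT s.name                 AS linked_server,
       s.provider,
       s.data_source,
       s.is_rpc_out_enabled,
       ll.local_principal_id,  -- 0 = default mapping for all local logins
       ll.uses_self_credential, -- 1 = query runs in the caller's own security context
       ll.remote_name           -- fixed remote login stored for this mapping, if any
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 2. Risky pattern: an ADSI linked server whose mapping carries a stored login.
--    SQL Server binds to the LDAP target with that login and its stored password,
--    so anyone allowed to run OPENQUERY over this link can cause those
--    credentials to be sent to the LDAP endpoint the query names.
SELECT s.name AS linked_server, ll.remote_name AS stored_login
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.provider = 'ADSDSOObject'
  AND ll.uses_self_credential = 0
  AND ll.remote_name IS NOT NULL;

-- 3. What a legitimate directory query through the provider looks like
--    (ADSI SQL dialect inside OPENQUERY; quotes are doubled because the
--    query is passed as a string). 'ADSI' and the base DN are placeholders.
SELECT *
FROM OPENQUERY(ADSI,
    'SELECT cn, sAMAccountName
     FROM ''LDAP://DC=corp,DC=example''
     WHERE objectClass = ''user''');

-- 4a. Hardening option 1: stop storing a credential on the link and let every
--     caller authenticate to the directory as themselves.
EXEC sp_addlinkedsrvlogin @rmtsrvname = 'ADSI', @useself = 'true';

-- 4b. Hardening option 2: if nothing depends on the link, remove it together
--     with its login mappings.
EXEC sp_dropserver @server = 'ADSI', @droplogins = 'droplogins';
```

Run steps 1 and 2 with a login that holds VIEW ANY DEFINITION or sysadmin so that sys.linked_logins is fully visible; an empty result from step 2 means no ADSI link stores a reusable credential on that instance.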
∗∗∗ Cisco security updates: attackers could change arbitrary users' passwords ∗∗∗
---------------------------------------------
Among others, Cisco Expressway Series and Adaptive Security Appliance are vulnerable. Admins should update the software.
---------------------------------------------
https://heise.de/-9180829
∗∗∗ Minecraft mod packages infected with Fractureiser malware ∗∗∗
---------------------------------------------
Minecraft players beware: infected mods have appeared on the legitimate portals Bukkit and CurseForge.
---------------------------------------------
https://heise.de/-9182068
∗∗∗ Code execution attacks possible against VMware network monitoring solution ∗∗∗
---------------------------------------------
There is an important security update for VMware Aria Operations for Networks. Admins should act promptly.
---------------------------------------------
https://heise.de/-9181036
∗∗∗ Android malware: cunningly hidden from users ∗∗∗
---------------------------------------------
While testing a protection component, Bitdefender's malware analysts came across Android malware that hides itself on the smartphone in a cunning way.
---------------------------------------------
https://heise.de/-9182008
∗∗∗ Asylum Ambuscade: crimeware or cyber espionage? ∗∗∗
---------------------------------------------
A strange case of a threat actor on the borderline between crimeware and cyber espionage.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/06/08/asylum-ambuscade-crimeware-oder-cyberspionage/
∗∗∗ SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint ∗∗∗
---------------------------------------------
A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.
---------------------------------------------
https://www.securityweek.com/saas-ransomware-attack-hit-sharepoint-online-without-using-a-compromised-endpoint/
∗∗∗ Shodan Verified Vulns 2023-06-01 ∗∗∗
---------------------------------------------
As of 2023-06-01, Shodan sees the following vulnerabilities in Austria: [...] This month, too, there is a decline in almost all entries. The only relatively larger exception is the vulnerability CVE-2015-2080 (Jetleak).
---------------------------------------------
https://cert.at/de/aktuelles/2023/6/shodan-verified-vulns-2023-06-01
∗∗∗ Adventures in Disclosure: When Reporting Bugs Goes Wrong ∗∗∗
---------------------------------------------
The Zero Day Initiative (ZDI) is the world’s largest vendor-agnostic bug bounty program. That means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc. We don’t buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan. Why Disclose at All? This is a fine place to start.
---------------------------------------------
https://www.thezdi.com/blog/2023/6/7/adventures-in-disclosure-when-reporting-bugs-goes-wrong
∗∗∗ May 2023’s Most Wanted Malware: New Version of Guloader Delivers Encrypted Cloud-Based Payloads ∗∗∗
---------------------------------------------
Check Point Research reported on a new version of shellcode-based downloader GuLoader featuring fully encrypted payloads for cloud-based delivery. Our latest Global Threat Index for May 2023 saw researchers report on a new version of shellcode-based downloader GuLoader, which was the fourth most prevalent malware. With fully encrypted payloads and anti-analysis techniques, the latest form can be stored undetected in well-known public cloud services, including Google Drive.
---------------------------------------------
https://blog.checkpoint.com/security/may-2023s-most-wanted-malware-new-version-of-guloader-delivers-encrypted-cloud-based-payloads/
∗∗∗ Analyzing the FUD Malware Obfuscation Engine BatCloak ∗∗∗
---------------------------------------------
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak.html
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-818: (0Day) ZTE MF286R goahead Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ZTE MF286R routers. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-818/
∗∗∗ ZDI: Sante DICOM Viewer Pro Vulnerabilities ∗∗∗
---------------------------------------------
* ZDI-23-853: Sante DICOM Viewer Pro DCM File Parsing Use-After-Free Information Disclosure Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-853/
* ZDI-23-854: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-854/
* ZDI-23-855: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-855/
* ZDI-23-856: Sante DICOM Viewer Pro JP2 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-856/
---------------------------------------------
https://www.santesoft.com/win/sante-dicom-viewer-pro/download.html
∗∗∗ Antivirus: high-risk security vulnerabilities in Trend Micro's Apex One ∗∗∗
---------------------------------------------
In the protection software Trend Micro Apex One, attackers can abuse vulnerabilities to escalate their privileges on the system. Updates are available.
---------------------------------------------
https://heise.de/-9180965
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, and ruby2.5), Fedora (curl, dbus, pypy, pypy3.8, pypy3.9, python3.10, and python3.8), Red Hat (python and python-flask), Scientific Linux (emacs), SUSE (firefox, google-cloud-sap-agent, libwebp, opensc, openssl, openssl-3, openssl1, python-sqlparse, python310, and supportutils), and Ubuntu (libxml2, netatalk, and sysstat).
---------------------------------------------
https://lwn.net/Articles/934245/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jupyter-core, openssl, and ruby2.5), Fedora (firefox), Mageia (libreoffice, openssl, and python-flask), Red Hat (python and python3), Slackware (mozilla, php8, and python3), SUSE (java-1_8_0-ibm, libcares2, mariadb, and python36), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-gke, linux-intel-iotg, linux-raspi, linux-xilinx-zynqmp, and mozjs102).
---------------------------------------------
https://lwn.net/Articles/934316/
∗∗∗ Delta Electronics CNCSoft-B DOPSoft ∗∗∗
---------------------------------------------
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-01
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on June 8, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-23-159-01 Atlas Copco Power Focus 6000
ICSA-23-159-02 Sensormatic Electronics Illustra Pro Gen 4
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/08/cisa-releases-two-industrial-control-systems-advisories
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily