[CERT-daily] Tageszusammenfassung - 19.06.2023

Mon Jun 19 19:15:15 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 16-06-2023 18:00 − Montag 19-06-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Android spyware camouflaged as VPN, chat apps on Google Play ∗∗∗
---------------------------------------------
Three Android apps on Google Play were used by state-sponsored threat actors to collect intelligence from targeted devices, such as location data and contact lists.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-spyware-camouflaged-as-vpn-chat-apps-on-google-play/


∗∗∗ Security Expert Defeats Lenovo Laptop BIOS Password With a Screwdriver ∗∗∗
---------------------------------------------
Cybersecurity experts at CyberCX have demonstrated a simple method for consistently accessing older BIOS-locked laptops by shorting pins on the EEPROM chip with a screwdriver, enabling full access to the BIOS settings and bypassing the password.
---------------------------------------------
https://it.slashdot.org/story/23/06/16/2322255/security-expert-defeats-lenovo-laptop-bios-password-with-a-screwdriver?utm_source=rss1.0mainlinkanon&utm_medium=feed


∗∗∗ From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks. "The Diicot name is significant, as its also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report.
---------------------------------------------
https://thehackernews.com/2023/06/from-cryptojacking-to-ddos-attacks.html


∗∗∗ New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions ∗∗∗
---------------------------------------------
A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.
---------------------------------------------
https://thehackernews.com/2023/06/new-mystic-stealer-malware-targets-40.html


∗∗∗ [SANS ISC] Malware Delivered Through .inf File ∗∗∗
---------------------------------------------
Today, I published the following diary on isc.sans.edu: “Malware Delivered Through .inf File“: Microsoft has used “.inf” files for a while. They are simple text files and contain setup information in a driver package. They describe what must be performed to install a driver package on a device. When you read them, the syntax is straightforward to understand. The file is based on sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection].
---------------------------------------------
https://blog.rootshell.be/2023/06/19/sans-isc-malware-delivered-through-inf-file/


∗∗∗ The Phantom Menace: Exposing hidden risks through ACLs in Active Directory (Part 1) ∗∗∗
---------------------------------------------
The abuse of misconfigured Access Control Lists is nothing new. However, it is still one of the main ways of lateral movement and privilege escalation within an active directory domain. [..] In this post, we will discuss, in a general overview, some concepts that will help us understand how Windows handles access relationships and privileges between objects and how to enumerate these relationships.
---------------------------------------------
https://labs.lares.com/securing-active-directory-via-acls/


∗∗∗ Speculative Denial-of-Service Attacks in Ethereum ∗∗∗
---------------------------------------------
Block proposers speculatively execute transactions when creating blocks to maximize their profits. How can this go wrong? In “Speculative Denial-of-Service Attacks in Ethereum”, we show how speculative execution allows attackers to cheaply DoS the network.
---------------------------------------------
https://medium.com/@aviv.yaish/speculative-denial-of-service-attacks-in-ethereum-c4bfbbaec4a2


∗∗∗ Warning: Malware Disguised as a Security Update Installer Being Distributed ∗∗∗
---------------------------------------------
AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software.
---------------------------------------------
https://asec.ahnlab.com/en/54375/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ ZDI-23-889: Schneider Electric IGSS DashFiles Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-889/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-go.crypto, maradns, requests, sofia-sip, and xmltooling), Fedora (chromium, iaito, iniparser, libX11, matrix-synapse, radare2, and thunderbird), Red Hat (c-ares, jenkins and jenkins-2-plugins, and texlive), SUSE (bluez, chromium, go1.19, go1.20, jetty-minimal, kernel, kubernetes1.18, kubernetes1.23, kubernetes1.24, libX11, open-vm-tools, openvswitch3, opera, syncthing, and xen), and Ubuntu (libcap2, libpod, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-lowlatency, linux-raspi, linux-oem-5.17, linux-oem-6.1, pypdf2, and qemu).
---------------------------------------------
https://lwn.net/Articles/935184/


∗∗∗ Vulnerability in Apache Commons FileUpload may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998653


∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004699


∗∗∗ Vulnerability in Eclipse OpenJ9 affects Rational Performance Tester (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004703


∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004701


∗∗∗ Vulnerability in Eclipse OpenJ9 affects Rational Service Tester (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004705


∗∗∗ Vulnerabilities in Golang, Python, postgresql, cURL libcurl might affect IBM Spectrum Copy Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995589


∗∗∗ Vulnerabilities with OpenSSL, Apache HTTP Server, Python affect IBM Cloud Object Storage Systems (June 2023v1) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004661


∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Performance Tester. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004709


∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Service Tester. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004711


∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-1280, CVE-2023-0386, CVE-2022-4269, CVE-2022-2873, CVE-2022-4378) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995585


∗∗∗ Vulnerabilities with Linux Kernel, OpenJDK affect IBM Cloud Object Storage Systems (June 2023) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002711


∗∗∗ Vulnerabilities in Golang Go might affect IBM Spectrum Copy Data Management ( CVE-2023-24536, CVE-2023-24537, CVE-2023-24538) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998399


∗∗∗ IBM Sterling Control Center is vulnerable to denial of service attack due to Java SE (CVE-2022-21426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004723


∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Java SE (CVE-2023-21830, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004721


∗∗∗ Vulnerabilities in OpenSSL might affect IBM Spectrum Copy Data Management (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995593


∗∗∗ IBM Aspera Shares is vulnerable to cross-site scripting due to JQuery-UI (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004731


∗∗∗ Vulnerabilities in Oracle Java SE might affect IBM Spectrum Copy Data Management (CVE-2023-21968, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21937, CVE-2023-21930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995595


∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004197


∗∗∗ Vulnerabilities in Flask and Pallets Werkzeug may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2023-30861, CVE-2023-25577, CVE-2023-23934) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999973


∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986323


∗∗∗ Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001663

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily