[CERT-daily] Daily summary - 28.06.2023
Daily end-of-shift report
team at cert.at
Wed Jun 28 19:17:57 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-06-2023 18:00 - Wednesday 28-06-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Andariel’s silly mistakes and a new malware family ∗∗∗
---------------------------------------------
In this crimeware report, Kaspersky researchers provide insights into Andariel’s activity targeting organizations: clumsy commands executed manually, off-the-shelf tools and EasyRat malware.
---------------------------------------------
https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/
∗∗∗ Warning: JavaScript registry npm vulnerable to manifest confusion abuse ∗∗∗
---------------------------------------------
Failure to match metadata with packaged files is perfect for supply chain attacks. The npm Public Registry, a database of JavaScript packages, fails to compare npm package manifest data with the archive of files that data describes, creating an opportunity for the installation and execution of malicious files.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/06/27/javascript_registry_npm_vulnerable/
∗∗∗ Black Basta Ransomware ∗∗∗
---------------------------------------------
What is Black Basta Ransomware? Black Basta is a threat group that provides ransomware-as-a-service (RaaS). The service is maintained by dedicated developers and is a highly efficient and professionally run operation; there’s a TOR website that provides a victim login portal, a chat room, and a wall of companies’ names whose data has been leaked.
---------------------------------------------
https://www.pentestpartners.com/security-blog/black-basta-ransomware/
∗∗∗ Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor ∗∗∗
---------------------------------------------
Manic Menagerie 2.0 is a campaign deploying coin miners and web shells, among other tactics. Hijacked machines could be used as C2 for further operations.
---------------------------------------------
https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/
∗∗∗ Charming Kitten Updates POWERSTAR with an InterPlanetary Twist ∗∗∗
---------------------------------------------
Volexity works with many individuals and organizations often subjected to sophisticated and highly targeted spear-phishing campaigns from a variety of nation-state-level threat actors. In the last few years, Volexity has observed threat actors dramatically increase the level of effort they put into compromising credentials or systems of individual targets.
---------------------------------------------
https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/
∗∗∗ Hackers Hiding DcRAT Malware in Fake OnlyFans Content ∗∗∗
---------------------------------------------
A malicious campaign targeting smartphone users has been uncovered, utilizing fake OnlyFans content to distribute a dangerous Remote Access Trojan (RAT) known as DcRAT malware.
---------------------------------------------
https://www.hackread.com/hackers-dcrat-malware-fake-onlyfans-content/
∗∗∗ Newly Surfaced ThirdEye Infostealer Targeting Windows Devices ∗∗∗
---------------------------------------------
FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer.
---------------------------------------------
https://www.hackread.com/thirdeye-infostealer-windows-devices/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution ∗∗∗
---------------------------------------------
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems.
---------------------------------------------
https://thehackernews.com/2023/06/critical-sql-injection-flaws-expose.html
∗∗∗ App Bypass and other vulnerabilities in Boomerang Parental Control App ∗∗∗
---------------------------------------------
The child-monitoring app "Boomerang" by National Education Technologies is affected by high-risk vulnerabilities. Attackers can create a local ADB backup through which access to API tokens can be obtained. This allows an attacker to perform privilege escalation or cross-site scripting in the parents' web dashboard. Furthermore, children can easily bypass the restrictions set by their parents.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/app-bypass-und-andere-schwachstellen-in-boomerang-parental-control-app/
∗∗∗ Nvidia: Driver update closes code-execution vulnerabilities ∗∗∗
---------------------------------------------
Nvidia's graphics card drivers for Linux and Windows have high-risk security vulnerabilities. The vendor is now shipping updates to close the holes.
---------------------------------------------
https://heise.de/-9200904
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (docker-docker-registry, libcap, libx11, mediawiki, python-requests, python-tornado, sofia-sip, sqlite, and xonotic), Red Hat (kernel, kernel-rt, kpatch-patch, libssh, libtiff, python27:2.7, python39:3.9, python39-devel:3.9, ruby:2.7, sqlite, systemd, and virt:rhel, virt-devel:rhel), SUSE (bind, cosign, guile1, lilypond, keepass, kubernetes1.24, nodejs16, nodejs18, phpMyAdmin, and sqlite3), and Ubuntu (etcd).
---------------------------------------------
https://lwn.net/Articles/936671/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM App Connect Enterprise, IBM Security Guardium, CloudPak for Watson, IBM MQ, IBM Maximo Manage application, IBM TXSeries, IBM CICS TX, IBM Cloud Object Storage Systems, IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manager, IBM Informix JDBC Driver, IBM i, IBM Tivoli Netcool Impact, IBM Robotic Process Automation, IBM WebSphere Application Server and FileNet Content Manager.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Path Traversal / Cross-Site Scripting in the Gira KNX IP Router (SYSS-2023-015/-016) ∗∗∗
---------------------------------------------
The web interface of the Gira KNX IP router allows path traversal (access to system files) and is vulnerable to cross-site scripting attacks.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-/-cross-site-scripting-im-gira-knx-ip-router-syss-2023-015/-016
∗∗∗ Information Disclosure Vulnerability in Bosch IP cameras ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-839739-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily mailing list