[CERT-daily] Tageszusammenfassung - 29.06.2023

Thu Jun 29 18:45:24 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 28-06-2023 18:00 − Donnerstag 29-06-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Linux version of Akira ransomware targets VMware ESXi servers ∗∗∗
---------------------------------------------
The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/


∗∗∗ Exploit released for new Arcserve UDP auth bypass vulnerability ∗∗∗
---------------------------------------------
Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-new-arcserve-udp-auth-bypass-vulnerability/


∗∗∗ Security Baseline for M365 Apps for enterprise v2306 ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2306.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702


∗∗∗ GuLoader- or DBatLoader/ModiLoader-style infection for Remcos RAT, (Thu, Jun 29th) ∗∗∗
---------------------------------------------
On Monday 2023-06-26, I received an email in one of my honeypot accounts, and the email led to a loader-based infection for Remcos RAT.  The loader seems to be a GuLoader- or ModiLoader (DBatLoader)-style malware, but it's not like the GuLoader or ModiLoader samples I've run across so far.
---------------------------------------------
https://isc.sans.edu/diary/rss/29990


∗∗∗ Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes ∗∗∗
---------------------------------------------
Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse. The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/06/fluhorse-flutter-based-android-malware.html


∗∗∗ Finding Gadgets for CPU Side-Channels with Static Analysis Tools ∗∗∗
---------------------------------------------
We have recently begun research on using static analysis tools to find Spectre-v1 gadgets. During this research, we discovered two gadgets, one in do_prlimit (CVE-2023-0458) and one in copy_from_user (CVE-2023-0459). In this writeup, we explain these issues and how we found them.
---------------------------------------------
https://github.com/google/security-research/blob/master/pocs/cpus/spectre-gadgets/README.md


∗∗∗ Verantwortungsvolle Veröffentlichung einer Exploit-Kette, die auf die Implementierung der RFC-Schnittstelle im SAP Application Server für ABAP abzielt ∗∗∗
---------------------------------------------
In einer unabhängigen Analyse der serverseitigen Implementierung der proprietären Remote Function Call (RFC)-Schnittstelle in SAP NetWeaver Application Server ABAP und ABAP Platform (beide im Folgenden als AS ABAP bezeichnet) wurden von Fabian Hagg, Sicherheitsforscher im SEC Consult Vulnerability Lab und SAP Security Experte, eine Reihe von schwerwiegenden Implementierungs- und Designfehlern identifiziert.
---------------------------------------------
https://sec-consult.com/de/blog/detail/verantwortungsvolle-veroeffentlichung-einer-exploit-kette-die-auf-die-implementierung-der-rfc-schnittstelle-im-sap-application-server-fuer-abap-abzielt/


∗∗∗ Das können Sie tun, wenn Kriminelle Ihren Online-Shop kopieren ∗∗∗
---------------------------------------------
Fake-Shops bieten im Internet Markenprodukte zu Spottpreisen an. Kriminelle bauen dabei die echten Webseiten einfach nach, sodass die Fälschung auf den ersten Blick oft gar nicht ersichtlich ist. Wir zeigen Ihnen, was Sie tun können, wenn Ihr Online-Shop betroffen ist und wie Sie Ihre Kund:innen schützen können.
---------------------------------------------
https://www.watchlist-internet.at/news/das-koennen-sie-tun-wenn-kriminelle-ihren-online-shop-kopieren/


∗∗∗ CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments ∗∗∗
---------------------------------------------
Recognizing the various types of security threats that could affect CI/CD operations and taking steps to defend against each one is critical in securing a CI/CD environment. Organizations will find in this guide a list of common risks found in CI/CD pipelines and attack surfaces that could be exploited and threaten network security.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/28/cisa-and-nsa-release-joint-guidance-defending-continuous-integrationcontinuous-delivery-cicd


∗∗∗ Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts ∗∗∗
---------------------------------------------
In Mandiant’s initial publication of this vulnerability, we covered the attackers’ exploitation of CVE-2023-20867, the harvesting of ESXi service account credentials on vCenter machines, and the implications of backdoor communications over VMCI socket. In this blog post, we will focus on the artifacts, logging options, and hardening steps to detect and prevent the following tactics and techniques seen being used by UNC3886.
---------------------------------------------
https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening


∗∗∗ Introducing KBOM – Kubernetes Bill of Materials ∗∗∗
---------------------------------------------
SBOM (Software Bill of Materials) is an accepted best practice to map the components and dependencies of your applications in order to better understand your applications’ risks. SBOMs are used as a basis for vulnerability assessment, licensing compliance, and more. There are plenty of available tools, such as Aqua Trivy, that help you easily generate SBOM for your applications.
---------------------------------------------
https://blog.aquasec.com/introducing-kbom-kubernetes-bill-of-materials


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal Security advisories 2023-06-28 ∗∗∗
---------------------------------------------
Drupal released 7 new security advisories. (1x Critical, 5x Moderatly Critical, 1x Less Critical)
---------------------------------------------
https://www.drupal.org/security


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and maradns), SUSE (iniparser, kubernetes1.23, python-reportlab, and python-sqlparse), and Ubuntu (accountsservice and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/936752/


*** IBM Security Bulletins ***
---------------------------------------------
AIX, IBM QRadar SIEM, WebSphere Application Server, IBM Security SOAR, IBM Cloud Pak, CICS, IBM SDK, IBM Tivoli, FileNet Content Manager, Db2 Graph, IBM OpenPages and IBM Semeru Runtime.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0005 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0005.html


∗∗∗ F5: K000135262 : Apache Tomcat vulnerability CVE-2023-28709 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000135262


∗∗∗ Stable Channel Update for ChromeOS/ChromeOS Flex ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2023/06/stable-channel-update-for_28.html


∗∗∗ [R1] Nessus Version 10.5.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-22


∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-01


∗∗∗ Ovarro TBox RTUs ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03


∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-04


∗∗∗ Medtronic Paceart Optima System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-180-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily