[CERT-daily] Tageszusammenfassung - 07.03.2023
Daily end-of-shift report
team at cert.at
Tue Mar 7 18:17:15 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Montag 06-03-2023 18:00 − Dienstag 07-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Proof-of-Concept released for critical Microsoft Word RCE bug ∗∗∗
---------------------------------------------
A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/
∗∗∗ Old Windows ‘Mock Folders’ UAC bypass used to drop malware ∗∗∗
---------------------------------------------
A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac-bypass-used-to-drop-malware/
∗∗∗ Sheins Android App Caught Transmitting Clipboard Data to Remote Servers ∗∗∗
---------------------------------------------
An older version of Sheins Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server.The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022.
---------------------------------------------
https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.html
∗∗∗ SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors."The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..]
---------------------------------------------
https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.html
∗∗∗ Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing ∗∗∗
---------------------------------------------
Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).
---------------------------------------------
https://www.securityweek.com/exploitation-of-critical-vulnerability-in-end-of-life-vmware-product-ongoing/
∗∗∗ Werbung für neue Fake-Investment-Plattform "TradeGPT" auf Facebook, Instagram & Co. ∗∗∗
---------------------------------------------
Kriminelle bewerben auf Instagram, Facebook und Co. betrügerische Investitionsplattformen wie trade-gpt.ai oder financialpronews.com. In den Fake-Beiträgen wird eine neue Trading-Plattform, entwickelt von Elon Musk und OpenAI, vorgestellt. Die Plattform mit dem Namen "TradeGPT" erleichtert angeblich „einfachen Menschen“ den Einstieg in den Aktien- und Rohstoffhandel. Die Plattform hat nichts mit Elon Musk oder OpenAI zu tun und ist betrügerisch!
---------------------------------------------
https://www.watchlist-internet.at/news/werbung-fuer-neue-fake-investment-plattformen-tradegpt-auf-facebook-instagram-co/
∗∗∗ Betrugsmasche gegen Verrechnung ∗∗∗
---------------------------------------------
Certitude nimmt eine Häufung von Online-Betrug gegen die Verrechnungsabteilungen von österreichischen Unternehmen wahr. Angreifer erwirken die Änderungen der Kontodaten von Lieferanten bei deren Kunden durch Social Engineering per E-Mail. Häufig betragen die Schadenssummen mehrere hunderttausend Euro und führen zu Rechtsstreitigkeiten zwischen den betroffenen Unternehmen.
---------------------------------------------
https://certitude.consulting/blog/de/betrugsmasche-gegen-verrechnung/
∗∗∗ Using Memory Analysis to Detect EDR-Nullifying Malware ∗∗∗
---------------------------------------------
One tool Trend Micro described, dubbed “AVBurner”, used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis.
---------------------------------------------
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Benutzt hier jemand SHA-3? Die Referenzimplementation ... ∗∗∗
---------------------------------------------
Benutzt hier jemand SHA-3? Die Referenzimplementation hat einen Integer Overflow.
---------------------------------------------
http://blog.fefe.de/?ts=9af9c7a3
∗∗∗ Multiple vulnerabilities in PostgreSQL extension module pg_ivm ∗∗∗
---------------------------------------------
* Exposure of sensitive information to an unauthorized actor - CVE-2023-22847
* Uncontrolled search path element - CVE-2023-23554
---------------------------------------------
https://jvn.jp/en/jp/JVN19872280/
∗∗∗ ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-212/
∗∗∗ ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-214/
∗∗∗ Patchday: Kritische System-Lücken bedrohen Android 11, 12 und 13 ∗∗∗
---------------------------------------------
Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Im schlimmsten Fall könnten Angreifer Schadcode ausführen.
---------------------------------------------
https://heise.de/-7537197
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff).
---------------------------------------------
https://lwn.net/Articles/925469/
∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP
∗∗∗ PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-053/
∗∗∗ WordPress BuddyForms Plugin — Unauthenticated Insecure Deserialization (CVE-2023–26326) ∗∗∗
---------------------------------------------
https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthenticated-insecure-deserialization-cve-2023-26326-3becb5575ed8?source=rss----68728ef06732---4
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952319
∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959369
∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960473
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960481
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960485
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960493
∗∗∗ IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960495
∗∗∗ IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960511
∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828569
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list