[CERT-daily] Daily summary - 15.03.2023

Daily end-of-shift report team at cert.at
Wed Mar 15 18:56:38 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 14-03-2023 18:00 - Wednesday 15-03-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th) ∗∗∗
---------------------------------------------
In the last couple of weeks, I've noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS) - an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception.
---------------------------------------------
https://isc.sans.edu/diary/rss/29638


∗∗∗ How to Find & Fix: WordPress Pharma Hack ∗∗∗
---------------------------------------------
Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don’t blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site’s good reputation to lure traffic to a scam.
---------------------------------------------
https://blog.sucuri.net/2023/03/find-fix-wordpress-pharma-hack.html


∗∗∗ New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...]
---------------------------------------------
https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html


∗∗∗ Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.
---------------------------------------------
https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/


∗∗∗ Apple admits: iOS services can bypass VPN tunnels ∗∗∗
---------------------------------------------
iOS routes certain traffic around an active VPN connection, security researchers have been warning for some time. According to Apple, this is intentional.
---------------------------------------------
https://heise.de/-7545702


∗∗∗ Patchday: Microsoft closes actively attacked security holes ∗∗∗
---------------------------------------------
Alongside two actively exploited security vulnerabilities, Microsoft is shipping updates for numerous products on its March Patchday. They close dozens of vulnerabilities.
---------------------------------------------
https://heise.de/-7545903


∗∗∗ Fake SMS from DHL steals your credit card data ∗∗∗
---------------------------------------------
The fraudulent DHL message states that your parcel has delivery problems. The problem can supposedly be solved by clicking the link. Do not click the link. You will be lured to a replica DHL website where personal information and credit card details are requested. Subsequently, your credit card is activated for Apple Pay on a third-party device.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-sms-von-dhl-stiehlt-ihre-kreditkartendaten/


∗∗∗ Uncovering Windows Events ∗∗∗
---------------------------------------------
Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn't a deep dive into how ETW works, [...]
---------------------------------------------
https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54?source=rss----f05f8696e3cc---4


∗∗∗ Released: March 2023 Exchange Server Security Updates ∗∗∗
---------------------------------------------
Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224


∗∗∗ How does malware spread? Top 5 ways malware gets into your network ∗∗∗
---------------------------------------------
Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware.
---------------------------------------------
https://www.emsisoft.com/en/blog/43733/how-does-malware-spread-top-5-ways-malware-gets-into-your-network/


∗∗∗ A look at CVE-2023-23415 - a Windows ICMP vulnerability + mitigations which is not a cyber meltdown ∗∗∗
---------------------------------------------
Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad at infosec.exchange. It’s a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it’s a high CVSS score in Windows OS on a commonly used protocol.
---------------------------------------------
https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerability-mitigations-which-is-not-a-cyber-meltdown-78a9f7e3e538



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Patchday: Adobe closes zero-day hole and more than 100 vulnerabilities ∗∗∗
---------------------------------------------
Adobe closes 106 security holes on its March Patchday. One of them, in Adobe ColdFusion, is already being abused by cybercriminals in attacks.
---------------------------------------------
https://heise.de/-7546150


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).
---------------------------------------------
https://lwn.net/Articles/926205/


∗∗∗ SAP Patchday contains updates for critical security vulnerabilities ∗∗∗
---------------------------------------------
The current SAP Patchday covers several vulnerabilities with a CVSS score >9.0. In particular, a critical vulnerability in SAP NetWeaver AS for Java (CVE-2023-23857) is trivially exploitable; due to insufficient authentication checks, it grants attackers extensive system access without any form of authentication. Further vulnerabilities (including CVE-2023-25616, CVE-2023-25617) allow remote code execution.
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/sap-patchday-enthalt-updates-fur-kritische-sicherheitslucken


∗∗∗ ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-245/


∗∗∗ ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-244/


∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500554-THINKPAD-BIOS-VULNERABILITIES


∗∗∗ AIX is affected by a denial of service (CVE-2022-45061) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963342


∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963372


∗∗∗ Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-4568) affects CICS Transaction Gateway for Multiplatforms. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963612


∗∗∗ Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963632

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily