[CERT-daily] Daily summary - 20.03.2023

Daily end-of-shift report team at cert.at
Mon Mar 20 19:10:39 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 17-03-2023 18:00 − Monday 20-03-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks ∗∗∗
---------------------------------------------
A new malware botnet was discovered targeting Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into DDoS (distributed denial of service) swarm with the potential for massive attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-launch-massive-33-tbps-ddos-attacks/


∗∗∗ Google: Edited Pixel screenshots can be recovered ∗∗∗
---------------------------------------------
Anyone who obscures parts of a screenshot relies on it staying that way. On Pixel smartphones, until now, that was not the case.
---------------------------------------------
https://www.golem.de/news/google-bearbeitete-pixel-screenshots-lassen-sich-wiederherstellen-2303-172759.html


∗∗∗ Ransomware: Emotet returns – as a OneNote e-mail attachment ∗∗∗
---------------------------------------------
The highly sophisticated Emotet malware is active again. It finds its way into potential victims' inboxes in the form of malicious OneNote files.
---------------------------------------------
https://heise.de/-7551285


∗∗∗ Malware scheme: Acrobat Sign service abused to slip malware to victims ∗∗∗
---------------------------------------------
Avast has observed a new scheme with which cybercriminals attempted to foist malware on victims. To do so, they abuse the Adobe Sign service.
---------------------------------------------
https://heise.de/-7557288


∗∗∗ Researchers Shed Light on CatB Ransomware's Evasion Techniques ∗∗∗
---------------------------------------------
The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities.
---------------------------------------------
https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html


∗∗∗ Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research ∗∗∗
---------------------------------------------
In this blog post, we’ll share some of our latest research into bypassing CloudTrail. We’ll cover a method that allowed CloudTrail bypass with both read and write API actions for the Service Catalog service. This now-fixed vulnerability is noteworthy, because it was the first publicly known CloudTrail bypass that could permit an attacker to alter an AWS environment.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/


∗∗∗ IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole ∗∗∗
---------------------------------------------
In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
---------------------------------------------
https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal security vulnerability could allow attackers to take over systems ∗∗∗
---------------------------------------------
The US cybersecurity agency CISA warns of a security vulnerability in the Drupal content management system. Attackers could hijack vulnerable systems.
---------------------------------------------
https://heise.de/-7550599


∗∗∗ OpenSSH 9.3 plugs security holes ∗∗∗
---------------------------------------------
The OpenSSH developers have released version 9.3 of the encryption suite. It closes security vulnerabilities and fixes minor bugs.
---------------------------------------------
https://heise.de/-7550738


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim).
---------------------------------------------
https://lwn.net/Articles/926636/


∗∗∗ IBM Security Bulletins 2023-03-20 ∗∗∗
---------------------------------------------
* Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) 
* Watson AI Gateway for Cloud Pak for Data is vulnerable to an OpenSSL denial of service caused by a type confusion error (CVE-2023-0286) 
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly authorized password changes 
* Watson AI Gateway for Cloud Pak for Data is vulnerable to Ansible Runner code execution and could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper shell escaping of the shell command. 
* IBM Aspera Faspex can be vulnerable to improperly authorized password changes 
* Vulnerability in EFS affects AIX (CVE-2021-29861) 
* Vulnerability in libc affects AIX (CVE-2021-29860) 
* Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)
* Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
* A denial of service vulnerability in JDOM affects IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2021-33813)
* Vulnerabilities in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)
* Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4 
* Vulnerability in Node.js affects IBM Voice Gateway 
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes 
* Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925) 
* Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Workload Scheduler. 
* IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998) 
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Spring Framework 5.2.23 fixes cve-2023-20861 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-framework-5-2-23-fixes-cve-2023-20861


∗∗∗ Spring Framework 6.0.7 and 5.3.26 fix cve-2023-20860 and cve-2023-20861 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily