[CERT-daily] Daily summary - 21.03.2023

Daily end-of-shift report team at cert.at
Tue Mar 21 18:50:04 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 20-03-2023 18:00 − Tuesday 21-03-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Windows 11 bug warns Local Security Authority protection is off ∗∗∗
---------------------------------------------
Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-security-authority-protection-is-off/


∗∗∗ From Phishing Kit To Telegram... or Not!, (Mon, Mar 20th) ∗∗∗
---------------------------------------------
Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns!
---------------------------------------------
https://isc.sans.edu/diary/rss/29650


∗∗∗ Google Cloud Log Extraction ∗∗∗
---------------------------------------------
In this blog post, we review the methods through which we can extract logs from Google Cloud.
---------------------------------------------
https://www.sans.org/blog/google-cloud-log-extraction/


∗∗∗ Find Threats in Event Logs with Hayabusa ∗∗∗
---------------------------------------------
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable.
---------------------------------------------
https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusa


∗∗∗ Black Angel Rootkit ∗∗∗
---------------------------------------------
Black Angel is a Windows 11/10 x64 kernel mode rootkit. The rootkit can be loaded with DSE enabled while maintaining its full functionality. Designed for Red Teams.
---------------------------------------------
https://github.com/XaFF-XaFF/Black-Angel-Rootkit


∗∗∗ Linux auditd for Threat Detection [Final] ∗∗∗
---------------------------------------------
The focus of this article will be to describe what behaviors allow for which events to be recorded by auditd. Additionally, you will see where auditd is not capable of recording certain events, despite verbose settings.
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d5173706b3f


∗∗∗ Nexus: a new Android botnet? ∗∗∗
---------------------------------------------
In January 2023, a new Android banking trojan appeared on multiple hacking forums under the name of Nexus. However, Cleafy’s Threat Intelligence & Response Team traced the first Nexus infections to June 2022, well before the public announcement.
---------------------------------------------
https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet


∗∗∗ Mitigating SSRF in 2023 ∗∗∗
---------------------------------------------
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick a server-side application to make a request to an unintended location. SSRF, unlike most other specific vulnerabilities, has gained its own spot on the OWASP Top 10 2021. This reflects both how common and how impactful this type of vulnerability has become.
---------------------------------------------
https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/


∗∗∗ Malicious NuGet Packages Used to Target .NET Developers ∗∗∗
---------------------------------------------
Software developers have been targeted in a new attack via malicious packages in the NuGet repository.
---------------------------------------------
https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-developers/


∗∗∗ Warning: Fraudulent calls about Eurojackpot winnings! ∗∗∗
---------------------------------------------
Beware of alleged prize notifications by phone, e-mail, post and social media in the name of Eurojackpot. Criminals pose as the lottery and claim that you have won money. Later on, you are asked to pay money up front in order to receive the payout.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-betruegerische-anrufe-zu-eurojackpot-gewinn/


∗∗∗ Patch CVE-2023-23397 Immediately: What You Need To Know and Do ∗∗∗
---------------------------------------------
We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immediately-what-you-need-to-know-and-do.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc).
---------------------------------------------
https://lwn.net/Articles/926759/


∗∗∗ XSA-429 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-429.html


∗∗∗ XSA-428 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-428.html


∗∗∗ XSA-427 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-427.html


∗∗∗ Keysight N6845A Geolocation Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-01


∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02


∗∗∗ VISAM VBASE Automation Base ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05


∗∗∗ Siemens RUGGEDCOM APE1808 Product Family ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-03


∗∗∗ Rockwell Automation ThinManager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-22-080-06


∗∗∗ Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-wellintech-ics-platform-vulnerable-to-information-disclosure-buffer-overflow-vulnerabilities/


∗∗∗ Spring Vault 3.0.2 and 2.3.3 fix CVE-2023-20859 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-vault-3-0-2-and-2-3-3-fix-cve-2023-20859


∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Moment CVE-2023-22467 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964588


∗∗∗ A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852651


∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964694


∗∗∗ IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963662


∗∗∗ Vulnerability in Apache Commons FileUpload library affects Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964742


∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964752


∗∗∗ Multiple vulnerabilities of Mozilla Firefox ESR have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964754

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
