[CERT-daily] Daily summary - 22.05.2023
Daily end-of-shift report
team at cert.at
Mon May 22 18:54:36 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-05-2023 18:00 - Monday 22-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Current Qakbot/Pikabot wave in Austria ∗∗∗
---------------------------------------------
Alongside other countries, Austria is currently once again affected by a phishing/malspam wave driven by Qakbot/Pikabot. The current campaign runs under the name BB28 and, after a successful infection, leads to the download of Cobalt Strike and subsequently often to ransomware - here in particular frequently BlackBasta. A special feature of this campaign is the appearance of a potential successor or companion of Qakbot named Pikabot.
---------------------------------------------
https://cert.at/de/aktuelles/2023/5/aktuelle-qakbotpikabot-welle-in-osterreich
∗∗∗ CISA warns of Samsung ASLR bypass flaw exploited in attacks ∗∗∗
---------------------------------------------
CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-samsung-aslr-bypass-flaw-exploited-in-attacks/
∗∗∗ Cloned CapCut websites push information stealing malware ∗∗∗
---------------------------------------------
A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloned-capcut-websites-push-information-stealing-malware/
∗∗∗ Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks ∗∗∗
---------------------------------------------
The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.
---------------------------------------------
https://thehackernews.com/2023/05/notorious-cyber-gang-fin7-returns-cl0p.html
∗∗∗ IcedID Macro Ends in Nokoyawa Ransomware ∗∗∗
---------------------------------------------
In this case we document an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
---------------------------------------------
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
∗∗∗ Microsoft: BEC Scammers Use Residential IPs to Evade Detection ∗∗∗
---------------------------------------------
BEC scammers use residential IP addresses in attacks to make them seem locally generated and evade detection.
---------------------------------------------
https://www.securityweek.com/microsoft-bec-scammers-use-residential-ips-to-evade-detection/
∗∗∗ Webinar: How do I protect myself from love scams? ∗∗∗
---------------------------------------------
They feign great love and thereby cheat their counterpart out of large sums of money: in love scamming, fraudsters on online dating platforms and in social networks gain the trust of their victims in order to get at their money. Take part free of charge: Tuesday, 30 May 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-love-scams/
∗∗∗ Free trial offer for a light therapy is just a sales pitch ∗∗∗
---------------------------------------------
To win customers, Lumina Vital promises you free treatments. On the phone, you are pressured into a visit at your home. Even if you do not agree to any date, you are sent a letter with a fixed appointment. Do not let yourself be put under pressure if you do not want to buy anything!
---------------------------------------------
https://www.watchlist-internet.at/news/gratis-testangebot-einer-lichttherapie-nur-ein-verkaufsgespraech/
∗∗∗ Threat hunting with PowerShell – security even on a small budget ∗∗∗
---------------------------------------------
[English] IT security should not be a question of money – that is often just a pretext. MVP Tom Wechsler has given the topic some thought and shows how, even with PowerShell and a few lines of code, one can look for problems in the …
---------------------------------------------
https://www.borncity.com/blog/2023/05/22/threat-hunting-mit-powershell-sicherheit-auch-mit-kleinem-budget/
∗∗∗ Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware.
---------------------------------------------
https://asec.ahnlab.com/en/52920/
∗∗∗ Cloud-Based Malware Delivery: The Evolution of GuLoader ∗∗∗
---------------------------------------------
Antivirus products are constantly evolving to become more sophisticated and better equipped to handle complex threats. As a result, malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
---------------------------------------------
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/
=====================
= Vulnerabilities =
=====================
∗∗∗ CUPS: Security vulnerability in print system allows malicious code execution ∗∗∗
---------------------------------------------
In the CUPS print system, attackers on the network can abuse a security vulnerability to smuggle in and execute arbitrary code.
---------------------------------------------
https://heise.de/-9061315
∗∗∗ Attackers could target development environments via Jenkins ∗∗∗
---------------------------------------------
Software developers take note: there are important security updates for several Jenkins plug-ins. Attackers could gain access to login data.
---------------------------------------------
https://heise.de/-9061545
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups-filters, imagemagick, libwebp, sqlite, and texlive-bin), Fedora (chromium and vim), Gentoo (librecad, mediawiki, modsecurity-crs, snakeyaml, and tinyproxy), Mageia (apache-mod_security, cmark, dmidecode, freetype2, glib2.0, libssh, patchelf, python-sqlparse, sniproxy, suricata, and webkit2), Oracle (apr-util and firefox), Red Hat (git), SUSE (containerd, openvswitch, python-Flask, runc, terraform-provider-aws, and terraform-provider-null), and Ubuntu (tar).
---------------------------------------------
https://lwn.net/Articles/932625/
∗∗∗ Tornado vulnerable to open redirect ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN45127776/
∗∗∗ WordPress 6.2.2 Security Release ∗∗∗
---------------------------------------------
https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
∗∗∗ F5: K000134681 : Spring Framework vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134681
∗∗∗ F5: K000134706 : Python IDNA vulnerability CVE-2022-45061 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134706
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/22/cisa-adds-three-known-exploited-vulnerabilities-catalog
∗∗∗ Vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995893
∗∗∗ Security vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995895
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995887
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM Operational Decision Manager April 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997063
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.9ESR) have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997069
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Base(CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997075
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997083
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997097
∗∗∗ There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997107
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are affected by a vulnerability in the IBM SDK, Java Technology Edition [CVE-2023-30441] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997131
∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650695
∗∗∗ IBM b-type SAN Network/Storage switches are affected by a denial of service vulnerability, caused by CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650699
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily