[CERT-daily] Tageszusammenfassung - 23.05.2023

Daily end-of-shift report team at cert.at
Tue May 23 18:56:25 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Montag 22-05-2023 18:00 − Dienstag 23-05-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Malicious Windows kernel drivers used in BlackCat ransomware attacks ∗∗∗
---------------------------------------------
The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-windows-kernel-drivers-used-in-blackcat-ransomware-attacks/


∗∗∗ Sicherheitslücke in Samsung-Smartphones wird angegriffen ∗∗∗
---------------------------------------------
Eine Sicherheitslücke in Samsung-Smartphones, die das Unternehmen mit den Mai-Updates schließt, wird von Angreifern missbraucht. Einige Details sind unklar.
---------------------------------------------
https://heise.de/-9062566


∗∗∗ BrutePrint: Attacke knackt Schutz mit Fingerabdrucksensoren ∗∗∗
---------------------------------------------
IT-Sicherheitsforscher haben einen Angriff namens BrutePrint auf den Zugangsschutz von Smartphones mit Fingerabdrucksensoren vorgestellt.
---------------------------------------------
https://heise.de/-9062997


∗∗∗ OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel ∗∗∗
---------------------------------------------
Cedric Halbronn and Alex Plaskett presented at OffensiveCon on the 19th of May 2023 on Exploit Engineering – Attacking the Linux kernel.
---------------------------------------------
https://research.nccgroup.com/2023/05/23/offensivecon-2023-exploit-engineering-attacking-the-linux-kernel/


∗∗∗ Willhaben: Betrug mit PayLivery erkennen ∗∗∗
---------------------------------------------
Betrügerische Käufer:innen fälschen den PayLivery-Dienst von Willhaben und täuschen Ihnen vor, dass sie bereits bezahlt haben. Sie locken Sie auf eine Fake-Zahlungsplattform, wo Sie Ihre Kreditkartendaten zur Anforderung der Zahlung angeben müssen. Anschließend fordert man Sie auf, den Zahlungseingang in Ihrer Bank-App zu bestätigen. In Wirklichkeit geben Sie aber eine Zahlung frei und verlieren Ihr Geld.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-betrug-mit-paylivery-erkennen/


∗∗∗ Android app breaking bad: From legitimate screen recording to file exfiltration within a year ∗∗∗
---------------------------------------------
ESET researchers discover AhRat – a new Android RAT based on AhMyth – that exfiltrates files and records audio
---------------------------------------------
https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/


∗∗∗ Hacker nutzen Dropbox für betrügerische E-Mails ∗∗∗
---------------------------------------------
Aufgrund der Verbindung zu Dropbox scheinen die Nachrichten harmlos zu sein. Auch Sicherheitslösungen beanstanden unter Umständen die URLs zu Dropbox nicht. Nutzer laufen indes Gefahr, ihre Anmeldedaten an Hacker weiterzugeben.
---------------------------------------------
https://www.zdnet.de/88409355/hacker-nutzen-dropbox-fuer-betruegerische-e-mails/


∗∗∗ DarkCloud Infostealer Being Distributed via Spam Emails ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the DarkCloud malware being distributed via spam email. DarkCloud is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
---------------------------------------------
https://asec.ahnlab.com/en/53128/


∗∗∗ Lazarus Group Targeting Windows IIS Web Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers.
---------------------------------------------
https://asec.ahnlab.com/en/53132/


∗∗∗ Info Stealer Abusing Codespaces Puts Discord Users at Risk ∗∗∗
---------------------------------------------
In this entry, we detail our research findings on how an info stealer is able to achieve persistence on a victim’s machine by modifying the victim’s Discord client.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/info-stealer-abusing-codespaces-puts-discord-users--data-at-risk.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ WordPress 6.2.2: Durch Sicherheitspatch ausgelösten Fehler ausgebügelt ∗∗∗
---------------------------------------------
Die WordPress-Entwickler haben ein Sicherheitsupdate korrigiert. Die aktuelle Version steht ab sofort zum Download bereit.
---------------------------------------------
https://heise.de/-9062515


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-nth-check), Mageia (mariadb and python-reportlab), Slackware (c-ares), SUSE (geoipupdate and qt6-svg), and Ubuntu (linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-bluefield, linux-gcp, linux-hwe, linux-raspi2, linux-snapdragon, and linux-gcp, linux-hwe-5.19).
---------------------------------------------
https://lwn.net/Articles/932693/


∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) advisories on May 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 
* ICSA-23-143-01 Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x Products 
* ICSA-23-143-02 Hitachi Energy RTU500 
* ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module 
* ICSA-23-143-04 Horner Automation Cscape
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-releases-four-industrial-control-systems-advisories


∗∗∗ This Power System update is being released to address CVE 2023-30440 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997133


∗∗∗ IBM® MobileFirst Platform is vulnerable to CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997293


∗∗∗ Vulnerabilities in Python may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997507


∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to exposing sensitive information due to flaws and configurations (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997499


∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to denial of service due to [CVE-2012-0881], [CVE-2013-4002] and [CVE-2022-23437] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985605


∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22476, CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997581


∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22473. CVE-2021-38951) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997587


∗∗∗ Multiple Security Vulnerabilities have been fixed in IBM Security Directory Server, IBM Security Directory Suite and IBM Security Verify Directory. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997593


∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-21496, CVE-2021-35550, CVE-2021-2163, CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997585


∗∗∗ A vulnerability in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997589


∗∗∗ CVE-2022-41723 and CVE-2022-41721 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997601

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list