[CERT-daily] Tageszusammenfassung - 31.05.2023

Wed May 31 19:00:25 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 30-05-2023 18:00 − Mittwoch 31-05-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Zero-Day-Lücke: Leck in Barracudas ESG bereits seit 7 Monaten missbraucht ∗∗∗
---------------------------------------------
Barracuda hat vergangene Woche eine Zero-Day-Lücke in den ESG-Appliances abgedichtet. Untersuchungen ergeben, dass sie bereits seit Oktober missbraucht wurden.
---------------------------------------------
https://heise.de/-9083222


∗∗∗ Android-Spyware SpinOk kommt auf mehr als 421 Millionen Installationen ∗∗∗
---------------------------------------------
Ein Android-Software-Modul mit Spyware-Funktionen hat Doctor Web in Apps auf Google Play mit mehr als 421 Millionen Downloads aufgespürt. Google ist informiert.
---------------------------------------------
https://heise.de/-9069832


∗∗∗ Ransomware: Schutzkonzept gegen Angriffe ∗∗∗
---------------------------------------------
Trotz Maßnahmen gegen Cyber-Angriffe und Ransomware gelingen viele Attacken. Die Daten sind verschlüsselt. Einige Punkte verhelfen zu brauchbaren Backups.
---------------------------------------------
https://heise.de/-9069092


∗∗∗ RomCom malware spread via Google Ads for ChatGPT, GIMP, more ∗∗∗
---------------------------------------------
A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/romcom-malware-spread-via-google-ads-for-chatgpt-gimp-more/


∗∗∗ Mirai Variant Opens Tenda, Zyxel Gear to RCE, DDoS ∗∗∗
---------------------------------------------
Researchers have observed several cyberattacks leveraging a botnet called IZ1H9, which exploits vulnerabilities in exposed devices and servers running on Linux.
---------------------------------------------
https://www.darkreading.com/endpoint/mirai-variant-tenda-zyxel-rce-ddos


∗∗∗ Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor ∗∗∗
---------------------------------------------
Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.
---------------------------------------------
https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/


∗∗∗ Netflix-Phishing-Nachrichten aktuell besonders gefährlich! ∗∗∗
---------------------------------------------
Netflix hat mit Mai 2023 das Account-Sharing – also das Teilen von Netflix-Konten – unterbunden, wodurch zahlreiche Userinnen und User ihren Zugriff verloren haben, oder weitere Gebühren zu bezahlen haben. Gleichzeitig sind unzählige Netflix-Phishing-Mails im Umlauf, die zwar in keinem Zusammenhang mit den neuen Account-Sharing-Richtlinien stehen, aber durch die Umstellungen schneller für echt gehalten werden. Achtung: Hier dürfen keine Daten bekanntgegeben werden!
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-phishing-nachrichten-aktuell-besonders-gefaehrlich/


∗∗∗ Investigating BlackSuit Ransomware’s Similarities to Royal ∗∗∗
---------------------------------------------
In this blog entry, we analyze BlackSuit ransomware and how it compares to Royal Ransomware.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ New macOS vulnerability, Migraine, could bypass System Integrity Protection ∗∗∗
---------------------------------------------
A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2023-32369, was included in the security updates released by Apple on May 18, 2023.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/


∗∗∗ Barracuda Email Security Gateway Appliance (ESG) Vulnerability ∗∗∗
---------------------------------------------
Barracuda Networks priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks. Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.
---------------------------------------------
https://www.barracuda.com/company/legal/esg-vulnerability


∗∗∗ CVE-2023-34152: Shell Command Injection Bug Affecting ImageMagick ∗∗∗
---------------------------------------------
[...] recent findings have brought to light a trio of security vulnerabilities that could transform this useful tool into a potential weapon in the hands of malicious entities. 
* CVE-2023-34151: Undefined behaviors of casting double to size_t in svg, mvg, and other coders 
* CVE-2023-34152: RCE (shell command injection) vulnerability 
* CVE-2023-34153: Shell command injection vulnerability
---------------------------------------------
https://securityonline.info/cve-2023-34152-shell-command-injection-bug-affecting-imagemagick/


∗∗∗ Webbrowser: Google Chrome 114 schließt 16 Lücken und verbessert Sicherheit ∗∗∗
---------------------------------------------
Neben den üblichen geschlossenen Sicherheitslücken, derer 16 an der Zahl, liefert Google Chrome 114 auch teils neue oder verbesserte Sicherheitsfunktionen.
---------------------------------------------
https://heise.de/-9069705


∗∗∗ Zwangsupdate: WordPress-Websites über Jetpack-Lücke manipulierbar ∗∗∗
---------------------------------------------
Die Jetpack-Entwickler haben 102 fehlerbereinigte Versionen ihres WordPress-Plug-ins veröffentlicht.
---------------------------------------------
https://heise.de/-9069974


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (connman and kamailio), Fedora (texlive-base), Mageia (cups-filters, postgresql, qtbase5, tcpreplay, tomcat, and vim), Slackware (openssl), SUSE (amazon-ssm-agent, cni, cni-plugins, compat-openssl098, installation-images, libaom, openssl, openssl-1_0_0, openssl-1_1, terraform, terraform-provider-helm, tiff, tomcat, and wireshark), and Ubuntu (batik, flask, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-oracle, linux-oracle-5.4, mozjs102, nanopb, openssl, openssl1.0, snapd, and texlive-bin).
---------------------------------------------
https://lwn.net/Articles/933360/


∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0004 ∗∗∗
---------------------------------------------
Date Reported: May 30, 2023 
Advisory ID: WSA-2023-0004 
CVE identifiers: CVE-2023-28204, CVE-2023-32373.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0004.html


∗∗∗ Possible damage of secure element in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-435698-BT: Due to an error in the software interface to the secure element chip on the cameras, the chip can be **permanently damaged** leading to an unusable camera when enabling the Stream security option (signing of the video stream) on Bosch CPP13 and CPP14 cameras. The default setting for this option is "off".
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-435698-bt.html


∗∗∗ DataSpider Servista uses a hard-coded cryptographic key ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN38222042/


∗∗∗ [20230501] - Core - Open Redirects and XSS within the mfa selection ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/899-20230501-core-open-redirects-and-xss-within-the-mfa-selection.html


∗∗∗ [20230502] - Core - Bruteforce prevention within the mfa screen ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/900-20230502-core-bruteforce-prevention-within-the-mfa-screen.html


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily