[CERT-daily] Tageszusammenfassung - 11.09.2023

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 08-09-2023 18:00 − Montag 11-09-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Microsoft Teams phishing attack pushes DarkGate malware ∗∗∗
---------------------------------------------
A new phishing campaign is abusing Microsoft Teams messages to send malicious attachments that install the DarkGate Loader malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/


∗∗∗ Facebook Messenger phishing wave targets 100K business accounts per week ∗∗∗
---------------------------------------------
Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-messenger-phishing-wave-targets-100k-business-accounts-per-week/


∗∗∗ From Caribbean shores to your devices: analyzing Cuba ransomware ∗∗∗
---------------------------------------------
The article analyzes the malicious tactics, techniques and procedures (TTP) used by the operator of the Cuba ransomware, and details a Cuba attack incident.
---------------------------------------------
https://securelist.com/cuba-ransomware/110533/


∗∗∗ New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World ∗∗∗
---------------------------------------------
A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.
---------------------------------------------
https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html


∗∗∗ Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows ∗∗∗
---------------------------------------------
A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz.
---------------------------------------------
https://thehackernews.com/2023/09/cybercriminals-using-powershell-to.html


∗∗∗ Passwortmanager: LastPass-Hacker scheinen Kennworttresore zu knacken ∗∗∗
---------------------------------------------
Cyberkriminelle haben vergangenes Jahr LastPass-Kennworttresore kopiert. Nun scheinen sie diese zu knacken und Krypto-Wallets leerzuräumen.
---------------------------------------------
https://heise.de/-9300583


∗∗∗ From ERMAC to Hook: Investigating the technical differences between two Android malware variants ∗∗∗
---------------------------------------------
Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of ERMAC to further examine the technical differences between these malware families.
---------------------------------------------
https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/


∗∗∗ Zahlreiche unseriöse Dirndl-Shops im Umlauf ∗∗∗
---------------------------------------------
Wiesenzeit ist Dirndlzeit! Das wissen auch unseriöse Shop-Betreiber:innen. Damit möglichst viele potenzielle Opfer davon erfahren, wird auf Werbung via Facebook und Instagram gesetzt. Versprochen werden hochwertige Dirndl zu einem unschlagbar günstigen Preis. Erfahrungsberichte zeigen jedoch, dass nur minderwertige Kleidung bei den Konsument:innen ankommt.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-unserioese-dirndl-shops-im-umlauf/


∗∗∗ A classification of CTI Data feeds ∗∗∗
---------------------------------------------
We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria’s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic.
---------------------------------------------
https://cert.at/en/blog/2023/9/cti-data-feeds



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Pyramid vulnerable to directory traversal ∗∗∗
---------------------------------------------
Pyramid provided by Pylons Project contains a directory traversal vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN41113329/


∗∗∗ HPE OneView: Kritische Lücke erlaubt Umgehung von Authentifizierung ∗∗∗
---------------------------------------------
HPE warnt vor mehreren Sicherheitslücken in OneView, einer Infrastrukurverwaltungssoftware. Angreifer könnten etwa die Anmeldung umgehen.
---------------------------------------------
https://heise.de/-9301047


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (frr, kernel, libraw, mutt, and open-vm-tools), Fedora (cjose, pypy, vim, wireshark, and xrdp), Gentoo (apache), Mageia (chromium-browser-stable, clamav, ghostscript, librsvg, libtiff, openssl, poppler, postgresql, python-pypdf2, and unrar), Red Hat (flac), SUSE (firefox, geoipupdate, icu73_2, libssh2_org, rekor, skopeo, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp-5.4, linux-gkeop, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-6.2, linux-ibm, linux-oracle, linux-starfive, linux-gcp-5.15, linux-gkeop-5.15, and opendmarc).
---------------------------------------------
https://lwn.net/Articles/944190/


∗∗∗ Security updates available in PDF-XChange Editor/Tools 10.1.0.380 ∗∗∗
---------------------------------------------
https://www.tracker-software.com/support/security-bulletins.html


∗∗∗ Mattermost security updates 8.1.2 (ESR) / 8.0.3 / 7.8.11 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-8-1-2-esr-8-0-3-7-8-11-esr-released/


∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236


∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031271


∗∗∗ Vulnerability in BIND affects IBM Integrated Analytics System (Sailfish)[CVE-2023-2828] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031294


∗∗∗ Vulnerability in OpenSSH affects IBM Integrated Analytics System (Sailfish)[CVE-2023-38408] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031293


∗∗∗ Vulnerabilities in IBM Websphere Application Server affects IBM Application Performance Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031576


∗∗∗ Due to use of, IBM Application Performance Management is vulnerable to a local authenticated attacker to obtain sensitive information. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031614


∗∗∗ A vulnerability in Microsoft .NET may affect IBM Robotic Process Automation allowing an attacker to conduct spoofing attacks (CVE-2022-34716) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031620


∗∗∗ A vulnerability in Microsoft .NET Core may affect IBM Robotic Process Automation and result in a remote attacker obtaining sensitive information (CVE-2018-8292). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029529


∗∗∗ A vulnerability in Microsoft .NET Framework may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2022-41064) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031621


∗∗∗ IBM Robotic Process Automation could disclose sensitive information from access to RPA scripts, workflows and related data (CVE-2023-38718) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031619


∗∗∗ IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031624


∗∗∗ A vulnerability in Newtonsoft.Json may affect IBM Robotic Process Automation and result in a denial of service (IBM X-Force ID: 234366). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031623


∗∗∗ IBM Cognos Command Center is affected by multiple vulnerabilities (CVE-2023-21939, CVE-2023-21967, CVE-2022-29117, XFID: 234366) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012455

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily