End-of-Day report
Timeframe: Monday 16-01-2023 18:00 - Tuesday 17-01-2023 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
News
Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th)
I had a call recently from a client, they were looking for which Group Policy in their AD had a specific setting in it.
https://isc.sans.edu/diary/rss/29442
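One way to do the search the diary describes, as an added example that is not the diary's own script: dump every GPO in the domain as an XML report and grep the Computer and User sections for a pattern. It assumes the GroupPolicy RSAT module and a domain-joined session with read access to the GPOs; the search pattern passed at the bottom is a placeholder to replace with the setting you are hunting for.

```powershell
# Added example (not from the ISC diary). Requires the GroupPolicy module (RSAT) and
# read access to the domain's GPOs. Get-GPOReport -ReportType Xml returns the complete
# settings report of a GPO as a string, which is the easiest thing to search across
# hundreds of GPOs without knowing in advance which policy extension holds the setting.
Import-Module GroupPolicy

function Find-GpoSetting {
    param(
        # Regular expression (or plain text) to look for in the rendered settings report,
        # e.g. the policy display name or a registry value name.
        [Parameter(Mandatory)] [string] $Pattern
    )

    foreach ($gpo in Get-GPO -All) {
        # Cast the report string to XML so the Computer and User halves can be searched
        # separately; the XML adapter matches element names without their namespace.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        foreach ($side in 'Computer', 'User') {
            $section = $report.GPO.$side
            if ($null -eq $section) { continue }

            $text = $section.OuterXml
            if ($text -match $Pattern) {
                [pscustomobject]@{
                    GpoName = $gpo.DisplayName
                    Id      = $gpo.Id
                    Side    = $side
                    # A match in a disabled half of a GPO is not applied anywhere.
                    Enabled = $section.Enabled
                    # Where the GPO is linked (empty string if it is unlinked).
                    LinksTo = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
                    Match   = [regex]::Match($text, $Pattern).Value
                }
            }
        }
    }
}

# Placeholder pattern (assumption): replace with the setting you are looking for.
Find-GpoSetting -Pattern 'Turn off Windows Defender' | Format-Table -AutoSize
```

Searching the rendered report rather than the SYSVOL files also catches settings stored in preferences and in extensions without a simple registry.pol representation; the Enabled and LinksTo columns are there because a hit in an unlinked or half-disabled GPO is a common false lead.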
The misadventures of an SPF record
I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT, University of Miami, along with 1000+ other domains had mistakenly used the +all SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf.
https://caniphish.com/phishing-resources/blog/scanning-spf-records
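A checker for the misconfiguration described in the post, as an added example that is not the post's own scanner: it parses an SPF record, classifies the qualifier on the final "all" term (a bare "all" means "+all"), and flags terms that sit after "all" and are therefore never evaluated. The sample records are constructed, not any real domain's data; the optional live lookup uses Resolve-DnsName from the Windows DnsClient module.

```powershell
# Added example (not from the caniphish post). Pure string parsing; no network needed
# for the constructed samples at the bottom.
function Test-SpfRecord {
    param([Parameter(Mandatory)] [string] $Record)

    $result = [ordered]@{ Record = $Record; Verdict = ''; Detail = '' }

    if ($Record -notmatch '^v=spf1(\s|$)') {
        $result.Verdict = 'NotSpf'
        $result.Detail  = 'record does not start with v=spf1'
        return [pscustomobject]$result
    }

    # Terms are evaluated left to right and the first "all" reached ends evaluation,
    # so anything after it is dead text (RFC 7208 section 5.1).
    $terms = @(($Record.Trim() -split '\s+') | Select-Object -Skip 1)
    $allIndex = -1
    for ($i = 0; $i -lt $terms.Count; $i++) {
        if ($terms[$i] -match '^[+\-~?]?all$') { $allIndex = $i; break }
    }

    if ($allIndex -lt 0) {
        if ($terms -match '^redirect=') {
            $result.Verdict = 'Redirect'
            $result.Detail  = 'no all term; the policy comes from the redirect= target, check that record too'
        } else {
            $result.Verdict = 'NoAll'
            $result.Detail  = 'no all term; unmatched senders get a neutral result, same as ?all'
        }
        return [pscustomobject]$result
    }

    $allTerm = $terms[$allIndex]
    # A bare "all" carries the default qualifier "+", i.e. pass.
    $qualifier = if ($allTerm.Length -eq 4) { $allTerm.Substring(0, 1) } else { '+' }
    switch ($qualifier) {
        '+' { $result.Verdict = 'Open';     $result.Detail = '+all: every IP on the internet passes SPF for this domain' }
        '?' { $result.Verdict = 'Neutral';  $result.Detail = '?all: unmatched senders are neutral, no protection' }
        '~' { $result.Verdict = 'SoftFail'; $result.Detail = '~all: unmatched senders soft-fail' }
        '-' { $result.Verdict = 'Fail';     $result.Detail = '-all: unmatched senders hard-fail' }
    }
    if ($allIndex -lt $terms.Count - 1) {
        $dead = $terms.Count - 1 - $allIndex
        $result.Detail += "; $dead term(s) after '$allTerm' are never evaluated"
    }
    [pscustomobject]$result
}

# Optional live lookup. Long TXT records come back split into several strings that must
# be concatenated before parsing.
function Get-SpfRecord {
    param([Parameter(Mandatory)] [string] $Domain)
    Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { $_.Strings -and (($_.Strings -join '') -match '^v=spf1') } |
        ForEach-Object { $_.Strings -join '' }
}

# Constructed sample records (documentation addresses and example domains, not real data).
$samples = @(
    'v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all',
    'v=spf1 ip4:203.0.113.10 ~all',
    'v=spf1 include:_spf.example.net +all',   # the misconfiguration the post found
    'v=spf1 mx all ip4:192.0.2.1',            # bare "all" (= +all) followed by dead terms
    'v=spf1 redirect=_spf.example.org',
    'v=spf2.0/pra -all'                       # Sender ID, not SPF
)
$samples | ForEach-Object { Test-SpfRecord -Record $_ } | Format-Table -AutoSize

# To check your own domain instead (assumed name):
# Get-SpfRecord -Domain 'example.com' | ForEach-Object { Test-SpfRecord -Record $_ }
```

The checker only judges the final qualifier; a record that looks tight can still be open through an include: or redirect= target that itself ends in +all, so in practice the included records need the same test.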
Windows: Vanished Start menus and taskbars cause confusion
Update 16.01.2023 07:44: Microsoft has since published a support article in the Tech Community containing PowerShell scripts, with instructions for running them automatically, for IT administrators; these are meant to restore at least some of the deleted shortcuts.
https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-sorgen-fuer-Verwirrung-7459051.html
Beware of DDosia, a botnet created to facilitate DDoS attacks
The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky.
https://blog.avast.com/ddosia-project
The prevalence of RCE exploits and what you should know about RCEs
Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem.
https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what-you-should-know-about-rces
Attackers Can Abuse GitHub Codespaces for Malware Delivery
A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.
https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-delivery
Fake Post SMS in circulation
Criminals are sending fake parcel notifications by SMS. They claim that your parcel has arrived at the sorting centre and that you still have to pay import fees. Do not click on the link. It leads to a fake Post website where criminals steal your data.
https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/
Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events.
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
Vulnerabilities
Microsoft resolves four SSRF vulnerabilities in Azure cloud services
Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security.
https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vulnerabilities-in-azure-cloud-services/
Attacks on critical vulnerability in Zoho ManageEngine products expected soon
Attackers could attack ManageEngine products such as Access Manager Plus and Password Manager Pro with malicious code.
https://heise.de/-7461118
Security updates for Tuesday
Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).
https://lwn.net/Articles/920217/
Serious vulnerability in InRouter firmware from InHand Networks threatens robots, electricity meters, medical devices etc.
Security researchers have found a serious vulnerability, CVE-2023-22598, in the InRouter firmware of the manufacturer InHand Networks GmbH.
https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-firmware-von-inhand-networks-bedroht-roboter-stromzhler-med-gerte-etc/
LDAP vulnerabilities: patch domain controllers with the January 2023 updates
A small addendum to the January 2023 Patch Tuesday (10 January 2023). Administrators should make sure that their Windows Servers acting as domain controllers are at the current patch level, because the January 2023 updates closed two serious vulnerabilities in the Lightweight Directory Access Protocol (LDAP).
https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-controller-mit-januar-2023-updates-patchen/
Security Vulnerabilities fixed in Firefox ESR 102.7
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/
Security Vulnerabilities fixed in Firefox 109
https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/
A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167)
https://www.ibm.com/support/pages/node/6855731
There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598)
https://www.ibm.com/support/pages/node/6855777
Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859)
https://www.ibm.com/support/pages/node/6855831
AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990)
https://www.ibm.com/support/pages/node/6855827
IBM Robotic Process Automation is vulnerable to Cross-Site Scripting.
https://www.ibm.com/support/pages/node/6855835