Daily summary - 17.01.2023

End-of-Day report

Timeframe: Monday 16-01-2023 18:00 - Tuesday 17-01-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer

News

Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th)

I had a call recently from a client; they were looking for which Group Policy in their AD had a specific setting in it.

https://isc.sans.edu/diary/rss/29442


The misadventures of an SPF record

I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT, University, University of Miami, along with 1000+ other domains had mistakenly used the "+all" SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf.

https://caniphish.com/phishing-resources/blog/scanning-spf-records


Windows: Vanished Start menus and taskbars cause confusion

Update 16.01.2023 07:44: Microsoft has since published a support article in the Tech Community containing PowerShell scripts and instructions for automated execution, intended for IT administrators, which are supposed to restore at least some of the deleted shortcuts.

https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-sorgen-fuer-Verwirrung-7459051.html


Beware of DDosia, a botnet created to facilitate DDoS attacks

The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky.

https://blog.avast.com/ddosia-project


The prevalence of RCE exploits and what you should know about RCEs

Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem.

https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what-you-should-know-about-rces


Attackers Can Abuse GitHub Codespaces for Malware Delivery

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.

https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-delivery


Fake Post SMS in circulation

Criminals are sending fake parcel notifications by SMS. The message claims that your parcel has arrived at the sorting centre and that you still have to pay import charges. Do not click on the link. You will be taken to a fake Post website where criminals steal your data.

https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/


Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks

We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events.

https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html

Vulnerabilities

Microsoft resolves four SSRF vulnerabilities in Azure cloud services

Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security.

https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vulnerabilities-in-azure-cloud-services/


Attacks on critical vulnerability in Zoho ManageEngine products expected soon

Attackers could attack ManageEngine products such as Access Manager Plus and Password Manager Pro with malicious code.

https://heise.de/-7461118


Security updates for Tuesday

Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).

https://lwn.net/Articles/920217/


Severe security vulnerability in InRouter firmware from InHand Networks threatens robots, electricity meters, medical devices etc.

Security researchers have discovered a severe security vulnerability, CVE-2023-22598, in the InRouter firmware of the manufacturer InHand Networks GmbH.

https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-firmware-von-inhand-networks-bedroht-roboter-stromzhler-med-gerte-etc/


LDAP vulnerabilities: patch domain controllers with the January 2023 updates

A small addendum to the January 2023 Patch Tuesday (10 January 2023). Administrators should make sure that their Windows Servers acting as domain controllers are at the current patch level, because the January 2023 updates closed two serious vulnerabilities in the Lightweight Directory Access Protocol (LDAP).

https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-controller-mit-januar-2023-updates-patchen/


Security Vulnerabilities fixed in Firefox ESR 102.7

https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/


Security Vulnerabilities fixed in Firefox 109

https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/


A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167)

https://www.ibm.com/support/pages/node/6855731


There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598)

https://www.ibm.com/support/pages/node/6855777


Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859)

https://www.ibm.com/support/pages/node/6855831


AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990)

https://www.ibm.com/support/pages/node/6855827


IBM Robotic Process Automation is vulnerable to Cross-Site Scripting.

https://www.ibm.com/support/pages/node/6855835