End-of-Day report
Timeframe: Wednesday 18-01-2023 18:00 - Thursday 19-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
Illegal Solaris darknet market hijacked by competitor Kraken
Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named Kraken, who claims to have hacked it on January 13, 2022.
https://www.bleepingcomputer.com/news/security/illegal-solaris-darknet-market-hijacked-by-competitor-kraken/
Microsoft investigates bug behind unresponsive Windows Start Menu
Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems.
https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-bug-behind-unresponsive-windows-start-menu/
PayPal accounts breached in large-scale credential stuffing attack
PayPal is sending out notices of a data breach to thousands of users who had their accounts accessed by credential stuffing actors, resulting in the compromise of some personal data.
https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
New Blank Image attack hides phishing scripts in SVG files
An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents.
https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides-phishing-scripts-in-svg-files/
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data.
https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/
SPF and DMARC use on 100k most popular domains (Thu, Jan 19th)
Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world. The results weren't too optimistic: it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published.
https://isc.sans.edu/diary/rss/29452
Android Users Beware: New Hook Malware with RAT Capabilities Emerges
The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session.
https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html
CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA
CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month.
https://www.malwarebytes.com/blog/news/2023/01/circleci-malware-stole-github-oauth-keys-bypassing-2fa
Pwned or Bot
It's fascinating to see how creative people can get with breached data. Of course there's all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone else's system.
https://www.troyhunt.com/pwned-or-bot/
LockBit ransomware - what you need to know
It is the world's most active ransomware group - responsible for an estimated 40% of all ransomware infections worldwide. Find out what you need to know about LockBit in my article on the Tripwire State of Security blog.
https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need-know
Windows 11 22H2: System Restore causes "This app can't open" error
I keep hearing "runs without problems", but just in case Windows 11 22H2 ever has hiccups and shows the error "This app can't open", I have something on the cause. Officially confirmed by Microsoft as a bug.
https://www.borncity.com/blog/2023/01/19/windows-11-22h2-systemwiederherstellung-verursacht-this-app-cant-open-fehler/
Windows 10: "Pothole" Windows PE patch to fix the BitLocker bypass vulnerability CVE-2022-41099
Addendum to the January 2023 Patchday for Windows. The Windows PE environment of Windows 10 has a vulnerability (CVE-2022-41099) that allows BitLocker encryption to be bypassed. To fix it, the Windows PE environment on the clients must be updated manually.
https://www.borncity.com/blog/2023/01/19/windows-10-schlagloch-windows-pe-patch-zum-fix-der-bitlocker-bypass-schwachstelle-cve-2022-41099/
Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest
In this blog, we'll tackle encrypting AWS data in transit and at rest.
https://cybersecurity.att.com/blogs/security-essentials/improve-your-aws-security-posture-step-3-encrypt-aws-data-in-transit-and-at-rest
Following the LNK metadata trail
While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads.
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
Darth Vidar: The Dark Side of Evolving Threat Infrastructure
Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer); however, differences in both the sample's code and C2 communications were observed.
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
Vulnerabilities
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo).
https://lwn.net/Articles/920478/
Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM
Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).
https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vulnerability-unified-cm
CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services
A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered.
https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execution-azure-services
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001
https://www.drupal.org/sa-core-2023-001
[R1] Nessus Version 8.15.8 Fixes One Vulnerability
https://www.tenable.com/security/tns-2023-02
Vulnerability in SANNav Software used by IBM b-type SAN directors and switches.
https://www.ibm.com/support/pages/node/6856209
IBM Security Guardium is affected by a gson-1.7.1.jar vulnerability
https://www.ibm.com/support/pages/node/6856221
IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-25647)
https://www.ibm.com/support/pages/node/6856221
IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2022-48195, CVE-2022-29577, CVE-2022-28367, CVE-2015-6420)
https://www.ibm.com/support/pages/node/6856401
IBM Cloud Pak for Security includes components with multiple known vulnerabilities
https://www.ibm.com/support/pages/node/6856409
IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39011)
https://www.ibm.com/support/pages/node/6856403
IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39089)
https://www.ibm.com/support/pages/node/6856405
IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39090)
https://www.ibm.com/support/pages/node/6856407
Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-28167)
https://www.ibm.com/support/pages/node/6856439
Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-28167)
https://www.ibm.com/support/pages/node/6856443