Daily summary - 23.01.2023

End-of-Day report

Timeframe: Friday 20-01-2023 18:00 - Monday 23-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Login to ManageEngine ServiceDesk Plus MSP possible with any password

There are important security updates for the helpdesk software ManageEngine ServiceDesk Plus MSP from Zoho.

https://heise.de/-7467650


"Cyber criminals" gain access to Sky customer accounts

The pay-TV provider Sky confirms that malicious actors have gained access to customer accounts. No details are available yet, and the extent of the damage is unclear.

https://heise.de/-7468078


Beware of fraud when looking for housing abroad

Are you planning a semester abroad or looking for an apartment or a room in a shared flat for a limited period? Be wary of cheap dream apartments: a scam may be behind them. Hands off if you are asked to make a payment without a viewing that is supposedly handled by TripAdvisor, Airbnb or Booking.com. You will lose your money and be left without a place to live.

https://www.watchlist-internet.at/news/vorsicht-bei-der-wohnungssuche-fuer-ihr-auslandssemester/


Massive ad-fraud op dismantled after hitting millions of iOS devices

A massive ad fraud operation dubbed Vastflux that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN.

https://www.bleepingcomputer.com/news/security/massive-ad-fraud-op-dismantled-after-hitting-millions-of-ios-devices/


Who's Resolving This Domain?, (Mon, Jan 23rd)

Challenge of the day: To find the process that resolved a specific domain. And this is not always easy!

https://isc.sans.edu/diary/rss/29462


Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks

The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week.

https://thehackernews.com/2023/01/threat-actors-turn-to-sliver-as-open.html


ShareFinder: How Threat Actors Discover File Shares

Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all [...]

https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/


Activation Context Cache Poisoning: Exploiting CSRSS for Privilege Escalation

Starting in July of 2022, the Windows CSRSS process entered the consciousness of the infosec community as the source of several local privilege escalation vulnerabilities in Microsoft Windows. The first public information appeared on July 12 with the release of the patch for CVE-2022-22047, which was being actively exploited. Shortly thereafter, Microsoft published an article providing some technical details [...]

https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation


Inglourious Drivers - A Journey of Finding Vulnerabilities in Drivers

TL;DR I discovered multiple bugs in OEM vendors for peripheral devices, which affected many users of these OEM vendors (Razer, EVGA, MSI, AMI). Many of the vulnerabilities originated in a [...]

https://www.cyberark.com/resources/threat-research-blog/inglourious-drivers-a-journey-of-finding-vulnerabilities-in-drivers

Vulnerabilities

Under attack: security hole in GTA V allows code injection

Attackers are exploiting a vulnerability in the game GTA V to alter victims' statistics. The same flaw could also be used to inject malicious code.

https://heise.de/-7467685


Technical Advisory - U-Boot - Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)

U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and [...]

https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecked-download-size-and-direction-in-usb-dfu-cve-2022-2347/
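As an added illustration of the two checks the advisory names (a bound on the download length and a check of the transfer direction), here is a minimal DFU_DNLOAD handler in an unchecked and a hardened form. This is example code written for this summary, not U-Boot's or NCC Group's code; the setup-packet layout and DFU request code follow the USB and DFU 1.1 specifications, while the 64-byte staging buffer, the state struct and the function names are assumptions.

```c
/*
 * Added example (not U-Boot code): a minimal USB DFU_DNLOAD handler showing
 * the two checks the advisory says the affected implementation lacked, a
 * bound on wLength and a check of the transfer direction. Buffer size,
 * state struct and function names are assumptions for illustration only.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard 8-byte USB control setup packet (USB 2.0 spec, section 9.3). */
struct usb_setup {
    uint8_t  bmRequestType; /* bit 7: 0 = host-to-device (OUT), 1 = device-to-host (IN) */
    uint8_t  bRequest;
    uint16_t wValue;        /* DFU: block number */
    uint16_t wIndex;        /* interface */
    uint16_t wLength;       /* number of bytes in the data stage */
};

#define USB_DIR_IN        0x80
#define DFU_DNLOAD        1     /* DFU 1.1 request code for a download block */

/* Assumed wTransferSize advertised in the DFU functional descriptor. */
#define DFU_TRANSFER_SIZE 64

struct dfu_state {
    uint8_t  block[DFU_TRANSFER_SIZE]; /* staging buffer for one download block */
    uint32_t bytes_written;            /* running count of staged bytes */
};

/*
 * Unchecked pattern: trusts wLength from the host and copies that many
 * bytes of the data stage into the fixed-size block buffer. A host that
 * sends wLength > DFU_TRANSFER_SIZE writes past the buffer, and a request
 * marked IN is accepted as a download. Only call this with a well-formed
 * packet; it is here to show what the hardened version adds.
 */
int dfu_dnload_unchecked(struct dfu_state *st, const struct usb_setup *req,
                         const uint8_t *data)
{
    memcpy(st->block, data, req->wLength);  /* no bound, no direction check */
    st->bytes_written += req->wLength;
    return (int)req->wLength;
}

/*
 * Hardened pattern: reject a DNLOAD that claims the IN direction (a download
 * is host-to-device by definition) and reject a data stage longer than the
 * buffer the device advertised. Returns bytes copied, or -1 on rejection, at
 * which point a real device would stall the control endpoint.
 */
int dfu_dnload_checked(struct dfu_state *st, const struct usb_setup *req,
                       const uint8_t *data)
{
    if (req->bRequest != DFU_DNLOAD)
        return -1;
    if (req->bmRequestType & USB_DIR_IN)    /* wrong direction for a download */
        return -1;
    if (req->wLength > DFU_TRANSFER_SIZE)   /* larger than the staging buffer */
        return -1;
    memcpy(st->block, data, req->wLength);
    st->bytes_written += req->wLength;
    return (int)req->wLength;
}

/* Run one constructed DNLOAD setup packet through the chosen handler. */
int try_dnload(uint8_t bmRequestType, uint16_t wLength, int checked)
{
    static uint8_t payload[256];            /* constructed data stage */
    struct dfu_state st;
    struct usb_setup req = { bmRequestType, DFU_DNLOAD, 0, 0, wLength };

    memset(&st, 0, sizeof st);
    memset(payload, 0x41, sizeof payload);
    return checked ? dfu_dnload_checked(&st, &req, payload)
                   : dfu_dnload_unchecked(&st, &req, payload);
}

int main(void)
{
    /* 0x21 = class request, interface recipient, host-to-device. */
    printf("valid block, 32 bytes   -> %d\n", try_dnload(0x21, 32, 1));
    /* Claims 256 bytes of data for a 64-byte staging buffer. */
    printf("oversized block         -> %d\n", try_dnload(0x21, 256, 1));
    /* 0xA1 = same request but with the device-to-host bit set. */
    printf("wrong direction         -> %d\n", try_dnload(0xA1, 32, 1));
    return 0;
}
```

The oversized and wrong-direction packets are only ever passed to the checked handler; feeding the 256-byte packet to `dfu_dnload_unchecked` would overflow `block`, which is exactly the class of bug the advisory describes.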


Security updates for Monday

Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools).

https://lwn.net/Articles/920829/


A CVE-2022-21626 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow

https://www.ibm.com/support/pages/node/6856759


Multiple vulnerabilities affect IBM Business Automation Workflow - CVE-2022-42003, CVE-2022-42004

https://www.ibm.com/support/pages/node/6856761