End-of-Day report
Timeframe: Tuesday 24-01-2023 18:00 - Wednesday 25-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Beware of phishing mails posing as FinanzOnline and ID Austria
Fraudsters are using forged e-mails to try to obtain sensitive data.
https://futurezone.at/digital-life/phishing-mails-finanzonline-id-austria-vorsicht-so-schuetzt-man-sich-warnung/402304283
GoTo attackers obtain encrypted backups including the keys
GoTo, a provider of software-as-a-service and remote-work tools, has published further findings about an IT security incident.
https://heise.de/-7470609
OTORIO releases DCOM Hardening Toolkit for Windows in OT environments
Microsoft's Windows DCOM implementation contains a vulnerability that allows a security-feature bypass. Microsoft has documented and patched it, but plans to ship a final patch in March 2023. Ahead of that, the security vendor OTORIO has released an open-source DCOM Hardening Toolkit for OT systems, with which organisations can analyse their DCOM environments and harden them where necessary.
https://www.borncity.com/blog/2023/01/25/otorio-dcom-hardening-toolkit-fr-windows-fr-ot-systeme-verffentlicht/
Recovery scam via betrugsdezernat.com and betrugsdezernat.org!
Anyone who has lost money on fraudulent investment platforms usually wants nothing more than to get all of their deposits back. The criminals who were already behind the investment fraud count on exactly that. They pose as (often fictitious) authorities and claim to have seized the lost money. A small advance payment by the victim is supposed to trigger the refund of all losses.
https://www.watchlist-internet.at/news/recovery-scam-durch-betrugsdezernatcom-und-betrugsdezernatorg/
Do not send your data to gewerbe-datenanzeiger.at!
Have you also received a message from Gewerbe Datenanzeiger asking you to disclose your company data? Ignore the message: if you reply, you enter into an expensive subscription costing 1,992.-!
https://www.watchlist-internet.at/news/senden-sie-ihre-daten-nicht-an-gewerbe-datenanzeigerat/
Ransomware access brokers use Google ads to breach your network
A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims passwords, and ultimately breach networks for ransomware attacks.
https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-use-google-ads-to-breach-your-network/
New stealthy Python RAT malware targets Windows in attacks
A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems.
https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malware-targets-windows-in-attacks/
Lessons Learned from the Windows Remote Desktop Honeypot Report
Over several weeks in October of 2022, Specops collected 4.6 million attempted passwords on their Windows Remote Desktop honeypot system. Here is what they learned.
https://www.bleepingcomputer.com/news/security/lessons-learned-from-the-windows-remote-desktop-honeypot-report/
A First Malicious OneNote Document, (Wed, Jan 25th)
Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1].
https://isc.sans.edu/diary/rss/29470
Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network
Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often related to redirecting legitimate website traffic to third party sites of their choosing - including tech support scams, adult dating, phishing, or drive-by-downloads. Since late December, our team has been tracking a new spike in WordPress website infections related to the following malicious domain: [...]
https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-sites-as-platform-for-black-hat-ad-network.html
At the Edge of Tier Zero: The Curious Case of the RODC
The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don't have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set of resources that can control "enterprise identities", known as Tier Zero, we have seen cases where there is a privilege escalation path from an RODC to domain dominance.
https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-the-rodc-ef5f1799ca06?source=rssf05f8696e3cc4
Vulnerability of Zyxel switches posed serious risk for business processes of many companies
The issue received a CVSSv3 score of 8.2, qualifying it as high severity
https://www.ptsecurity.com/ww-en/about/news/vulnerability-of-zyxel-switches-posed-serious-risk-for-business-processes-of-many-companies
Attacking The Supply Chain: Developer
In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated development environment (IDE), this proof considers the execution of malicious build scripts via injecting commands when the project or build is incorrectly "trusted".
https://www.trendmicro.com/en_us/research/23/a/attacking-the-supply-chain-developer.html
Vulnerabilities
Xen Security Advisory CVE-2022-42330 / XSA-425
Guests can cause Xenstore crash via soft reset
https://xenbits.xen.org/xsa/advisory-425.html
Critical code-execution holes in logging tool VMware vRealize Log closed
Network admins should bring their VMware vRealize Log systems up to date to lock attackers out.
https://heise.de/-7470157
Critical security vulnerability: newer Lexmark printers allow code injection
Lexmark warns of security vulnerabilities in its printers. Newer models allow attackers to inject and execute malicious code. Updates are available.
https://heise.de/-7470640
Security updates for Wednesday
Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind,
https://lwn.net/Articles/921194/
[R1] Tenable.sc 6.0.0 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2023-03
IBM Security Verify Governance, Identity Manager virtual appliance component uses weaker than expected cryptography (CVE-2022-22462)
https://www.ibm.com/support/pages/node/6857339
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2022-40750)
https://www.ibm.com/support/pages/node/6857579
IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. (CVE-2022-31772)
https://www.ibm.com/support/pages/node/6833806
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libxml2, expat, libtasn1 and systemd
https://www.ibm.com/support/pages/node/6857613
Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server
https://www.ibm.com/support/pages/node/6857607