End-of-Day report
Timeframe: Friday 27-01-2023 18:00 - Monday 30-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Patch now! Security researchers chain vulnerabilities in VMware vRealize Log
Attackers could soon target VMware's vRealize Log and execute malicious code with root privileges. Security updates are available.
https://heise.de/-7474931
Beware of fake FinanzOnline notifications
Criminals are sending fake FinanzOnline e-mails. We are currently aware of two variants: one mail claims that you will receive a refund from the social fund. Another mail states that you will receive a reimbursement and must scan a QR code. Do not follow the instructions; this is fraud.
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonline-benachrichtigungen/
PlugX malware infects USB devices
Security researchers at Palo Alto Networks' Unit 42 have observed cyberattacks using a new variant of the long-known malware. The PlugX malware, presumably originating from China, attracted attention because this variant infects all connected USB removable-media devices such as floppy, thumb or flash drives, as well as all other systems [...]
https://www.borncity.com/blog/2023/01/28/malware-plugx-infiziert-usb-gerte/
Drive encryption with BitLocker: what you should keep in mind
Microsoft's device encryption protects your data from unwanted access. Sometimes BitLocker kicks in automatically; often you have to set it up yourself.
https://heise.de/-7467041
Shady reward apps on Google Play amass 20 million downloads
A new category of activity tracking applications has been having massive success recently on Google Play, Android's official app store, having been downloaded on over 20 million devices.
https://www.bleepingcomputer.com/news/security/shady-reward-apps-on-google-play-amass-20-million-downloads/
SaaS Rootkit Exploits Hidden Rules in Microsoft 365
A vulnerability within Microsoft's OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit.
https://www.darkreading.com/vulnerabilities-threats/saas-rootkit-exploits-hidden-rules-in-microsoft-365-
Gootkit Malware Continues to Evolve with New Components and Obfuscations
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group."
https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html
Titan Stealer: A New Golang-Based Information Stealer Malware Emerges
A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," [...]
https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html
Asking MEMORY.DMP and Volatility to make up
A few days ago I've posted RE category write-ups from the KnightCTF 2023. Another category I've looked at - quite intensely at that - was forensics. While this blog post isn't a write-up for that category, I still wanted (and well, was asked to actually) write down some steps I took to make Volatility work with the MEMORY.DMP file provided in the "Take care of this" challenge series. Or actually steps I took to convert MEMORY.DMP into something Volatility could work with.
https://gynvael.coldwind.pl/?id=762
Analysis Report on Malware Distributed via Microsoft OneNote
This document is an analysis report on malware that is being actively distributed using Microsoft OneNote. The ASEC analysis team identified the rapidly increasing trend of OneNote malware distribution from November 2022 and has classified the malware according to the level of intricacy based on the screen that appears when the file is actually opened.
https://asec.ahnlab.com/en/46457/
Vulnerabilities
Qnap NAS: critical security vulnerability allows injection of malicious code
In Qnap network devices running the QTS and QuTS hero operating systems, attackers could inject and execute malicious code. Updates close the critical vulnerability.
https://heise.de/-7475288
Security updates for Monday
Security updates have been issued by Debian (curl, dojo, git, lemonldap-ng, libapache-session-browseable-perl, libapache-session-ldap-perl, libzen, node-object-path, openjdk-11, sofia-sip, tiff, tor, and varnish), Fedora (libgit2, open62541, pgadmin4, rubygem-git, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-libgit2-sys, rust-libgit2-sys0.12, rust-pore, rust-pretty-git-prompt, rust-rd-agent, rust-rd-hashd, rust-resctl-bench, rust-resctl-demo, rust-silver, and rust-tokei), Scientific
https://lwn.net/Articles/921620/
CERT warning: default KeePass setup enables password theft (CVE-2023-24055)
A brief note or warning for users of the KeePass Password Safe for managing passwords and credentials. The Belgian Cyber Emergency Response Team (CERT.be) published a warning about KeePass on 27 January 2023. In the default setup, write access to the [...]
https://www.borncity.com/blog/2023/01/30/cert-warnung-standard-keepass-setup-ermglicht-passwort-klau-cve-2023-24055/
IBM Planning Analytics Workspace is affected by vulnerabilities
https://www.ibm.com/support/pages/node/6848023
Enterprise Content Management System Monitor is affected by a vulnerability in Eclipse Openj9
https://www.ibm.com/support/pages/node/6890603
Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to Denial of Service (DoS) attacks (CVE-2022-40153)
https://www.ibm.com/support/pages/node/6890629
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF
https://www.ibm.com/support/pages/node/6855093
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go
https://www.ibm.com/support/pages/node/6855105
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF
https://www.ibm.com/support/pages/node/6855099
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF
https://www.ibm.com/support/pages/node/6855097
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind
https://www.ibm.com/support/pages/node/6855101