End-of-Day report
Timeframe: Mittwoch 01-02-2023 18:00 - Donnerstag 02-02-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
New DDoS-as-a-Service platform used in recent attacks on hospitals
A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe.
https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platform-used-in-recent-attacks-on-hospitals/
New Nevada Ransomware targets Windows and VMware ESXi systems
A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.
https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/
LockBit ransomware goes Green, uses new Conti-based encryptor
The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-green-uses-new-conti-based-encryptor/
Password-stealing -vulnerability- reported in KeePass - bug or feature?
Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?
https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability-reported-in-keypass-bug-or-feature/
Rotating Packet Captures with pfSense, (Wed, Feb 1st)
Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files.
https://isc.sans.edu/diary/rss/29500
What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits
We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar.
https://www.trendmicro.com/en_us/research/23/b/what-socs-need-to-know-about-water-dybbuk.html
OpenSSH 9.2 released
OpenSSH9.2 has been released. It includes a number of security fixes,including one for a pre-authenticationdouble-free vulnerability that the project does not believe is exploitable.
https://lwn.net/Articles/922006/
Vulnerabilities
Vulnerability Causing Deletion of All Users in CrushFTP Admin Area
During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerability-causing-deletion-of-all-users-in-crushftp-admin-area/
Security updates for Thursday
Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django).
https://lwn.net/Articles/921957/
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001
CVE identifiers: CVE-2023-23517, CVE-2023-23518,CVE-2022-42826.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
https://webkitgtk.org/security/WSA-2023-0001.html
Jira Service Management Server and Data Center Advisory (CVE-2023-22501)
This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0
https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html
Drupal Releases Security Update to Address a Vulnerability in Apigee Edge
Drupal released a security update to address a vulnerability affecting the Apigee Edge module for Drupal 9.x. An attacker could exploit this vulnerability to bypass access authorization or disclose sensitive information. CISA encourages users and administrators to review Drupal-s security advisory SA-CONTRIB-2023-005 and apply the necessary update.
https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/drupal-releases-security-update-address-vulnerability-apigee-edge
Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-pi-xss-PU6dnfD9?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Prime%20Infrastructure%20Reflected%20Cross-Site%20Scripting%20Vulnerability&vs_k=1
Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20RV340,%20RV340W,%20RV345,%20and%20RV345P%20Dual%20WAN%20Gigabit%20VPN%20Routers%20Arbitrary%20File%20Upload%20Vulnerability&vs_k=1
Cisco Identity Services Engine Privilege Escalation Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-os-injection-pxhKsDM?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Identity%20Services%20Engine%20Privilege%20Escalation%20Vulnerabilities&vs_k=1
Cisco IOx Application Hosting Environment Command Injection Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOx%20Application%20Hosting%20Environment%20Command%20Injection%20Vulnerability&vs_k=1
Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns
https://www.ibm.com/support/pages/node/6912697
IBM API Connect is impacted by an external service interaction vulnerability (CVE-2022-34350)
https://www.ibm.com/support/pages/node/6921243
IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities.
https://www.ibm.com/support/pages/node/6921285
IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004)
https://www.ibm.com/support/pages/node/6952181
IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436)
https://www.ibm.com/support/pages/node/6909467