Daily summary - 02.02.2023

End-of-Day report

Timeframe: Wednesday 01-02-2023 18:00 - Thursday 02-02-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner

News

New DDoS-as-a-Service platform used in recent attacks on hospitals

A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe.

https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platform-used-in-recent-attacks-on-hospitals/


New Nevada Ransomware targets Windows and VMware ESXi systems

A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.

https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/


LockBit ransomware goes Green, uses new Conti-based encryptor

The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-green-uses-new-conti-based-encryptor/


Password-stealing "vulnerability" reported in KeePass - bug or feature?

Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?

https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability-reported-in-keypass-bug-or-feature/


Rotating Packet Captures with pfSense, (Wed, Feb 1st)

Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files.

https://isc.sans.edu/diary/rss/29500


What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits

We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar.

https://www.trendmicro.com/en_us/research/23/b/what-socs-need-to-know-about-water-dybbuk.html


OpenSSH 9.2 released

OpenSSH 9.2 has been released. It includes a number of security fixes, including one for a pre-authentication double-free vulnerability that the project does not believe is exploitable.

https://lwn.net/Articles/922006/

Vulnerabilities

Vulnerability Causing Deletion of All Users in CrushFTP Admin Area

During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerability-causing-deletion-of-all-users-in-crushftp-admin-area/


Security updates for Thursday

Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django).

https://lwn.net/Articles/921957/


WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001

CVE identifiers: CVE-2023-23517, CVE-2023-23518, CVE-2022-42826. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

https://webkitgtk.org/security/WSA-2023-0001.html


Jira Service Management Server and Data Center Advisory (CVE-2023-22501)

This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0.

https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html


Drupal Releases Security Update to Address a Vulnerability in Apigee Edge

Drupal released a security update to address a vulnerability affecting the Apigee Edge module for Drupal 9.x. An attacker could exploit this vulnerability to bypass access authorization or disclose sensitive information. CISA encourages users and administrators to review Drupal's security advisory SA-CONTRIB-2023-005 and apply the necessary update.

https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/drupal-releases-security-update-address-vulnerability-apigee-edge


Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-pi-xss-PU6dnfD9?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Prime%20Infrastructure%20Reflected%20Cross-Site%20Scripting%20Vulnerability&vs_k=1


Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20RV340,%20RV340W,%20RV345,%20and%20RV345P%20Dual%20WAN%20Gigabit%20VPN%20Routers%20Arbitrary%20File%20Upload%20Vulnerability&vs_k=1


Cisco Identity Services Engine Privilege Escalation Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-os-injection-pxhKsDM?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Identity%20Services%20Engine%20Privilege%20Escalation%20Vulnerabilities&vs_k=1


Cisco IOx Application Hosting Environment Command Injection Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOx%20Application%20Hosting%20Environment%20Command%20Injection%20Vulnerability&vs_k=1


Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns

https://www.ibm.com/support/pages/node/6912697


IBM API Connect is impacted by an external service interaction vulnerability (CVE-2022-34350)

https://www.ibm.com/support/pages/node/6921243


IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities.

https://www.ibm.com/support/pages/node/6921285


IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004)

https://www.ibm.com/support/pages/node/6952181


IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436)

https://www.ibm.com/support/pages/node/6909467