End-of-Day report
Timeframe: Friday 03-02-2023 18:00 - Monday 06-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Worldwide ransomware attack
According to media reports, a broadly distributed worldwide ransomware attack has encrypted thousands of ESXi servers, which are used, among other things, to virtualize public-sector IT applications. The regional focus of the attacks was on France, the USA, Germany and Canada; other countries are affected as well.
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2023/230206_ESXi-Schwachstelle-massiv-ausgenutzt.html
Downloads via Google Ads: "tsunami" of malvertising spreads malware
More and more attackers are trying to infect users' devices with malware. Researchers are observing a massive increase in malicious ads on Google when users search for software.
https://heise.de/-7485196
Animals to give away: beware of fraudulent ads on Facebook
Fraudulent ads for dogs or horses to be given away keep appearing in Facebook groups. Supposedly the owner has suddenly died, so the relatives urgently need to find a good home for the animal. You only have to pay the transport costs, because the animal is abroad. This is a scam: the animal does not exist and you lose a lot of money!
https://www.watchlist-internet.at/news/tiere-zu-verschenken-vorsicht-vor-betruegerischen-inseraten-auf-facebook/
Assemblyline as a Malware Analysis Sandbox, (Sat, Feb 4th)
If you are looking for a malware sandbox that is easy to install and maintain, Assemblyline (AL) [1] is likely the system you want to be part of your toolbox. "Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline's most powerful functionalities is its recursive analysis model."[2]
https://isc.sans.edu/diary/rss/29510
Royal Ransomware adds support for encrypting Linux, VMware ESXi systems
Royal Ransomware operators have added support for encrypting Linux devices and targeting VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group to do so. Other ransomware operators already support Linux encryption, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, [...]
https://securityaffairs.com/141876/cyber-crime/royal-ransomware-vmware-esxi.html
FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection
An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said [...]
https://thehackernews.com/2023/02/formbook-malware-spreads-via.html
GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry
E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, [...]
https://thehackernews.com/2023/02/guloader-malware-using-malicious-nsis.html
ImageMagick: The hidden vulnerability behind your online images
In a recent APT Simulation engagement, the Ocelot team identified that ImageMagick was used to process images in a Drupal-based website, and hence, the team decided to try to find new vulnerabilities in this component, proceeding to download the latest version of ImageMagick, 7.1.0-49 at that time. As a result, two zero days were identified: [...]
https://www.metabaseq.com/imagemagick-zero-days/
The Defenders Guide to OneNote MalDocs
With the heyday of macro-enabled spreadsheets and documents behind us, threat actors have experimented with novel ways to deliver their payloads, including disk image files (.iso, .vhd files), HTML Smuggling (.hta files with embedded scripts), and now OneNote files.
https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs
How the CISA catalog of vulnerabilities can help your organization
The CISA catalog of known exploited vulnerabilities is designed for the federal government and useful to everyone.
https://www.malwarebytes.com/blog/news/2023/02/how-the-cisa-catalog-can-help-our-organization
Collect, Exfiltrate, Sleep, Repeat
In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command [...]
https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
Solving a VM-based CTF challenge without solving it properly
A pretty common reverse-engineering CTF challenge genre for the hard/very-hard bucket is virtual machines. There are several flavors to this, but the most common one is to implement a custom VM in a compiled language and provide it together with bytecode of a flag checker. This was the case for the More Control task from Byte Bandits CTF 2023 - the task this entry is about.
https://gynvael.coldwind.pl/?id=763
Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations
Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit.
https://asec.ahnlab.com/en/47088/
Vulnerabilities
High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder
On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations. The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant [...]
https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-metform-elementor-contact-form-builder/
Security updates for Monday
Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird).
https://lwn.net/Articles/922337/
CISA adds Oracle, SugarCRM bugs to exploited vulnerabilities list
The Cybersecurity and Infrastructure Security Agency (CISA) said two vulnerabilities from Oracle and SugarCRM are actively being exploited and ordered federal civilian agencies to patch them before February 23.
https://therecord.media/cisa-adds-oracle-sugarcrm-bugs-to-exploited-vulnerabilities-list/
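The two KEV items above (the Malwarebytes piece on how the catalog helps an organization, and the new Oracle/SugarCRM entries with their February 23 due date) describe the catalog as a prioritization aid. The script below is an added example, not code from either article or from CISA: it indexes entries in the field layout of CISA's known_exploited_vulnerabilities.json feed, cross-references them with vulnerability-scanner findings, and sorts the hits by KEV due date. The catalog entries, hostnames and CVE IDs embedded here are constructed placeholders (the CVE-2099-* IDs do not exist); point load_kev at the downloaded feed for real use.

```python
"""Cross-reference scanner findings against the CISA KEV catalog (added example).

The JSON below mimics the structure of CISA's known_exploited_vulnerabilities.json
(field names as in the public feed). The entries, CVE IDs and hosts are
constructed for illustration only.
"""
import json
from datetime import date

# Constructed stand-in for the downloaded feed; CVE-2099-* are placeholder IDs.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed-sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2099-00001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleCRM",
      "vulnerabilityName": "ExampleCRM Remote Code Execution Vulnerability",
      "dateAdded": "2023-02-02",
      "shortDescription": "Constructed entry for illustration.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-02-23"
    },
    {
      "cveID": "CVE-2099-00002",
      "vendorProject": "ExampleVendor",
      "product": "ExampleWeb",
      "vulnerabilityName": "ExampleWeb Authentication Bypass Vulnerability",
      "dateAdded": "2022-12-25",
      "shortDescription": "Constructed entry for illustration.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-01-15"
    }
  ]
}
"""

# Constructed scanner output: (hostname, CVE ID). The third CVE is not in the catalog.
SAMPLE_FINDINGS = [
    ("crm01.example.internal", "CVE-2099-00001"),
    ("web02.example.internal", "cve-2099-00002"),
    ("web02.example.internal", "CVE-2099-00003"),
]


def load_kev(raw_json: str) -> dict:
    """Index KEV entries by upper-cased CVE ID for O(1) lookup."""
    data = json.loads(raw_json)
    return {entry["cveID"].upper(): entry for entry in data["vulnerabilities"]}


def prioritize(kev_index: dict, findings, today: date) -> list:
    """Return scanner findings that appear in KEV, sorted by due date (most urgent first).

    Each hit carries days_left (negative when the due date has passed) so a
    non-federal organisation can reuse CISA's deadlines as its own SLA.
    """
    hits = []
    for host, cve in findings:
        entry = kev_index.get(cve.upper())
        if entry is None:
            continue  # exploited-in-the-wild status unknown; handle via normal patch cycle
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": host,
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due,
            "days_left": (due - today).days,
            "overdue": due < today,
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (h["due"], h["host"]))
    return hits


def report(today: date = date(2023, 2, 6)) -> list:
    """Run the sample end to end; today defaults to the date of this report."""
    return prioritize(load_kev(SAMPLE_KEV_JSON), SAMPLE_FINDINGS, today)


if __name__ == "__main__":
    for hit in report():
        flag = "OVERDUE" if hit["overdue"] else f'{hit["days_left"]} days left'
        print(f'{hit["host"]:24} {hit["cve"]:15} {hit["product"]:28} due {hit["due"]} ({flag})')
```

Matching on CVE ID is deliberate: vendor and product strings in KEV are free text and do not line up reliably with scanner or CMDB naming, whereas the CVE ID is the one key both sides share.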
Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC)
https://www.ibm.com/support/pages/node/6570741
Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC)
https://www.ibm.com/support/pages/node/6592963
Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java Technology Edition for IBM Content Collector for SAP Applications
https://www.ibm.com/support/pages/node/6953401
Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2022-3676)
https://www.ibm.com/support/pages/node/6953433
IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983)
https://www.ibm.com/support/pages/node/6857695