Daily summary - 08.02.2023

End-of-Day report

Timeframe: Tuesday 07-02-2023 18:00 - Wednesday 08-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Ransomware attack: CISA publishes recovery script for VMware ESXi

The US cyber-security agency CISA has provided a recovery script with which affected servers could be rescued.

https://heise.de/-7488498


Warning: Fraudulent invoices in e-mails and the PayPal app!

PayPal users beware: criminals are currently issuing Coinbase invoices via PayPal. As a result, these invoices land both in your mail inbox and in your PayPal app and can therefore be mistaken for genuine! Ignore the invoices and contact PayPal if anything is unclear. Do not pay anything and under no circumstances follow the merchant instructions in the invoice.

https://www.watchlist-internet.at/news/achtung-betruegerische-rechnungen-in-e-mails-und-paypal-app/


Security update: Eight security vulnerabilities closed in OpenSSL

Attackers could attack systems running OpenSSL, the software library for encrypted connections. The threat level is limited, however.

https://heise.de/-7489560


Medusa botnet returns as a Mirai-based variant with ransomware sting

A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer.

https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-mirai-based-variant-with-ransomware-sting/


Simple HTML Phishing via Telegram Bot, (Wed, Feb 8th)

Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them.

https://isc.sans.edu/diary/rss/29528


Post-Exploitation: Abusing the KeePass Plugin Cache

This blog post presents a post-exploitation approach to inject code into KeePass without process injection. It is performed by abusing the cache resulting from the compilation of PLGX plugin.

https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cache.html


A Detailed Analysis of a New Stealer Called Stealerium

Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address.

https://securityscorecard.com/research/a-detailed-analysis-of-a-new-stealer-called-stealerium


Rustproofing Linux (nccgroup)

The nccgroup blog is carrying a four-part series by Domen Puncer Kugler on how vulnerabilities can make their way into device drivers written in Rust. In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least for a little while longer.

https://lwn.net/Articles/922638/


Pwn2Owning Two Hosts at the Same Time: Abusing Inductive Automation Ignition's Custom Deserialization

Pwn2Own Miami 2022 was a fine competition. At the contest, I successfully exploited three different targets. In this blog post, I would like to show you my personal best research of the competition: the custom deserialization issue in Inductive Automation Ignition.

https://www.thezdi.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-abusing-inductive-automation-ignitions-custom-deserialization


CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/


How to Use Cloud Access Security Brokers for Data Protection

A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise's security policies whenever cloud-based resources are accessed.

https://www.hackread.com/cloud-access-security-brokers-data-protection/

Vulnerabilities

PMASA-2023-1

XSS vulnerability in drag-and-drop upload

Affected Versions: phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0.

https://www.phpmyadmin.net/security/PMASA-2023-1/


Web browser: Google Chrome seals security holes and changes release cycle

The Google Chrome 110 web browser closes 15 vulnerabilities, some of them high-risk. The vendor is also switching to a new release system.

https://heise.de/-7488524


Security updates for Wednesday

Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland).

https://lwn.net/Articles/922626/


Tuesday February 14 2023 Security Releases

The Node.js project will release new versions of the 14.x, 16.x, 18.x and 19.x release lines on or shortly after Tuesday, February 14, 2023, in order to address 2 low severity issues, 2 medium severity issues and 1 high severity issue.

https://nodejs.org/en/blog/vulnerability/february-2023-security-releases


Security Advisory - Identity Authentication Bypass Vulnerability in The Huawei Children Smart Watch (Simba-AL00)

https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvithcswsa-c385b2dc-en


IBM Security Bulletins 2023-02-08

* A Security Vulnerability has been identified in the IBM Java SDK as shipped with IBM Security Verify Access.
* IBM Aspera Orchestrator affected by vulnerability (CVE-2022-28615)
* IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577)
* IBM® Db2® is vulnerable to an information disclosure vulnerability due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927)
* IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930)
* IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted Load command. (CVE-2022-43929)
* IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability) (CVE-2022-41966)
* IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Express.js Express denial of service (CVE-2022-24999)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Moment denial of service (CVE-2022-31129)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js follow-redirects module information disclosure vulnerabilities (CVE-2022-0536, CVE-2022-0155)
* IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787)
* IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364)
* Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2
* Multiple vulnerabilities in the Expat library affect IBM® Db2® Net Search Extender and may lead to denial of service or arbitrary code execution.
* Security Vulnerabilities have been identified in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products.
* Unspecified vulnerability in Java affects IBM InfoSphere Global Name Management (CVE-2022-21496)
* Vulnerabilities in IBM WebSphere Liberty affect IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476)
* Vulnerability in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-34165)

https://www.ibm.com/support/pages/bulletin/