End-of-Day report
Timeframe: Wednesday 08-02-2023 18:00 - Thursday 09-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
New ESXiArgs ransomware version prevents VMware ESXi recovery
New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines.
https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-version-prevents-vmware-esxi-recovery/
Solving one of NOBELIUM's most novel attacks: Cyberattack Series
This is the first in an ongoing series exploring some of the most notable cases of the Microsoft Detection and Response Team (DART), which investigates cyberattacks on behalf of our customers. The Cyberattack Series takes you behind the scenes for an inside look at the investigation and shares lessons that you can apply to better protect your own organization.
https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nobeliums-most-novel-attacks-cyberattack-series/
[SANS ISC] A Backdoor with Smart Screenshot Capability
Today, everything is "smart" or "intelligent". We have smartphones, smart cars, smart doorbells, etc. Being "smart" means performing actions depending on the context, the environment, or user actions.
For a while, backdoors and trojans have implemented screenshot capabilities. From an attacker's point of view, it's interesting to "see" what's displayed on the victim's computer.
https://blog.rootshell.be/2023/02/09/sans-isc-a-backdoor-with-smart-screenshot-capabilitysans-isc/
Exploit Vector Analysis of Emerging ESXiArgs Ransomware
In recent days, CVE-2021-21974, a heap-overflow vulnerability in VMware ESXi's OpenSLP service, has been prominently mentioned in the news in relation to a wave of ransomware affecting numerous organizations. The relationship between CVE-2021-21974 and the ransomware campaign may be blown out of proportion. We do not currently know what the initial access vector is, and it is possible it could be any of the vulnerabilities related to ESXi's OpenSLP service.
https://www.greynoise.io/blog/exploit-vector-analysis-of-emerging-esxiargs-ransomware
Password manager: Controversial security vulnerability in KeePass fixed
A widely discussed vulnerability that made it easier for intruders already inside the system to export passwords has now been closed by the developer with an update.
https://heise.de/-7489944
Data leak: Deezer now informs customers by e-mail
230 million Deezer records were stolen and added, among other places, to the Have I Been Pwned project. Deezer is now informing affected customers.
https://heise.de/-7490760
Expensive visa at asia-visa.com
Do you want to apply for a visa for Thailand or Vietnam? During an internet search you may come across asia-visa.com, a provider that takes the "paperwork" off your hands. We advise against using this overpriced offer and recommend applying for the entry permit through the official authority.
https://www.watchlist-internet.at/news/teures-visum-bei-asia-visacom/
CISA and FBI Release ESXiArgs Ransomware Recovery Guidance
Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as "ESXiArgs." Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware.
https://us-cert.cisa.gov/ncas/current-activity/2023/02/08/cisa-and-fbi-release-esxiargs-ransomware-recovery-guidance
New PayPal scam with genuine push notifications (Feb. 2023)
Via Twitter I was made aware of a new scam that can really throw people off. The scam begins with the victim receiving a push notification from PayPal about a payment (by direct debit). But the message is nevertheless a scam and aims to get hold of the victim's data. I have summarized the hints from Twitter in this post.
https://www.borncity.com/blog/2023/02/08/neue-paypal-betrugsmasche-mit-echten-push-benachrichtigungen-feb-2023/
Security incident at wargaming.net (Feb. 2023)?
A reader drew my attention to a security incident at the game developer wargaming.net. I then did a bit of research; it is not the first incident at this provider. But it could also be a phishing attempt (I am still trying to clarify that). Here is some information on what I know so far.
https://www.borncity.com/blog/2023/02/09/sicherheitsvorfall-bei-wargaming-net-feb-2023/
Evasion Techniques Uncovered: An Analysis of APT Methods
DLL search order hijacking and DLL sideloading are commonly used by nation state sponsored attackers to evade detection.
https://www.rapid7.com/blog/post/2023/02/09/evasion-techniques-uncovered-an-analysis-of-apt-methods/
Vulnerabilities
Zoho ManageEngine ServiceDesk Plus 14003 Remote Code Execution
This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
https://cxsecurity.com/issue/WLB-2023020017
SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow
The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system.
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php
Attackers could manipulate data via Nvidia GeForce Experience
In the current version of Nvidia's graphics card tool GeForce Experience, the developers have closed three security vulnerabilities.
https://heise.de/-7490068
Emergency patch released for file transfer solution GoAnywhere MFT
Admins can now secure their GoAnywhere MFT servers (on-premises) against currently ongoing attacks with a security update.
https://heise.de/-7490040
Security updates for Thursday
Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird).
https://lwn.net/Articles/922756/
Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras
A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device's system time. [...] Dahua device vulnerabilities may be targeted by DDoS botnets, but in the case of CVE-2022-30564, it would most likely be exploited in highly targeted attacks whose goal is to tamper with evidence, rather than cybercrime operations. The issue was reported to the vendor in the fall of 2022. Dahua has released patches for each of the impacted devices.
https://www.securityweek.com/vulnerability-allows-hackers-to-remotely-tamper-with-dahua-security-cameras/
CVE-2023-0003 Cortex XSOAR: Local File Disclosure Vulnerability in the Cortex XSOAR Server (Severity: MEDIUM)
A file disclosure vulnerability in the Palo Alto Networks Cortex XSOAR server software enables an authenticated user with access to the web interface to read local files from the server.
https://security.paloaltonetworks.com/CVE-2023-0003
CVE-2023-0002 Cortex XDR Agent: Product Disruption by Local Windows User (Severity: MEDIUM)
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to execute privileged cytool commands that disable or uninstall the agent.
https://security.paloaltonetworks.com/CVE-2023-0002
CVE-2023-0001 Cortex XDR Agent: Cleartext Exposure of Agent Admin Password (Severity: MEDIUM)
An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent.
https://security.paloaltonetworks.com/CVE-2023-0001
IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-24964)
https://www.ibm.com/support/pages/node/6953519
IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)
https://www.ibm.com/support/pages/node/6891111
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Eclipse Openj9 security bypass (CVE-2022-3676)
https://www.ibm.com/support/pages/node/6953807
AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304)
https://www.ibm.com/support/pages/node/6953825
Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer
https://www.ibm.com/support/pages/node/6953873
Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer
https://www.ibm.com/support/pages/node/6953879
IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU
https://www.ibm.com/support/pages/node/6953641
IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (217968)
https://www.ibm.com/support/pages/node/6953593
Vulnerability in Axios affects IBM Process Mining (IBM X-Force ID: 232247)
https://www.ibm.com/support/pages/node/6611183
Vulnerability in bpmn affects IBM Process Mining (WS-2019-0208)
https://www.ibm.com/support/pages/node/6852405
Vulnerability in bpmn affects IBM Process Mining (WS-2019-0148)
https://www.ibm.com/support/pages/node/6852407
Vulnerability in d3-color affects IBM Process Mining (WS-2022-0322)
https://www.ibm.com/support/pages/node/6856473
IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for user privilege escalation
https://www.ibm.com/support/pages/node/6909427
IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability
https://www.ibm.com/support/pages/node/6954391
IBM Sterling Global Mailbox is vulnerable to HTTP header injection due to WebSphere Liberty Server (CVE-2022-34165)
https://www.ibm.com/support/pages/node/6954401
IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003)
https://www.ibm.com/support/pages/node/6954403
IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956)
https://www.ibm.com/support/pages/node/6954405
Vulnerability in Apache Commons Text affects IBM Process Mining (CVE-2022-42889)
https://www.ibm.com/support/pages/node/6954409
Vulnerability in IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 affects CICS Transaction Gateway
https://www.ibm.com/support/pages/node/6954411
Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition
https://www.ibm.com/support/pages/node/6954421