End-of-Day report
Timeframe: Thursday 09-02-2023 18:00 - Friday 10-02-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Obfuscated Deactivation of Script Block Logging, (Fri, Feb 10th)
PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one.
https://isc.sans.edu/diary/rss/29538
Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign
Late last year we reported on a malware campaign targeting thousands of WordPress websites to redirect visitors to bogus Q&A websites. The sites themselves contained very little useful information to a regular visitor, but - more importantly - also contained Google Adsense advertisements. It appeared to be an attempt to artificially pump ad views to generate revenue. Since September, our SiteCheck remote scanner has detected this campaign on 10,890 infected sites.
https://blog.sucuri.net/2023/02/bogus-url-shorteners-redirect-thousands-of-hacked-sites-in-adsense-fraud-campaign.html
Cracking the Odd Case of Randomness in Java
During a recent white-box assessment, we came across the use of RandomStringUtils.randomAlphanumeric being used in a security sensitive context. We knew it used Java's weak java.util.Random class but were interested in seeing how practically exploitable it actually was, so we decided to dig into it and see how it worked under the hood.
https://www.elttam.com/blog/cracking-randomness-in-java/
What are the writable shares in this big domain?
RSMBI is a Python tool that answers the question: what are the writable shares in this big domain? RSMBI connects to each target and mounts the available shares under /tmp (the mount point can be changed). Once the shares are mounted, the worker threads (or the single thread) start (os.)walking all folders recursively, trying to obtain a file handle with write access.
https://github.com/oldboy21/RSMBI
0Day Avalanche Blockchain API DoS
This is a remote API DoS/crash that should OOM chain P and render a vulnerable node mostly or entirely useless.
https://g.livejournal.com/15852.html
Fake donation appeals: criminals exploit the earthquake disaster
The earthquake in Turkey and northern Syria triggered a wave of willingness to help. There are numerous ways to support survivors financially. Criminals are abusing the humanitarian crisis and trying in various ways to exploit this solidarity through fake donation appeals.
https://www.watchlist-internet.at/news/fake-spendenaufrufe-kriminelle-missbrauchen-erdbebenkatastrophe/
Vulnerabilities
CKSource CKEditor5 35.4.0 Cross Site Scripting
CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 Widget, as the editor fails to sanitize user-provided data.
https://cxsecurity.com/issue/WLB-2023020019
Security updates for Friday
Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift).
https://lwn.net/Articles/922929/
Statement About the DoS Vulnerability in the E5573Cs-322
https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20230210-01-dos-en
Multiple vulnerabilities in IBM Java Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)
https://www.ibm.com/support/pages/node/6954671
Vulnerabilities in IBM Semeru Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619, CVE-2022-3676)
https://www.ibm.com/support/pages/node/6954673
Vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2022-3676)
https://www.ibm.com/support/pages/node/6954675
Vulnerability in IBM Java (CVE-2022-3676) affects Power HMC
https://www.ibm.com/support/pages/node/6954681
Vulnerability in IBM Java (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619) affects Power HMC
https://www.ibm.com/support/pages/node/6954683
Vulnerability in Firefox (CVE-2022-43926) affects Power HMC
https://www.ibm.com/support/pages/node/6954679
A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-23477)
https://www.ibm.com/support/pages/node/6954685
IBM App Connect Enterprise Certified Container Designer Authoring operands that use mapping assistance may be vulnerable to arbitrary code execution due to [CVE-2022-45907]
https://www.ibm.com/support/pages/node/6954691
Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affect CICS Transaction Gateway.
https://www.ibm.com/support/pages/node/6954695
CVE-2022-3676 may affect IBM TXSeries for Multiplatforms
https://www.ibm.com/support/pages/node/6954701
IBM MQ Appliance is vulnerable to identity spoofing (CVE-2022-22476)
https://www.ibm.com/support/pages/node/6823807
IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2021-45485, CVE-2021-45486 and CVE-2022-1012)
https://www.ibm.com/support/pages/node/6851373
IBM MQ Appliance is vulnerable to HTTP header injection (CVE-2022-34165)
https://www.ibm.com/support/pages/node/6622055
IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750)
https://www.ibm.com/support/pages/node/6622053
IBM MQ Appliance is vulnerable to improper session invalidation (CVE-2022-40230)
https://www.ibm.com/support/pages/node/6622051
IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775)
https://www.ibm.com/support/pages/node/6622041
IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744)
https://www.ibm.com/support/pages/node/6622047
IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to IBM Java (CVE-2022-21626)
https://www.ibm.com/support/pages/node/6954727
A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2023-23477)
https://www.ibm.com/support/pages/node/6954723