End-of-Day report
Timeframe: Friday 10-02-2023 18:00 - Monday 13-02-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Play ransomware infiltrates systems of A10 Networks
Attackers were able to access internal data of network equipment vendor A10 Networks. Customer data is said not to be affected.
https://heise.de/-7493748
Fake Therme Wien prize draw on Facebook
A fraudulent prize draw for a day at the Therme Wien spa, including a massage, is currently circulating on Facebook. The draw, promoted by the Facebook page "Freizeit-Helden", has no connection to the Therme Wien and only harvests personal data. Do not take part, and report the posting.
https://www.watchlist-internet.at/news/gefaelschtes-therme-wien-gewinnspiel-auf-facebook/
Details on the LocalPotato NTLM authentication vulnerability (CVE-2023-21746)
In mid-January 2023 I had pointed to a local NTLM authentication vulnerability (CVE-2023-21746) in the blog post "Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746)". The discoverers call it LocalPotato, but had not disclosed any details at the time. That has now been done.
https://www.borncity.com/blog/2023/02/11/details-zur-localpotato-ntlm-authentication-schwachstelle-cve-2023-21746/
We had a security incident. Here's what we know.
TL;DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.
https://www.reddit.com/r/netsec/comments/10y59q2/we_had_a_security_incident_heres_what_we_know/
Devs targeted by W4SP Stealer malware in malicious PyPi packages
Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-stealer-malware-in-malicious-pypi-packages/
Security baseline for Microsoft Edge version 110
We are pleased to announce the security review for Microsoft Edge, version 110! We have reviewed the new settings in Microsoft Edge version 110 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. Microsoft Edge version 110 introduced 13 new computer settings and 13 new user settings.
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-110/ba-p/3740900
PCAP Data Analysis with Zeek, (Sun, Feb 12th)
Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek [1] can help to simplify network traffic analysis. It can also help save a lot of storage space. I'll be going through and processing some PCAP data collected from my honeypot.
https://isc.sans.edu/diary/rss/29530
Linux auditd for Threat Hunting [Part 2]
In this part, I will highlight only 1 technique (process/command execution) and explain the fields. In Part 3, I will show you tests I ran for several other behaviors.
https://izyknows.medium.com/linux-auditd-for-threat-hunting-part-2-c75500f591e8
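As an added illustration of the process/command-execution technique the article covers (this is editor-written example code, not code from the article), the script below reconstructs execve events from raw auditd records and applies three simple hunting rules. It groups SYSCALL and EXECVE records by their audit serial number, decodes the un-quoted hex form auditd uses for arguments containing spaces or control characters, and flags shell `-c` invocations, download tools piped into a shell, and processes whose uid differs from the login uid (auid). The log lines are constructed for the example; the hostname example.invalid and the pids/uids are made up. Arguments that auditd splits into `aN[0]`, `aN[1]`, ... pieces are not reassembled here.

```python
import os
import re
import shlex
from collections import OrderedDict

# Constructed sample auditd records (not taken from the article): a benign `ls`,
# a root `bash -c` with a hex-encoded third argument, and a benign `vim`.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1676300000.101:501): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=4100 pid=4101 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1676300000.101:501): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1676300000.202:502): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=4200 pid=4201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1676300000.202:502): argc=3 a0="bash" a1="-c" a2=6375726C202D7320687474703A2F2F6578616D706C652E696E76616C69642F78207C207368
type=SYSCALL msg=audit(1676300000.303:503): arch=c000003e syscall=59 success=yes exit=0 a0=55f1 a1=55f2 a2=55f3 a3=0 items=2 ppid=4300 pid=4301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim" key="exec"
type=EXECVE msg=audit(1676300000.303:503): argc=2 a0="vim" a1="notes.txt"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
DOWNLOADERS = ("curl", "wget")
UNSET_AUID = "4294967295"  # auid of processes started before any login (e.g. daemons)


def decode_value(raw):
    """auditd quotes plain strings; a string containing a space, quote or
    control character is emitted as un-quoted hex instead."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_records(text):
    """Group SYSCALL and EXECVE records by audit serial into one event each."""
    events = OrderedDict()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = m.group(1), int(m.group(2))
        fields = dict(KV_RE.findall(line))
        ev = events.setdefault(serial, {"serial": serial, "time": float(ts), "argv": []})
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            # SYSCALL a0..a3 are raw pointer values, so copy only the useful fields.
            for k in ("ppid", "pid", "auid", "uid", "euid", "tty", "comm", "exe", "key", "success"):
                if k in fields:
                    ev[k] = decode_value(fields[k])
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [decode_value(fields.get(f"a{i}", "")) for i in range(argc)]
    return list(events.values())


def hunt(text):
    """Return all execve events with a reconstructed command line and hunt flags."""
    findings = []
    for ev in parse_records(text):
        argv = ev["argv"]
        flags = []
        base = os.path.basename(argv[0]) if argv else ""
        if base in SHELLS and "-c" in argv[1:]:
            flags.append("shell -c")
            i = argv.index("-c") + 1
            script = argv[i] if i < len(argv) else ""
            if "|" in script and any(tool in script.split() for tool in DOWNLOADERS):
                flags.append("download piped to shell")
        auid, uid = ev.get("auid"), ev.get("uid")
        if auid not in (None, UNSET_AUID) and auid != uid:
            flags.append("uid differs from login uid")
        ev["cmdline"] = shlex.join(argv)
        ev["flags"] = flags
        findings.append(ev)
    return findings


if __name__ == "__main__":
    for ev in hunt(SAMPLE_LOG):
        mark = "!!" if ev["flags"] else "  "
        print(f"{mark} {ev['serial']} auid={ev.get('auid')} uid={ev.get('uid')} "
              f"exe={ev.get('exe')} cmd={ev['cmdline']} flags={ev['flags']}")
```

Joining EXECVE to SYSCALL on the serial number matters because only the SYSCALL record carries auid, uid, tty and the parent pid; the EXECVE record alone tells you what was run but not who ran it or from where.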
Crypto Wallet Address Replacement Attack
At around 17:49 UTC on 9 February 2023, Phylum's automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. This time, however, the attacker changed the obfuscation technique and radically increased the volume of attacks. [..] over 451 unique packages. These targeted some very popular packages, many of them in the crypto/finance and web development space.
https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack
The Linux Kernel and the Cursed Driver (CVE-2022-4842)
TL;DR: We found a bug in the not-so-well-maintained NTFS3 driver in Linux. Abusing the vulnerability could lead to a denial-of-service (DoS) attack on machines with a mounted NTFS filesystem.
https://www.cyberark.com/resources/threat-research-blog/the-linux-kernel-and-the-cursed-driver
Vulnerabilities
Monitorr 1.7.6 Shell Upload
Topic: Monitorr 1.7.6 Shell Upload
Risk: High
Text: # Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution # Exploit Author: Achuth V P (retrymp3...
https://cxsecurity.com/issue/WLB-2023020021
Cisco Email Security Appliance URL Filtering Bypass Vulnerability
On January 18, 2023, Cisco disclosed the following: A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. [...] After additional investigation, it was determined that this vulnerability is not exploitable. For more information, see the Workarounds section of this advisory.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-url-bypass-WbMQqNJh
ABB Cyber Security Advisory: Drive Composer multiple vulnerabilities
Affected products:
CVE-2018-1285, CVE-2022-35737, CVE-2021-27293, CVE-2022-37434: Drive Composer entry 2.8 and earlier; Drive Composer pro 2.8 and earlier.
CVE-2018-1002205: Drive Composer entry 2.4 and earlier; Drive Composer pro 2.4 and earlier.
An attacker who successfully exploited these vulnerabilities could cause the product to stop, make the product inaccessible, or insert and run arbitrary code.
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=9AKK108467A7957&DocumentPartId=&LanguageCode=en
Security updates for Monday
Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk).
https://lwn.net/Articles/923163/
Wordpress Multiple themes - Unauthenticated Arbitrary File Upload
https://cxsecurity.com/issue/WLB-2023020022
NEC PC Settings Tool vulnerable to missing authentication for critical function
https://jvn.jp/en/jp/JVN60320736/
Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G
https://jvn.jp/en/jp/JVN98612206/
IBM Security Bulletins 2023-02-13
* AIX is vulnerable to denial of service vulnerabilities
* IBM Cloud Pak for Network Automation v2.4.3 addresses multiple security vulnerabilities
* IBM MQ Appliance is vulnerable to an unspecified Java SE vulnerability (CVE-2022-21626)
* IBM PowerVM Novalink is vulnerable because Apache Commons IO could allow a remote attacker to traverse directories on the system
* IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty is affected by a denial of service in protobuf-java core and lite (CVE-2022-3509)
* IBM PowerVM Novalink is vulnerable because Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. (CVE-2022-21628)
* IBM QRadar SIEM includes multiple components with known vulnerabilities
* IBM QRadar SIEM is vulnerable to information exposure (CVE-2022-34351)
* IBM Security Directory Integrator is affected by multiple security vulnerabilities
* IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579)
* IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970)
* IBM Sterling B2B Integrator is vulnerable to http header injection due to IBM WebSphere Application Server (CVE-2022-34165)
* IBM Sterling Connect:Direct FTP+ is vulnerable to denial of service due to IBM Java (CVE-2022-21626)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js bunyan module command execution
* The dashboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231)
* Vulnerabilities with ca-certificates, OpenJDK, Sudo affect IBM Cloud Object Storage Systems (Feb 2023v1)
https://www.ibm.com/support/pages/bulletin/