End-of-Day report
Timeframe: Mittwoch 15-02-2023 18:00 - Donnerstag 16-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Emsisoft says hackers are spoofing its certs to breach networks
-A hacker is using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses.
https://www.bleepingcomputer.com/news/security/emsisoft-says-hackers-are-spoofing-its-certs-to-breach-networks/
Hackers backdoor Microsoft IIS servers with new Frebniis malware
Hackers are deploying a new malware named Frebniss on Microsofts Internet Information Services (IIS) that stealthily executes commands sent via web requests.
https://www.bleepingcomputer.com/news/security/hackers-backdoor-microsoft-iis-servers-with-new-frebniis-malware/
-Fake Customer Trick-: Kriminelle ergaunern hochwertige Produkte
Der Name des Halbleiterherstellers Infineon wird derzeit für kriminelle Zwecke missbraucht: Per Mail geben sich Betrüger:innen als Infineon-Mitarbeiter Marcus Schlenker aus und bekunden Interesse an einer Großbestellung. Für die Empfänger:innen klingt das nach einem unkomplizierten und schnellen Geschäft. Doch tatsächlich landen die versendeten Produkte in den Händen von Kriminellen, auf die Bezahlung warten die Opfer vergeblich.
https://www.watchlist-internet.at/news/fake-customer-trick-kriminelle-ergaunern-hochwertige-produkte/
Malware Reverse Engineering for Beginners - Part 2
Often, malware targeting Windows will be packed and delivered as a second stage. There are different ways to -deliver- malware to the endpoint. This blog will cover key concepts and examples regarding how malware is packed, obfuscated, delivered, and executed on the endpoint.
https://www.intezer.com/blog/incident-response/malware-reverse-engineering-for-beginners-part-2/
Vulnerabilities
Patchday bei Intel: Angreifer könnten Server über Root-Lücke attackieren
Intel hat für verschiedene Firm- und Software wichtige Sicherheitsupdates veröffentlicht. In vielen Fällen könnten sich Angreifer höhere Rechte verschaffen.
https://heise.de/-7517141
Jetzt patchen! Entwickler des CMS Joomla warnen vor kritischer Sicherheitslücke
Es ist ein "sehr wichtiger" Sicherheitspatch für Joomla erscheinen.
https://heise.de/-7517312
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (community-mysql, edk2, firefox, and git), Slackware (curl and git), SUSE (apache2-mod_security2, aws-efs-utils, bind, curl, git, ImageMagick, java-11-openjdk, java-17-openjdk, java-1_8_0-openjdk, kernel, libksba, and mozilla-nss), and Ubuntu (golang-golang-x-text, golang-x-text, linux-aws, linux-intel-iotg, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux linux-ibm-5.4, linux-oracle-5.4, linux-gke, linux-gke-5.15, nss, and xorg-server, xorg-server-hwe-16.04).
https://lwn.net/Articles/923503/
Splunk Enterprise Updates Patch High-Severity Vulnerabilities
Splunk updates for Enterprise products resolve multiple high-severity vulnerabilities, including several in third-party packages.
https://www.securityweek.com/splunk-enterprise-updates-patch-high-severity-vulnerabilities/
Security Vulnerabilities fixed in Thunderbird 102.8
CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP
CVE-2023-25728: Content security policy leak in violation reports using iframes
CVE-2023-25730: Screen hijack via browser fullscreen mode
CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS
CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey
CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry
CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers
CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8
...
https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/
MISP 2.4.168 released with bugs fixed, security fixes and major improvements in STIX support.
We are pleased to announce the immediate availability of MISP v2.4.168 with bugs fixed and various security fixes.
https://github.com/MISP/MISP/releases/tag/v2.4.168
ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-xxe-TcSZduhN
ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy
WAGO: Exposure of configuration interface in unmanaged switches
https://cert.vde.com/de/advisories/VDE-2022-055/
IBM App Connect Enterprise is affected by a remote attacker due to the zip4j library [CVE-2023-22899]
https://www.ibm.com/support/pages/node/6955913
Multiple vulnerabilities in moment.js affect IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31129, CVE-2022-24785)
https://www.ibm.com/support/pages/node/6852667
IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities.
https://www.ibm.com/support/pages/node/6850801
WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF
https://www.ibm.com/support/pages/node/6956223
Intel Ethernet controllers as used in IBM QRadar SIEM are vulnerable to a denial of service (CVE-2021-0197, CVE-2021-0198, CVE-2021-0199, CVE-2021-0200)
https://www.ibm.com/support/pages/node/6956287