Daily summary - 20.02.2023

End-of-Day report

Timeframe: Friday 17-02-2023 18:00 - Monday 20-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

CISA warns: possible system compromise through vulnerabilities in Thunderbird

Thunderbird version 102.8 closes vulnerabilities that could allow attackers to take control of a system. CISA has issued a warning about them.

https://heise.de/-7521002


Microsoft updates: side effects for VMware and Windows Server 2022

The February updates from Microsoft's Patch Tuesday have unintended side effects. They affect Windows Server 2022 running on VMware and the distribution of Windows 11 updates.

https://heise.de/-7521199


After cyber intrusion: attackers redirect GoDaddy websites

At the web host GoDaddy, attackers were able to inject malicious code in early December 2022 that redirected websites hosted there to malware sites.

https://heise.de/-7521325


Warning: the tax office does not send SMS messages

Criminals are sending fake messages in the name of the tax office. The SMS claims that you will receive an amount of 286.93. To get the money, you supposedly have to verify yourself and click on a link. Do not click on the link; it leads to a phishing page.

https://www.watchlist-internet.at/news/achtung-finanzamt-schickt-kein-sms/


New WhiskerSpy malware delivered via trojanized codec installer

Security researchers have discovered a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea.

https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-delivered-via-trojanized-codec-installer/


OneNote Suricata Rules, (Sun, Feb 19th)

I end my diary entry "Detecting (Malicious) OneNote Files" with a set of Suricata rules to detect various OneNote files.

https://isc.sans.edu/diary/rss/29564


The Dangers of Installing Nulled WordPress Themes and Plugins

Nulled WordPress themes and plugins are a controversial topic for many in the web development world - and arguably one of the bigger threats to WordPress security. Essentially modified versions of official WordPress themes and plugins with their licensing restrictions removed, these nulled software copies are often touted as premium functionality packaged in a free download.

https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-themes-and-plugins.html


NimPlant - A light first-stage C2 implant written in Nim and Python

NimPlant was developed as a learning project and released to the public for transparency and educational purposes. For a large part, it makes no effort to hide its intentions. Additionally, protections have been put in place to prevent abuse. In other words, do NOT use NimPlant in production engagements as-is without thorough source code review and modifications!

https://github.com/chvancooten/NimPlant


Finding forensics breadcrumbs in Android image storage

[...] In this post I'll be talking about image scanning apps, and how to reverse engineer them to pinpoint user activity and tie a user to a particular image's creation from a source file e.g. pages from a PDF.

https://www.pentestpartners.com/security-blog/finding-forensics-breadcrumbs-in-android-image-storage/


Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers

Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog.

https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html


QR code generator My QR Code leaks users' login data and addresses

My QR Code was informed about the leak almost two weeks ago, yet it failed to respond or secure its server.

https://www.hackread.com/qr-code-generator-my-qr-code-data-leak/

Vulnerabilities

Patch day: Fortinet closes 40 security vulnerabilities, PoC exploit announced

In February, Fortinet released updates for various products that close a total of 40 security vulnerabilities. Two of them are rated critical.

https://heise.de/-7520937


Security updates for Monday

Security updates have been issued by Debian (c-ares, gnutls28, golang-github-opencontainers-selinux, isc-dhcp, nss, openssl, snort, and thunderbird), Fedora (clamav, curl, phpMyAdmin, thunderbird, vim, webkitgtk, and xen), Red Hat (firefox), Slackware (kernel), SUSE (apache2-mod_security2, gssntlmssp, postgresql-jdbc, postgresql12, and timescaledb), and Ubuntu (firefox).

https://lwn.net/Articles/923803/


Newly Disclosed Vulnerability Exposes EOL Arris Routers to Attacks

Malwarebytes warns of a remote code execution vulnerability impacting Arris G2482A, TG2492, and SBG10 routers, which have reached end-of-life (EOL).

https://www.securityweek.com/newly-disclosed-vulnerability-exposes-eol-arris-routers-to-attacks/


Critical SQL injection vulnerabilities in MISP (fixed in v2.4.166 and v2.4.167)

As of the past 2 months, we've received two separate reports of two unrelated SQLi vector vulnerabilities in MISP that can lead to any authenticated user being able to execute arbitrary SQL queries in MISP.

https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilities_Fixed.html/


IBM Security Bulletins 2023-02-20

Flash Storage: RamSan-710, RamSan-720, RamSan-810, RamSan-820; IBM Cloud Object Storage System; IBM Cloud Pak for Applications; IBM FlashSystem 720; IBM FlashSystem 900; IBM Multi-Enterprise Integration Gateway; IBM Power E1050 (9043-MRX); IBM Power L1022 (9786-22H); IBM Power L1024 (9786-42H); IBM Power S1014 (9105-41B); IBM Power S1022 (9105-22A); IBM Power S1022s (9105-22B); IBM Power S1024 (9105-42A); IBM WebSphere Hybrid Edition; Tivoli System Automation Application Manager

https://www.ibm.com/support/pages/bulletin/