Daily summary - 21.02.2023

End-of-Day report

Timeframe: Monday 20-02-2023 18:00 - Tuesday 21-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Crime: Ransomware demands insurance policy

The Hardbit 2.0 ransomware demands the insurance policy of affected companies in order to tailor its ransom demand. Not without risk for the victims.

https://www.golem.de/news/kriminalitaet-ransomware-will-versicherungspolice-2302-172056.html


Researchers Discover Dozens Samples of Information Stealer Stealc in the Wild

A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report.

https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.html


Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs

On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.

https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/


A Deep Dive Into a PoshC2 Implant

PoshC2 is an open-source C2 framework used by penetration testers and threat actors. It can generate a Powershell-based implant, a C#.NET implant that we analyze in this paper, and a Python3 implant.

https://resources.securityscorecard.com/research/poshc2-implant


ClamAV Critical Patch Review

The description of those bugs got our attention since we have format handlers in unblob for both DMG and HFS+. We therefore decided to spend some time trying to understand them and learn if we may be affected by similar bugs.

https://onekey.com/blog/clamav-critical-patch-review/


OWASP Kubernetes Top 10

The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top 10 is a prioritized list of common risks backed by data collected from organizations varying in maturity and complexity.

https://sysdig.com/blog/top-owasp-kubernetes/


iOS 16.3 and 16.3.1: Apple admits further severe vulnerabilities

Apple has for some time tended not to disclose immediately all of the holes it patches in its operating systems. Information on iOS 16.3 has now been supplied after the fact.

https://heise.de/-7522282


What can we learn from the latest Coinbase cyberattack?

Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twilio, Cloudflare and many other companies last year.

https://www.helpnetsecurity.com/2023/02/21/coinbase-cyberattack/


Do not order pellets from ferberpainting.de!

Numerous people searching for pellets to heat their homes are currently coming across ferberpainting.de or ferberpainting.com. There, 40 sacks of 25 kg pellets are pictured and offered for 199.90 euros. Anyone who orders here is in for a nasty surprise, because what is delivered is 40 empty sacks.

https://www.watchlist-internet.at/news/keine-pellets-auf-ferberpaintingde-bestellen/


Your bank is calling? It could be fraud!

You receive a call, supposedly from an employee of your bank. The caller explains that she has noticed unusual debits from your account. She helps you get the money back and protect your account. Caution: this is fraud.

https://www.watchlist-internet.at/news/ihre-bank-ruft-an-es-koennte-sich-um-betrug-handeln/


HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)

In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group's latest activity in Korea.

https://asec.ahnlab.com/en/48063/

Vulnerabilities

VMSA-2023-0004

CVSSv3 Range: 9.1 CVE(s): CVE-2023-20858 Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858)

https://www.vmware.com/security/advisories/VMSA-2023-0004.html


VMSA-2023-0005

CVSSv3 Range: 8.8 CVE(s): CVE-2023-20855 Synopsis: VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855)

https://www.vmware.com/security/advisories/VMSA-2023-0005.html


Security updates for Tuesday

Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel).

https://lwn.net/Articles/923942/


TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers)

https://typo3.org/security/advisory/typo3-ext-sa-2023-002


Mitsubishi Electric MELSOFT iQ AppPortal

https://us-cert.cisa.gov/ics/advisories/icsa-23-052-01


IBM FlashSystem 710, 720, 810, and 820 systems and RamSan 710, 720, 810, and 820 systems are not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)

https://www.ibm.com/support/pages/node/690011


Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem and TMS RAMSAN 710, 720, 810, and 820 systems (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-154

https://www.ibm.com/support/pages/node/690125


Two (2) Vulnerabilities in glibc affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems (CVE-2014-5119 and CVE-2014-0475)

https://www.ibm.com/support/pages/node/690127


Sixteen (16) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems

https://www.ibm.com/support/pages/node/690129


Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568)

https://www.ibm.com/support/pages/node/690131


Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568)

https://www.ibm.com/support/pages/node/690149


IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-25928)

https://www.ibm.com/support/pages/node/6956598


Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator.

https://www.ibm.com/support/pages/node/6328143


IBM Db2 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930)

https://www.ibm.com/support/pages/node/6953755


IBM MQ is affected by multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 8

https://www.ibm.com/support/pages/node/6957066


IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to JSON5 code execution (CVE-2022-46175)

https://www.ibm.com/support/pages/node/6957134