End-of-Day report
Timeframe: Montag 20-02-2023 18:00 - Dienstag 21-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Kriminalität: Ransomware will Versicherungspolice
Die Ransomware Hardbit 2.0 verlangt die Versicherungspolice der Unternehmen, um die Lösegeldforderung anzupassen. Nicht ungefährlich für die Betroffenen.
https://www.golem.de/news/kriminalitaet-ransomware-will-versicherungspolice-2302-172056.html
Researchers Discover Dozens Samples of Information Stealer Stealc in the Wild
A new information stealer called Stealc thats being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report.
https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.html
Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs
On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
A Deep Dive Into a PoshC2 Implant
PoshC2 is an open-source C2 framework used by penetration testers and threat actors. It can generate a Powershell-based implant, a C#.NET implant that we analyze in this paper, and a Python3 implant.
https://resources.securityscorecard.com/research/poshc2-implant
ClamAV Critical Patch Review
The description of those bugs got our attention since we have format handlers in unblob for both DMG and HFS+. We therefore decided to spend some time trying to understand them and learn if we may be affected by similar bugs.
https://onekey.com/blog/clamav-critical-patch-review/
OWASP Kubernetes Top 10
The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top 10 is a prioritized list of common risks backed by data collected from organizations varying in maturity and complexity.
https://sysdig.com/blog/top-owasp-kubernetes/
iOS 16.3 und 16.3.1: Apple räumt weitere schwere Lücken ein
Apple neigt seit längerem dazu, nicht alle gestopften Löcher in seinen Betriebssystemen sofort zu kommunizieren. Nun wurden Infos zu iOS 16.3 nachgereicht.
https://heise.de/-7522282
What can we learn from the latest Coinbase cyberattack?
Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twillio, Cloudflare and many other companies last year.
https://www.helpnetsecurity.com/2023/02/21/coinbase-cyberattack/
Keine Pellets auf ferberpainting.de bestellen!
Auf der Suche nach Pellets für die Beheizung des Eigenheims stoßen aktuell zahlreiche Personen auf ferberpainting.de bzw. ferberpainting.com. Für 199,90 Euro werden dort 40 Säcke mit 25 KG Pellets abgebildet und angeboten. Wer hier bestellt erlebt eine böse Überraschung, denn geliefert werden 40 leere Säcke.
https://www.watchlist-internet.at/news/keine-pellets-auf-ferberpaintingde-bestellen/
Ihre Bank ruft an? Es könnte sich um Betrug handeln!
Sie erhalten einen Anruf. Angeblich eine Mitarbeiterin Ihrer Bank. Die Anruferin erklärt, dass sie ungewöhnliche Abbuchungen von Ihrem Konto festgestellt hat. Sie hilft Ihnen dabei, das Geld zurückzubekommen und Ihr Konto zu schützen. Vorsicht: Es handelt sich um Betrug.
https://www.watchlist-internet.at/news/ihre-bank-ruft-an-es-koennte-sich-um-betrug-handeln/
HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)
In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group-s latest activity in Korea.
https://asec.ahnlab.com/en/48063/
Vulnerabilities
VMSA-2023-0004
CVSSv3 Range: 9.1
CVE(s): CVE-2023-20858
Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858)
https://www.vmware.com/security/advisories/VMSA-2023-0004.html
VMSA-2023-0005
CVSSv3 Range: 8.8
CVE(s): CVE-2023-20855
Synopsis: VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855)
https://www.vmware.com/security/advisories/VMSA-2023-0005.html
Security updates for Tuesday
Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel).
https://lwn.net/Articles/923942/
TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers)
https://typo3.org/security/advisory/typo3-ext-sa-2023-002
Mitsubishi Electric MELSOFT iQ AppPortal
https://us-cert.cisa.gov/ics/advisories/icsa-23-052-01
IBM FlashSystem 710, 720, 810, and 820 systems and RamSan 710, 720, 810, and 820 systems are not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)\nFlash
https://www.ibm.com/support/pages/node/690011
Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem and TMS RAMSAN 710, 720, 810, and 820 systems (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-154
https://www.ibm.com/support/pages/node/690125
Two (2) Vulnerabilities in glibc affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems (CVE-2014-5119 and CVE-2014-0475)
https://www.ibm.com/support/pages/node/690127
Sixteen (16) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems
https://www.ibm.com/support/pages/node/690129
Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568)
https://www.ibm.com/support/pages/node/690131
Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568)
https://www.ibm.com/support/pages/node/690149
IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-25928)
https://www.ibm.com/support/pages/node/6956598
Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator.
https://www.ibm.com/support/pages/node/6328143
IBM Db2 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930)
https://www.ibm.com/support/pages/node/6953755
IBM MQ is affected by multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 8
https://www.ibm.com/support/pages/node/6957066
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to JSON5 code execution (CVE-2022-46175)
https://www.ibm.com/support/pages/node/6957134