End-of-Day report
Timeframe: Wednesday 22-02-2023 18:00 - Thursday 23-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
New S1deload Stealer malware hijacks Youtube, Facebook accounts
An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency.
https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware-hijacks-youtube-facebook-accounts/
Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries
Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.
https://thehackernews.com/2023/02/python-developers-warned-of-trojanized.html
Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products
Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers.
https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html
OffSec Tools
This repository is intended for pentesters and red teamers using a variety of offensive security tools during their assessments. The repository is a collection of useful tools suitable for assessments in internal environments.
https://github.com/Syslifters/offsec-tools
Technical Analysis of BlackBasta Ransomware 2.0
Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates.
https://www.zscaler.com/blogs/security-research/back-black-basta
Users looking for ChatGPT apps get malware instead
The massive popularity of OpenAI's chatbot ChatGPT has not gone unnoticed by cyber criminals: they are exploiting the public's eagerness to experiment with it to trick users into downloading Windows and Android malware and visiting phishing pages.
https://www.helpnetsecurity.com/2023/02/23/chatgpt-windows-android/
Stealthy Mac Malware Delivered via Pirated Apps
Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps and they could use the same method for other malware.
https://www.securityweek.com/stealthy-mac-malware-delivered-via-pirated-apps/
Anti-Forensic Techniques Used By Lazarus Group
Since approximately a year ago, the Lazarus group's malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group's activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.
https://asec.ahnlab.com/en/48223/
ChromeLoader Disguised as Illegal Game Programs Being Distributed
Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files.
https://asec.ahnlab.com/en/48211/
Vulnerabilities
Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities
Two of the vulnerabilities are considered to be of critical importance, with a CVSS score of the maximum 10 out of 10.
https://blog.talosintelligence.com/vuln-spotlight-eip-stack-group-feb-2023/
BIOS security updates: HP computers vulnerable to malicious code attacks
In updated BIOS versions for HP computers, the developers have closed several security vulnerabilities.
https://heise.de/-7524562
Firewall distribution: pfSense 23.01 closes security vulnerabilities
In the firewall distribution pfSense 23.01, the developers have closed several security vulnerabilities. They have also brought the underlying base up to date.
https://heise.de/-7525432
Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023)
Last week, there were 104 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.
https://www.wordfence.com/blog/2023/02/wordfence-intelligence-ce-weekly-vulnerability-report-feb-13-2023-to-feb-19-2023/
Security updates for Thursday
Security updates have been issued by CentOS (firefox and thunderbird), Debian (asterisk, git, mariadb-10.3, node-url-parse, python-cryptography, and sofia-sip), Fedora (c-ares, golang-github-need-being-tree, golang-helm-3, golang-oras, golang-oras-1, and golang-oras-2), Oracle (httpd:2.4, kernel, php:8.0, python-setuptools, python3, samba, systemd, tar, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (phpMyAdmin, poppler, and postgresql12), and Ubuntu (dcmtk and linux-hwe).
https://lwn.net/Articles/924236/
Case update: DIVD-2022-00052 - Multiple vulnerabilities in Cloudflow software
https://csirt.divd.nl/cases/DIVD-2022-00052/
Vulnerability in sqlite affects IBM VM Recovery Manager HA GUI
https://www.ibm.com/support/pages/node/6957680
Vulnerability in sqlite affects IBM VM Recovery Manager DR GUI
https://www.ibm.com/support/pages/node/6957708
Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI
https://www.ibm.com/support/pages/node/6957710
Vulnerability in moment-timezone affects IBM VM Recovery Manager HA GUI
https://www.ibm.com/support/pages/node/6957714
CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Advanced
https://www.ibm.com/support/pages/node/6957754
CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Standard
https://www.ibm.com/support/pages/node/6957758
CVE-2022-3509 and CVE-2022-3171 may affect IBM TXSeries for Multiplatforms
https://www.ibm.com/support/pages/node/6957764