Daily summary - 23.02.2023

End-of-Day report

Timeframe: Wednesday 22-02-2023 18:00 - Thursday 23-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

New S1deload Stealer malware hijacks Youtube, Facebook accounts

An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency.

https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware-hijacks-youtube-facebook-accounts/


Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries

Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.

https://thehackernews.com/2023/02/python-developers-warned-of-trojanized.html


Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers.

https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html


OffSec Tools

This repository is intended for pentesters and red teamers using a variety of offensive security tools during their assessments. The repository is a collection of useful tools suitable for assessments in internal environments.

https://github.com/Syslifters/offsec-tools


Technical Analysis of BlackBasta Ransomware 2.0

Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates.

https://www.zscaler.com/blogs/security-research/back-black-basta


Users looking for ChatGPT apps get malware instead

The massive popularity of OpenAI's chatbot ChatGPT has not gone unnoticed by cyber criminals: they are exploiting the public's eagerness to experiment with it to trick users into downloading Windows and Android malware and visiting phishing pages.

https://www.helpnetsecurity.com/2023/02/23/chatgpt-windows-android/


Stealthy Mac Malware Delivered via Pirated Apps

Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps and they could use the same method for other malware.

https://www.securityweek.com/stealthy-mac-malware-delivered-via-pirated-apps/


Anti-Forensic Techniques Used By Lazarus Group

For approximately a year, the Lazarus group's malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group's activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.

https://asec.ahnlab.com/en/48223/


ChromeLoader Disguised as Illegal Game Programs Being Distributed

Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files.

https://asec.ahnlab.com/en/48211/

Vulnerabilities

Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities

Two of the vulnerabilities are considered of critical importance, with the maximum CVSS score of 10 out of 10.

https://blog.talosintelligence.com/vuln-spotlight-eip-stack-group-feb-2023/


BIOS security updates: HP computers vulnerable to malicious code attacks

In updated BIOS versions for HP computers, the developers have closed several security vulnerabilities.

https://heise.de/-7524562


Firewall distribution: pfSense 23.01 closes security vulnerabilities

In the firewall distribution pfSense 23.01, the developers have closed several security vulnerabilities. They have also brought the underlying base system up to date.

https://heise.de/-7525432


Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023)

Last week, there were 104 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.

https://www.wordfence.com/blog/2023/02/wordfence-intelligence-ce-weekly-vulnerability-report-feb-13-2023-to-feb-19-2023/


Security updates for Thursday

Security updates have been issued by CentOS (firefox and thunderbird), Debian (asterisk, git, mariadb-10.3, node-url-parse, python-cryptography, and sofia-sip), Fedora (c-ares, golang-github-need-being-tree, golang-helm-3, golang-oras, golang-oras-1, and golang-oras-2), Oracle (httpd:2.4, kernel, php:8.0, python-setuptools, python3, samba, systemd, tar, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (phpMyAdmin, poppler, and postgresql12), and Ubuntu (dcmtk and linux-hwe).

https://lwn.net/Articles/924236/


Case update: DIVD-2022-00052 - Multiple vulnerabilities in Cloudflow software

https://csirt.divd.nl/cases/DIVD-2022-00052/


Vulnerability in sqlite affects IBM VM Recovery Manager HA GUI

https://www.ibm.com/support/pages/node/6957680


Vulnerability in sqlite affects IBM VM Recovery Manager DR GUI

https://www.ibm.com/support/pages/node/6957708


Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI

https://www.ibm.com/support/pages/node/6957710


Vulnerability in moment-timezone affects IBM VM Recovery Manager HA GUI

https://www.ibm.com/support/pages/node/6957714


CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Advanced

https://www.ibm.com/support/pages/node/6957754


CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Standard

https://www.ibm.com/support/pages/node/6957758


CVE-2022-3509 and CVE-2022-3171 may affect IBM TXSeries for Multiplatforms

https://www.ibm.com/support/pages/node/6957764