End-of-Day report
Timeframe: Tuesday 28-02-2023 18:00 - Wednesday 01-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
TPM 2.0 specifications: Attackers could smuggle malicious code onto the TPM
Errors have crept into the specification of the TPM 2.0 reference library. Attackers could foist their own code on vulnerable implementations.
https://heise.de/-7531171
Finish him! Free decryption tool defeats MortalKombat ransomware
The MortalKombat ransomware has barely seen the light of day, and security researchers are already winding up for the final blow.
https://heise.de/-7531337
Fake PayLife login in ads in Google search!
PayLife users beware: criminals are currently running ads on Google that lead to a fake PayLife website. A small typo is enough to get the fraudulent ad displayed as the first result. Anyone who enters their login credentials on the phishing page enables the criminals to make payments. The money is lost!
https://www.watchlist-internet.at/news/gefaelschter-paylife-login-in-anzeigen-bei-google-suche/
The dangers from across browser-windows
When browsing the web, your browser tries to protect you as best it can, but sometimes it fails to do so when it is not properly instructed by the website you are visiting. One of the browser's most important security mechanisms is the Same-Origin Policy [1][2][3] (SOP), which restricts how scripts and documents from one origin may interact with resources and documents from a [...]
https://certitude.consulting/blog/de/the-dangers-from-across-browser-windows/
BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11
Security researchers at ESET have discovered malware in the wild, dubbed BlackLotus, that takes control of the UEFI. BlackLotus is likely the first UEFI bootkit malware in the wild that can defeat Secure Boot on Windows 11 (and probably Windows 10 as well).
https://www.borncity.com/blog/2023/03/01/blacklotus-uefi-bootkit-berwindet-secure-boot-in-windows-11/
CISA: ZK Java Framework RCE Flaw Under Active Exploit
The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.
https://www.darkreading.com/risk/cisa-zk-java-framework-rce-flaw-under-active-exploit
SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
DNS abuse: Advice for incident responders
What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers.
https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-responders/
Google Cloud Platform allows data exfiltration without a (forensic) trace
Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP's storage access logs, Mitiga researchers have discovered. [...] In short, the main problem is that GCP's basic storage logs - which are, by the way, not enabled by default - use the same description/event (objects.get) for [...]
https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/
Making New Connections - Leveraging Cisco AnyConnect Client to Drop and Run Payloads
The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements [...]
https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-cisco-anyconnect-client-to-drop-and-run-payloads/
The Level of Human Engagement Behind Automated Attacks
Even automated attacks are driven by humans, but the level of engagement we observed may surprise you! When the human or an organization behind an automated attack shows higher levels of innovation and sophistication in their attack tactics, the danger increases dramatically as they are no longer simply employing an opportunistic "spray and pray" strategy, but rather more highly evolved strategies that are closer to a so-called targeted attack.
https://www.gosecure.net/blog/2023/02/28/the-level-of-human-engagement-behind-automated-attacks/
Vulnerabilities
Security updates for Wednesday
Security updates have been issued by Debian (multipath-tools and syslog-ng), Fedora (gnutls and guile-gnutls), Oracle (git, httpd, lua, openssl, php, python-setuptools, python3.9, sudo, tar, and vim), Red Hat (kpatch-patch), Scientific Linux (git), SUSE (compat-openssl098, glibc, openssl, postgresql13, python-Django, webkit2gtk3, and xterm), and Ubuntu (awstats, expat, firefox, gnutls28, lighttpd, php7.2, php7.4, php8.1, python-pip, and tar).
https://lwn.net/Articles/924794/
Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products
Several ThingWorx and Kepware products are affected by two vulnerabilities that can be exploited for DoS attacks and unauthenticated remote code execution.
https://www.securityweek.com/critical-vulnerabilities-patched-in-thingworx-kepware-iiot-products/
Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-pi-epnm-xss-mZShH2J
Cisco Webex App for Web Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-Yn8HHsMJ
Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP
Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-proxy-dos-vY5dQhrV
Cisco Unified Intelligence Center Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuic-infodisc-ssrf-84ZBmwVk
TPM 2.0 Vulnerabilities
https://support.lenovo.com/product_security/PS500551-TPM-20-VULNERABILITIES
Nuvoton TPM Denial of Service Vulnerability
https://support.lenovo.com/product_security/PS500550-NUVOTON-TPM-DENIAL-OF-SERVICE-VULNERABILITY
Malicious IKEv2 packet by authenticated peer can cause libreswan to restart
https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
[R1] Stand-alone Security Patch Available for Tenable.sc version 5.23.1: SC-202303.1-5
https://www.tenable.com/security/tns-2023-08
[R1] Stand-alone Security Patch Available for Tenable.sc version 6.0.0: SC-202303.1-6
https://www.tenable.com/security/tns-2023-07
IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165)
https://www.ibm.com/support/pages/node/6856457
DataPower Operator vulnerable to Denial of Service (CVE-2022-41724)
https://www.ibm.com/support/pages/node/6958490
Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities.
https://www.ibm.com/support/pages/node/6958504
Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-22389, CVE-2022-25313, CVE-2022-25236, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235 and CVE-2022-22390)
https://www.ibm.com/support/pages/node/6959019
Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor
https://www.ibm.com/support/pages/node/6959033
IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL
https://www.ibm.com/support/pages/node/6958701
IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509)
https://www.ibm.com/support/pages/node/6957688
IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902)
https://www.ibm.com/support/pages/node/6957686