Daily summary - 06.03.2023

End-of-Day report

Timeframe: Friday 03-03-2023 18:00 - Monday 06-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

News

Fake shops forge Klarna payment

The fake shops scheubner.net and profibikes.de look very professional. In particular, the option of paying with Klarna gives many people a false sense of security. But the shops forge the Klarna payment process: if you enter your credentials on the imitation Klarna payment page, they end up with criminals.

https://www.watchlist-internet.at/news/fake-shops-faelschen-zahlung-mit-klarna/


DCOM hardening (CVE-2021-26414) on the 14 March 2023 Patch Day for Windows 10/11 and Server

A small reminder for administrators of Windows in enterprise environments. Microsoft's Windows DCOM implementation has a vulnerability (Windows DCOM Server Security Feature Bypass, CVE-2021-26414) that allowed security features to be bypassed. Microsoft documented this in 2021 and then also patched it, with the closing of this vulnerability taking place in several stages. I was recently reminded that on 14 March 2023 Microsoft will release a final patch that removes the option to disable this DCOM hardening.

https://www.borncity.com/blog/2023/03/05/dcom-hrtung-cve-2021-26414-zum-14-mrz-2023-patchday-fr-windows-10-11-und-server/


Magbo Spam Injection Encoded with hex2bin

We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection.

https://blog.sucuri.net/2023/03/magbo-spam-injection-encoded-with-hex2bin.html


New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims

A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...]

https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.html


How to prevent Microsoft OneNote files from infecting Windows with malware

The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.

https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/


Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears

In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems.

https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-novel-ecdsa-attack-and-bitcoin-tears/

Vulnerabilities

strongSwan Vulnerability (CVE-2023-26463)

A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets.

https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html


Security updates for Monday

Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield).

https://lwn.net/Articles/925323/


Multiple Vulnerabilities in Arris DG3450 Cable Gateway

https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-arris-dg3450-cable-gateway/


Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator

https://www.ibm.com/support/pages/node/6959963


Docker based datastores for IBM Instana do not currently require authentication

https://www.ibm.com/support/pages/node/6959969


IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450)

https://www.ibm.com/support/pages/node/6959973


IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068)

https://www.ibm.com/support/pages/node/6952319


A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281)

https://www.ibm.com/support/pages/node/6960159


Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064)

https://www.ibm.com/support/pages/node/6960175


IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963

https://www.ibm.com/support/pages/node/6960189


Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284)

https://www.ibm.com/support/pages/node/6960201


IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853)

https://www.ibm.com/support/pages/node/6960211


IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159)

https://www.ibm.com/support/pages/node/6960215


IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320)

https://www.ibm.com/support/pages/node/6960213


Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206)

https://www.ibm.com/support/pages/node/258535


Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow

https://www.ibm.com/support/pages/node/258547


Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix October 2015

https://www.ibm.com/support/pages/node/273103


Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426)

https://www.ibm.com/support/pages/node/278361


Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475)

https://www.ibm.com/support/pages/node/541019