End-of-Day report
Timeframe: Freitag 03-03-2023 18:00 - Montag 06-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Fake-Shops fälschen Zahlung mit Klarna
Die Fake-Shops scheubner.net und profibikes.de wirken sehr professionell. Vor allem die Möglichkeit mit Klarna zu bezahlen, wiegt viele in Sicherheit. Die Shops fälschen aber den Klarna-Zahlungsprozess. Geben Sie Ihre Zugangsdaten auf der nachgebauten Klarna-Zahlungsseite ein, landen diese bei Kriminellen.
https://www.watchlist-internet.at/news/fake-shops-faelschen-zahlung-mit-klarna/
DCOM-Härtung (CVE-2021-26414) zum 14. März 2023-Patchday für Windows 10/11 und Server
Kleine Erinnerung für Administratoren von Windows in Unternehmensumgebungen. In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle (Windows DCOM Server Security Feature Bypass, CVE-2021-26414), die eine Umgehung der Sicherheitsfunktionen ermöglichte. Microsoft hat das 2021 dokumentiert, und dann auch gepatcht, wobei das Schließen dieser Schwachstelle in mehreren Stufen erfolgt. Kürzlich wurde ich erinnert, dass Microsoft am 14. März 2023 einen letzten Patch freigeben wird, der die Möglichkeit zum Abschalten dieser DCOM-Härtung entfernt.
https://www.borncity.com/blog/2023/03/05/dcom-hrtung-cve-2021-26414-zum-14-mrz-2023-patchday-fr-windows-10-11-und-server/
Magbo Spam Injection Encoded with hex2bin
We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection.
https://blog.sucuri.net/2023/03/magbo-spam-injection-encoded-with-hex2bin.html
New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims
A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...]
https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.html
How to prevent Microsoft OneNote files from infecting Windows with malware
The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.
https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/
Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears
In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems.
https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-novel-ecdsa-attack-and-bitcoin-tears/
Vulnerabilities
strongSwan Vulnerability (CVE-2023-26463)
A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets.
https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html
Security updates for Monday
Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield).
https://lwn.net/Articles/925323/
Multiple Vulnerabilities in Arris DG3450 Cable Gateway
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-arris-dg3450-cable-gateway/
Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator
https://www.ibm.com/support/pages/node/6959963
Docker based datastores for IBM Instana do not currently require authentication
https://www.ibm.com/support/pages/node/6959969
IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450)
https://www.ibm.com/support/pages/node/6959973
IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068)
https://www.ibm.com/support/pages/node/6952319
A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281)
https://www.ibm.com/support/pages/node/6960159
Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064)
https://www.ibm.com/support/pages/node/6960175
IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963
https://www.ibm.com/support/pages/node/6960189
Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284)
https://www.ibm.com/support/pages/node/6960201
IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853)
https://www.ibm.com/support/pages/node/6960211
IBM Security Guardium is affected by an AWS SDK vulnerability ( CVE-2022-31159)
https://www.ibm.com/support/pages/node/6960215
IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320)
https://www.ibm.com/support/pages/node/6960213
Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206)
https://www.ibm.com/support/pages/node/258535
Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow
https://www.ibm.com/support/pages/node/258547
Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix October 2015
https://www.ibm.com/support/pages/node/273103
Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426)
https://www.ibm.com/support/pages/node/278361
Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475)
https://www.ibm.com/support/pages/node/541019