Tageszusammenfassung - 06.03.2023

End-of-Day report

Timeframe: Freitag 03-03-2023 18:00 - Montag 06-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter


Fake-Shops fälschen Zahlung mit Klarna

Die Fake-Shops scheubner.net und profibikes.de wirken sehr professionell. Vor allem die Möglichkeit mit Klarna zu bezahlen, wiegt viele in Sicherheit. Die Shops fälschen aber den Klarna-Zahlungsprozess. Geben Sie Ihre Zugangsdaten auf der nachgebauten Klarna-Zahlungsseite ein, landen diese bei Kriminellen.


DCOM-Härtung (CVE-2021-26414) zum 14. März 2023-Patchday für Windows 10/11 und Server

Kleine Erinnerung für Administratoren von Windows in Unternehmensumgebungen. In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle (Windows DCOM Server Security Feature Bypass, CVE-2021-26414), die eine Umgehung der Sicherheitsfunktionen ermöglichte. Microsoft hat das 2021 dokumentiert, und dann auch gepatcht, wobei das Schließen dieser Schwachstelle in mehreren Stufen erfolgt. Kürzlich wurde ich erinnert, dass Microsoft am 14. März 2023 einen letzten Patch freigeben wird, der die Möglichkeit zum Abschalten dieser DCOM-Härtung entfernt.


Magbo Spam Injection Encoded with hex2bin

We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection.


New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims

A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...]


How to prevent Microsoft OneNote files from infecting Windows with malware

The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.


Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears

In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems.



strongSwan Vulnerability (CVE-2023-26463)

A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets.


Security updates for Monday

Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield).


Multiple Vulnerabilities in Arris DG3450 Cable Gateway


Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator


Docker based datastores for IBM Instana do not currently require authentication


IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450)


IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068)


A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281)


Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064)


IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963


Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284)


IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853)


IBM Security Guardium is affected by an AWS SDK vulnerability ( CVE-2022-31159)


IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320)


Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206)


Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow


Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix October 2015


Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426)


Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475)