Daily Summary - 07.03.2023

End-of-Day report

Timeframe: Monday 06-03-2023 18:00 - Tuesday 07-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner


Proof-of-Concept released for critical Microsoft Word RCE bug

A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds.


Old Windows "Mock Folders" UAC bypass used to drop malware

A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago.


Shein's Android App Caught Transmitting Clipboard Data to Remote Servers

An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app, which was released on December 16, 2021. The issue has since been addressed as of May 2022.


SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms

Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..]


Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing

Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).


Advertising for new fake investment platform "TradeGPT" on Facebook, Instagram & Co.

Criminals are advertising fraudulent investment platforms such as trade-gpt.ai or financialpronews.com on Instagram, Facebook and Co. The fake posts present a new trading platform, supposedly developed by Elon Musk and OpenAI. The platform, named "TradeGPT", allegedly makes it easy for "ordinary people" to get started in stock and commodity trading. The platform has nothing to do with Elon Musk or OpenAI and is fraudulent!


Fraud scheme targeting accounts payable departments

Certitude is observing an increase in online fraud against the accounts payable departments of Austrian companies. Attackers use social engineering via e-mail to get suppliers' bank account details changed at the suppliers' customers. The losses frequently amount to several hundred thousand euros and lead to legal disputes between the affected companies.


Using Memory Analysis to Detect EDR-Nullifying Malware

One tool Trend Micro described, dubbed "AVBurner", used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis.


Is anyone here using SHA-3? The reference implementation ...

Is anyone here using SHA-3? The reference implementation has an integer overflow.


Multiple vulnerabilities in PostgreSQL extension module pg_ivm

* Exposure of sensitive information to an unauthorized actor - CVE-2023-22847
* Uncontrolled search path element - CVE-2023-23554


ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.


ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability.


Patch day: Critical system vulnerabilities threaten Android 11, 12 and 13

Google has released important security updates for Android devices. In the worst case, attackers could execute malicious code.


Security updates for Tuesday

Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff).


Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities


WordPress BuddyForms Plugin - Unauthenticated Insecure Deserialization (CVE-2023-26326)


Docker based datastores for IBM Instana do not currently require authentication


IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068)


IBM Spectrum Symphony is vulnerable to Host header injection


IBM Data Risk Manager is affected by multiple vulnerabilities


IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy


IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel


IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities


IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities.


IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450)


IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715)