End-of-Day report
Timeframe: Monday 06-03-2023 18:00 - Tuesday 07-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
Proof-of-Concept released for critical Microsoft Word RCE bug
A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds.
https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/
Old Windows 'Mock Folders' UAC bypass used to drop malware
A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago.
https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac-bypass-used-to-drop-malware/
Shein's Android App Caught Transmitting Clipboard Data to Remote Servers
An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022.
https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.html
SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..]
https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.html
Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing
Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).
https://www.securityweek.com/exploitation-of-critical-vulnerability-in-end-of-life-vmware-product-ongoing/
Advertising for new fake investment platform "TradeGPT" on Facebook, Instagram & Co.
Criminals are promoting fraudulent investment platforms such as trade-gpt.ai or financialpronews.com on Instagram, Facebook and Co. The fake posts present a new trading platform, supposedly developed by Elon Musk and OpenAI. The platform, named "TradeGPT", allegedly makes it easy for "ordinary people" to get into stock and commodity trading. The platform has nothing to do with Elon Musk or OpenAI and is fraudulent!
https://www.watchlist-internet.at/news/werbung-fuer-neue-fake-investment-plattformen-tradegpt-auf-facebook-instagram-co/
Fraud scheme targeting accounting departments
Certitude is observing a cluster of online fraud targeting the accounting departments of Austrian companies. Attackers use social engineering by e-mail to get suppliers' bank account details changed at those suppliers' customers. The losses frequently amount to several hundred thousand euros and lead to legal disputes between the companies involved.
https://certitude.consulting/blog/de/betrugsmasche-gegen-verrechnung/
Using Memory Analysis to Detect EDR-Nullifying Malware
One tool Trend Micro described, dubbed 'AVBurner', used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis.
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
Vulnerabilities
Is anyone here using SHA-3? The reference implementation ...
Is anyone here using SHA-3? The reference implementation has an integer overflow.
http://blog.fefe.de/?ts=9af9c7a3
Multiple vulnerabilities in PostgreSQL extension module pg_ivm
* Exposure of sensitive information to an unauthorized actor - CVE-2023-22847
* Uncontrolled search path element - CVE-2023-23554
https://jvn.jp/en/jp/JVN19872280/
ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-23-212/
ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-23-214/
Patchday: Critical system vulnerabilities threaten Android 11, 12 and 13
Google has released important security updates for Android devices. In the worst case, attackers could execute malicious code.
https://heise.de/-7537197
Security updates for Tuesday
Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff).
https://lwn.net/Articles/925469/
Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-cmd-inj-KMFynVcP
PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT
https://cert.vde.com/de/advisories/VDE-2022-053/
WordPress BuddyForms Plugin - Unauthenticated Insecure Deserialization (CVE-2023-26326)
https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthenticated-insecure-deserialization-cve-2023-26326-3becb5575ed8?source=rss68728ef067324
Docker based datastores for IBM Instana do not currently require authentication
https://www.ibm.com/support/pages/node/6959969
IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068)
https://www.ibm.com/support/pages/node/6952319
IBM Spectrum Symphony is vulnerable to Host header injection
https://www.ibm.com/support/pages/node/6959369
IBM Data Risk Manager is affected by multiple vulnerabilities
https://www.ibm.com/support/pages/node/6960473
IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy
https://www.ibm.com/support/pages/node/6960481
IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel
https://www.ibm.com/support/pages/node/6960485
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
https://www.ibm.com/support/pages/node/6960493
IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities.
https://www.ibm.com/support/pages/node/6960495
IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450)
https://www.ibm.com/support/pages/node/6960511
IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715)
https://www.ibm.com/support/pages/node/6828569