End-of-Day report
Timeframe: Thursday 09-03-2023 18:00 - Friday 10-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Security: Github introduces mandatory 2FA
Anyone selected by Github must set up two-factor authentication (2FA) within 45 days.
https://www.golem.de/news/security-github-fuehrt-verpflichtende-2fa-ein-2303-172551.html
Vulnerabilities in the Bitwarden password manager browser extension can reveal passwords
Users of the Bitwarden password manager run the risk that the auto-fill function leaks credentials when they visit websites. Malicious websites could steal credentials via an IFRAME embedded in trusted pages and send them to an attacker.
https://www.borncity.com/blog/2023/03/10/schwachstellen-in-bitwarden-password-manager-browserweiterung-knnen-passwrter-verraten/
New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic
The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.
https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html
EJS - Server Side Prototype Pollution gadgets to RCE
Last month (February 2023), I took a look into NodeJS HTML templating libraries. During my research, I found an interesting Server Side Prototype Pollution (SSPP) gadget in the EJS library which can be leveraged to RCE. After finding this issue, I spent a week searching for an SSPP in express core or dependencies, but I didn't find any issue. That's why, after reporting this issue to the repository maintainer, I'm making an article to explain technical details.
https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce
How to Avoid LDAP Injection Attacks
The key vulnerability that puts an application at risk of LDAP injection is improperly processed user input. Applications that don't sanitize or validate user input are open to LDAP injection attacks because of the structure of LDAP statements and queries.
https://www.trendmicro.com/en_us/devops/23/c/avoid-ldap-injection-attacks.html
The Silent Spy Among Us: Modern Attacks Against Smart Intercoms
What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project that uncovered 13 vulnerabilities in the popular Akuvox E11. The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device's camera and microphone, steal video and images, or gain a network foothold.
https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-against-smart-intercoms
Multi-Technology Script Leading to Browser Hijacking
[..] in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don't know where it's coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT.
https://isc.sans.edu/diary/rss/29620
The oldest privesc: injecting careless administrators terminals using TTY pushback
This trick is possibly the oldest security bug that still exists today; it's been traced as far back as 1985. It's been discovered and rediscovered and re-rediscovered by sysadmins, developers and pentesters every few years for close to 4 decades now. It's been the subject of multiple developer battles and countless posts, but still remains largely forgotten. This is just another attempt at shedding light on it, for both attackers and defenders.
https://www.errno.fr/TTYPushback.html
When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About
Multi-factor Authentication (MFA) has long ago become a standard security practice. [..] While compatible with RDP connections and local desktop logins, they offer no protection to remote command line access tools like PsExec, Remote PowerShell and their likes. [..] In this article we'll explore this blind spot, understand its root cause and implications, and view the different options security teams have to overcome it and keep their environments protected.
https://thehackernews.com/2023/03/when-partial-protection-is-zero.html
Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)
The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation (described in this blog post), or to translate to arbitrary code execution from argument injection, file overwrites, etc.
https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.html
Unauthorized access to Codespace secrets in GitHub
We identified a security issue in GitHub's Repository Security Advisory feature (https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories) that allowed us to retrieve plaintext Codespace secrets of any organization, including GitHub.
https://ophionsecurity.com/blog/access-organization-secrets-in-github
Pirated copies of Final Cut Pro infect Macs with cryptojacking malware
Torrents on The Pirate Bay which claim to contain Final Cut Pro are instead being used to distribute malware, designed to infect your Mac with cryptojacking malware.
https://grahamcluley.com/pirated-copies-of-final-cut-pro-infect-macs-with-cryptojacking-malware/
GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers
New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility.
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/
Netcat Attack Cases Targeting MS-SQL Servers (LOLBins)
ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike.
https://asec.ahnlab.com/en/49249/
Everything You Didn't Know About Cross-Account and Cross-Cloud Provider Attacks
Wait, did you say "Cross-Cloud Provider Attacks"? Yes, this is actually a growing type of attack path: as organizations increasingly adopt multiple cloud platforms, their lack of security visibility across the clouds makes them a sitting target for these types of attacks.
https://orca.security/resources/blog/cross-account-cross-provider-attack-paths/
Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices
Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
Vulnerabilities
Security updates for Friday
Security updates have been issued by Debian (chromium and wireless-regdb), Fedora (caddy, python-cryptography, and redis), Oracle (gnutls), SUSE (hdf5, opera, python-Django, redis, tomcat, and xen), and Ubuntu (apache2 and snakeyaml).
https://lwn.net/Articles/925840/
IBM Security Bulletins 2023-03-10
* Apache Commons Beanutils (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2019-10086, CVE-2014-0114)
* Apache Commons FileUpload (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2023-24998)
* Apache Commons IO (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2021-29425)
* IBM MQ is affected by a vulnerability in Apache Commons Net (CVE-2021-37533)
* IBM QRadar WinCollect agent has multiple vulnerabilities
* IBM QRadar Wincollect agent is vulnerable to server side request forgery (SSRF) (CVE-2022-43879)
* IBM SDK, Java Technology Edition, Security Update February 2023
* multiple vulnerabilities in Java SE may affect CICS TX Advanced
* multiple vulnerabilities in Java SE may affect CICS TX Standard
* multiple vulnerabilities in Java SE may affect TXSeries for Multiplatforms
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Advanced
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Standard
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect TXSeries for Multiplatforms
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Advanced
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Standard
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect TXSeries for Multiplatforms
* Watson CP4D Data Stores is vulnerable to jackson-databind due to FasterXML jackson-databind before 2.14.0-rc1 (CVE-2022-42003)
https://www.ibm.com/support/pages/bulletin/
[R1] Nessus Agent Version 10.3.2 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2023-12
[R1] Nessus Agent Version 8.3.5 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2023-13