Daily summary - 13.03.2023

End-of-Day report

Timeframe: Friday 10-03-2023 18:00 - Monday 13-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Clop ransomware: victims of the GoAnywhere attacks now have to pay

Due to a security vulnerability in the file transfer solution GoAnywhere MFT, attackers were able to strike and are now extorting companies.

https://heise.de/-7543629


Banking trojan: 400 institutions targeted by Android malware

IT researchers are observing the further development of the Android banking trojan Xenomorph. It now targets 400 financial institutions.

https://heise.de/-7543682


The tax office does not send garnishment threats by SMS!

Fraudulent SMS messages in the name of the tax office are currently once again being sent out in bulk. Allegedly, despite several reminders, you have failed to pay an outstanding claim against you, and a bailiff would therefore now seize your household goods. Attention: do not pay the claim! The message does not come from the tax office, and your money ends up with criminals.

https://www.watchlist-internet.at/news/das-finanzamt-versendet-keine-pfaendungsandrohungen-per-sms/


Security researchers targeted with new malware via job offers on LinkedIn

A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families.

https://www.bleepingcomputer.com/news/security/security-researchers-targeted-with-new-malware-via-job-offers-on-linkedin/


Medusa ransomware gang picks up steam as it targets companies worldwide

A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.

https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/


DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit

DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, including an open-source kit capable of circumventing MFA through reverse-proxy functionality.

https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/


Overview of a Mirai Payload Generator, (Sat, Mar 11th)

The Mirai[1] botnet has been active for years. It was the first botnet targeting devices running Linux, like camera recorders. Our first diary about it was in 2016![2] Still today, my honeypot is hit by hundreds of Mirai requests every day! I found a Python script that generates a Mirai payload (SHA256:f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e[3]) and deploys networking services to serve it via FTP, HTTP, and TFTP. Nothing very fancy, but it will give you a good idea about how Linux hosts are abused to deliver malicious payloads.

https://isc.sans.edu/diary/rss/29624


BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads

The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom.

https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html


"FakeGPT": New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs

A Chrome extension offering quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Particularly notable is the use of a malicious Facebook app, silently forced onto the account as a backdoor, which gives the threat actors super-admin permissions.

https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-stealing-facebook-ad-accounts-with-4c9996a8f282


Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware

Since November 2022 there has been a 200-300% month-on-month increase in YouTube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other licensed products that are available only to paying users.

https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware


Persistence - Context Menu

The context menu provides shortcuts that let the user perform a number of actions. It is invoked with a right mouse click, a very common action for every Windows user. In offensive operations this action could be weaponized for persistence by executing shellcode every time the user opens the context menu.

https://pentestlab.blog/2023/03/13/persistence-context-menu/


CISA Warns of Plex Vulnerability Linked to LastPass Hack

CISA has added vulnerabilities in Plex Media Server and VMware NSX-V to its Known Exploited Vulnerabilities catalog.

https://www.securityweek.com/cisa-warns-of-plex-vulnerability-linked-to-lastpass-hack/

Vulnerabilities

Clipchamp (Microsoft Office Product) - Google IAP Authorization bypass allowed access to Internal Environment Leading to Zero Interaction Account takeover

[...] After further research it was discovered that the authorization checks are enforced only at the front end (https://app.*.clipchamp.com/) and not when invoking the /v2/ API endpoints with the expected parameters. Enumerating all the internal endpoints, it was found that https://app.smoke.clipchamp.com/v2 was leaking the JWT Authentication Bearer Token for any attacker-provided user on the platform, leading to Zero Interaction Account takeover for any Clipchamp user on the Smoke environment.

https://blog.agilehunt.com/blogs/security/msrc-critical-google-iap-authorization-bypass-allows-access-to-internal-envirnment-leading-to-zero-interaction-account-takeover


Critical security vulnerabilities: Lexmark updates firmware for many printers

Various Lexmark printers have critical security vulnerabilities that allow attackers to execute malicious code. Updates are already available.

https://heise.de/-7543959


Security updates for Monday

Security updates have been issued by Debian (imagemagick, libapache2-mod-auth-mellon, mpv, rails, and ruby-sidekiq), Fedora (chromium, dcmtk, and strongswan), Mageia (chromium-browser-stable, dcmtk, kernel, kernel-linus, libreswan, microcode, redis, and tmux), SUSE (postgresql14 and python39), and Ubuntu (linux-kvm, linux-raspi-5.4, and thunderbird).

https://lwn.net/Articles/925987/


Shodan Verified Vulns 2023-03-01

As of 2023-03-01, Shodan sees the following vulnerabilities in Austria: [...] The vulnerabilities CVE-2021-43798 (Grafana Path Traversal Vulnerability) and CVE-2022-32548 (DrayTek Authentication Bypass Vulnerability) are once again included in Shodan's data; in the previous month this data was missing. Compared with the data from January 2023, no notable changes can be seen. The vulnerability CVE-2022-36804 behaves similarly [...]

https://cert.at/de/aktuelles/2023/3/shodan-verified-vulns-2023-03-01


IBM Security Bulletins 2023-03-13

* A vulnerability (CVE-2022-21299) in IBM Java Runtime affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* A vulnerability has been identified in IBM Spectrum Scale which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927)
* EBICS Client of IBM Sterling B2B Integrator vulnerable to multiple issues due to jQuery
* IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364)
* IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758)
* IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509)
* IBM Security Guardium is affected by multiple vulnerabilities
* IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690, CVE-2014-8152)
* IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Security (CVE-2022-31692, CVE-2022-22978)
* June 2022: Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-21628, CVE-2022-21626)
* Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2023
* SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* The dashboard UI of IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-22876)
* There is a vulnerability in Apache Commons BCEL used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-42920)
* Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1)
* Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1)
* Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-3509, CVE-2022-3171)

https://www.ibm.com/support/pages/bulletin/


[R1] Tenable Plugin Feed ID #202212081952 Fixes Arbitrary Code Execution Vulnerability

https://www.tenable.com/security/tns-2023-14