Daily summary - 15.03.2023

End-of-Day report

Timeframe: Tuesday 14-03-2023 18:00 - Wednesday 15-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter


IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th)

In the last couple of weeks, I've noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS), an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception.


How to Find & Fix: WordPress Pharma Hack

Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don't blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site's good reputation to lure traffic to a scam.


New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining

Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...]


Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

At MDSec, we're continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.


Apple admits: iOS services can bypass VPN tunnels

iOS routes certain traffic past an active VPN connection, security researchers have been warning for some time. According to Apple, this is intended behaviour.


Patch Tuesday: Microsoft closes actively exploited security vulnerabilities

In addition to two actively exploited security vulnerabilities, Microsoft's March Patch Tuesday delivers updates for numerous products. They close dozens of flaws.


Fake SMS from DHL steals your credit card details

The fraudulent DHL message claims that your parcel has delivery problems and that the problem can be resolved by clicking on the link. Do not click on the link. You will be lured to a replica DHL website where personal information and credit card details are requested. Subsequently, your credit card is activated for Apple Pay on a device belonging to someone else.


Uncovering Windows Events

Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn't a deep dive into how ETW works, [...]


Released: March 2023 Exchange Server Security Updates

Microsoft has released Security Updates (SUs) for vulnerabilities found in Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.


How does malware spread? Top 5 ways malware gets into your network

Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware.


A look at CVE-2023-23415 - a Windows ICMP vulnerability + mitigations which is not a cyber meltdown

Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It's a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it's a high CVSS score in Windows OS on a commonly used protocol.



Patch Tuesday: Adobe closes a zero-day vulnerability and more than 100 flaws

Adobe closes 106 security holes on its March Patch Tuesday. One of them, in Adobe ColdFusion, is already being abused by cybercriminals in attacks.


Security updates for Wednesday

Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).


SAP Patch Day contains updates for critical security vulnerabilities

SAP's current Patch Day covers several vulnerabilities with a CVSS score >9.0. In particular, a critical vulnerability in SAP NetWeaver AS for Java (CVE-2023-23857) is trivially exploitable: due to insufficient authentication checks, it grants attackers extensive system access without any form of authentication. Further vulnerabilities (including CVE-2023-25616 and CVE-2023-25617) enable remote code execution.


ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability


ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability


ThinkPad BIOS Vulnerabilities


AIX is affected by a denial of service (CVE-2022-45061) due to Python


Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component


Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-4568) affect CICS Transaction Gateway for Multiplatforms.


Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier