Daily summary - 15.03.2023

End-of-Day report

Timeframe: Tuesday 14-03-2023 18:00 - Wednesday 15-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter

News

IPFS phishing and the need for correctly set HTTP security headers (Wed, Mar 15th)

In the last couple of weeks, I've noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS), an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception.

https://isc.sans.edu/diary/rss/29638


How to Find & Fix: WordPress Pharma Hack

Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don't blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site's good reputation to lure traffic to a scam.

https://blog.sucuri.net/2023/03/find-fix-wordpress-pharma-hack.html


New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining

Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...]

https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html


Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

At MDSec, we're continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.

https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/


Apple admits: iOS services can bypass VPN tunnels

Security researchers have been warning for some time that iOS routes certain traffic past an active VPN connection. According to Apple, this is intended behaviour.

https://heise.de/-7545702


Patchday: Microsoft closes actively attacked security vulnerabilities

Alongside two actively exploited security vulnerabilities, Microsoft's March Patchday delivers updates for numerous products. They close dozens of vulnerabilities.

https://heise.de/-7545903


Fake SMS from DHL steals your credit card data

The fraudulent DHL message claims that your parcel has delivery problems and that the problem can be resolved by clicking the link. Do not click the link. You will be lured to a replica DHL website where personal information and credit card data are requested. Subsequently, your credit card is activated for Apple Pay on a device you do not control.

https://www.watchlist-internet.at/news/gefaelschtes-sms-von-dhl-stiehlt-ihre-kreditkartendaten/


Uncovering Windows Events

Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn't a deep dive into how ETW works, [...]

https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54?source=rssf05f8696e3cc4


Released: March 2023 Exchange Server Security Updates

Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224


How does malware spread? Top 5 ways malware gets into your network

Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware.

https://www.emsisoft.com/en/blog/43733/how-does-malware-spread-top-5-ways-malware-gets-into-your-network/


A look at CVE-2023-23415 - a Windows ICMP vulnerability + mitigations which is not a cyber meltdown

Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It's a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it's a high CVSS score in Windows OS on a commonly used protocol.

https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerability-mitigations-which-is-not-a-cyber-meltdown-78a9f7e3e538

Vulnerabilities

Patchday: Adobe closes a zero-day and more than 100 vulnerabilities

Adobe closes 106 security holes on its March Patchday. One of them, in Adobe ColdFusion, is already being exploited by cybercriminals in attacks.

https://heise.de/-7546150


Security updates for Wednesday

Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).

https://lwn.net/Articles/926205/


SAP Patchday contains updates for critical security vulnerabilities

SAP's current Patchday covers several vulnerabilities with a CVSS score >9.0. In particular, a critical vulnerability in SAP NetWeaver AS for Java (CVE-2023-23857) is trivially exploitable: due to insufficient authentication checks, it grants attackers extensive system access without any form of authentication. Further vulnerabilities (including CVE-2023-25616 and CVE-2023-25617) allow remote code execution.

https://cert.at/de/aktuelles/2023/3/sap-patchday-enthalt-updates-fur-kritische-sicherheitslucken


ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-245/


ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-244/


ThinkPad BIOS Vulnerabilities

http://support.lenovo.com/product_security/PS500554-THINKPAD-BIOS-VULNERABILITIES


AIX is affected by a denial of service (CVE-2022-45061) due to Python

https://www.ibm.com/support/pages/node/6963342


Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component

https://www.ibm.com/support/pages/node/6963372


Multiple vulnerabilities (CVE-2022-45693, CVE-2022-4568) affect CICS Transaction Gateway for Multiplatforms

https://www.ibm.com/support/pages/node/6963612


Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier

https://www.ibm.com/support/pages/node/6963632