End-of-Day report
Timeframe: Tuesday 14-03-2023 18:00 - Wednesday 15-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th)
In the last couple of weeks, I've noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS) - an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception.
https://isc.sans.edu/diary/rss/29638
How to Find & Fix: WordPress Pharma Hack
Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don't blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site's good reputation to lure traffic to a scam.
https://blog.sucuri.net/2023/03/find-fix-wordpress-pharma-hack.html
New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining
Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...]
https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html
Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability
At MDSec, we're continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.
https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
Apple admits: iOS services can bypass VPN tunnels
iOS routes certain traffic past an active VPN connection, security researchers have been warning for some time. According to Apple, this is intended behaviour.
https://heise.de/-7545702
Patchday: Microsoft patches actively exploited security vulnerabilities
Alongside two actively exploited security vulnerabilities, Microsoft's March Patch Tuesday delivers updates for numerous products. They close dozens of vulnerabilities.
https://heise.de/-7545903
Fake SMS from DHL steals your credit card data
The fraudulent DHL message claims that your package has delivery problems. The problem can supposedly be resolved by clicking the link. Do not click the link. You will be lured to a replica DHL website where personal information and credit card data are requested. Subsequently, your credit card is activated for Apple Pay on a third-party device.
https://www.watchlist-internet.at/news/gefaelschtes-sms-von-dhl-stiehlt-ihre-kreditkartendaten/
Uncovering Windows Events
Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn't a deep dive into how ETW works, [...]
https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54?source=rssf05f8696e3cc4
Released: March 2023 Exchange Server Security Updates
Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224
How does malware spread? Top 5 ways malware gets into your network
Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware.
https://www.emsisoft.com/en/blog/43733/how-does-malware-spread-top-5-ways-malware-gets-into-your-network/
A look at CVE-2023-23415 - a Windows ICMP vulnerability + mitigations which is not a cyber meltdown
Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It's a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it's a high CVSS score in Windows OS on a commonly used protocol.
https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerability-mitigations-which-is-not-a-cyber-meltdown-78a9f7e3e538
Vulnerabilities
Patchday: Adobe closes zero-day vulnerability and more than 100 security flaws
Adobe patches 106 security holes on its March Patch Tuesday. One of them, in Adobe ColdFusion, is already being exploited by cybercriminals in attacks.
https://heise.de/-7546150
Security updates for Wednesday
Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).
https://lwn.net/Articles/926205/
SAP Patch Day contains updates for critical vulnerabilities
SAP's current Patch Day includes several vulnerabilities with a CVSS score above 9.0. In particular, a critical vulnerability in SAP NetWeaver AS for Java (CVE-2023-23857) is trivially exploitable; due to insufficient authentication checks, it grants attackers extensive system access without any form of authentication. Further vulnerabilities (among others CVE-2023-25616, CVE-2023-25617) allow remote code execution.
https://cert.at/de/aktuelles/2023/3/sap-patchday-enthalt-updates-fur-kritische-sicherheitslucken
ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-245/
ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-244/
ThinkPad BIOS Vulnerabilities
http://support.lenovo.com/product_security/PS500554-THINKPAD-BIOS-VULNERABILITIES
AIX is affected by a denial of service (CVE-2022-45061) due to Python
https://www.ibm.com/support/pages/node/6963342
Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component
https://www.ibm.com/support/pages/node/6963372
Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-4568) affect CICS Transaction Gateway for Multiplatforms.
https://www.ibm.com/support/pages/node/6963612
Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier
https://www.ibm.com/support/pages/node/6963632