Daily summary - 16.03.2023

End-of-Day report

Timeframe: Wednesday 15-03-2023 18:00 - Thursday 16-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

CVE-2023-23397 - the (interesting) devil is in the details

As a rule, we do not publish a warning for vulnerabilities that the vendor fixes as part of a regular patch cycle. The motivation behind this is that we regard our warnings as a tool to bring information about critical vulnerabilities to the respective addressees with the appropriate urgency. Accordingly, we decide relatively conservatively what we warn about or against, so as not to dilute their effect. But, as so often, the exception proves the rule [...]

https://cert.at/de/blog/2023/3/cve-2023-23397-der-teufel-steckt-im-detail


CISA warns of Adobe ColdFusion bug exploited as a zero-day

CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild.

https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/


Winter Vivern APT hackers use fake antivirus scans to install malware

An advanced hacking group named Winter Vivern targets European government organizations and telecommunication service providers to conduct espionage.

https://www.bleepingcomputer.com/news/security/winter-vivern-apt-hackers-use-fake-antivirus-scans-to-install-malware/


BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion

The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.

https://www.darkreading.com/risk/bianlian-ransomware-pivots-encryption-pure-data-theft-extortion


Simple Shellcode Dissection, (Thu, Mar 16th)

Most people will never execute a suspicious program or "executable". Also, most of them cannot be delivered directly via email. Most antispam and antivirus solutions block them. But, then, how could people be so easily infected? I'll explain with the help of a file I found in a phishing campaign.

https://isc.sans.edu/diary/rss/29642


Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency

Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html


SSRF Cross Protocol Redirect Bypass

Server Side Request Forgery (SSRF) is a fairly known vulnerability with established prevention methods. So imagine my surprise when I bypassed an SSRF mitigation during a routine retest. Even worse, I have bypassed a filter that we have recommended ourselves!

https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html


Fake WhatsApp and Telegram apps hunting for crypto wallets

ESET researchers analysed Android and Windows clippers that can manipulate instant messages and use OCR to steal cryptocurrency.

https://www.welivesecurity.com/deutsch/2023/03/16/falsche-whatsapp-und-telegram-apps-auf-der-jagd-nach-krypto-wallets/


Bee-Ware of Trigona, An Emerging Ransomware Strain

Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.

https://unit42.paloaltonetworks.com/trigona-ransomware-update/


DotRunpeX - demystifying new virtualized .NET injector used in the wild

https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/

Vulnerabilities

Web conferencing: high-risk vulnerabilities in Zoom

The developers have closed several vulnerabilities in the online conferencing software Zoom. Some are rated high-risk and could allow attackers to inject code.

https://heise.de/-7547291


Critical vulnerability in Array Networks SSL VPN gateway

Array Networks' SSL VPN gateways have a critical vulnerability. Attackers could inject code from the network without authentication.

https://heise.de/-7548009


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr and pcre2), Oracle (nss), Red Hat (kpatch-patch and nss), SUSE (java-11-openjdk, kernel, and python310), and Ubuntu (emacs24, ffmpeg, firefox, imagemagick, libphp-phpmailer, librecad, and openjpeg2).

https://lwn.net/Articles/926289/


Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004

https://www.drupal.org/sa-core-2023-004


Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

https://www.drupal.org/sa-core-2023-003


Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002

https://www.drupal.org/sa-core-2023-002


Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011

https://www.drupal.org/sa-contrib-2023-011


Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010

https://www.drupal.org/sa-contrib-2023-010


Multiple vulnerabilities within OpenSSL and Node.js affect IBM App Connect Enterprise and IBM Integration Bus

https://www.ibm.com/support/pages/node/6963634


EBICs client of IBM Sterling B2B Integrator vulnerable to multiple issues due to Dojo Toolkit

https://www.ibm.com/support/pages/node/6963652


IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690)

https://www.ibm.com/support/pages/node/6963650


IBM Watson Assistant for Cloud Pak for Data is affected by vulnerabilities in Pallets Werkzeug.

https://www.ibm.com/support/pages/node/6963668


IBM Aspera Faspex can be vulnerable to improperly authorized password changes

https://www.ibm.com/support/pages/node/6963662


Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517)

https://www.ibm.com/support/pages/node/6955067


Vulnerability in PyPI cryptography and Python may affect IBM Spectrum Protect Plus File Systems Agent (CVE-2023-23931, CVE-2023-0286, CVE-2023-24329)

https://www.ibm.com/support/pages/node/6957718


Vulnerabilities in Linux Kernel may affect IBM Spectrum Protect Plus

https://www.ibm.com/support/pages/node/6963936


Multiple Vulnerabilities in Intel Firmware affect Cloud Pak System

https://www.ibm.com/support/pages/node/6611963


CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced

https://www.ibm.com/support/pages/node/6963940


CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard

https://www.ibm.com/support/pages/node/6963942


Vulnerabilities in Golang Go and Java SE might affect IBM Spectrum Copy Data Management (CVE-2022-41717, CVE-2023-21830, CVE-2023-21835, CVE-2023-21843)

https://www.ibm.com/support/pages/node/6960739


Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-2964, CVE-2022-2601, CVE-2020-36557)

https://www.ibm.com/support/pages/node/6960747


IBM Sterling B2B Integrator vulnerable to sensitive information exposure due to IBM MQ (CVE-2022-42436)

https://www.ibm.com/support/pages/node/6963954


IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server (CVE-2022-3509, CVE-2022-3171)

https://www.ibm.com/support/pages/node/6963956


IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501)

https://www.ibm.com/support/pages/node/6963962


IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364)

https://www.ibm.com/support/pages/node/6963958


IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363)

https://www.ibm.com/support/pages/node/6963960