End-of-Day report
Timeframe: Thursday 16-03-2023 18:00 - Friday 17-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Adobe Acrobat Sign abused to push Redline info-stealing malware
Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users.
https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to-push-redline-info-stealing-malware/
Hitachi Energy confirms data breach after Clop GoAnywhere attacks
Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data by exploiting a zero-day vulnerability in GoAnywhere.
https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data-breach-after-clop-goanywhere-attacks/
How to Google Dork a Specific Website for Hacking
You might pride yourself on being savvy in cyber security but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools.
https://www.stationx.net/how-to-google-dork-a-specific-website/
Chaos Malware Quietly Evolves Persistence and Evasion Techniques
The name Chaos is being used for a ransomware strain, a remote access trojan (RAT), and now a DDoS malware variant too. Talk about chaos! In this case, Sysdig's Threat Research Team captured attacks using the Chaos variant of the Kaiji botnet malware. There is very little reported information on this malware since September 2022, perhaps because of the unfortunately chaotic naming, or simply because it is relatively new.
https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/
Free decryptor released for Conti-based ransomware following data leak
Security researchers have released a new decryption tool that should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free.
https://www.tripwire.com/state-of-security/free-decryptor-released-conti-based-ransomware-following-data-leak
Phishing wave: Beware of fake Disney+ emails
Have you received an email in which Disney+ informs you that a payment has failed? Delete the message or move it to the SPAM folder - it is a phishing attempt! The emails are being sent out en masse with the subject "Aussetzung Ihres Disney+ Kontos" (suspension of your Disney+ account) or "Sperrung Ihres Disney+ Kontos" (blocking of your Disney+ account)!
https://www.watchlist-internet.at/news/phishing-welle-vorsicht-vor-fake-disney-mails/
#StopRansomware: LockBit 3.0
This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
Windows 10/11: Microsoft releases script for the WinRE BitLocker bypass fix
Since November 2022 it has been known that there is a BitLocker bypass vulnerability, CVE-2022-41099, in the Windows Recovery Environment (WinRE). Patching it, however, is anything but simple.
https://www.borncity.com/blog/2023/03/17/windows-10-11-microsoft-verffentlicht-script-fr-den-winre-bitlocker-bypass-fix/
ShellBot Malware Being Distributed to Linux SSH Servers
AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.
https://asec.ahnlab.com/en/49769/
Debugging D-Link: Emulating firmware and hacking hardware
GreyNoise researchers explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface.
https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacking-hardware
Vulnerabilities
Exynos: Google finds severe zero-days in Samsung chips
The affected devices can be hacked over the internet, including smartphones from Samsung, Google and Vivo as well as wearables and cars.
https://www.golem.de/news/exynos-google-findet-schwerwiegende-zero-days-in-samsung-chips-2303-172724.html
Honeywell OneWireless Wireless Device Manager
https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06
Rockwell Automation Modbus TCP AOI Server
https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-07
Omron CJ1M PLC
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-01
AVEVA Plant SCADA and AVEVA Telemetry Server
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-04
Autodesk FBX SDK
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-02
[R1] Sensor Proxy Version 1.0.7 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2023-15
IBM Planning Analytics Workspace is affected by vulnerabilities (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149)
https://www.ibm.com/support/pages/node/6957836
IBM Cognos Command Center is affected by multiple vulnerabilities
https://www.ibm.com/support/pages/node/6555376
InfoSphere Identity Insight vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364)
https://www.ibm.com/support/pages/node/6963974
Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517)
https://www.ibm.com/support/pages/node/6956237
IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999]
https://www.ibm.com/support/pages/node/6964166
Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930)
https://www.ibm.com/support/pages/node/6963640
Vulnerability in Java SE may affect IBM Spectrum Protect Operations Center (CVE-2022-21626)
https://www.ibm.com/support/pages/node/6963642
IBM Sterling Control Center is vulnerable to denial of service due to Node.js Angular (CVE-2022-25844)
https://www.ibm.com/support/pages/node/6964174
IBM Sterling Control Center is vulnerable to denial of service due to Apache commons-fileupload (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6964176
AIX is vulnerable to denial of service vulnerabilities
https://www.ibm.com/support/pages/node/6847947
AIX is vulnerable to a denial of service due to lpd (CVE-2022-43382)
https://www.ibm.com/support/pages/node/6848309