Daily summary - 17.03.2023

End-of-Day report

Timeframe: Thursday 16-03-2023 18:00 - Friday 17-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a

News

Adobe Acrobat Sign abused to push Redline info-stealing malware

Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users.

https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to-push-redline-info-stealing-malware/


Hitachi Energy confirms data breach after Clop GoAnywhere attacks

Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a GoAnywhere zero-day vulnerability.

https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data-breach-after-clop-goanywhere-attacks/


How to Google Dork a Specific Website for Hacking

You might pride yourself on being savvy in cyber security but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools.

https://www.stationx.net/how-to-google-dork-a-specific-website/


Chaos Malware Quietly Evolves Persistence and Evasion Techniques

The name Chaos is being used for a ransomware strain, a remote access trojan (RAT), and now a DDoS malware variant too. Talk about chaos! In this case, Sysdig's Threat Research Team captured attacks using the Chaos variant of the Kaiji botnet malware. There is very little reported information on this malware since September 2022, perhaps because of the unfortunately chaotic naming, or simply because it is relatively new.

https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/


Free decryptor released for Conti-based ransomware following data leak

Security researchers have released a new decryption tool that should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free.

https://www.tripwire.com/state-of-security/free-decryptor-released-conti-based-ransomware-following-data-leak


Phishing wave: beware of fake Disney+ emails

Have you received an email in which Disney+ informs you that a payment has failed? Delete the message or move it to the SPAM folder - it is a phishing attempt! The emails are being sent out en masse with the subject "Aussetzung Ihres Disney+ Kontos" ("Suspension of your Disney+ account") or "Sperrung Ihres Disney+ Kontos" ("Blocking of your Disney+ account")!

https://www.watchlist-internet.at/news/phishing-welle-vorsicht-vor-fake-disney-mails/


#StopRansomware: LockBit 3.0

This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a


Windows 10/11: Microsoft releases script for the WinRE BitLocker bypass fix

Since November 2022 it has been known that there is a BitLocker bypass vulnerability, CVE-2022-41099, in the Windows Recovery Environment (WinRE). Patching it, however, is anything but simple.

https://www.borncity.com/blog/2023/03/17/windows-10-11-microsoft-verffentlicht-script-fr-den-winre-bitlocker-bypass-fix/


ShellBot Malware Being Distributed to Linux SSH Servers

AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.

https://asec.ahnlab.com/en/49769/


Debugging D-Link: Emulating firmware and hacking hardware

GreyNoise researchers explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface.

https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacking-hardware

Vulnerabilities

Exynos: Google finds serious zero-days in Samsung chips

The affected devices can be hacked over the internet, including smartphones from Samsung, Google and Vivo as well as wearables and cars.

https://www.golem.de/news/exynos-google-findet-schwerwiegende-zero-days-in-samsung-chips-2303-172724.html


Honeywell OneWireless Wireless Device Manager

https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06


Rockwell Automation Modbus TCP AOI Server

https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-07


Omron CJ1M PLC

https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-01


AVEVA Plant SCADA and AVEVA Telemetry Server

https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-04


Autodesk FBX SDK

https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-02


[R1] Sensor Proxy Version 1.0.7 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2023-15


IBM Planning Analytics Workspace is affected by vulnerabilities (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149)

https://www.ibm.com/support/pages/node/6957836


IBM Cognos Command Center is affected by multiple vulnerabilities

https://www.ibm.com/support/pages/node/6555376


InfoSphere Identity Insight vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364)

https://www.ibm.com/support/pages/node/6963974


Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517)

https://www.ibm.com/support/pages/node/6956237


IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999]

https://www.ibm.com/support/pages/node/6964166


Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930)

https://www.ibm.com/support/pages/node/6963640


Vulnerability in Java SE may affect IBM Spectrum Protect Operations Center (CVE-2022-21626)

https://www.ibm.com/support/pages/node/6963642


IBM Sterling Control Center is vulnerable to denial of service due to Node.js Angular (CVE-2022-25844)

https://www.ibm.com/support/pages/node/6964174


IBM Sterling Control Center is vulnerable to denial of service due to Apache commons-fileupload (CVE-2023-24998)

https://www.ibm.com/support/pages/node/6964176


AIX is vulnerable to denial of service vulnerabilities

https://www.ibm.com/support/pages/node/6847947


AIX is vulnerable to a denial of service due to lpd (CVE-2022-43382)

https://www.ibm.com/support/pages/node/6848309