Daily summary - 20.03.2023

End-of-Day report

Timeframe: Friday 17-03-2023 18:00 - Monday 20-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter

News

New "HinataBot" botnet could launch massive 3.3 Tbps DDoS attacks

A new malware botnet was discovered targeting Realtek SDK devices, Huawei routers, and Hadoop YARN servers to recruit them into a DDoS (distributed denial of service) swarm with the potential for massive attacks.

https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-launch-massive-33-tbps-ddos-attacks/


Google: Edited Pixel screenshots can be recovered

Anyone who blacks out or crops parts of a screenshot relies on those parts staying hidden. On Pixel smartphones that was, until now, not the case.

https://www.golem.de/news/google-bearbeitete-pixel-screenshots-lassen-sich-wiederherstellen-2303-172759.html
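The reported root cause of this bug, which the article summary above does not spell out, was that the screenshot editor rewrote the PNG in place without truncating the file, so whenever the edited image was smaller than the original, the tail of the original stayed on disk after the new IEND chunk. The following check, added here as an example and not code from the CERT summary, golem.de or Google, builds two constructed PNGs, simulates that non-truncating overwrite, and reports how many bytes sit past IEND; a compliant PNG has zero, so any positive count is leftover data that a recovery tool could try to decode. All PNG content is constructed in the script; no real screenshots are involved.

```python
import struct
import zlib

# Added example, not part of the CERT summary or the linked article.
# Models the reported cause of the Pixel screenshot bug: the file was
# rewritten without truncation, leaving original bytes after the new IEND.
# All image data below is constructed, not a real screenshot.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, seed: int = 0) -> bytes:
    """Build a small, valid 8-bit RGB PNG with poorly compressible pixel data
    (constructed input so that the two file sizes differ noticeably)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 (RGB)
    rows = bytearray()
    for y in range(height):
        rows.append(0)  # filter type 0 (None) for this scanline
        for x in range(width):
            rows += bytes([(x * 31 + y * 17 + seed) & 0xFF,
                           (x * 7 + seed) & 0xFF,
                           (y * 11 + seed) & 0xFF])
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(rows)))
            + _chunk(b"IEND", b""))


def overwrite_without_truncate(original: bytes, edited: bytes) -> bytes:
    """Simulate writing `edited` over `original` through a file opened for
    read/write but without truncation: bytes past the new end stay in place."""
    if len(edited) >= len(original):
        return edited
    return edited + original[len(edited):]


def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.
    A compliant PNG ends at IEND, so any positive value is leftover data
    worth inspecting. Raises ValueError for a malformed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + payload + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        expected_crc = zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        if stored_crc != expected_crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        if ctype == b"IEND":
            return len(data) - end
        pos = end
    raise ValueError("no IEND chunk found")


def leftover_data(data: bytes) -> bytes:
    """Return the raw bytes after IEND, i.e. the material a recovery tool
    would feed back into a zlib decoder to reconstruct parts of the original."""
    return data[len(data) - trailing_bytes_after_iend(data):]


if __name__ == "__main__":
    original = build_png(64, 64, seed=1)   # the full screenshot
    cropped = build_png(2, 2, seed=1)      # what the user cropped it down to
    on_disk = overwrite_without_truncate(original, cropped)
    print(f"original {len(original)} bytes, cropped {len(cropped)} bytes, "
          f"file on disk {len(on_disk)} bytes")
    print(f"bytes after IEND: {trailing_bytes_after_iend(on_disk)}")
```

Run the script as-is to see the leftover byte count; to triage real files, call `trailing_bytes_after_iend()` on each PNG read in binary mode and flag anything that returns a non-zero value. The check is format-level only: it tells you that data past IEND exists, not what it contains.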


Ransomware: Emotet returns - as a OneNote e-mail attachment

The sophisticated Emotet malware is active again. It is reaching potential victims' inboxes in the form of malicious OneNote files.

https://heise.de/-7551285


Malware scheme: Acrobat Sign service abused to slip malware to victims

Avast has observed a new scheme in which cybercriminals try to foist malware on victims. To do so, they abuse the Adobe Sign service.

https://heise.de/-7557288


Researchers Shed Light on CatB Ransomware's Evasion Techniques

The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities.

https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html


Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research

In this blog post, we'll share some of our latest research into bypassing CloudTrail. We'll cover a method that allowed CloudTrail bypass with both read and write API actions for the Service Catalog service. This now-fixed vulnerability is noteworthy because it was the first publicly known CloudTrail bypass that could permit an attacker to alter an AWS environment.

https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/


IcedID's VNC Backdoors: Dark Cat, Anubis & Keyhole

In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.

https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/

Vulnerabilities

Drupal security vulnerability could allow attackers to take over systems

The US cyber security agency CISA warns of a vulnerability in the Drupal content management system. Attackers could hijack vulnerable systems.

https://heise.de/-7550599


OpenSSH 9.3 plugs security holes

The OpenSSH developers have released version 9.3 of the encryption suite. It closes security vulnerabilities and fixes minor bugs.

https://heise.de/-7550738


Security updates for Monday

Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim).

https://lwn.net/Articles/926636/


IBM Security Bulletins 2023-03-20

* Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930)
* Watson AI Gateway for Cloud Pak for Data is vulnerable to an OpenSSL denial of service caused by a type confusion error (CVE-2023-0286)
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly authorized password changes
* Watson AI Gateway for Cloud Pak for Data is vulnerable to Ansible Runner code execution and could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper shell escaping of the shell command.
* IBM Aspera Faspex can be vulnerable to improperly authorized password changes
* Vulnerability in EFS affects AIX (CVE-2021-29861)
* Vulnerability in libc affects AIX (CVE-2021-29860)
* Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)
* Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
* A denial of service vulnerability in JDOM affects IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2021-33813)
* Vulnerabilities in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)
* Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4
* Vulnerability in Node.js affects IBM Voice Gateway
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes
* Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925)
* Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Workload Scheduler.
* IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998)

https://www.ibm.com/support/pages/bulletin/


Spring Framework 5.2.23 fixes CVE-2023-20861

https://spring.io/blog/2023/03/20/spring-framework-5-2-23-fixes-cve-2023-20861


Spring Framework 6.0.7 and 5.3.26 fix CVE-2023-20860 and CVE-2023-20861

https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861