Daily summary - 21.03.2023

End-of-Day report

Timeframe: Monday 20-03-2023 18:00 - Tuesday 21-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

Windows 11 bug warns Local Security Authority protection is off

Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on.

https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-security-authority-protection-is-off/


From Phishing Kit To Telegram... or Not!, (Mon, Mar 20th)

Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns!

https://isc.sans.edu/diary/rss/29650


Google Cloud Log Extraction

In this blog post, we review the methods through which we can extract logs from Google Cloud.

https://www.sans.org/blog/google-cloud-log-extraction/


Find Threats in Event Logs with Hayabusa

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable.

https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusa


Black Angel Rootkit

Black Angel is a Windows 11/10 x64 kernel mode rootkit. The rootkit can be loaded with DSE enabled while maintaining its full functionality. Designed for Red Teams.

https://github.com/XaFF-XaFF/Black-Angel-Rootkit


Linux auditd for Threat Detection [Final]

The focus of this article will be to describe what behaviors allow for which events to be recorded by auditd. Additionally, you will see where auditd is not capable of recording certain events, despite verbose settings.

https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d5173706b3f


Nexus: a new Android botnet?

In January 2023, a new Android banking trojan appeared on multiple hacking forums under the name of Nexus. However, Cleafy's Threat Intelligence & Response Team traced the first Nexus infections to well before the public announcement, in June 2022.

https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet


Mitigating SSRF in 2023

Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick a server-side application into making a request to an unintended location. SSRF, unlike most other specific vulnerabilities, has gained its own spot on the OWASP Top 10 2021. This reflects both how common and how impactful this type of vulnerability has become.

https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/


Malicious NuGet Packages Used to Target .NET Developers

Software developers have been targeted in a new attack via malicious packages in the NuGet repository.

https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-developers/


Warning: Fraudulent calls about a Eurojackpot win!

Beware of alleged prize notifications by phone call, e-mail, post and social media in the name of Eurojackpot. Criminals pose as the lottery and claim that you have won money. Later in the process you are asked to pay money up front in order to receive the payout.

https://www.watchlist-internet.at/news/achtung-betruegerische-anrufe-zu-eurojackpot-gewinn/


Patch CVE-2023-23397 Immediately: What You Need To Know and Do

We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale.

https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immediately-what-you-need-to-know-and-do.html

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc).

https://lwn.net/Articles/926759/


XSA-429

https://xenbits.xen.org/xsa/advisory-429.html


XSA-428

https://xenbits.xen.org/xsa/advisory-428.html


XSA-427

https://xenbits.xen.org/xsa/advisory-427.html


Keysight N6845A Geolocation Server

https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-01


Delta Electronics InfraSuite Device Master

https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02


VISAM VBASE Automation Base

https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05


Siemens RUGGEDCOM APE1808 Product Family

https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-03


Rockwell Automation ThinManager

https://www.cisa.gov/news-events/ics-advisories/icsa-22-080-06


Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities

https://blog.talosintelligence.com/vulnerability-spotlight-wellintech-ics-platform-vulnerable-to-information-disclosure-buffer-overflow-vulnerabilities/


Spring Vault 3.0.2 and 2.3.3 fix CVE-2023-20859

https://spring.io/blog/2023/03/20/spring-vault-3-0-2-and-2-3-3-fix-cve-2023-20859


Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Moment CVE-2023-22467

https://www.ibm.com/support/pages/node/6964588


A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941)

https://www.ibm.com/support/pages/node/6852651


IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874)

https://www.ibm.com/support/pages/node/6964694


IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes

https://www.ibm.com/support/pages/node/6963662


Vulnerability in Apache Commons FileUpload library affects Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24998)

https://www.ibm.com/support/pages/node/6964742


Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690)

https://www.ibm.com/support/pages/node/6964752


Multiple vulnerabilities of Mozilla Firefox ESR have affected APM Synthetic Playback Agent

https://www.ibm.com/support/pages/node/6964754