Tageszusammenfassung - 23.03.2023

End-of-Day report

Timeframe: Mittwoch 22-03-2023 18:00 - Donnerstag 23-03-2023 18:00 Handler: Robert Waldner Co-Handler: n/a


Developing an incident response playbook

Incident response playbooks help optimize the SOC processes, and are a major step forward to SOC maturity, but can be challenging for a company to develop. In this article, I want to share some insights on how to create the (almost) perfect playbook.


Cropping and Redacting Images Safely, (Thu, Mar 23rd)

The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images. [..] Here are some approaches to make image redaction safer. But please use them with caution.


German and South Korean Agencies Warn of Kimsukys Expanding Cyber Attack Tactics

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users Gmail inboxes.


AIIPot: Adaptive Intelligent-Interaction Honeypot for IoT Devices

In this paper, we propose a honeypot for IoT devices that uses machine learning techniques to learn and interact with attackers automatically. The evaluation of the proposed model indicates that our system can improve the session length with attackers and capture more attacks on the IoT network.


Memory Forensics R&D Illustrated: Detecting Hidden Windows Services

To begin the series, this post discusses a new detection technique for hidden services on Windows 7 through 11. Since not all readers will be familiar with hidden services and the danger they pose on live systems, we will start with some brief background.


Malicious Actors Use Unicode Support in Python to Evade Detection

Phylum-s automated platform recently detected the onyxproxy package on PyPI, a malicious package that harvests and exfiltrates credentials and other sensitive data. In many ways, this package typifies other token stealers that we have found prevalent in PyPI. However, one feature of this particular package caught our eye: an obfuscation technique that was foreseen in 2007 during a discussion about Python-s support for Unicode [..]


Joomla! CVE-2023-23752 to Code Execution

On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. [..] disclosure was followed by a stream of exploits hitting GitHub, and multiple indicators of exploitation in the wild. The public exploits focus on leaking the victim-s MySQL database credentials - an unexciting prospect (we thought), because exposing the database to the internet is a dangerous misconfiguration. Nonetheless, attackers seemed interested in the vulnerability, so we sought to find out why.


Fehlalarm: Microsoft-Defender-Warnung vor deaktiviertem Schutz führt in die Irre

Unter Windows 11 zeigt Microsoft Defender auf vielen Systemen einen deaktivieren Schutz durch "die lokalen Sicherheitsautorität". Das ist ein Fehlalarm.


Technische Richtlinie zu Public Key Infrastrukturen für Technische Sicherheitseinrichtungen veröffentlicht

Das BSI hat am 23. März 2023 die neue Technische Richtlinie BSI TR-03145-5 für den sicheren Betrieb einer Public Key Infrastruktur für Technische Sicherheitseinrichtungen veröffentlicht.


Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023)

Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..]


Pack it Secretly: Earth Preta-s Updated Stealthy Strategies

After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were being used by Earth Preta. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by the threat actor.



Virenschutz: Malwarebytes ermöglicht Rechteausweitung

Der Virenschutz von Malwarebytes ermöglicht Angreifern, beliebige Dateien zu löschen oder ihre Rechte im System auszuweiten. Ein Update schließt die Lücke.


Sicherheitslücke: Angreifer könnten Switches von Aruba kompromittieren (CVE-2023-1168)

Aufgrund einer Schwachstelle sind bestimmte Switches von Aruba verwundbar. Admins sollten Geräte jetzt absichern. Die Lücke betrifft die Network Analytics Engine. Dort könnte ein authentifizierter Angreifer für eine Schadcode-Attacke ansetzen, um Geräte vollständig zu kompromittieren. Wie eine Attacke ablaufen könnte, ist bislang nicht bekannt.


Security updates for Thursday

Security updates have been issued by CentOS (firefox, nss, and openssl), Fedora (firefox, liferea, python-cairosvg, and tar), Oracle (openssl and thunderbird), Scientific Linux (firefox, nss, and openssl), SUSE (container-suseconnect, grub2, libplist, and qemu), and Ubuntu (amanda, apache2, node-object-path, and python-git).


VARTA: Multiple devices prone to hard-coded credentials (CVE-2022-22512)

VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable.


Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation

Solution: Users must check their program version by following the steps below and update their program to the latest version (versions or above). - Service operator: Replace with the latest version through MLsoft - Service user: Updated automatically when the operator switches to the latest version


SAUTER EY-modulo 5 Building Automation Stations




Schneider Electric IGSS


CP Plus KVMS Pro


ABB Pulsar Plus Controller


ProPump and Controls Osprey Pump Controller


IBM Integration Bus is vulnerable to a remote attack & denial of service due to Apache Thrift & Apache Commons Codec (CVE-2018-1320, CVE-2019-0205, IBM X-Force ID: 177835)


IBM Watson CloudPak for Data Data Stores are vulnerable to web pages stored locally which can be read by another user on the system


IBM Watson CloudPak for Data Data Stores is vulnerable to allowing a user with physical access and specific knowledge of the system to modify files or data on the system.(CVE-2023-26282)


IBM Watson CloudPak for Data Data Stores is vulnerable to an attacker with specific knowledge about the system to manipulate data due to improper input validation(CVE-2023-28512)


Security Bulletin: Watson CP4D Data Stores for Cloud Pak for Data does not encypt sensitive information before storage or transmission (CVE-2023-27291)


IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522)


Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition.


WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability


A vulnerability has been identified in IBM Spectrum Scale Data Access Services (DAS) which can cause denial of service.


A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-26283)


Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)


Stored cross-site vulnerability when performing a document upload using Responsive Document Explorer affect IBM Business Automation Workflow - CVE-2023-24957