Daily summary - 27.03.2023

End-of-Day report

Timeframe: Friday 24-03-2023 18:00 - Monday 27-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

News

Guidance for investigating attacks using CVE-2023-23397

This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization's environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process.

https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
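The leak is triggered by a message whose PidLidReminderFileParameter extended MAPI property (the custom reminder sound path) points at a UNC path on an attacker-controlled host; when the reminder fires, Outlook authenticates to that host and hands over the Net-NTLMv2 response. The Python below is an added triage example, not part of Microsoft's guidance or its detection script: it takes exported property values, recognises the UNC spellings Outlook will open (plain, \\?\UNC\ and the WebDAV host@port form), and rates each message by whether the target host is internal or external. The sample records, the trusted DNS suffix and the internal address ranges are constructed assumptions and must be replaced with the environment under investigation.

```python
import ipaddress
import re

# Assumption: the organisation's own DNS suffixes and internal address ranges.
# Adjust both to the environment being investigated.
TRUSTED_DNS_SUFFIXES = ("example.com",)
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# UNC forms Outlook will try to open: \\host\share\file, \\?\UNC\host\share\file,
# and the WebDAV spelling \\host@80\share\file or \\host@SSL\share\file.
UNC_RE = re.compile(
    r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\@]+)(?:@(?P<port>[^\\]+))?\\(?P<rest>.*)$",
    re.IGNORECASE,
)

# Constructed sample records (not real data): one entry per message, with the
# value of PidLidReminderFileParameter as an investigator would export it.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "sender": "hr@example.com", "reminder_file": None},
    {"id": "msg-2", "sender": "hr@example.com", "reminder_file": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "msg-3", "sender": "billing@contoso.test", "reminder_file": r"\\203.0.113.7\share\reminder.wav"},
    {"id": "msg-4", "sender": "it@example.com", "reminder_file": r"\\fileserver.example.com\sounds\ding.wav"},
    {"id": "msg-5", "sender": "ext@evil.test", "reminder_file": r"\\?\UNC\evil.test\x\ding.wav"},
    {"id": "msg-6", "sender": "ext@evil.test", "reminder_file": r"\\10.0.0.5@80\dav\ding.wav"},
]


def parse_unc(path):
    """Return (host, port_or_None) if path is a UNC path, else None."""
    m = UNC_RE.match(path or "")
    if not m:
        return None
    return m.group("host").lower(), m.group("port")


def is_internal_host(host):
    """True for internal IP ranges, single-label (NetBIOS) names and trusted DNS suffixes."""
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in INTERNAL_NETWORKS)
    except ValueError:
        pass                                   # not an IP literal: treat as a DNS name
    if "." not in host:
        return True                            # single-label name resolves only internally
    return host.endswith(tuple("." + s for s in TRUSTED_DNS_SUFFIXES))


def triage(messages):
    """Classify every message that carries a custom reminder sound path."""
    findings = []
    for msg in messages:
        path = msg.get("reminder_file")
        if not path:
            continue                           # property absent: not a candidate
        unc = parse_unc(path)
        if unc is None:
            severity = "local"                 # unusual, but no network authentication is forced
        elif is_internal_host(unc[0]):
            severity = "review"                # NTLM to an internal host: verify the share exists
        else:
            severity = "critical"              # NTLM to an external host: Net-NTLMv2 leak
        findings.append({"id": msg["id"], "sender": msg["sender"],
                         "path": path, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f"{f['severity']:8} {f['id']:6} {f['sender']:22} {f['path']}")
```

A "critical" hit means the recipient's Net-NTLMv2 response has very likely already left the network as soon as the reminder fired; the follow-up is to correlate outbound SMB and WebDAV connections to that host in firewall and proxy logs and to reset the affected account's credentials, not just to delete the message. "review" hits still deserve a look, since an internal host under attacker control (or a WebDAV-capable pivot) gives the same result.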


WooCommerce Credit Card Skimmer Reveals Tampered Plugin

Disclaimer: The malware infection described in this article does not affect the software plugin as a whole and does not indicate any vulnerabilities or security flaws within WooCommerce or any associated WooCommerce plugin extensions. Overall they are both robust and secure payment platforms that are perfectly safe to use. Instead, this article highlights the importance of maintaining good security posture and keeping environments locked down to prevent tampering from threat actors.

https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-plugin.html


Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues Affecting Multiple Cisco Products

On March 27, 2023, the research paper Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues was made public. This paper discusses vulnerabilities in the 802.11 standard that could allow an attacker to spoof a targeted wireless client and redirect frames that are present in the transmit queues of an access point to an attacker-controlled device. This is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-ffeb-22epcEWu


Visual Signature Spoofing in PDFs

Visual Signature Spoofing was partially successful in forging signed documents. Due to the limited support of JavaScript in the other PDF applications, it was only possible to create visual signature spoofs for Adobe Acrobat Reader DC. Other PDF applications may also become vulnerable in the future if they add support for the necessary JavaScript functions.

https://sec-consult.com/blog/detail/visual-signature-spoofing-in-pdfs/


Using an Undocumented Amplify API to Leak AWS Account IDs

In a previous blog post I mentioned that I was getting back into AWS vulnerability research in my free time. I've been taking a closer look at undocumented AWS APIs, trying to find hidden functionality that may be useful for an attacker or cross tenant boundaries. [...] I reported this API to AWS who responded that it did not "represent a security issue", however, 3 days later, the API was disabled.

https://frichetten.com/blog/undocumented-amplify-api-leak-account-id/


Microsoft releases security update for Windows Snipping Tool

Microsoft has released an out-of-band security update. It is intended to fix a vulnerability in the Windows Snipping Tool, the screenshot app built into Windows 10 and Windows 11. Similar to what was recently seen on Android, the tool does not completely remove "deleted" areas of cropped screenshots, so they can be recovered afterwards.

https://www.zdnet.de/88408044/microsoft-verteilt-sicherheitsupdate-fuer-windows-snipping-tool/
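The file-level symptom of this bug class is that the editor writes the smaller cropped image over the original file without truncating it, so the tail of the original (part of its compressed pixel data) survives after the new image's IEND chunk, which is what recovery tools reconstruct from. The Python below is an added example, not Microsoft's or the original article's code: it builds a constructed PNG, models the faulty overwrite, walks the chunk list to count the bytes after IEND, and strips them. A clean PNG ends exactly at IEND, so a non-zero count on a screenshot that was cropped in place is the thing to check before sharing it.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def _pixel(x: int, y: int) -> bytes:
    """Per-pixel gradient so the image data is not trivially compressible."""
    return bytes(((x * 7) & 0xFF, (y * 3) & 0xFF, (x ^ y) & 0xFF))


def build_png(width: int, height: int) -> bytes:
    """Build a minimal, valid 8-bit RGB PNG (constructed test image, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # bit depth 8, colour type RGB
    rows = b"".join(
        b"\x00" + b"".join(_pixel(x, y) for x in range(width))     # filter type 0 per scanline
        for y in range(height)
    )
    idat = zlib.compress(rows)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iend_offset(data: bytes) -> int:
    """Offset of the first byte after the IEND chunk, found by walking the chunk list."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4                                  # header + payload + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Number of bytes following IEND; 0 for a correctly written PNG."""
    return len(data) - iend_offset(data)


def strip_trailing_data(data: bytes) -> bytes:
    """Return the PNG cut off at IEND, discarding any leftover original data."""
    return data[:iend_offset(data)]


def overwrite_without_truncate(original: bytes, new: bytes) -> bytes:
    """Model the bug: the new (smaller) file is written over the old one without truncation."""
    return new + original[len(new):]


if __name__ == "__main__":
    full = build_png(64, 64)
    cropped = build_png(8, 8)
    leaky = overwrite_without_truncate(full, cropped)
    print("bytes after IEND in cropped file:", trailing_bytes_after_iend(leaky))
    print("bytes after IEND after stripping:", trailing_bytes_after_iend(strip_trailing_data(leaky)))
```

Stripping the tail only removes the leftover from a file that was already cropped in place; any copy that was shared before the fix still carries the original data, which is why the update is a patch for future screenshots rather than a remedy for ones already published.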


Deprecation of Remote PowerShell in Exchange Online - Re-enabling or Extending RPS support

PowerShell (PS) cmdlets in Exchange Online use Remote PowerShell (RPS) for client to server communication. Unfortunately, RPS is legacy technology that is outdated and can pose security risks. As such, we recommend all customers move to the new, more secure REST-based v3 PowerShell module, which will help us improve security - together.

https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-remote-powershell-in-exchange-online-re-enabling/ba-p/3779692


OneNote Embedded URL Abuse

Whilst Microsoft is fixing the embedded files feature in OneNote I decided to abuse a whole other feature. Embedded URLs. Turns out this is something they may also have to fix.

https://blog.nviso.eu/2023/03/27/onenote-embedded-url-abuse/


Rhadamanthys: The "Everything Bagel" Infostealer

Key Takeaways:

* Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.
* A maximalist approach to features: functionality is added for its own sake, never mind the effort required or expected payoff.
* Campaigns by default target countries indiscriminately, excluding the Commonwealth of Independent States. This is typical of this kind of malware.
* Multiple-stage loader/shellcode execution has been researched in prior publications and has made it difficult to reach a proper interactive disassembly workflow with the actual information-stealing logic.

https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/

Vulnerabilities

Cisco IOS XE Software Privilege Escalation Vulnerability

A vulnerability in the Cloud Management for Catalyst migration feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root-level privileges on an affected device. This vulnerability is due to insufficient memory protection in the Cisco IOS XE Meraki migration feature of an affected device. An attacker could exploit this vulnerability by modifying the Meraki registration parameters. A successful exploit could allow the attacker to elevate privileges to root.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-sABD8hcU


ABB RCCMD - Use of default password (CVE-2022-4126)

A software update is available that resolves a privately reported vulnerability [...] An attacker who successfully exploited this vulnerability could take control of the computer the software runs on and possibly insert and run arbitrary code.

https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=2CMT006099_EN


Security updates for Monday

Security updates have been issued by Debian (libreoffice and xen), Fedora (chromium, curl, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), Slackware (tar), SUSE (apache2, ceph, curl, dpdk, helm, libgit2, and php7), and Ubuntu (firefox and thunderbird).

https://lwn.net/Articles/927451/


baserCMS vulnerable to arbitrary file uploads

https://jvn.jp/en/jp/JVN61105618/


IBM Security Bulletins 2023-03-25 - 2023-03-27

https://www.ibm.com/support/pages/bulletin/