End-of-Day report
Timeframe: Tuesday 28-03-2023 18:00 - Wednesday 29-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
WiFi protocol flaw allows attackers to hijack network traffic
Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form.
https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-attackers-to-hijack-network-traffic/
H26Forge: Majority of video decoders apparently systematically attackable
Bugs in video decoders repeatedly lead to security vulnerabilities, up to and including zero-days. Researchers now demonstrate an enormous attack surface.
https://www.golem.de/news/h26forge-mehrheit-der-video-decoder-wohl-systematisch-angreifbar-2303-173055.html
Network Data Collector Placement Makes a Difference, (Tue, Mar 28th)
A previous diary [1] described processing some local PCAP data with Zeek. This data was collected using tcpdump on a DShield Honeypot. When looking at the Zeek connection logs, the connection state information was unexpected. To help understand why, we will compare data from different locations on the network and process the data in a similar way. This will help narrow down where the discrepancies might be coming from, or at least where they are not coming from.
https://isc.sans.edu/diary/rss/29664
MacStealer: Mac malware wants to steal passwords and crypto wallets
Malware offered cheaply on the dark web is said to extract sensitive data from Macs and transmit it to attackers via the Telegram messenger.
https://heise.de/-8153293
Remote PowerShell: Exchange Online entry point now gets a grace period
Administrators have half a year longer before they must say goodbye to their insecure PowerShell cmdlets for Exchange Online.
https://heise.de/-8186790
Criminals invent authorities such as "finanzaufsichtsbehoerde.com" for authority scams
To extract money from their victims, criminals frequently resort to creative methods. Currently they are inventing authorities, for example on "finanzaufsichtsbehoerde.com" and "betrugsdezernat.com", or imitating real authorities and institutions. No matter what you are promised there, do not submit any data and do not pay any money to such platforms!
https://www.watchlist-internet.at/news/kriminelle-erfinden-behoerden-wie-finanzaufsichtsbehoerdecom-fuer-authority-scams/
Spyware vendors use 0-days and n-days against popular platforms
[...] In this blog, we're sharing details about two distinct campaigns we've recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.
https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/
Active Exploitation of IBM Aspera Faspex CVE-2022-47986
Rapid7 is aware of at least one incident where a customer was compromised via CVE-2022-47986. We strongly recommend patching on an emergency basis.
https://www.rapid7.com/blog/post/2023/03/28/etr-active-exploitation-of-ibm-aspera-faspex-cve-2022-47986/
New OpcJacker Malware Distributed via Fake VPN Malvertising
We discovered a new malware, which we named "OpcJacker" (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.
https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html
On our own behalf: CERT.at is looking for reinforcements
For our daily routine tasks we are currently looking for one career starter or career changer with a strong interest in IT security to support us with the standard tasks that come up every day. Details can be found on our Jobs page.
https://cert.at/de/blog/2023/3/in-eigener-sache-certat-sucht-verstarkung-20230328
Vulnerabilities
Security updates for Wednesday
Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19).
https://lwn.net/Articles/927666/
Multiple Vulnerabilities in Rocket Software UniRPC server (Fixed)
In early 2023, Rapid7 discovered several vulnerabilities in Rocket Software UniData UniRPC. We worked with the company to fix issues and coordinate this disclosure.
https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed/
[R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2
Arnie Cabral, Tue, 03/28/2023 - 11:10: Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components in use (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers.
https://www.tenable.com/security/tns-2023-17
Security Advisory 2023-02 for PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3
Hello, today we have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to a low severity security issue found. Please find the full text of the advisory below. The 4.6, 4.7 and 4.8 changelogs are available. The 4.6.6 (signature), 4.7.5 (signature) and 4.8.4 (signature) tarballs are available from our download server. Patches are available at patches.
https://blog.powerdns.com/2023/03/29/security-advisory-2023-02-for-powerdns-recursor-up-to-and-including-4-6-5-4-7-4-and-4-8-3/
IBM Security Bulletins 2023-03-29
https://www.ibm.com/support/pages/bulletin/
K000133135: NGINX Agent vulnerability CVE-2023-1550
https://my.f5.com/manage/s/article/K000133135
Security Vulnerabilities fixed in Thunderbird 102.9.1
https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/
Buffer Overflow Vulnerabilities in Samba
https://www.qnap.com/en-us/security-advisory/QSA-23-02
Buffer Overflow Vulnerability in Samba
https://www.qnap.com/en-us/security-advisory/QSA-23-03
Vulnerabilities in QTS, QuTS hero, QuTScloud, and QVP
https://www.qnap.com/en-us/security-advisory/QSA-23-06
Vulnerability in QTS, QuTS hero, QuTScloud, QVP, and QVR
https://www.qnap.com/en-us/security-advisory/QSA-23-10
Vulnerability in sudo
https://www.qnap.com/en-us/security-advisory/QSA-23-11
Multiple Vulnerabilities in OpenSSL
https://www.qnap.com/en-us/security-advisory/QSA-23-15
Sielco Analog FM Transmitter 2.12 id Cookie Brute Force Session Hijacking
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php
Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php
Sielco Analog FM Transmitter 2.12 Improper Access Control Change Admin Password
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php
Sielco Analog FM Transmitter 2.12 Remote Privilege Escalation
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php