End-of-Day report
Timeframe: Wednesday 29-03-2023 18:00 - Thursday 30-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Cybercriminals send malware in the name of DocuSign
Electronic signature services such as DocuSign have been popular at least since the Covid-19 pandemic as a quick and uncomplicated way to sign contracts or other documents. This is a trend that fraudsters have also picked up on: cybercriminals pose as DocuSign in e-mails in order to distribute malware.
https://www.watchlist-internet.at/news/cyberkriminelle-versenden-schadsoftware-im-namen-von-docusign/
International Fraud Prevention Month: Beware of dark patterns
March 2023 marks the annual International Fraud Prevention Month ("ICPEN Fraud Prevention Month"). This year's focus topic is dark patterns. Dark patterns are misleading design elements and website layouts that try to lure users into making decisions that are not in their best interest. Find out here what dark patterns are, how to recognise them and how best to protect yourself.
https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-dark-patterns/
EDR Product Analysis of an Infostealer
As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer.
https://asec.ahnlab.com/en/50685/
Vulnerabilities
QNAP warns customers to patch Linux Sudo flaw in NAS devices
Taiwanese hardware vendor QNAP warns customers to secure their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability.
https://www.bleepingcomputer.com/news/security/qnap-warns-customers-to-patch-linux-sudo-flaw-in-nas-devices/
Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012
Security risk: Moderately critical
Description: This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation. The module does not sufficiently sanitize some data presented in its reports.
https://www.drupal.org/sa-contrib-2023-012
CVE-2022-37734: graphql-java Denial-of-Service
graphql-java is the most popular GraphQL server written in Java. It was found to be vulnerable to DoS attacks through the directive overload. [..] The vulnerability was fixed in two stages. The first fix introduced a security control, whereas the second one targeted the root cause. The first fix is presented in the versions of graphql-java 19.0 and later, 18.3, and 17.4. The second fix has been applied in the version 20.1 [..]
https://checkmarx.com/blog/cve-2022-37734-graphql-java-denial-of-service/
Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability (CVE-2023-25076)
Talos discovered a remote code execution vulnerability that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code. Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available [..]
https://blog.talosintelligence.com/vulnerability-spotlight-sniproxy-contains-remote-code-execution-vulnerability/
X.org vulnerability and releases (CVE-2023-1393)
The X.Org project has announced a vulnerability in its X server and Xwayland. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. [..] That has led to the release of xorg-server 21.1.8, xwayland 22.1.9, and xwayland 23.1.1.
https://lwn.net/Articles/927887/
Security updates for Thursday
Security updates have been issued by Debian (xorg-server and xrdp), Fedora (mingw-python-certifi, mingw-python3, mingw-zstd, moodle, python-cairosvg, python-markdown-it-py, redis, xorg-x11-server, and yarnpkg), Slackware (mozilla and xorg), SUSE (grub2, ldb, samba, libmicrohttpd, python-Werkzeug, rubygem-rack, samba, sudo, testng, tomcat, webkit2gtk3, xorg-x11-server, xstream, and zstd), and Ubuntu (linux, linux-aws, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-aws-5.4, linux-azure-5.4, linux-gcp- linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, php-nette, and xorg-server, xorg-server-hwe-18.04, xwayland).
https://lwn.net/Articles/927855/
Synology-SA-23:02 Sudo
A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).
https://www.synology.com/en-global/support/security/Synology_SA_23_02
Popular PABX platform, 3CX Desktop App suffers supply chain attack
CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).
https://www.hackread.com/3cx-desktop-app-supply-chain-attack/
Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-capic-csrfv-DMx6KSwV
Hitachi Energy IEC 61850 MMS-Server
https://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01
Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation
https://www.ibm.com/support/pages/node/6966998
IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645)
https://www.ibm.com/support/pages/node/6959353
IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645)
https://www.ibm.com/support/pages/node/6959355
IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
https://www.ibm.com/support/pages/node/6967016
Multiple Vulnerabilities in CloudPak for Watson AIOPs
https://www.ibm.com/support/pages/node/6967012
CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard
https://www.ibm.com/support/pages/node/6967018
CVE-2022-41723 may affect IBM CICS TX Advanced
https://www.ibm.com/support/pages/node/6967026
CVE-2022-41723 may affect IBM CICS TX Standard
https://www.ibm.com/support/pages/node/6967022
Multiple vulnerabilities may affect IBM SDK, Java Technology Edition
https://www.ibm.com/support/pages/node/6967213
CVE-2022-21426 may affect IBM SDK, Java Technology Edition
https://www.ibm.com/support/pages/node/6967221
Multiple Vulnerabilities in CloudPak for Watson AIOPs
https://www.ibm.com/support/pages/node/6967243
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty (CVE-2016-0378)
https://www.ibm.com/support/pages/node/6967241
IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities
https://www.ibm.com/support/pages/node/6967283
Vulnerabilities in PostgreSQL may affect IBM Spectrum Protect Plus (CVE-2022-2625, CVE-2022-1552, CVE-2021-3677)
https://www.ibm.com/support/pages/node/6967285
A vulnerability in GNU Tar affects IBM MQ Operator and Queue manager container images (CVE-2022-48303)
https://www.ibm.com/support/pages/node/6966198