End-of-Day report
Timeframe: Monday 03-04-2023 18:00 - Tuesday 04-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
WinRAR SFX archives can run PowerShell without being detected
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/
Analyzing the efile.com Malware "efail", (Tue, Apr 4th)
Yesterday, I wrote about efile.com serving malicious fake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed.
https://isc.sans.edu/diary/rss/29712
Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/
Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions
Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files. That's going to change going forward.
https://thehackernews.com/2023/04/microsoft-tightens-onenote-security-by.html
A fresh look at user enumeration in Microsoft Teams
The technique to enumerate user details and presence information via Microsoft Teams is not new and was described in a blog post by immunit.ch and their tool "TeamsUserEnum". This blog post adds more information related to user enumeration via Teams and covers different endpoints used by different account types.
https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/
International Fraud Prevention Month: beware of dark patterns
March 2023 again marks the international Fraud Prevention Month ("ICPEN Fraud Prevention Month"). This year's focus topic is dark patterns. Dark patterns are misleading design elements and website layouts that try to lure users into decisions that are not in their best interest. Find out here what exactly dark patterns are, how to recognise them and how best to protect yourself!
https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-dark-patterns/
Résumé editor on zety.de leads into a subscription trap
On zety.de you can supposedly create professional résumés and job applications. With one click you choose a template and fill it with your data, apparently free of charge. Only when you want to download your document do you learn that the service is not free after all. If you pay, you are taking out a subscription!
https://www.watchlist-internet.at/news/lebenslauf-editor-auf-zetyde-fuehrt-in-abo-falle/
Further information on attacks against the 3CX Desktop App
Since the publication of our last advisory on the attacks against, or via abuse of, the 3CX Desktop App, further details and new information have become known. The most important details in this respect are: [...]
https://cert.at/de/aktuelles/2023/4/weitere-informationen-zu-angriffen-gegen-3cx-desktop-app
Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities
The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities.
Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/
Rorschach - A New Sophisticated and Fast Ransomware
Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups.
The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO).
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
Vulnerabilities
VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID
The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predictable DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.[..] The uClibc library has not been updated since May of 2012.
https://kb.cert.org/vuls/id/473698
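To illustrate why a monotonically increasing transaction ID is fatal for an off-path attacker's odds, here is an added Python simulation. It is not uClibc or uClibc-ng code: the two resolver models, the attacker's burst of forged replies and the assumption that the UDP source port is fixed and known to the attacker are all constructed for this example, and only the 16-bit TXID check is modelled. It also includes a small check a tester can run over TXIDs pulled from a packet capture of a device under test.

```python
"""Why a monotonically increasing DNS transaction ID (TXID) makes off-path
cache poisoning easy, shown against a randomised TXID.

Added example: these resolver models are constructed for illustration and
are not uClibc/uClibc-ng code. Only the 16-bit TXID check is modelled; the
UDP source port is assumed fixed and known to the attacker."""
import random
from typing import Callable, List, Set, Tuple

TXID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits


class MonotonicTxidResolver:
    """Model of the weakness in VU#473698: next TXID = previous TXID + 1."""

    def __init__(self, start: int = 0x1234) -> None:
        self._next = start % TXID_SPACE

    def new_query(self) -> int:
        txid = self._next
        self._next = (txid + 1) % TXID_SPACE
        return txid


class RandomTxidResolver:
    """Model of the fixed behaviour: a fresh random TXID for every query."""

    def __init__(self, rng: random.Random) -> None:
        self._rng = rng

    def new_query(self) -> int:
        return self._rng.randrange(TXID_SPACE)


def forged_txids(observed: int, burst: int) -> Set[int]:
    """TXIDs an attacker stamps on a burst of forged replies after having
    seen `observed` on an earlier query: the next `burst` values in sequence."""
    return {(observed + k) % TXID_SPACE for k in range(1, burst + 1)}


def poisoning_success_rate(make_resolver: Callable[[], object],
                           trials: int, burst: int) -> float:
    """Fraction of trials in which a forged reply carries the right TXID."""
    hits = 0
    for _ in range(trials):
        resolver = make_resolver()
        # 1. Attacker gets the resolver to query a zone they control and reads
        #    the TXID from the query arriving at their own name server.
        observed = resolver.new_query()
        # 2. Attacker triggers a lookup of the victim name and floods `burst`
        #    forged replies before the genuine answer arrives. In this model
        #    the resolver accepts a reply if and only if the TXID matches.
        victim_txid = resolver.new_query()
        if victim_txid in forged_txids(observed, burst):
            hits += 1
    return hits / trials


def compare_resolvers(trials: int = 2000, burst: int = 16,
                      seed: int = 1) -> Tuple[float, float]:
    """Success rate against the weak and the fixed resolver, same burst size."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    weak = poisoning_success_rate(
        lambda: MonotonicTxidResolver(rng.randrange(TXID_SPACE)), trials, burst)
    fixed = poisoning_success_rate(
        lambda: RandomTxidResolver(rng), trials, burst)
    return weak, fixed


def txids_look_predictable(txids: List[int], max_step: int = 4) -> bool:
    """Check for a capture from a device under test: flag it if every
    consecutive pair of TXIDs increases by a small step (wrap-aware)."""
    if len(txids) < 3:
        return False
    steps = [(b - a) % TXID_SPACE for a, b in zip(txids, txids[1:])]
    return all(1 <= s <= max_step for s in steps)


if __name__ == "__main__":
    weak, fixed = compare_resolvers()
    print(f"poisoning success with 16 forged replies: "
          f"monotonic TXID {weak:.3f}, random TXID {fixed:.5f}")
    # Constructed TXID sequence resembling a vulnerable device's queries
    print(txids_look_predictable([0x2A10, 0x2A11, 0x2A12, 0x2A13, 0x2A14]))
```

With a counter, a single observed TXID lets the attacker name the next one exactly, so even a burst of one forged reply wins every time; with a random 16-bit TXID the same burst of 16 succeeds in roughly 16/65536 of attempts, and in a real deployment source port randomisation multiplies the search space further. The capture check is deliberately tolerant of small steps so that interleaved queries from other processes do not hide the pattern.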
Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server (CVE-2022-43769, CVE-2022-43939, CVE-2022-43773, CVE-2022-43938)
A few months ago I was working on an engagement where Pentaho was used to collect data and generate reports. [..] I found a total of eight vulnerabilities, three of which enable command execution on the residing host. [..] 31 March 2023: Vendor released patches, but no public CVE disclosure.
https://research.aurainfosec.io/pentest/pentah0wnage/
Nexx Smart Home Device
AFFECTED PRODUCTS
- Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
- Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
- Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1 and prior
https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01
Patch day: Android holes with critical risk plugged
For the April patch day, Google has closed security holes in the Android operating system, some of which the developers rate as critical.
https://heise.de/-8522365
Sophos: critical security hole in Web Appliance allows code injection
Sophos has closed security holes in the Web Appliance (SWA) that allow attackers, among other things, to execute arbitrary code.
https://heise.de/-8525279
Security updates for Tuesday
Security updates have been issued by Fedora (openbgpd and seamonkey), Red Hat (httpd:2.4, kernel, kernel-rt, and pesign), SUSE (compat-openssl098, dpdk, drbd, ImageMagick, nextcloud, openssl, openssl-1_1, openssl-3, openssl1, oracleasm, pgadmin4, terraform-provider-helm, and yaml-cpp), and Ubuntu (haproxy, ldb, samba, and vim).
https://lwn.net/Articles/928294/
Netty Vulnerabilities 4.0.37
https://www.ibm.com/support/pages/node/6980407
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-26283)
https://www.ibm.com/support/pages/node/6980411
IBM Sterling Order Management Golang Go Vulnerability
https://www.ibm.com/support/pages/node/6980457
Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1)
https://www.ibm.com/support/pages/node/6962855
IBM Aspera Faspex 5.0.5 has addressed CVE-2022-4304
https://www.ibm.com/support/pages/node/6980501
IBM Security Verify Access Appliance includes components with known vulnerabilities (CVE-2022-29154, CVE-2022-0391)
https://www.ibm.com/support/pages/node/6980521
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-23477)
https://www.ibm.com/support/pages/node/6980519
Vulnerability in py library affects IBM Cloud Pak for Data System 1.0 (CPDS 1.0) [CVE-2022-42969]
https://www.ibm.com/support/pages/node/6980723
Vulnerability in cryptography affects IBM Cloud Pak for Data System 1.0 (CPDS 1.0) [CVE-2023-0286]
https://www.ibm.com/support/pages/node/6980351
A security vulnerability has been identified in WebSphere® Application Server shipped with IBM® Intelligent Operations Center (CVE-2023-26283)
https://www.ibm.com/support/pages/node/6980725
IBM Event Streams is affected by vulnerabilities in the jsonwebtoken package (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541)
https://www.ibm.com/support/pages/node/6980727
IBM Event Streams is affected by vulnerabilities in Node.js (CVE-2022-25927 and CVE-2022-25881)
https://www.ibm.com/support/pages/node/6980735
IBM Event Streams is affected by a vulnerability in Apache Kafka (CVE-2023-25194)
https://www.ibm.com/support/pages/node/6980743
IBM Event Streams is vulnerable to a denial of service due to Redis (CVE-2023-25155)
https://www.ibm.com/support/pages/node/6980747
Multiple vulnerabilities have been identified in IBM HTTP Server used by IBM Rational ClearQuest
https://www.ibm.com/support/pages/node/6980737
IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403)
https://www.ibm.com/support/pages/node/6956289
CVE-2022-41721 may affect IBM CICS TX Standard
https://www.ibm.com/support/pages/node/6980755
IBM Security Guardium is affected by multiple vulnerabilities
https://www.ibm.com/support/pages/node/6963075
IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159)
https://www.ibm.com/support/pages/node/6960215
IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690)
https://www.ibm.com/support/pages/node/6963650
IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509)
https://www.ibm.com/support/pages/node/6963077
IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853)
https://www.ibm.com/support/pages/node/6960211
There are several vulnerabilities in Bootstrap used by IBM Maximo Asset Management
https://www.ibm.com/support/pages/node/6980757
IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715)
https://www.ibm.com/support/pages/node/6828569