End-of-Day report
Timeframe: Dienstag 04-04-2023 18:00 - Mittwoch 05-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Open garage doors anywhere in the world by exploiting this -smart- device
A universal password. Unencrypted user data and commands. What could go wrong?
A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed.
Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.
Immediately unplug all Nexx devices
https://arstechnica.com/?p=1929120
Exploration of DShield Cowrie Data with jq, (Wed, Apr 5th)
There have been other diaries [1][2] showing how to explore JSON data with jq [3]. We'll review some options to understand unfamiliar JSON data and ways to filter that information. Using tools like Security Information and Event Management (SIEM) systems can help aggregate data and make it more easily searched and visualized. There are still times where being able to quickly search JSON data can be useful, especially if a SIEM option is not immediately available.
https://isc.sans.edu/diary/rss/29714
ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs
An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution. An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network. Unlike other ALPHV affiliates, UNC4466 doesn-t rely on stolen credentials for initial access to victim environments. Mandiant [...]
https://securityaffairs.com/144438/cyber-crime/alphv-blackcat-ransomware-veritas-flaws.html
Deobfuscating the Recent Emotet Epoch 4 Macro
This analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscating-the-recent-emotet-epoch-4-macro/
Cyber-Betrüger: Zahlungsaufforderung für Lösegeld - jedoch ohne Ransomware
Auf die aktuell häufigen Cyber-Attacken stürzen sich weitere Betrüger. Sie verschicken Mails mit Zahlungsaufforderungen, ohne Ransomware eingeschleust zu haben.
https://heise.de/-8587724
Pre-ransomware notifications are paying off right from the bat
CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023.
Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we-ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred.
https://www.malwarebytes.com/blog/news/2023/04/pre-ransomware-notifications-are-paying-off-right-from-the-bat
Detecting Karakurt - an extortion focused threat actor
NCC Group-s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.
https://research.nccgroup.com/2023/04/05/detecting-karakurt-an-extortion-focused-threat-actor/
Markenfälschungen im Online-Handel - So schützen Sie sich!
Wer im Internet nach Markenkleidung, Uhren, Accessoires oder aber Medikamenten sucht, stößt häufig auf unseriöse Angebote. In einigen Fällen führt eine Bestellung günstiger Markenprodukte zum Erhalt eines gefälschten Produkts, manchmal erhält man gar nichts und insbesondere bei Medikamenten kann das Produkt sogar gefährlich sein. Worauf man in Online-Shops und auf Plattformen wie Amazon achten kann, um sich zu schützen [...]
https://www.watchlist-internet.at/news/markenfaelschungen-im-online-handel-so-schuetzen-sie-sich/
How we-re protecting users from government-backed attacks from North Korea
Googles Threat Analysis Group shares information on ARCHIPELAGO as well as the work to stop government-backed attackers.
https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/
MS OneNote soll künftig 120 gefährliche Filetypen blockieren
Microsoft reagiert wohl auf den Umstand, dass OneNote inzwischen als Malware-Schleuder für Systeme missbraucht wird. Die Anwendung soll zukünftig 120 gefährliche Filetypen blockieren, so dass diese durch Downloads aus dem Internet nicht mehr für Malware-Angriffe missbraucht werden können.
https://www.borncity.com/blog/2023/04/05/ms-onenote-soll-knftig-120-gefhrliche-filetypen-blockieren/
Vulnerabilities
Multiple Vulnerabilities in Autodesk® InfoWorks® software
Autodesk® InfoWorks® WS Pro and InfoWorks® ICM have been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Patch releases are available in Autodesk Access or the Accounts Portal or the Innovyze Web Portal to help resolve these vulnerabilities. The patch versions are listed below.
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0001
Chrome 112: 16 Sicherheitslücken gestopft
Google hat den Webbrowser Chrome in Version 112 freigegeben. Die Entwickler dichten 16 Schwachstellen ab. Chromium-basierte Browser dürften bald nachziehen.
https://heise.de/-8572482
Technical Advisory - play-pac4j Authentication rule bypass
Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the full URI provided in a user-s HTTP request. If a requested URI matches one of these expressions, the associated authentication rule will be applied. These rules are only intended to validate the path and query string section of a URL.
https://research.nccgroup.com/2023/04/05/technical-advisory-play-pac4j-authentication-rule-bypass/
Security updates for Wednesday
Security updates have been issued by Debian (ghostscript and openimageio), Fedora (kernel, rubygem-actioncable, rubygem-actionmailbox, rubygem-actionmailer, rubygem-actionpack, rubygem-actiontext, rubygem-actionview, rubygem-activejob, rubygem-activemodel, rubygem-activerecord, rubygem-activestorage, rubygem-activesupport, rubygem-rails, and rubygem-railties), Oracle (gnutls, httpd, kernel, nodejs:16, nodejs:18, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Red Hat (gnutls, httpd, httpd:2.4, kernel, kpatch-patch, pcs, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Scientific Linux (httpd and tigervnc, xorg-x11-server), SUSE (aws-efs-utils.11048, libheif, liblouis, openssl, python-cryptography, python-Werkzeug, skopeo, tomcat, and wireshark), and Ubuntu (imagemagick, ipmitool, and node-trim-newlines).
https://lwn.net/Articles/928408/
Kritische Schwachstelle CVE-2023-1707 in HP-Drucker-Firmware, kein Patch verfügbar
Die Firmware von verschiedenen Laser-Drucker ist gegenüber der Schwachstelle CVE-2023-1707 anfällig. Bestimmte HP Enterprise LaserJet und HP LaserJet sind in verwalteten Umgebungen potenziell anfällig für die Offenlegung von Informationen, wenn IPsec mit FutureSmart Version 5.6 aktiviert ist.
https://www.borncity.com/blog/2023/04/05/kritische-schwachstelle-cve-2023-1707-in-hp-drucker-firmware-kein-patch-verfgbar/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/