End-of-Day report
Timeframe: Tuesday 11-04-2023 18:00 - Wednesday 12-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Patch Tuesday: Attackers infect Windows with Nokoyawa ransomware
Microsoft has released important security updates for products including Azure, Dynamics 365 and Windows.
https://heise.de/-8935888
BSI warns of critical zero-day vulnerabilities in the NTP server
A security researcher has reported five vulnerabilities in the NTP time server. The BSI rates the vulnerabilities as critical. No update is available yet.
https://heise.de/-8948528
Waiting for security patches: BIOS vulnerabilities put Lenovo laptops at risk
Attackers could target Lenovo laptops and, in the worst case, execute malicious code. Updates are not yet available.
https://heise.de/-8948481
Phishing alert: "New Fax Document(s) has been received"
E-mails are currently being sent indiscriminately to companies, claiming that the recipients have received a new fax document. To view the document, a link must be clicked. Warning: criminals are attempting to hijack the Microsoft accounts of the affected employees.
https://www.watchlist-internet.at/news/phishing-alarm-new-fax-documents-has-been-received/
Subscription trap instead of a coffee machine giveaway in the name of MediaMarkt
On Facebook, criminals are promoting a fraudulent giveaway in the name of MediaMarkt. DeLonghi coffee machines are promised for only 1.95 euros, supposedly because of a contract termination between the manufacturer and MediaMarkt. In reality, you end up in an expensive subscription trap. The coffee machines do not exist.
https://www.watchlist-internet.at/news/abo-falle-statt-kaffeemaschinen-gewinnspiel-im-namen-von-mediamarkt/
Remote Code Execution (RCE) in Hashicorp Vault
Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. This vulnerability, in certain conditions, allows attackers to execute code remotely on the target system through a SQL injection attack.
https://www.oxeye.io/blog/rce-through-sql-injection-vulnerability-in-hashicorps-vault
Hacked sites caught spreading malware via fake Chrome updates
Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unaware visitors.
https://www.bleepingcomputer.com/news/security/hacked-sites-caught-spreading-malware-via-fake-chrome-updates/
Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
The Service Accounts Challenge: Can't See or Secure Them Until It's Too Late
Here's a hard question to answer: How many service accounts do you have in your environment? A harder one is: Do you know what these accounts are doing? And the hardest is probably: If any of your service accounts was compromised and used to access resources, would you be able to detect and stop that in real time?
https://thehackernews.com/2023/04/the-service-accounts-challenge-cant-see.html
Another zero-click Apple spyware maker just popped up on the radar again
Malware reportedly developed by a little-known Israeli commercial spyware maker has been found on devices of journalists, politicians, and an NGO worker in multiple countries, say researchers.
https://go.theregister.com/feed/www.theregister.com/2023/04/12/quadream_spyware_microsoft_citizenlab/
Recent IcedID (Bokbot) activity
This week, we've seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments. The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives. The password for the downloaded zip archive is shown in the PDF file. The downloaded zip archives contain EXE files that are digitally signed using a certificate issued by SSL.com.
https://isc.sans.edu/diary/rss/29740
BumbleBee hunting with a Velociraptor
The various detection opportunities described in the report can be useful for organizations to detect an infection in its first stages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma) so they can be used by any company or the wider community.
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages
Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was uncovered by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server.
https://thehackernews.com/2023/04/cryptocurrency-stealer-malware.html
Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts
On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts.
https://www.wordfence.com/blog/2023/04/update-now-severe-vulnerability-impacting-600000-sites-patched-in-limit-login-attempts/
On self-healing code and the obvious issue
While browsing the news in the morning I've found an article on Ars Technica titled "Developer creates 'self-healing' programs that fix themselves thanks to AI". It's about Wolverine, which is an automated extension of what was demoed during the GPT-4 reveal, i.e. the perceived ability of GPT-4 to understand error messages and suggest fixes.
https://gynvael.coldwind.pl/?id=766
Vulnerabilities
Patch Tuesday: Fortinet closes critical and high-risk vulnerabilities
On its April patch day, Fortinet is shipping security updates for numerous products. The vendor rates one of the vulnerabilities closed as critical.
https://heise.de/-8939457
Patch Tuesday: Critical code-execution vulnerabilities closed in Adobe applications
Anyone using Adobe applications should update them to the current version for security reasons.
https://heise.de/-8935948
Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin
On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, [...]
https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin/
Security updates for Wednesday
Security updates have been issued by Fedora (chromium, ghostscript, glusterfs, netatalk, php-Smarty, and skopeo), Mageia (ghostscript, imgagmagick, ipmitool, openssl, sudo, thunderbird, tigervnc/x11-server, and vim), Oracle (curl, haproxy, and postgresql), Red Hat (curl, haproxy, httpd:2.4, kernel, kernel-rt, kpatch-patch, and postgresql), Slackware (mozilla), SUSE (firefox), and Ubuntu (dotnet6, dotnet7, firefox, json-smart, linux-gcp, linux-intel-iotg, and sudo).
https://lwn.net/Articles/928870/
Patch Tuesday: Windows 11/Server 2022 updates (April 11, 2023)
On April 11, 2023 (the second Tuesday of the month, Microsoft's Patch Tuesday), Microsoft also released cumulative updates for Windows 11 22H1 and 22H2. Windows Server 2022 received an update as well. Here are some details on these updates, the vulnerabilities and the problems [...]
https://www.borncity.com/blog/2023/04/12/patchday-windows-11-server-2022-updates-11-april-2023/
FANUC ROBOGUIDE-HandlingPRO
Successful exploitation of this vulnerability could allow an attacker to read and/or overwrite files on the system running the affected software.
https://www.cisa.gov/news-events/ics-advisories/icsa-23-101-01
NVIDIA Display Driver Advisory - March 2023
http://support.lenovo.com/product_security/PS500558-NVIDIA-DISPLAY-DRIVER-ADVISORY-MARCH-2023
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/