Daily summary - 13.04.2023

End-of-Day report

Timeframe: Wednesday 12-04-2023 18:00 - Thursday 13-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer

News

(Patched, but nevertheless) nasty security vulnerability in (an optional component of) Microsoft Windows

There is a certain irony in the fact that most of the blog posts of the past months dealing with security vulnerabilities in Microsoft products were written by the CERT staff member whose knowledge of Windows, Office and all the rest is probably by far the weakest - and with that, welcome to another post that fully meets these criteria.

https://cert.at/de/blog/2023/4/gepatchte-aber-dennoch-uble-sicherheitslucke-in-einer-optionalen-komponente-von-microsoft-windows


NTP vulnerability: apparently less threatening than initially assumed

All clear: after the BSI warning about a critical vulnerability in NTP, IT experts analysing the issue arrive at a lower threat level. NTP intends to deliver patches.

https://heise.de/-8949340


Uncommon infection methods-part 2

Kaspersky researchers discuss infection methods used by the Mirai-based RapperBot, the Rhadamanthys stealer, and CUEMiner: smart brute forcing, malvertising, and distribution through BitTorrent and OneDrive.

https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/


New Python-Based "Legion" Hacking Tool Emerges on Telegram

An emerging Python-based credential harvester and hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.

https://thehackernews.com/2023/04/new-python-based-legion-hacking-tool.html


Indirect Prompt Injection Threats

If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a social engineer who seeks out and exfiltrates personal information. The user doesn't have to ask about the website or do anything except interact with Bing Chat while the website is open in the browser.

https://greshake.github.io/


Malware Disguised as Document from Ukraine's Energoatom Delivers Havoc Demon Backdoor

[...] FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company Energoatom, a state-owned enterprise that operates Ukraine's nuclear power plants. [...] Aside from highlighting the technical details of this latest multi-staged attack [...] this article also discusses some strange artifacts that make us think this could be a work-in-progress or part of a red-team exercise.

https://www.fortinet.com/blog/threat-research/malware-disguised-as-document-ukraine-energoatom-delivers-havoc-demon-backdoor


BSI study: common microcontrollers are susceptible to hardware attacks

Hardware security tokens and crypto wallets, smart locks and point-of-sale systems are easy prey for attackers, warn Fraunhofer researchers in a study commissioned by the BSI.

https://heise.de/-8949244


Beware of fake holiday offers!

The holiday season is slowly but surely approaching, and that also brings criminals onto the scene. Fraudulent providers such as Kofi Vermittlung (kofireisen.com) try to rip you off with supposedly cheap offers! When booking your holiday, watch out for the following warning signs so you get relaxing holidays instead of a cost trap!

https://www.watchlist-internet.at/news/vorsicht-vor-fake-urlaubsangeboten/


Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land

The Vice Society ransomware gang exfiltrated victim network data using a custom Microsoft PowerShell script. We dissect how each function of it works.

https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/

Vulnerabilities

Software development: Jenkins plug-ins vulnerable, many updates still outstanding

Software development environments using Jenkins can be attacked. So far only a few of the affected plug-ins have been secured.

https://heise.de/-8949204


Security updates: network analysis tool Wireshark susceptible to DoS attacks

The Wireshark developers have released two new versions of the tool. Among other things, they closed three security vulnerabilities.

https://heise.de/-8949661


Security updates for Thursday

Security updates have been issued by Debian (chromium, firefox-esr, lldpd, and zabbix), Fedora (ffmpeg, firefox, pdns-recursor, polkit, and thunderbird), Oracle (kernel and nodejs:14), Red Hat (nodejs:14, openvswitch2.17, openvswitch3.1, and pki-core:10.6), Slackware (mozilla), SUSE (nextcloud-desktop), and Ubuntu (exo, linux, linux-kvm, linux-lts-xenial, linux-aws, smarty3, and thunderbird).

https://lwn.net/Articles/928976/


Windows 7/Server 2008 R2; Server 2012 R2: updates (11 April 2023)

On 11 April 2023, various security updates were released for Windows Server 2008 R2 (in its 4th ESU year) and for Windows Server 2012/R2 (the updates can possibly also still be installed on Windows 7 SP1).

https://www.borncity.com/blog/2023/04/13/windows-7-server-2008-r2-server-2012-r2-updates-11-april-2023/


Patchday: Microsoft Office updates (11 April 2023)

On 11 April 2023 (second Tuesday of the month, Microsoft Patchday), Microsoft released several security-relevant updates for still-supported Microsoft Office versions and other products. Support for Office 2013 ends with the April 2023 Patchday.

https://www.borncity.com/blog/2023/04/13/patchday-microsoft-office-updates-11-april-2023/


Drupal: Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013

https://www.drupal.org/sa-contrib-2023-013


Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data

https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-solutions-exposes-video-security-data/


Mattermost security updates 7.9.2 / 7.8.3 (ESR) / 7.7.4 / 7.1.8 (ESR) released

https://mattermost.com/blog/mattermost-security-updates-7-9-2-7-8-3-esr-7-7-4-7-1-8-esr-released/


Multiple Vulnerabilities in the Autodesk® AutoCAD® Desktop Software

https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0005


MISP 2.4.170 released with new features, workflow improvements and bugs fixed

https://github.com/MISP/MISP/releases/tag/v2.4.170


CVE-2023-0004 PAN-OS: Local File Deletion Vulnerability (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2023-0004


CVE-2023-0005 PAN-OS: Exposure of Sensitive Information Vulnerability (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2023-0005


CVE-2023-0006 GlobalProtect App: Local File Deletion Vulnerability (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2023-0006


Spring Framework 6.0.8, 5.3.27 and 5.2.24.RELEASE fix cve-2023-20863

https://spring.io/blog/2023/04/13/spring-framework-6-0-8-5-3-27-and-5-2-24-release-fix-cve-2023-20863


B. Braun Battery Pack SP with Wi-Fi

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-103-01


DataPower Operations Dashboard vulnerable to multiple CVEs

https://www.ibm.com/support/pages/node/6983234


AIX is vulnerable to arbitrary command execution due to invscout (CVE-2023-28528)

https://www.ibm.com/support/pages/node/6983232


AIX is vulnerable to arbitrary command execution (CVE-2023-26286)

https://www.ibm.com/support/pages/node/6983236


Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

https://www.ibm.com/support/pages/node/6983270


A CVE-2021-28165 vulnerability in Eclipse Jetty affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow

https://www.ibm.com/support/pages/node/6983272


Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - January 2023 CPU plus deferred CVE-2022-21426

https://www.ibm.com/support/pages/node/6983454


A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24998)

https://www.ibm.com/support/pages/node/6983456


IBM Maximo Asset Management is vulnerable to HTML injection (CVE-2023-27864)

https://www.ibm.com/support/pages/node/6983460


IBM Security Verify Governance is vulnerable to remote attacks to execute arbitrary code on the system [CVE-2013-4521, CVE-2013-2165 and CVE-2018-14667]

https://www.ibm.com/support/pages/node/6983480


IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities.

https://www.ibm.com/support/pages/node/6983482


IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to denial of service due to [CVE-2022-37603]

https://www.ibm.com/support/pages/node/6983484


A security vulnerability has been identified in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24998)

https://www.ibm.com/support/pages/node/6983486


A vulnerability has been identified in IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-0482)

https://www.ibm.com/support/pages/node/6983490


A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM® Java SDK CPU January 2023)

https://www.ibm.com/support/pages/node/6983492
