End-of-Day report
Timeframe: Friday 14-04-2023 18:00 - Monday 17-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Juice Jacking: FBI warns of public USB charging stations without any specific trigger
Attackers could compromise USB charging stations at airports and similar places in order to push malware onto smartphones. However, this is not really new.
https://heise.de/-8966067
Zero-Day: Pinduoduo was able to steal data and install malware
The Chinese Android app Pinduoduo was able to abuse a zero-day vulnerability in Android. CISA urges users to apply the Android update.
https://heise.de/-8968204
Out-of-band update: Google Chrome 112.0.5615.121 and Edge 112.0.1722.48
On 14 April 2023 Google released out-of-band updates of the Google Chrome browser 112 in the Extended and Stable channels for Mac, Linux and Windows. Microsoft updated Edge version 112 at the same time. These are security updates that close the vulnerability CVE-2023-2033, which is rated as high.
https://www.borncity.com/blog/2023/04/16/google-chrome-112-0-5615-121-sonderupdate/
Dating: On live-treffen.com & royacca.com you pay to chat with fake profiles
On the dating platforms live-treffen.com & royacca.com you quickly find interesting people. Whether these are real persons is unclear, because the platforms use "professional animators" who chat with you. The problem: every message costs money, and you do not know whether you are writing with real or fictitious profiles.
https://www.watchlist-internet.at/news/dating-auf-live-treffencom-royaccacom-chatten-sie-kostenpflichtig-mit-fake-profilen/
Android malware infiltrates 60 Google Play apps with 100M installs
A new Android malware named Goldoson has infiltrated the platform's official app store, Google Play, through 60 apps that collectively have 100 million downloads.
https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/
Hackers start abusing Action1 RMM in ransomware attacks
Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/
QBot banker delivered through business correspondence
In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mails that were based on real business letters the attackers had gotten access to.
https://securelist.com/qbot-banker-business-correspondence/109535/
FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks
A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed Domino, is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer [...]
https://thehackernews.com/2023/04/fin7-and-ex-conti-cybercrime-gangs-join.html
Bypassing Windows Defender (10 Ways)
In this article I will be explaining 10 ways/techniques to bypass a fully updated Windows system with up-to-date Windows Defender intel in order to execute unrestricted code (other than permissions/ACLs, that is).
https://www.fo-sec.com/articles/10-defender-bypass-methods
LockBit Ransomware Group Developing Malware to Encrypt Files on macOS
The LockBit ransomware gang is developing malware designed to encrypt files on macOS systems and researchers have analyzed if it poses a real threat.
https://www.securityweek.com/lockbit-ransomware-group-developing-malware-to-encrypt-files-on-macos/
Trigona Ransomware Attacking MS-SQL Servers
AhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered in October 2022, and Unit 42 has recently published a report based on the similarity between Trigona and the CryLock ransomware.
https://asec.ahnlab.com/en/51343/
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (chromium, rails, and ruby-rack), Fedora (firefox, ghostscript, libldb, samba, and tigervnc), Mageia (ceph, davmail, firefox, golang, jpegoptim, libheif, python-certifi, python-flask-restx, thunderbird, and tomcat), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (apache2-mod_auth_openidc, aws-nitro-enclaves-cli, container-suseconnect, firefox, golang-github-prometheus-prometheus, harfbuzz, java-1_8_0-ibm, kernel, liblouis, php7, tftpboot-installation images, tomcat, and wayland), and Ubuntu (chromium-browser, imagemagick, kamailio, and libreoffice).
https://lwn.net/Articles/929303/
K000133522 : Apache mod_proxy_wstunnel vulnerability CVE-2019-17567
https://my.f5.com/manage/s/article/K000133522?utm_source=f5support&utm_medium=RSS
Microsoft Defender Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24934
Vulnerabilities in Samba shipped with IBM OS Image for Red Hat Enterprise Linux System (CVE-2022-32742)
https://www.ibm.com/support/pages/node/6983851
IBM Workload Scheduler potentially affected by a vulnerability found in Json-smart library (CVE-2023-1370)
https://www.ibm.com/support/pages/node/6984157
There is a security vulnerability in Node.js http-cache-semantics module used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-25881)
https://www.ibm.com/support/pages/node/6984165
IBM Cloud Pak for Network Automation 2.4.5 addresses multiple security vulnerabilities
https://www.ibm.com/support/pages/node/6984171
IBM Db2® Graph is vulnerable to remote execution of arbitrary commands due to Node.js CVE-2022-43548
https://www.ibm.com/support/pages/node/6984185