End-of-Day report
Timeframe: Monday 17-04-2023 18:00 - Tuesday 18-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
News
Recycled Core Routers Exposed Sensitive Corporate Network Info
Researchers warn about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data.
https://www.darkreading.com/vulnerabilities-threats/recycled-core-routers-exposed-sensitive-corporate-network-info
YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) that's used to deliver the Aurora information stealer malware.
https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html
Memory corruption in JCRE: An unpatchable HSM may swallow your private key
The key has always been a core target of security protection. Due to the limitation of key slots, most cryptocurrency hardware wallets use MCU chips (such as STM32F205RE) to implement. However, people who have higher security requirements for safeguarding the private keys are often interested in Java cards [...]
https://hardenedvault.net/blog/2023-04-18-java-card-runtime-memory-corruption/
Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight
[...] In order to truly protect ourselves from RaaS gangs, we have to "peel back the onion", so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage. One of the most concerning behaviors we've observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more.
https://www.malwarebytes.com/blog/business/2023/04/living-off-the-land-lotl-attacks-detecting-ransomware-gangs-hiding-in-plain-sight
New Captcha Protected Phishing Attack Targets Access to Payroll Files
We have discovered a new phishing attack that specifically targets individuals who need access to payroll files through Microsoft Teams.
https://cyberwarzone.com/new-captcha-protected-phishing-attack-targets-access-to-payroll-files/
Security updates: Trend Micro Security makes Windows PCs vulnerable
There is an important update for the antivirus application Trend Micro Security for Windows.
https://heise.de/-8969449
US agency: vulnerability in old macOS is being exploited for attacks
According to the cyber security agency, there are indications of active attacks. No patches are available for very old Macs.
https://heise.de/-8970903
Classified-ad fraud: beware when someone wants to pay by cheque
You are selling a bicycle on Ländleanzeiger.at. An interested party gets in touch and wants to buy it. Because the buyer currently has no access to their bank account, they want to pay by cheque. After a few days a cheque actually arrives, but for a far too high amount. Beware: the cheque is fake. Break off contact; you are being scammed.
https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-wenn-jemand-per-scheck-bezahlen-moechte/
Shodan Verified Vulns 2023-04-01
As of 2023-04-01, Shodan sees the following vulnerabilities in Austria: This month, no really noteworthy changes stand out.
https://cert.at/de/aktuelles/2023/4/shodan-verified-vulns-2023-04-01
APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers
APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
Windows 10/11: Microsoft releases fix for OOBE BitLocker failure bug
Microsoft promotes BitLocker for encrypting drives under Windows. But there are recurring bugs that prevent encryption or give third parties unauthorized access to encrypted drives. A Microsoft support engineer has now disclosed a case in which BitLocker is not activated during the Out-of-the-Box Experience (OOBE) phase of the Windows installation.
https://www.borncity.com/blog/2023/04/18/windows-10-11-microsoft-verffentlicht-fix-fr-oobe-bitlocker-ausfall-bug/
Automating Qakbot Detection at Scale With Velociraptor
This blog offers a practical methodology to extract configuration data from recent Qakbot samples.
https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/
Vulnerabilities
Garrett: PSA: upgrade your LUKS key derivation function
[...] the LUKS1 header format, and the only KDF supported in this format is PBKDF2. This is not a memory expensive KDF, and so is vulnerable to GPU-based attacks. But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id.
https://lwn.net/Articles/929343/
New sandbox escape PoC exploit available for VM2 library, patch now
Security researchers have released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on the host running the VM2 sandbox. [...]
https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-exploit-available-for-vm2-library-patch-now/
Security updates for Tuesday
Security updates have been issued by Debian (protobuf), Fedora (libpcap, libxml2, openssh, and tcpdump), Mageia (kernel and kernel-linus), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (gradle, kernel, nodejs10, nodejs12, nodejs14, openssl-3, pgadmin4, rubygem-rack, and wayland), and Ubuntu (firefox).
https://lwn.net/Articles/929389/
Multiple critical vulnerabilities in Strapi versions <=4.7.1
Strapi had multiple critical vulnerabilities that could be chained together to gain unauthenticated remote code execution. This is my public disclosure of the vulnerabilities I found in Strapi, how they were patched and some nonsensical ramblings.
https://www.ghostccamm.com/blog/multi_strapi_vulns/
Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products
https://www.wordfence.com/blog/2023/04/hiding-in-plain-sight-cross-site-scripting-vulnerabilities-patched-in-weaver-products/
Omron CS/CJ Series
https://www.cisa.gov/news-events/ics-advisories/icsa-23-108-01
Spring Security 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 released, fix CVE-2023-20862
https://spring.io/blog/2023/04/17/spring-security-6-1-0-rc1-6-0-3-5-8-3-and-5-7-8-released-fix-cve-2023-20862
Kubernetes kube-apiserver vulnerability
https://www.ibm.com/support/pages/node/6982927
IBM Sterling Order Management Golang Go Vulnerability
https://www.ibm.com/support/pages/bulletin/search?q=IBM%20Sterling%20Order%20Management
Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST
https://www.ibm.com/support/pages/node/6984199
IBM InfoSphere Information Server is affected by a vulnerability in libcurl (CVE-2022-32221)
https://www.ibm.com/support/pages/node/6984203
Vulnerabilities in IBM Java included with IBM Tivoli Monitoring.
https://www.ibm.com/support/pages/node/6854647
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server and WebSphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6984345
Security Bulletin: The IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6
https://www.ibm.com/support/pages/node/6984347
Vulnerabilities in Apache Shiro (CVE-2022-40664) and Apache Commons FileUpload (CVE-2023-24998) affect IBM WebSphere Service Registry and Repository.
https://www.ibm.com/support/pages/node/6962169
Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST
https://www.ibm.com/support/pages/node/6984413