Daily summary - 19.04.2023

End-of-Day report

Timeframe: Tuesday 18-04-2023 18:00 - Wednesday 19-04-2023 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Critical Patch Update: Oracle addresses 433 security vulnerabilities

Software vendor Oracle has released numerous security updates for its applications. Some of the vulnerabilities are rated critical.

https://heise.de/-8971485


Security updates: Dell only now secures laptops that have been vulnerable since 2022

BIOS updates for Dell models, including the Alienware and Inspiron series, close two security vulnerabilities.

https://heise.de/-8971821


When old routers give away company secrets

When decommissioning their old hardware, many companies throw the baby out with the bathwater.

https://www.welivesecurity.com/deutsch/2023/04/18/wenn-alte-router-firmengeheimnisse-preisgeben/


Hackers actively exploit critical RCE bug in PaperCut servers

Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers.

https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/


Zaraza Bot Targets Google Chrome to Extract Login Credentials

The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.

https://www.darkreading.com/remote-workforce/zaraza-bot-targets-google-chrome-extract-login-credentials


SecurePwn Part 1: Bypassing SecurePoint UTM's Authentication (CVE-2023-22620)

While working on a recent customer penetration test, I discovered two fascinating and somewhat weird bugs in SecurePoint's UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an attacker to bypass the entire authentication and gain access to the firewall's administrative panel. [...] The second one, aka CVE-2023-22897, is a heartbleed-like bug that allows the leaking of remote memory contents and is discussed in a second blog post.

https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-utms-authentication-cve-2023-22620/


SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897)

While my last finding affecting SecurePoint's UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. [...] I've responsibly coordinated both vulnerabilities with the vendor SecurePoint and notified them about both issues on 5th January 2023. They did an amazing job acknowledging the vulnerability and providing a fix within a single business day. I barely see (hardware) vendors reacting so fast. Well done!

https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/


Threat Actors Rapidly Adopt Web3 IPFS Technology

Web3 technologies are seeing widespread adoption - including by TAs. We discuss Web3 technology InterPlanetary File System (IPFS), and malicious use of it.

https://unit42.paloaltonetworks.com/ipfs-used-maliciously/


Play Ransomware Group Using New Custom Data-Gathering Tools

Tools allow attackers to harvest data typically locked by the operating system.

https://symantec-enterprise-blogs.security.com/threat-intelligence/play-ransomware-volume-shadow-copy


Raspberry Robin: Anti-Evasion How-To & Exploit Analysis

During the last year, Raspberry Robin has evolved to be one of the most widely distributed malware families currently active. During this time, it is likely to have been used by many actors to distribute their own malware such as IcedID, Clop ransomware and more.

https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/


Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 2

In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog [...]

https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2


DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks

NoName057(16) is still conducting DDoS attacks on the websites of institutions and companies in European countries. The new Go variant of bots implemented an authentication mechanism to communicate with C2 servers and their proxies. Moreover, the mechanism also provides IP address blocklisting, presumably to hinder the tracking of the project.

https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/

Vulnerabilities

Web browser: New zero-day vulnerability in Google Chrome

Cybercriminals are exploiting a new zero-day vulnerability in the Chrome web browser in the wild. Google is distributing software updates to close the vulnerability.

https://heise.de/-8971427


Security updates for Wednesday

Security updates have been issued by Debian (asterisk), Fedora (lldpd and openssh), Red Hat (curl, kernel, and openvswitch2.13), SUSE (compat-openssl098, glib2, grafana, helm, libgit2, openssl, and openssl-1_1), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and vim).

https://lwn.net/Articles/929533/


Research by Positive Technologies helps to fix vulnerabilities in Nokia NetAct network management system

Nokia has fixed five vulnerabilities in Nokia NetAct found by Positive Technologies experts Vladimir Razov and Alexander Ustinov. Nokia NetAct is used by more than 500 communications service providers to monitor and control telecommunication networks, base stations, and other systems. The vendor was notified of the threat as part of standard responsible disclosure and has fixed the vulnerabilities in new versions of the software.

https://www.ptsecurity.com/ww-en/about/news/research-by-positive-technologies-helps-to-fix-vulnerabilities-in-nokia-netact-network-management-system


WordPress plugin "LIQUID SPEECH BALLOON" vulnerable to cross-site request forgery

https://jvn.jp/en/jp/JVN99657911/


Oracle Critical Patch Update Advisory - April 2023

https://www.oracle.com/security-alerts/cpuapr2023.html


K000133390 : Apache Tomcat vulnerability CVE-2022-45143

https://my.f5.com/manage/s/article/K000133390


K000133547 : Python urllib3 vulnerability CVE-2020-26137

https://my.f5.com/manage/s/article/K000133547


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/