End-of-Day report
Timeframe: Thursday 20-04-2023 18:00 - Friday 21-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform
Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victim's Google account.
https://thehackernews.com/2023/04/ghosttoken-flaw-could-let-attackers.html
Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News.
https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html
VoIP provider 3CX: the double supply-chain attack
An analysis shows that the distribution of the compromised 3CX VoIP client goes back to a preceding supply-chain attack.
https://heise.de/-8974948
CVE-2022-29844: A Classic Buffer Overflow on the Western Digital My Cloud Pro Series PR4100
This post covers an exploit chain demonstrated by Luca Moro (@johncool__) during Pwn2Own Toronto 2022. At the contest, he used a classic buffer overflow to gain code execution on the My Cloud Pro Series PR4100 Network Attached Storage (NAS) device. He also displayed a nifty message on the device.
https://www.zerodayinitiative.com/blog/2023/4/19/cve-2022-29844-a-classic-buffer-overflow-on-the-western-digital-my-cloud-pro-series-pr4100
GitHub Announces New Security Improvements
GitHub this week introduced NPM package provenance and deployment protection rules and announced general availability of private vulnerability reporting.
https://www.securityweek.com/github-announces-new-security-improvements/
Abandoned WordPress Plugin Abused for Backdoor Deployment
Attackers are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject PHP code into web pages.
https://www.securityweek.com/abandoned-wordpress-plugin-abused-for-backdoor-deployment/
Online retailers beware: criminals place fake orders and claw the money back via SEPA direct debit
Criminals are currently trying to get at online retailers' money with supposed orders: the criminals "accidentally" order too much and then demand the already paid amount back from the retailers. At the same time, the fraudsters exploit the SEPA direct debit feature under which payment disputes within a certain period are automatically accepted.
https://www.watchlist-internet.at/news/online-haendlerinnen-aufgepasst-kriminelle-machen-fake-bestellungen-und-holen-sich-per-sepa-lastschrift-das-geld-zurueck/
Vulnerabilities
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0003
CVE identifiers: CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
https://webkitgtk.org/security/WSA-2023-0003.html
VMSA-2023-0007
VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
https://www.vmware.com/security/advisories/VMSA-2023-0007.html
OpenSSL: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
Severity: Low. Issue summary: The AES-XTS cipher decryption implementation for the 64-bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash.
https://www.openssl.org/news/secadv/20230420.txt
Critical vulnerabilities threaten Cisco Industrial Network Director and Modeling Labs
Important security updates are available for several Cisco products. Two vulnerabilities are rated as critical.
https://heise.de/-8975027
Security updates for Friday
Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf).
https://lwn.net/Articles/929828/
CISA Adds Three Known Exploited Vulnerabilities to Catalog
https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-exploited-vulnerabilities-catalog
IBM InfoSphere DataStage Flow Designer is vulnerable to Server-Side Request Forgery
https://www.ibm.com/support/pages/node/6509084
Python is vulnerable to CVE-2022-26488 used in IBM Maximo Application Suite
https://www.ibm.com/support/pages/node/6985049
iText.jar in Tom Sawyer Perspective is vulnerable to XML External Entity
https://www.ibm.com/support/pages/node/6985225