End-of-Day report
Timeframe: Friday 21-04-2023 18:00 - Monday 24-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Decoy Dog malware toolkit found after analyzing 70 billion DNS queries
A new enterprise-targeting malware toolkit called Decoy Dog has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.
https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-dns-queries/
Open Source: Deleted Curl Instance Breaks Windows Updates
Even when security scanners warn about unpatched software, Windows system components such as Curl should not be tampered with.
https://www.golem.de/news/open-source-geloeschte-curl-instanz-zerschiesst-windows-updates-2304-173666.html
New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web
A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said.
https://thehackernews.com/2023/04/new-all-in-one-evilextractor-stealer.html
XWorm RAT: Avira Security Experts Warn of Malware
Security experts at Avira are warning of the XWorm RAT malware.
https://heise.de/-8976282
"Emergency Start" via CAN Bus Hack: Old Nokia Phone Enables Car Theft With One Click
The recently demonstrated CAN injection attack on the Controller Area Network bus system is spreading further. More and more "emergency start" kits are turning up.
https://heise.de/-8976444
Bumblebee Malware: Hunting for Victims With Malvertising for Trojanized Installers
IT researchers have discovered trojanized installers for professional software. According to them, the installers are promoted through malvertising and contain the Bumblebee malware.
https://heise.de/-8977016
Fake Shops for Car Tires Are Booming
Are you looking for cheap car tires online? Take a close look at the online shop, because countless fake shops are in circulation! The fraudulent shops look very professional, have a legal notice (Impressum) and unbeatable prices. We show you how to check shops.
https://www.watchlist-internet.at/news/fake-shops-fuer-autoreifen-boomen/
TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal
Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451.
https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
Updates and Timeline for 3CX and X_Trader Hacks
Mandiant revealed this week that the hack of 3CX was actually a double supply-chain hack that first involved hacking and compromising another company's software. Here's a timeline of the events.
https://zetter.substack.com/p/updates-and-timeline-for-3cx-and
Nearly Two Thirds of XIoT Vulnerabilities Remotely Exploitable
In terms of security, we are probably heading for a disaster - I have had Claroty's State of XIoT Security Report: 2H 2022 on hand for several days now. It does show the positive effects of increased vulnerability research and higher vendor investment in XIoT security. But the message is also that the number of vulnerabilities discovered in this area has increased by 80 %. Many XIoT vulnerabilities are also remotely exploitable.
https://www.borncity.com/blog/2023/04/23/knapp-zwei-drittel-der-xiot-schwachstellen-remote-ausnutzbar/
ViperSoftX Updates Encryption, Steals Data
We observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious. We also noted more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking.
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries
What if you were told that you had a misconfigured registry with hundreds of millions of software artifacts containing highly confidential and sensitive proprietary code and secrets exposed in your environment right now? This would be what you'd call a really bad day for security. Recently, the Aqua Nautilus research team found just that in some of the world's largest organizations, including five Fortune 500 companies.
https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries
Vulnerabilities
Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges
The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges.
https://blog.talosintelligence.com/vuln-spotlight-ibm-aix-privilege-escalation/
APC warns of critical unauthenticated RCE flaws in UPS software
APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether.
https://www.bleepingcomputer.com/news/security/apc-warns-of-critical-unauthenticated-rce-flaws-in-ups-software/
Patch Now! Attackers Are Targeting Print Management Solution Papercut MF/NG
A critical vulnerability puts systems running Papercut at risk. Security updates are available.
https://heise.de/-8976755
Solarwinds Update Fixes Two High-Risk Vulnerabilities
Solarwinds is closing several vulnerabilities with software updates, two of which are rated high-risk. Those responsible for IT should update promptly.
https://heise.de/-8976832
Security Patches: Attackers Could Target Nvidia Cuda, DGX-1 & Co.
Nvidia has released important security updates for various products. Admins should act quickly.
https://heise.de/-8976961
Security updates for Monday
Security updates have been issued by Debian (389-ds-base, chromium, connman, curl, redis, and thunderbird), Fedora (ceph, doctl, dr_libs, ffmpeg, freeimage, golang-github-digitalocean-godo, insight, libreswan, mingw-binutils, mingw-freeimage, mingw-freetype, openvswitch, rnp, suricata, webkitgtk, and wireshark), Mageia (dnsmasq, emacs, openimageio, php-smarty, redis, squirrel/supertux, and tcpdump), Red Hat (emacs), and SUSE (avahi, chromium, dmidecode, indent, jettison, openssl, openstack-cinder, openstack-nova, python-oslo.utils, and ovmf).
https://lwn.net/Articles/930052/
Multiple Vulnerabilities in Autodesk® InfraWorks® Software
Autodesk® InfraWorks® has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Hotfixes are available in the Autodesk Desktop App or the Accounts Portal to help resolve these vulnerabilities.
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0007
ZDI-23-451: (Pwn2Own) TP-Link Archer AX21 merge_country_config Command Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-451/
ZDI-23-452: (Pwn2Own) TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-452/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/