End-of-Day report
Timeframe: Tuesday 25-04-2023 18:00 - Wednesday 26-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Never Connect to RDP Servers Over Untrusted Networks
In this article, we will demonstrate why connecting using the Remote Desktop Protocol (RDP) must be avoided on untrusted networks like in hotels, conferences, or public Wi-Fi. Protecting the connection with a VPN or a Remote Desktop Gateway is the only safe alternative.
https://www.gosecure.net/blog/2023/04/26/never-connect-to-rdp-servers-over-untrusted-networks/
So you think you can block Macros?
For the purpose of securing Microsoft Office installs we see many of our customers moving to a macro signing strategy. Furthermore, Microsoft is trying to battle macro malware by enforcing Mark-of-the-Web (MotW) control on macro-enabled documents. In this blog we will dive into some of the quirks of Microsoft Office macro security, various commonly used configuration options and their bypasses.
https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/
Google Authenticator: Warning - backup of the secret "seed" in plaintext
Google has given the Authenticator a backup of the secrets needed to generate the one-time passwords. However, Google receives this data in plaintext.
https://heise.de/-8979932
VMware Workstation and Fusion: vendor patches critical zero-day vulnerability
VMware patches partly critical security vulnerabilities in Workstation and Fusion. Since they were demonstrated at the Pwn2Own conference, they are zero-days.
https://heise.de/-8979106
GuLoader returns with a rotten shipment
We take a look at a GuLoader campaign which comes bundled with an Italian language fake shipment email.
https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rotten-shipment
How to stay up to date with Watchlist Internet!
The range of services offered by Watchlist Internet is growing steadily: we give you an overview of how to stay up to date with us on internet fraud, which services you can find where, and on which channels we are present.
https://www.watchlist-internet.at/news/so-bleiben-sie-mit-der-watchlist-internet-am-laufenden/
Hackers exploit critical security vulnerability in PaperCut printer software
They can take control of a PaperCut server. In addition, sample exploit code is now publicly available.
https://www.zdnet.de/88408703/hacker-greifen-kritische-sicherheitsluecke-in-druckersoftware-papercut-an/
Attackers Use Containers for Profit via TrafficStealer
We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.
https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for-profit-via-trafficstealer.html
Vulnerabilities
VMSA-2023-0008
VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872)
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
Security updates for Wednesday
Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0).
https://lwn.net/Articles/930258/
Insecure authentication in B420 legacy communication module
BOSCH-SA-341298-BT: An authentication vulnerability was found in the B420 Ethernet communication module from Bosch Security Systems. This is a legacy product which is currently obsolete and was announced to reach End of Life (EoL) in 2013. The B420 was last sold in July 2013 and was replaced by the B426. An EoL notice was provided to customers.
https://psirt.bosch.com/security-advisories/bosch-sa-341298-bt.html
Scada-LTS Third Party Component
Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code.
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02
Keysight N8844A Data Analytics Web Service
Successful exploitation of this vulnerability could lead to remote code execution.
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-01
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-73cabdde-en
Security Advisory - Identity Authentication Bypass Vulnerability in Huawei HiLink AI Life Product
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvihhalp-ea34d670-en
Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-2f201af9-en
Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp-6bcddec5-en