Daily summary - 27.04.2023

End-of-Day report

Timeframe: Wednesday 26-04-2023 18:00 - Thursday 27-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer


Google disrupts the CryptBot info-stealing malware operation

Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data.


Cisco discloses XSS zero-day flaw in server management tool

Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.


LimeRAT Malware Analysis: Extracting the Config

ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis.


Healthy security habits to fight credential breaches: Cyberattack Series

This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we'll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks.


Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp.


RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts

The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system.


LUKS: Are old encrypted containers insecure? A guide to updating

The French police reportedly managed to crack a LUKS container. No reason to panic, but a good occasion to review passphrases and LUKS parameters.
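The parameter worth checking first is the key derivation function of each keyslot: a LUKS1 header can only use PBKDF2, while LUKS2 keyslots may use the memory-hard argon2id. The following shell script is an added example, not code from the heise article; it parses `cryptsetup luksDump` output and reports which keyslots still rely on PBKDF2. The two header dumps embedded below are constructed and abbreviated; on a real system you would pipe in `cryptsetup luksDump /dev/sdX` (the device path is an assumption).

```shell
#!/bin/sh
# Added example: classify the PBKDF of every keyslot in `cryptsetup luksDump`
# output. LUKS1 supports PBKDF2 only; LUKS2 slots may be pbkdf2, argon2i or
# argon2id. Not part of the original article.
set -eu

# Constructed, abbreviated LUKS2 dump: slot 0 was carried over from a LUKS1
# container and is still PBKDF2, slot 1 was added later with argon2id.
# The Digests section also says "pbkdf2", but that is the header digest,
# not a passphrase slot, and must not be counted.
SAMPLE_LUKS2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 115000'

# Constructed, abbreviated LUKS1 dump: only the enabled slot counts.
SAMPLE_LUKS1='LUKS header information for /dev/sdX
Version:        1
Key Slot 0: ENABLED
        Iterations:             203847
Key Slot 1: DISABLED'

# Reads a luksDump on stdin and prints "<slot> <pbkdf> <verdict>" per keyslot.
luks_keyslot_report() {
    awk '
        /^Version:/  { version = $2 }
        /^Keyslots:/ { sec = "keyslots" }
        /^Tokens:/ || /^Digests:/ { sec = "other" }
        # LUKS1: every enabled slot is PBKDF2 by design.
        version == 1 && /^Key Slot [0-9]+: ENABLED/ {
            sub(":", "", $3); print $3, "pbkdf2", "WEAK"
        }
        # LUKS2: remember the slot number, then judge its PBKDF line.
        version == 2 && sec == "keyslots" && /^  [0-9]+: luks2/ {
            sub(":", "", $1); slot = $1
        }
        version == 2 && sec == "keyslots" && /^[ \t]+PBKDF:/ {
            print slot, $2, ($2 == "pbkdf2" ? "WEAK" : "OK")
        }
    '
}

# Exit status 0 if at least one keyslot still uses PBKDF2, 1 otherwise.
luks_has_weak_slot() {
    luks_keyslot_report | grep -q ' WEAK$'
}

# Demo on the constructed dumps; replace with `cryptsetup luksDump /dev/sdX`.
printf '%s\n' "$SAMPLE_LUKS2" | luks_keyslot_report
printf '%s\n' "$SAMPLE_LUKS1" | luks_keyslot_report
```

A slot reported as WEAK on a LUKS2 header can be re-keyed in place with `cryptsetup luksConvertKey --pbkdf argon2id --key-slot N <device>` (the passphrase stays the same, only the derivation changes); a LUKS1 container first needs `cryptsetup convert --type luks2 <device>`. Before converting a volume that GRUB has to unlock, check that your bootloader version supports LUKS2 with argon2, and back up the header with `cryptsetup luksHeaderBackup` either way. None of this helps against a weak passphrase, which the article flags as the first thing to review.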


State of DNS Rebinding in 2023

This update documents the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two potential ways to bypass these restrictions.


Bringing IT & OT Security Together: Part 1

Learn about the evolution of converged IT/OT environments and the impact on security control validation in this new blog series.



Online shop system PrestaShop: attackers could manipulate the database

A critical security vulnerability threatens online shops built with PrestaShop. Patched versions are available.


Security updates for Thursday

Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).


Apache Superset: vulnerability CVE-2023-27524 allows remote code execution (RCE)

A short note for anyone running Apache Superset in their environment: in the default configuration the software can be attacked through a remote code execution vulnerability. This becomes a problem when the server is reachable from the Internet.


F5: K000133673 : Bootstrap vulnerability CVE-2016-10735


F5: K000133652 : Python vulnerability CVE-2018-18074


F5: K000133448 : Python urllib3 vulnerability CVE-2019-11324


F5: K000133668 : Python urllib3 vulnerability CVE-2018-20060


IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966)


IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966)


Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.


A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-24966)


IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149)


IBM Integration Designer is vulnerable to a denial of service due to commons-fileupload-1.4.jar (CVE-2023-24998)


Vulnerability in libXpm (CVE-2022-4883, CVE-2022-44617 and CVE-2022-46285) affects Power HMC


Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC


Multiple publicly disclosed Libcurl vulnerabilities affect IBM Safer Payments


IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to [CVE-2022-37601]


Multiple Vulnerabilities in CloudPak for Watson AIOPs


IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol


Multiple vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861).


A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24966)


Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441


IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29017]


IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199]


IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431)