Daily summary - 27.04.2023

End-of-Day report

Timeframe: Wednesday 26-04-2023 18:00 - Thursday 27-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer

News

Google disrupts the CryptBot info-stealing malware operation

Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data.

https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot-info-stealing-malware-operation/


Cisco discloses XSS zero-day flaw in server management tool

Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.

https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day-flaw-in-server-management-tool/


LimeRAT Malware Analysis: Extracting the Config

ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis.

https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html


Healthy security habits to fight credential breaches: Cyberattack Series

This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we'll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks.

https://www.microsoft.com/en-us/security/blog/2023/04/26/healthy-security-habits-to-fight-credential-breaches-cyberattack-series/


Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp.

https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html


RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts

The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system.

https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html


LUKS: Are old encrypted containers insecure? A guide to updating

The French police have allegedly managed to crack a LUKS container. No reason to panic, but a good occasion to review your passwords and LUKS parameters.

https://heise.de/-8981054


State of DNS Rebinding in 2023

This update documents the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two potential ways to bypass these restrictions.

https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/


Bringing IT & OT Security Together: Part 1

Learn about the evolution of converged IT/OT environments and the impact on security control validation in this new blog series.

https://www.safebreach.com/resources/blog/bringing-it-and-ot-security-together-part-1/

Vulnerabilities

Online shop system PrestaShop: attackers could manipulate the database

A critical security vulnerability threatens online shops built with PrestaShop. Patched versions are available.

https://heise.de/-8980645


Security updates for Thursday

Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).

https://lwn.net/Articles/930367/


Apache Superset: vulnerability CVE-2023-27524 enables Remote Code Execution (RCE)

A brief note for users who run Apache Superset in their environment. In its default configuration the software can be attacked through a remote code execution vulnerability. This becomes a problem when the server is reachable from the Internet.

https://www.borncity.com/blog/2023/04/27/apache-superset-schwachstelle-cve-2023-27524-ermglicht-remote-code-execution-rce/


F5: K000133673 : Bootstrap vulnerability CVE-2016-10735

https://my.f5.com/manage/s/article/K000133673


F5: K000133652 : Python vulnerability CVE-2018-18074

https://my.f5.com/manage/s/article/K000133652


F5: K000133448 : Python urllib3 vulnerability CVE-2019-11324

https://my.f5.com/manage/s/article/K000133448


F5: K000133668 : Python urllib3 vulnerability CVE-2018-20060

https://my.f5.com/manage/s/article/K000133668


IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966)

https://www.ibm.com/support/pages/node/6986343


IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966)

https://www.ibm.com/support/pages/node/6986341


Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

https://www.ibm.com/support/pages/node/6986361


A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-24966)

https://www.ibm.com/support/pages/node/6986365


IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149)

https://www.ibm.com/support/pages/node/6985675


IBM Integration Designer is vulnerable to a denial of service due to commons-fileupload-1.4.jar (CVE-2023-24998)

https://www.ibm.com/support/pages/node/6986509


Vulnerability in libXpm (CVE-2022-4883, CVE-2022-44617 and CVE-2022-46285) affects Power HMC

https://www.ibm.com/support/pages/node/6986543


Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC

https://www.ibm.com/support/pages/node/6986547


Multiple publicly disclosed Libcurl vulnerabilities affect IBM Safer Payments

https://www.ibm.com/support/pages/node/6986573


IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to [CVE-2022-37601]

https://www.ibm.com/support/pages/node/6986575


Multiple Vulnerabilities in CloudPak for Watson AIOPs

https://www.ibm.com/support/pages/node/6986577


IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol

https://www.ibm.com/support/pages/node/6986323


Multiple vulnerabilities in Spring Framework affect IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861).

https://www.ibm.com/support/pages/node/6986585


A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24966)

https://www.ibm.com/support/pages/node/6986619


Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441

https://www.ibm.com/support/pages/node/6986617


IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29017]

https://www.ibm.com/support/pages/node/6986625


IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199]

https://www.ibm.com/support/pages/node/6986629


IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431)

https://www.ibm.com/support/pages/node/6986627