Daily summary - 28.04.2023

End-of-Day report

Timeframe: Thursday 27-04-2023 18:00 - Friday 28-04-2023 18:00 Handler: Stephan Richter Co-Handler: n/a

News

CISA warns of critical bugs in Illumina DNA sequencing systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FDA have issued an urgent alert about two vulnerabilities that impact Illumina's Universal Copy Service (UCS), used for DNA sequencing in medical facilities and labs worldwide.

https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-bugs-in-illumina-dna-sequencing-systems/


Quick IOC Scan With Docker, (Fri, Apr 28th)

When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content.

https://isc.sans.edu/diary/rss/29788


WordPress Vulnerability & Patch Roundup April 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

https://blog.sucuri.net/2023/04/wordpress-vulnerability-patch-roundup-april-2023.html


Attention Online Shoppers: Don't Be Fooled by Their Sleek, Modern Looks - It's Magecart!

An ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.

https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html


New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets

Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and [...]

https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.html


Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707)

While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI.

https://starlabs.sg/blog/2023/04-microsoft-exchange-powershell-remoting-deserialization-leading-to-rce-cve-2023-21707/


Many Public Salesforce Sites are Leaking Private Data

A shocking number of organizations -- including banks and healthcare providers -- are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.

https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leaking-private-data/


Rapture, a Ransomware Family With Similarities to Paradise

In March and April 2023, we observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. Our findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.

https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html

Vulnerabilities

Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability

A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U


Grafana: Update closes high-risk vulnerability in data visualization tool

Grafana has released updates for numerous version branches. Among other things, they close a denial-of-service vulnerability that is rated as high risk.

https://heise.de/-8981605


Long Term Support Channel Update for ChromeOS

LTS-108 is being updated in the LTS channel to 108.0.5359.230 (Platform Version: 15183.93.0) for most ChromeOS devices. [...] This update contains multiple Security fixes [...]

https://chromereleases.googleblog.com/2023/04/long-term-support-channel-update-for_27.html


Security updates for Friday

Security updates have been issued by Fedora (git, libpcap, php-laminas-diactoros2, php-nyholm-psr7, tcpdump, and xen), Oracle (cloud-init), Scientific Linux (kernel), SUSE (conmon, docker, glib2, glibc, libmicrohttpd, libX11, liferea, python3, qemu, rubygem-actionview-5_1, s390-tools, stellarium, vim, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 and openssl-ibmca).

https://lwn.net/Articles/930462/


Use of Telnet in the interface module SLC-0-GPNT00300

BOSCH-SA-387640: The SLC-0-GPNT00300 from Bosch Rexroth contains technology from SICK AG. The manufacturer has published a security bulletin [1] regarding the availability of a Telnet interface for debugging. The SLC-0-GPNT00300 provides a Telnet interface for debugging, which is enabled by factory default. No password is set in the default configuration. If the password is not set by the customer, a remote unauthorized adversary could connect via Telnet.

https://psirt.bosch.com/security-advisories/bosch-sa-387640.html


SonicOS SSLVPN: Vulnerability CVE-2023-1101 in MFA - new firmware for Gen6 firewalls (6.5.4.12-101n)

A small reminder for administrators who use SonicWall products. SonicOS SSLVPN has a critical vulnerability that allows an authenticated attacker to use excessive MFA codes. The vulnerability CVE-2023-1101 has been [...] by SonicWall

https://www.borncity.com/blog/2023/04/27/sonicos-sslvpn-schwachstelle-cve-2023-1101-bei-mfa-neue-firmware-fr-gen6-firewalls-6-5-4-12-101n/


Illumina Universal Copy Service

[...] Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; [...]

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/