End-of-Day report
Timeframe: Friday 05-05-2023 18:00 - Monday 08-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Meet Akira - A new ransomware operation targeting the enterprise
The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.
https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/
Data leak: MSI firmware and Boot Guard keys published
After a hack, a ransomware group has published a large amount of internal MSI data, including private signing keys.
https://www.golem.de/news/datenleck-firmware-und-bootguard-schluessel-von-msi-veroeffentlicht-2305-173996.html
New Cactus ransomware encrypts itself to evade antivirus
While the new threat actor adopted the usual tactics seen in ransomware attacks - file encryption and data theft - it added its own touch to avoid detection. [..] Researchers at Kroll corporate investigation and risk consulting firm believe that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encrypts-itself-to-evade-antivirus/
Breaking down Reverse shell commands
In pentesting assessments and CTFs we always need reverse shells to execute commands on the target machine once we have exploited a system and have a command injection at some point in our engagement. For that we have an awesome project: revshells.com or reverse-shell-generator, where a ton of reverse shell payloads are listed. This blog post tries to explain how they work.
https://adityatelange.in/blog/revshells/
Quickly Finding Encoded Payloads in Office Documents
Malicious documents like this RevengeRAT ppam file found on MalwareBazaar contain VBA code that you can analyze with oledump.py. Some shortcuts can be used [..] But there is a quicker method: let zipdump.py produce JSON output that contains the decompressed content of each file, and then let base64dump.py consume this JSON output.
https://isc.sans.edu/diary/rss/29818
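A stripped-down version of that pipeline, as an added example and not the ISC tools themselves: walk the members of an OOXML container (ppam, pptm, docm and friends are zip files), decompress each one, pick out long base64 runs and decode them. The sample document built here is constructed for the example; the member layout, the Auto_Open stub and the "payload" are invented stand-ins, not real malware. One caveat: VBA module source inside vbaProject.bin is stored MS-OVBA-compressed, so a string living in a module stream needs oledump.py -v first; the scan below finds base64 text that is visible after zip decompression.

```python
import base64
import binascii
import io
import re
import zipfile

# Added example, not the ISC tooling: emulate "zipdump.py --jsonoutput | base64dump.py".
# Every zip member is decompressed and scanned for base64 runs that decode cleanly.

def base64_pattern(min_len: int) -> re.Pattern:
    # base64 alphabet with optional padding; the run must be at least min_len chars
    return re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)

def find_base64_payloads(container: bytes, min_len: int = 40):
    """Return a list of (member_name, offset, decoded_bytes) for plausible base64 runs."""
    pattern = base64_pattern(min_len)
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            data = zf.read(info)  # decompressed member content
            for m in pattern.finditer(data):
                run = m.group(0)
                if len(run) % 4:  # not a whole number of base64 quanta
                    continue
                try:
                    decoded = base64.b64decode(run, validate=True)
                except binascii.Error:
                    continue
                hits.append((info.filename, m.start(), decoded))
    return hits

def looks_like_pe(blob: bytes) -> bool:
    """Quick triage: a decoded blob starting with 'MZ' carries a DOS/PE header."""
    return blob[:2] == b"MZ"

# --- constructed sample (not a real malicious document) ---------------------
FAKE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for a dropped executable"

def build_sample_ppam() -> bytes:
    """Build a minimal zip that mimics a ppam with a base64 blob in one member."""
    b64 = base64.b64encode(FAKE_PAYLOAD).decode()
    vba_text = (
        "Sub Auto_Open()\n"
        '    payload = "' + b64 + '"\n'
        "    Call Drop(payload)\n"
        "End Sub\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<Types><Default Extension="bin"/></Types>')
        # plaintext stand-in for the VBA container; a real one is an OLE file
        zf.writestr("ppt/vbaProject.bin", vba_text)
    return buf.getvalue()

if __name__ == "__main__":
    for member, offset, decoded in find_base64_payloads(build_sample_ppam()):
        print(f"{member} @ {offset}: {len(decoded)} bytes, PE header: {looks_like_pe(decoded)}")
```

Raising min_len is the usual way to cut noise from XML identifiers; decoded hits that start with MZ, or that decode to printable script text, are the ones worth carving out for a second pass.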
Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot
Dependabot is one of the most widely deployed tools to improve software supply chain security. But like all other software, it is not immune to security vulnerabilities. By using it, users take on the risk that any vulnerabilities in Dependabot itself may lead to the compromise of the very supply chain they are trying to secure. This article is about a vulnerability in Dependabot that allowed an arbitrary user to gain access to a subset of GitHub repositories that have Dependabot enabled.
https://giraffesecurity.dev/posts/dependabot-confusion/
Microsoft web browser: Edge 113 closes security holes
Microsoft has released version 113 of its Edge web browser. The developers improved some functions and fixed vulnerabilities.
https://heise.de/-8990437
Warning! These cosmetics are harmful to health!
The Austrian Agency for Health and Food Safety (AGES) and the Federal Office for Consumer Health (BAVG) are currently warning about cosmetic products that contain banned, health-damaging fragrances. The products are sold mainly online. We show you which products you should keep your hands off.
https://www.watchlist-internet.at/news/achtung-diese-kosmetika-sind-gesundheitsschaedigend/
Webinar: Buying and selling safely on Willhaben, Shpock & Co.
What do I need to keep in mind when buying or selling something as a private individual on classified-ad platforms such as Willhaben, Shpock, Vinted & Co.? Our legal expert from the Internet Ombudsstelle gives tips for handling such online transactions safely. Take part free of charge: Tuesday 16 May 2023, 18:30 - 20:00 via Zoom
https://www.watchlist-internet.at/news/webinar-sicher-verkaufen-ueber-willhaben-shpock-co/
PRFs, PRPs and other fantastic things
A few weeks ago I ran into a conversation on Twitter about the weaknesses of applied cryptography textbooks, and how they tend to spend way too much time lecturing people about Feistel networks and the boring details of AES. Some of the folks in this conversation suggested that instead of these things, we should be into more fundamental topics like "what is a pseudorandom function."
https://blog.cryptographyengineering.com/2023/05/08/prfs-prps-and-other-fantastic-things/
WordPress plugin vulnerability puts two million websites at risk
Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.
https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-websites-at-risk/
Cisco SPA112 2-port phone adapter insecure, the only option left is to dispose of it
US vendor Cisco warns in an advisory of a critical vulnerability in one of its phone adapters. The vulnerability allows an attacker to take control of the device. Unfortunately, affected users have no option left but to dispose of this phone adapter [...]
https://www.borncity.com/blog/2023/05/06/cisco-spa112-2-port-telefonadapter-unsicher-es-bleibt-nur-noch-entsorgen/
Vulnerabilities
ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000
Vendor: ads-tec Industrial IT GmbH
Product name: IRF1000, IRF2000, IRF3000
CVE Numbers: CVE-2014-3669, CVE-2014-8142, CVE-2014-9425, CVE-2015-0231, CVE-2015-2348, CVE-2015-2787, CVE-2015-3414, CVE-2015-3415, CVE-2015-4602, CVE-2015-6835, CVE-2015-8876, CVE-2016-10161, CVE-2016-7124, CVE-2016-7411, CVE-2016-9138, CVE-2017-11142, CVE-2017-12933, CVE-2017-8923
CVSS Score: up to 9.8
https://cert.vde.com/de/advisories/VDE-2023-009/
Security updates for Monday
Security updates have been issued by Fedora (rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Mageia (avahi, git, imagemagick, libfastjson, libxml2, parcellite, and virtualbox), SUSE (containerd, dnsmasq, ffmpeg, git, indent, installation-images, java-17-openjdk, maven and recommended update for antlr3, minlog, sbt, xmvn, ncurses, netty, netty-tcnative, openssl-1_0_0, python-Django1, redis, shim, terraform-provider-helm, and zstd), and Ubuntu (erlang, mysql-5.7, mysql-8.0, ruby2.3, ruby2.5, ruby2.7, and webkit2gtk).
https://lwn.net/Articles/931259/
3 vulnerabilities discovered in MS Azure API Management
Security researchers at the Israeli security vendor Ermetic have discovered three vulnerabilities in Microsoft's Azure API Management. Two SSRF (Server-Side Request Forgery) vulnerabilities and an unrestricted file upload issue create risks for the Microsoft cloud environment. The vulnerabilities can be abused by malicious actors [...]
https://www.borncity.com/blog/2023/05/06/3-schwachstellen-in-ms-azure-api-management-entdeckt/
Multiple vulnerabilities in IBM Java SDK (January 2023) affect IBM InfoSphere Information Server
https://www.ibm.com/support/pages/node/6988347
Security Vulnerabilities in IBM WebSphere Liberty and xml2js affect IBM Voice Gateway
https://www.ibm.com/support/pages/node/6988603
Vulnerability in Jettison affects IBM Process Mining (CVE-2023-1436)
https://www.ibm.com/support/pages/node/6988673
Vulnerabilities have been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24966, CVE-2022-39161)
https://www.ibm.com/support/pages/node/6988885
Atlas eDiscovery Process Management is affected by a vulnerable dom4j-1.6.1.jar
https://www.ibm.com/support/pages/node/6988889
Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar
https://www.ibm.com/support/pages/node/6988899
Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar
https://www.ibm.com/support/pages/node/6988895
Atlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar
https://www.ibm.com/support/pages/node/6988893
Atlas eDiscovery Process Management is affected by a vulnerable xmlbeans-2.3.0.jar
https://www.ibm.com/support/pages/node/6988897
Vulnerability in paramiko affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-24302]
https://www.ibm.com/support/pages/node/6988909