End-of-Day report
Timeframe: Wednesday 10-05-2023 18:00 - Thursday 11-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Interview: Hacker Witold Waligóra on side-channel attacks
We asked hacker Witold Waligóra what can be achieved with side-channel attacks and how to protect against them.
https://heise.de/-8983428
Smishing: Beware of fraudulent passport SMS!
Did you receive an SMS claiming that your passport is ready? Do not click on the link "oesterreich.at-anmelden.net"; it is a fraud attempt!
https://www.watchlist-internet.at/news/smishing-vorsicht-vor-betruegerischen-sms/
Fake in-browser Windows updates push Aurora info-stealer malware
A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information stealing malware.
https://www.bleepingcomputer.com/news/security/fake-in-browser-windows-updates-push-aurora-info-stealer-malware/
RapperBot DDoS malware adds cryptojacking as new revenue stream
New samples of the RapperBot botnet malware have added cryptojacking capabilities to mine for cryptocurrency on compromised Intel x64 machines.
https://www.bleepingcomputer.com/news/security/rapperbot-ddos-malware-adds-cryptojacking-as-new-revenue-stream/
Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs
Two years ago, a popular ransomware-as-a-service group's source code was leaked. Now other ransomware groups are using it for their own purposes.
https://www.darkreading.com/cloud/multiple-ransomware-groups-adapt-babuk-code-to-target-esxi-vms
New ransomware trends in 2023
On the eve of the global Anti-Ransomware Day, Kaspersky researchers share an overview of the key trends observed among ransomware groups.
https://securelist.com/new-ransomware-trends-in-2023/109660/
Analysis of CLR SqlShell Used to Attack MS-SQL Servers
This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
https://asec.ahnlab.com/en/52479/
Vulnerabilities
Experts share details of five flaws that can be chained to hack Netgear RAX30 Routers
Researchers disclosed the details of five vulnerabilities that can be chained to take over some Netgear router models.
https://securityaffairs.com/146111/hacking/netgear-router-exploit-2.html
Zyxel Chained Remote Code Execution
This module exploits multiple vulnerabilities in the `zhttpd` binary (/bin/zhttpd) and `zcmd` binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary that allows an unauthenticated attacker to read the entire configuration of the router [..]
https://cxsecurity.com/issue/WLB-2023050030
Multiple vulnerabilities in Danfoss EM100
Multiple injection-related vulnerabilities exist in a set of Danfoss products, among which the EM100. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised to phase out the EM100, as its vendor Danfoss confirms the EM100 to be End of Life and that it will not be releasing a patch for this product. [..] If this is not possible, ensure it is not connected to the public Internet.
https://csirt.divd.nl/cases/DIVD-2023-00021/
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023)
Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Review those vulnerabilities in this report now to ensure your site is not affected.
https://www.wordfence.com/blog/2023/05/wordfence-intelligence-weekly-wordpress-vulnerability-report-may-1-2023-to-may-7-2023/
CISA Releases Fifteen Industrial Control Systems Advisories
* ICSA-23-131-01 Siemens Solid Edge
* ICSA-23-131-02 Siemens SCALANCE W1750D
* ICSA-23-131-03 Siemens Siveillance
* ICSA-23-131-04 Siemens SIMATIC Cloud Connect 7
* ICSA-23-131-05 Siemens SINEC NMS Third-Party
* ICSA-23-131-06 Siemens SCALANCE LPE9403
* ICSA-23-131-07 Sierra Wireless AirVantage
* ICSA-23-131-08 Teltonika Remote Management System and RUT Model Routers
* ICSA-23-131-09 Rockwell Automation Kinetix 5500 EtherNetIP Servo Drive
* ICSA-23-131-10 Rockwell Automation Arena Simulation Software
* ICSA-23-131-11 BirdDog Cameras & Encoders
* ICSA-23-131-12 SDG PnPSCADA
* ICSA-23-131-13 PTC Vuforia Studio
* ICSA-23-131-14 Rockwell PanelView 800
* ICSA-23-131-15 Rockwell ThinManager
https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-releases-fifteen-industrial-control-systems-advisories
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and nvidia-graphics-drivers-legacy-390xx), Fedora (firefox, java-11-openjdk, LibRaw, moodle, python-django3, and vtk), Slackware (mozilla), SUSE (buildah, cloud-init, container-suseconnect, firefox, golang-github-prometheus-prometheus, kernel, and ntp), and Ubuntu (heat, linux-azure-fde-5.15, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-raspi, linux-raspi-5.4, linux-raspi2, neutron, openvswitch, and sqlparse).
https://lwn.net/Articles/931638/
ThinkPad Dock Firmware Update Tool Elevation of Privilege Vulnerability
http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-ELEVATION-OF-PRIVILEGE-VULNERABILITY
CVE-2023-0008 PAN-OS: Local File Disclosure Vulnerability in the PAN-OS Web Interface (Severity: MEDIUM)
https://security.paloaltonetworks.com/CVE-2023-0008
CVE-2023-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (Severity: MEDIUM)
https://security.paloaltonetworks.com/CVE-2023-0007
Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-43930, CVE-2014-3577, CVE-2022-43927, CVE-2022-43929)
https://www.ibm.com/support/pages/node/6989465
IBM Content Manager Enterprise Edition is affected by a vulnerability in Eclipse Openj9
https://www.ibm.com/support/pages/node/6987029
Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson
https://www.ibm.com/support/pages/node/6856659
Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson
https://www.ibm.com/support/pages/node/6856661
Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson
https://www.ibm.com/support/pages/node/6856663
A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - IBM® Java SDK (CVE-2023-30441)
https://www.ibm.com/support/pages/node/6989589
A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24966)
https://www.ibm.com/support/pages/node/6989591
A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2022-39161)
https://www.ibm.com/support/pages/node/6989593
Vega Vulnerabilities affect IBM Decision Optimization in IBM Cloud Pak for Data (CVE-2023-26486, CVE-2023-26487)
https://www.ibm.com/support/pages/node/6989625
IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554)
https://www.ibm.com/support/pages/node/6989451
Multiple Security Vulnerabilities have been fixed in IBM Security Verify Access
https://www.ibm.com/support/pages/node/6989653
A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-27554)
https://www.ibm.com/support/pages/node/6989657