Daily summary - 16.05.2023

End-of-Day report

Timeframe: Monday 15-05-2023 18:00 - Tuesday 16-05-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

VirusTotal AI code analysis expands Windows, Linux script support

Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.

https://www.bleepingcomputer.com/news/security/virustotal-ai-code-analysis-expands-windows-linux-script-support/


Open-source Cobalt Strike port Geacon used in macOS attacks

Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices.

https://www.bleepingcomputer.com/news/security/open-source-cobalt-strike-port-geacon-used-in-macos-attacks/


Signals Defense With Faraday Bags & Flipper Zero, (Tue, May 16th)

There are situations where it is desired to block signals between devices. Common scenarios are when traveling, in a location of uncertain safety, or otherwise concerned with data privacy and geolocation. I was curious how well Faraday bags and similar products protected wireless communications.

https://isc.sans.edu/diary/rss/29840


Triple Threat: Breaking Teltonika Routers Three Ways

Comprehensive research was conducted on Teltonika Networks' IIoT products, with a focus on industrial cellular devices widely used in various industries, specifically the Teltonika Remote Management System and RUT model routers.

https://claroty.com/team82/research/triple-threat-breaking-teltonika-routers-three-ways


You've been kept in the dark (web): exposing Qilin's RaaS program

All you need to know about Qilin ransomware and its operations targeting critical sectors.

https://www.group-ib.com/blog/qilin-ransomware/


Side-channel attack on Cortex-M: access to sensitive information

At Black Hat Asia, IT researchers presented side-channel attacks on ARM Cortex-M microprocessors. They allow access to sensitive information.

https://heise.de/-9057108


It's always DNS, here's why…

There's an old adage in network and Internet support: When something breaks in any network, "it was DNS". Sadly it's usually true.

https://www.pentestpartners.com/security-blog/its-always-dns-heres-why/


Beware of calls from "austriamegachance.com"

Your phone rings. Austria Mega Chance is calling, a lottery-tip service. You are promised high chances of winning the lottery and offered a service for syndicate bets. The pushy caller coaxes your bank account details out of you. Some time later, almost 70 euros per month are debited from your account, without any written information and without you having signed a contract. We show you what you can do!

https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-von-austriamegachancecom/


Microsoft SharePoint scans password-protected ZIP archives

It appears that Microsoft also scans ZIP archives in its cloud storage for malicious content (and possibly other content), including archives that the user has protected with a password against inspection.

https://www.borncity.com/blog/2023/05/16/microsoft-sharepoint-scannt-password-geschtzte-zip-archive/


The Dragon Who Sold His Camaro: Analyzing Custom Router Implant

Through our investigation, we have gained a deeper comprehension of the ways in which attackers are employing malware to target edge devices, particularly routers. Our efforts have led us to uncover several of the tactics and tools utilized by Camaro Dragon in their attacks.

https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/


8220 Gang Evolves With New Strategies

We observed the threat actor group known as "8220 Gang" employing new strategies for their respective campaigns, including exploits for the Linux utility "lwp-download" and CVE-2017-3506, an Oracle WebLogic vulnerability.

https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html


How to Write a PoC for an Uninitialized Smart Contract Vulnerability in BadgerDAO Using Foundry

In this post, we're going to learn how Foundry can be used to write a proof of concept (PoC) for uninitialized smart contract vulnerabilities.

https://www.cyberark.com/resources/threat-research-blog/how-to-write-a-poc-for-an-uninitialized-smart-contract-vulnerability-in-badgerdao-using-foundry

Vulnerabilities

IBM Security Bulletins

IBM Cloud Pak for Network Automation, IBM Control Desk, IBM Maximo, IBM Edge Application Manager, IBM Cloud Automation Manager, Tivoli Monitoring, IBM Business Monitor, IBM Business Automation Workflow Enterprise Service Bus, WebSphere Application Server, Tivoli Application Dependency Discovery Manager, IBM Operations Analytics - Predictive Insights, IBM Security Verify Information Queue.

https://www.ibm.com/support/pages/bulletin/


CISA Releases Three Industrial Control Systems Advisories

* ICSA-23-136-02 Rockwell ArmorStart
* ICSA-23-136-03 Rockwell Automation FactoryTalk Vantagepoint
* ICSA-23-136-01 Snap One OvrC Cloud

https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-releases-three-industrial-control-systems-advisories


JavaScript sandbox vm2: PoC shows new sandbox escape

Attackers can abuse a critical vulnerability in the JavaScript sandbox vm2 to escape it. Updated software that closes the vulnerabilities is available.

https://heise.de/-9056842


Security updates for Tuesday

Security updates have been issued by Debian (epiphany-browser, python-ipaddress, and sqlparse), Fedora (python-django3 and qemu), Red Hat (apr-util, autotrace, bind, bind9.16, container-tools:4.0, container-tools:rhel8, ctags, curl, device-mapper-multipath, dhcp, edk2, emacs, freeradius:3.0, freerdp, frr, gcc-toolset-12-binutils, git, git-lfs, go-toolset:rhel8, grafana, grafana-pcp, gssntlmssp, Image Builder, kernel, kernel-rt, libarchive, libreswan, libtar, libtiff, mingw-expat, mysql:8.0, net-snmp, pcs, php:7.4, poppler, postgresql-jdbc, python-mako, python27:2.7, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, samba, sysstat, tigervnc, unbound, virt:rhel and virt-devel:rhel, wayland, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (dmidecode, postgresql13, prometheus-sap_host_exporter, python-cryptography, rekor, and thunderbird), and Ubuntu (firefox, matrix-synapse, and mysql-8.0).

https://lwn.net/Articles/932033/


D-Link DIR-2150 Firmware Release Notes v1.06

https://support.dlink.com.au/Download/download.aspx?product=DIR-2150


XSA-431

https://xenbits.xen.org/xsa/advisory-431.html


Numerous vulnerabilities in Serenity and StartSharp software

https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachstellen-in-serenity-and-startsharp-software/