Daily summary - 17.05.2023

End-of-Day report

Timeframe: Tuesday 16-05-2023 18:00 - Wednesday 17-05-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Hackers use Azure Serial Console for stealthy access to VMs

A financially motivated cybergang tracked by Mandiant as UNC3944 is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.

https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-console-for-stealthy-access-to-vms/


Phishing: Dispute over Google TLDs .zip and .mov

IT and security experts are arguing about the usefulness and risks of new gTLDs. The problems themselves, however, are not new.

https://www.golem.de/news/phishing-streit-um-google-tlds-zip-und-mov-2305-174242.html


Minas - on the way to complexity

Kaspersky analysis of a complicated multi-stage attack dubbed Minas that features a number of detection evasion and persistence techniques and results in a cryptocurrency miner infection.

https://securelist.com/minas-miner-on-the-way-to-complexity/109692/


Wemo Won't Fix Smart Plug Vulnerability Allowing Remote Operation

IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit -- a limit enforced solely by Wemo's own apps -- with third-party tools.

https://it.slashdot.org/story/23/05/17/141200/wemo-wont-fix-smart-plug-vulnerability-allowing-remote-operation


Respawning Malware Persists on PyPI

A bad actor on GitHub laces his repositories with malware written in Python and hosted on PyPI. Minutes after his malware is taken down from PyPI, the same malware respawns on PyPI under a slightly different name. He then immediately updates all of his repositories to point to this new package. Most of his GitHub projects are bots or some variety of a stealer.

https://blog.phylum.io/respawning-malware-persists-on-pypi/


New scam website in circulation: finanavas.com

Investment fraudsters are using a new website to try to take people's money. They use Telegram to wrap "investors" around their finger.

https://heise.de/-9058909


Subscription trap instead of information on phone numbers at reversera.com/de

In a time of constant fraudulent calls and "cold calls", a service that provides information about phone numbers and their owners is extremely useful. Reversera.com/de of -L***-L-- L-D supposedly offers exactly that. In fact, in our test it presented us with a result for made-up numbers. To view it, we would have had to pay 50 cents by credit card, but the payment leads into a subscription trap!

https://www.watchlist-internet.at/news/abo-falle-statt-informationen-zu-telefonnummern-auf-reverseracom-de/


How to encrypt your email (and why you should)

If you send emails with sensitive or private info inside, you should consider email encryption. Here's what to know.

https://www.zdnet.com/article/how-to-encrypt-your-email-and-why-you-should/


WordPress 6.2.1 released

On 16 May 2023 the developers released WordPress version 6.2.1. It is a maintenance and security update that fixes 30 bugs. Details can be found in the release notes.

https://www.borncity.com/blog/2023/05/16/wordpress-6-2-1-freigegeben/


SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack

In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant's investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote management software within client environments. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Unfortunately, cloud resources are often poorly understood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud.

https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial


CISA and Partners Release BianLian Ransomware Cybersecurity Advisory

CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory. To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory.

https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-and-partners-release-bianlian-ransomware-cybersecurity-advisory

Vulnerabilities

Web browser: Critical security vulnerability in Google Chrome

Google has released an update for the Chrome web browser. It closes at least one critical security vulnerability. Attackers could inject malicious code.

https://heise.de/-9057932


Security updates for Wednesday

Security updates have been issued by Debian (netatalk), Mageia (connman, firefox/nss/rootcerts, freeimage, golang, indent, kernel, python-django, python-pillow, and thunderbird), Red Hat (apr-util, firefox, java-1.8.0-ibm, libreswan, and thunderbird), SUSE (conmon, curl, java-11-openjdk, and libheif), and Ubuntu (libwebp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux, linux-aws, linux-aws-hwe, linux-kvm, linux, linux-aws, linux-azure, linux-azure-5.19, linux-kvm, linux-lowlatency, linux-raspi, node-eventsource, and openjdk-8, openjdk-lts, openjdk-17, openjdk-20).

https://lwn.net/Articles/932130/


Vulnerability Summary for the Week of May 8, 2023

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

https://www.cisa.gov/news-events/bulletins/sb23-135


Path Traversal in IP-Symcon (SYSS-2023-014)

The web interface of IP-Symcon allows a path traversal, through which access to system files outside the web root can be gained.

https://www.syss.de/pentest-blog/path-traversal-in-ip-symcon-syss-2023-014


Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers

http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-7015cbae-en


Stored XSS vulnerability in the rename functionality of Wekan (open-source Kanban)

https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-schwachstelle-in-der-umbenennen-funktionalitaet/


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/