End-of-Day report
Timeframe: Wednesday 17-05-2023 18:00 - Friday 19-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Attacks could be imminent: Critical root vulnerabilities threaten Cisco switches
Cisco has closed, among other things, several critical security vulnerabilities in various small-business switches. But not all models receive updates.
https://heise.de/-9059775
KeePass password manager: Security researcher reads out master password
A security researcher has managed to read out KeePass master passwords. However, such attacks are elaborate.
https://heise.de/-9059945
Zero-days and more: A look at Apple's latest security patches
iOS 16.5, macOS 13.4 and the other updates also patch security bugs, as usual. Among them are bugs that are already being exploited.
https://heise.de/-9059799
Malware infected almost 10 million Android phones
Numerous smartphones were shipped with pre-installed malicious software.
https://futurezone.at/produkte/android-schadsoftware-infiziert-10-millionen-handys-geraete/402455433
MalasLocker ransomware targets Zimbra servers, demands charity donation
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.
https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targets-zimbra-servers-demands-charity-donation/
Hackers target vulnerable Wordpress Elementor plugin after PoC released
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month.
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-wordpress-elementor-plugin-after-poc-released/
Playing for the Wrong Team: Dangerous Functionalities in Microsoft Teams Enable Phishing and Malware Delivery by Attackers
Microsoft is a major productivity partner for many organizations and enterprises. These organizations widely trust Microsoft Office's suite of products as a reliable foundation for their daily cloud ecosystem needs. However, as Proofpoint has shown in the past, this migration to the cloud also introduces new kinds of threats.
https://www.proofpoint.com/us/blog/threat-insight/dangerous-functionalities-in-microsoft-teams-enable-phishing
RATs found hiding in the npm attic
ReversingLabs researchers discovered two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
The Paillier Cryptosystem with Applications to Threshold ECDSA
You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it's used in complex protocols, and how to implement it securely.
https://research.nccgroup.com/2023/05/19/the-paillier-cryptosystem-with-applications-to-threshold-ecdsa/
All your building are belong to us
TL;DR: Building Management Systems (BMS) bring new risks to businesses that haven't had previous experience of securing Operational Technology (OT). While there might not be direct financial gain from hacking BMS, these systems can be a soft target for attackers to pivot into your business operations. IoT offerings in this space can help manage risk within your networks, but can also provide unintended access to sensitive information.
https://www.pentestpartners.com/security-blog/all-your-building-are-belong-to-us/
CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver
This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest, he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS to execute code on the underlying hypervisor.
https://www.thezdi.com/blog/2023/5/17/cve-2023-2086920870-exploiting-vmware-workstation-at-pwn2own-vancouver
VSCode Security: Malicious Extensions Detected - More Than 45,000 Downloads - PII Exposed, and Backdoors Enabled
Highlights:
* CloudGuard Spectral detected malicious extensions on the VSCode marketplace.
* Users installing these extensions were enabling attackers to steal PII records and to set up a remote shell to their machines.
* Once detected, we've alerted VSCode on these extensions. Soon after notification, they were removed by the VSCode marketplace team.
VSCode (short for Visual Studio Code) is a popular and free source code editor developed by Microsoft.
https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/
Visualizing QakBot Infrastructure
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
Vulnerabilities
File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox. This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability [...]
https://www.drupal.org/sa-contrib-2023-015
SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex Central
Trend Micro has released a new build for Trend Micro Apex Central that resolves several known vulnerabilities.
https://success.trendmicro.com/dcx/s/solution/000293107?language=en_US
SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex One
Trend Micro has released a new Critical Patch (CP) for Trend Micro Apex One and Trend Micro Apex One as a Service that resolves several known vulnerabilities.
https://success.trendmicro.com/dcx/s/solution/000293108?language=en_US
Cisco Security Advisories 2023-05-17
Cisco has published 9 security advisories: (1x Critical, 8x Medium)
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2023%2F05%2F17&firstPublishedEndDate=2023%2F05%2F17
CISA Releases Five Industrial Control Systems Advisories
* ICSA-23-138-04 Johnson Controls OpenBlue Enterprise Manager Data Collector
* ICSA-23-138-03 Hitachi Energy's MicroSCADA Pro/X SYS600 Products
* ICSA-23-138-02 Mitsubishi Electric MELSEC WS Series
* ICSA-23-138-01 Carlo Gavazzi Powersoft
* ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics (Update B)
https://www.cisa.gov/news-events/alerts/2023/05/18/cisa-releases-five-industrial-control-systems-advisories
Security updates for Thursday
Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Fedora (clevis-pin-tpm2, greetd, keyring-ima-signer, libkrun, mirrorlist-server, nispor, nmstate, qt5-qtbase, rust-afterburn, rust-below, rust-bodhi-cli, rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Oracle (apr-util, curl, emacs, firefox, kernel, libreswan, mysql, nodejs and nodejs-nodemon, openssh, thunderbird, and webkit2gtk3), Red Hat (apr-util, emacs, firefox, git, jenkins and jenkins-2-plugins, kernel, kpatch-patch, and thunderbird), Scientific Linux (apr-util, firefox, and thunderbird), Slackware (curl), SUSE (cups-filters, curl, java-1_8_0-openjdk, kernel, mysql-connector-java, and ovmf), and Ubuntu (cups-filters, git, linux-gcp-4.15, linux-oracle, linux-raspi, node-minimatch, ruby2.3, ruby2.5, ruby2.7, and runc).
https://lwn.net/Articles/932371/
Security updates for Friday
Security updates have been issued by Fedora (cups-filters, kitty, mingw-LibRaw, nispor, rust-ybaas, and rust-yubibomb), Mageia (kernel-linus), Red Hat (jenkins and jenkins-2-plugins), SUSE (openvswitch and ucode-intel), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-oracle-5.15, linux-ibm, linux-oracle, and linux-oem-6.0).
https://lwn.net/Articles/932464/
Path Traversal in SymBox, SymOS (SYSS-2023-014)
The web interface of SymBox, SymOS allows a path traversal, through which access to system files outside the web root can be obtained.
https://www.syss.de/pentest-blog/path-traversal-in-symbox-symos-syss-2023-014
Spring Boot available now, fixing CVE-2023-20883
https://spring.io/security/cve-2023-20883
Mattermost security updates 7.10.1 / 7.9.4 / 7.8.5 (ESR) released
https://mattermost.com/blog/mattermost-security-updates-7-10-1-7-9-4-7-8-5-esr-released/
CPE2023-002 Vulnerabilities of IJ Network Tool regarding Wi-Fi connection setup - 18 May 2023
https://www.canon-europe.com/support/product-security-latest-news/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/