End-of-Day report
Timeframe: Monday 22-05-2023 18:00 - Tuesday 23-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Malicious Windows kernel drivers used in BlackCat ransomware attacks
The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.
https://www.bleepingcomputer.com/news/security/malicious-windows-kernel-drivers-used-in-blackcat-ransomware-attacks/
Security vulnerability in Samsung smartphones is under attack
A security vulnerability in Samsung smartphones, which the company closes with the May updates, is being abused by attackers. Some details are unclear.
https://heise.de/-9062566
BrutePrint: Attack cracks fingerprint-sensor protection
IT security researchers have presented an attack called BrutePrint against the access protection of smartphones with fingerprint sensors.
https://heise.de/-9062997
OffensiveCon 2023 - Exploit Engineering - Attacking the Linux Kernel
Cedric Halbronn and Alex Plaskett presented at OffensiveCon on the 19th of May 2023 on Exploit Engineering - Attacking the Linux kernel.
https://research.nccgroup.com/2023/05/23/offensivecon-2023-exploit-engineering-attacking-the-linux-kernel/
Willhaben: Recognizing PayLivery fraud
Fraudulent buyers imitate Willhaben's PayLivery service and pretend that they have already paid. They lure you to a fake payment platform where you are required to enter your credit card details to request the payment. You are then asked to confirm the incoming payment in your banking app. In reality, however, you are authorizing an outgoing payment and lose your money.
https://www.watchlist-internet.at/news/willhaben-betrug-mit-paylivery-erkennen/
Android app breaking bad: From legitimate screen recording to file exfiltration within a year
ESET researchers discover AhRat - a new Android RAT based on AhMyth - that exfiltrates files and records audio
https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/
Hackers use Dropbox for fraudulent e-mails
Because of the connection to Dropbox, the messages appear harmless. Security solutions may also not flag the URLs pointing to Dropbox. Users, meanwhile, run the risk of handing their login credentials to hackers.
https://www.zdnet.de/88409355/hacker-nutzen-dropbox-fuer-betruegerische-e-mails/
DarkCloud Infostealer Being Distributed via Spam Emails
AhnLab Security Emergency response Center (ASEC) has recently discovered the DarkCloud malware being distributed via spam email. DarkCloud is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
https://asec.ahnlab.com/en/53128/
Lazarus Group Targeting Windows IIS Web Servers
AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers.
https://asec.ahnlab.com/en/53132/
Info Stealer Abusing Codespaces Puts Discord Users at Risk
In this entry, we detail our research findings on how an info stealer is able to achieve persistence on a victim's machine by modifying the victim's Discord client.
https://www.trendmicro.com/en_us/research/23/e/info-stealer-abusing-codespaces-puts-discord-users--data-at-risk.html
Vulnerabilities
WordPress 6.2.2: Bug triggered by security patch ironed out
The WordPress developers have corrected a security update. The current version is available for download now.
https://heise.de/-9062515
Security updates for Tuesday
Security updates have been issued by Debian (node-nth-check), Mageia (mariadb and python-reportlab), Slackware (c-ares), SUSE (geoipupdate and qt6-svg), and Ubuntu (linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-bluefield, linux-gcp, linux-hwe, linux-raspi2, linux-snapdragon, and linux-gcp, linux-hwe-5.19).
https://lwn.net/Articles/932693/
CISA Releases Four Industrial Control Systems Advisories
CISA released four Industrial Control Systems (ICS) advisories on May 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
* ICSA-23-143-01 Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x Products
* ICSA-23-143-02 Hitachi Energy RTU500
* ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module
* ICSA-23-143-04 Horner Automation Cscape
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-releases-four-industrial-control-systems-advisories
This Power System update is being released to address CVE-2023-30440
https://www.ibm.com/support/pages/node/6997133
IBM® MobileFirst Platform is vulnerable to CVE-2023-24998
https://www.ibm.com/support/pages/node/6997293
Vulnerabilities in Python may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift
https://www.ibm.com/support/pages/node/6997507
IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to exposing sensitive information due to flaws and configurations (CVE-2023-30441).
https://www.ibm.com/support/pages/node/6997499
IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to denial of service due to [CVE-2012-0881], [CVE-2013-4002] and [CVE-2022-23437]
https://www.ibm.com/support/pages/node/6985605
Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22476, CVE-2022-34165)
https://www.ibm.com/support/pages/node/6997581
Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22473, CVE-2021-38951)
https://www.ibm.com/support/pages/node/6997587
Multiple Security Vulnerabilities have been fixed in IBM Security Directory Server, IBM Security Directory Suite and IBM Security Verify Directory.
https://www.ibm.com/support/pages/node/6997593
Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-21496, CVE-2021-35550, CVE-2021-2163, CVE-2021-35603)
https://www.ibm.com/support/pages/node/6997585
A vulnerability in IBM SDK, Java Technology Edition affects IBM Operations Analytics Predictive Insights
https://www.ibm.com/support/pages/node/6997589
CVE-2022-41723 and CVE-2022-41721 may affect IBM CICS TX Advanced
https://www.ibm.com/support/pages/node/6997601