End-of-Day report
Timeframe: Tuesday 23-05-2023 18:00 - Wednesday 24-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Barracuda warns of email gateways breached via zero-day flaw
Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by targeting a now-patched zero-day vulnerability.
https://www.bleepingcomputer.com/news/security/barracuda-warns-of-email-gateways-breached-via-zero-day-flaw/
Legion Malware Upgraded to Target SSH Servers and AWS Credentials
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
https://thehackernews.com/2023/05/legion-malware-upgraded-to-target-ssh.html
Malvertising via brand impersonation is back again
In recent months, numerous incidents have shown that malvertising is on the rise again and affecting the user experience and trust in their favorite search engine. Indeed, Search Engine Results Pages (SERPs) include paid Google ads that in some cases lead to scams or malware.
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-its-a-jungle-out-there
From legitimate to malicious: the transformation of an Android app within one year
ESET researchers discover AhRat, a new Android RAT based on AhMyth that exfiltrates files and records audio.
https://www.welivesecurity.com/deutsch/2023/05/23/von-legitim-zu-bosartig-ahrat/
Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
MikroTik patches a major security defect in its RouterOS product a full five months after it was exploited at Pwn2Own Toronto.
https://www.securityweek.com/mikrotik-belatedly-patches-routeros-flaw-exploited-at-pwn2own/
Numerous World4You phishing emails in circulation!
Website operators beware: criminals are currently sending an increased number of emails in the name of the Austrian hosting provider World4You. These usually falsely claim that invoices have not been paid or that web addresses have been blocked.
https://www.watchlist-internet.at/news/zahlreiche-world4you-phishing-mails-im-umlauf/
CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF)
Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-and-partners-update-stopransomware-guide-developed-through-joint-ransomware-task-force-jrtf
Vulnerabilities
VMSA-2023-0010
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
https://www.vmware.com/security/advisories/VMSA-2023-0010.html
Security updates for Wednesday
Security updates have been issued by Debian (libssh and sofia-sip), Fedora (cups-filters, dokuwiki, qt5-qtbase, and vim), Oracle (git, python-pip, and python3-setuptools), Red Hat (git, kernel, kpatch-patch, rh-git227-git, and sudo), SUSE (openvswitch, rmt-server, and texlive), and Ubuntu (binutils, cinder, cloud-init, firefox, golang-1.13, Jhead, liblouis, ncurses, node-json-schema, node-xmldom, nova, python-glance-store, python-os-brick, and runc).
https://lwn.net/Articles/932827/
Nextcloud: user_oidc app is missing bruteforce protection
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x8mc-84wj-rf34
Nextcloud: User session not correctly destroyed on logout
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38
Nextcloud: Basic auth header on WebDAV requests is not brute-force protected
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54
Apple security updates: iTunes 12.12.9 for Windows
https://support.apple.com/kb/HT213763
F5: K000134744 : Intel BIOS vulnerability CVE-2022-38087
https://my.f5.com/manage/s/article/K000134744
F5: K000134747 : PHP vulnerability CVE-2023-0568
https://my.f5.com/manage/s/article/K000134747
Bosch: Unrestricted SSH port forwarding in BVMS
https://psirt.bosch.com/security-advisories/bosch-sa-025794-bt.html
Bosch: Vulnerability in Wiegand card data interpretation
https://psirt.bosch.com/security-advisories/bosch-sa-391095-bt.html
Bosch: .NET Remote Code Execution Vulnerability in BVMS, BIS and AMS
https://psirt.bosch.com/security-advisories/bosch-sa-110112-bt.html
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to the module xml2js (CVE-2023-0842)
https://www.ibm.com/support/pages/node/6997617
IBM App Connect Enterprise is vulnerable to a denial of service due to cURL libcurl and Google protobuf-java. (CVE-2022-42915, CVE-2021-22569, CVE-2022-3509, CVE-2022-3171, CVE-2022-3510)
https://www.ibm.com/support/pages/node/6997631
IBM InfoSphere Information Server is affected by a remote code execution vulnerability (CVE-2023-32336)
https://www.ibm.com/support/pages/node/6995879
This Power System update is being released to address CVE-2023-30438
https://www.ibm.com/support/pages/node/6993021
TADDM affected by multiple vulnerabilities due to IBM Java and its runtime
https://www.ibm.com/support/pages/node/6997919
Vulnerability in IBM® Runtime Environment Java™ Version 8 affects Cloud Pak System. [CVE-2023-30441]
https://www.ibm.com/support/pages/node/6997913
A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554)
https://www.ibm.com/support/pages/node/6997097
A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2022-39161)
https://www.ibm.com/support/pages/node/6997921
A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2022-39161)
https://www.ibm.com/support/pages/node/6997923
A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-24966)
https://www.ibm.com/support/pages/node/6997925
Red Hat OpenShift on IBM Cloud is affected by a Kubernetes API server security vulnerability (CVE-2022-3172)
https://www.ibm.com/support/pages/node/6997115