End-of-Day report
Timeframe: Thursday 25-05-2023 18:00 - Friday 26-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Microsoft 365 phishing attacks use encrypted RPMSG messages
Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways.
https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attacks-use-encrypted-rpmsg-messages/
Dark Frost Botnet targets the gaming sector with powerful DDoS
Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed denial-of-service (DDoS) attacks. The botnet borrows code from several popular bot families, including Mirai, Gafgyt, and Qbot.
https://securityaffairs.com/146683/malware/dark-frost-botnet.html
New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, [...]
https://thehackernews.com/2023/05/new-cosmicenergy-malware-exploits-ics.html
Security vulnerabilities in health app: data theft would have been possible
Vulnerabilities in health apps have exposed the poor state of digitalisation in the healthcare sector. A "secure basic infrastructure" is said to be lacking.
https://heise.de/-9064935
Cold as Ice: Unit 42 Wireshark Quiz for IcedID
IcedID is a known vector for ransomware. Analyze infection traffic from this banking trojan in our latest Wireshark tutorial.
https://unit42.paloaltonetworks.com/wireshark-quiz-icedid/
Exploiting the Sonos One Speaker Three Different Ways: A Pwn2Own Toronto Highlight
During Pwn2Own Toronto 2022, three different teams successfully exploited the Sonos One Speaker. In total, $105,000 was awarded to the three teams, with the team of Toan Pham and Tri Dang from Qrious Secure winning $60,000 since their entry was first on the schedule.
https://www.thezdi.com/blog/2023/5/24/exploiting-the-sonos-one-speaker-three-different-ways-a-pwn2own-toronto-highlight
What is a web shell?
What are web shells? And why are attackers increasingly using them in their campaigns? We break it down in this blog.
https://blog.talosintelligence.com/what-is-a-web-shell/
New Info Stealer Bandit Stealer Targets Browsers, Wallets
This is an analysis of Bandit Stealer, a new Go-based information-stealing malware capable of evading detection as it targets multiple browsers and cryptocurrency wallets.
https://www.trendmicro.com/en_us/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html
Vulnerabilities
LibreOffice vulnerabilities: risk of code smuggling via crafted documents
New LibreOffice versions close security vulnerabilities, some of them high-risk. Attackers could inject malicious code using manipulated spreadsheets.
https://heise.de/-9066277
Critical vulnerabilities in network management software D-Link D-View 8 closed
D-Link apparently needed almost five months to develop a security patch for D-View 8, and it is still in beta.
https://heise.de/-9066361
Security updates for Friday
Security updates have been issued by Debian (sniproxy), Fedora (c-ares), Oracle (apr-util, curl, emacs, git, go-toolset and golang, go-toolset:ol8, gssntlmssp, libreswan, mysql:8.0, thunderbird, and webkit2gtk3), Red Hat (go-toolset-1.19 and go-toolset-1.19-golang and go-toolset:rhel8), Slackware (ntfs), SUSE (rmt-server), and Ubuntu (linux-raspi, linux-raspi-5.4 and python-django).
https://lwn.net/Articles/933071/
K000134793 : OpenJDK vulnerability CVE-2018-2952
https://my.f5.com/manage/s/article/K000134793
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a heap-based buffer overflow in Perl (CVE-2020-10543)
https://www.ibm.com/support/pages/node/6998419
IBM MQ is affected by a vulnerability in the IBM Runtime Environment, Java Technology Edition (CVE-2023-30441)
https://www.ibm.com/support/pages/node/6998353
IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java
https://www.ibm.com/support/pages/node/6998677
IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java
https://www.ibm.com/support/pages/node/6998685
IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java
https://www.ibm.com/support/pages/node/6998673
IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java
https://www.ibm.com/support/pages/node/6998679
IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java
https://www.ibm.com/support/pages/node/6998675
IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java
https://www.ibm.com/support/pages/node/6998681
Vulnerability in IBM Java (CVE-2022-21426) affects Power HMC
https://www.ibm.com/support/pages/node/6998705
Vulnerability in OpenSSL (CVE-2022-4304, CVE-2022-4450, CVE-2023-0215 and CVE-2023-0286) affects Power HMC
https://www.ibm.com/support/pages/node/6998707
Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2023
https://www.ibm.com/support/pages/node/6998727
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
https://www.ibm.com/support/pages/node/6998753
AIX is vulnerable to security restrictions bypass due to curl (CVE-2022-32221)
https://www.ibm.com/support/pages/node/6998763