End-of-Day report
Timeframe: Friday 26-05-2023 18:00 - Tuesday 30-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
QBot malware abuses Windows WordPad EXE to infect devices
The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.
https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/
Hot Pixels attack checks CPU temp, power changes to steal data
A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the target's browser and infer the navigation history.
https://www.bleepingcomputer.com/news/security/hot-pixels-attack-checks-cpu-temp-power-changes-to-steal-data/
Android apps with spyware installed 421 million times from Google Play
A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.
https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-installed-421-million-times-from-google-play/
Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files, (Mon, May 29th)
I was asked how to analyze Office Documents that are embedded inside PPT files. PPT is the "standard" binary format for PowerPoint; it's an olefile. You can analyze it with oledump.py.
https://isc.sans.edu/diary/rss/29894
Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT, (Tue, May 30th)
Also known as DBatLoader, ModiLoader is malware that retrieves and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware. Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.
https://isc.sans.edu/diary/rss/29896
Beware of the new phishing technique "file archiver in the browser" that exploits .zip domains
"File archiver in the browser" is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain.
https://securityaffairs.com/146828/cyber-crime/file-archiver-in-the-browser-phishing.html
Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data
A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could potentially be exploited to obtain access to confidential data.
https://thehackernews.com/2023/05/severe-flaw-in-google-clouds-cloud-sql.html
Beware of fake service phone numbers when googling!
On some websites, finding a service phone number turns out to be a complicated undertaking. That is why it is often easier to search for the contact details directly via the search engine rather than on the respective company website. But beware: criminals mix fake pages and numbers in among the genuine contact details, and these are used to steal your money and data. A current example is fake numbers for the airline Ryanair!
https://www.watchlist-internet.at/news/vorsicht-vor-fake-service-telefonnummern-beim-googeln/
Vulnerabilities
OpenSSL 3.0 Series Release Notes [30 May 2023]
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)
https://www.openssl.org/news/openssl-3.0-notes.html
OpenSSL 1.1.1 Series Release Notes [30 May 2023]
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)
https://www.openssl.org/news/openssl-1.1.1-notes.html
Security vulnerability in Moxa MXsecurity Series endangers critical infrastructure
A critical security vulnerability in the MXsecurity network monitoring solution puts industrial plants at risk.
https://heise.de/-9068382
Attackers could crash the Wireshark network analysis tool
In the current Wireshark version, the developers have fixed several security issues.
https://heise.de/-9069031
Collaboration suite Nextcloud: vulnerabilities closed, some of them high-risk
The Nextcloud collaboration software contains security vulnerabilities, some of them high-risk. Updated software is available.
https://heise.de/-9068654
VMSA-2023-0011
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.
https://www.vmware.com/security/advisories/VMSA-2023-0011.html
Many Vulnerabilities Found in PrinterLogic Enterprise Software
Vulnerabilities identified in PrinterLogic's enterprise printer management solution could expose organizations to authentication bypass, SQL injection, cross-site scripting (XSS) and other types of attacks.
https://www.securityweek.com/many-vulnerabilities-found-in-printerlogic-enterprise-software/
Security updates for Monday
Security updates have been issued by Debian (docker-registry, gpac, libraw, libreoffice, rainloop, and sysstat), Fedora (bottles, c-ares, edk2, libssh, microcode_ctl, python-vkbasalt-cli, rust-buffered-reader, rust-nettle, rust-nettle-sys, rust-rpm-sequoia, rust-sequoia-keyring-linter, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-policy-config, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, rust-sequoia-wot, and xen), SUSE (opera), and Ubuntu (Jhead, linuxptp, and sudo).
https://lwn.net/Articles/933165/
Security updates for Tuesday
Security updates have been issued by Debian (libssh and sssd), Fedora (microcode_ctl and python3.6), Gentoo (cgal, firefox firefox-bin, openimageio, squashfs-tools, thunderbird thunderbird-bin, tiff, tomcat, webkit-gtk, and xorg-server xwayland), SUSE (c-ares and go1.18-openssl), and Ubuntu (Jhead, node-hawk, node-nth-check, and perl).
https://lwn.net/Articles/933246/
Advantech WebAccess/SCADA
https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01
Zyxel security advisory for post-authentication command injection vulnerability in NAS products
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-nas-products
Starlette vulnerable to directory traversal
https://jvn.jp/en/jp/JVN95981715/
Technical Advisory - Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)
https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight/
Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution
https://blog.talosintelligence.com/vulnerability-in-mitsubishi-plc-could-lead-to-dos-code-execution/
Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer
https://www.ibm.com/support/pages/node/6998795
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2022-39161)
https://www.ibm.com/support/pages/node/6998811
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-27554)
https://www.ibm.com/support/pages/node/6998813
A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-24966)
https://www.ibm.com/support/pages/node/6999091
A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-30441).
https://www.ibm.com/support/pages/node/6999115
Vulnerability in Spring Framework affects IBM Process Mining [CVE-2023-20860]
https://www.ibm.com/support/pages/node/6999119
Apache Commons Text vulnerability affects Netcool Operations Insight [CVE-2022-42889]
https://www.ibm.com/support/pages/node/6999133
A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-27554)
https://www.ibm.com/support/pages/node/6999213
A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVE-2023-29257, CVE-2023-29255, CVE-2023-27555, CVE-2023-26021, CVE-2023-25930, CVE-2023-26022, CV)
https://www.ibm.com/support/pages/node/6999215
[All] Expat - CVE-2022-43680 (Publicly disclosed vulnerability)
https://www.ibm.com/support/pages/node/6999237
Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to HTTP request splitting attacks (CVE-2023-25690)
https://www.ibm.com/support/pages/node/6999241
IBM Copy Services Manager is vulnerable to crypto attack vulnerabilities due to IBM Java 8 vulnerabilities.
https://www.ibm.com/support/pages/node/6999269
IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928)
https://www.ibm.com/support/pages/node/6981113