End-of-Day report
Timeframe: Tuesday 30-05-2023 18:00 - Wednesday 31-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Zero-day vulnerability: Hole in Barracuda's ESG already abused for 7 months
Last week Barracuda patched a zero-day vulnerability in its ESG appliances. Investigations show that it had already been exploited since October.
https://heise.de/-9083222
Android spyware SpinOk reaches more than 421 million installations
Doctor Web has discovered an Android software module with spyware functionality in apps on Google Play with more than 421 million downloads. Google has been informed.
https://heise.de/-9069832
Ransomware: protection concept against attacks
Despite measures against cyberattacks and ransomware, many attacks succeed and the data ends up encrypted. A few points help to obtain usable backups.
https://heise.de/-9069092
RomCom malware spread via Google Ads for ChatGPT, GIMP, more
A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers.
https://www.bleepingcomputer.com/news/security/romcom-malware-spread-via-google-ads-for-chatgpt-gimp-more/
Mirai Variant Opens Tenda, Zyxel Gear to RCE, DDoS
Researchers have observed several cyberattacks leveraging a botnet called IZ1H9, which exploits vulnerabilities in exposed devices and servers running on Linux.
https://www.darkreading.com/endpoint/mirai-variant-tenda-zyxel-rce-ddos
Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor
Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs, a feature ripe for abuse, researchers say.
https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/
Netflix phishing messages currently particularly dangerous!
As of May 2023, Netflix has stopped account sharing, i.e. the sharing of Netflix accounts, as a result of which numerous users have lost their access or have to pay additional fees. At the same time, countless Netflix phishing emails are in circulation which, while unrelated to the new account-sharing policies, are more readily taken for genuine because of the changes. Caution: do not disclose any data here!
https://www.watchlist-internet.at/news/netflix-phishing-nachrichten-aktuell-besonders-gefaehrlich/
Investigating BlackSuit Ransomware's Similarities to Royal
In this blog entry, we analyze BlackSuit ransomware and how it compares to Royal Ransomware.
https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html
Vulnerabilities
New macOS vulnerability, Migraine, could bypass System Integrity Protection
A new vulnerability, which we refer to as "Migraine" for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2023-32369, was included in the security updates released by Apple on May 18, 2023.
https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection/
Barracuda Email Security Gateway Appliance (ESG) Vulnerability
Barracuda Networks' priorities throughout this incident have been transparency and using this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks. Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.
https://www.barracuda.com/company/legal/esg-vulnerability
CVE-2023-34152: Shell Command Injection Bug Affecting ImageMagick
[...] recent findings have brought to light a trio of security vulnerabilities that could transform this useful tool into a potential weapon in the hands of malicious entities.
* CVE-2023-34151: Undefined behaviors of casting double to size_t in svg, mvg, and other coders
* CVE-2023-34152: RCE (shell command injection) vulnerability
* CVE-2023-34153: Shell command injection vulnerability
https://securityonline.info/cve-2023-34152-shell-command-injection-bug-affecting-imagemagick/
Web browser: Google Chrome 114 closes 16 vulnerabilities and improves security
In addition to the usual closed security holes, 16 in number, Google Chrome 114 also delivers some new or improved security features.
https://heise.de/-9069705
Forced update: WordPress websites can be manipulated via Jetpack vulnerability
The Jetpack developers have released 102 bug-fixed versions of their WordPress plug-in.
https://heise.de/-9069974
Security updates for Wednesday
Security updates have been issued by Debian (connman and kamailio), Fedora (texlive-base), Mageia (cups-filters, postgresql, qtbase5, tcpreplay, tomcat, and vim), Slackware (openssl), SUSE (amazon-ssm-agent, cni, cni-plugins, compat-openssl098, installation-images, libaom, openssl, openssl-1_0_0, openssl-1_1, terraform, terraform-provider-helm, tiff, tomcat, and wireshark), and Ubuntu (batik, flask, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-oracle, linux-oracle-5.4, mozjs102, nanopb, openssl, openssl1.0, snapd, and texlive-bin).
https://lwn.net/Articles/933360/
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0004
Date Reported: May 30, 2023
Advisory ID: WSA-2023-0004
CVE identifiers: CVE-2023-28204, CVE-2023-32373.
https://webkitgtk.org/security/WSA-2023-0004.html
Possible damage of secure element in Bosch IP cameras
BOSCH-SA-435698-BT: Due to an error in the software interface to the secure element chip on the cameras, the chip can be **permanently damaged** leading to an unusable camera when enabling the Stream security option (signing of the video stream) on Bosch CPP13 and CPP14 cameras. The default setting for this option is "off".
https://psirt.bosch.com/security-advisories/bosch-sa-435698-bt.html
DataSpider Servista uses a hard-coded cryptographic key
https://jvn.jp/en/jp/JVN38222042/
[20230501] - Core - Open Redirects and XSS within the mfa selection
https://developer.joomla.org:443/security-centre/899-20230501-core-open-redirects-and-xss-within-the-mfa-selection.html
[20230502] - Core - Bruteforce prevention within the mfa screen
https://developer.joomla.org:443/security-centre/900-20230502-core-bruteforce-prevention-within-the-mfa-screen.html
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/