End-of-Day report
Timeframe: Wednesday 07-06-2023 18:00 - Friday 09-06-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Replace Barracuda Email Security Gateway Appliance (ESG) immediately!
One more short item that was left over because of the public holiday. The vendor Barracuda is urging administrators of its Email Security Gateway Appliance (ESG) to replace the devices immediately. The background is a vulnerability in the ESG models that was supposed to have been patched at the end of May 2025. That apparently does not work, and the vendor is calling for the devices to be replaced.
https://www.borncity.com/blog/2023/06/08/barracuda-email-security-gateway-appliance-esg-sofort-austauschen/
CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances
Rapid7 incident response teams are investigating exploitation of physical Barracuda Networks Email Security Gateway (ESG) appliances.
https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/
Royal ransomware gang adds BlackSuit encryptor to their arsenal
The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor.
https://www.bleepingcomputer.com/news/security/royal-ransomware-gang-adds-blacksuit-encryptor-to-their-arsenal/
Detecting and mitigating a multi-stage AiTM phishing and BEC campaign
Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical AiTM attacks.
https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/
Undetected PowerShell Backdoor Disguised as a Profile File, (Fri, Jun 9th)
PowerShell remains an excellent way to compromise computers. Many PowerShell scripts found in the wild are usually obfuscated. Most of the time, this helps to have the script detected by fewer antivirus vendors. Yesterday, I found a script that scored 0/59 on VT! Let's have a look at it.
https://isc.sans.edu/diary/rss/29930
Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021
On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). [...] Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.
https://www.kroll.com/en/insights/publications/cyber/clop-ransomware-moveit-transfer-vulnerability-cve-2023-34362
MSSQL linked servers: abusing ADSI for password retrieval
When we talk about Microsoft SQL Server linked servers, we usually think of links to other SQL Server instances. However, this is only one of the multiple available options, so today we are going to delve into the Active Directory Service Interfaces (ADSI) provider, which allows querying the AD using the LDAP protocol.
https://www.tarlogic.com/blog/linked-servers-adsi-passwords/
Cisco security updates: attackers could change the passwords of arbitrary users
Among others, Cisco Expressway Series and Adaptive Security Appliance are vulnerable. Admins should update the software.
https://heise.de/-9180829
Minecraft modification packs contaminated with Fractureiser malware
Minecraft players beware: infected modifications have appeared on the legitimate portals Bukkit and CurseForge.
https://heise.de/-9182068
Malicious code attacks possible against VMware network monitoring solution
There is an important security update for VMware Aria Operations for Networks. Admins should act promptly.
https://heise.de/-9181036
Android viruses: cunningly hidden from users
Bitdefender's virus analysts, while testing a protection component, came across Android malware that hides itself cunningly on the smartphone.
https://heise.de/-9182008
Asylum Ambuscade: crimeware or cyberespionage?
A curious case of a threat actor on the border between crimeware and cyberespionage.
https://www.welivesecurity.com/deutsch/2023/06/08/asylum-ambuscade-crimeware-oder-cyberspionage/
SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
A SaaS ransomware attack against a company's Sharepoint Online was done without using a compromised endpoint.
https://www.securityweek.com/saas-ransomware-attack-hit-sharepoint-online-without-using-a-compromised-endpoint/
Shodan Verified Vulns 2023-06-01
As of 2023-06-01, Shodan sees the following vulnerabilities in Austria: [...] This month, too, a decline is recorded for almost all entries. The only comparatively larger exception is the vulnerability CVE-2015-2080 (Jetleak).
https://cert.at/de/aktuelles/2023/6/shodan-verified-vulns-2023-06-01
Adventures in Disclosure: When Reporting Bugs Goes Wrong
The Zero Day Initiative (ZDI) is the world's largest vendor-agnostic bug bounty program. That means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc. We don't buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan. Why Disclose at All? This is a fine place to start.
https://www.thezdi.com/blog/2023/6/7/adventures-in-disclosure-when-reporting-bugs-goes-wrong
May 2023's Most Wanted Malware: New Version of Guloader Delivers Encrypted Cloud-Based Payloads
Check Point Research reported on a new version of shellcode-based downloader GuLoader featuring fully encrypted payloads for cloud-based delivery. Our latest Global Threat Index for May 2023 saw researchers report on a new version of shellcode-based downloader GuLoader, which was the fourth most prevalent malware. With fully encrypted payloads and anti-analysis techniques, the latest form can be stored undetected in well-known public cloud services, including Google Drive.
https://blog.checkpoint.com/security/may-2023s-most-wanted-malware-new-version-of-guloader-delivers-encrypted-cloud-based-payloads/
Analyzing the FUD Malware Obfuscation Engine BatCloak
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
https://www.trendmicro.com/en_us/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak.html
Vulnerabilities
ZDI-23-818: (0Day) ZTE MF286R goahead Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ZTE MF286R routers. Authentication is required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-23-818/
ZDI: Sante DICOM Viewer Pro Vulnerabilities
* ZDI-23-853: Sante DICOM Viewer Pro DCM File Parsing Use-After-Free Information Disclosure Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-853/
* ZDI-23-854: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-854/
* ZDI-23-855: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-855/
* ZDI-23-856: Sante DICOM Viewer Pro JP2 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-856/
https://www.santesoft.com/win/sante-dicom-viewer-pro/download.html
Antivirus: high-risk security vulnerabilities in Trend Micro's Apex One
In the protection software Trend Micro Apex One, attackers can abuse vulnerabilities to escalate their privileges on the system. Updates are available.
https://heise.de/-9180965
Security updates for Thursday
Security updates have been issued by Debian (chromium, firefox-esr, and ruby2.5), Fedora (curl, dbus, pypy, pypy3.8, pypy3.9, python3.10, and python3.8), Red Hat (python and python-flask), Scientific Linux (emacs), SUSE (firefox, google-cloud-sap-agent, libwebp, opensc, openssl, openssl-3, openssl1, python-sqlparse, python310, and supportutils), and Ubuntu (libxml2, netatalk, and sysstat).
https://lwn.net/Articles/934245/
Security updates for Friday
Security updates have been issued by Debian (jupyter-core, openssl, and ruby2.5), Fedora (firefox), Mageia (libreoffice, openssl, and python-flask), Red Hat (python and python3), Slackware (mozilla, php8, and python3), SUSE (java-1_8_0-ibm, libcares2, mariadb, and python36), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-gke, linux-intel-iotg, linux-raspi, linux-xilinx-zynqmp, and mozjs102).
https://lwn.net/Articles/934316/
Delta Electronics CNCSoft-B DOPSoft
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow
https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-01
CISA Releases Two Industrial Control Systems Advisories
CISA released two Industrial Control Systems (ICS) advisories on June 8, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-23-159-01 - Atlas Copco Power Focus 6000
ICSA-23-159-02 - Sensormatic Electronics Illustra Pro Gen 4
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
https://www.cisa.gov/news-events/alerts/2023/06/08/cisa-releases-two-industrial-control-systems-advisories
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/