End-of-Day report
Timeframe: Wednesday 14-06-2023 18:00 - Thursday 15-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Microsoft: Windows Kernel CVE-2023-32019 fix is disabled by default
Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases.
https://www.bleepingcomputer.com/news/security/microsoft-windows-kernel-cve-2023-32019-fix-is-disabled-by-default/
Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway
A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022. "UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," Google-owned Mandiant said in a new report published today, [...]
https://thehackernews.com/2023/06/chinese-unc4841-group-exploits-zero-day.html
Hardware Hacking to Bypass BIOS Passwords
This article serves as a beginner's hardware hacking journey, performing a BIOS password bypass on Lenovo laptops. We identify what the problem is, how to identify a vulnerable chip, how to bypass a vulnerable chip, and finally, analyse why this attack works and ways that it can be prevented.
https://blog.cybercx.co.nz/bypassing-bios-password
Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver
Recently, a threat actor (TA) known as SpyBot posted a tool, on a Russian hacking forum, that can terminate any antivirus/Endpoint Detection & Response (EDR/XDR) software. [...] While I've seen a lot of material from the defensive community (they were fast on this one) about the detection mechanism, IOCs, prevention policies and intelligence, I feel some other, perhaps more interesting vulnerable code paths in this driver were not explored nor discussed.
https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-antilogger-driver/
Security updates: attacks on Google Pixel smartphones spotted
Google has closed numerous security vulnerabilities in Pixel smartphones running Android 13. One vulnerability is rated critical.
https://heise.de/-9188302
Eset closes security vulnerabilities in virus scanners for Linux and Mac
Due to a high-risk security vulnerability in Eset's antivirus for Linux and Mac, attackers can escalate their privileges. Updates are available.
https://heise.de/-9188823
Critical flaw: code injection possible on more than 50 HP Laserjet MFP models
HP warns of a critical security vulnerability in more than 50 HP (Enterprise) Laserjet MFP models. Attackers on the network can inject malicious code.
https://heise.de/-9188162
WhatsApp backups targeted by Android GravityRAT
ESET researchers analysed an updated version of the Android spyware GravityRAT that steals WhatsApp backup files and can receive commands to delete files.
https://www.welivesecurity.com/deutsch/2023/06/15/whatsapp-backups-im-visier-von-android-gravityrat/
Android Malware Impersonates ChatGPT-Themed Applications
Android malware posing as ChatGPT-themed apps targets mobile users. We report on instances of this attack vector, identifying two distinct types.
https://unit42.paloaltonetworks.com/android-malware-poses-as-chatgpt/
Companies affected by LinkedIn scams
The most common form of scam is a contact request from an unknown person with a suspicious link in the message.
https://www.zdnet.de/88409942/unternehmen-von-linkedin-betrugsfaellen-betroffen/
CISA and NSA Release Joint Guidance on Hardening Baseboard Management Controllers (BMCs)
Today, CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI), highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them. BMCs are trusted components designed into a computer's hardware that operate separately from the operating system (OS) and firmware to allow for remote management and control, even when the system is shut down.
https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs
Well-crafted phishing attempt with malware in Microsoft's name
A blog reader alerted me to a well-crafted phishing attempt by e-mail that picks up on the topic of multi-factor authentication (MFA). It suggests that the mail comes from Microsoft itself (a Microsoft sub-domain is used), and the people act [...]
https://www.borncity.com/blog/2023/06/15/gut-gemachter-phishing-versuch-mit-malware-im-namen-microsofts/
Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers
Without altering a single line of code, attackers poisoned the NPM package 'bignum' by hijacking the S3 bucket serving binaries necessary for its function and replacing them with malicious ones.
https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers/
Vulnerabilities
ZDI-23-858: (0Day) Pulse Secure Client SetupService Directory Traversal Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Pulse Secure Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
https://www.zerodayinitiative.com/advisories/ZDI-23-858/
Security updates for Thursday
Security updates have been issued by Debian (webkit2gtk), Fedora (python-django-filter and qt), Mageia (cups, firefox/nss, httpie, thunderbird, and webkit2), Red Hat (.NET 6.0, .NET 7.0, c-ares, firefox, jenkins and jenkins-2-plugins, nodejs, nodejs:18, python3, python3.11, python3.9, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (frr, opensc, python3, and rekor), and Ubuntu (c-ares, glib2.0, libcap2, linux-intel-iotg-5.15, pano13, and requests).
https://lwn.net/Articles/934802/
Vulnerabilities in Samba
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system.
https://www.qnap.com/en-us/security-advisory/QSA-23-05
Windows PowerShell PS1 Trojan File RCE
https://cxsecurity.com/issue/WLB-2023060031
Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020
https://www.drupal.org/sa-contrib-2023-020
CVE-2023-0010 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication (Severity: MEDIUM)
https://security.paloaltonetworks.com/CVE-2023-0010
CVE-2023-0009 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM)
https://security.paloaltonetworks.com/CVE-2023-0009
IBM Sterling Partner Engagement Manager is vulnerable to CSS injection due to Swagger UI (CVE-2019-17495)
https://www.ibm.com/support/pages/node/7004151
IBM Sterling Partner Engagement Manager vulnerable to buffer overflow due to OpenJDK (CVE-2023-2597)
https://www.ibm.com/support/pages/node/7004153
IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342)
https://www.ibm.com/support/pages/node/7004175
A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2022-39161]
https://www.ibm.com/support/pages/node/7004183
Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-24966, CVE-2022-39161, CVE-2023-27554, CVE-2023-24998)
https://www.ibm.com/support/pages/node/7004187
A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7004199
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd
https://www.ibm.com/support/pages/node/7004197
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, go and apr-util
https://www.ibm.com/support/pages/node/6999605