End-of-Day report
Timeframe: Friday 16-06-2023 18:00 - Monday 19-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Android spyware camouflaged as VPN, chat apps on Google Play
Three Android apps on Google Play were used by state-sponsored threat actors to collect intelligence from targeted devices, such as location data and contact lists.
https://www.bleepingcomputer.com/news/security/android-spyware-camouflaged-as-vpn-chat-apps-on-google-play/
Security Expert Defeats Lenovo Laptop BIOS Password With a Screwdriver
Cybersecurity experts at CyberCX have demonstrated a simple method for consistently accessing older BIOS-locked laptops by shorting pins on the EEPROM chip with a screwdriver, enabling full access to the BIOS settings and bypassing the password.
https://it.slashdot.org/story/23/06/16/2322255/security-expert-defeats-lenovo-laptop-bios-password-with-a-screwdriver?utm_source=rss1.0mainlinkanon&utm_medium=feed
From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet
Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks. "The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report.
https://thehackernews.com/2023/06/from-cryptojacking-to-ddos-attacks.html
New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions
A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.
https://thehackernews.com/2023/06/new-mystic-stealer-malware-targets-40.html
[SANS ISC] Malware Delivered Through .inf File
Today, I published the following diary on isc.sans.edu: "Malware Delivered Through .inf File": Microsoft has used .inf files for a while. They are simple text files and contain setup information in a driver package. They describe what must be performed to install a driver package on a device. When you read them, the syntax is straightforward to understand. The file is based on sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection].
https://blog.rootshell.be/2023/06/19/sans-isc-malware-delivered-through-inf-file/
The Phantom Menace: Exposing hidden risks through ACLs in Active Directory (Part 1)
The abuse of misconfigured Access Control Lists is nothing new. However, it is still one of the main ways of lateral movement and privilege escalation within an Active Directory domain. [..] In this post, we will discuss, in a general overview, some concepts that will help us understand how Windows handles access relationships and privileges between objects and how to enumerate these relationships.
https://labs.lares.com/securing-active-directory-via-acls/
Speculative Denial-of-Service Attacks in Ethereum
Block proposers speculatively execute transactions when creating blocks to maximize their profits. How can this go wrong? In "Speculative Denial-of-Service Attacks in Ethereum", we show how speculative execution allows attackers to cheaply DoS the network.
https://medium.com/@aviv.yaish/speculative-denial-of-service-attacks-in-ethereum-c4bfbbaec4a2
Warning: Malware Disguised as a Security Update Installer Being Distributed
AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software.
https://asec.ahnlab.com/en/54375/
Vulnerabilities
ZDI-23-889: Schneider Electric IGSS DashFiles Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
https://www.zerodayinitiative.com/advisories/ZDI-23-889/
Security updates for Monday
Security updates have been issued by Debian (golang-go.crypto, maradns, requests, sofia-sip, and xmltooling), Fedora (chromium, iaito, iniparser, libX11, matrix-synapse, radare2, and thunderbird), Red Hat (c-ares, jenkins and jenkins-2-plugins, and texlive), SUSE (bluez, chromium, go1.19, go1.20, jetty-minimal, kernel, kubernetes1.18, kubernetes1.23, kubernetes1.24, libX11, open-vm-tools, openvswitch3, opera, syncthing, and xen), and Ubuntu (libcap2, libpod, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-lowlatency, linux-raspi, linux-oem-5.17, linux-oem-6.1, pypdf2, and qemu).
https://lwn.net/Articles/935184/
Vulnerability in Apache Commons FileUpload may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6998653
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester
https://www.ibm.com/support/pages/node/7004699
Vulnerability in Eclipse OpenJ9 affects Rational Performance Tester (CVE-2022-3676)
https://www.ibm.com/support/pages/node/7004703
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester
https://www.ibm.com/support/pages/node/7004701
Vulnerability in Eclipse OpenJ9 affects Rational Service Tester (CVE-2022-3676)
https://www.ibm.com/support/pages/node/7004705
Vulnerabilities in Golang, Python, postgresql, cURL libcurl might affect IBM Spectrum Copy Data Management
https://www.ibm.com/support/pages/node/6995589
Vulnerabilities with OpenSSL, Apache HTTP Server, Python affect IBM Cloud Object Storage Systems (June 2023v1)
https://www.ibm.com/support/pages/node/7004661
A vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Performance Tester.
https://www.ibm.com/support/pages/node/7004709
A vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Service Tester.
https://www.ibm.com/support/pages/node/7004711
Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-1280, CVE-2023-0386, CVE-2022-4269, CVE-2022-2873, CVE-2022-4378)
https://www.ibm.com/support/pages/node/6995585
Vulnerabilities with Linux Kernel, OpenJDK affect IBM Cloud Object Storage Systems (June 2023)
https://www.ibm.com/support/pages/node/7002711
Vulnerabilities in Golang Go might affect IBM Spectrum Copy Data Management (CVE-2023-24536, CVE-2023-24537, CVE-2023-24538)
https://www.ibm.com/support/pages/node/6998399
IBM Sterling Control Center is vulnerable to denial of service attack due to Java SE (CVE-2022-21426)
https://www.ibm.com/support/pages/node/7004723
IBM Sterling Control Center is vulnerable to denial of service due to Java SE (CVE-2023-21830, CVE-2023-21843)
https://www.ibm.com/support/pages/node/7004721
Vulnerabilities in OpenSSL might affect IBM Spectrum Copy Data Management (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
https://www.ibm.com/support/pages/node/6995593
IBM Aspera Shares is vulnerable to cross-site scripting due to JQuery-UI (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182)
https://www.ibm.com/support/pages/node/7004731
Vulnerabilities in Oracle Java SE might affect IBM Spectrum Copy Data Management (CVE-2023-21968, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21937, CVE-2023-21930)
https://www.ibm.com/support/pages/node/6995595
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd
https://www.ibm.com/support/pages/node/7004197
Vulnerabilities in Flask and Pallets Werkzeug may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2023-30861, CVE-2023-25577, CVE-2023-23934)
https://www.ibm.com/support/pages/node/6999973
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol
https://www.ibm.com/support/pages/node/6986323
Multiple vulnerabilities may affect IBM SDK, Java Technology Edition
https://www.ibm.com/support/pages/node/7001663