End-of-Day report
Timeframe: Monday 19-06-2023 18:00 - Tuesday 20-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
SeroXen Mechanisms: Exploring Distribution, Risks, and Impact
This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators.
https://www.trendmicro.com/en_us/research/23/f/seroxen-mechanisms-exploring-distribution-risks-and-impact.html
New RDStealer malware steals from drives shared over Remote Desktop
A cyberespionage and hacking campaign tracked as RedClouds uses the custom RDStealer malware to automatically steal data from drives shared through Remote Desktop connections.
https://www.bleepingcomputer.com/news/security/new-rdstealer-malware-steals-from-drives-shared-over-remote-desktop/
Honeypot Recon: MSSQL Server - Database Threat Overview '22/'23
In this article, we'll reveal botnet behavior before and after a successful attack. These bots have one job: to install malicious software that can mine digital coins or create backdoors into systems.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mssql-server-database-threat-overview-22-23/
How we wanted to book a train ticket and ended up with 245,000 data records
To celebrate the German-French friendship, Federal Transport Minister Wissing and his French counterpart Beaune came up with something special: 30,000 free Interrail tickets per country for travel in Germany and France for young adults between 18 and 27. However, quite a few things went wrong when distributing the Interrail passes.
https://zerforschung.org/posts/freundschaftspass-de/
"iCloud storage is full": Phishing campaign targets Apple users
Free iCloud storage fills up quickly, and mails with upgrade prompts are a familiar sight for many users. Criminals are once again counting on exactly that.
https://heise.de/-9192454
OT:Icefall: Vulnerabilities Identified in Wago Controllers
Forescout Technologies has disclosed the details of vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.
https://www.securityweek.com/oticefall-vulnerabilities-identified-in-wago-controllers/
Beware of fake Gymshark shops
Looking for cheap deals on the Gymshark brand? You will find them at the fake shops gymsharkwien.com, gym-shark-osterreich.com or gymsharkosterreichsale.com. By adding "Wien" or "Österreich" to the domain name, the shops create the impression that they are Austrian shops. In fact, you have landed in a fake shop.
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-gymshark-shops/
RecordBreaker Infostealer Disguised as a .NET Installer
Malware distributed under the guise of cracks is evolving. In the past, the malware was simply distributed as the executable itself. Then there was a gradual shift towards also bundling benign files inside a compressed archive. More recently, a sample was observed in which a legitimate installer was downloaded and executed as a decoy. If the malware runs in an ordinary user environment, the encrypted malware file is downloaded from the threat actor's server and executed.
https://asec.ahnlab.com/en/54658/
Tsunami DDoS Malware Distributed to Linux SSH Servers
AhnLab Security Emergency response Center (ASEC) has recently discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner. When looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS bots or CoinMiners.
https://asec.ahnlab.com/en/54647/
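Added example (not part of the ASEC report or of this digest): a POSIX shell check of the sshd_config settings that most often make a Linux SSH server "inadequately managed" in the sense used above, namely password logins exposed to dictionary attacks, direct root login and empty passwords. The sample configuration written by the script is constructed for the demonstration, and the function names sshd_opt and audit_sshd_config are this example's own. It evaluates only the global section of the file (Match blocks are skipped) and assumes the defaults of current OpenSSH releases.

```shell
#!/bin/sh
# Added example, not from the ASEC report: minimal audit of the sshd_config
# settings behind most "poorly managed SSH server" compromises. Only the
# global section is checked; Match blocks are skipped (simplification), and
# the defaults assumed below are those of current OpenSSH releases.

# Print the effective value of a keyword. OpenSSH takes the FIRST uncommented
# occurrence, so stop at the first hit, and at the first Match block.
sshd_opt() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 if the config is hardened, 1 otherwise; one line per finding.
audit_sshd_config() {
    cfg="$1"
    weak=0

    pa=$(sshd_opt "$cfg" PasswordAuthentication)
    [ -z "$pa" ] && pa=yes                  # OpenSSH default
    if [ "$pa" != "no" ]; then
        echo "WEAK: PasswordAuthentication $pa (open to dictionary attacks; use keys)"
        weak=1
    fi

    prl=$(sshd_opt "$cfg" PermitRootLogin)
    [ -z "$prl" ] && prl=prohibit-password  # OpenSSH default since 7.0
    if [ "$prl" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes (root reachable with a password)"
        weak=1
    fi

    pe=$(sshd_opt "$cfg" PermitEmptyPasswords)
    [ -z "$pe" ] && pe=no                   # OpenSSH default
    if [ "$pe" = "yes" ]; then
        echo "WEAK: PermitEmptyPasswords yes"
        weak=1
    fi

    return $weak
}

# Constructed sample: a distribution default with two risky lines uncommented.
# Real use: audit_sshd_config /etc/ssh/sshd_config
sample=$(mktemp)
cat > "$sample" <<'EOF'
# comment lines and Match blocks must not influence the result
#PasswordAuthentication no
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitEmptyPasswords yes
EOF

if audit_sshd_config "$sample"; then
    echo "sshd_config: hardened"
else
    echo "sshd_config: NOT hardened, see findings above"
fi
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on the hosts you expose to the internet; a non-zero exit is the condition under which the DDoS bots and CoinMiners described above typically get in. Keep in mind that `sshd -T` is the authoritative view of the effective configuration (it resolves Include directives and Match blocks), so treat this script as a quick triage, not a replacement.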
Vulnerabilities
Router firmware: Asus urgently recommends updating due to critical vulnerabilities
Asus has fixed critical vulnerabilities in the firmware of several router models that could potentially allow attackers to execute malicious code.
https://www.golem.de/news/router-firmware-asus-raet-aufgrund-kritischer-luecken-dringend-zum-update-2306-175117.html
Zyxel security advisory for pre-authentication command injection vulnerability in NAS products
The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products
IBM Security Bulletins
IBM Storage Protect Server, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect Plus, ICP - IBM Answer Retrieval for Watson Discovery, IBM Watson Speech Services, IBM Robotic Process Automation, IBM dashDB Local, HMC, IBM Operations Analytics Predictive Insights, IBM Cloud Pak for Network Automation, IBM Spectrum Discover, IBM Copy Services Manager, IBM SDK and IBM Maximo.
https://www.ibm.com/support/pages/bulletin/
Security updates for Tuesday
Security updates have been issued by Debian (libxpm and php7.3), Fedora (chromium), Mageia (kernel, kernel-linus, and sysstat), Red Hat (c-ares), SUSE (libwebp), and Ubuntu (cups-filters, libjettison-java, and libsvgpp-dev).
https://lwn.net/Articles/935353/
Enphase Envoy
https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-01
Enphase Installer Toolkit Android App
https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-02
2023-06-20: OXAS-ADV-2023-0002
https://documentation.open-xchange.com/security/advisories/txt/oxas-adv-2023-0002.txt