Daily summary - 21.06.2023

End-of-Day report

Timeframe: Tuesday 20-06-2023 18:00 - Wednesday 21-06-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Security updates: Attackers can target Zyxel NAS devices

Updated firmware versions for various Zyxel NAS models close a critical vulnerability.

https://heise.de/-9193271


Targeted attacks on iPhones: New details on spyware

The iPhone spyware arrives via iMessage and, according to an analysis, can among other things manipulate files and track the device's location. Macs may also be among the targets.

https://heise.de/-9193906


VMware Aria: Attacks on critical security vulnerability - install the update!

VMware has updated its security advisory for a critical vulnerability in the monitoring software Aria Operations. According to the advisory, it is being actively exploited.

https://heise.de/-9193354


Help, criminals are imitating my phone number for fraudulent calls!

That criminals also like to reach for the phone to defraud people is probably well known. However, they frequently rely on "spoofing", so that the number displayed to the person called is not the actual number behind the scam call. More and more often, people turn to us whose number is being simulated and used for spam calls, because they constantly receive callbacks from annoyed people, [...]

https://www.watchlist-internet.at/news/hilfe-kriminelle-imitieren-meine-telefonnummer-fuer-betruegerische-anrufe/


Microsoft fixes Azure AD auth flaw enabling account takeover

Microsoft has addressed an Azure Active Directory (Azure AD) authentication flaw that could allow threat actors to escalate privileges and potentially fully take over the target's account.

https://www.bleepingcomputer.com/news/security/microsoft-fixes-azure-ad-auth-flaw-enabling-account-takeover/


New Condi malware builds DDoS botnet out of TP-Link AX21 routers

A new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.

https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddos-botnet-out-of-tp-link-ax21-routers/


Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites

Two critical-severity authentication bypass vulnerabilities in WordPress plugins with tens of thousands of installations.

https://www.securityweek.com/critical-wordpress-plugin-vulnerabilities-impact-thousands-of-sites/


Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws

Enphase Energy has ignored CISA requests to fix remotely exploitable vulnerabilities in Enphase products.

https://www.securityweek.com/enphase-ignores-cisa-request-to-fix-remotely-exploitable-flaws/


Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries

Backdoor leverages Microsoft Graph API for C&C communication.

https://symantec-enterprise-blogs.security.com/threat-intelligence/flea-backdoor-microsoft-graph-apt15


Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox)

AhnLab Security Emergency response Center (ASEC) has recently discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that has been discovered so far are Remcos RAT and Mallox. The distributions include cases that use PowerShell and sqlps.

https://asec.ahnlab.com/en/54704/


AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice

While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass.

https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/


MOVEIt Vulnerability: A Painful Reminder That Threat Actors Aren't the Only Ones Responsible for a Data Breach

The MOVEIt data breach continues to impact a number of both private and government groups across the US and Europe by exposing confidential data. With breaches like this becoming increasingly common, it can be easy to blame advanced persistent threat (APT) groups and other malicious actors; however, there is a valuable lesson to learn from the MOVEit breach: it is essential to be proactive about these threats. Not doing so may lead to a breach. I've put together this blog post as a reminder that security organizations, and quite frankly, boards and executive leadership, should view internal security threats just as seriously as external ones when it comes time to protecting their organization's sensitive information.

https://www.safebreach.com/moveit-vulnerability-a-painful-reminder-that-threat-actors-arent-the-only-ones-responsible-for-a-data-breach/


Gaps in Azure Service Fabric's Security Call for User Vigilance

In this blog post, we discuss different configuration scenarios that may lead to security issues with Azure Service Fabric, a distributed platform for deploying, managing, and scaling microservices and container applications.

https://www.trendmicro.com/en_us/research/23/f/gaps-in-azure-service-fabric-s-security-call-for-user-vigilance.html


GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking

Millions of GitHub repositories are potentially vulnerable to RepoJacking. New research by Aqua Nautilus sheds light on the extent of RepoJacking, which if exploited may lead to code execution on organizations' internal environments or on their customers' environments. As part of our research, we found an enormous source of data that allowed us to sample a dataset and find some highly popular targets.

https://blog.aquasec.com/github-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking

Vulnerabilities

Heap-based buffer over-read in Autodesk® Desktop Licensing Service

Autodesk® Desktop Licensing Installer has been affected by privilege escalation vulnerabilities. Exploitation of these vulnerabilities could lead to code execution due to weak permissions.

https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0011


Security updates for Wednesday

Security updates have been issued by Debian (libfastjson, libx11, opensc, python-mechanize, and wordpress), SUSE (salt and terraform-provider-helm), and Ubuntu (firefox, libx11, pngcheck, python-werkzeug, ruby3.1, and vlc).

https://lwn.net/Articles/935552/


K000135122 : Linux kernel vulnerability CVE-2023-0461

https://my.f5.com/manage/s/article/K000135122


Multiple vulnerabilities in OpenJDK affecting Rational Functional Tester

https://www.ibm.com/support/pages/node/7005601


IBM Storage Protect is vulnerable to a denial of service attack due to Google Gson (CVE-2022-25647)

https://www.ibm.com/support/pages/node/7005605


Multiple vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server January 2023 CPU that is bundled with IBM WebSphere Application Server Patterns

https://www.ibm.com/support/pages/node/7005623


Python Cryptographic Authority cryptography is vulnerable to IBM X-Force ID: 239927 used in IBM Maximo Application Suite

https://www.ibm.com/support/pages/node/7005639


There is a vulnerability in Apache Commons BCEL used by IBM Maximo Asset Management (CVE-2022-42920)

https://www.ibm.com/support/pages/node/6991671


IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874)

https://www.ibm.com/support/pages/node/6964694


Multiple Vulnerabilities in IBM Java SDK affect Cloud Pak System (CVE-2023-21830, CVE-2023-21843)

https://www.ibm.com/support/pages/node/7005573


Vulnerability in Apache Tomcat Server (CVE-2023-28709) affects Power HMC

https://www.ibm.com/support/pages/node/7005499


IBM Operational Decision Manager June 2023 - Multiple CVEs

https://www.ibm.com/support/pages/node/7005851


Operations Dashboard is vulnerable to multiple vulnerabilities in Golang

https://www.ibm.com/support/pages/node/7005869


SnakeYaml is vulnerable to CVE-2022-1471 used by IBM Maximo Application Suite

https://www.ibm.com/support/pages/node/7005873


A security vulnerability has been identified in FasterXML jackson-databind shipped with IBM Tivoli Netcool Impact (CVE-2021-46877)

https://www.ibm.com/support/pages/node/7005907