End-of-Day report
Timeframe: Monday 26-06-2023 18:00 - Tuesday 27-06-2023 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
News
Prominent cryptocurrency exchange infected with previously unseen Mac malware
It's not yet clear how the full-featured JokerSpy backdoor gets installed.
https://arstechnica.com/?p=1950160
New Mockingjay process injection technique evades EDR detection
A new process injection technique named Mockingjay could allow threat actors to bypass EDR (Endpoint Detection and Response) and other security products to stealthily execute malicious code on compromised systems.
https://www.bleepingcomputer.com/news/security/new-mockingjay-process-injection-technique-evades-edr-detection/
The Importance of Malware Triage, (Tue, Jun 27th)
When dealing with malware analysis, you like to get "fresh meat". Just for hunting purposes or when investigating incidents in your organization, it's essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don't need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don't have time to analyze all samples!
https://isc.sans.edu/diary/rss/29984
Smartwatches Are Being Used To Distribute Malware
"Smartwatches are being sent to random military members loaded with malware, much like malware distribution via USB drives in the past," writes longtime Slashdot reader frdmfghtr. "Recipients are advised not to turn them on and report the incident to their local security office."
https://it.slashdot.org/story/23/06/27/0641253/smartwatches-are-being-used-to-distribute-malware
SNAPPY: Detecting Rogue and Fake 802.11 Wireless Access Points Through Fingerprinting Beacon Management Frames
I've found a novel technique to detect both rogue and fake 802.11 wireless access points through fingerprinting Beacon Management Frames, and created a tool to do so, called snap.py (Snappy) - the blog post title doesn't lie!
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/snappy-detecting-rogue-and-fake-80211-wireless-access-points-through-fingerprinting-beacon-management-frames/
New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain
Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems. "The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," [..]
https://thehackernews.com/2023/06/new-ongoing-campaign-targets-npm.html
Anatsa banking Trojan hits UK, US and DACH with new campaign
As of March 2023, ThreatFabric's cyber fraud analysts have been monitoring multiple ongoing Google Play Store dropper campaigns delivering the Android banking Trojan Anatsa, with over 30.000 installations. The threat actors behind this new wave of Anatsa showed interest in new institutions from the US, UK, and DACH region. Our fraud intelligence platform was able to confirm this dangerous malware family adding multiple Android banking apps from these regions as new targets.
https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign
Rowpress: DRAM attack Rowhammer has a younger brother
A new side-channel attack manipulates supposedly protected areas of main memory and works independently of the CPU in use.
https://heise.de/-9199330
Malvertising: A stealthy precursor to infostealers and ransomware attacks
Malvertising, the practice of using online ads to spread malware, can have dire consequences, and the problem only seems to be growing.
https://www.malwarebytes.com/blog/business/2023/06/malvertising-a-stealthy-precursor-to-infostealers-and-ransomware-attacks
"Hello Mum, my phone is broken"
An unknown number writes to you. Supposedly it is your child. The message says that the phone is broken and that this is now the new number. Do not reply; it is a scam. If you write back, criminals will ask you for an urgent bank transfer and you will lose money.
https://www.watchlist-internet.at/news/hallo-mama-mein-handy-ist-kaputt/
Breaking GPT-4 Bad: Check Point Research Exposes How Security Boundaries Can Be Breached as Machines Wrestle with Inner Conflicts
Highlights: Check Point Research examines security and safety aspects of GPT-4 and reveals how limitations can be bypassed. Researchers present a new mechanism dubbed "double bind bypass", colliding GPT-4's internal motivations against itself.
https://blog.checkpoint.com/artificial-intelligence/breaking-gpt-4-bad-check-point-research-exposes-how-security-boundaries-can-be-breached-as-machines-wrestle-with-inner-conflicts/
A technical analysis of the SALTWATER backdoor used in Barracuda 0-day vulnerability (CVE-2023-2868) exploitation
SALTWATER is a backdoor that has been used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon called bsmtpd. The malware hooked the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and [..]
https://cybergeeks.tech/a-technical-analysis-of-the-saltwater-backdoor-used-in-barracuda-0-day-vulnerability-cve-2023-2868-exploitation/
CISA Releases SCuBA TRA and eVRF Guidance Documents
CISA has released several documents as part of the Secure Cloud Business Applications (SCuBA) project:
- The Technical Reference Architecture (TRA) document [..] is [..] a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks.
- The extensible Visibility Reference Framework (eVRF) guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.
https://www.cisa.gov/news-events/alerts/2023/06/27/cisa-releases-scuba-tra-and-evrf-guidance-documents
Vulnerabilities
Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX), and Jetson Nano (including Jetson Nano 2GB) - June 2023
NVIDIA has released a software update for NVIDIA Jetson AGX Xavier series, Jetson Xavier NX, Jetson TX1, Jetson TX2 series (including Jetson TX2 NX), and Jetson Nano devices (including Jetson Nano 2GB) in the NVIDIA JetPack software development kit (SDK). The update addresses security issues that may lead to code execution, denial of service, information disclosure, and loss of integrity.
https://nvidia.custhelp.com/app/answers/detail/a_id/5466
Security Bulletin: NVIDIA GPU Display Driver - June 2023
NVIDIA has released a software security update for NVIDIA GPU Display Driver. This update addresses issues that may lead to code execution, denial of service, escalation of privileges, data tampering, or information disclosure.
https://nvidia.custhelp.com/app/answers/detail/a_id/5468
Web browser: Update for Google Chrome closes high-risk security holes
Google has released an updated version of the Chrome web browser. In the new version the developers close high-risk security holes.
https://heise.de/-9199157
Security updates: Dell BIOS hardened against various attacks
Anyone who owns a Dell computer should bring the BIOS up to date for security reasons.
https://heise.de/-9199274
Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin
On June 5, 2023, our Wordfence Threat Intelligence team identified, and began the responsible disclosure process for, an Arbitrary User Password Change vulnerability in the LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our estimates.
https://www.wordfence.com/blog/2023/06/arbitrary-user-password-change-vulnerability-in-learndash-lms-wordpress-plugin/
Security updates for Tuesday
Security updates have been issued by Debian (c-ares and libx11), Fedora (chromium and kubernetes), Red Hat (python3 and python38:3.8, python38-devel:3.8), and SUSE (amazon-ssm-agent, kernel, kubernetes1.24, libvirt, nodejs16, openssl-1_1, and webkit2gtk3).
https://lwn.net/Articles/936549/
Synology-SA-23:09 Mail Station
Multiple vulnerabilities allow remote attackers to potentially inject SQL commands and inject arbitrary web scripts or HTML via a susceptible version of Mail Station.
https://www.synology.com/en-global/support/security/Synology_SA_23_09
Numerous high-risk vulnerabilities in ILIAS eLearning platform
High-risk vulnerabilities have been identified in the ILIAS eLearning platform which allow an attacker to execute arbitrary code via several attack paths. Firstly, input to an "unserialize" function is not sufficiently filtered; secondly, arbitrary PHP files can be uploaded by bypassing a filter. Furthermore, cross-site scripting attacks can be carried out.
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachstellen-mit-hohem-risiko-in-ilias-elearning-platform/
[R1] Tenable Plugin Feed ID #202306261202 Fixes Privilege Escalation Vulnerability
As a part of Tenable's vulnerability disclosure program, a vulnerability in a Nessus plugin was identified and reported. This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.
https://www.tenable.com/security/tns-2023-21
A vulnerability in the IBM Spectrum Protect Backup-Archive Client on Microsoft Windows Workstation operating systems can lead to local user escalated privileges (CVE-2023-28956)
https://www.ibm.com/support/pages/node/7005519
Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management
https://www.ibm.com/support/pages/node/7007069
A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Configuration Manager (CVE-2022-21426).
https://www.ibm.com/support/pages/node/7007317
A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2022-39161)
https://www.ibm.com/support/pages/node/7007313
A security vulnerability has been identified in embedded IBM WebSphere Application Server which is shipped with IBM Tivoli Netcool Configuration Manager (CVE-2022-39161)
https://www.ibm.com/support/pages/node/7007315
Vulnerability in Spring Security affects IBM Process Mining. Multiple CVEs
https://www.ibm.com/support/pages/node/7007351
Vulnerability in Spring Security affects IBM Process Mining. CVE-2022-22978
https://www.ibm.com/support/pages/node/7007363
Vulnerability in Spring Security affects IBM Process Mining. CVE-2021-22119
https://www.ibm.com/support/pages/node/7007359
Vulnerability in Pallets Flask affects IBM Process Mining. CVE-2023-30861
https://www.ibm.com/support/pages/node/7007345
Vulnerability in Spring Boot affects IBM Process Mining. CVE-2023-20883
https://www.ibm.com/support/pages/node/7007349
Vulnerability in netplex json-smart affects IBM Process Mining. CVE-2023-1370
https://www.ibm.com/support/pages/node/7007357
Vulnerability in Spring Framework affects IBM Process Mining. CVE-2023-20863
https://www.ibm.com/support/pages/node/7007365
A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Configuration Manager (CVE-2023-21830, CVE-2023-21843).
https://www.ibm.com/support/pages/node/7007353
A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7007355
IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-32695]
https://www.ibm.com/support/pages/node/7007367
Vulnerability in Spring Security affects IBM Process Mining. CVE-2023-20862
https://www.ibm.com/support/pages/node/7007371
Vulnerability in Spring Framework affects IBM Process Mining. CVE-2023-20873
https://www.ibm.com/support/pages/node/7007373
Vulnerability in Apache Tomcat affects IBM Process Mining. Multiple CVEs
https://www.ibm.com/support/pages/node/7007375
CVE-2022-21426 may affect JAXP component in Java SE used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint
https://www.ibm.com/support/pages/node/7007387
A vulnerability has been identified in IBM Storage Scale System which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927)
https://www.ibm.com/support/pages/node/7007405
Hitachi Energy FOXMAN-UN and UNEM Products
https://www.cisa.gov/news-events/ics-advisories/icsa-23-178-01