Daily summary - 27.06.2023

End-of-Day report

Timeframe: Monday 26-06-2023 18:00 - Tuesday 27-06-2023 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner

News

Prominent cryptocurrency exchange infected with previously unseen Mac malware

It's not yet clear how the full-featured JokerSpy backdoor gets installed.

https://arstechnica.com/?p=1950160


New Mockingjay process injection technique evades EDR detection

A new process injection technique named Mockingjay could allow threat actors to bypass EDR (Endpoint Detection and Response) and other security products to stealthily execute malicious code on compromised systems.

https://www.bleepingcomputer.com/news/security/new-mockingjay-process-injection-technique-evades-edr-detection/


The Importance of Malware Triage, (Tue, Jun 27th)

When dealing with malware analysis, you like to get "fresh meat". Just for hunting purposes or when investigating incidents in your organization, it's essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don't need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don't have time to analyze all samples!

https://isc.sans.edu/diary/rss/29984


Smartwatches Are Being Used To Distribute Malware

"Smartwatches are being sent to random military members loaded with malware, much like malware distribution via USB drives in the past," writes longtime Slashdot reader frdmfghtr. "Recipients are advised not to turn them on and report the incident to their local security office."

https://it.slashdot.org/story/23/06/27/0641253/smartwatches-are-being-used-to-distribute-malware


SNAPPY: Detecting Rogue and Fake 802.11 Wireless Access Points Through Fingerprinting Beacon Management Frames

I've found a novel technique to detect both rogue and fake 802.11 wireless access points through fingerprinting Beacon Management Frames, and created a tool to do so, called snap.py (Snappy) - the blog post title doesn't lie!

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/snappy-detecting-rogue-and-fake-80211-wireless-access-points-through-fingerprinting-beacon-management-frames/


New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain

Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems. "The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," [..]

https://thehackernews.com/2023/06/new-ongoing-campaign-targets-npm.html


Anatsa banking Trojan hits UK, US and DACH with new campaign

As of March 2023, ThreatFabric's cyber fraud analysts have been monitoring multiple ongoing Google Play Store dropper campaigns delivering the Android banking Trojan Anatsa, with over 30.000 installations. The threat actors behind this new wave of Anatsa showed interest in new institutions from the US, UK, and DACH region. Our fraud intelligence platform was able to confirm this dangerous malware family adding multiple Android banking apps from these regions as new targets.

https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign


Rowpress: DRAM attack Rowhammer has a younger brother

A new side-channel attack manipulates supposedly protected areas of main memory and works independently of the CPU in use.

https://heise.de/-9199330


Malvertising: A stealthy precursor to infostealers and ransomware attacks

Malvertising, the practice of using online ads to spread malware, can have dire consequences, and the problem only seems to be growing.

https://www.malwarebytes.com/blog/business/2023/06/malvertising-a-stealthy-precursor-to-infostealers-and-ransomware-attacks


"Hallo Mama, mein Handy ist kaputt" ("Hi Mum, my phone is broken")

An unknown number messages you, claiming to be your child. The message says the phone is broken and that this is now the new number. Do not reply: this is a scam. If you write back, criminals ask you for an urgent bank transfer and you lose money.

https://www.watchlist-internet.at/news/hallo-mama-mein-handy-ist-kaputt/


Breaking GPT-4 Bad: Check Point Research Exposes How Security Boundaries Can Be Breached as Machines Wrestle with Inner Conflicts

Highlights: Check Point Research examines security and safety aspects of GPT-4 and reveals how limitations can be bypassed. Researchers present a new mechanism dubbed "double bind bypass", colliding GPT-4's internal motivations against itself.

https://blog.checkpoint.com/artificial-intelligence/breaking-gpt-4-bad-check-point-research-exposes-how-security-boundaries-can-be-breached-as-machines-wrestle-with-inner-conflicts/


A technical analysis of the SALTWATER backdoor used in Barracuda 0-day vulnerability (CVE-2023-2868) exploitation

SALTWATER is a backdoor that has been used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon called bsmtpd. The malware hooked the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and [..]

https://cybergeeks.tech/a-technical-analysis-of-the-saltwater-backdoor-used-in-barracuda-0-day-vulnerability-cve-2023-2868-exploitation/


CISA Releases SCuBA TRA and eVRF Guidance Documents

CISA has released several documents as part of the Secure Cloud Business Applications (SCuBA) project:
- The Technical Reference Architecture (TRA) document [..] is [..] a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks.
- The extensible Visibility Reference Framework (eVRF) guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.

https://www.cisa.gov/news-events/alerts/2023/06/27/cisa-releases-scuba-tra-and-evrf-guidance-documents

Vulnerabilities

Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX), and Jetson Nano (including Jetson Nano 2GB) - June 2023

NVIDIA has released a software update for NVIDIA Jetson AGX Xavier series, Jetson Xavier NX, Jetson TX1, Jetson TX2 series (including Jetson TX2 NX), and Jetson Nano devices (including Jetson Nano 2GB) in the NVIDIA JetPack software development kit (SDK). The update addresses security issues that may lead to code execution, denial of service, information disclosure, and loss of integrity.

https://nvidia.custhelp.com/app/answers/detail/a_id/5466


Security Bulletin: NVIDIA GPU Display Driver - June 2023

NVIDIA has released a software security update for NVIDIA GPU Display Driver. This update addresses issues that may lead to code execution, denial of service, escalation of privileges, data tampering, or information disclosure.

https://nvidia.custhelp.com/app/answers/detail/a_id/5468


Web browser: Google Chrome update closes high-risk security holes

Google has released an updated version of the Chrome web browser. In the new version, the developers close high-risk security holes.

https://heise.de/-9199157


Security updates: Dell BIOS hardened against various attacks

Anyone who owns a Dell computer should bring the BIOS up to date for security reasons.

https://heise.de/-9199274


Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin

On June 5, 2023, our Wordfence Threat Intelligence team identified, and began the responsible disclosure process, for an Arbitrary User Password Change vulnerability in LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our estimates.

https://www.wordfence.com/blog/2023/06/arbitrary-user-password-change-vulnerability-in-learndash-lms-wordpress-plugin/


Security updates for Tuesday

Security updates have been issued by Debian (c-ares and libx11), Fedora (chromium and kubernetes), Red Hat (python3 and python38:3.8, python38-devel:3.8), and SUSE (amazon-ssm-agent, kernel, kubernetes1.24, libvirt, nodejs16, openssl-1_1, and webkit2gtk3).

https://lwn.net/Articles/936549/


Synology-SA-23:09 Mail Station

Multiple vulnerabilities allow remote attackers to potentially inject SQL commands and inject arbitrary web scripts or HTML via a susceptible version of Mail Station.

https://www.synology.com/en-global/support/security/Synology_SA_23_09


Numerous high-risk vulnerabilities in ILIAS eLearning platform

High-risk vulnerabilities have been identified in the ILIAS eLearning platform that allow an attacker to execute arbitrary code via several attack paths. First, input to an "unserialize" function is not sufficiently filtered; second, arbitrary PHP files can be uploaded by bypassing a filter. Furthermore, cross-site scripting attacks can be carried out.

https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachstellen-mit-hohem-risiko-in-ilias-elearning-platform/


[R1] Tenable Plugin Feed ID #202306261202 Fixes Privilege Escalation Vulnerability

As a part of Tenable's vulnerability disclosure program, a vulnerability in a Nessus plugin was identified and reported. This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.

https://www.tenable.com/security/tns-2023-21


A vulnerability in the IBM Spectrum Protect Backup-Archive Client on Microsoft Windows Workstation operating systems can lead to local user escalated privileges (CVE-2023-28956)

https://www.ibm.com/support/pages/node/7005519


Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management

https://www.ibm.com/support/pages/node/7007069


A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Configuration Manager (CVE-2022-21426).

https://www.ibm.com/support/pages/node/7007317


A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2022-39161)

https://www.ibm.com/support/pages/node/7007313


A security vulnerability has been identified in embedded IBM WebSphere Application Server which is shipped with IBM Tivoli Netcool Configuration Manager (CVE-2022-39161)

https://www.ibm.com/support/pages/node/7007315


Vulnerability in Spring Security affects IBM Process Mining. Multiple CVEs

https://www.ibm.com/support/pages/node/7007351


Vulnerability in Spring Security affects IBM Process Mining. CVE-2022-22978

https://www.ibm.com/support/pages/node/7007363


Vulnerability in Spring Security affects IBM Process Mining. CVE-2021-22119

https://www.ibm.com/support/pages/node/7007359


Vulnerability in Pallets Flask affects IBM Process Mining. CVE-2023-30861

https://www.ibm.com/support/pages/node/7007345


Vulnerability in Spring Boot affects IBM Process Mining. CVE-2023-20883

https://www.ibm.com/support/pages/node/7007349


Vulnerability in netplex json-smart affects IBM Process Mining. CVE-2023-1370

https://www.ibm.com/support/pages/node/7007357


Vulnerability in Spring Framework affects IBM Process Mining. CVE-2023-20863

https://www.ibm.com/support/pages/node/7007365


A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Configuration Manager (CVE-2023-21830, CVE-2023-21843).

https://www.ibm.com/support/pages/node/7007353


A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2023-24998)

https://www.ibm.com/support/pages/node/7007355


IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-32695]

https://www.ibm.com/support/pages/node/7007367


Vulnerability in Spring Security affects IBM Process Mining. CVE-2023-20862

https://www.ibm.com/support/pages/node/7007371


Vulnerability in Spring Framework affects IBM Process Mining. CVE-2023-20873

https://www.ibm.com/support/pages/node/7007373


Vulnerability in Apache Tomcat affects IBM Process Mining. Multiple CVEs

https://www.ibm.com/support/pages/node/7007375


CVE-2022-21426 may affect JAXP component in Java SE used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint

https://www.ibm.com/support/pages/node/7007387


A vulnerability has been identified in IBM Storage Scale System which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927)

https://www.ibm.com/support/pages/node/7007405


Hitachi Energy FOXMAN-UN and UNEM Products

https://www.cisa.gov/news-events/ics-advisories/icsa-23-178-01