Daily Summary - 28.06.2023

End-of-Day report

Timeframe: Tuesday 27-06-2023 18:00 - Wednesday 28-06-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer

News

Andariel's silly mistakes and a new malware family

In this crimeware report, Kaspersky researchers provide insights into Andariel's activity targeting organizations: clumsy commands executed manually, off-the-shelf tools and EasyRat malware.

https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/


Warning: JavaScript registry npm vulnerable to manifest confusion abuse

Failure to match metadata with packaged files is perfect for supply chain attacks. The npm Public Registry, a database of JavaScript packages, fails to compare npm package manifest data with the archive of files that data describes, creating an opportunity for the installation and execution of malicious files.

https://go.theregister.com/feed/www.theregister.com/2023/06/27/javascript_registry_npm_vulnerable/


Black Basta Ransomware

What is Black Basta Ransomware? Black Basta is a threat group that provides ransomware-as-a-service (RaaS). The service is maintained by dedicated developers and is a highly efficient and professionally run operation; there's a TOR website that provides a victim login portal, a chat room, and a wall of companies' names whose data has been leaked.

https://www.pentestpartners.com/security-blog/black-basta-ransomware/


Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor

Manic Menagerie 2.0 is a campaign deploying coin miners and web shells, among other tactics. Hijacked machines could be used as C2 for further operations.

https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/


Charming Kitten Updates POWERSTAR with an InterPlanetary Twist

Volexity works with many individuals and organizations often subjected to sophisticated and highly targeted spear-phishing campaigns from a variety of nation-state-level threat actors. In the last few years, Volexity has observed threat actors dramatically increase the level of effort they put into compromising credentials or systems of individual targets.

https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/


Hackers Hiding DcRAT Malware in Fake OnlyFans Content

A malicious campaign targeting smartphone users has been uncovered, utilizing fake OnlyFans content to distribute a dangerous Remote Access Trojan (RAT) known as DcRAT malware.

https://www.hackread.com/hackers-dcrat-malware-fake-onlyfans-content/


Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer.

https://www.hackread.com/thirdeye-infostealer-windows-devices/

Vulnerabilities

Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution

Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems.

https://thehackernews.com/2023/06/critical-sql-injection-flaws-expose.html


App Bypass and Other Vulnerabilities in the Boomerang Parental Control App

The child-monitoring app "Boomerang" by National Education Technologies is affected by high-risk vulnerabilities. Attackers can create a local ADB backup through which access to API tokens can be obtained. This allows an attacker to perform privilege escalation or cross-site scripting in the parents' web dashboard. Furthermore, children can easily bypass the restrictions set by their parents.

https://sec-consult.com/de/vulnerability-lab/advisory/app-bypass-und-andere-schwachstellen-in-boomerang-parental-control-app/


Nvidia: Driver Update Closes Code Execution Vulnerabilities

Nvidia's graphics card drivers for Linux and Windows contain high-risk security vulnerabilities. The vendor is now shipping updates to close the holes.

https://heise.de/-9200904


Security updates for Wednesday

Security updates have been issued by Mageia (docker-docker-registry, libcap, libx11, mediawiki, python-requests, python-tornado, sofia-sip, sqlite, and xonotic), Red Hat (kernel, kernel-rt, kpatch-patch, libssh, libtiff, python27:2.7, python39:3.9, python39-devel:3.9, ruby:2.7, sqlite, systemd, and virt:rhel, virt-devel:rhel), SUSE (bind, cosign, guile1, lilypond, keepass, kubernetes1.24, nodejs16, nodejs18, phpMyAdmin, and sqlite3), and Ubuntu (etcd).

https://lwn.net/Articles/936671/


IBM Security Bulletins

IBM App Connect Enterprise, IBM Security Guardium, CloudPak for Watson, IBM MQ, IBM Maximo Manage application, IBM TXSeries, IBM CICS TX, IBM Cloud Object Storage Systems, IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manager, IBM Informix JDBC Driver, IBM i, IBM Tivoli Netcool Impact, IBM Robotic Process Automation, IBM WebSphere Application Server and FileNet Content Manager.

https://www.ibm.com/support/pages/bulletin/


Path Traversal / Cross-Site Scripting in the Gira KNX IP Router (SYSS-2023-015/-016)

The web interface of the Gira KNX IP Router allows path traversal (access to system files) and is vulnerable to cross-site scripting attacks.

https://www.syss.de/pentest-blog/path-traversal-/-cross-site-scripting-im-gira-knx-ip-router-syss-2023-015/-016


Information Disclosure Vulnerability in Bosch IP cameras

https://psirt.bosch.com/security-advisories/bosch-sa-839739-bt.html