End-of-Day report
Timeframe: Wednesday 28-06-2023 18:00 - Thursday 29-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
Linux version of Akira ransomware targets VMware ESXi servers
The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide.
https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/
Exploit released for new Arcserve UDP auth bypass vulnerability
Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges.
https://www.bleepingcomputer.com/news/security/exploit-released-for-new-arcserve-udp-auth-bypass-vulnerability/
Security Baseline for M365 Apps for enterprise v2306
Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2306.
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702
GuLoader- or DBatLoader/ModiLoader-style infection for Remcos RAT, (Thu, Jun 29th)
On Monday 2023-06-26, I received an email in one of my honeypot accounts, and the email led to a loader-based infection for Remcos RAT. The loader seems to be a GuLoader- or ModiLoader (DBatLoader)-style malware, but it's not like the GuLoader or ModiLoader samples I've run across so far.
https://isc.sans.edu/diary/rss/29990
Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes
Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse. The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week.
https://thehackernews.com/2023/06/fluhorse-flutter-based-android-malware.html
Finding Gadgets for CPU Side-Channels with Static Analysis Tools
We have recently begun research on using static analysis tools to find Spectre-v1 gadgets. During this research, we discovered two gadgets, one in do_prlimit (CVE-2023-0458) and one in copy_from_user (CVE-2023-0459). In this writeup, we explain these issues and how we found them.
https://github.com/google/security-research/blob/master/pocs/cpus/spectre-gadgets/README.md
Responsible disclosure of an exploit chain targeting the implementation of the RFC interface in the SAP Application Server for ABAP
In an independent analysis of the server-side implementation of the proprietary Remote Function Call (RFC) interface in SAP NetWeaver Application Server ABAP and ABAP Platform (both referred to below as AS ABAP), Fabian Hagg, security researcher at the SEC Consult Vulnerability Lab and SAP security expert, identified a number of serious implementation and design flaws.
https://sec-consult.com/de/blog/detail/verantwortungsvolle-veroeffentlichung-einer-exploit-kette-die-auf-die-implementierung-der-rfc-schnittstelle-im-sap-application-server-fuer-abap-abzielt/
What you can do when criminals copy your online shop
Fake shops offer brand-name products on the internet at rock-bottom prices. Criminals simply clone the genuine websites, so that the fake is often not apparent at first glance. We show you what you can do if your online shop is affected and how you can protect your customers.
https://www.watchlist-internet.at/news/das-koennen-sie-tun-wenn-kriminelle-ihren-online-shop-kopieren/
CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments
Recognizing the various types of security threats that could affect CI/CD operations and taking steps to defend against each one is critical in securing a CI/CD environment. Organizations will find in this guide a list of common risks found in CI/CD pipelines and attack surfaces that could be exploited and threaten network security.
https://www.cisa.gov/news-events/alerts/2023/06/28/cisa-and-nsa-release-joint-guidance-defending-continuous-integrationcontinuous-delivery-cicd
Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts
In Mandiant's initial publication of this vulnerability, we covered the attackers' exploitation of CVE-2023-20867, the harvesting of ESXi service account credentials on vCenter machines, and the implications of backdoor communications over VMCI socket. In this blog post, we will focus on the artifacts, logging options, and hardening steps to detect and prevent the following tactics and techniques seen being used by UNC3886.
https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening
Introducing KBOM - Kubernetes Bill of Materials
SBOM (Software Bill of Materials) is an accepted best practice to map the components and dependencies of your applications in order to better understand your applications' risks. SBOMs are used as a basis for vulnerability assessment, licensing compliance, and more. There are plenty of available tools, such as Aqua Trivy, that help you easily generate an SBOM for your applications.
https://blog.aquasec.com/introducing-kbom-kubernetes-bill-of-materials
Vulnerabilities
Drupal Security advisories 2023-06-28
Drupal released 7 new security advisories. (1x Critical, 5x Moderately Critical, 1x Less Critical)
https://www.drupal.org/security
Security updates for Thursday
Security updates have been issued by Debian (chromium and maradns), SUSE (iniparser, kubernetes1.23, python-reportlab, and python-sqlparse), and Ubuntu (accountsservice and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon).
https://lwn.net/Articles/936752/
IBM Security Bulletins
AIX, IBM QRadar SIEM, WebSphere Application Server, IBM Security SOAR, IBM Cloud Pak, CICS, IBM SDK, IBM Tivoli, FileNet Content Manager, Db2 Graph, IBM OpenPages and IBM Semeru Runtime.
https://www.ibm.com/support/pages/bulletin/
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0005
https://webkitgtk.org/security/WSA-2023-0005.html
F5: K000135262 : Apache Tomcat vulnerability CVE-2023-28709
https://my.f5.com/manage/s/article/K000135262
Stable Channel Update for ChromeOS/ChromeOS Flex
http://chromereleases.googleblog.com/2023/06/stable-channel-update-for_28.html
[R1] Nessus Version 10.5.3 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2023-22
Delta Electronics InfraSuite Device Master
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-01
Ovarro TBox RTUs
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03
Mitsubishi Electric MELSEC-F Series
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-04
Medtronic Paceart Optima System
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-180-01