End-of-Day report
Timeframe: Thursday 29-06-2023 18:00 - Friday 30-06-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Torrent of image-based phishing emails are harder to detect and more convincing
The arms race between scammers and defenders continues.
https://arstechnica.com/?p=1951208
Spamdexing: What is SEO Spam & How to Remove It
Ever had an uninvited guest crash your party, resulting in chaos, confusion, and some unhappy visitors? Well, SEO spam is that party crasher - just for websites. Why should you care, you ask? Well, just imagine your meticulously crafted website content being replaced with unsolicited ads for services and products that would make your grandma blush. Or even worse, your loyal site visitors being redirected to shady third party websites. Not the picture of ideal user experience,
https://blog.sucuri.net/2023/06/spamdexing-what-is-seo-spam.html
Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign
An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. "This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," Akamai researcher Allen West said [...]
https://thehackernews.com/2023/06/cybercriminals-hijacking-vulnerable-ssh.html
It's 2023 and memory overwrite bugs are not just a thing, they're still number one
Cough, cough, use Rust. Plus: Eight more exploited bugs added to CISA's must-patch list. The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US government's list of known vulnerabilities that are under active attack and need to be patched, we note.
https://go.theregister.com/feed/www.theregister.com/2023/06/29/cwe_top_25_2023/
Router malware: current Mirai botnet campaign attacks many vulnerabilities
The Mirai botnet remains active. In a current campaign, its operators exploit numerous security vulnerabilities to infect various internet routers.
https://heise.de/-9203406
200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in "Ultimate Member" Plugin
Attackers exploit critical vulnerability in the Ultimate Member plugin to create administrative accounts on WordPress websites.
https://www.securityweek.com/200000-wordpress-sites-exposed-to-attacks-exploiting-flaw-in-ultimate-member-plugin/
New browser-based social engineering trends
Report from WatchGuard Threat Lab: attackers are using new ways to trick users browsing the internet.
https://www.zdnet.de/88410262/neue-browserbasierte-social-engineering-trends/
Malware Execution Method Using DNS TXT Record
AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware. This is considered meaningful from various perspectives, including analysis and detection as this method has not been widely utilized as a means of executing malware.
https://asec.ahnlab.com/en/54916/
Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.
https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html
Decrypted: Akira Ransomware
Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.
https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/
Vulnerabilities
Security updates for Friday
Security updates have been issued by Debian (docker-registry, flask, systemd, and trafficserver), Fedora (moodle, python-reportlab, suricata, and vim), Red Hat (go-toolset and golang, go-toolset-1.19 and go-toolset-1.19-golang, go-toolset:rhel8, open-vm-tools, python27:2.7, and python3), SUSE (buildah, chromium, gifsicle, libjxl, sqlite3, and xonotic), and Ubuntu (linux, linux-allwinner, linux-allwinner-5.19, linux-aws, linux-aws-5.19, linux-azure, linux-gcp, linux-gcp-5.19, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux-starfive-5.19, linux, linux-aws, linux-aws-5.15, linux-aws-5.4, linux-azure, linux-azure-5.15, linux-azure-5.4, linux-azure-fde-5.15, linux-bluefield, linux-gcp, linux-gcp-5.15, linux-gcp-5.4, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and linux-oem-6.1).
https://lwn.net/Articles/936949/
Nessus Network Monitor 6.2.2 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2023-23
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/