Daily summary - 07.07.2023

End-of-Day report

Timeframe: Thursday 06-07-2023 18:00 - Friday 07-07-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a

News

Google Play apps with 1.5 million installs send your data to China

Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data, going well beyond what's needed to offer the promised functionality. [..] File Recovery and Data Recovery, identified as "com.spot.music.filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000, and it can be identified on devices as "com.file.box.master.gkd."

https://www.bleepingcomputer.com/news/security/google-play-apps-with-15-million-installs-send-your-data-to-china/


Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.

https://thehackernews.com/2023/07/iranian-hackers-sophisticated-malware.html


BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days

Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it.

https://thehackernews.com/2023/07/blackbyte-20-ransomware-infiltrate.html


StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability

A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges.

https://github.com/lrh2000/StackRot


You are supposed to receive a "refund from the social fund"? Ignore this SMS!

Our readers are currently reporting SMS messages sent in the name of the "state". Supposedly you are to receive a "refund from the social fund". Warning, phishing alert! Delete the SMS and under no circumstances enter your bank account details.

https://www.watchlist-internet.at/news/sie-sollen-eine-erstattung-aus-dem-sozialfonds-erhalten-ignorieren-sie-diese-sms/


A Network of SOCs?

I wrote most of this text quickly in January 2021 when the European Commission asked me to apply my lessons learned from the CSIRTs Network to a potential European Network of SOCs. During 2022, the plans for SOC collaboration have been toned down a bit; the DIGITAL Europe funding scheme proposes multiple platforms where SOCs can work together. In 2023, the newly proposed "Cyber Solidarity Act" builds upon this and codifies the concept of a "national SOC" and "cross-border SOC platforms" into an EU regulation.

https://cert.at/en/blog/2023/7/a-network-of-socs


Cyber extortionists: Ransomware group BianLian drops encryption

The operators are concentrating on data exfiltration. They are reacting to the release of a free decryption tool for the BianLian ransomware.

https://www.zdnet.de/88410380/cybererpresser-ransomware-gruppe-bianlian-verzichtet-auf-verschluesselung/


CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), "Increased Truebot Activity Infects U.S. and Canada Based Networks", to help organizations detect and protect against newly identified Truebot malware variants.

https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-and-partners-release-joint-cybersecurity-advisory-newly-identified-truebot-malware-variants

Vulnerabilities

Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities

Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks.

https://thehackernews.com/2023/07/google-releases-android-patch-update.html


Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460, [..]

https://thehackernews.com/2023/07/mastodon-social-network-patches.html


CISA Releases Three Industrial Control Systems Advisories

* ICSA-23-187-01 PiiGAB M-Bus
* ICSA-23-187-02 ABUS TVIP
* ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module (Update A)

https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-releases-three-industrial-control-systems-advisories


VMSA-2023-0015

CVSSv3 Range: 5.3
CVE(s): CVE-2023-20899
VMware SD-WAN contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors: An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management.

https://www.vmware.com/security/advisories/VMSA-2023-0015.html


Security updates for Friday

Security updates have been issued by Debian (debian-archive-keyring, libusrsctp, nsis, ruby-redcloth, and webkit2gtk), Fedora (firefox), Mageia (apache-ivy, cups, curaengine, glances, golang, keepass, libreoffice, minidlna, nodejs, opensc, perl-DBD-SQLite, python-setuptools, python-wheel, skopeo/buildah/podman, systemd, testng, and webkit2), SUSE (bind), and Ubuntu (Gerbv, golang-websocket, linux-gke, linux-intel-iotg, and linux-oem-5.17).

https://lwn.net/Articles/937616/


[R1] Nessus Agent Version 10.4.1 Fixes Multiple Vulnerabilities

Nessus Agent leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues.

https://www.tenable.com/security/tns-2023-24


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/