Daily summary - 18.07.2023

End-of-Day report

Timeframe: Monday 17-07-2023 18:00 - Tuesday 18-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer

News

FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks

The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities.

https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html


Uncovering drIBAN fraud operations. Chapter 3: Exploring the drIBAN web inject kit

So far, we have discussed the malspam campaign that started spreading sLoad. Then, we discovered that sLoad is a dropper for Ramnit [..] After that, we also described Ramnit's capabilities, focusing mainly on its injection and persistence techniques. As a final step, we will discuss drIBAN, a sophisticated and modular web-inject kit that can hide resources, masquerade its presence, and perform large-scale ATS attacks.

https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter-3


WordPress: wave of attacks on WooCommerce Payments currently underway

Security researchers at Wordfence are observing a wave of attacks on the WooCommerce Payments plug-in. It is installed on more than 600,000 websites.

https://heise.de/-9219114


JavaScript sandbox vm2: new critical vulnerability, no further updates

There is no bug fix for the latest critical security vulnerability in the open-source project vm2; instead, the maintainer recommends switching to isolated-vm.

https://heise.de/-9219087


Selling on Shpock: beware if you have to "confirm" the purchase amount in your banking app

You are selling something on Shpock. Someone immediately gets in touch and wants to buy it. At the same time, you receive an e-mail from "TeamShpock" informing you that the item has been paid for and that you can request the money. You are linked to a "payout page". Beware: this approach is fraud. We show you how the scam works and how to sell safely on Shpock!

https://www.watchlist-internet.at/news/verkaufen-auf-shpock-vorsicht-wenn-sie-den-kaufbetrag-in-ihrer-banking-app-bestaetigen-muessen/


NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing

This guidance, created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA, presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry-recognized practices for the design, deployment, operation, and maintenance of hardened 5G standalone network slices.

https://www.cisa.gov/news-events/alerts/2023/07/17/nsa-cisa-release-guidance-security-considerations-5g-network-slicing

Vulnerabilities

Role-based Access Control and Privilege Management in OpenEdge Management (OEM) and in OpenEdge Explorer (OEE) (CVE-2023-34203)

Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. Non-admin role members were able to obtain unauthorized escalation to admin role privileges where unrestricted OEM and OEE capabilities were available to the user.

https://community.progress.com/s/article/Role-based-Access-Control-and-Privilege-Management-in-OEM


Bad.Build: A Critical Privilege Escalation Design Flaw in Google Cloud Build Enables a Supply Chain Attack

The flaw presents a significant supply chain risk since it allows attackers to maliciously tamper with application images, which can then infect users and customers when they install the application. [..] Orca Security immediately reported the findings to the Google Security Team, who investigated the issue and deployed a partial fix. However, Google's fix doesn't revoke the discovered Privilege Escalation (PE) vector. It only limits it - turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk.

https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability/


Security updates for Tuesday

Security updates have been issued by Fedora (java-1.8.0-openjdk), Red Hat (bind, bind9.16, curl, edk2, java-1.8.0-ibm, kernel, kernel-rt, and kpatch-patch), SUSE (iniparser, installation-images, java-1_8_0-ibm, kernel, libqt5-qtbase, nodejs16, openvswitch, and ucode-intel), and Ubuntu (linux-oem-6.0 and linux-xilinx-zynqmp).

https://lwn.net/Articles/938488/


Security vulnerabilities, some critical, in Citrix/NetScaler ADC and Gateway - actively exploited - updates available

A critical vulnerability in Citrix/NetScaler ADC and Citrix Gateway allows unauthenticated attackers to execute arbitrary code. This vulnerability is already being actively exploited. Further security vulnerabilities closed by these updates concern reflected cross-site scripting (XSS) and privilege escalation.

https://cert.at/de/warnungen/2023/7/sicherheitslucken-teil-kritisch-in-citrixnetscaler-adc-und-gateway-updates-verfugbar


Zyxel security advisory for multiple vulnerabilities in firewalls and WLAN controllers

Zyxel has released patches addressing multiple vulnerabilities in some firewall and WLAN controller versions. Users are advised to install the patches for optimal protection.

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers


IBM Security Verify Access product is vulnerable to Open Redirects (AAC module) (CVE-2023-30433)

https://www.ibm.com/support/pages/node/7012613


Vulnerability in bottle-0.12.16 affects IBM Cloud Pak for Data System 1.0 (CPDS 1.0) (CVE-2020-28473)

https://www.ibm.com/support/pages/node/7012387


IBM Security Verify Governance has multiple vulnerabilities

https://www.ibm.com/support/pages/node/7012649


IBM Security Verify Governance has multiple vulnerabilities (CVE-2022-41946, CVE-2022-46364, CVE-2023-24998)

https://www.ibm.com/support/pages/node/7012647


Vulnerabilities in httpclient library affect IBM Engineering Test Management (ETM) (CVE-2020-13956)

https://www.ibm.com/support/pages/node/7012659


Vulnerabilities in Commons Codec library affect IBM Engineering Test Management (ETM) (IBM X-Force ID: 177835)

https://www.ibm.com/support/pages/node/7012657


Vulnerability in Apache Commons IO library affects IBM Engineering Test Management (ETM) (CVE-2021-29425)

https://www.ibm.com/support/pages/node/7012661


Vulnerability in JUnit library affects IBM Engineering Test Management (ETM) (CVE-2020-15250)

https://www.ibm.com/support/pages/node/7012663


IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950)

https://www.ibm.com/support/pages/node/7011767


Netcool Operations Insights 1.6.9 addresses multiple security vulnerabilities.

https://www.ibm.com/support/pages/node/7012675


AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924)

https://www.ibm.com/support/pages/node/7012711


Daeja ViewONE may be affected by Bouncy Castle Vulnerability (CVE-2023-33201)

https://www.ibm.com/support/pages/node/7012809


Rockwell Automation Kinetix 5700 DC Bus Power Supply

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-01


Weintek Weincloud

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04


Keysight N6845A Geolocation Server

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-02


GeoVision GV-ADR2701

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05


WellinTech KingHistorian

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-07


Iagona ScrutisWeb

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03


GE Digital CIMPLICITY

https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-06