End-of-Day report
Timeframe: Tuesday 18-07-2023 18:00 - Wednesday 19-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
New ransomware: criminals encrypt systems in Sophos's name
A supposed encryption program from Sophos turns out to be a Bitcoin-collecting ransomware service for criminal actors.
https://www.golem.de/news/neue-ransomware-kriminelle-verschluesseln-systeme-im-namen-von-sophos-2307-175980.html
Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability
On March 14, 2023, Microsoft published a blogpost describing an Outlook Client Elevation of Privilege Vulnerability (CVSS: 9.8 CRITICAL). The publication generated a lot of activity among white, grey and black hat researchers, as well as lots of publications and tweets about the vulnerability and its exploitation. Below, we will highlight the key points and then focus on the initial use of this vulnerability by attackers before it became public.
https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397/110202/
Massive Google Colaboratory Abuse: Gambling and Subscription Scam
While Google's free and open tools are undeniably valuable for collaboration (and innovation), it's evident that complications arise when they become a haven for bad actors. Millions of documents with spam content on the Google Colab platform reveal that spammers have found yet another method to host doorways that they actively promote via spam link injections on compromised websites.
https://blog.sucuri.net/2023/07/massive-google-colaboratory-abuse-gambling-and-subscription-scam.html
LKA Niedersachsen warns of phishing and subscription traps using iCloud and Google emails
Fraudsters are currently sending emails claiming that the recipient's Apple iCloud or Google storage is running full. The LKA Niedersachsen (Lower Saxony State Criminal Police Office) warns of this.
https://heise.de/-9220688
Network and Information Systems Security (NIS2): recommendations for NRENs
GÉANT worked with Stratix, an independent consultancy firm specialised in communication infrastructures and services, to go through the steps that NRENs need to follow and the questions that need to be answered during the NIS2 implementation phase.
https://connect.geant.org/2023/07/19/network-and-information-systems-security-nis2-recommendations-for-nrens
HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within
Despite risks to their own data and devices, some users continue to be lured into downloading illegal versions of popular paid-for software, disregarding the potentially more severe repercussions than legitimate alternatives. We have analyzed how cybercriminals deploy HotRat, a remote access trojan (RAT), through an AutoHotkey script attached to cracked software.
https://decoded.avast.io/martinchlumecky/hotrat-the-risks-of-illegal-software-downloads-and-hidden-autohotkey-script-within/
Vulnerabilities
OpenSSL Security Advisory: Excessive time spent checking DH keys and parameters (CVE-2023-3446)
Severity: Low
Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
https://www.openssl.org/news/secadv/20230714.txt
Web browser: Google plugs 20 security holes in Chrome 115
Google has released version 115 of the Chrome web browser. In it, the developers fix 20 vulnerabilities.
https://heise.de/-9220438
Security updates for Wednesday
Security updates have been issued by Debian (bind9, libapache2-mod-auth-openidc, and python-django), Fedora (nodejs18 and redis), Red Hat (python3.9 and webkit2gtk3), Scientific Linux (bind and kernel), SUSE (cni, cni-plugins, cups-filters, curl, dbus-1, ImageMagick, kernel, libheif, and python-requests), and Ubuntu (bind9, connman, curl, libwebp, and yajl).
https://lwn.net/Articles/938596/
Session Token Enumeration in RWS WorldServer
Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions.
https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-001/
Oracle Releases Security Updates
Oracle has released its Critical Patch Update Advisory, Solaris Third Party Bulletin, and Linux Bulletin for July 2023 to address vulnerabilities affecting multiple products.
https://www.cisa.gov/news-events/alerts/2023/07/18/oracle-releases-security-updates
Vulnerability with guava (CVE-2023-2976) affects IBM Cloud Object Storage Systems (July 2023)
https://www.ibm.com/support/pages/node/7012815
IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161)
https://www.ibm.com/support/pages/node/7010311
IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966)
https://www.ibm.com/support/pages/node/7010313
Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM WebSphere Remote Server
https://www.ibm.com/support/pages/node/7012979
IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554)
https://www.ibm.com/support/pages/node/6989451
IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below.
https://www.ibm.com/support/pages/node/7013037
IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below.
https://www.ibm.com/support/pages/node/7013035
IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to SOAPAction spoofing (CVE-2022-38712)
https://www.ibm.com/support/pages/node/6855613
WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a server-side request forgery vulnerability (CVE-2022-35282).
https://www.ibm.com/support/pages/node/6827807
IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a remote code execution vulnerability (CVE-2023-23477)
https://www.ibm.com/support/pages/node/6953111
IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6964530
IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283)
https://www.ibm.com/support/pages/node/6983186
IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6983188
CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Standard
https://www.ibm.com/support/pages/node/7013135
CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Advanced
https://www.ibm.com/support/pages/node/7013139
IBM MQ as used by IBM QRadar SIEM contains multiple vulnerabilities
https://www.ibm.com/support/pages/node/7013143
Weintek Weincloud
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04