End-of-Day report
Timeframe: Tuesday 25-07-2023 18:00 - Wednesday 26-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Mysterious Decoy Dog malware toolkit still lurks in DNS shadows
New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity.
https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware-toolkit-still-lurks-in-dns-shadows/
New Nitrogen malware pushed via Google Ads for ransomware attacks
A new Nitrogen initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads.
https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/
How to Scan A Website for Vulnerabilities
Even the most diligent site owners should consider when they had their last website security check. As our own research indicates, infections resulting from known website vulnerabilities continue to plague website owners. According to our 2022 Hacked Website Report, last year alone WordPress accounted for 96.2% of infected websites due to its market share and popularity. Statistics like these highlight why it's so important that you regularly scan your website for vulnerabilities.
https://blog.sucuri.net/2023/07/how-to-scan-website-for-vulnerabilities.html
Sneaky Python package security fixes help no one - except miscreants
Good thing these eggheads have created a database of patches - Python security fixes often happen through "silent" code commits, without an associated Common Vulnerabilities and Exposures (CVE) identifier, according to a group of computer security researchers.
https://go.theregister.com/feed/www.theregister.com/2023/07/26/python_silent_security_fixes/
Tool Release: Cartographer
Cartographer is a Ghidra plugin that creates a visual "map" of code coverage data, enabling researchers to easily see what parts of a program are executed. It has a wide range of uses, such as better understanding a program, honing in on target functionality, or even discovering unused content in video games.
https://research.nccgroup.com/2023/07/20/tool-release-cartographer/
New Realst Mac malware, disguised as blockchain games, steals cryptocurrency wallets
Fake blockchain games, that are being actively promoted by cybercriminals on social media, are actually designed to infect the computers of unsuspecting Mac users with cryptocurrency-stealing malware.
https://grahamcluley.com/new-realst-mac-malware-disguised-as-blockchain-games-steals-cryptocurrency-wallets/
Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability
GreyNoise researchers have identified active exploitation for a remote code execution (RCE) vulnerability in Citrix ShareFile (CVE-2023-24489)
https://www.greynoise.io/blog/introducing-cve-2023-24489-a-critical-citrix-sharefile-rce-vulnerability
Vulnerabilities
ModSecurity v3: DoS Vulnerability in Four Transformations (CVE-2023-38285)
ModSecurity is an open-source Web Application Firewall (WAF) engine maintained by Trustwave. This blog post discusses an issue with four transformation actions that could enable a Denial of Service (DoS) attack by a malicious actor. The issue has been addressed with fixes in v3.0.10. ModSecurity v2 is not affected.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
B&R Automation Runtime SYN Flooding Vulnerability in Portmapper
CVE-2023-3242, CVSS v3.1 Base Score: 8.6. The Portmapper service used in Automation Runtime versions
https://www.br-automation.com/downloads_br_productcatalogue/assets/1689787619746-en-original-1.0.pdf
Security updates for Wednesday
Security updates have been issued by Debian (amd64-microcode, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, iperf3, openjdk-17, and pandoc), Fedora (389-ds-base, kitty, and thunderbird), SUSE (libqt5-qtbase, libqt5-qtsvg, mysql-connector-java, netty, netty-tcnative, openssl, openssl-1_1, openssl1, php7, python-scipy, and xmltooling), and Ubuntu (amd64-microcode, avahi, libxpm, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, openstack-trove, and python-django).
https://lwn.net/Articles/939305/
Mattermost security updates 8.0.1 / 7.10.5 / 7.8.9 (ESR) released
We're informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 8.0.1, 7.10.5, and 7.8.9 (Extended Support Release), for both Team Edition and Enterprise Edition.
https://mattermost.com/blog/mattermost-security-updates-8-0-1-7-10-5-7-8-9-esr-released/
Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch
BOSCH-SA-247054-BT: Multiple vulnerabilities were found in the PRA-ES8P2S Ethernet-Switch. Customers are advised to upgrade to version 1.01.10 since it solves all vulnerabilities listed. Customers are advised to isolate the switch from the Internet if upgrading is not possible. The PRA-ES8P2S switch contains technology from the Advantech EKI-7710G series switches.
https://psirt.bosch.com/security-advisories/bosch-sa-247054-bt.html
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
https://www.cisa.gov/news-events/alerts/2023/07/26/cisa-adds-one-known-exploited-vulnerability-catalog-0
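A practical follow-up to a KEV addition is to check every CVE mentioned in a report like this one against the catalog and surface the remediation due date. The script below is an added example written for this report, not CISA's code. It assumes the field names of the KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), which are those of the feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the embedded feed document is a constructed one-entry stand-in for that download, its dueDate value is an assumption, and the report excerpt is constructed from headlines in this report.

```python
import json
import re

# CVE identifiers as they appear in prose: CVE-YYYY-NNNN (4 or more digits).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed stand-in for the KEV feed. Only the field names follow the real
# catalog; the entry mirrors the CISA alert above, and dueDate is an assumption.
KEV_SAMPLE_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2023.07.26",
  "dateReleased": "2023-07-26T00:00:00.0000Z",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2023-37580",
      "vendorProject": "Zimbra",
      "product": "Collaboration (ZCS)",
      "vulnerabilityName": "Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability",
      "dateAdded": "2023-07-26",
      "shortDescription": "Constructed sample entry; see the CISA alert for the real text.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-08-16",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""

# Constructed excerpt made of headlines from this report.
REPORT_EXCERPT = """
Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability
CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
AIX is vulnerable to denial of service due to zlib (CVE-2022-37434)
"""


def load_kev(feed_json: str) -> dict:
    """Parse a KEV feed document into a dict keyed by upper-cased CVE ID."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def extract_cves(text: str) -> set:
    """Return the set of distinct CVE IDs mentioned in free text, normalised to upper case."""
    return {m.group(0).upper() for m in CVE_RE.finditer(text)}


def cross_check(report_text: str, kev: dict, today_iso: str) -> list:
    """Return one record per CVE in the report that is in KEV, earliest due date first.

    today_iso is an ISO date (YYYY-MM-DD); ISO dates compare correctly as strings,
    so no datetime parsing is needed for the overdue check.
    """
    hits = []
    for cve in sorted(extract_cves(report_text)):
        entry = kev.get(cve)
        if entry is None:
            continue
        hits.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "added": entry["dateAdded"],
            "due": entry["dueDate"],
            "overdue": entry["dueDate"] < today_iso,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    hits.sort(key=lambda h: h["due"])
    return hits


if __name__ == "__main__":
    # For live use, replace KEV_SAMPLE_JSON with the downloaded feed text.
    catalog = load_kev(KEV_SAMPLE_JSON)
    for hit in cross_check(REPORT_EXCERPT, catalog, "2023-07-26"):
        flag = "OVERDUE" if hit["overdue"] else "open"
        print(f'{hit["cve"]}  {hit["product"]}  added {hit["added"]}  due {hit["due"]}  [{flag}]')
```

The CVE regex deliberately accepts more than four digits after the year, as CVE IDs have done since 2014; matching only four would silently drop entries such as CVE-2021-44228-style identifiers with five digits.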
Fujitsu Real-time Video Transmission Gear "IP series" uses hard-coded credentials
https://jvn.jp/en/jp/JVN95727578/
AIX is vulnerable to denial of service due to zlib (CVE-2022-37434)
https://www.ibm.com/support/pages/node/7014483
AIX is vulnerable to a denial of service due to libxml2 (CVE-2023-29469 and CVE-2023-28484)
https://www.ibm.com/support/pages/node/7014485
IBM Security Directory Suite has multiple vulnerabilities [CVE-2022-33163 and CVE-2022-33168]
https://www.ibm.com/support/pages/node/7001885
A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-35890)
https://www.ibm.com/support/pages/node/7014649
A security vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-32342)
https://www.ibm.com/support/pages/node/7014651
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
https://www.ibm.com/support/pages/node/7014659
CVE-2023-0465 may affect IBM CICS TX Advanced 10.1
https://www.ibm.com/support/pages/node/7014675
IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query
https://www.ibm.com/support/pages/node/7010557
IBM Operational Decision Manager July 2023 - Multiple CVEs
https://www.ibm.com/support/pages/node/7014699
IBM Sterling Connect:Direct for UNIX is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342)
https://www.ibm.com/support/pages/node/7014693
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to TensorFlow denial of service vulnerability [CVE-2023-25661]
https://www.ibm.com/support/pages/node/7014695
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to YAML denial of service vulnerability [CVE-2023-2251]
https://www.ibm.com/support/pages/node/7014697