End-of-Day report
Timeframe: Wednesday 26-07-2023 18:00 - Thursday 27-07-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Windows 10 KB5028244 update released with 19 fixes, improved security
Microsoft has released the optional KB5028244 Preview cumulative update for Windows 10 22H2 with 19 fixes or changes, including an update to the Vulnerable Driver Blocklist to block BYOVD attacks.
https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5028244-update-released-with-19-fixes-improved-security/
APT trends report Q2 2023
This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023.
https://securelist.com/apt-trends-report-q2-2023/110231/
Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining
Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners. The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet.
https://thehackernews.com/2023/07/hackers-target-apache-tomcat-servers.html
Android Güncelleme - dissecting a malicious update installer
Recently, during one of F-Secure Android's routine tests, we came across one such fake Android update sample - Android Güncelleme, that proved to be evasive and exhibited interesting exfiltration characteristics. Although the sample is not novel (some features have already been covered in other articles on the Internet), it nevertheless combines several malicious actions together, such as anti-analysis and anti-uninstallation, making it a more potent threat.
https://blog.f-secure.com/android-guncelleme-dissecting-a-malicious-update-installer/
Fruity trojan downloader performs multi-stage infection of Windows computers
For about a year, Doctor Web has been registering support requests from users complaining about Windows-based computers getting infected with the Remcos RAT (Trojan.Inject4.57973) spyware trojan. While investigating these incidents, our specialists uncovered an attack in which Trojan.Fruity.1, a multi-component trojan downloader, played a major role. To distribute it, threat actors create malicious websites and specifically crafted software installers.
https://news.drweb.com/show/?i=14728&lng=en&c=9
SySS Proof of Concept-Video: "Reversing the Irreversible, again: Unlocking locked Omnis Studio classes" (CVE-2023-38334)
The software development tool supports a function, irreversible according to the vendor, that allows program classes in Omnis libraries to be locked (locked classes).[..] However, due to implementation errors discovered during a security test, it is possible to unlock locked Omnis classes in order to analyze them further in the Omnis Studio browser or even modify them. This does not meet the expectations of an irreversible function.
https://www.syss.de/pentest-blog/syss-proof-of-concept-video-reversing-the-irreversible-again-unlocking-locked-omnis-studio-classes
Beware of "failed payments" on Booking
Have you received a message from the hotel you booked via Booking.com asking you to confirm your credit card? Caution - this is a sophisticated phishing scheme! The criminals steal your data and you pay for your hotel twice!
https://www.watchlist-internet.at/news/vorsicht-bei-fehlgeschlagenen-zahlungen-auf-booking/
Online banking: Beware of search engine phishing
Cybercriminals also advertise their fraudulent bank websites on popular search engines such as Google, Yahoo or Bing.
https://www.zdnet.de/88410826/online-banking-vorsicht-vor-suchmaschinen-phishing/
Vulnerabilities
VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation
The software driver for D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains an unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation.
https://kb.cert.org/vuls/id/813349
Vulnerabilities discovered: 40 percent of all Ubuntu systems allow privilege escalation
Two vulnerabilities in Ubuntu's OverlayFS module endanger countless server systems. Admins should update the kernel modules promptly. (Security vulnerability, Ubuntu)
https://www.golem.de/news/schwachstellen-entdeckt-40-prozent-aller-ubuntu-systeme-erlauben-rechteausweitung-2307-176205.html
ZDI-23-1002: SolarWinds Network Configuration Manager VulnDownloader Directory Traversal Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Configuration Manager. Authentication is required to exploit this vulnerability.
http://www.zerodayinitiative.com/advisories/ZDI-23-1002/
Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032
Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection. Solution: Install the latest version
https://www.drupal.org/sa-contrib-2023-032
Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031
The module doesn't sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations. Solution: Originally the solution was listed as just updating the module, however, a cache rebuild will be necessary for the solution to take effect.
https://www.drupal.org/sa-contrib-2023-031
Sitefinity Security Advisory for Addressing Security Vulnerability, July 2023
The Progress Sitefinity team recently discovered a potential security vulnerability in the Progress Sitefinity .NET Core Renderer Application. It has since been addressed. [..] For optimal security, we recommend an upgrade to the latest Sitefinity .NET Core Renderer version, which currently is 14.4.8127. A product update is also available for older supported Sitefinity versions
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-July-2023
SolarWinds Platform Security Advisories
- Access Control Bypass Vulnerability CVE-2023-3622
- Incorrect Behavior Order Vulnerability CVE-2023-33224
- Incorrect Input Neutralization Vulnerability CVE-2023-33229
- Deserialization of Untrusted Data Vulnerability CVE-2023-33225
- Incomplete List of Disallowed Inputs Vulnerability CVE-2023-23844
- Incorrect Comparison Vulnerability CVE-2023-23843
https://www.solarwinds.com/trust-center/security-advisories
SECURITY BULLETIN: July 2023 Security Bulletin for Trend Micro Apex Central
CVE Identifier(s): CVE-2023-38624, CVE-2023-38625, CVE-2023-38626, CVE-2023-38627
CVSS 3.0 Score(s): 4.2
Post-authenticated server-side request forgery (SSRF) vulnerabilities in Trend Micro Apex Central 2019 could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
https://success.trendmicro.com/dcx/s/solution/000294176?language=en_US
Security updates available in Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1
Platform: macOS
Summary: Foxit has released Foxit PDF Editor for Mac 12.1.1 and Foxit PDF Reader for Mac 12.1.1, which address potential security and stability issues.
CVE-2023-28744, CVE-2023-38111, CVE-2023-38107, CVE-2023-38109, CVE-2023-38113, CVE-2023-38112, CVE-2023-38110, CVE-2023-38117
https://www.foxit.com/support/security-bulletins.html
Security updates: Attackers can take over Aruba access points
Aruba access points are vulnerable when the network operating systems ArubaOS 10 or InstantOS are in use.
https://heise.de/-9227914
Patch now! Root vulnerability endangers Mikrotik routers
If the prerequisites are met, attackers can elevate themselves to super-admin on Mikrotik routers.
https://heise.de/-9226696
Security update: Attackers can attack the Sophos UTM security solution
Sophos Unified Threat Management is vulnerable. Current software provides a remedy.
https://heise.de/-9228570
Synology-SA-23:10 SRM
Multiple vulnerabilities allow remote attackers to read specific files, obtain sensitive information, and inject arbitrary web script or HTML, man-in-the-middle attackers to bypass security constraint, and remote authenticated users to execute arbitrary commands and conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM).
https://www.synology.com/en-global/support/security/Synology_SA_23_10
CISA Releases Five Industrial Control Systems Advisories
- ICSA-23-208-01 ETIC Telecom RAS Authentication
- ICSA-23-208-02 PTC KEPServerEX
- ICSA-23-208-03 Mitsubishi Electric CNC Series
- ICSA-22-307-01 ETIC RAS (Update A)
- ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B)
https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-releases-five-industrial-control-systems-advisories
WAGO: Multiple vulnerabilities in web-based management of multiple products
https://cert.vde.com/de/advisories/VDE-2022-060/
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js
https://www.ibm.com/support/pages/node/7012005
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Angular
https://www.ibm.com/support/pages/node/7012009
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Python
https://www.ibm.com/support/pages/node/7012001
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF
https://www.ibm.com/support/pages/node/7012033
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by multiple vulnerabilities in Golang Go
https://www.ibm.com/support/pages/node/7014267
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Bouncy Castle
https://www.ibm.com/support/pages/node/7012003
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java
https://www.ibm.com/support/pages/node/7012037
IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty.
https://www.ibm.com/support/pages/node/7014905
IBM B2B Advanced Communication is vulnerable to cross-site scripting (CVE-2023-22595)
https://www.ibm.com/support/pages/node/7014929
IBM B2B Advanced Communications is vulnerable to denial of service (CVE-2023-24971)
https://www.ibm.com/support/pages/node/7014933
Multiple Vulnerabilities in CloudPak for Watson AIOps
https://www.ibm.com/support/pages/node/7014939
IBM® Db2® has multiple denial of service vulnerabilities with a specially crafted query
https://www.ibm.com/support/pages/node/7010557
Watson CP4D Data Stores is vulnerable to Golang Go denial of service vulnerability (CVE-2022-41724)
https://www.ibm.com/support/pages/node/7014981
IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and security restriction bypass due to [CVE-2023-2283], [CVE-2023-1667]
https://www.ibm.com/support/pages/node/7014991
IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2020-24736]
https://www.ibm.com/support/pages/node/7014993
IBM App Connect Enterprise Certified Container operands are vulnerable to security restriction bypass due to [CVE-2023-24329]
https://www.ibm.com/support/pages/node/7014995
IBM App Connect Enterprise Certified Container operands are vulnerable to privilege elevation due to [CVE-2023-26604]
https://www.ibm.com/support/pages/node/7014997
IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities in libtiff
https://www.ibm.com/support/pages/node/7014999
IBM App Connect Enterprise Certified Container operands are vulnerable to server-side request forgery due to [CVE-2023-28155]
https://www.ibm.com/support/pages/node/7015003
IBM App Connect Enterprise Certified Container operator and operands are vulnerable to privilege escalation due to [CVE-2023-29403]
https://www.ibm.com/support/pages/node/7015007
IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Kafka nodes are vulnerable to denial of service due to [CVE-2023-34453], [CVE-2023-34454], [CVE-2023-34455]
https://www.ibm.com/support/pages/node/7015009
IBM Event Streams is affected by multiple vulnerabilities in Golang Go
https://www.ibm.com/support/pages/node/7014405