Daily summary - 28.07.2023

End-of-Day report

Timeframe: Thursday 27-07-2023 18:00 - Friday 28-07-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

News

New Android malware uses OCR to steal credentials from images

Two new Android malware families named CherryBlos and FakeTrade were discovered on Google Play, aiming to steal cryptocurrency credentials and funds or conduct scams.

https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ocr-to-steal-credentials-from-images/


User data at risk: hundreds of thousands of WordPress sites vulnerable to data theft

Three vulnerabilities in the WordPress plugin Ninja Forms can lead to massive data leaks. Admins should update promptly.

https://www.golem.de/news/nutzerdaten-in-gefahr-hunderttausende-von-wordpress-seiten-anfaellig-fuer-datenklau-2307-176251.html


ShellCode Hidden with Steganography, (Fri, Jul 28th)

When hunting, I'm often surprised by the interesting pieces of code that you may discover... Attackers (or pentesters/redteamers) like to share scripts on VT to evaluate the detection rates against many antivirus products. Sometimes, you find some cool stuff.

https://isc.sans.edu/diary/rss/30074


Hackers Abusing Windows Search Feature to Install Remote Access Trojans

A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows.

https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html
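As an added example for this summary (not code from the Trellix or Hacker News write-up): a small Python checker that pulls `search-ms:` and `search:` URIs out of HTML or e-mail text, percent-decodes the `crumb=location:` parameter, and flags those that point at a UNC/WebDAV share or a URL instead of a local drive, since that remote location is what makes Explorer reach out to an attacker-controlled host. The sample HTML, its hosts and its display names are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample (not from the original report): an HTML lure with three
# search links. Hosts are documentation/placeholder names.
SAMPLE_HTML = r'''
<p>Your invoice is ready.</p>
<a href="search-ms:query=Invoice&crumb=location:%5C%5C203.0.113.10%40443%5CDavWWWRoot&displayname=Downloads">Open invoice</a>
<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5Cbob%5CDocuments&displayname=Docs">My documents</a>
<a href="search:query=Report&crumb=location:\\fileserver.corp\share&displayname=Reports">Shared reports</a>
'''

# A search-ms: or search: URI runs up to the next whitespace, quote or tag end.
SEARCH_URI_RE = re.compile(r'\b(search-ms|search):([^\s"\'<>]+)', re.IGNORECASE)


def parse_search_params(rest: str) -> dict:
    """Split the part after the scheme into percent-decoded key/value pairs.
    HTML-escaped ampersands are normalised first."""
    params = {}
    for part in rest.replace("&amp;", "&").split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    return params


def is_remote_location(location: str) -> bool:
    r"""True if the crumb points somewhere Explorer must fetch over the network:
    a UNC path (\\host\share, which also covers WebDAV forms such as
    \\host@443\DavWWWRoot) or an http(s) URL. Drive-letter paths are local."""
    loc = location.strip()
    if loc.startswith("\\\\") or loc.startswith("//"):
        return True
    return re.match(r"https?://", loc, re.IGNORECASE) is not None


def find_search_uris(text: str) -> list:
    """Return one dict per search URI found in text, with the decoded
    location and a 'remote' verdict."""
    findings = []
    for match in SEARCH_URI_RE.finditer(text):
        scheme = match.group(1).lower()
        params = parse_search_params(match.group(2))
        crumb = params.get("crumb", "")
        location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
        findings.append({
            "scheme": scheme,
            "raw": match.group(0),
            "query": params.get("query", ""),
            "display_name": params.get("displayname", ""),
            "location": location,
            "remote": is_remote_location(location),
        })
    return findings


if __name__ == "__main__":
    for f in find_search_uris(SAMPLE_HTML):
        flag = "SUSPICIOUS" if f["remote"] else "local"
        print(f'{flag:10} {f["scheme"]}: location={f["location"]!r} displayname={f["display_name"]!r}')
```

Run as-is it reports the first and third links as suspicious and the second (a drive-letter path) as local. An internal UNC path is still flagged on purpose: the checker's question is whether the link makes the client talk to a network host, not whether that host is trusted, so tune the verdict against your own server inventory before alerting on it.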


IcedID Malware Adapts and Expands Threat with Updated BackConnect Module

The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal.

https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html


Hackers are infecting Call of Duty (Modern Warfare 2 (2009)) players with a self-spreading malware

Hackers are infecting players of an old Call of Duty game with a worm that spreads automatically in online lobbies, according to two analyses of the malware. [..] Activision spokesperson Neil Wood referred to a tweet posted by the company on an official Call of Duty updates Twitter account, which vaguely acknowledges the malware. "Multiplayer for Call of Duty: Modern Warfare 2 (2009) on Steam was brought offline while we investigate reports of an issue," the tweet read.

https://techcrunch.com/2023/07/27/hackers-are-infecting-call-of-duty-players-with-a-self-spreading-malware/


Attackers can take down Qnap NAS and IP video surveillance systems

Several Qnap network products are vulnerable to DoS attacks. Patched software is available.

https://heise.de/-9229575


The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022

This is Google's fourth annual year-in-review of 0-days exploited in-the-wild [2021, 2020, 2019] and builds off of the mid-year 2022 review. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a whole, looking for trends, gaps, lessons learned, and successes.

https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html


Zimbra Patches Exploited Zero-Day Vulnerability

Zimbra has released patches for a cross-site scripting (XSS) vulnerability that has been exploited in malicious attacks.

https://www.securityweek.com/zimbra-patches-exploited-zero-day-vulnerability/


CISA and Partners Release Joint Cybersecurity Advisory on Preventing Web Application Access Control Abuse

The Australian Signals Directorate's Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) are releasing a joint Cybersecurity Advisory (CSA), Preventing Web Application Access Control Abuse, to warn vendors, designers, developers, and end-user organizations of web applications about insecure direct object reference (IDOR) vulnerabilities.

https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-and-partners-release-joint-cybersecurity-advisory-preventing-web-application-access-control
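As an added illustration of the IDOR class the advisory covers (example code written for this summary, not taken from the advisory): a document lookup that trusts the identifier in the request, the same lookup with a per-object ownership check, and an indirect reference map so that clients never handle raw ids. The data store, user ids and document ids are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


class NotFound(Exception):
    """Raised for missing objects and for objects the caller may not access."""


# Constructed sample store (not from the advisory): two users, one document each.
DOCUMENTS = {
    1001: Document(doc_id=1001, owner_id=1, body="alice: tax return"),
    1002: Document(doc_id=1002, owner_id=2, body="bob: contract"),
}


def get_document_vulnerable(user_id: int, doc_id: int) -> Document:
    """IDOR: the object id from the request goes straight to the lookup, so
    any authenticated user can read any document by changing doc_id."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document_fixed(user_id: int, doc_id: int) -> Document:
    """Per-object authorization: the lookup is scoped to the caller's ownership.
    A foreign id and a nonexistent id raise the same error, so the endpoint
    does not confirm which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != user_id:
        raise NotFound(doc_id)
    return doc


class ReferenceMap:
    """Indirect references: the client only ever sees a random, per-user token;
    the real doc_id stays server-side. Guessing ids becomes pointless, and a
    token issued to one user resolves to nothing for another."""

    def __init__(self):
        self._refs = {}  # (user_id, token) -> doc_id

    def issue(self, user_id: int, doc_id: int) -> str:
        # Only hand out references to objects the user is allowed to reach.
        get_document_fixed(user_id, doc_id)
        token = secrets.token_urlsafe(16)
        self._refs[(user_id, token)] = doc_id
        return token

    def resolve(self, user_id: int, token: str) -> Document:
        doc_id = self._refs.get((user_id, token))
        if doc_id is None:
            raise NotFound(token)
        # Re-check ownership at use time in case it changed since issue.
        return get_document_fixed(user_id, doc_id)


def can_read(getter, user_id: int, doc_id) -> bool:
    """Helper for demonstrating the handlers side by side."""
    try:
        getter(user_id, doc_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    for user in (1, 2):
        for doc in (1001, 1002):
            print(f"user {user} doc {doc}: "
                  f"vulnerable={can_read(get_document_vulnerable, user, doc)} "
                  f"fixed={can_read(get_document_fixed, user, doc)}")
```

The ownership check is the fix; the reference map is defence in depth on top of it, not a substitute, which is why `resolve` still goes through `get_document_fixed`.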

Vulnerabilities

Major Security Flaw Discovered in Metabase BI Software - Urgent Update Required

Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations.

https://thehackernews.com/2023/07/major-security-flaw-discovered-in.html


ZDI-23-1010: Adtran SR400ac ping Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adtran SR400ac routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

https://www.zerodayinitiative.com/advisories/ZDI-23-1010/


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software ACLs Not Installed upon Reload

An issue with the boot-time programming of access control lists (ACLs) for Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow a device to boot without all of its ACLs being correctly installed. This issue is due to a logic error that occurs when ACLs are programmed at boot time. If object groups are not in sequential order in the startup configuration, some access control entries (ACEs) may not be installed.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-aclconfig-wVK52f3z


Security updates for Thursday

Security updates have been issued by Debian (curl), Fedora (kitty, mingw-qt5-qtbase, and mingw-qt6-qtbase), Mageia (cri-o, kernel, kernel-linus, mediawiki, and microcode), SUSE (chromium, conmon, go1.20-openssl, iperf, java-11-openjdk, kernel-firmware, and mariadb), and Ubuntu (libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.19, linux-gcp-5.19, linux-hwe-5.19, linux-intel-iotg-5.15, linux-iot, llvm-toolchain-13, llvm-toolchain-14, llvm-toolchain-15, open-iscsi, open-vm-tools, and xorg-server-hwe-16.04).

https://lwn.net/Articles/939445/


Security updates for Friday

Security updates have been issued by Debian (kernel and libmail-dkim-perl), Fedora (openssh), and SUSE (kernel).

https://lwn.net/Articles/939519/


Vulnerability in QVPN Device Client for Windows

An insecure library loading vulnerability has been reported to affect devices running QVPN Device Client for Windows.

https://www.qnap.com/en-us/security-advisory/QSA-23-04


Vulnerability in QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances)

An uncontrolled resource consumption vulnerability has been reported to affect multiple QNAP operating systems.

https://www.qnap.com/en-us/security-advisory/QSA-23-09


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/