End-of-Day report
Timeframe: Friday 28-07-2023 18:00 - Monday 31-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Linux version of Abyss Locker ransomware targets VMware ESXi servers
The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machine platform in attacks on the enterprise.
https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/
Hackers exploit BleedingPipe RCE to target Minecraft servers, players
Hackers are actively exploiting a BleedingPipe remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices.
https://www.bleepingcomputer.com/news/security/hackers-exploit-bleedingpipe-rce-to-target-minecraft-servers-players/
P2PInfect server botnet spreads using Redis replication feature
Threat actors are actively targeting exposed instances of the Redis open-source data store with a peer-to-peer self-replicating worm with versions for both Windows and Linux that the malware authors named P2Pinfect.
https://www.bleepingcomputer.com/news/security/p2pinfect-server-botnet-spreads-using-redis-replication-feature/
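The replication feature named above is the usual takeover route for exposed Redis: an attacker points the instance at a rogue master with SLAVEOF/REPLICAOF and then delivers code to it. The following Python is an added example written for this report, not code from the article or from the P2PInfect authors; it checks captured `INFO replication`, `INFO modules` and redis.conf text for the tell-tale signs (a replica of a master you never configured, an unexpected loaded module, and the config settings that leave the takeover open). The allowlisted master address, the module name and all sample output are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Masters our replicas are allowed to sync from (assumption: substitute the
# real topology; an empty set means "this instance must never be a replica").
ALLOWED_MASTERS: Set[str] = {"10.0.0.5"}


def parse_info(info_text: str) -> Dict[str, str]:
    """Parse the key:value lines of one Redis INFO section into a dict."""
    fields: Dict[str, str] = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def replication_findings(info_text: str, allowed: Set[str] = ALLOWED_MASTERS) -> List[str]:
    """Flag a replica that syncs from a master we did not configure.

    A rogue-master takeover shows up as role:slave with a master_host outside
    the deployment; a standalone instance should report role:master.
    """
    info = parse_info(info_text)
    findings: List[str] = []
    if info.get("role") == "slave":
        master = info.get("master_host", "?")
        if master not in allowed:
            findings.append(
                f"replica of unexpected master {master}:{info.get('master_port', '?')}")
    return findings


def module_findings(modules_text: str, allowed_modules: Set[str] = frozenset()) -> List[str]:
    """Flag loaded modules; INFO modules lists them as 'module:name=<name>,ver=...'."""
    findings: List[str] = []
    for line in modules_text.splitlines():
        m = re.match(r"module:name=([^,]+)", line.strip())
        if m and m.group(1) not in allowed_modules:
            findings.append(f"unexpected module loaded: {m.group(1)}")
    return findings


def config_findings(conf_text: str) -> List[str]:
    """Check redis.conf text for settings that leave the instance open to takeover."""
    settings: Dict[str, str] = {}
    renamed: Set[str] = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "rename-command":
            renamed.add(value.split()[0].upper())  # e.g. rename-command SLAVEOF ""
        else:
            settings[key] = value
    findings: List[str] = []
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is disabled")
    if "requirepass" not in settings:
        findings.append("no requirepass set")
    bind = settings.get("bind", "")
    if not bind or "0.0.0.0" in bind or "::" in bind.split():
        findings.append(f"bound to all interfaces (bind {bind or 'unset'})")
    for cmd in ("SLAVEOF", "REPLICAOF", "MODULE"):
        if cmd not in renamed:
            findings.append(f"{cmd} command not renamed/disabled")
    return findings


# Constructed samples (not captured from a real incident); 203.0.113.0/24 is a
# documentation range and "constructed_mod" is an invented module name.
INFO_REPLICATION_SAMPLE = "# Replication\r\nrole:slave\r\nmaster_host:203.0.113.77\r\nmaster_port:6379\r\nmaster_link_status:up\r\n"
INFO_MODULES_SAMPLE = "# Modules\r\nmodule:name=constructed_mod,ver=1,api=1,filters=0,usedby=[],using=[],options=[]\r\n"
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1 10.0.0.12\nprotected-mode yes\nrequirepass change-me-long-random\n"
    'rename-command SLAVEOF ""\nrename-command REPLICAOF ""\nrename-command MODULE ""\n'
)

if __name__ == "__main__":
    for label, hits in (
        ("replication", replication_findings(INFO_REPLICATION_SAMPLE)),
        ("modules", module_findings(INFO_MODULES_SAMPLE)),
        ("weak conf", config_findings(WEAK_CONF)),
        ("hardened conf", config_findings(HARDENED_CONF)),
    ):
        print(label, "->", hits or "ok")
```

Feed it the output of `redis-cli INFO replication`, `redis-cli INFO modules` and the running config from each host; a hit in `replication_findings` or `module_findings` on an instance that is not meant to be a replica is worth treating as a live compromise rather than a misconfiguration.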
Automatically Finding Prompt Injection Attacks
Researchers have just published a paper showing how to automate the discovery of prompt injection attacks.
https://www.schneier.com/blog/archives/2023/07/automatically-finding-prompt-injection-attacks.html
WordPress Vulnerability & Patch Roundup July 2023
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
https://blog.sucuri.net/2023/07/wordpress-vulnerability-patch-roundup-july-2023.html
AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service
More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021.
https://thehackernews.com/2023/07/avrecon-botnet-leveraging-compromised.html
Apple iOS, Google Android Patch Zero-Days in July Security Updates
Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities.
https://www.wired.com/story/apple-google-microsoft-zero-day-fix-july-2023/
Exploiting the StackRot vulnerability
For those who are interested in the gory details of how the StackRot vulnerability works, Ruihan Li has posted a detailed writeup of the bug and how it can be exploited. As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period.
https://lwn.net/Articles/939542/
Selling your car? Beware of transactions handled via courier services or freight forwarders
They appear on all the common sales platforms: fraudulent inquiries. The person wants to buy your car without an inspection or any price negotiation, sends a copy of an ID card unprompted, and seems easy to deal with. But since the person is abroad and cannot collect the car, they commission a courier service. By this point at the latest, alarm bells should be ringing, because this is a scam!
https://www.watchlist-internet.at/news/sie-verkaufen-ihr-auto-vorsicht-bei-abwicklung-ueber-kurierdiensten-oder-speditionen/
Bypassing Windows UAC
Just came across a project on Twitter called Defeating Windows User Account Control, in which someone thinks through ways of bypassing Windows User Account Control. He has developed a small tool with which Windows User Account Control can be bypassed by abusing the built-in [...]
https://www.borncity.com/blog/2023/07/29/windows-uac-aushebeln/
CISA Releases Malware Analysis Reports on Barracuda Backdoors
CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero day as early as October 2022 to gain access to ESG appliances.
https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors
Vulnerabilities
CVE-2023-35081 - New Ivanti EPMM Vulnerability
During our thorough investigation of Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2023-35078 announced 23 July 2023, we have discovered additional vulnerabilities. We are reporting these vulnerabilities as CVE-2023-35081. As was the case with CVE-2023-35078, CVE-2023-35081 impacts all supported versions - Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.
https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability
WAGO: Bluetooth LE vulnerability in WLAN-ETHERNET-Gateway
https://cert.vde.com/de/advisories/VDE-2023-014/
WAGO: Multiple products prone to multiple vulnerabilities in e!Runtime / CODESYS V3 Runtime
https://cert.vde.com/de/advisories/VDE-2023-026/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/