Daily summary - 03.08.2023

End-of-Day report

Timeframe: Wednesday 02-08-2023 18:00 - Thursday 03-08-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a

News

Fake FlipperZero sites promise free devices after completing offer

A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer but only leads to shady browser extensions and scam sites.

https://www.bleepingcomputer.com/news/security/fake-flipperzero-sites-promise-free-devices-after-completing-offer/


Hackers can abuse Microsoft Office executables to download malware

The list of LOLBAS files - legitimate binaries and scripts present in Windows that can be abused for malicious purposes - will include the main executables for Microsoft's Outlook email client and Access database management system.

https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-office-executables-to-download-malware/


"Grossly negligent": Security problem has endangered Microsoft customers for months

A critical vulnerability in Azure AD that has been known to Microsoft since March still leaves countless further organisations vulnerable to cyberattacks today.

https://www.golem.de/news/grob-fahrlaessig-sicherheitsproblem-gefaehrdet-microsoft-kunden-seit-monaten-2308-176417.html


What's happening in the world of crimeware: Emotet, DarkGate and LokiBot

In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote.

https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/


New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3

Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/


Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers

In this guest blog from researcher Marcin Wiązowski, he details CVE-2023-21822 - a Use-After-Free (UAF) in win32kfull that could lead to a privilege escalation. The bug was reported through the ZDI program and later patched by Microsoft. Marcin has graciously provided this detailed write-up of the vulnerability, an examination of how it could be exploited, and a look at the patch Microsoft released to address the bug.

https://www.zerodayinitiative.com/blog/2023/8/1/exploiting-a-flaw-in-bitmap-handling-in-windows-user-mode-printer-drivers


Hook, Line, and Phishlet: Conquering AD FS with Evilginx

Recently, I was assigned to a red team engagement, and the client specifically requested a phishing simulation targeting their employees. The organisation utilises AD FS for federated single sign-on and has implemented Multi-Factor Authentication (MFA) as a company-wide policy. [..] Despite my efforts to find a detailed write-up on how to successfully phish a target where AD FS is being used, I couldn't find a technical post covering this topic. So I saw this as an opportunity to learn.

https://research.aurainfosec.io/pentest/hook-line-and-phishlet/


New Report: Medical Health Care Organizations Highly Vulnerable Due to Improper De-acquisition Processes

In Security Implications from Improper De-acquisition of Medical Infusion Pumps, Heiland performs a physical and technical teardown of more than a dozen medical infusion pumps - devices used to deliver and control fluids directly into a patient's body. Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organization's networks.

https://www.rapid7.com/blog/post/2023/08/02/security-implications-improper-deacquisition-medical-infusion-pumps/


MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis

The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely.

https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-technical-analysis/


Google Project Zero - Summary: MTE As Implemented

In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities. Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023.

https://googleprojectzero.blogspot.com/2023/08/summary-mte-as-implemented.html


Microsoft publishes TokenTheft playbook

Token theft can give attackers access to the corresponding services. Following such an incident, Microsoft has therefore published the so-called TokenTheft playbook. It is an online document with numerous recommendations for "cloud owners" who have to take care of security and protection against the theft of access tokens.

https://www.borncity.com/blog/2023/08/03/microsoft-verffentlicht-tokentheft-playbook/


BSI Newsletter SICHER INFORMIERT of 03.08.2023

GDPR - a blessing for IT security, vendors complain about patch fatigue, critical vulnerability endangers routers & the BSI at Gamescom

https://www.bsi.bund.de/SharedDocs/Newsletter/DE/BuergerCERT-Newsletter/16_Sicher-Informiert_03-08-2023.html


How Malicious Android Apps Slip Into Disguise

Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.

https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-disguise/


Watchlist Internet: Order our new brochure "Betrug im Internet: So schützen Sie sich"

With our new brochure "Betrug im Internet" we inform interested readers about the topics of online shopping, fraudulent messages, malware, phishing, advance-fee fraud and financial fraud. The free brochure can be downloaded or ordered from us.

https://www.watchlist-internet.at/news/bestellen-sie-unsere-neue-broschuere-betrug-im-internet-so-schuetzen-sie-sich/


Reptile Malware Targeting Linux Systems

Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile's concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic.

https://asec.ahnlab.com/en/55785/


2022 Top Routinely Exploited Vulnerabilities

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

Vulnerabilities

Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033

Security risk: Less critical

Description: This module enables you to add the Matomo web statistics tracking system to your website. The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.

https://www.drupal.org/sa-contrib-2023-033


CVE-2023-35082 - Remote Unauthenticated API Access Vulnerability in MobileIron Core 11.2 and older

A vulnerability has been discovered in MobileIron Core which affects version 11.2 and prior. [..] MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats.

https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US


CVE-2023-28130 - Command Injection in Check Point Gaia Portal

The parameter hostname in the web request /cgi-bin/hosts_dns.tcl is vulnerable to command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user 'Admin'.

https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-point-gaia-portal//


CVE-2023-31928 - XSS vulnerability in Brocade Webtools

A reflected cross-site scripting (XSS) vulnerability exists in Brocade Webtools PortSetting.html of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 that could allow a remote unauthenticated attacker to execute arbitrary JavaScript code in a target user's session with the Brocade Webtools application.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22390


CVE-2023-31927 - An information disclosure in the web interface of Brocade Fabric OS

An information disclosure in the web interface of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 and v9.1.1c could allow a remote unauthenticated attacker to obtain technical details about the web interface.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22389


CVE-2023-31926 - Arbitrary File Overwrite using less command

System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22388


CVE-2023-31432 - Privilege issues in multiple commands

Through manipulation of passwords or other variables, using commands such as portcfgupload, configupload, license, myid, a non-privileged user could obtain root privileges in Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c and v9.2.0.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22385


CVE-2023-31431 - A buffer overflow vulnerability in 'diagstatus' command

A buffer overflow vulnerability in the 'diagstatus' command in Brocade Fabric OS before Brocade Fabric OS v9.2.0 and v9.1.1c could allow an authenticated user to crash the Brocade Fabric OS switch, leading to a denial of service.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22384


CVE-2023-31430 - Buffer overflow vulnerability in 'secpolicydelete' command

A buffer overflow vulnerability in the 'secpolicydelete' command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 could allow an authenticated privileged user to crash the Brocade Fabric OS switch, leading to a denial of service.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22381


CVE-2023-31425 - Privilege escalation via the fosexec command

A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking out of the rbash shell. Starting with Fabric OS v9.1.0, 'root' account access is disabled.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22407


CVE-2023-31429 - Vulnerability in multiple commands

Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 contains a vulnerability when using various commands such as 'chassisdistribute', 'reboot', 'rasman', errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable that can cause the content of shell-interpreted variables to be printed in the terminal.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22408


CVE-2023-31427 - Knowledge of full path name

Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c and v9.2.0 could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, 'root' account access is disabled.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22379


CVE-2023-31428 - CLI allows upload or transfer files of dangerous types

Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under the user's home directory using grep.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22380


Security updates: Attackers can compromise Aruba switches (CVE-2023-3718)

Certain Aruba switch models are vulnerable. The developers have closed a security hole.

https://heise.de/-9233677


Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023)

Last week, there were 64 vulnerabilities disclosed in 66 WordPress plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database.

https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-july-24-2023-to-july-30-2023/


Security updates for Thursday

Security updates have been issued by Debian (linux-5.10), Red Hat (.NET 6.0 and iperf3), Slackware (openssl), SUSE (kernel, mariadb, poppler, and python-Django), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, maradns, openjdk-20, and vim).

https://lwn.net/Articles/940335/


CISA Releases Five Industrial Control Systems Advisories

- ICSA-23-215-01 Mitsubishi Electric GOT2000 and GOT SIMPLE
- ICSA-23-215-02 Mitsubishi Electric GT and GOT Series Products
- ICSA-23-215-03 TEL-STER TelWin SCADA WebInterface
- ICSA-23-215-04 Sensormatic Electronics VideoEdge
- ICSA-23-208-03 Mitsubishi Electric CNC Series

https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-releases-five-industrial-control-systems-advisories


Security vulnerability in various Canon inkjet printer models (SYSS-2023-011)

The Canon inkjet printer PIXMA TR4550 has a security vulnerability due to insufficient protection of sensitive data.

https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-verschiedenen-canon-inkjet-druckermodellen-syss-2023-011


[R1] Nessus Version 10.5.4 Fixes Multiple Vulnerabilities

Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.5.4 updates OpenSSL to version 3.0.10 to address the identified vulnerabilities.

https://www.tenable.com/security/tns-2023-27


Mozilla Releases Security Updates for Multiple Products

Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system.

https://www.cisa.gov/news-events/alerts/2023/08/02/mozilla-releases-security-updates-multiple-products


Cisco BroadWorks CommPilot Application Software Cross-Site Scripting Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-commpilot-xss-jC46sezF


Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-bypass-vXvqwzsj


Cisco Unified Communications Products Arbitrary File Read Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucm-file-read-h8h4HEJ3


CODESYS: Missing Brute-Force protection in CODESYS Development System

https://cert.vde.com/de/advisories/VDE-2023-023/


CODESYS: Control runtime system memory and integrity check vulnerabilities (CVE-2022-4046, CVE-2023-28355)

https://cert.vde.com/de/advisories/VDE-2023-025/


CODESYS: Vulnerability in CODESYS Development System allows execution of binaries

https://cert.vde.com/de/advisories/VDE-2023-021/


CODESYS: Missing integrity check in CODESYS Development System

https://cert.vde.com/de/advisories/VDE-2023-022/


Shelly 4PM Pro four-channel smart switch: Authentication Bypass via an out-of-bounds read vulnerability (CVE-2023-33383)

https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability


CODESYS: Multiple Vulnerabilities in CmpApp CmpAppBP and CmpAppForce

https://cert.vde.com/de/advisories/VDE-2023-019/