End-of-Day report
Timeframe: Donnerstag 03-08-2023 18:00 - Freitag 04-08-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
A Call to Action: Bolster UEFI Cybersecurity Now
Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode. [...] Adversaries have demonstrated that they already know how to exploit UEFI components for persistence, and they will only get better with practice. CISA encourages the UEFI community to pursue all the options discussed in this blog with vigor. And the work must start today.
https://www.cisa.gov/news-events/news/call-action-bolster-uefi-cybersecurity-now
Fake VMware vConnector package on PyPI targets IT pros
A malicious package that mimics the VMware vSphere connector module vConnector was uploaded on the Python Package Index (PyPI) under the name VMConnect, targeting IT professionals.
https://www.bleepingcomputer.com/news/security/fake-vmware-vconnector-package-on-pypi-targets-it-pros/
Midnight Blizzard conducts targeted social engineering over Microsoft Teams
Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM).
https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
From small LNK to large malicious BAT file with zero VT score, (Thu, Aug 3rd)
Last week, my spam trap caught an e-mail with LNK attachment, which turned out to be quite interesting.
https://isc.sans.edu/diary/rss/30094
Malicious npm Packages Found Exfiltrating Sensitive Data from Developers
Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," [...]
https://thehackernews.com/2023/08/malicious-npm-packages-found.html
Are Leaked Credentials Dumps Used by Attackers?
I-ve been watching dumps of leaked credentials for a long time. [...] But are these leaks used to try to get access to mailboxes (or other services)? [...] Conclusion: Even if the quality of these dumps is very poor, they are used a lot in the wild! This is a perfect example of why you must safely manage your credentials!
https://isc.sans.edu/diary/rss/30098
Handwerker:innen aufgepasst: Hier sollten Sie keine Werkzeuge kaufen!
Aktuell stoßen wir auf zahlreiche Fake-Shops, die Werkzeuge aller Art verkaufen. Allein in den letzten zwei Wochen haben wir mehr als 70 Online-Shops gefunden, die Werkzeuge anbieten - diese aber trotz Bezahlung nicht liefern.
https://www.watchlist-internet.at/news/handwerkerinnen-aufgepasst-hier-sollten-sie-keine-werkzeuge-kaufen/
Vulnerabilities
VMware VMSA-2023-0017 - VMware Horizon Server updates address multiple security vulnerabilities
- Request smuggling vulnerability (CVE-2023-34037), CVSSv3 base score of 5.3 - Information disclosure vulnerability (CVE-2023-34038), CVSSv3 base score of 5.3
https://www.vmware.com/security/advisories/VMSA-2023-0017.html
Mozilla VPN: CVE-2023-4104: Privileged vpndaemon on Linux wrongly and incompletely implements Polkit authentication
[...] it contains a privileged D-Bus service running as root and a Polkit policy. In the course of this review we noticed a broken and otherwise lacking Polkit authorization logic in the privileged `mozillavpn linuxdaemon` process. We publish this report today, because the maximum embargo period of 90 days we offer has been exceeded. Most of the issues mentioned in this report are currently not addressed by upstream, as is outlined in more detail below.
https://www.openwall.com/lists/oss-security/2023/08/03/1
Security updates for Friday
Security updates have been issued by CentOS (bind and kernel), Debian (cjose, firefox-esr, ntpsec, and python-django), Fedora (chromium, firefox, librsvg2, and webkitgtk), Red Hat (firefox), Scientific Linux (firefox and openssh), SUSE (go1.20, ImageMagick, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, kernel, openssl-1_1, pipewire, python-pip, and xtrans), and Ubuntu (cargo, rust-cargo, cpio, poppler, and xmltooling).
https://lwn.net/Articles/940481/
Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext
https://jvn.jp/en/jp/JVN38847224/
Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data
https://www.ibm.com/support/pages/node/7020316
Timing Oracle in RSA Decryption vulnerability might affect GSKit supplied with IBM TXSeries for Multiplatforms.
https://www.ibm.com/support/pages/node/7010369
IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query
https://www.ibm.com/support/pages/node/7010557
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Tensorflow vulnerabilities.
https://www.ibm.com/support/pages/node/7020364