Daily summary - 10.08.2023

End-of-Day report

Timeframe: Wednesday 09-08-2023 18:00 - Thursday 10-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a

News

Common TTPs of attacks against industrial organizations

In 2022 we investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems.

https://securelist.com/common-ttps-of-attacks-against-industrial-organizations/110319/


Cryptographic Flaw in Libbitcoin Explorer Cryptocurrency Wallet

Cryptographic flaws still matter. Here's a flaw in the random-number generator used to create private keys. The seed has only 32 bits of entropy. Seems like this flaw is being exploited in the wild.

https://www.schneier.com/blog/archives/2023/08/cryptographic-flaw-in-libbitcoin-explorer-cryptocurrency-wallet.html


Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives

Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies. According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations.

https://thehackernews.com/2023/08/cybercriminals-increasingly-using.html


New Statc Stealer Malware Emerges: Your Sensitive Data at Risk

A new information-stealing malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information. "Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week.

https://thehackernews.com/2023/08/new-statc-stealer-malware-emerges-your.html


CISA Analysis Report: MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors

CISA obtained four malware samples - including SEASPY and WHIRLPOOL backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).

https://www.cisa.gov/news-events/analysis-reports/ar23-221a


Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. An attacker must first obtain the ability to execute high-privileged code on the target environment in order to exploit this vulnerability. The specific flaw exists within the handling of certificates. The issue results from the exposure of a resource to the wrong control sphere. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

https://www.zerodayinitiative.com/advisories/ZDI-23-1056/


Some things never change - such as SQL Authentication "encryption"

Fat client applications running on (usually) Windows are still extremely common in enterprises. [..] "Traditional" fat client applications will most of the time connect directly to a database (again, since we're looking at Windows environments primarily here, this will most of the time be a Microsoft SQL Server database). [..] Finally, how do we prevent this? Well, one solution is easy - do not use SQL Server authentication but instead have users use their Windows credentials.

https://isc.sans.edu/diary/rss/30112


Honeypot: Researchers lured hackers into more than 20,000 RDP sessions

The security researchers plan to publish a series of blog posts over the coming months in which they will explain in more detail the strategies and tools of the observed hackers. The findings are primarily intended to help law enforcement and other security experts develop effective defence strategies against cyberattacks and to advance investigations against criminal actors more quickly in the future.

https://www.golem.de/news/honeypot-forscher-lockten-hacker-in-ueber-20-000-rdp-sitzungen-2308-176646.html


Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization

Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. [..] This article demonstrates an additional native functionality that, when leveraged by an attacker, enables persistent access to a Microsoft cloud tenant and lateral movement.

https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html


A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition

Team82 today shares some details about a unique attack technique that could allow an attacker to impersonate Western Digital (WD) network-attached storage (NAS) devices. [..] Western Digital has provided firmware updates for all affected devices and also released advisories (here, here, here). Connected devices have been updated automatically. Any device yet to be updated has been banned by WD from connecting to the MyCloud service until it's running the current firmware version.

https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-connectivity-to-pwn-your-nas-wd-pr4100-edition


A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition

Team82 has developed a unique technique that allowed us to impersonate Synology's DS920+ network-attached storage device and force its QuickConnect cloud service to redirect users to an attacker-controlled device. Synology, a top-tier NAS vendor, has addressed the vulnerabilities we uncovered, and has updated its cloud service to protect its users. [..] We uncovered not only credential theft flaws, but also remote code execution vulnerabilities [..]

https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-connectivity-to-pwn-your-nas-synology-ds920-edition


Smashing the state machine: the true potential of web race conditions

For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this paper, I'll introduce new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with.

https://portswigger.net/research/smashing-the-state-machine?


Wordfence Intelligence Weekly WordPress Vulnerability Report (July 31, 2023 to August 6, 2023)

Last week, there were 29 vulnerabilities disclosed in 24 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 18 Vulnerability Researchers that contributed to WordPress Security last week.

https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-july-31-2023-to-august-6-2023/


Warning: smishing wave targeting online banking in circulation!

Numerous readers are currently reporting an SMS to us that is being sent in the name of various banks. The criminals claim that "your George registration", "your Bawag Security App" or "your Mein-Elba registration" is expiring. The "legitimation" can supposedly be renewed with a click on a link. Anyone who clicks the enclosed link is asked to enter banking details and other personal data. Ignore these SMS messages and do not disclose any data.

https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-banking-im-umlauf/


A deep dive into the ESXiArgs ransomware campaign

Since this incident now lies some way in the past, things have quieted down around it. However, there are quite a few interesting aspects that, at least as far as I know, have not yet been reported in this form.

https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kampagne


Mac systems turned into proxy exit nodes by AdLoad

AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs' investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning macOS AdLoad victims into a giant residential proxy botnet.

https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload

Vulnerabilities

Multiple Vulnerabilities in Nextcloud/Nextcloud Enterprise/Nextcloud Talk Android app

High severity:
- Missing password confirmation when creating app passwords, CVSS 8.1
- Path traversal allows tricking the Talk Android app into writing files into its root directory, CVSS 7.2
- Users can delete external storage mount points, CVSS 7.7
3x moderate severity, 4x low severity

https://github.com/nextcloud/security-advisories/security


Multiple Vulnerabilities in Softing edgeAggregator/Secure Integration Server/edgeConnector Siemens

CVE-2023-27335/CVSS 8.8, CVE-2023-38126/CVSS 7.2, CVE-2023-38125/CVSS 7.5, CVE-2023-39478/CVSS 6.6, CVE-2023-39479/CVSS 6.6, CVE-2023-39480/CVSS 4.4, CVE-2023-39481/CVSS 6.6, CVE-2023-39482/CVSS 4.9, CVE-2023-27336/CVSS 7.5, CVE-2023-27334/CVSS 7.5, CVE-2023-29377/CVSS 6.6

https://www.zerodayinitiative.com/advisories/published/


Video meeting applications: Zoom hardens products against possible attacks

Important security updates, including for the Zoom Windows client, close several vulnerabilities.

https://heise.de/-9240044


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr), Fedora (chromium, kernel, krb5, and rust), and Ubuntu (graphite-web and velocity).

https://lwn.net/Articles/941082/


Vulnerability in IBM® Java SDK affects IBM Liberty for Java for IBM Cloud due to CVE-2022-40609

https://www.ibm.com/support/pages/node/7024969