End-of-Day report
Timeframe: Thursday 17-08-2023 18:00 - Friday 18-08-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
"Your refund is available online": phishing email in the name of oesterreich.gv.at
Numerous readers are currently reporting a fraudulent email sent in the name of oesterreich.gv.at. The email claims that a refund of 176.88 euros is pending. Warning: criminals are behind this!
https://www.watchlist-internet.at/news/ihre-rueckerstattung-ist-online-verfuegbar-phishing-mail-im-namen-von-oesterreichgvat/
Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom
Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the RemCom hacking tool, both enabling lateral movement across a breached network.
https://www.bleepingcomputer.com/news/microsoft/microsoft-blackcats-sphynx-ransomware-embeds-impacket-remcom/
From a Zalando Phishing to a RAT, (Fri, Aug 18th)
Phishing remains a lucrative threat. We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc.). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German online retailer of shoes and fashion operating across Europe. It was the first time that I saw them used in a phishing campaign.
https://isc.sans.edu/diary/rss/30136
Critical Security Update for Magento Open Source & Adobe Commerce
Last week on August 8th, 2023, Adobe released a critical security patch for Adobe Commerce and the Magento Open Source CMS. The patch provides fixes for three vulnerabilities which affect the popular ecommerce platforms. Successful exploitation could lead to arbitrary code execution, privilege escalation and arbitrary file system read.
https://blog.sucuri.net/2023/08/critical-security-update-for-magento-adobe-commerce.html
New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools
Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's [...]
https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.html
Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams
[...] another 3 years have gone by and this campaign is still going as if nothing has happened. The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts. [...] This blog post summarizes our latest findings and provides indicators of compromise that may be helpful to the security community.
https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2
Recapping the top stories from Black Hat and DEF CON
If you're in the same boat as me and couldn't attend Black Hat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.
https://blog.talosintelligence.com/threat-source-newsletter-aug-17-2023/
NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security
A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News. "Running as 'NT AUTHORITY\SYSTEM' is required."
https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html
Commentary on the Azure master key theft: Microsoft's reaction is revealing
Microsoft let a signing key for Azure get stolen. The full extent of the attack is still unclear. That is irresponsible, comments Oliver Diedrich.
https://heise.de/-9258697
Fake booking page for the Hotel Regina
Are you planning a holiday in Vienna? Be careful if you want to book the Hotel Regina. Criminals have put a fake booking page online. The web address of the fraudulent booking page is regina-hotel-vienna.h-rez.com. If you book there, criminals will steal your personal data and credit card details.
https://www.watchlist-internet.at/news/gefaelschte-buchungsseite-vom-hotel-regina/
Vulnerabilities
2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution
Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability. By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices. CVE IDs: CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution
K30444545 : libxslt vulnerability CVE-2019-11068
https://my.f5.com/manage/s/article/K30444545
IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7027948
IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7027944
Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote information transfer due to CouchDB CVE-2023-26268
https://www.ibm.com/support/pages/node/7028066
Multiple vulnerabilities affect IBM SDK, Java Technology Edition
https://www.ibm.com/support/pages/node/7028074
Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights
https://www.ibm.com/support/pages/node/7028087
A security vulnerability has been identified in Apache POI, which is vulnerable to denial of service (CVE-2017-5644)
https://www.ibm.com/support/pages/node/711741
AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python
https://www.ibm.com/support/pages/node/7028095
The RESTEasy component used by IBM Maximo Application Suite is vulnerable to CVE-2023-0482
https://www.ibm.com/support/pages/node/7028099
The netplex json-smart-v2 component used by IBM Maximo Application Suite is vulnerable to CVE-2023-1370
https://www.ibm.com/support/pages/node/7028097