End-of-Day report
Timeframe: Friday 18-08-2023 18:00 - Monday 21-08-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
The Week in Ransomware - August 18th 2023 - LockBit on Thin Ice
While there was quite a bit of ransomware news this week, the highlighted story was the release of Jon DiMaggio's third article in the Ransomware Diaries series, with the focus of this article on the LockBit ransomware operation.
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-18th-2023-lockbit-on-thin-ice/
WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams
Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that's engineered to conduct tech support scams. The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks [..]
https://thehackernews.com/2023/08/wooflocker-toolkit-hides-malicious.html
How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes
From a user's perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you're seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments.
https://thehackernews.com/2023/08/how-to-investigate-oauth-grant-for.html
Journey into Windows Kernel Exploitation: The Basics
This blogpost embarks on the initial stages of kernel exploitation. The content serves as an introduction, leading to an imminent and comprehensive whitepaper centered around this subject matter. Through this, a foundation is laid for understanding how kernel drivers are developed, as well as basic understanding around key concepts that will be instrumental to comprehending the paper itself.
https://blog.neuvik.com/journey-into-windows-kernel-exploitation-the-basics-fff72116ca33
mTLS: When certificate authentication is done wrong
In this post, we'll deep dive into some interesting attacks on mTLS authentication. We'll have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation, and information leakages.
https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
ScienceLogic Dumpster Fire
In the last email correspondence with the vendor, nearly 9 months ago, the security director asserted that the vulnerabilities were addressed. However, they remained reluctant to proceed with CVE issuance. Considering the extensive duration that's transpired, we opted to independently proceed with CVE issuance and disclosure. As a result, the vulnerabilities we identified are logged as CVE-2022-48580 through CVE-2022-48604.
https://www.securifera.com/blog/2023/08/16/sciencelogic-dumpster-fire/
Volatility Workbench: Empowering memory forensics investigations
Memory forensics plays a crucial role in digital investigations, allowing forensic analysts to extract valuable information from a computer's volatile memory. Two popular tools in this field are Volatility Workbench and Volatility Framework. This article aims to compare and explore these tools, highlighting their features and differences to help investigators choose the right one for their needs.
https://cybersecurity.att.com/blogs/security-essentials/volatility-workbench-empowering-memory-forensics-investigations
Beware of investment tips from Telegram groups
Numerous Telegram groups such as "Didi Random", "Glück liebt Geld" or "Geld-Leuchtturm" promise quick riches. In these groups you receive supposed investment tips, success stories from investors and contacts to "finance gurus" who will help you invest your money. If you invest on the recommended platforms, you lose a lot of money!
https://www.watchlist-internet.at/news/vorsicht-vor-investment-tipps-aus-telegram-gruppen/
Vulnerabilities
WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting (CVE-2023-40068)
Description: WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79).
Impact: An arbitrary script may be executed on the web browser of the user who is logging in to the product with the editor or higher privilege.
https://jvn.jp/en/jp/JVN98946408/
Multiple vulnerabilities in LuxCal Web Calendar
Impact:
- An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-39543
- A remote attacker may execute arbitrary queries against the database and obtain or alter the information in it - CVE-2023-39939
https://jvn.jp/en/jp/JVN04876736/
CD_SVA_2023_3: Wibu Systems - CodeMeter Runtime - security vulnerability addressed
A report has been received for the following security vulnerability in the zenon software platform: CVE-2023-3935 Further details regarding the vulnerability, mitigation options and product fixes that may be available, can be found in [...]
https://selfservice.copadata.com/portal/en/kb/articles/cd-sva-2023-3-wibu-systems-codemeter-runtime-security-vulnerabilties-addressed-17-8-2023
CVE-2023-38035 - Vulnerability affecting Ivanti Sentry
A vulnerability has been discovered in Ivanti Sentry, formerly MobileIron Sentry. We have reported this as CVE-2023-38035. This vulnerability impacts all supported versions - versions 9.18, 9.17 and 9.16. Older versions/releases are also at risk. This vulnerability does not affect other Ivanti products or solutions [..] While the issue has a high CVSS score, there is low risk of exploitation for customers who do not expose 8443 to the internet.
https://www.ivanti.com/blog/cve-2023-38035-vulnerability-affecting-ivanti-sentry
Update already rolled out: Critical hole in WinRAR allowed code execution
Older versions of the widely used compression tool WinRAR contained a severe vulnerability that allowed arbitrary code execution. The current version closes it.
https://heise.de/-9268105
Security updates for Monday
Security updates have been issued by Debian (fastdds, flask, and kernel), Fedora (chromium, dotnet6.0, dotnet7.0, gerbv, java-1.8.0-openjdk, libreswan, procps-ng, and spectre-meltdown-checker), SUSE (chromium, kernel-firmware, krb5, opensuse-welcome, and python-mitmproxy), and Ubuntu (clamav, firefox, and vim).
https://lwn.net/Articles/942311/
GraphQL Java component used by IBM Maximo Application Suite is vulnerable to CVE-2023-28867
https://www.ibm.com/support/pages/node/7028108
Google Guava component used by IBM Maximo Application Suite is vulnerable to CVE-2023-2976
https://www.ibm.com/support/pages/node/7028091
Multiple Vulnerabilities Affecting IBM Watson Machine Learning Accelerator
https://www.ibm.com/support/pages/node/7028166
IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to denial of service, availability, integrity, and confidentiality impacts due to multiple vulnerabilities.
https://www.ibm.com/support/pages/node/7028168
IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-2454)
https://www.ibm.com/support/pages/node/7028185
A security vulnerability in Microsoft.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2023-29331).
https://www.ibm.com/support/pages/node/7026762