Daily summary - 24.08.2023

End-of-Day report

Timeframe: Wednesday 23-08-2023 18:00 - Thursday 24-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer

News

New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute

The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected system's position by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," [...]

https://thehackernews.com/2023/08/new-whiffy-recon-malware-triangulates.html


Using LLMs to reverse JavaScript variable name minification

This blog introduces a novel way to reverse minified JavaScript using large language models (LLMs) like ChatGPT and llama2 while keeping the code semantically intact. The code is open source and available on GitHub.

https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification


Microsoft: Windows update previews protect against the Downfall CPU flaw

Microsoft has released the previews of the September Windows updates. They include mitigations for the Downfall Intel CPU vulnerability.

https://heise.de/-9283485


FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective

The Federal Bureau of Investigation says that the patches released for a recent Barracuda Email Security Gateway (ESG) vulnerability were not effective, advising organizations to "remove all ESG appliances immediately".

https://www.securityweek.com/fbi-patches-for-recent-barracuda-esg-zero-day-ineffective/


Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

https://blog.talosintelligence.com/lazarus-quiterat/


Tunnel Warfare: Exposing DNS Tunneling Campaigns using Generative Models - CoinLoader Case Study

In this blog post, we provide a deep dive into Check Point's ongoing use of such a model to sweep across this haystack, and routinely thwart malicious campaigns abusing the DNS protocol to communicate with C&C servers. We focus on one such campaign, of CoinLoader, and lay out its infrastructure as well as an in-depth technical analysis of its DNS tunnelling functionality.

https://research.checkpoint.com/2023/tunnel-warfare-exposing-dns-tunneling-campaigns-using-generative-models-coinloader-case-study/

Vulnerabilities

Security updates: DoS attacks on Cisco firewalls and switches possible

Attackers can knock Cisco devices offline via DoS attacks. The network equipment vendor has released security patches.

https://heise.de/-9283445


Security Advisories for Drupal contributed projects

* Config Pages - Moderately critical - Information Disclosure
* Shorthand - Critical - Access bypass
* SafeDelete - Moderately critical - Access bypass
* Data field - Moderately critical - Access bypass
* ACL - Critical - Arbitrary PHP code execution
* Forum Access - Critical - Arbitrary PHP code execution
* Flexi Access - Critical - Arbitrary PHP code execution

https://www.drupal.org/security/contrib


CVE-2023-35150: Arbitrary Code Injection in XWiki.org XWiki

[..] detail a recently patched remote code execution vulnerability in the XWiki free wiki software platform. This bug was originally discovered by Michael Hamann with public Proof-of-Concept (PoC) code provided by Manuel Leduc. Successful exploitation of this vulnerability would allow an authenticated attacker to perform an arbitrary code injection on affected systems.

https://www.zerodayinitiative.com/blog/2023/8/22/cve-2023-35150-arbitrary-code-injection-in-xwikiorg-xwiki


Security updates for Thursday

Security updates have been issued by Debian (w3m), Fedora (libqb), Mageia (docker-containerd, kernel, kernel-linus, microcode, php, redis, and samba), Oracle (kernel, kernel-container, and openssh), Scientific Linux (subscription-manager), SUSE (ca-certificates-mozilla, erlang, gawk, gstreamer-plugins-base, indent, java-1_8_0-ibm, kernel, kernel-firmware, krb5, libcares2, nodejs14, nodejs16, openssl-1_1, openssl-3, poppler, postfix, redis, webkit2gtk3, and xen), and Ubuntu (php8.1).

https://lwn.net/Articles/942654/


Synology-SA-23:12 Synology SSL VPN Client

https://www.synology.com/en-global/support/security/Synology_SA_23_12


MISP 2.4.175 released with various bugs fixed, improvements and security fixes.

https://www.misp-project.org/2023/08/24/MISP.2.4.175.released.html/


OPTO 22 SNAP PAC S1

https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-02


CODESYS Development System

https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-03


CODESYS Development System

https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-04


CODESYS Development System

https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-05


Rockwell Automation Input/Output Modules

https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-06


KNX Protocol

https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-01


Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2023 CPU

https://www.ibm.com/support/pages/node/7028350


IBM Security Guardium is affected by multiple vulnerabilities

https://www.ibm.com/support/pages/node/7028511


IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437)

https://www.ibm.com/support/pages/node/7028506


IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2022-43904)

https://www.ibm.com/support/pages/node/7028509


IBM Security Guardium is affected by an SQL Injection vulnerability (CVE-2023-33852)

https://www.ibm.com/support/pages/node/7028514


IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740)

https://www.ibm.com/support/pages/node/7028513


AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python

https://www.ibm.com/support/pages/node/7028095


IBM Elastic Storage System is affected by a vulnerability in OpenSSL (CVE-2022-4304)

https://www.ibm.com/support/pages/node/7028709


IBM Data Risk Manager is affected by multiple vulnerabilities

https://www.ibm.com/support/pages/node/7028713


IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality due to [CVE-2023-26268]

https://www.ibm.com/support/pages/node/7028728


IBM App Connect Enterprise Certified Container operands that use the Box or Snowflake connectors are vulnerable to arbitrary code execution due to [CVE-2023-37466], [CVE-2023-37903]

https://www.ibm.com/support/pages/node/7028727