Tageszusammenfassung - 31.08.2023

End-of-Day report

Timeframe: Mittwoch 30-08-2023 18:00 - Donnerstag 31-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner

News

MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature

A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud."The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques [..]

https://thehackernews.com/2023/08/mmrat-android-trojan-executes-remote.html


North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Three additional malicious Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors.The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro.

https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html


CISA and FBI Publish Joint Advisory on QakBot Infrastructure

CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections.

https://www.cisa.gov/news-events/alerts/2023/08/30/cisa-and-fbi-publish-joint-advisory-qakbot-infrastructure


Converting Tokens to Session Cookies for Outlook Web Application

More and more organizations are adopting cloud-based solutions and federating with various identity providers. As these deployments increase in complexity, ensuring that Conditional Access Policies (CAPs) always act as expected can become a challenge. Today, we will share a technique weve been using to gain access to Outlook Web Application (OWA) in a browser by utilizing Bearer and Refresh tokens for the outlook.office365.com or outlook.office.com endpoints.

https://labs.lares.com/owa-cap-bypass/


Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework

Starting with Windows Server 2016, Microsoft released its own version of this solution, Windows Containers, which offers process and Hyper-V isolation modes. The presentation covered the basics of Windows containers, broke down its file system isolation framework, reverse-engineered its main mini-filter driver, and detailed how it can be utilized and manipulated by a bad actor to bypass EDR products in multiple domains.

https://www.deepinstinct.com/blog/contain-yourself-staying-undetected-using-the-windows-container-isolation-framework


NosyMonkey: API hooking and code injection made easy

As a researcher I often run into situations in which I need to make a compiled binary do things that it wouldn-t normally do or change the way it works in some way. [..] Enter, NosyMonkey: a library to inject code and place hooks that does almost everything for you. No need to write complicated ASM shellcode, or even think about allocating code, hot patching and other dirty business.

https://www.anvilsecure.com/blog/nosymonkey.html


Bypassing Defender-s LSASS dump detection and PPL protection In Go

This blog reviews the technique that can be used to bypass Protected Process Light protection for any Windows process using theProcess Explorer driver and explores methods to bypass Windows Defender-s signature-based mechanisms for process dump detection. The tool introduced in this blog (PPLBlade), is written entirely in GO and can be used as a POC for the techniques overviewed below.

https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-and-ppl-protection-in-go-7dd85d9a32e6


Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows

In today-s post, we look at action pinning, one of the profound mitigations against supply chain attacks in the GitHub Actions ecosystem. It turns out, though, that action pinning comes with a downside - a pitfall we call "unpinnable actions" that allows attackers to execute code in GitHub Actions workflows.

https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/


Trojanized Signal, Telegram apps found on Google Play, Samsung Galaxy Store

ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications [..]

https://www.helpnetsecurity.com/2023/08/31/fake-signal-telegram-apps/


Infamous Chisel Malware Analysis Report

Infamous Chisel is a collection of components targeting Android devices.This malware is associated with Sandworm activity.It performs periodic scanning of files and network information for exfiltration.System and application configuration files are exfiltrated from an infected device.

https://www.cisa.gov/news-events/analysis-reports/ar23-243a


A Deep Dive into Brute Ratel C4 payloads

Summary Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we-re presenting a technical analysis of a Brute Ratel badger/agent that doesn-t implement all the recent features of the framework.

https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/

Vulnerabilities

WordPress migration add-on flaw could lead to data breaches

All-in-One WP Migration, a popular data migration plugin for WordPress sites that has 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.

https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-flaw-could-lead-to-data-breaches/


Wordpress: Cloud-Extensions für Migrationstool ermöglichen Datenklau

Die Box-, Google-Drive-, Onedrive- und Dropbox-Erweiterungen für ein weitverbreitetes Wordpress-Migrations-Plug-in sind anfällig für Datenklau.

https://www.golem.de/news/wordpress-cloud-extensions-fuer-migrationstool-ermoeglichen-datenklau-2308-177253.html


Drupal: Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041

This module makes PatternLab's custom Twig functions available to Drupal theming. The module's included examples don't sufficiently filter data. This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.

https://www.drupal.org/sa-contrib-2023-041


Drupal: Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesnt sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.

https://www.drupal.org/sa-contrib-2023-042


CISA Releases Four Industrial Control Systems Advisories

* ICSA-23-243-01 ARDEREG Sistemas SCADA, CVE-2023-4485 * ICSA-23-243-02 GE Digital CIMPLICITY, CVE-2023-4487 * ICSA-23-243-03 PTC Kepware KepServerEX, CVE-2023-29444, CVE-2023-29445, CVE-2023-29446, CVE-2023-29447 * ICSA-23-243-04 Digi RealPort Protocol, CVE-2023-4299

https://www.cisa.gov/news-events/alerts/2023/08/31/cisa-releases-four-industrial-control-systems-advisories


Sicherheitsupdates: Schadcode-Attacken auf Aruba-Switches möglich

Verschiedene Switch-Modelle von Aruba sind verwundbar. Abgesicherte Ausgaben von ArubaOS schaffen Abhilfe.

https://heise.de/-9290375


Big Data: Splunk dichtet hochriskante Lücken ab

Die Big-Data-Experten von Splunk haben aktualisierte Software bereitgestellt, die teils hochriskante Schwachstellen in der Analysesoftware ausbessert.

https://heise.de/-9290325


VMware Tools: Schwachstelle ermöglicht Angreifern unbefugte Aktionen in Gästen

VMware warnt vor einer Sicherheitslücke in VMware Tools. Sie ermöglicht eine Man-in-the-Middle-Attacke auf Gastsysteme.

https://heise.de/-9290783


Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023)

Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week.

https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-august-21-2023-to-august-27-2023/


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr, json-c, opendmarc, and otrs2), Red Hat (java-1.8.0-ibm and kpatch-patch), Scientific Linux (kernel), Slackware (mozilla), SUSE (haproxy, php7, vim, and xen), and Ubuntu (elfutils, frr, and linux-gcp, linux-starfive).

https://lwn.net/Articles/943192/


Mozilla Releases Security Updates for Firefox and Firefox ESR

Mozilla has released security updates to address vulnerabilities for Firefox 117, Firefox ESR 115.2, and Firefox ESR 102.15. A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.

https://www.cisa.gov/news-events/alerts/2023/08/30/mozilla-releases-security-updates-firefox-and-firefox-esr


Weitere Windows-Rechteausweitung über Razer Synapse (SYSS-2023-002)

In Razer Synapse kann über eine Time-of-check Time-of-use Race Condition die Überprüfung fremder Bibliotheken durch den Dienst überlistet werden.

https://www.syss.de/pentest-blog/weitere-windows-rechteausweitung-ueber-razer-synapse-syss-2023-002


Cisco Unified Communications Products Privilege Escalation Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg


Multiple vulnerabilities in IBM Storage Defender Data Protect

https://www.ibm.com/support/pages/node/7029861


Security Vulnerability in the IBM Java Runtime Environment (JRE) affect the 3592 Enterprise Tape Controller

https://www.ibm.com/support/pages/node/691223


Vulnerability in SSLv3 affects IBM System Storage Tape Controller 3592 Model C07 (CVE-2014-3566)

https://www.ibm.com/support/pages/node/690117


IBM Java Runtime (JRE) security vulnerabilities CVE-2022-21426 in FileNet Content Manager

https://www.ibm.com/support/pages/node/6983442


Security vulnerability in IBM Java Object Request Broker (ORB) in FileNet Content Manager

https://www.ibm.com/support/pages/node/7027874


IBM Java Runtime (JRE) security vulnerabilities CVE-2023-21830, CVE-2023-21843 in FileNet Content Manager

https://www.ibm.com/support/pages/node/6983440


Multiple Security vulnerabilities in IBM Java in FileNet Content Manager

https://www.ibm.com/support/pages/node/7001699


IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities

https://www.ibm.com/support/pages/node/7029864


TADDM affected by vulnerability due to IBM Java and its runtime

https://www.ibm.com/support/pages/node/7029984


Due to use of Mozilla Firefox, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities.

https://www.ibm.com/support/pages/node/7029986


Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are used in IBM Security Guardium Key Lifecycle Manager

https://www.ibm.com/support/pages/node/7006475


A vulnerability in Microsoft ASP.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2022-29117)

https://www.ibm.com/support/pages/node/7029527


A vulnerability in Microsoft Azure SDK for .NET affects IBM Robotic Process Automation and could allow a remote authenticated attacker to obtain sensitive information (CVE-2022-26907).

https://www.ibm.com/support/pages/node/7029524


Multiple security vulnerabilities affect IBM Robotic Process Automation

https://www.ibm.com/support/pages/node/7026754


A vulnerability in MicrosoftAspNetCore.Identity affects IBM Robotic Process Automation and may result in allowing an attacker to bypass secrity restrictions (CVE-2023-33170).

https://www.ibm.com/support/pages/node/7029540


Multiple security vulnerabilities in Java affect IBM Robotic Process Automation

https://www.ibm.com/support/pages/node/7026758


IBM Security Guardium is affected by an Hazardous Input Validation vulnerability (CVE-2022-43903)

https://www.ibm.com/support/pages/node/7030110


IBM MQ is affected by OpenSSL vulnerability (CVE-2023-2650)

https://www.ibm.com/support/pages/node/7030100


IBM MQ is affected by a sensitive information disclosure vulnerability (CVE-2023-28514)

https://www.ibm.com/support/pages/node/7030101


IBM MQ is affected by a denial of service vulnerability (CVE-2023-28513)

https://www.ibm.com/support/pages/node/7030102


IBM MQ is vulnerable to a denial of service attack (CVE-2023-26285)

https://www.ibm.com/support/pages/node/7030103


IBM Edge Application Manager 4.5.2 addresses the security vulnerabilities listed in the CVEs below.

https://www.ibm.com/support/pages/node/7030159