End-of-Day report
Timeframe: Wednesday 30-08-2023 18:00 - Thursday 31-08-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature
A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud. "The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques [..]
https://thehackernews.com/2023/08/mmrat-android-trojan-executes-remote.html
North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository
Three additional malicious Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro.
https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html
CISA and FBI Publish Joint Advisory on QakBot Infrastructure
CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections.
https://www.cisa.gov/news-events/alerts/2023/08/30/cisa-and-fbi-publish-joint-advisory-qakbot-infrastructure
Converting Tokens to Session Cookies for Outlook Web Application
More and more organizations are adopting cloud-based solutions and federating with various identity providers. As these deployments increase in complexity, ensuring that Conditional Access Policies (CAPs) always act as expected can become a challenge. Today, we will share a technique we've been using to gain access to Outlook Web Application (OWA) in a browser by utilizing Bearer and Refresh tokens for the outlook.office365.com or outlook.office.com endpoints.
https://labs.lares.com/owa-cap-bypass/
Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework
Starting with Windows Server 2016, Microsoft released its own version of this solution, Windows Containers, which offers process and Hyper-V isolation modes. The presentation covered the basics of Windows containers, broke down its file system isolation framework, reverse-engineered its main mini-filter driver, and detailed how it can be utilized and manipulated by a bad actor to bypass EDR products in multiple domains.
https://www.deepinstinct.com/blog/contain-yourself-staying-undetected-using-the-windows-container-isolation-framework
NosyMonkey: API hooking and code injection made easy
As a researcher I often run into situations in which I need to make a compiled binary do things that it wouldn't normally do or change the way it works in some way. [..] Enter, NosyMonkey: a library to inject code and place hooks that does almost everything for you. No need to write complicated ASM shellcode, or even think about allocating code, hot patching and other dirty business.
https://www.anvilsecure.com/blog/nosymonkey.html
Bypassing Defender's LSASS dump detection and PPL protection In Go
This blog reviews the technique that can be used to bypass Protected Process Light protection for any Windows process using the Process Explorer driver and explores methods to bypass Windows Defender's signature-based mechanisms for process dump detection. The tool introduced in this blog (PPLBlade), is written entirely in Go and can be used as a POC for the techniques overviewed below.
https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-and-ppl-protection-in-go-7dd85d9a32e6
Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows
In today's post, we look at action pinning, one of the profound mitigations against supply chain attacks in the GitHub Actions ecosystem. It turns out, though, that action pinning comes with a downside - a pitfall we call "unpinnable actions" that allows attackers to execute code in GitHub Actions workflows.
https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/
Trojanized Signal, Telegram apps found on Google Play, Samsung Galaxy Store
ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications [..]
https://www.helpnetsecurity.com/2023/08/31/fake-signal-telegram-apps/
Infamous Chisel Malware Analysis Report
Infamous Chisel is a collection of components targeting Android devices. This malware is associated with Sandworm activity. It performs periodic scanning of files and network information for exfiltration. System and application configuration files are exfiltrated from an infected device.
https://www.cisa.gov/news-events/analysis-reports/ar23-243a
A Deep Dive into Brute Ratel C4 payloads
Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we're presenting a technical analysis of a Brute Ratel badger/agent that doesn't implement all the recent features of the framework.
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
Vulnerabilities
WordPress migration add-on flaw could lead to data breaches
All-in-One WP Migration, a popular data migration plugin for WordPress sites that has 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.
https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-flaw-could-lead-to-data-breaches/
WordPress: Cloud extensions for migration tool enable data theft
The Box, Google Drive, OneDrive and Dropbox extensions for a widely used WordPress migration plug-in are vulnerable to data theft.
https://www.golem.de/news/wordpress-cloud-extensions-fuer-migrationstool-ermoeglichen-datenklau-2308-177253.html
Drupal: Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041
This module makes PatternLab's custom Twig functions available to Drupal theming.
The module's included examples don't sufficiently filter data.
This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme.
https://www.drupal.org/sa-contrib-2023-041
Drupal: Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042
This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site.
https://www.drupal.org/sa-contrib-2023-042
CISA Releases Four Industrial Control Systems Advisories
* ICSA-23-243-01 ARDEREG Sistemas SCADA, CVE-2023-4485
* ICSA-23-243-02 GE Digital CIMPLICITY, CVE-2023-4487
* ICSA-23-243-03 PTC Kepware KepServerEX, CVE-2023-29444, CVE-2023-29445, CVE-2023-29446, CVE-2023-29447
* ICSA-23-243-04 Digi RealPort Protocol, CVE-2023-4299
https://www.cisa.gov/news-events/alerts/2023/08/31/cisa-releases-four-industrial-control-systems-advisories
Security updates: Malicious code attacks on Aruba switches possible
Various switch models from Aruba are vulnerable. Patched versions of ArubaOS provide a remedy.
https://heise.de/-9290375
Big Data: Splunk plugs high-risk vulnerabilities
The big-data specialists at Splunk have released updated software that fixes vulnerabilities, some of them high-risk, in the analytics software.
https://heise.de/-9290325
VMware Tools: Vulnerability allows attackers unauthorized actions in guests
VMware warns of a security vulnerability in VMware Tools. It enables a man-in-the-middle attack on guest systems.
https://heise.de/-9290783
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023)
Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week.
https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-august-21-2023-to-august-27-2023/
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, json-c, opendmarc, and otrs2), Red Hat (java-1.8.0-ibm and kpatch-patch), Scientific Linux (kernel), Slackware (mozilla), SUSE (haproxy, php7, vim, and xen), and Ubuntu (elfutils, frr, and linux-gcp, linux-starfive).
https://lwn.net/Articles/943192/
Mozilla Releases Security Updates for Firefox and Firefox ESR
Mozilla has released security updates to address vulnerabilities for Firefox 117, Firefox ESR 115.2, and Firefox ESR 102.15. A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.
https://www.cisa.gov/news-events/alerts/2023/08/30/mozilla-releases-security-updates-firefox-and-firefox-esr
Further Windows privilege escalation via Razer Synapse (SYSS-2023-002)
In Razer Synapse, a time-of-check time-of-use race condition can be used to trick the service's verification of third-party libraries.
https://www.syss.de/pentest-blog/weitere-windows-rechteausweitung-ueber-razer-synapse-syss-2023-002
Cisco Unified Communications Products Privilege Escalation Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg
Multiple vulnerabilities in IBM Storage Defender Data Protect
https://www.ibm.com/support/pages/node/7029861
Security Vulnerability in the IBM Java Runtime Environment (JRE) affect the 3592 Enterprise Tape Controller
https://www.ibm.com/support/pages/node/691223
Vulnerability in SSLv3 affects IBM System Storage Tape Controller 3592 Model C07 (CVE-2014-3566)
https://www.ibm.com/support/pages/node/690117
IBM Java Runtime (JRE) security vulnerabilities CVE-2022-21426 in FileNet Content Manager
https://www.ibm.com/support/pages/node/6983442
Security vulnerability in IBM Java Object Request Broker (ORB) in FileNet Content Manager
https://www.ibm.com/support/pages/node/7027874
IBM Java Runtime (JRE) security vulnerabilities CVE-2023-21830, CVE-2023-21843 in FileNet Content Manager
https://www.ibm.com/support/pages/node/6983440
Multiple Security vulnerabilities in IBM Java in FileNet Content Manager
https://www.ibm.com/support/pages/node/7001699
IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities
https://www.ibm.com/support/pages/node/7029864
TADDM affected by vulnerability due to IBM Java and its runtime
https://www.ibm.com/support/pages/node/7029984
Due to use of Mozilla Firefox, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities.
https://www.ibm.com/support/pages/node/7029986
Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are used in IBM Security Guardium Key Lifecycle Manager
https://www.ibm.com/support/pages/node/7006475
A vulnerability in Microsoft ASP.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2022-29117)
https://www.ibm.com/support/pages/node/7029527
A vulnerability in Microsoft Azure SDK for .NET affects IBM Robotic Process Automation and could allow a remote authenticated attacker to obtain sensitive information (CVE-2022-26907).
https://www.ibm.com/support/pages/node/7029524
Multiple security vulnerabilities affect IBM Robotic Process Automation
https://www.ibm.com/support/pages/node/7026754
A vulnerability in Microsoft.AspNetCore.Identity affects IBM Robotic Process Automation and may result in allowing an attacker to bypass security restrictions (CVE-2023-33170).
https://www.ibm.com/support/pages/node/7029540
Multiple security vulnerabilities in Java affect IBM Robotic Process Automation
https://www.ibm.com/support/pages/node/7026758
IBM Security Guardium is affected by a Hazardous Input Validation vulnerability (CVE-2022-43903)
https://www.ibm.com/support/pages/node/7030110
IBM MQ is affected by OpenSSL vulnerability (CVE-2023-2650)
https://www.ibm.com/support/pages/node/7030100
IBM MQ is affected by a sensitive information disclosure vulnerability (CVE-2023-28514)
https://www.ibm.com/support/pages/node/7030101
IBM MQ is affected by a denial of service vulnerability (CVE-2023-28513)
https://www.ibm.com/support/pages/node/7030102
IBM MQ is vulnerable to a denial of service attack (CVE-2023-26285)
https://www.ibm.com/support/pages/node/7030103
IBM Edge Application Manager 4.5.2 addresses the security vulnerabilities listed in the CVEs below.
https://www.ibm.com/support/pages/node/7030159