End-of-Day report
Timeframe: Friday 08-09-2023 18:00 - Monday 11-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Microsoft Teams phishing attack pushes DarkGate malware
A new phishing campaign is abusing Microsoft Teams messages to send malicious attachments that install the DarkGate Loader malware.
https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/
Facebook Messenger phishing wave targets 100K business accounts per week
Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware.
https://www.bleepingcomputer.com/news/security/facebook-messenger-phishing-wave-targets-100k-business-accounts-per-week/
From Caribbean shores to your devices: analyzing Cuba ransomware
The article analyzes the malicious tactics, techniques and procedures (TTP) used by the operator of the Cuba ransomware, and details a Cuba attack incident.
https://securelist.com/cuba-ransomware/110533/
New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World
A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.
https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html
Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows
A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz.
https://thehackernews.com/2023/09/cybercriminals-using-powershell-to.html
Password manager: LastPass hackers appear to be cracking password vaults
Cybercriminals copied LastPass password vaults last year. Now they appear to be cracking them and emptying crypto wallets.
https://heise.de/-9300583
From ERMAC to Hook: Investigating the technical differences between two Android malware variants
Hook and ERMAC are Android based malware families that are both advertised by the actor named 'DukeEugene'. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of ERMAC to further examine the technical differences between these malware families.
https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/
Numerous dubious dirndl shops in circulation
Wiesn season is dirndl season! Dubious shop operators know this too. To reach as many potential victims as possible, they rely on advertising via Facebook and Instagram. High-quality dirndls are promised at an unbeatably low price. However, customer reports show that only inferior clothing reaches consumers.
https://www.watchlist-internet.at/news/zahlreiche-unserioese-dirndl-shops-im-umlauf/
A classification of CTI Data feeds
We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria's hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic.
https://cert.at/en/blog/2023/9/cti-data-feeds
Vulnerabilities
Pyramid vulnerable to directory traversal
Pyramid provided by Pylons Project contains a directory traversal vulnerability.
https://jvn.jp/en/jp/JVN41113329/
HPE OneView: Critical vulnerability allows authentication bypass
HPE warns of several security vulnerabilities in OneView, an infrastructure management software. Attackers could, for example, bypass the login.
https://heise.de/-9301047
Security updates for Monday
Security updates have been issued by Debian (frr, kernel, libraw, mutt, and open-vm-tools), Fedora (cjose, pypy, vim, wireshark, and xrdp), Gentoo (apache), Mageia (chromium-browser-stable, clamav, ghostscript, librsvg, libtiff, openssl, poppler, postgresql, python-pypdf2, and unrar), Red Hat (flac), SUSE (firefox, geoipupdate, icu73_2, libssh2_org, rekor, skopeo, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp-5.4, linux-gkeop, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-6.2, linux-ibm, linux-oracle, linux-starfive, linux-gcp-5.15, linux-gkeop-5.15, and opendmarc).
https://lwn.net/Articles/944190/
Security updates available in PDF-XChange Editor/Tools 10.1.0.380
https://www.tracker-software.com/support/security-bulletins.html
Mattermost security updates 8.1.2 (ESR) / 8.0.3 / 7.8.11 (ESR) released
https://mattermost.com/blog/mattermost-security-updates-8-1-2-esr-8-0-3-7-8-11-esr-released/
AIX is vulnerable to arbitrary command execution (CVE-2023-26286)
https://www.ibm.com/support/pages/node/6983236
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow
https://www.ibm.com/support/pages/node/7031271
Vulnerability in BIND affects IBM Integrated Analytics System (Sailfish) [CVE-2023-2828]
https://www.ibm.com/support/pages/node/7031294
Vulnerability in OpenSSH affects IBM Integrated Analytics System (Sailfish) [CVE-2023-38408]
https://www.ibm.com/support/pages/node/7031293
Vulnerabilities in IBM WebSphere Application Server affect IBM Application Performance Management.
https://www.ibm.com/support/pages/node/7031576
Due to use of, IBM Application Performance Management is vulnerable to a local authenticated attacker to obtain sensitive information.
https://www.ibm.com/support/pages/node/7031614
A vulnerability in Microsoft .NET may affect IBM Robotic Process Automation allowing an attacker to conduct spoofing attacks (CVE-2022-34716)
https://www.ibm.com/support/pages/node/7031620
A vulnerability in Microsoft .NET Core may affect IBM Robotic Process Automation and result in a remote attacker obtaining sensitive information (CVE-2018-8292).
https://www.ibm.com/support/pages/node/7029529
A vulnerability in Microsoft .NET Framework may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2022-41064)
https://www.ibm.com/support/pages/node/7031621
IBM Robotic Process Automation could disclose sensitive information from access to RPA scripts, workflows and related data (CVE-2023-38718)
https://www.ibm.com/support/pages/node/7031619
IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115]
https://www.ibm.com/support/pages/node/7031624
A vulnerability in Newtonsoft.Json may affect IBM Robotic Process Automation and result in a denial of service (IBM X-Force ID: 234366).
https://www.ibm.com/support/pages/node/7031623
IBM Cognos Command Center is affected by multiple vulnerabilities (CVE-2023-21939, CVE-2023-21967, CVE-2022-29117, XFID: 234366)
https://www.ibm.com/support/pages/node/7012455