Daily summary - 11.09.2023

End-of-Day report

Timeframe: Friday 08-09-2023 18:00 - Monday 11-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Microsoft Teams phishing attack pushes DarkGate malware

A new phishing campaign is abusing Microsoft Teams messages to send malicious attachments that install the DarkGate Loader malware.

https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/


Facebook Messenger phishing wave targets 100K business accounts per week

Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware.

https://www.bleepingcomputer.com/news/security/facebook-messenger-phishing-wave-targets-100k-business-accounts-per-week/


From Caribbean shores to your devices: analyzing Cuba ransomware

The article analyzes the malicious tactics, techniques and procedures (TTP) used by the operator of the Cuba ransomware, and details a Cuba attack incident.

https://securelist.com/cuba-ransomware/110533/


New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World

A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.

https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html


Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows

A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz.

https://thehackernews.com/2023/09/cybercriminals-using-powershell-to.html


Password managers: LastPass hackers appear to be cracking password vaults

Cybercriminals copied LastPass password vaults last year. Now they appear to be cracking them and emptying crypto wallets.

https://heise.de/-9300583


From ERMAC to Hook: Investigating the technical differences between two Android malware variants

Hook and ERMAC are Android based malware families that are both advertised by the actor named "DukeEugene". Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of ERMAC to further examine the technical differences between these malware families.

https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/


Numerous dubious Dirndl shops in circulation

Wiesn season is Dirndl season! Dubious shop operators know this too. To reach as many potential victims as possible, they rely on advertising via Facebook and Instagram. High-quality Dirndls at an unbeatably low price are promised. Customer reports show, however, that only low-quality clothing actually arrives.

https://www.watchlist-internet.at/news/zahlreiche-unserioese-dirndl-shops-im-umlauf/


A classification of CTI Data feeds

We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria's hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic.

https://cert.at/en/blog/2023/9/cti-data-feeds

Vulnerabilities

Pyramid vulnerable to directory traversal

Pyramid provided by Pylons Project contains a directory traversal vulnerability.

https://jvn.jp/en/jp/JVN41113329/
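The advisory above gives no detail beyond "directory traversal", so the following is an added, generic illustration of that bug class in Python (Pyramid's language), not Pyramid's own code and not the specific flaw JVN describes. It shows a naive static-file path join beside a hardened one that decodes once, treats backslashes as separators, rejects ".." segments and null bytes, and confirms the resolved path stays under the document root. The root directory `/srv/static` and the request paths are constructed sample input; POSIX path semantics are assumed.

```python
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the static root."""


def naive_join(root: str, requested: str) -> str:
    # Vulnerable pattern: decode and join without any check. "../" climbs out of
    # root, and an absolute second argument makes os.path.join discard root entirely.
    return os.path.normpath(os.path.join(root, unquote(requested)))


def safe_join(root: str, requested: str) -> str:
    """Map a URL path to a file under root, or raise TraversalError."""
    root_abs = os.path.abspath(root)

    # Decode percent-encoding exactly once. Decoding again would turn a literal
    # "%2e%2e" (harmless file name) back into "..", so double-decoding is itself a bug.
    decoded = unquote(requested)

    # NUL bytes truncate C-level paths; never let them reach the filesystem.
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")

    # On Windows "\" is a separator; a check that only looks at "/" is bypassed by
    # "..\\..\\". Normalising here keeps the rule identical on every platform.
    decoded = decoded.replace("\\", "/")

    # Drop empty and "." segments, then refuse any ".." outright instead of
    # silently collapsing it (silent collapse hides probing in the logs).
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        raise TraversalError("parent-directory segment in path")

    candidate = os.path.abspath(os.path.join(root_abs, *segments))

    # Belt and braces: whatever the segment filter missed, the resolved path must
    # still be the root itself or something underneath it.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise TraversalError("resolved path escapes root")
    return candidate


def is_traversal(root: str, requested: str) -> bool:
    """True if safe_join rejects the request."""
    try:
        safe_join(root, requested)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    root = "/srv/static"  # constructed sample root
    for req in ["css/app.css", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                "..\\..\\windows\\win.ini", "%2e%2e/%2e%2e/etc/shadow",
                "/etc/passwd", "%252e%252e/etc/passwd", "a%00.txt"]:
        verdict = "REJECT" if is_traversal(root, req) else safe_join(root, req)
        print(f"{req:32} naive={naive_join(root, req):28} safe={verdict}")
```

The naive variant resolves `../../etc/passwd` to `/etc/passwd`; the hardened one rejects every encoded, backslash and NUL variant, while a double-encoded `%252e%252e` decodes only to the literal directory name `%2e%2e` and stays inside the root.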


HPE OneView: Critical vulnerability allows authentication bypass

HPE warns of several security vulnerabilities in OneView, an infrastructure management software. Attackers could, among other things, bypass authentication.

https://heise.de/-9301047


Security updates for Monday

Security updates have been issued by Debian (frr, kernel, libraw, mutt, and open-vm-tools), Fedora (cjose, pypy, vim, wireshark, and xrdp), Gentoo (apache), Mageia (chromium-browser-stable, clamav, ghostscript, librsvg, libtiff, openssl, poppler, postgresql, python-pypdf2, and unrar), Red Hat (flac), SUSE (firefox, geoipupdate, icu73_2, libssh2_org, rekor, skopeo, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp-5.4, linux-gkeop, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-6.2, linux-ibm, linux-oracle, linux-starfive, linux-gcp-5.15, linux-gkeop-5.15, and opendmarc).

https://lwn.net/Articles/944190/


Security updates available in PDF-XChange Editor/Tools 10.1.0.380

https://www.tracker-software.com/support/security-bulletins.html


Mattermost security updates 8.1.2 (ESR) / 8.0.3 / 7.8.11 (ESR) released

https://mattermost.com/blog/mattermost-security-updates-8-1-2-esr-8-0-3-7-8-11-esr-released/


AIX is vulnerable to arbitrary command execution (CVE-2023-26286)

https://www.ibm.com/support/pages/node/6983236


IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow

https://www.ibm.com/support/pages/node/7031271


Vulnerability in BIND affects IBM Integrated Analytics System (Sailfish)[CVE-2023-2828]

https://www.ibm.com/support/pages/node/7031294


Vulnerability in OpenSSH affects IBM Integrated Analytics System (Sailfish)[CVE-2023-38408]

https://www.ibm.com/support/pages/node/7031293


Vulnerabilities in IBM WebSphere Application Server affect IBM Application Performance Management.

https://www.ibm.com/support/pages/node/7031576


Due to use of, IBM Application Performance Management is vulnerable to a local authenticated attacker obtaining sensitive information.

https://www.ibm.com/support/pages/node/7031614


A vulnerability in Microsoft .NET may affect IBM Robotic Process Automation allowing an attacker to conduct spoofing attacks (CVE-2022-34716)

https://www.ibm.com/support/pages/node/7031620


A vulnerability in Microsoft .NET Core may affect IBM Robotic Process Automation and result in a remote attacker obtaining sensitive information (CVE-2018-8292).

https://www.ibm.com/support/pages/node/7029529


A vulnerability in Microsoft .NET Framework may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2022-41064)

https://www.ibm.com/support/pages/node/7031621


IBM Robotic Process Automation could disclose sensitive information from access to RPA scripts, workflows and related data (CVE-2023-38718)

https://www.ibm.com/support/pages/node/7031619


IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115]

https://www.ibm.com/support/pages/node/7031624


A vulnerability in Newtonsoft.Json may affect IBM Robotic Process Automation and result in a denial of service (IBM X-Force ID: 234366).

https://www.ibm.com/support/pages/node/7031623


IBM Cognos Command Center is affected by multiple vulnerabilities (CVE-2023-21939, CVE-2023-21967, CVE-2022-29117, XFID: 234366)

https://www.ibm.com/support/pages/node/7012455