Tageszusammenfassung - 18.09.2023

End-of-Day report

Timeframe: Freitag 15-09-2023 18:00 - Montag 18-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter


BlackCat ransomware hits Azure Storage with Sphynx encryptor

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets Azure cloud storage.


Microsoft leaks 38TB of private data via unsecured Azure storage

The Microsoft AI research division accidentally leaked dozens of terabytes of sensitive data starting in July 2020 while contributing open-source AI learning models to a public GitHub repository.


Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients

Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack. The San Francisco-based firm blamed a Google Account cloud synchronization feature recently introduced in April 2023 for making the breach worse, calling it a "dark pattern." "The fact that Google Authenticator syncs to the cloud is a novel attack vector," Snir Kodesh, Retool's head of engineering, said. "What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication."


Fuzzing with multiple servers in parallel: AFL++ with Network File Systems

When fuzzing large-scale applications, using a single server (even with 4 64-core AMD Ryzen CPUs) may not be powerful enough by itself. That-s where parallelized/distributed fuzzing comes in (i.e. automatic sharing of results between fuzzing systems). In this guide, we-ll take a look at how to set up multiple servers fuzzing the same program using AFL++, linked all together with an NFS (Network File System).



donut-decryptor checks file(s) for known signatures of the donut obfuscators loader shellcode. If located, it will parse the shellcode to locate, decrypt, and extract the DONUT_INSTANCE structure embedded in the binary, and report pertinent configuration data. If a DONUT_MODULE is present in the binary it is decrypted and dumped to disk.


CVE-2023-34040 Spring Kafka Deserialization Remote Code Execution

MEDIUM | AUGUST 23, 2023 | CVE-2023-34040: In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers [...] According to the description in security bulletin, we can simply attain some critical points resulting in the vulnerability.


AWS-s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation

The Sysdig Threat Research Team (TRT) has uncovered a novel cloud-native cryptojacking operation which they-ve named AMBERSQUID. This operation leverages AWS services not commonly used by attackers, such as AWS Amplify, AWS Fargate, and Amazon SageMaker. The uncommon nature of these services means that they are often overlooked from a security perspective, and the AMBERSQUID operation can cost victims more than $10,000/day.


Fileless Remote Code Execution on Juniper Firewalls

CVE-2023-36845 is a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. Juniper scored the vulnerability as a medium severity issue. However, in this blog, we-ll show you how this vulnerability alone can achieve remote, unauthenticated code execution without even touching the disk.


Sherlock: Spyware kommt über Online-Werbung

Die israelische Firma Insanet soll eine Spähsoftware entwickelt haben, die über gezielte Werbebanner auf Windows-PCs und gängige Smartphones ausgespielt wird.


CISA Releases New Identity and Access Management Guidance

CISA has released new guidance on how federal agencies can integrate identity and access management into their ICAM architecture.


Verkaufen auf Vinted: Vermeintliche Käufer:innen locken auf gefälschte Zahlungsplattform

Sie verkaufen etwas auf Vinted? Vorsicht, wenn interessierte Käufer:innen nach Ihrer E-Mail-Adresse fragen. Dahinter steckt eine Betrugsmasche, die darauf abzielt, Sie auf eine gefälschte Vinted-Zahlungsplattform zu locken. Auf dieser Plattform erhalten Sie angeblich den Kaufbetrag. Tatsächlich stehlen die Kriminellen dort Ihre Bank- oder Kreditkartendaten und überzeugen Sie, Zahlungen freizugeben.


Vorsicht: Steam Fake Accounts und Scam-Methoden

Kurze Warnung für Leser und Leserinnen, die auf der Plattform Steam unterwegs sind. Ein Leser hat mich auf eine Betrugswelle aufmerksam gemacht, die gerade läuft und mit gefälschten Konten operiert.


18th September - Threat Intelligence Report

For the latest discoveries in cyber research for the week of 11th September, please download our Threat_Intelligence Bulletin.


Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement

While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actors server - a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which weve dubbed SprySOCKS due to its swift behavior and SOCKS implementation.


MidgeDropper Variant Targets Work-from-Home Employees on Windows PCs

If you are working from home, you need to be on the lookout for the new and complex variant of MidgeDropper malware.



Qnap-Updates schließen hochriskante Lücke

Qnap hat aktualisierte Betriebssysteme veröffentlicht. Die neuen QTS-, QuTS-hero- und QuTScloud-Releases schließen teils hochriskante Lücken.


Anonymisierendes Linux: Kritische libWebP-Lücke in Tails 5.17.1 geschlossen

Die Maintainer des anonymisierenden Linux Tails für den USB-Stick haben in Version 5.17.1 die bereits angegriffene, kritische libWebP-Lücke geschlossen.


Security updates for Monday

Security updates have been issued by Debian (firefox-esr, libwebp, and thunderbird), Fedora (chromium, curl, flac, libtommath, libwebp, matrix-synapse, python-matrix-common, redis, and rust-pythonize), Gentoo (binwalk, ghostscript, python-requests, rar, samba, and wireshark), Oracle (.NET 6.0, kernel, and kernel-container), Slackware (python3), and SUSE (firefox).


Authenticated Remote Code Execution und fehlende Authentifizierung in Atos Unify OpenScape


Vulnerabilities in Apache Struts library affect Tivoli Netcool\/OMNIbus WebGUI


Vulnerabilities in Certifi, cryptography, python-requests and Tornado can affect IBM Storage Protect Plus Microsoft File Systems Backup and Restore [CVE-2023-37920, CVE-2023-38325, CVE-2023-32681, CVE-2023-28370]