End-of-Day report
Timeframe: Friday 15-09-2023 18:00 - Monday 18-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
BlackCat ransomware hits Azure Storage with Sphynx encryptor
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azure-storage-with-sphynx-encryptor/
Microsoft leaks 38TB of private data via unsecured Azure storage
The Microsoft AI research division accidentally leaked dozens of terabytes of sensitive data starting in July 2020 while contributing open-source AI learning models to a public GitHub repository.
https://www.bleepingcomputer.com/news/microsoft/microsoft-leaks-38tb-of-private-data-via-unsecured-azure-storage/
Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients
Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack. The San Francisco-based firm blamed a Google Account cloud synchronization feature recently introduced in April 2023 for making the breach worse, calling it a "dark pattern." "The fact that Google Authenticator syncs to the cloud is a novel attack vector," Snir Kodesh, Retool's head of engineering, said. "What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication."
https://thehackernews.com/2023/09/retool-falls-victim-to-sms-based.html
Fuzzing with multiple servers in parallel: AFL++ with Network File Systems
When fuzzing large-scale applications, using a single server (even with 4 64-core AMD Ryzen CPUs) may not be powerful enough by itself. That's where parallelized/distributed fuzzing comes in (i.e. automatic sharing of results between fuzzing systems). In this guide, we'll take a look at how to set up multiple servers fuzzing the same program using AFL++, linked all together with an NFS (Network File System).
https://joshua.hu/fuzzing-multiple-servers-parallel-aflplusplus-nfs
donut-decryptor
donut-decryptor checks file(s) for known signatures of the donut obfuscator's loader shellcode. If located, it will parse the shellcode to locate, decrypt, and extract the DONUT_INSTANCE structure embedded in the binary, and report pertinent configuration data. If a DONUT_MODULE is present in the binary, it is decrypted and dumped to disk.
https://github.com/volexity/donut-decryptor
CVE-2023-34040 Spring Kafka Deserialization Remote Code Execution
MEDIUM | AUGUST 23, 2023 | CVE-2023-34040: In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers [...] According to the description in the security bulletin, we can pick out the key points that result in the vulnerability.
https://pyn3rd.github.io/2023/09/15/CVE-2023-34040-Spring-Kafka-Deserialization-Remote-Code-Execution/
AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation
The Sysdig Threat Research Team (TRT) has uncovered a novel cloud-native cryptojacking operation which they've named AMBERSQUID. This operation leverages AWS services not commonly used by attackers, such as AWS Amplify, AWS Fargate, and Amazon SageMaker. The uncommon nature of these services means that they are often overlooked from a security perspective, and the AMBERSQUID operation can cost victims more than $10,000/day.
https://sysdig.com/blog/ambersquid/
Fileless Remote Code Execution on Juniper Firewalls
CVE-2023-36845 is a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. Juniper scored the vulnerability as a medium severity issue. However, in this blog, we'll show you how this vulnerability alone can achieve remote, unauthenticated code execution without even touching the disk.
https://vulncheck.com/blog/juniper-cve-2023-36845
Sherlock: Spyware delivered via online advertising
The Israeli company Insanet is reported to have developed spyware that is delivered via targeted advertising banners to Windows PCs and common smartphones.
https://www.heise.de/-9308891.html
CISA Releases New Identity and Access Management Guidance
CISA has released new guidance on how federal agencies can integrate identity and access management into their ICAM architecture.
https://www.securityweek.com/cisa-releases-new-identity-and-access-management-guidance/
Selling on Vinted: Supposed buyers lure sellers to a fake payment platform
Are you selling something on Vinted? Be careful when interested buyers ask for your e-mail address. Behind this is a scam aimed at luring you to a fake Vinted payment platform. On this platform you supposedly receive the purchase amount. In reality, the criminals steal your bank or credit card details there and persuade you to approve payments.
https://www.watchlist-internet.at/news/verkaufen-auf-vinted-vermeintliche-kaeuferinnen-locken-auf-gefaelschte-zahlungsplattform/
Caution: Steam fake accounts and scam methods
A brief warning for readers who use the Steam platform. A reader has alerted me to a wave of fraud that is currently under way and operates with fake accounts.
https://www.borncity.com/blog/2023/09/16/vorsicht-steam-fake-accounts-und-scam-methoden/
18th September - Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th September, please download our Threat Intelligence Bulletin.
https://research.checkpoint.com/2023/18th-september-threat-intelligence-report/
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server: a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, and which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
MidgeDropper Variant Targets Work-from-Home Employees on Windows PCs
If you are working from home, you need to be on the lookout for the new and complex variant of MidgeDropper malware.
https://www.hackread.com/midgedropper-variant-work-from-home-windows/
Vulnerabilities
Qnap updates close high-risk vulnerability
Qnap has released updated operating systems. The new QTS, QuTS hero and QuTScloud releases close vulnerabilities, some of them high-risk.
https://www.heise.de/-9308427.html
Anonymizing Linux: Critical libWebP vulnerability closed in Tails 5.17.1
The maintainers of the anonymizing Linux distribution Tails for USB sticks have closed the already exploited, critical libWebP vulnerability in version 5.17.1.
https://www.heise.de/-9307906.html
Security updates for Monday
Security updates have been issued by Debian (firefox-esr, libwebp, and thunderbird), Fedora (chromium, curl, flac, libtommath, libwebp, matrix-synapse, python-matrix-common, redis, and rust-pythonize), Gentoo (binwalk, ghostscript, python-requests, rar, samba, and wireshark), Oracle (.NET 6.0, kernel, and kernel-container), Slackware (python3), and SUSE (firefox).
https://lwn.net/Articles/944744/
Authenticated Remote Code Execution and missing authentication in Atos Unify OpenScape
https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-remote-code-execution-fehlende-authentifizierung-atos-unify-openscape/
Vulnerabilities in Apache Struts library affect Tivoli Netcool/OMNIbus WebGUI
https://www.ibm.com/support/pages/node/7033228
Vulnerabilities in Certifi, cryptography, python-requests and Tornado can affect IBM Storage Protect Plus Microsoft File Systems Backup and Restore [CVE-2023-37920, CVE-2023-38325, CVE-2023-32681, CVE-2023-28370]
https://www.ibm.com/support/pages/node/7031489