Tageszusammenfassung - 13.03.2024

End-of-Day report

Timeframe: Dienstag 12-03-2024 18:00 - Mittwoch 13-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer

News

RisePro stealer targets Github users in -gitgub- campaign

We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named -gitgub- by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. [..] RisePro resurfaces with new string encryption and a bloated MSI installer that crashes reversing tools like IDA. The "gitgub" campaign already sent more than 700 archives of stolen data to Telegram.

https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github


Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th)

Today, most of the malicious scripts in the wild are heavily obfuscated. [...] There was a huge amount of obfuscated strings (443 in total). Let's try tro process them with ChatGPT [..] The request took a few seconds to get some feedback but results were perfect (I only submitted a small part of the script).

https://isc.sans.edu/diary/rss/30740


FakeBat delivered via several active malvertising campaigns

A number of software brands are being impersonated with malicious ads and fake sites to distribute malware.

https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns


Geldwäsche statt Babysitting: Vorsicht vor diesem Jobbetrug!

Kriminelle suchen über Babysitter-Börsen angeblich eine Betreuung für ihr Kind oder ihre Kinder. Das vermeintliche Elternteil behauptet, derzeit noch im Ausland zu leben und erst zu einem späteren Zeitpunkt nach Österreich zu ziehen. Damit sich die Kinder gleich von Anfang an wohl fühlen, sollen die neuen Babysitter:innen bereits im Vorfeld Spielzeug einkaufen.

https://www.watchlist-internet.at/news/geldwaesche-statt-babysitting-vorsicht-vor-diesem-jobbetrug/


JetBrains vulnerability exploitation highlights debate over silent patching

Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers- servers to Rapid7-s decision to release detailed information on the vulnerabilities.

https://therecord.media/jetbrains-rapid7-silent-patching-dispute


Unpacking Flutter hives

The goal of this blogpost is to obtain the content of an encrypted Hive without having access to the source code.

https://blog.nviso.eu/2024/03/13/unpacking-flutter-hives/


Threat actors leverage document publishing sites for ongoing credential and session token theft

Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow.

https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/


CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign

The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. [..] This campaign was part of the larger Water Hydra APT zero-day analysis.

https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html

Vulnerabilities

Cisco Security Advisories 2024-03-13

Security Impact Rating: 3x High, 4x Medium

https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2024%2F03%2F13&firstPublishedEndDate=2024%2F03%2F13&pageNum=1&isRenderingBugList=false


Palo Alto Security Advisories 2024-03-13

Security Impact Rating: 3x Medium

https://security.paloaltonetworks.com/


Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins - $1,250 Bounty Awarded

Both miniOrange-s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! [..] This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.

https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpatched-in-two-permanently-closed-miniorange-wordpress-plugins-1250-bounty-awarded/


Security updates for Wednesday

Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn).

https://lwn.net/Articles/965278/


März-Patchday: Microsoft stopft zwei kritische Löcher in Hyper-V

Insgesamt bringt der März-Patchday Fixes für 61 Sicherheitslücken.

https://www.zdnet.de/88414822/maerz-patchday-microsoft-stopft-zwei-kritische-loecher-in-hyper-v/


Adobe Releases Security Updates for Multiple Products

Adobe Experience Manager, Adobe Premiere Pro, Adobe ColdFusion, Adobe Bridge, Adobe Lightroom, Adobe Animate

https://www.cisa.gov/news-events/alerts/2024/03/12/adobe-releases-security-updates-multiple-products


AMD und Intel schließen CPU-Sicherheitslücken in Core- und Ryzen-CPUs

Zum Patch-Tuesday räumen AMD und Intel weitere Sicherheitslücken in ihren Prozessoren ein. Es geht unter anderem um Race Conditions.

https://heise.de/-9653846


Fortinet-Patchday: Updates gegen kritische Schwachstellen

Fortinet hat zum März-Patchday Sicherheitslücken in FortiOS, FortiProxy, FortiClientEMS und im FortiManager geschlossen.

https://heise.de/-9653730


Citrix Hypervisor Security Update for CVE-2023-39368 and CVE-2023-38575

https://support.citrix.com/article/CTX616982/citrix-hypervisor-security-update-for-cve202339368-and-cve202338575


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Lenovo Security Advisories 2024-03-12

https://support.lenovo.com/at/de/product_security/home


Xen Security Advisory CVE-2024-2193 / XSA-453

https://xenbits.xen.org/xsa/advisory-453.html


Xen Security Advisory CVE-2023-28746 / XSA-452

https://xenbits.xen.org/xsa/advisory-452.html


Wago: Multiple vulnerabilities in web-based management of multiple products

https://cert.vde.com/de/advisories/VDE-2023-039/


Bosch: BVMS affected by Autodesk Design Review Multiple Vulnerabilities

https://psirt.bosch.com/security-advisories/bosch-sa-246962-bt.html


Bosch: RPS and RPS-LITE operator and communication process vulnerabilities.

https://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html


Canon: CPE2024-002 - Vulnerability Mitigation/Remediation for Small Office Multifunction Printers and Laser Printers - 14 March 2024

https://www.canon-europe.com/support/product-security-latest-news/


SonicWall: SonicWall Email Security Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006


SonicWall: SonicOS SSLVPN Portal Stored Cross-site Scripting Vulnerability

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005


SonicWall: Integer-Based Buffer Overflow Vulnerability In SonicOS via IPSec

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0004


Google Chrome: Drei Sicherheitslöcher gestopft

https://heise.de/-9653082