End-of-Day report
Timeframe: Monday 22-04-2024 18:00 - Tuesday 23-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Analyzing Forest Blizzard's custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions.
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
Struts "devmode": Still a problem ten years later? (Tue, Apr 23rd)
Like many similar frameworks and languages, Struts 2 has a "developer mode" (devmode) offering additional features to aid debugging. Error messages will be more verbose, and the devmode includes an OGNL console. OGNL, the Object-Graph Navigation Language, can interact with Java, but in the end, executing OGNL results in arbitrary code execution.
https://isc.sans.edu/diary/rss/30866
An Analysis of the DHEat DoS Against SSH in Cloud Environments
The DHEat attack remains viable against most SSH installations, as default settings are inadequate at deflecting it. Very little bandwidth is needed to cause a dramatic effect on targets, including those with a high degree of resources.
https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-against-ssh-in-cloud-environments/
New on Vinted? Do not scan any QR code!
Caution! Criminals are deliberately contacting new Vinted users. They pretend to want to buy the item and send a QR code. The QR code, however, leads to a fake Vinted payment page. There the criminals ask for your bank details and try to steal your money.
https://www.watchlist-internet.at/news/neu-auf-vinted-scannen-sie-keinen-qr-code/
Suspected CoralRaider continues to expand victimology using three information stealers
Cisco Talos discovered a new campaign, ongoing since at least February 2024, in which a threat actor distributes three well-known infostealers: Cryptbot, LummaC2 and Rhadamanthys.
https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/
GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining
Avast discovered and analyzed GuptiMiner, a malware campaign that hijacks the eScan antivirus update mechanism to distribute backdoors and coinminers.
https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/
Vulnerabilities
Security updates for Tuesday
Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid).
https://lwn.net/Articles/970889/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Welotec: Clickjacking Vulnerability in WebUI
https://cert.vde.com/de/advisories/VDE-2024-023/