The Consensus Security Vulnerability Alert

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Your Business Data and Machine Learning at Risk: Attacks Against Apache NiFi

Published: 2023-05-30

Last Updated: 2023-05-31 11:07:11 UTC

by Johannes Ullrich (Version: 1)

Apache NiFi describes itself as “an easy-to-use, powerful, and reliable system to process and distribute data.” In simple terms, NiFi implements a web-based interface to define how data is moved from a source to a destination. Users may define various “processors” to manipulate data along the way. This is often needed when processing business data or preparing data for machine learning. A dataset used for machine learning may arrive in one format (let's say JSON), but to conveniently use it for training, it must be converted to JSON or inserted into a database. The features are not just attractive to machine learning, but many business processes require similar functionality.

Read the full entry:

https://isc.sans.edu/diary/Your+Business+Data+and+Machine+Learning+at+Risk+Attacks+Against+Apache+NiFi/29900/

Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT

Published: 2023-05-30

Last Updated: 2023-05-30 01:01:59 UTC

by Brad Duncan (Version: 1)

Also known as DBatLoader, ModiLoader is malware that retreives and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware. Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.

I caught the email in one of my honeypot accounts on Monday 2023-05-29 at 4:14 UTC. These messages often spoof companies sending invoices or purchase orders. This campaign didn't appear to be specifically targeted at my honeypot account.

Read the full entry:

https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896/

Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files

Published: 2023-05-29

Last Updated: 2023-05-29 07:27:43 UTC

by Didier Stevens (Version: 1)

I was asked how to analyze Office Documents that are embedded inside PPT files. PPT is the "standard" binary format for PowerPoint, it's an olefile. You can analyze it with oledump.py.

All embedded content is found inside stream "PowerPoint Document". For VBA, I already wrote a blog post a couple years ago: "Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt".

The analysis process for embedded files is quite similar.

Read the full entry:

https://isc.sans.edu/diary/Analyzing+Office+Documents+Embedded+Inside+PPT+PowerPoint+Files/29894/

Wireshark 4.0.6 Released (2023.05.29)

https://isc.sans.edu/diary/Wireshark+406+Released/29892/

We Can no Longer Ignore the Cost of Cybersecurity (2023.05.28)

https://isc.sans.edu/diary/We+Can+no+Longer+Ignore+the+Cost+of+Cybersecurity/29890/

DocuSign-themed email leads to script-based infection (2023.05.27)

https://isc.sans.edu/diary/DocuSignthemed+email+leads+to+scriptbased+infection/29888/

Using DFIR Techniques To Recover From Infrastructure Outages (2023.05.26)

https://isc.sans.edu/diary/Using+DFIR+Techniques+To+Recover+From+Infrastructure+Outages/29886/

IR Case/Alert Management (2023.05.24)

https://isc.sans.edu/diary/IR+CaseAlert+Management/29880/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.CVE-2023-2868 - The Barracuda Email Security Gateway (appliance form factor only) product is vulnerable to remote command injection through a failure to comprehensively sanitize the processing of .tar files.Product: Barracuda Email Security GatewayCVSS Score: 9.4** KEV since 2023-05-26 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2868NVD References: - https://status.barracuda.com/incidents/34kx82j5n4q9- https://www.barracuda.com/company/legal/esg-vulnerabilityCVE-2023-2825 - GitLab CE/EE version 16.0.0 allows unauthenticated users to read arbitrary files through path traversal when an attachment exists in a public project nested within at least five groups.Product: GitLab CVSS Score: 7.5NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-2825ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8514NVD References: - https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json- https://gitlab.com/gitlab-org/gitlab/-/issues/412371- https://hackerone.com/reports/1994725CVE-2020-20012 - WebPlus Pro v1.4.7.8.4-01 is vulnerable to Incorrect Access Control.Product: Sudytech Webplus ProCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-20012NVD References: https://gist.github.com/1915504804/9503198d3cbd5bc7db47625ac0caaadeCVE-2023-27068 - Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx.Product: Sitecore Experience PlatformCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27068NVD References: - https://blogs.night-wolf.io/0-day-vulnerabilities-at-sitecore-pagedesigner- https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/103/Sitecore%20Experience%20Platform%20103/Release%20Notes- https://www.sitecore.com/products/sitecore-experience-platformCVE-2023-29919 - SolarView Compact <= 6.0 has insecure permissions, allowing any server file to be read or modified through unrestricted access to texteditor.php.Product: Contec Solarview CompactCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-29919NVD References: - https://github.com/xiaosed/CVE-2023-29919/- https://www.solarview.io/CVE-2023-31814 - D-Link DIR-300 firmware <=REVA1.06 and <=REVB2.06 is vulnerable to File inclusion via /model/__lang_msg.php.Product: D-Link Dir-300CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-31814NVD References: - https://gist.github.com/1915504804/9503198d3cbd5bc7db47625ac0caaade- https://www.dlink.com/en/security-bulletin/CVE-2023-25953 - Drive Explorer for macOS versions 3.5.4 and earlier is vulnerable to code injection, allowing attackers logged in to the client to execute arbitrary code and potentially access files without privileges.Product: Worksmobile Drive ExplorerCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25953NVD References: - https://jvn.jp/en/jp/JVN01937209/- https://line.worksmobile.com/jp/release-notes/20230216/CVE-2023-27388 - T&D Corporation and ESPEC MIC CORP. data logger products have an improper authentication vulnerability that allows remote unauthenticated login as a registered user.Product: T&D Tr-71WCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27388NVD References: - https://jvn.jp/en/jp/JVN14778242/- https://www.monitoring.especmic.co.jp/post/VulnerabilityInRT-12N_RS-12N_RT-22BNandTEU-12N- https://www.tandd.com/news/detail.html?id=780CVE-2023-27397 - MicroEngine Mailform allows remote attackers to save and execute arbitrary files via unrestricted file upload with dangerous type.Product: MicroEngine MailformCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27397NVD References: - https://jvn.jp/en/jp/JVN31701509/- https://microengine.jp/information/security_2023_05.htmlCVE-2023-27507 - MicroEngine Mailform versions 1.1.0 to 1.1.8 allow remote attackers to upload and execute arbitrary files on the server due to a path traversal vulnerability.Product: MicroEngine MailformCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27507NVD References: - https://jvn.jp/en/jp/JVN31701509/- https://microengine.jp/information/security_2023_05.htmlCVE-2023-28408 - MW WP Form versions v4.4.2 and earlier allow remote attackers to alter websites, cause DoS, and obtain sensitive information through directory traversal vulnerabilities.Product: MW WP Form Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28408NVD References: - https://jvn.jp/en/jp/JVN01093915/- https://plugins.2inc.org/mw-wp-form/blog/2023/05/08/752/CVE-2023-28409 - MW WP Form versions up to v4.4.2 allow remote attackers to upload dangerous files without authentication.Pro…