[CERT-daily] Tageszusammenfassung - 16.08.2023

Wed Aug 16 18:37:36 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 14-08-2023 18:00 − Mittwoch 16-08-2023 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Jetzt 2FA aktivieren: Hackerangriffe auf Linkedin-Konten nehmen massiv zu ∗∗∗
---------------------------------------------
Cyberkriminelle haben es zuletzt vermehrt auf Linkedin-Konten abgesehen. Bei Google getätigte Suchanfragen bestätigen diesen Trend.
---------------------------------------------
https://www.golem.de/news/jetzt-2fa-aktivieren-hackerangriffe-auf-linkedin-konten-nehmen-massiv-zu-2308-176794.html


∗∗∗ Vielfältige Attacken auf Ivanti Enterprise Mobility Management möglich (CVE-2023-32560) ∗∗∗
---------------------------------------------
Die Forscher geben an, die Schwachstelle im April 2023 gemeldet zu haben. Die gegen die Attacke abgesicherte EMM-Version 6.4.1 ist Anfang August erschienen. Mitte August haben die Sicherheitsforscher ihren Bericht veröffentlicht.
---------------------------------------------
https://www.heise.de/news/Vielfaeltige-Attacken-auf-Ivanti-Enterprise-Mobility-Management-moeglich-9245340.html


∗∗∗ IT-Schutz für Kommunen: 18 Checklisten für den Schnelleinstieg ∗∗∗
---------------------------------------------
Kommunen sind zunehmend Ziele von Cyber-Angriffen. Für angemessenen Schutz mangelt es oft an Wissen und Personal. 18 WiBA-Checklisten des BSI sollen das ändern.
---------------------------------------------
https://heise.de/-9246027


∗∗∗ TR-75 - Unauthenticated remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) - CVE-2023-3519 ∗∗∗
---------------------------------------------
Use this Checklist to identify if your infrastructure already shows indications of a successful compromise
---------------------------------------------
https://www.circl.lu/pub/tr-75/


∗∗∗ Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) ∗∗∗
---------------------------------------------
Today we are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances.
---------------------------------------------
https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner


∗∗∗ l+f: Trojaner unterscheiden nicht zwischen Gut und Böse ∗∗∗
---------------------------------------------
D’oh! Sicherheitsforscher sind auf rund 120.000 mit Malware infizierte PCs gestoßen – von Cybergangstern.
---------------------------------------------
https://heise.de/-9244810


∗∗∗ Instagram-Nachricht: Gefälschte Beschwerde über Produktqualität führt zu Schadsoftware ∗∗∗
---------------------------------------------
Sie erhalten eine Nachricht auf Instagram. Darin beschwert sich eine Kundin, dass Ihre Produktqualität schlecht ist und das Produkt bereits nach 2 Tagen kaputt war. Ein Bild wird mitgeschickt. Laden Sie das Dokument mit der Endung .rar nicht herunter, es handelt sich um Schadsoftware.
---------------------------------------------
https://www.watchlist-internet.at/news/instagram-nachricht-gefaelschte-beschwerde-ueber-produktqualitaet-fuehrt-zu-schadsoftware/


∗∗∗ An Apple malware-flagging tool is “trivially” easy to bypass ∗∗∗
---------------------------------------------
Background Task Manager can potentially miss malicious software on your machine.
---------------------------------------------
https://arstechnica.com/?p=1960742


∗∗∗ Ongoing scam tricks kids playing Roblox and Fortnite ∗∗∗
---------------------------------------------
The scams are often disguised as promotions, and they can all be linked to one network.
---------------------------------------------
https://arstechnica.com/?p=1961085


∗∗∗ Raccoon Stealer malware returns with new stealthier version ∗∗∗
---------------------------------------------
The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-returns-with-new-stealthier-version/


∗∗∗ Massive 400,000 proxy botnet built with stealthy malware infections ∗∗∗
---------------------------------------------
A new campaign involving the delivery of proxy server apps to Windows systems has been uncovered, where users are reportedly involuntarily acting as residential exit nodes controlled by a private company.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/


∗∗∗ QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord ∗∗∗
---------------------------------------------
A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms. "Once installed on the victims Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attackers Telegram bot, providing them with unauthorized access to the victims sensitive information," [...]
---------------------------------------------
https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html


∗∗∗ Cookie Crumbles: Breaking and Fixing Web Session Integrity ∗∗∗
---------------------------------------------
In this paper, we question the effectiveness of existing protections and study the real-world security implications of cookie integrity issues. In particular, we focus on network and same-site attackers, a class of attackers increasingly becoming a significant threat to Web application security.
---------------------------------------------
https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf


∗∗∗ Chrome 116 Patches 26 Vulnerabilities ∗∗∗
---------------------------------------------
Google has released Chrome 116 with patches for 26 vulnerabilities and plans to ship weekly security updates for the popular web browser.
---------------------------------------------
https://www.securityweek.com/chrome-116-patches-26-vulnerabilities/


∗∗∗ Monti ransomware targets legal and gov’t entities with new Linux-based variant ∗∗∗
---------------------------------------------
The Monti hacker gang appears to have resumed its operations after a two-month break, this time claiming to target legal and government entities with a fresh Linux-based ransomware variant, according to new research. Monti was first discovered in June 2022, shortly after the infamous Conti ransomware group went out of business.
---------------------------------------------
https://therecord.media/monti-ransomware-targets-govt-entities


∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-24489 Citrix Content Collaboration ShareFile Improper Access Control Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-adds-one-known-exploited-vulnerability-catalog


∗∗∗ PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks ∗∗∗
---------------------------------------------
Recent findings by Aqua Nautilus have exposed significant flaws that are still active in the PowerShell Gallerys policy regarding package names and owners. These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package. Consequently, these flaws pave the way for potential supply chain attacks on the registrys vast user base.
---------------------------------------------
https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expose-users-to-attacks


∗∗∗ Verwundbare Webserver: Status in Österreich ∗∗∗
---------------------------------------------
Nachdem wir in den letzten Wochen von Schwachstellen in Systemen von Citrix, Ivanti und Fortinet berichtet haben, wollte ich wissen, wie weit Österreich beim Patchen ist. Wir bekommen von ShadowServer täglich Reports mit den Ergebnissen ihrer Scans über das ganze Internet. Im „Vulnerable HTTP Report“ geht es unter anderem um Schwachstellen, die in Web-Applikationen gefunden wurden. Auf Hersteller bezogen kann man aus den Daten für Österreich folgende folgende Entwicklung ablesen: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/8/verwundbare-webserver-status-in-osterreich


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Advisory | NetModule Router Software Race Condition Leads to Remote Code Execution ∗∗∗
---------------------------------------------
CVSSv3.1 Score: 8.4 Affected Vendor & Products: NetModule NB1601, NB1800, NB1810, NB2800, NB2810, NB3701, NB3800, NB800, NG800 Vulnerable version: < 4.6.0.105, < 4.7.0.103
---------------------------------------------
https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/


∗∗∗ Sicherheitslücken: Angreifer können Hintertüren in Datenzentren platzieren ∗∗∗
---------------------------------------------
Schwachstellen in Software von CyberPower und Dataprobe zur Energieüberwachung und -Verteilung gefährden Datenzentren.
---------------------------------------------
https://heise.de/-9245788


∗∗∗ Lücken in Kennzeichenerkennungssoftware gefährden Axis-Überwachungskamera ∗∗∗
---------------------------------------------
Mehrere Sicherheitslücken in Software für Überwachungskameras von Axis gefährden Geräte.
---------------------------------------------
https://heise.de/-9245978


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (samba), Red Hat (.NET 6.0, .NET 7.0, rh-dotnet60-dotnet, rust, rust-toolset-1.66-rust, and rust-toolset:rhel8), and SUSE (kernel and opensuse-welcome).
---------------------------------------------
https://lwn.net/Articles/941658/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/941722/


∗∗∗ Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon M340, M580 and M580 CPU ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow an attacker to execute unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-01


∗∗∗ Rockwell Automation Armor PowerFlex ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow an attacker to send an influx of network commands, causing the product to generate an influx of event log traffic at a high rate, resulting in the stop of normal operation.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-02


∗∗∗ K000135852 : FasterXML jackson-databind vulnerability CVE-2022-42003 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000135852


∗∗∗ CPE2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers (Home and Office/Large Format) – 15 August 2023 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/


∗∗∗ [R1] Sensor Proxy Version 1.0.8 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-28


∗∗∗ Vulnerabilities in Node.js modules affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7026694


∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6380956


∗∗∗ Multiple Eclipse Jetty Vulnerabilities Affect IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027483


∗∗∗ AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027598


∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027509


∗∗∗ IBM Cognos Analytics has addressed multiple security vulnerabilities (CVE-2022-48285, CVE-2023-35009, CVE-2023-35011) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7026692


∗∗∗ Zyxel security advisory for post-authentication command injection in NTP feature of NBG6604 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-in-ntp-feature-of-nbg6604-home-router


∗∗∗ Zyxel security advisory for DoS vulnerability of XGS2220, XMG1930, and XS1930 series switches ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-dos-vulnerability-of-xgs2220-xmg1930-and-xs1930-series-switches

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily