[CERT-daily] Daily summary - 30.08.2023

Daily end-of-shift report team at cert.at
Wed Aug 30 18:46:24 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 29-08-2023 18:00 − Wednesday 30-08-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Border Gateway Protocol: The glue of the internet has a vulnerability ∗∗∗
---------------------------------------------
A newly discovered vulnerability in the Border Gateway Protocol could potentially allow attackers to cut off parts of the internet.
---------------------------------------------
https://www.golem.de/news/border-gateway-protocol-der-klebstoff-des-internets-hat-eine-schwachstelle-2308-177218.html


∗∗∗ Critical security vulnerability in VMware Aria Operations for Networks ∗∗∗
---------------------------------------------
VMware closes security vulnerabilities in Aria Operations for Networks. One is rated critical and allows access without authentication.
---------------------------------------------
https://heise.de/-9288934


∗∗∗ Botnet: International law enforcement uninstalls 700,000 Qakbot drones ∗∗∗
---------------------------------------------
Together with international law enforcement agencies, the FBI has taken the Qakbot botnet out of action for the time being. They removed the malware from 700,000 systems.
---------------------------------------------
https://heise.de/-9289070


∗∗∗ Cisco warns of ransomware attacks on VPNs without multi-factor authentication ∗∗∗
---------------------------------------------
Cisco warns of attacks with the Akira ransomware targeting the vendor's VPNs. Where multi-factor authentication is not in use, the intrusions succeed.
---------------------------------------------
https://heise.de/-9289242


∗∗∗ Beware of jobs on zalandoovip.vip and remote-rpo-at.com! ∗∗∗
---------------------------------------------
On remote-rpo-at.com you are presented with a lucrative job offer. "Be your own boss and earn up to €1260 per week!" reads the homepage. You are then supposed to submit product reviews for Zalando on the fraudulent website zalandoovip.vip, allegedly to boost sales. As soon as you want to withdraw the money you have earned, the nasty surprise follows: [...]
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-jobs-auf-zalandoovipvip-und-remote-rpo-atcom/


∗∗∗ Thousands of organisations vulnerable to subdomain hijacking ∗∗∗
---------------------------------------------
Subdomain hijacking is a worrying scenario in which attackers take control of websites hosted on subdomains of reputable organisations. This allows attackers, for example, to distribute malware and disinformation or to carry out phishing attacks.
---------------------------------------------
https://certitude.consulting/blog/de/subdomain-hijacking-2/


∗∗∗ Trojanized Signal and Telegram apps on Google Play delivered spyware ∗∗∗
---------------------------------------------
Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegram-apps-on-google-play-delivered-spyware/


∗∗∗ Getting into AWS cloud security research as a n00bcake ∗∗∗
---------------------------------------------
Today, AWS security research can feel impenetrable, like understanding the latest meme that’s already gone through three ironic revivals. But if I’m being honest, I might suggest AWS security research is far more accessible than the other insane research in our industry. That’s why I attempt it. I’m just too dumb to write shellcode or disassemble a binary. So don’t be scared, let’s do it together!
---------------------------------------------
https://dagrz.com/writing/aws-security/getting-into-aws-security-research/


∗∗∗ CISA Releases IOCs Associated with Malicious Barracuda Activity ∗∗∗
---------------------------------------------
CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/08/29/cisa-releases-iocs-associated-malicious-barracuda-activity


∗∗∗ Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) ∗∗∗
---------------------------------------------
On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we will detail additional tactics, techniques, and procedures (TTPs) employed by UNC4841 that have since been uncovered through Mandiant’s incident response engagements, as well as through collaborative efforts with Barracuda Networks and our International Government partners.  Over the course of this
---------------------------------------------
https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation


∗∗∗ Pay our ransom instead of a GDPR fine, cybercrime gang tells its targets ∗∗∗
---------------------------------------------
Researchers are tracking a new cybercrime group that uses a never-seen-before extortion tactic. The gang, which operates through a blog called Ransomed, tells victims that if they don’t pay to protect stolen files, they will face fines under data protection laws like the EU’s GDPR, according to a new report by cybersecurity firm Flashpoint.
---------------------------------------------
https://therecord.media/ransomed-cybercrime-group-extortion-gdpr



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Netgear: Security Advisory for Post-authentication Command Injection on the Prosafe® Network Management System, PSV-2023-0037 ∗∗∗
---------------------------------------------
NETGEAR is aware of a post-authentication command injection security vulnerability on NMS300 and strongly recommends that you download the latest version of NMS300 as soon as possible.
---------------------------------------------
https://kb.netgear.com/000065705/Security-Advisory-for-Post-authentication-Command-Injection-on-the-Prosafe-Network-Management-System-PSV-2023-0037


∗∗∗ Netgear: Security Advisory for Authentication Bypass on the RBR760, PSV-2023-0052 ∗∗∗
---------------------------------------------
NETGEAR is aware of an authentication bypass security vulnerability on the RBR760. This vulnerability requires an attacker to have your WiFi password or an Ethernet connection to a device on your network to be exploited.
---------------------------------------------
https://kb.netgear.com/000065734/Security-Advisory-for-Authentication-Bypass-on-the-RBR760-PSV-2023-0052


∗∗∗ Web browser: Google Chrome update plugs high-risk security vulnerability ∗∗∗
---------------------------------------------
Google fixes a vulnerability rated as high risk in the Chrome web browser.
---------------------------------------------
https://heise.de/-9288903


∗∗∗ Notepad++ developer apparently ignores security vulnerabilities ∗∗∗
---------------------------------------------
Several security vulnerabilities put the Notepad++ text editor at risk. Despite information about the vulnerabilities and possible fixes, a security update is still outstanding.
---------------------------------------------
https://heise.de/-9289124


∗∗∗ VMSA-2023-0018 ∗∗∗
---------------------------------------------
Synopsis: VMware Aria Operations for Networks updates address multiple vulnerabilities.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0018.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (qpdf, ring, and tryton-server), Fedora (mingw-qt5-qtbase and moby-engine), Red Hat (cups, kernel, kernel-rt, kpatch-patch, librsvg2, and virt:rhel and virt-devel:rhel), and Ubuntu (amd64-microcode, firefox, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-hwe-6.2, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-bluefield, linux-ibm, linux-oem-6.1, and openjdk-lts, openjdk-17).
---------------------------------------------
https://lwn.net/Articles/943087/


∗∗∗ Remote Code Execution in RTS VLink Virtual Matrix ∗∗∗
---------------------------------------------
BOSCH-SA-893251-BT: A security vulnerability has been uncovered in the admin interface of the RTS VLink Virtual Matrix Software. The vulnerability will allow a Remote Code Execution (RCE) attack.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-893251-bt.html


∗∗∗ 2023-08-29 Out-of-Cycle Security Bulletin: Junos OS and Junos OS Evolved: A crafted BGP UPDATE message allows a remote attacker to de-peer (reset) BGP sessions (CVE-2023-4481) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-08-29-Out-of-Cycle-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-A-crafted-BGP-UPDATE-message-allows-a-remote-attacker-to-de-peer-reset-BGP-sessions-CVE-2023-4481


∗∗∗ [R1] Nessus Version 10.6.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-29


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily