[CERT-daily] Tageszusammenfassung - 18.12.2023

Mon Dec 18 19:23:45 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 15-12-2023 18:00 − Montag 18-12-2023 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Zwei Monate nach Meldung: SQL-Injection-Schwachstelle in 3CX noch immer ungepatcht ∗∗∗
---------------------------------------------
Statt einen Patch bereitzustellen, fordert 3CX seine Kunden nun dazu auf, aus Sicherheitsgründen ihre SQL-Datenbank-Integrationen zu deaktivieren.
---------------------------------------------
https://www.golem.de/news/zwei-monate-nach-meldung-sql-injection-schwachstelle-in-3cx-noch-immer-ungepatcht-2312-180393.html


∗∗∗ SMTP Smuggling - Spoofing E-Mails Worldwide ∗∗∗
---------------------------------------------
Introducing a novel technique for e-mail spoofing
---------------------------------------------
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/


∗∗∗ SLP Denial of Service Amplification - Attacks are ongoing and rising ∗∗∗
---------------------------------------------
We build on our previous work and look into how threat actors are abusing SLP to launch reflection/amplification DDoS attacks, their evolution, and what targets are they focused on at the moment.
---------------------------------------------
https://www.bitsight.com/blog/slp-denial-service-amplification-attacks-are-ongoing-and-rising


∗∗∗ WordPress hosting service Kinsta targeted by Google phishing ads ∗∗∗
---------------------------------------------
WordPress hosting provider Kinsta is warning customers that Google ads have been observed promoting phishing sites to steal hosting credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-hosting-service-kinsta-targeted-by-google-phishing-ads/


∗∗∗ Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds ∗∗∗
---------------------------------------------
Microsoft is warning of an uptick in malicious activity from an emerging threat cluster its tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.
---------------------------------------------
https://thehackernews.com/2023/12/microsoft-warns-of-storm-0539-rising.html


∗∗∗ PikaBot distributed via malicious search ads ∗∗∗
---------------------------------------------
PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads


∗∗∗ QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry ∗∗∗
---------------------------------------------
A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.
---------------------------------------------
https://thehackernews.com/2023/12/qakbot-malware-resurfaces-with-new.html


∗∗∗ iOS 17.2: Flipper Zero kann keine iPhones mehr crashen ∗∗∗
---------------------------------------------
Apple verhindert mit iOS 17.2 offenbar, dass iPhones mit einem Flipper-Zero-Bluetooth-Exploit ge-DoSt werden können.
---------------------------------------------
https://www.heise.de/-9576526


∗∗∗ Ransomware-Gruppen buhlen zunehmend um Medien-Aufmerksamkeit ∗∗∗
---------------------------------------------
Um sich von der Konkurrenz abzusetzen und die eigenen Leistungen gewürdigt zu wissen, suchen Ransomware-Gruppen zunehmend den direkten Kontakt zu Journalisten.
---------------------------------------------
https://www.heise.de/-9576774


∗∗∗ E-Mail vom Entschädigungsamt ist Fake ∗∗∗
---------------------------------------------
Kriminelle geben sich als „Entschädigungsamt“ aus und behaupten in einem E-Mail, dass Betrugsopfer mit einer Gesamtsumme von 3.500.000 Euro entschädigt werden. Antworten Sie nicht und schicken Sie keinesfalls persönliche Daten und Ausweiskopien. Sie werden erneut betrogen!
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-vom-entschaedigungsamt-ist-fake/


∗∗∗ Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains ∗∗∗
---------------------------------------------
Using machine learning to target stockpiled malicious domains, the results of our detection pipeline tool highlight campaigns from phishing to scams.
---------------------------------------------
https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/


∗∗∗ An Example of RocketMQ Exploit Scanner, (Sat, Dec 16th) ∗∗∗
---------------------------------------------
A few months ago, RocketMQ, a real-time message queue platform, suffered of a nasty vulnerability referred as cve:2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score: 2/60
---------------------------------------------
https://isc.sans.edu/diary/rss/30492


∗∗∗ CISA Urges Manufacturers to Eliminate Default Passwords After Recent ICS Attacks ∗∗∗
---------------------------------------------
CISA is advising device makers to stop relying on customers to change default passwords following attacks targeting water sector ICS.
---------------------------------------------
https://www.securityweek.com/cisa-urges-manufacturers-to-eliminate-default-passwords-after-recent-ics-attacks/


∗∗∗ CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector ∗∗∗
---------------------------------------------
Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers 
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-key-risk-and-vulnerability-findings-healthcare-and-public-health-sector


∗∗∗ #StopRansomware: Play Ransomware ∗∗∗
---------------------------------------------
These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server ∗∗∗
---------------------------------------------
Four new unauthenticated remotely exploitable security vulnerabilities discovered in the popular source code management platform Perforce Helix Core Server have been remediated after being responsibly disclosed by Microsoft. Perforce Server customers are strongly urged to update to version 2023.1/2513900.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/12/15/patching-perforce-perforations-critical-rce-vulnerability-discovered-in-perforce-helix-core-server/


∗∗∗ ZDI-23-1799: Ivanti Avalanche Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of Ivanti Avalanche. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-41726.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-1799/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (freeimage, ghostscript, intel-microcode, spip, and xorg-server), Fedora (chromium, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, PyDrive2, seamonkey, and vim), Gentoo (Leptonica), Mageia (audiofile, gimp, golang, and poppler), Oracle (buildah, containernetworking-plugins, gstreamer1-plugins-bad-free, kernel, kernel-container, libxml2, pixman, podman, postgresql, postgresql:15, runc, skopeo, tracker-miners, and webkit2gtk3), and SUSE (fish).
---------------------------------------------
https://lwn.net/Articles/955566/


∗∗∗ OpenSSH Security December 18, 2023 ∗∗∗
---------------------------------------------
penSSH 9.6 was released on 2023-12-18. It is available from the mirrors listed at https://www.openssh.com/. This release contains a number of security fixes, some small features and bugfixes.
---------------------------------------------
https://www.openssh.com/security.html


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Nextcloud Security Advisories ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily