[CERT-daily] Daily summary - 27.11.2023

Daily end-of-shift report team at cert.at
Mon Nov 27 18:21:11 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 24-11-2023 18:00 − Monday 27-11-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Atomic Stealer malware strikes macOS via fake browser updates ∗∗∗
---------------------------------------------
The ClearFake fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strikes-macos-via-fake-browser-updates/


∗∗∗ EvilSlackbot: A Slack Attack Framework ∗∗∗
---------------------------------------------
To authenticate to the Slack API, each bot is assigned an API token that begins with xoxb or xoxp. More often than not, these tokens are leaked somewhere. When these tokens are exfiltrated during a Red Team exercise, it can be a pain to properly utilize them. Now EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, files, and search for secrets leaked in Slack. [..] In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind.
---------------------------------------------
https://github.com/Drew-Sec/EvilSlackbot


∗∗∗ Scans for ownCloud Vulnerability (CVE-2023-49103), (Mon, Nov 27th) ∗∗∗
---------------------------------------------
Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys.
---------------------------------------------
https://isc.sans.edu/diary/rss/30432


∗∗∗ WordPress Vulnerability & Patch Roundup November 2023 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/11/wordpress-vulnerability-patch-roundup-november-2023.html


∗∗∗ Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections ∗∗∗
---------------------------------------------
A new study has demonstrated that it's possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing naturally occurring computational faults that occur while the connection is being established. [..] The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel.
---------------------------------------------
https://thehackernews.com/2023/11/experts-uncover-passive-method-to.html


∗∗∗ One billion insecure websites … Don't forget the shower mat! ∗∗∗
---------------------------------------------
Risks inflated in advertising serve the sale of security products more than security itself. On the contrary, they are often harmful to it.
---------------------------------------------
https://www.heise.de/meinung/Eine-Milliarde-unsichere-Webseiten-Vergessen-Sie-die-Duschmatte-nicht-9538304.html


∗∗∗ BSI and other cyber security agencies publish AI guidelines ∗∗∗
---------------------------------------------
The BSI publishes guidelines for secure AI systems in cooperation with partner agencies from the United Kingdom and the USA.
---------------------------------------------
https://www.heise.de/news/BSI-und-weitere-Cybersicherheitsbehoerden-veroeffentlichen-KI-Richtlinien-9540951.html?wt_mc=rss.red.ho.ho.atom.beitrag.beitrag


∗∗∗ Free Micropatches For Microsoft Access Forced Authentication Through Firewall (0day) ∗∗∗
---------------------------------------------
On November 9, 2023, Check Point Research published an article about an "information disclosure" / "forced authentication" vulnerability in Microsoft Access that allows an attacker to obtain the victim's NTLM hash by having them open a Microsoft Office document (docx, rtf, accdb, etc.) with an embedded Access database.
---------------------------------------------
https://blog.0patch.com/2023/11/free-micropatches-for-microsoft-access.html


∗∗∗ Beware of fake shops for skins ∗∗∗
---------------------------------------------
At the online shop fngalaxy.de you will find skins and accounts for Fortnite. "Renegade Raider", "OG Ghoul Trooper" or "Black Knight" are offered there at a discount. However, we advise against ordering, as you can only pay with a Paysafecard or Amazon code and will not receive your order.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-fuer-skins/


∗∗∗ Warning about fraudulent emails in the name of Finanz Online ∗∗∗
---------------------------------------------
The deceptively genuine-looking emails link to a fake website on which the victims are then asked to enter their banking details.
---------------------------------------------
https://www.derstandard.at/story/3000000197015/warnung-betrugs-mails-finanzonline


∗∗∗ LKA warning about fake Temu notifications ∗∗∗
---------------------------------------------
The Landeskriminalamt Niedersachsen (Lower Saxony State Criminal Police Office) recently issued a warning concerning customers of the Chinese discount retailer Temu. Fraudsters try to get recipients to disclose personal information under false pretences in the form of a supposed Temu notification. Here is a short overview [..]
---------------------------------------------
https://www.borncity.com/blog/2023/11/26/lka-warnung-vor-geflschten-temu-benachrichtigungen/


∗∗∗ Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) ∗∗∗
---------------------------------------------
While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered an attack case in which the group is assumed to be exploiting the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.
---------------------------------------------
https://asec.ahnlab.com/en/59318/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities ∗∗∗
---------------------------------------------
The Spring Framework 6.0.14 release shipped on November 16th includes a fix for CVE-2023-34053. The Spring Boot 2.7.18 release shipped on November 23rd includes fixes for CVE-2023-34055. Users are encouraged to update as soon as possible.
---------------------------------------------
https://spring.io/blog/2023/11/27/cve-2023-34053-cve-2023-34055-spring-framework-and-spring-boot


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (freeimage, gimp, gst-plugins-bad1.0, node-json5, opensc, python-requestbuilder, reportbug, strongswan, symfony, thunderbird, and tiff), Fedora (chromium, galera, golang, kubernetes, mariadb, python-asyncssh, thunderbird, vim, and webkitgtk), Gentoo (AIDE, Apptainer, GLib, GNU Libmicrohttpd, Go, GRUB, LibreOffice, MiniDLNA, multipath-tools, Open vSwitch, phpMyAdmin, QtWebEngine, and RenderDoc), Slackware (vim), SUSE (gstreamer-plugins-bad, java-1_8_0-ibm, openvswitch, poppler, slurm, slurm_22_05, slurm_23_02, sqlite3, vim, webkit2gtk3, and xrdp), and Ubuntu (openvswitch and thunderbird).
---------------------------------------------
https://lwn.net/Articles/952923/


∗∗∗ MISP 2.4.179 released with a host of improvements, a security fix and some new tooling. ∗∗∗
---------------------------------------------
MISP 2.4.179 released with a host of improvements, a security fix and some new tooling. First baby steps taken towards LLM integration.
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.179

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily