[CERT-daily] Tageszusammenfassung - 02.10.2023

Daily end-of-shift report team at cert.at
Mon Oct 2 19:05:51 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 29-09-2023 18:00 − Montag 02-10-2023 18:00
Handler:     Stephan Richter
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang ∗∗∗
---------------------------------------------
The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, utilizing almost identical data leak sites and encryptors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meet-losttrust-ransomware-a-likely-rebrand-of-the-metaencryptor-gang/


∗∗∗ New Marvin attack revives 25-year-old decryption flaw in RSA ∗∗∗
---------------------------------------------
A flaw related to the PKCS #1 v1.5 padding in SSL servers discovered in 1998 and believed to have been resolved still impacts several widely-used projects today.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-marvin-attack-revives-25-year-old-decryption-flaw-in-rsa/


∗∗∗ The Silent Threat of APIs: What the New Data Reveals About Unknown Risk ∗∗∗
---------------------------------------------
The rapid growth of APIs creates a widening attack surface and increasing unknown cybersecurity risks.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/silent-threat-of-apis-what-new-data-reveals-about-unknown-risk


∗∗∗ Jetzt patchen: Exploit für kritische Sharepoint-Schwachstelle aufgetaucht ∗∗∗
---------------------------------------------
Er ist Teil einer sehr effektiven Exploit-Kette zur Schadcodeausführung auf Sharepoint-Servern, die ein Forscher kürzlich offenlegte.
---------------------------------------------
https://www.golem.de/news/jetzt-patchen-exploit-fuer-kritische-sharepoint-schwachstelle-aufgetaucht-2309-178119.html


∗∗∗ Cybercriminals Using New ASMCrypt Malware Loader to Fly Under the Radar ∗∗∗
---------------------------------------------
Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week.
---------------------------------------------
https://thehackernews.com/2023/09/cybercriminals-using-new-asmcrypt.html


∗∗∗ BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground ∗∗∗
---------------------------------------------
Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader thats being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," [...]
---------------------------------------------
https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html


∗∗∗ Security researchers believe mass exploitation attempts against WS_FTP have begun ∗∗∗
---------------------------------------------
Early signs emerge after Progress Software said there were no active attempts last week Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Softwares WS_FTP Server.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_update/


∗∗∗ Temporary suspension of automatic snap registration following security incident ∗∗∗
---------------------------------------------
On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed. Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effectively immediately.
---------------------------------------------
https://forum.snapcraft.io/t/temporary-suspension-of-automatic-snap-registration-following-security-incident/37077


∗∗∗ The Hitchhikers Guide to Malicious Third-Party Dependencies ∗∗∗
---------------------------------------------
The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., NPM, PyPI) serve as public databases that users can query to retrieve packages for various functionalities, [...] In this work, we show how attackers can [...] achieve arbitrary code execution on victim machines, thereby realizing open-source software supply chain chain attacks.
---------------------------------------------
https://arxiv.org/abs/2307.09087


∗∗∗ Fritzbox-Sicherheitsleck analysiert: Risiko sogar bei deaktiviertem Fernzugriff ∗∗∗
---------------------------------------------
AVM schließt bei vielen Fritzboxen eine Sicherheitslücke. Unserer Analyse zufolge lässt sie sich aus der Ferne ausnutzen – sogar mit abgeschaltetem Fernzugriff.
---------------------------------------------
https://www.heise.de/-9323225.html


∗∗∗ BSI-Umfrage: Kritische Infrastrukturen haben Nachholbedarf bei IT-Sicherheit ∗∗∗
---------------------------------------------
Vor allem bei der Umsetzung organisatorischer Sicherheitsmaßnahmen hapert es noch bei Betreibern kritischer Infrastrukturen. Gründe: Personal- und Geldmangel.
---------------------------------------------
https://www.heise.de/-9323606.html


∗∗∗ Don’t Let Zombie Zoom Links Drag You Down ∗∗∗
---------------------------------------------
Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks.
---------------------------------------------
https://krebsonsecurity.com/2023/10/dont-let-zombie-zoom-links-drag-you-down/


∗∗∗ Silverfort Open Sources Lateral Movement Detection Tool ∗∗∗
---------------------------------------------
Silverfort has released the source code for its lateral movement detection tool LATMA, to help identify and analyze intrusions.
---------------------------------------------
https://www.securityweek.com/silverfort-open-sources-lateral-movement-detection-tool/


∗∗∗ Die Österreichische Post AG verkauft keine Zufallspakete für 2 Euro! ∗∗∗
---------------------------------------------
Betrügerische Werbeschaltungen auf Facebook spielen vor, dass die Post AG nicht zustellbare Pakete für nur 2 Euro verkauft. Angeblich haben Sie so die Möglichkeit, mit tollen Gegenständen wie Tablets, Kaffeemaschinen oder Büchern überrascht zu werden. Achtung: Es handelt sich um reinen Betrug. Werbung und Profile stammen nicht von der Post und die Pakete existieren nicht. Sie landen hier in einer Abo-Falle oder geben Ihr Zahlungsmittel unbeabsichtigt für Zahlungen durch Kriminelle frei.
---------------------------------------------
https://www.watchlist-internet.at/news/die-oesterreichische-post-ag-verkauft-keine-zufallspakete-fuer-2-euro/


∗∗∗ Keine Warnung zu den aktuellen Exim Schwachstellen (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) ∗∗∗
---------------------------------------------
Am Mittwoch 27. September wurden durch die Zero Day Initiative sechs Schwachstellen (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) im Mail Transfer Agent (MTA) Exim veröffentlicht.[1][2][3][4][5][6] Nach interner Analyse und im Austausch mit Experten sind wir zu ähnlichen Schlüssen, wie nun auf der offiziellen Mailingliste des Projekts veröffentlicht[7], gekommen.
---------------------------------------------
https://cert.at/de/aktuelles/2023/10/keine-warnung-zu-den-aktuellen-exim-schwachstellen-cve-2023-42114-cve-2023-42115-cve-2023-42116-cve-2023-42117-cve-2023-42118-cve-2023-42119


∗∗∗ E-Mail-Angriff via Dropbox ∗∗∗
---------------------------------------------
BEC 3.0-Angriffe häufen sich und sind noch schwieriger zu erkennen, weil Hacker Links über legitime Dienste versenden.
---------------------------------------------
https://www.zdnet.de/88412118/e-mail-angriff-via-dropbox/


∗∗∗ Kritische Sicherheitsupdates: Chrome, Edge, Firefox, Thunderbird,Tor ∗∗∗
---------------------------------------------
Ende September 2023 gab es Sicherheitsupdates für diverse Software, die kritische Schwachstellen (0-Days) schließen sollen. Bei den Chromium-Browsern wurde eine Sicherheitslücke im V8 Encoder geschlossen (betrifft Google Chrome und beim Edge). Die Mozilla Entwickler haben ebenfalls Notfall-Updates für den Firefox und den Thunderbird herausgebracht. Und Tor wurde diesbezüglich ebenfalls aktualisiert. Ich fasse mal die Updates in diesem Sammelbeitrag zusammen.
---------------------------------------------
https://www.borncity.com/blog/2023/10/02/kritische-sicherheitsupdates-chrome-edge-firefox-thunderbirdtor/


∗∗∗ Bitsight identifies nearly 100,000 exposed industrial control systems ∗∗∗
---------------------------------------------
Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) potentially allowing an attacker to access and control physical infrastructure.
---------------------------------------------
https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-industrial-control-systems



=====================
=  Vulnerabilities  =
=====================

∗∗∗ JetBrains TeamCity Unauthenticated Remote Code Execution ∗∗∗
---------------------------------------------
Topic: JetBrains TeamCity Unauthenticated Remote Code Execution 
Risk: High 
Text:## # This module requires Metasploit [...]
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023100003


∗∗∗ OpenRefines Zip Slip Vulnerability Could Let Attackers Execute Malicious Code ∗∗∗
---------------------------------------------
A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below.
---------------------------------------------
https://thehackernews.com/2023/10/openrefines-zip-slip-vulnerability.html


∗∗∗ Security updates available in PDF-XChange Editor/Tools 10.1.1.381 ∗∗∗
---------------------------------------------
Released version 10.1.1.381, which addresses potential security and stability issues.
---------------------------------------------
https://www.tracker-software.com/support/security-bulletins.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, cups, firefox-esr, firmware-nonfree, gerbv, jetty9, libvpx, mosquitto, open-vm-tools, python-git, python-reportlab, and trafficserver), Fedora (firefox, giflib, libvpx, libwebp, webkitgtk, and xen), Gentoo (Chromium, Google Chrome, Microsoft Edge, ClamAV, GNU Binutils, and wpa_supplicant, hostapd), Mageia (flac, giflib, indent, iperf, java, libvpx, libxml2, quictls, wireshark, and xrdp), Oracle (kernel), Slackware (libvpx and mozilla), and SUSE (bind, python, python-bugzilla, roundcubemail, seamonkey, and xen).
---------------------------------------------
https://lwn.net/Articles/946186/


∗∗∗ Suprema BioStar 2 ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-01


∗∗∗ Multiple Vulnerabilities in Electrolink FM/DAB/TV Transmitter ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/


∗∗∗ K000137058 : Linux kernel vulnerability CVE-2022-4269 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000137058


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list