[CERT-daily] Tageszusammenfassung - 10.10.2023

Tue Oct 10 18:59:46 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 09-10-2023 18:00 − Dienstag 10-10-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Patch Now: Massive RCE Campaign Wrangles Routers Into Botnet ∗∗∗
---------------------------------------------
Thousands of devices, including D-Link and Zyxel gear, remain vulnerable to takeover despite the availability of patches for the several bugs being exploited by IZ1H9 campaign.
---------------------------------------------
https://www.darkreading.com/cloud/patch-now-massive-rce-campaign-d-link-zyxel-botnet


∗∗∗ Over 17,000 WordPress sites hacked in Balada Injector attacks last month ∗∗∗
---------------------------------------------
Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-17-000-wordpress-sites-hacked-in-balada-injector-attacks-last-month/


∗∗∗ The Art of Concealment: A New Magecart Campaign That’s Abusing 404 Pages ∗∗∗
---------------------------------------------
A new, sophisticated, and covert Magecart web skimming campaign has been targeting Magento and WooCommerce websites.
---------------------------------------------
https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer


∗∗∗ Inzwischen vorhanden: Details zu gefixten Lücken in iOS 17 und Co. ∗∗∗
---------------------------------------------
Als iOS 17, iPadOS 17, watchOS 10 und tvOS 17 erschienen, machte Apple keine Angaben zu enthaltenen Sicherheitspatches. Mittlerweile lassen sie sich einsehen.
---------------------------------------------
https://www.heise.de/-9319162


∗∗∗ ‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History ∗∗∗
---------------------------------------------
Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history.
---------------------------------------------
https://www.securityweek.com/rapid-reset-zero-day-exploited-to-launch-largest-ddos-attacks-in-history/


∗∗∗ Take a note of SpyNote! ∗∗∗
---------------------------------------------
Among noteworthy spyware, one that has been in the limelight recently is SpyNote. This spyware app spreads via smishing (i.e. malicious SMS messages) by urging the victims to install the app from provided links. Naturally, the hosting and downloading happen outside of the official Play Store app, to prevent the security evaluation done by Google Play Store from thwarting the spread of this spyware.
---------------------------------------------
https://blog.f-secure.com/take-a-note-of-spynote/


∗∗∗ Android-Geräte ab Werk mit Malware infiziert ∗∗∗
---------------------------------------------
Settop-Boxen mit bestimmten Chipsätzen von Allwinner und Rockchip enthalten den Trojaner Badbox. Der zeigt unterwünschte Werbung an und verbreitet schädliche Apps.
---------------------------------------------
https://www.zdnet.de/88412275/android-geraete-ab-werk-mit-malware-infiziert/


∗∗∗ Infostealer with Abnormal Certificate Being Distributed ∗∗∗
---------------------------------------------
Recently, there has been a high distribution rate of malware using abnormal certificates. Malware often disguise themselves with normal certificates. However, in this case, the malware entered the certificate information randomly, with the Subject Name and Issuer Name fields having unusually long strings. As a result, the certificate information is not visible in Windows operating systems, and a specific tool or infrastructure is required to inspect the structure of these certificates.
---------------------------------------------
https://asec.ahnlab.com/en/57553/


∗∗∗ CISA, Government, and Industry Partners Publish Fact Sheet for Organizations Using Open Source Software ∗∗∗
---------------------------------------------
This guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, to include software supply chain, and increase resilience using available resources.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-government-and-industry-partners-publish-fact-sheet-organizations-using-open-source-software


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Per SSID: Schwachstelle in D-Link-Repeater erlaubt Codeausführung ∗∗∗
---------------------------------------------
Beim Netzwerk-Scan des D-Link DAP-X1860 kann es zu einer unerwünschten Codeausführung kommen. Über spezielle SSIDs sind Angriffe möglich.
---------------------------------------------
https://www.golem.de/news/per-ssid-schwachstelle-in-d-link-repeater-erlaubt-codeausfuehrung-2310-178351.html


∗∗∗ Siemens Security Advisories 2023-10-10 ∗∗∗
---------------------------------------------
SSA-843070: SCALANCE W1750D, SSA-829656: Xpedition Layout Browser, SSA-784849: SIMATIC CP Devices, SSA-770890: SICAM A8000 Devices, SSA-647455: RUGGEDCOM APE1808 devices, SSA-594373: SINEMA Server V14, SSA-524778: Tecnomatix Plant Simulation, SSA-386812: Simcenter Amesim before V2021.1, SSA-295483: Mendix, SSA-160243: SINEC NMS before V2.0, SSA-134651: SICAM A8000 Devices, SSA-035466: SICAM PAS/PQS
---------------------------------------------
https://www.siemens.com/global/en/products/services/cert.html#SecurityPublications


∗∗∗ Backup: Acronis schließt Sicherheitslücken im Agent für Linux, Mac und Windows ∗∗∗
---------------------------------------------
Acronis hat eine Aktualisierung des Agent für Linux, Mac und Windows veröffentlicht. Sie dichtet unter anderem ein Leck mit hohem Risiko ab.
---------------------------------------------
https://www.heise.de/-9329516


∗∗∗ Sicherheitsupdates: Schadcode- und Root-Lücken bedrohen IBM-Software ∗∗∗
---------------------------------------------
IBM hat unter anderem im Datenbankmanagementsystem Db2 schwerwiegende Schwachstellen geschlossen.
---------------------------------------------
https://www.heise.de/-9329404


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown).
---------------------------------------------
https://lwn.net/Articles/947233/


∗∗∗ One-Click GNOME Exploit Could Pose Serious Threat to Linux Systems ∗∗∗
---------------------------------------------
A one-click exploit targeting the Libcue component of the GNOME desktop environment could pose a serious threat to Linux systems.
---------------------------------------------
https://www.securityweek.com/one-click-gnome-exploit-could-pose-serious-threat-to-linux-systems/


∗∗∗ SAP Releases 7 New Notes on October 2023 Patch Day ∗∗∗
---------------------------------------------
SAP has released seven new notes as part of its October 2023 Security Patch Day, all rated ‘medium severity’.
---------------------------------------------
https://www.securityweek.com/sap-releases-7-new-notes-on-october-2023-patch-day/


∗∗∗ Unverschlüsselte Bluetoothverbindung bei Smartwatch Amazfit Bip U (SYSS-2023-022) ∗∗∗
---------------------------------------------
Die Smartwatch Amazfit Bip U kommuniziert unverschlüsselt mit dem verbundenen Smartphone. Alle Nachrichten können daher von Angreifenden abgehört werden.
---------------------------------------------
https://www.syss.de/pentest-blog/unverschluesselte-bluetoothverbindung-bei-smartwatch-amazfit-bip-u-syss-2023-022


∗∗∗ Ivanti Endpoint Manager new vulnerabilities ∗∗∗
---------------------------------------------
There are two vulnerabilities we have recently discovered that impact Ivanti Endpoint Manager (EPM) versions 2022 and below. They both have CVSS scores in the ‘Moderate’ range. We are reporting them as CVE-2023-35083 and CVE-2023-35084.
---------------------------------------------
https://www.ivanti.com/blog/ivanti-endpoint-manager-new-vulnerabilities


∗∗∗ F5 BIG-IP Security Advisories 2023-10-10 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/new-updated-articles#sort=%40f5_updated_published_date%20descending&periodFilter=0&dateField=0


∗∗∗ Xen Security Advisories ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/


∗∗∗ Citrix NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967


∗∗∗ Citrix Hypervisor Multiple Security Updates ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX575089/citrix-hypervisor-multiple-security-updates

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily