[CERT-daily] Tageszusammenfassung - 18.10.2023

Wed Oct 18 18:56:41 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 17-10-2023 18:00 − Mittwoch 18-10-2023 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Malicious Notepad++ Google ads evade detection for months ∗∗∗
---------------------------------------------
A new Google Search malvertizing campaign targets users looking to download the popular Notepad++ text editor, employing advanced techniques to evade detection and analysis.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-notepad-plus-plus-google-ads-evade-detection-for-months/


∗∗∗ Over 40,000 admin portal accounts use admin as a password ∗∗∗
---------------------------------------------
Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-40-000-admin-portal-accounts-use-admin-as-a-password/


∗∗∗ Recently patched Citrix NetScaler bug exploited as zero-day since August ∗∗∗
---------------------------------------------
A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/recently-patched-citrix-netscaler-bug-exploited-as-zero-day-since-august/


∗∗∗ Hiding in Hex, (Wed, Oct 18th) ∗∗∗
---------------------------------------------
There are a variety of attacks seen from DShield honeypots [1]. Most of the time these commands are human readable. but every now and again they are obfuscated using base64 or hex encoding. A quick look for commands containing the "/x" delimiter give a lot of results encoded in hexadecimal.
---------------------------------------------
https://isc.sans.edu/diary/rss/30322


∗∗∗ Qubitstrike Targets Jupyter Notebooks with Crypto Mining and Rootkit Campaign ∗∗∗
---------------------------------------------
Dubbed Qubitstrike by Cado, the intrusion set utilizes Telegram API to exfiltrate cloud service provider credentials following a successful compromise. "The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as GitHub," security researchers Matt Muir and Nate Bill said in a Wednesday write-up.
---------------------------------------------
https://thehackernews.com/2023/10/qubitstrike-targets-jupyter-notebooks.html


∗∗∗ BlackCat Climbs the Summit With a New Tactic ∗∗∗
---------------------------------------------
BlackCat ransomware gang has released a utility called Munchkin, allowing attackers to propagate their payload to remote machines. We analyze this new tool.
---------------------------------------------
https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utility-munchkin/


∗∗∗ Updated MATA attacks industrial companies in Eastern Europe ∗∗∗
---------------------------------------------
Kaspersky experts discovered several detections of malware from the MATA cluster, previously attributed to the Lazarus group, compromising defense contractor companies in Eastern Europe.
---------------------------------------------
https://ics-cert.kaspersky.com/publications/updated-mata-attacks-industrial-companies-in-eastern-europe/


∗∗∗ Where Has the MS Office Document Malware Gone? ∗∗∗
---------------------------------------------
Infostealers, which steal user account credentials saved in web browsers or email clients, constitute the majority of attacks targeting general or corporate users. Related information was shared through the ASEC Blog in December of last year. [1] While the distribution method for the named malware differs slightly depending on their main features, Infostealer-type malware typically uses malicious sites disguised as pages for downloading legitimate programs as their distribution route.
---------------------------------------------
https://asec.ahnlab.com/en/57883/


∗∗∗ CISA Updates Toolkit to Promote Public Safety Communications and Cyber Resiliency ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) collaborates with public safety, national security, and emergency preparedness communities to enhance seamless and secure communications to keep America safe, secure, and resilient. Any interruption in communications can have a cascading effect, impacting a public safety agency’s ability to deliver critical lifesaving services to the community.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-updates-toolkit-promote-public-safety-communications-and-cyber-resiliency-0


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Patchday: Oracle veröffentlicht 387 Sicherheits-Patches ∗∗∗
---------------------------------------------
Der vierteljährliche Patchday von Oracle hat stattgefunden. Er bringt im Oktober 387 Updates für mehr als 120 Produkte.
---------------------------------------------
https://www.heise.de/-9337238


∗∗∗ AMD-Grafiktreiber: Codeschmuggel durch Sicherheitslücke möglich ∗∗∗
---------------------------------------------
AMD warnt vor einer Sicherheitslücke in den eigenen Grafiktreibern. Angreifer könnten Code einschleusen und mit erhöhten Rechten ausführen.
---------------------------------------------
https://www.heise.de/-9337480


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (slurm-wlm), Fedora (icecat and python-configobj), Oracle (dotnet6.0, kernel-container, nginx, nginx:1.20, nginx:1.22, and python3.9), Red Hat (bind9.16, curl, dotnet6.0, kernel-rt, kpatch-patch, nghttp2, nodejs, python-reportlab, and virt:rhel), Slackware (util), SUSE (buildah, conmon, erlang, glibc, kernel, nghttp2, opensc, python-urllib3, samba, slurm, and suse-module-tools), and Ubuntu (frr, linux-azure, and pmix).
---------------------------------------------
https://lwn.net/Articles/948097/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily