[CERT-daily] Tageszusammenfassung - 24.10.2023

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 23-10-2023 18:00 − Dienstag 24-10-2023 18:00
Handler:     Stephan Richter
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Log in With... Feature Allows Full Online Account Takeover for Millions ∗∗∗
---------------------------------------------
Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.
---------------------------------------------
https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-takeover-millions


∗∗∗ Hostile Takeover: Malicious Ads via Facebook ∗∗∗
---------------------------------------------
Criminals hijack business accounts on Facebook and run their own advertising campaigns in someone elses name and at the expense of those affected.
---------------------------------------------
https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads


∗∗∗ Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware ∗∗∗
---------------------------------------------
In this report, we share our latest crimeware findings: GoPIX targeting PIX payment system; Lumar stealing files and passwords; Rhysida ransomware supporting old Windows.
---------------------------------------------
https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/


∗∗∗ Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar ∗∗∗
---------------------------------------------
The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts.
---------------------------------------------
https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html


∗∗∗ Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 ∗∗∗
---------------------------------------------
We were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued our interest.
---------------------------------------------
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966


∗∗∗ Best Practices for Writing Quality Vulnerability Reports ∗∗∗
---------------------------------------------
How to write great vulnerability reports? If you’re a security consultant, penetration tester or a bug bounty hunter, these tips are for you!
---------------------------------------------
https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-119882422a27


∗∗∗ Kriminelle verbreiten falsche Ryanair-Telefonnummern ∗∗∗
---------------------------------------------
Vorsicht, wenn Sie im Internet nach einer Telefonnummer von Ryanair suchen. Kriminelle stellen Webseiten mit falschen Nummern ins Netz. Wenn Sie bei der falschen Ryanair-Servicehotline anrufen, stehlen Kriminelle Ihnen sensible Daten und Geld.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-verbreiten-falsche-ryanair-telefonnummern/


∗∗∗ LOLBin mit WorkFolders.exe unter Windows ∗∗∗
---------------------------------------------
Die legitime Windows-Anwendung WorkFolders.exe lässt sich verwenden, um andere .exe-Programme im Windows-Ordner System32 oder im aktuellen Ordner zu starten. Dies ermöglicht Malware sogenannte LOLBin-Angriffe, bei der legitime Betriebssystemdateien zur Ausführung von Schadprogrammen missbraucht werden.
---------------------------------------------
https://www.borncity.com/blog/2023/10/24/lolbin-mit-workfolders-exe-unter-windows/


∗∗∗ The Great CVSS Bake Off: Testing How CVSS v4 Performs Versus v3 ∗∗∗
---------------------------------------------
The highly anticipated Common Vulnerability Scoring System (CVSS) version 4 is planned to be released on October 31st by the Forum of Incident Response and Security Teams (FIRST).
---------------------------------------------
https://orca.security/resources/blog/cvss-version-4-versus-version-3/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ VMware warns admins of public exploit for vRealize RCE flaw ∗∗∗
---------------------------------------------
VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-public-exploit-for-vrealize-rce-flaw/


∗∗∗ Viele Systeme längst kompromittiert: Cisco stellt Patches für IOS XE bereit ∗∗∗
---------------------------------------------
Durch Schwachstellen in der Betriebssoftware IOS XE sind weltweit Zehntausende von Cisco-Geräten infiltriert worden. Jetzt gibt es erste Patches.
---------------------------------------------
https://www.golem.de/news/viele-systeme-laengst-kompromittiert-cisco-stellt-patches-fuer-ios-xe-bereit-2310-178749.html


∗∗∗ CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files ∗∗∗
---------------------------------------------
Orthanc is an open source software to manage, exchange and visualize medical imaging data. In versions < 1.12.0, it is affected by an arbitrary file overwrite vulnerability (CVE-2023-33466) that might allow an authenticated attacker to obtain RCE on the system.
---------------------------------------------
https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-servers-with-polyglot-files/


∗∗∗ Proxy: Squid-Entwickler dichten teils kritische Lecks in Version 6.4 ab ∗∗∗
---------------------------------------------
Mit Squid 6.4 haben die Entwickler eine um vier Sicherheitslücken bereinigte Version des Proxy-Servers vorgelegt. Es klaffen jedoch weitere Lücken darin.
---------------------------------------------
https://www.heise.de/news/Proxy-Squid-6-4-schliesst-teils-kritische-Sicherheitsluecken-9342384.html


∗∗∗ Lücke in LiteSpeed-Cache-Plug-in gefährdet 4 Millionen WordPress-Websites ∗∗∗
---------------------------------------------
Angreifer können WordPress-Websites mit Schadcode-Skripten verseuchen. Ein Sicherheitsupdate repariert das LiteSpeed-Cache-Plug-in.
---------------------------------------------
https://www.heise.de/news/Luecke-in-LiteSpeed-Cache-Plug-in-gefaehrdet-4-Millionen-WordPress-Websites-9342838.html


∗∗∗ Sicherheitsupdates: Firefox-Browser anfällig für Clickjacking-Attacken ∗∗∗
---------------------------------------------
Mozilla hat in aktuellen Versionen von Firefox und Firefox ESR mehrere Sicherheitsprobleme gelöst.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Firefox-Browser-anfaellig-fuer-Clickjacking-Attacken-9342945.html


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ceph and dbus), Fedora (cachelib, fb303, fbthrift, fizz, folly, matrix-synapse, mcrouter, mvfst, nats-server, nodejs18, proxygen, wangle, watchman, and wdt), Mageia (libcue), Oracle (18, grafana, kernel, nodejs, nodejs:16, nodejs:18, php, php:8.0, and tomcat), Red Hat (python27:2.7, python3, python39:3.9, python39-devel:3.9, toolbox, varnish, and varnish:6), SUSE (fwupdate, gcc13, icu73_2, netty, netty-tcnative, and xen), and Ubuntu [...]
---------------------------------------------
https://lwn.net/Articles/948688/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Vulnerability in SICK Flexi Soft Gateway ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-164691.html


∗∗∗ Rockwell Automation Stratix 5800 and Stratix 5200 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-297-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily