[CERT-daily] Tageszusammenfassung - 27.10.2023

Fri Oct 27 19:44:10 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 25-10-2023 18:00 − Freitag 27-10-2023 18:00
Handler:     Stephan Richter
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ StripedFly malware framework infects 1 million Windows, Linux hosts ∗∗∗
---------------------------------------------
A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework-infects-1-million-windows-linux-hosts/


∗∗∗ How to catch a wild triangle ∗∗∗
---------------------------------------------
How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.
---------------------------------------------
https://securelist.com/operation-triangulation-catching-wild-triangle/110916/


∗∗∗ Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction ∗∗∗
---------------------------------------------
Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for organizations across multiple industries. Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from our perspective, is one of the most dangerous financial criminal groups.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/


∗∗∗ iLeakage: Safari unzureichend vor Spectre-Seitenkanalangriff geschützt ∗∗∗
---------------------------------------------
Sicherheitsforscher sagen, dass Apples Browser nicht ausreichend vor CPU-Seitenkanalangriffen schützt. Angreifer können Daten lesen. Es gibt Schutzmaßnahmen.
---------------------------------------------
https://www.heise.de/-9344659


∗∗∗ CISA, HHS Release Cybersecurity Healthcare Toolkit ∗∗∗
---------------------------------------------
CISA and the HHS have released resources for healthcare and public health organizations to improve their security.
---------------------------------------------
https://www.securityweek.com/cisa-hhs-release-cybersecurity-healthcare-toolkit/


∗∗∗ CVE-2023–4632: Local Privilege Escalation in Lenovo System Updater ∗∗∗
---------------------------------------------
The Lenovo System Update application is designed to allow non-administrators to check for and apply updates to their workstation. During the process of checking for updates, the privileged Lenovo Update application attempts to utilize C:\SSClientCommon\HelloLevel_9_58_00.xml, which doesn’t exist on the filesystem [...] This vulnerability has been fixed in the latest version of the Lenovo System Updater application.
---------------------------------------------
https://posts.specterops.io/cve-2023-4632-local-privilege-escalation-in-lenovo-system-updater-2762e9667120


∗∗∗ ESET APT Activity Report Q2–Q3 2023 ∗∗∗
---------------------------------------------
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 and Q3 2023
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-q3-2023/


∗∗∗ Most common Active Directory misconfigurations and default settings that put your organization at risk ∗∗∗
---------------------------------------------
Introduction In this blog post, we will go over the most recurring (and critical) findings that we discovered when auditing the Active Directory environment of different companies, explain why these configurations can be dangerous, how they can be abused by attackers and how they can be mitigated or remediated.
---------------------------------------------
https://blog.nviso.eu/2023/10/26/most-common-active-directory-misconfigurations-and-default-settings-that-put-your-organization-at-risk/


∗∗∗ CVE-2023-4966 Helps Usher In A Baker’s Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm ∗∗∗
---------------------------------------------
Citrixs NetScaler ADC and NetScaler Gateway have, once more, been found to have multiple vulnerabilities, tracked as CVE-2023-4966 and CVE-2023-4967 [...] As of this post’s publish time, GreyNoise has observed just under seventy IP addresses attempting to exploit this vulnerability.
---------------------------------------------
https://www.greynoise.io/blog/cve-2023-4966-helps-usher-in-a-bakers-dozen-of-citrix-tags-to-further-help-organizations-mitigate-harm


∗∗∗ CISA Announces Launch of Logging Made Easy ∗∗∗
---------------------------------------------
Today, CISA announces the launch of a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/10/27/cisa-announces-launch-logging-made-easy


∗∗∗ Rhysida Ransomware Technical Analysis ∗∗∗
---------------------------------------------
Technical analysis of Rhysida Ransomware family that emerged in the Q2 of 2023
---------------------------------------------
https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-23-299-01 Dingtian DT-R002 ICSA-23-299-02 Centralite Pearl Thermostat ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium ICSA-23-299-04 Rockwell Automation Arena ICSA-23-299-05 Rockwell Automation FactoryTalk View Site Edition ICSA-23-299-06 Rockwell Automation FactoryTalk Services Platform ICSA-23-299-07 Sielco PolyEco FM Transmitter ICSA-23-299-08 Sielco Radio Link and Analog FM Transmitters ICSMA-23-194-01 BD Alaris System with Guardrails Suite MX (Update A)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/10/26/cisa-releases-nine-industrial-control-systems-advisories


∗∗∗ Cisco Update: HTTP/2 Rapid Reset Attack Affecting Cisco Products: October 2023 ∗∗∗
---------------------------------------------
Version 1.5: Updated the lists of vulnerable products and products confirmed not vulnerable.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ


∗∗∗ Cisco Update: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗
---------------------------------------------
Version 2.3: Updated summary to indicate additional fixed releases. Updated fixed release table and SMU table. Updated recommendations to add link to technical FAQ.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z


∗∗∗ Juniper Update: 2023-10 Security Bulletin: Junos OS: jkdsd crash due to multiple telemetry requests (CVE-2023-44188) ∗∗∗
---------------------------------------------
2023-10-25: Added note that SRX Series devices are not vulnerable to this issue
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-jkdsd-crash-due-to-multiple-telemetry-requests-CVE-2023-44188


∗∗∗ HPE Aruba Networking Product Security Advisory ∗∗∗
---------------------------------------------
HPE Aruba Networking has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.
---------------------------------------------
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt


∗∗∗ Sicherheitsupdates: Jenkins-Plug-ins als Einfallstor für Angreifer ∗∗∗
---------------------------------------------
Jenkins kann bei der Softwareentwicklung helfen. Einige Plug-ins weisen Sicherheitslücken auf. Ein paar Updates stehen noch aus.
---------------------------------------------
https://www.heise.de/-9344802


∗∗∗ Sicherheitslücken im X.Org X-Server und Xwayland erlauben Rechteausweitung ∗∗∗
---------------------------------------------
Aktualisierte Fassung des X.Org X-Servers und von Xwayland schließen Sicherheitslücken. Die erlauben die Rechteausweitung oder einen Denial-of-Service.
---------------------------------------------
https://www.heise.de/-9345096


∗∗∗ Rechteausweitung durch Lücke in HP Print and Scan Doctor ∗∗∗
---------------------------------------------
Aktualisierte Software korrigiert einen Fehler im Support-Tool HP Print and Scan Doctor, der die Ausweitung der Rechte im System ermöglicht.
---------------------------------------------
https://www.heise.de/-9345192


∗∗∗ Konfigurationsprogramm von BIG-IP-Appliances als Sprungbrett für Angreifer ∗∗∗
---------------------------------------------
F5 hat wichtige Sicherheitsupdates für BIG-IP-Produkte veröffentlicht. Angreifer können Geräte kompromittieren.
---------------------------------------------
https://www.heise.de/-9346460


∗∗∗ Lücken in Nessus Network Monitor ermöglichen Rechteerhöhung ∗∗∗
---------------------------------------------
Eine neue Version vom Nessus Network Monitor schließt Sicherheitslücken, durch die Angreifer etwa ihre Rechte erhöhen können.
---------------------------------------------
https://www.heise.de/news/-9346392


∗∗∗ VMWare Tools: Schwachstellen erlauben Rechteausweitung ∗∗∗
---------------------------------------------
Die VMware Tools unter Linux, Windows und macOS erlauben Angreifern unter bestimmten Umständen, unbefugt Kommandos abzusetzen. Noch sind nicht alle Updates da.
---------------------------------------------
https://www.heise.de/-9346863


∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023) ∗∗∗
---------------------------------------------
Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-16-2023-to-october-22-2023/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and xorg-server), Fedora (firefox, mbedtls, nodejs18, nodejs20, and xen), Gentoo (libinput, unifi, and USBView), Mageia (python-nltk), Oracle (linux-firmware), Red Hat (nginx:1.22), SUSE (chromium, firefox, java-11-openjdk, jetty-minimal, nghttp2, nodejs18, webkit2gtk3, and zlib), and Ubuntu (linux, linux-lowlatency, linux-oracle-5.15, vim, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/948930/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and firefox-esr), Fedora (firefox, redis, samba, and xen), Oracle (python39:3.9, python39-devel:3.9), Slackware (mozilla and xorg), and SUSE (libnbd, open-vm-tools, python, sox, vorbis-tools, and zchunk).
---------------------------------------------
https://lwn.net/Articles/949057/


∗∗∗ Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data ∗∗∗
---------------------------------------------
Mirth Connect versions prior to 4.4.1 are vulnerable to CVE-2023-43208, a bypass for an RCE vulnerability.
---------------------------------------------
https://www.securityweek.com/critical-mirth-connect-vulnerability-could-expose-sensitive-healthcare-data/


∗∗∗ Apple Releases Security Advisories for Multiple Products ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in multiple products.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/10/26/apple-releases-security-advisories-multiple-products


∗∗∗ Schwachstelle CVE-2023-5363 in OpenSSL ∗∗∗
---------------------------------------------
In der Software OpenSSL wurde eine Schwachstelle CVE-2023-5363 gefunden. Die Initialisierung der Verschlüsselungsschlüssellänge und des Initialisierungsvektors in OpenSLL ist fehlerhaft. Für die Linux-Distributionen Debian und Ubuntu ist ein Fix aber bereits verfügbar.
---------------------------------------------
https://www.borncity.com/blog/2023/10/27/schwachstelle-cve-2023-5363-in-openssl/


∗∗∗ ServiceNow fixt stillschweigend Bug aus 2015 der Datenlecks ermöglichte ∗∗∗
---------------------------------------------
Das US-Unternehmen ServiceNow Inc. bietet eine Cloud-Plattform an, in deren Software wohl seit 2015 ein Bug klaffte, über den Dritte ohne Authentifizierung Informationen abziehen konnten. Nachdem ein Sicherheitsforscher auf die Schwachstelle gestoßen ist, wurde diese stillschweigend in der Cloud-Lösung beseitigt.
---------------------------------------------
https://www.borncity.com/blog/2023/10/27/servicenow-fixt-stillschweigend-bug-aus-2015-der-datenlecks-ermglichte/


∗∗∗ 9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution ∗∗∗
---------------------------------------------
Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-oct-25-2023/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ VMSA-2023-0024 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0024.html


∗∗∗ SonicWall SSO Agent - Directory Services Connector MSI Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0016


∗∗∗ SonicWall NetExtender Windows Client DLL Search Order Hijacking Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0017

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily