[CERT-daily] Daily summary - 01.09.2023

Daily end-of-shift report team at cert.at
Fri Sep 1 18:23:01 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Thursday 31-08-2023 18:00 − Friday 01-09-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Monitoring from the cloud: customer systems hacked thanks to weak default passwords ∗∗∗
---------------------------------------------
Hackers have apparently spread ransomware on the local systems of Logicmonitor customers by exploiting weak default passwords.
---------------------------------------------
https://www.golem.de/news/monitoring-aus-der-cloud-kundensysteme-dank-schwacher-standardpasswoerter-gehackt-2309-177289.html


∗∗∗ WordPress Vulnerability & Patch Roundup August 2023 ∗∗∗
---------------------------------------------
To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/08/wordpress-vulnerability-patch-roundup-august-2023.html


∗∗∗ Potential Weaponizing of Honeypot Logs ∗∗∗
---------------------------------------------
Escape sequences have long been used to create ASCII art on screens and allow for customization of a user’s terminal. Because most terminals support some kind of escape sequences, it could be possible to manipulate the analyst’s terminal, and hypothetically allow for remote code execution on the analyst’s system.
---------------------------------------------
https://isc.sans.edu/diary/rss/30178


∗∗∗ MONDEO: Multistage Botnet Detection ∗∗∗
---------------------------------------------
MONDEO is a multistage mechanism with a flexible design to detect DNS-based botnet malware. MONDEO is lightweight and can be deployed without requiring the deployment of software, agents, or configuration in mobile devices, allowing easy integration in core networks. MONDEO comprises four detection stages: Blacklisting/Whitelisting, Query rate analysis, DGA analysis, and Machine learning evaluation. [..] The implementation is available at github.
---------------------------------------------
https://arxiv.org/abs/2308.16570


∗∗∗ Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd ∗∗∗
---------------------------------------------
Using the vulnerability described in this advisory an attacker may take control of an encrypted Linux computer during the early boot process, manually unlock TPM-based disk encryption and either modify or read sensitive information stored on the computer’s disk. This blog post runs through how this vulnerability was identified and exploited - no tiny soldering required.
---------------------------------------------
https://pulsesecurity.co.nz/advisories/tpm-luks-bypass


∗∗∗ BitLocker, TPM and Pluton | What Are They and How Do They Work ∗∗∗
---------------------------------------------
The optimal kind of security measure is imperceptible to the user during deployment and usage. Whenever there is a potential delay or difficulty due to a security feature, there is a high probability that users will attempt to circumvent security. This situation is particularly prevalent for data protection, and that is a scenario that organizations need to prevent.
---------------------------------------------
https://github.com/HotCakeX/Harden-Windows-Security/wiki/BitLocker,-TPM-and-Pluton-%7C--What-Are-They-and-How-Do-They-Work


∗∗∗ NetNTLMv1 Downgrade to compromise ∗∗∗
---------------------------------------------
In this blogpost I’m going to blow your mind with some easy to understand NetNTLMv1 downgrade and relaying stuff. I will keep this blogpost simple, so that everyone can follow these steps, but I will link further resources for those who want to get the bigger picture at the end of this post.
---------------------------------------------
https://www.r-tec.net/r-tec-blog-netntlmv1-downgrade-to-compromise.html


∗∗∗ Free Decryptor Available for ‘Key Group’ Ransomware ∗∗∗
---------------------------------------------
EclecticIQ has released a free decryption tool to help victims of the Key Group ransomware recover their data without paying a ransom.
---------------------------------------------
https://www.securityweek.com/free-decryptor-available-for-key-group-ransomware/


∗∗∗ How companies can get a grip on ‘business email compromise’ ∗∗∗
---------------------------------------------
The delivery methods vary but the most exploited vector is email as a vehicle for a credential harvesting phishing campaign. Phishing, in general, has grown in scale and sophistication in recent years, with the most damaging form of phishing from a financial perspective being “business email compromise” (BEC). According to Check Point Research, credential harvesting makes up about 15% of all email-based attacks but is the most financially damaging category.
---------------------------------------------
https://blog.checkpoint.com/security/how-companies-can-get-a-grip-on-business-email-compromise/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Multiple vulnerabilities in i-PRO VI Web Client ∗∗∗
---------------------------------------------
VI Web Client provided by i-PRO Co., Ltd. contains multiple vulnerabilities. Update the software to the latest version according to the information provided by the developer. These vulnerabilities have been addressed in VI Web Client 7.9.6.
---------------------------------------------
https://jvn.jp/en/jp/JVN60140221/


∗∗∗ Tinycontrol LAN Controller v3 (LK3) Remote Denial Of Service ∗∗∗
---------------------------------------------
The controller suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php


∗∗∗ Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗
---------------------------------------------
Autodesk AutoCAD and certain AutoCAD-based products have been affected by Out-of-Bounds Write, Heap-based Buffer Overflow, Untrusted Pointer Dereference, and Memory Corruption vulnerabilities. CVE IDs: CVE-2023-29073, CVE-2023-29074, CVE-2023-29075, CVE-2023-29076, CVE-2023-41139, CVE-2023-41140
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018


∗∗∗ Acronis: Updates plug security holes in several products ∗∗∗
---------------------------------------------
Acronis has published security advisories covering a total of twelve vulnerabilities in several products. Updates have been available for some time.
---------------------------------------------
https://heise.de/-9291446


∗∗∗ Critical vulnerability in Securepoint VPN ∗∗∗
---------------------------------------------
Updates are meant to close a critical security vulnerability in Securepoint's VPN software that allows attackers to escalate their privileges.
---------------------------------------------
https://heise.de/-9291723


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, and gst-plugins-ugly1.0), Fedora (firefox, libeconf, libwebsockets, mosquitto, and rust-rustls-webpki), SUSE (amazon-ssm-agent, open-vm-tools, and terraform-provider-helm), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp-5.15, linux-gcp-5.4, linux-oracle-5.4, linux-gkeop, linux-gkeop-5.15, linux-intel-iotg, linux-kvm, linux-oracle, and python-git).
---------------------------------------------
https://lwn.net/Articles/943302/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily



