[CERT-daily] Daily Summary - 25.09.2023

Daily end-of-shift report team at cert.at
Mon Sep 25 18:50:32 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 22-09-2023 18:00 − Monday 25-09-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Akira Ransomware Mutates to Target Linux Systems ∗∗∗
---------------------------------------------
The newly emerged ransomware actively targets both Windows and Linux systems with a double-extortion approach.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/akira-ransomware-mutates-to-target-linux-systems-adds-ttps


∗∗∗ Predator spyware: state trojan was planted via iOS vulnerabilities ∗∗∗
---------------------------------------------
Intellexa exploited the iOS vulnerabilities recently patched by Apple to build a zero-day exploit chain for iPhones.
---------------------------------------------
https://www.golem.de/news/predator-spyware-staatstrojaner-wurde-ueber-ios-schwachstellen-eingeschleust-2309-177918.html


∗∗∗ Blocking Visual Studio Code embedded reverse shell before it's too late ∗∗∗
---------------------------------------------
Since July 2023, Microsoft has been offering the perfect reverse shell, embedded inside Visual Studio Code, a widely used development tool. With just a few clicks, any user with a GitHub account can share their Visual Studio desktop on the web. VS Code tunnel is almost considered a LOLBin (Living Off the Land Binary).
---------------------------------------------
https://ipfyx.fr/post/visual-studio-code-tunnel/


∗∗∗ iRacing Exploit allows attackers to take control of users' computers ∗∗∗
---------------------------------------------
If you have updated iRacing since 2023 Season 2 Patch 5, you’re safe. But if you have the game installed and haven’t updated it, it’s important to either update or uninstall it as soon as possible. Keep in mind this exploit is possible even if you haven’t got an active iRacing subscription, so if you were thinking about updating it later, it’s worth uninstalling it in the meanwhile.
---------------------------------------------
https://blog.ss23.geek.nz/2023/09/21/iracing-electron-rce-exploit.html


∗∗∗ Unusual malware targets Western European telcos ∗∗∗
---------------------------------------------
Lua Dream is a modular malicious program built with Lua that targets telecommunications companies and probably originates from Asia.
---------------------------------------------
https://www.heise.de/-9315204.html


∗∗∗ In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover ∗∗∗
---------------------------------------------
A critical vulnerability in the TeamCity CI/CD server could allow unauthenticated attackers to execute code and take over vulnerable servers.
---------------------------------------------
https://www.securityweek.com/in-the-wild-exploitation-expected-for-critical-teamcity-flaw-allowing-server-takeover/


∗∗∗ Webinar: Manipulation through dark patterns - how can I protect myself? ∗∗∗
---------------------------------------------
Dark patterns are used on the internet to lure us into actions that are not in our interest, for example spending more money or sharing more data than we actually want to. This webinar explains how dark patterns manipulate us and how you can protect yourself against them. Take part free of charge: Tuesday 3 October 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-manipulation-durch-dark-patterns-wie-kann-ich-mich-schuetzen/


∗∗∗ Fake prize draw for ÖBB gift cards & iPhone 15 Pro ∗∗∗
---------------------------------------------
We are currently receiving reports of fraudulent prize draws for the new iPhone and for ÖBB gift cards for free train travel. The prize draws are spread via social networks, messengers and e-mail. You supposedly receive the prize if you pay € 1.95. Whoever pays, however, loses money!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-oebb-geschenkkarten-iphone-15-pro/


∗∗∗ SCCM Hierarchy Takeover ∗∗∗
---------------------------------------------
tl;dr: There is no security boundary between sites in the same hierarchy. 
When an administrative user is granted a security role in SCCM, such as Full Administrator or Infrastructure Administrator, in any primary site, the underlying database changes propagate upward to the central administration site (CAS) and then to other primary sites in the hierarchy. 
This means that if an attacker gains control of any primary site, they gain control of the entire SCCM hierarchy.
---------------------------------------------
https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087


∗∗∗ iOS 17 update secretly changed your privacy settings; here’s how to set them back ∗∗∗
---------------------------------------------
Many iPhone users who upgraded their iPhones to the recently-released iOS 17 will be alarmed to hear that they may have actually downgraded their security and privacy.
---------------------------------------------
https://www.bitdefender.com/blog/hotforsecurity/ios-17-update-secretly-changed-your-privacy-settings-heres-how-to-set-them-back/


∗∗∗ From ScreenConnect to Hive Ransomware in 61 hours ∗∗∗
---------------------------------------------
In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, [...]
---------------------------------------------
https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/


∗∗∗ CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR) ∗∗∗
---------------------------------------------
AhnLab Security Emergency Response Center (ASEC) has identified the process through which threat actors install CoinMiners, which utilize a compromised system’s resources for cryptocurrency mining. This post will cover how the AhnLab EDR product detects the installation process of CoinMiners that use system resources for cryptocurrency mining.
---------------------------------------------
https://asec.ahnlab.com/en/57222/


∗∗∗ Kaspersky Reveals Alarming IoT Threats and Dark Web DDoS Boom ∗∗∗
---------------------------------------------
Kaspersky unveils alarming IoT vulnerabilities and the Dark Web's thriving DDoS economy.
---------------------------------------------
https://www.hackread.com/iot-vulnerabilities-dark-web-ddos-economy/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Elasticsearch 8.9.0, 7.17.13 Security Update ∗∗∗
---------------------------------------------
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests.
---------------------------------------------
https://discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/343616


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, elfutils, flac, ghostscript, libapache-mod-jk, lldpd, and roundcube), Fedora (linux-firmware, roundcubemail, and thunderbird), Mageia (curl, file, firefox/thunderbird, ghostpcl, libtommath, and nodejs), Oracle (kernel, open-vm-tools, qemu, and virt:ol and virt-devel:rhel), SUSE (bind, busybox, djvulibre, exempi, ImageMagick, libqb, libssh2_org, opera, postfix, python, python36, renderdoc, webkit2gtk3, and xrdp), and Ubuntu (accountsservice and open-vm-tools).
---------------------------------------------
https://lwn.net/Articles/945503/


∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-41991 Apple Multiple Products Improper Certificate Validation Vulnerability
CVE-2023-41992 Apple Multiple Products Kernel Privilege Escalation Vulnerability
CVE-2023-41993 Apple Multiple Products WebKit Code Execution Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/09/25/cisa-adds-three-known-exploited-vulnerabilities-catalog


∗∗∗ RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php


∗∗∗ Wago: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-042/


∗∗∗ Stored Cross-Site Scripting in the mb Support broker management solution openVIVA c2 ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scripting-in-der-mb-support-broker-management-solution-openviva-c2/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily