[CERT-daily] Tageszusammenfassung - 21.02.2024

Wed Feb 21 18:51:27 CET 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 20-02-2024 18:00 − Mittwoch 21-02-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Open Source in Enterprise Environments - Where Are We Now and What Is Our Way Forward? ∗∗∗
---------------------------------------------
We have been used to hearing that free and open source software and enterprise environments in Big Business are fundamentally opposed and do not mix well. Is that actually the case, or should we rather explore how business and free software can both benefit going forward?
---------------------------------------------
https://bsdly.blogspot.com/2022/09/open-source-in-enterprise-environments.html


∗∗∗ VoltSchemer attacks use wireless chargers to inject voice commands, fry phones ∗∗∗
---------------------------------------------
A team of academic researchers show that a new set of attacks called VoltSchemer can inject voice commands to manipulate a smartphones voice assistant through the magnetic field emitted by an off-the-shelf wireless charger.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/voltschemer-attacks-use-wireless-chargers-to-inject-voice-commands-fry-phones/


∗∗∗ Security: Forscher erzeugen Fingerabdrücke aus Wischgeräuschen ∗∗∗
---------------------------------------------
Die Methode basiert auf einer Reihe komplexer Algorithmen, mit denen sich schließlich ein Master-Fingerabdruck erzeugen lässt.
---------------------------------------------
https://www.golem.de/news/security-forscher-erzeugen-fingerabdruecke-aus-wischgeraeuschen-2402-182449.html


∗∗∗ Phishing pages hosted on archive.org, (Wed, Feb 21st) ∗∗∗
---------------------------------------------
The Internet Archive is a well-known and much-admired institution, devoted to creating a “digital library of Internet sites and other cultural artifacts in digital form”[1]. [...] Unfortunately, since it allows for uploading of files by users, it is also used by threat actors to host malicious content from time to time[2,3].
---------------------------------------------
https://isc.sans.edu/diary/rss/30676


∗∗∗ Breakdown of Tycoon Phishing-as-a-Service System ∗∗∗
---------------------------------------------
Just weeks after Trustwave SpiderLabs reported  on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-of-tycoon-phishing-as-a-service-system/


∗∗∗ re: Zyxel VPN Series Pre-auth Remote Command Execution ∗∗∗
---------------------------------------------
An unauthenticated command injection exploit affecting Zyxel firewalls was published in late January without an associated CVE. The vulnerability turns out to be CVE-2023-33012. The associated disclosure did not mention any caveats to exploitation, but it turns out only an uncommon configuration is affected.
---------------------------------------------
https://vulncheck.com/blog/zyxel-cve-2023-33012


∗∗∗ Vibrator virus steals your personal information ∗∗∗
---------------------------------------------
One of our customers found their vibrator was buzzing with a hint of malware.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-personal-information


∗∗∗ Redis Servers Targeted With New ‘Migo’ Malware ∗∗∗
---------------------------------------------
Attackers weaken Redis instances to deploy the new Migo malware and install a rootkit and cryptominers.
---------------------------------------------
https://www.securityweek.com/redis-servers-targeted-with-new-migo-malware/


∗∗∗ Fake-SMS zum Ablauf der Finanz-Online ID im Umlauf! ∗∗∗
---------------------------------------------
Kriminelle versenden aktuell massenhaft SMS im Namen des BMF zum angeblichen Ablauf der FinanzOnline ID, beziehungsweise ID Austria. Links in den Smishing-Nachrichten führen auf gefälschte Finanz-Online-Websites, auf denen persönliche Daten abgegriffen werden. Diese Daten können anschließend für personalisierte Folgebetrugsmaschen eingesetzt werden. Ignorieren Sie diese SMS-Nachrichten!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-sms-zum-ablauf-der-finanz-online-id-im-umlauf/


∗∗∗ Detecting Malicious Actors By Observing Commands in Shell History ∗∗∗
---------------------------------------------
Among the myriad techniques and tools at the disposal of cybersecurity experts, one subtle yet powerful method often goes unnoticed: the analysis of shell history to detect malicious actors.
---------------------------------------------
https://orca.security/resources/blog/understand-shell-commands-detect-malicious-behavior/


∗∗∗ Practical Vulnerability Archaeology Starring Ivantis CVE-2021-44529 ∗∗∗
---------------------------------------------
In 2021, Ivanti patched a vulnerability that they called “code injection”. Rumors say it was a backdoor in an open source project. Let’s find out what actually happened!
---------------------------------------------
https://www.greynoise.io/blog/practical-vulnerability-archaeology-starring-ivantis-cve-2021-44529


∗∗∗ CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems ∗∗∗
---------------------------------------------
Today, CISA, the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released the joint fact sheet Top Cyber Actions for Securing Water Systems. This fact sheet outlines the following practical actions Water and Wastewater Systems (WWS) Sector entities can take to better protect water systems from malicious cyber activity and provides actionable guidance [...]
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/02/21/cisa-epa-and-fbi-release-top-cyber-actions-securing-water-systems


∗∗∗ Lucifer DDoS botnet Malware is Targeting Apache Big-Data Stack ∗∗∗
---------------------------------------------
Aqua Nautilus has unveiled a new campaign targeting Apache big-data stack, specifically Apache Hadoop and Apache Druid. Upon investigation, it was discovered that the attacker exploits existing misconfigurations and vulnerabilities within our Apache cloud honeypots to execute the attacks.
---------------------------------------------
https://blog.aquasec.com/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Unified Intelligence Center Insufficient Access Control Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuic-access-control-jJsZQMjj


∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
In February 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB


∗∗∗ WS_FTP Server Service Pack (February 2024) ∗∗∗
---------------------------------------------
This article contains the details of the specific updates within the WS_FTP Server February 2024 Service Pack. The Service Pack contains a fix for the newly disclosed CVE described below. Progress highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully.
---------------------------------------------
https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-February-2024


∗∗∗ Broadcom schließt Sicherheitslücken in VMware Aria Operations und EAP-Plug-in ∗∗∗
---------------------------------------------
Broadcom verteilt Updates für VMware Aria Operations und das EAP Browser Plug-in. Sie bessern teils kritische Sicherheitslücken aus.
---------------------------------------------
https://www.heise.de/-9634714.html


∗∗∗ Firefox und Thunderbird: Neue Versionen liefern Sicherheitsfixes ∗∗∗
---------------------------------------------
Neue Versionen von Firefox, Firefox ESR und Thunderbird stehen bereit. Sie dichten im Kern Sicherheitslücken ab.
---------------------------------------------
https://www.heise.de/-9634418.html


∗∗∗ VMSA-2024-0003 ∗∗∗
---------------------------------------------
Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2024-0003.html


∗∗∗ VMSA-2024-0004 ∗∗∗
---------------------------------------------
VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2024-22235)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2024-0004.html


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (linux-firmware and python-reportlab), Debian (unbound), Fedora (freeglut and syncthing), Red Hat (edk2, go-toolset:rhel8, java-1.8.0-ibm, kernel, kernel-rt, mysql:8.0, oniguruma, and python-pillow), Slackware (libuv and mozilla), SUSE (abseil-cpp, grpc, opencensus-proto, protobuf, python- abseil, python-grpcio, re2, bind, dpdk, firefox, hdf5, libssh, libssh2_org, libxml2, mozilla-nss, openssl-1_1, openvswitch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python-aiohttp, python-time-machine, python-pycryptodomex, runc, and webkit2gtk3), and Ubuntu (kernel, libspf2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-aws, linux-kvm, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/963035/


∗∗∗ Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities ∗∗∗
---------------------------------------------
Google and Mozilla resolve high-severity memory safety vulnerabilities with the latest Chrome and Firefox updates.
---------------------------------------------
https://www.securityweek.com/chrome-122-firefox-123-patch-high-severity-vulnerabilities/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ K000138649 : GnuTLS vulnerability CVE-2023-5981 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138649


∗∗∗ K000138650 : cURL vulnerability CVE-2023-46218 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138650

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily